O'Grady's PowerPage » security

Latest OS X 10.10.2 build features Google Project Zero discoveries/fixes

Posted by:
Date: Friday, January 23rd, 2015, 10:23
Category: News, security, Software

yosemitelogo

If Yosemite is driving you a bit crazy, the good news is that the upcoming version won’t feature any bugs that have been pinned down by Google.

Per iMore and Ars Technica, Google’s Project Zero research program has disclosed and released proof-of-concept code for a series of 0day — previously unknown — vulnerabilities found in Apple’s OS X operating system for the Mac. It should be noted, however, that the first vulnerability was marked as fixed and closed by Google two weeks ago, and the others are fixed in OS X Yosemite 10.10.2, now in beta.

(more…)

Leaked files outline NSA-sponsored hacker training, use of vulnerability within Safari web browser to gain access to devices

Posted by:
Date: Monday, January 19th, 2015, 12:30
Category: Hacks, iOS, News, security, Software

politerain

It’s interesting what the intelligence community gets up to in its day to day work.

According to Spiegel Online International, the Politerain hiring process posted ads for candidates who wanted “to break things.”

Politerain is not a project associated with a conventional company. It is run by a US government intelligence organization, the National Security Agency (NSA). More precisely, it’s operated by the NSA’s digital snipers with Tailored Access Operations (TAO), the department responsible for breaking into computers.

Potential interns are also told that research into third party computers might include plans to “remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware.” Using a program called Passionatepolka, for example, they may be asked to “remotely brick network cards.” With programs like Berserkr they would implant “persistent backdoors” and “parasitic drivers”. Using another piece of software called Barnfire, they would “erase the BIOS on a brand of servers that act as a backbone to many rival governments.”

(more…)

August Connect hub now available for pre-order

Posted by:
Date: Thursday, January 8th, 2015, 15:14
Category: Hardware, News, security

augustconnect

This could be useful for home automation.

The August Connect hub, which controls the August Smart Lock via Bluetooth, allows you to remotely unlock or lock your door for guests, immediately know if someone has entered or left your home and automatically locks your door, removing this uncertainty.

(more…)

Security researcher demonstrates Thunderbolt firmware hack proof of concept at Chaos Computer Congress

Posted by:
Date: Monday, January 5th, 2015, 10:15
Category: Hack, Hardware, News, security, Thunderbolt

thunderstrike

As great as Thunderbolt is, there are vulnerabilities to consider.

Per 9to5Mac, a security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device with attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammel Hudson infects the Apple Extensible Firmware Interface (EFI) in a way he claims cannot be detected, nor removed by reinstalling OS X.

Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the hard drive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.

(more…)

iDict brute-force security tool for hacking iCloud account passwords becomes available on GitHub

Posted by:
Date: Friday, January 2nd, 2015, 15:21
Category: iCloud, News, security, Software

icloudicon

This may be worth keeping an eye on if you’re concerned about iCloud security.

Per 9to5Mac, a new tool submitted to developer web site GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.

(more…)

Apple releases Network Time Protocol security patch

Posted by:
Date: Tuesday, December 23rd, 2014, 08:43
Category: News, security, Software

trojanhorse

It’s not a huge patch, but it could make a difference.

Per Mac|Life, Apple released a small Network Time Protocol security patch on Friday. The patch, a 1.4 megabyte download, addresses what the company terms as a new “critical security issue”.

Fascinatingly enough, the vulnerability itself was discovered by the Google Security Team back on December 19, and the U.S. Government alerted users of it only a couple of days later. The dangers of the vulnerability are a little complex and the government’s ICS-CERT site is a little vague about what it is and what it does:

(more…)

Apple releases Safari 8.0.2 update

Posted by:
Date: Monday, December 15th, 2014, 04:32
Category: News, security, Software

Apple_Safari

It’s not a huge update, but it helps.

On Friday, Apple released version 8.0.2 of its Safari web browser.

The new version, a 53.8 megabyte download, offers the following fixes and changes:

- Fixes an issue that could prevent history from syncing across devices if iCloud Drive is not on.
•
- Fixes an issue that could prevent a saved password from being autofilled after two devices are added to iCloud Keychain.

(more…)

Apple releases iOS 8.1.2 update, includes ringtone purchase fix, security changes (updated)

Posted by:
Date: Tuesday, December 9th, 2014, 13:44
Category: iOS, iPad, iPhone, iPod, News, security, Software

ios8icon

This could come in handy.

Per 9to5Mac, Apple has released iOS 8.1.2 as an over-the-air software update for iPhone, iPad, and iPod touch users running iOS 8. The latest release contains bug fixes for users as well as a fix for a problem regarding ringtones purchased from Apple being removed from devices. Other fixes include a fix for keyboards that may not appear in Safari, Maps, or other third-party apps in iOS simulator and it offers Siri support for Singapore English, Repairing a bug that caused Notifications to fail to open an app and a fix for an issue that caused WatchKit apps to stop working in iOS 8 simulator.

For users subject to the reported issues involving ringtones purchased through iTunes, Apple points users to itunes.com/restore-tones for recovering those purchases.

(more…)

WireLurker security paper released, discusses potential next generation of OS X, iOS malware

Posted by:
Date: Friday, November 7th, 2014, 02:30
Category: iOS, News, security

trojanhorse

Not that you should be entirely paranoid about malware on your OS X and iOS devices, but a little caution couldn’t hurt.

Per Palo Alto Networks, a new paper has been published on WireLurker, a family of malware targeting both Mac OS and iOS systems for the past six months. It’s believed that WireLurker could herald in a new generation of malware on Apple’s desktop and mobile platforms given the following characteristics:
- It is only the second known malware family that attacks iOS devices through OS X via USB.

- It is the first malware to automate generation of malicious iOS applications, through binary file replacement.

- It is the first known malware that can infect installed iOS applications similar to a traditional virus.

- It is the first in-the-wild malware to install third-party applications on non-jailbroken iOS devices through enterprise provisioning.

WireLurker was used to trojanize 467 OS X applications on the Maiyadi App Store, a third-party Mac application store in China. In the past six months, these 467 infected applications were downloaded over 356,104 times and may have impacted hundreds of thousands of users.

(more…)

Security researcher finds unsaved files are automatically saved into iCloud

Posted by:
Date: Wednesday, November 5th, 2014, 17:10
Category: iCloud, News, security

icloudicon

This may not be what Apple intended to have happen with iCloud.

And there may be a patch coming for it posthaste.

According to Slate, security researcher Jeffrey Paul recently noticed that Apple’s default autosave is storing in-progress files—the ones you haven’t explicitly saved yet—in the cloud, not on your hard drive. Unless you decided to hit save before you start typing, or manually changed the default settings, those meeting notes, passwords, and credit card numbers you jotted down in “Untitled 17” are living in iCloud.

Although this issue seems to be a recent phenomenon, it appears that it’s been happening since at least December of 2013, according to Apple’s Knowledge Base, and it doesn’t just affect TextEdit, but also Preview, Pages, Numbers, and Keynote. Hopefully there wasn’t anything sensitive on those screenshots, spreadsheets, presentations, and documents you haven’t yet saved, or you were using other programs. Luckily, Word for Mac files don’t seem to be affected in this way.

You can turn off this surreptitious feature in Documents & Data —> Apple —> System Preferences —> iCloud —> Documents & Data, or you can save your empty file before you even start typing. But that’s not really the point. The problem is that users intuitively expect their in-progress documents to be saved locally, but these files are being stored on the Cloud instead.

(more…)