German group breaks through iPhone 5s Touch ID fingerprint authentication, releases video of hack

Posted by:
Date: Monday, September 23rd, 2013, 11:48
Category: Hack, iPhone, News, security


It only took three days to hack the iPhone 5s’ Touch ID authentication system.

Per The Mac Observer, the Chaos Computer Club (CCC) has claimed to have hacked Apple’s newest security feature. The group started by scanning the fingerprint associated with an iPhone at high resolution, then printed it out for transfer to another material such as latex. Once the material holding the print, complete with ridges and grooves, had finished setting, the group placed it over someone else’s finger and used it to successfully unlock the iPhone.

The Chaos Computer Club said, “In reality, Apple’s sensor has just a higher resolution compared to the sensors so far. So we only needed to ramp up the resolution of our fake.”

They added that it’s a simple process to lift fingerprints and then convert those into fakes that can be used to bypass security systems. “You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints,” they said.

While the process CCC showed was fairly straightforward, it isn’t exactly a simple process for the average person. It involves successfully collecting a quality fingerprint, scanning it at 2400 DPI or higher, cleaning up the scanned image, and then printing it to an acetate sheet on a laser printer before applying the material that will ultimately hold the fake print.

The group released the following video demonstrating the hack:



Assuming someone steals your iPhone with the intent of hacking around Touch ID, it’s actually much easier to simply make you unlock your iPhone than to duplicate your finger or thumb’s unique patterns. Find My iPhone can also be used to remotely wipe the device and keep anyone from hacking into your personal information.

The bigger problem in this case is that someone else has physical control over your iPhone. When that happens it’s much easier to find ways to hack in — especially since at that point the potential hackers have time on their hands.

Even still, the CCC’s Touch ID demonstration does show that Apple’s Touch ID technology may not be quite as secure as the company implied.

Working around fingerprint security systems is something that people have been doing for years, and Apple doesn’t force iPhone 5s owners to use Touch ID. It’s a convenient alternative to using a four-digit passcode, and is still more difficult to work around.

Stay tuned for additional details as they become available.

iOS 7 Lock Screen bug discovered, Apple says fix is en route

Posted by:
Date: Thursday, September 19th, 2013, 15:58
Category: iOS, News, security, Software


Per Forbes and AllThingsD, the first iOS 7 security bug has appeared and may be worth noting. The bug, in the iOS 7 Lock screen and Control Center implementation, could allow a person to bypass the device’s passcode and access the photo library. It is more of a potential security issue than a certain one, as it requires users to both be running their Camera app (so it shows up in multitasking) and have Control Center enabled on the Lock screen. Here are the steps (which we have independently reproduced):

1) Swipe up from the bottom of the Lock screen to open Control Center.

2) Launch the Clock app.

3) Open the Alarm Clock section of the Clock app.

4) Hold down the power button.

5) Quickly tap Cancel, then immediately double-click the Home button.

6) Hold down for a bit longer on the second click.

With access to the photos, users could also share the images to social networks and via email (which could be worrisome). Of course, disabling Control Center access from the Lock screen will completely rid you of this potential security breach, but, either way, Apple will likely get a fix out in the coming weeks.

The hack is demonstrated below:



Apple has also confirmed in a statement to AllThingsD that it is working on a fix for a future software update:

“Apple takes user security very seriously,” Apple spokeswoman Trudy Muller told AllThingsD. “We are aware of this issue, and will deliver a fix in a future software update.”

Stay tuned for additional details as they become available.

iCloud keychain feature goes missing from iOS 7 golden master, no clear explanation given as to why

Posted by:
Date: Thursday, September 12th, 2013, 07:06
Category: iOS, News, security, Software


OK, this is a little weird.

Per AppleInsider, developers updating their devices to the iOS 7 Golden Master seed have found that iCloud keychain, Apple’s new cloud-based credential storage system, has disappeared.

iCloud Keychain, a new feature of iOS 7 and OS X 10.9 Mavericks that allows users to securely store account names, passwords, and credit card information in iCloud and sync the data between their Macs, iPhones, and iPads, appears to have been removed from the latest iOS 7 pre-release seed.

The feature, revealed at Apple’s Worldwide Developers Conference in June, previously appeared as a toggle in the iCloud settings menu, but is now missing.

In addition, Apple’s iOS 7 ‘What’s New’ page now lists iCloud Keychain as ‘Coming Soon,’ an indication that there has been a change to the feature’s delivery schedule. It is possible that Cupertino may have opted to delay the release to coincide with the rollout of OS X Mavericks, which is expected in late October.

Stay tuned for additional details as they become available.

Adobe Reader, Acrobat Pro updated to 11.0.04

Posted by:
Date: Tuesday, September 10th, 2013, 07:41
Category: News, security, Software

You can’t knock a useful update.

On Tuesday, Adobe released version 11.0.04 of its Adobe Reader and Adobe Acrobat Pro applications. The updates, which can also be snagged through the Adobe Update Utility, add the following fixes and changes:

- This update provides system requirement enhancements, mitigation for security issues, improved overall stability, bug fixes, and feature enhancements.

Acrobat Reader 11.0.04 and Acrobat Pro 11.0.04 require an Intel-based processor and Mac OS X 10.6.8 or later to install and run.

If you’ve tried the new versions and noticed any differences, please let us know what you think.

Apple confirms September 10th media event, hints at next-gen iPhone handsets

Posted by:
Date: Wednesday, September 4th, 2013, 06:12
Category: Hardware, iOS, iPhone, News, security, Software


It went official yesterday.

On Tuesday, Apple sent out invitations for a media event next Tuesday, Sept. 10, at which the company is expected to show off its next-generation iPhone models that will come in a new range of colors.

Per The Loop, the event will kick off at 10 a.m. Pacific, 1 p.m. Eastern. It will be held at Apple’s corporate headquarters in Cupertino, Calif.

Though the invitation itself makes no mention of the iPhone, it does say that the announcement “should brighten everyone’s day” — a likely reference to the fact that Apple is expected to offer its next iPhones in an array of new colors. Specifically, leaked parts have suggested “iPhone 5S” will be available in a new “champagne” shade, while a low-cost plastic “iPhone 5C” will potentially be available in white, green, red, blue, pink, and possibly more.



Colors featured in the invitation include yellow, green, orange, white, red, pink, and shades of dark and light blue. Apple’s forthcoming iOS 7 update is also a more vibrant and colorful update to the company’s mobile operating system.

The company may have some surprises in store for fans and observers when Chief Executive Tim Cook presumably takes the stage next Tuesday, but the event is widely expected to center on the company’s largest revenue generator: the iPhone. It will likely see the unveiling of the successor to the iPhone 5, currently thought to be named the “iPhone 5S.”

The company’s next-generation premium smartphone is expected to include a fingerprint sensor embedded in the home button. Last year, Apple purchased AuthenTec, a biometric security firm, potentially setting the stage for the defining feature of this year’s iPhone.

Integrating a fingerprint sensor — a move that would largely negate the need for passwords and lock-screen codes — could give Apple an edge that its competition could not likely soon address.

Apple’s “S” series iPhones have typically been refinements of the models immediately preceding them, and most of the rumors surrounding the “5S” have been in that vein. Leaked cases for the device have shown that it will retain the same form factor as the iPhone 5, though it may be available in a “champagne” color option, as well as the existing black and white models.

Analysts expect a 31 percent faster “A7” chip that could be 20 percent more power efficient than the A6 seen in the iPhone 5. It may also feature a dedicated motion-tracking chip to enable a new range of user interactions.

Apple is also rumored to offer a model of the device with 128 gigabytes of storage, while the camera is expected to be upgraded with a dual-LED flash component for better low-light pictures. It’s likely that the camera itself will also see improvements.

Perhaps the most widely leaked device, though, has been the expected lower-cost plastic iPhone. That model is believed to be called the “iPhone 5C,” and recent leaks of an apparent user manual seem to confirm that name.

Observers believe that Apple will largely repackage the internals of the existing iPhone 5 into a polycarbonate shell to lower manufacturing costs. To differentiate the device, the “5C” would be available in a range of colors.

The move back to polycarbonate for the chassis would allow Apple to offer the “iPhone 5C” at a much lower price point than the premium-built iPhone 5 or anticipated “iPhone 5S.” That lower price could give Apple a better chance of picking up mid-range smartphone customers, who often choose Android phones when upgrading from feature phones simply due to price.

Most importantly, though, a lower-cost iPhone would give Apple a much better chance of competing in the world’s largest smartphone market: China. Investment firm UBS opined in August that an affordable iPhone would move more than 11 million units on China Mobile alone.

The Sept. 10 event will also mark the announcement of a release date for Apple’s newest mobile operating system, iOS 7. The new platform, revealed at this year’s Worldwide Developer Conference, features an almost complete visual overhaul, with many of the features of previous iOS versions giving way to a “flatter” aesthetic spun out of the leadership of Jony Ive, Apple’s design chief.

Aside from the new look, iOS 7 will also feature iTunes Radio, a new music streaming service that will take on Pandora, Spotify, and other services. It will also come with improvements to Siri, allowing Apple’s digital assistant to display more information and control phone settings, and tweaks to the Camera app, giving users access to more editing options.

The media event is likely to offer final – and long-anticipated – release dates for the next-gen iPhone handsets as well as iOS 7.

Stay tuned for additional details as they become available.

Apple blocks certain Java plug-ins, goes through security protocols yet again

Posted by:
Date: Friday, August 30th, 2013, 08:46
Category: News, security, Software

As nifty and useful as Java tends to be, its security nightmares remain.

And you should probably download and install the most recent version possible.

Per The Mac Observer, on Thursday Apple blocked the Java 6 and Java 7 plug-ins for Mac users over more potential security threats, the third time this year it has done so. Mac users running versions of Java earlier than version 6 update 51 or version 7 update 25 can no longer run Java code on their computer until they update to a newer version.

Apple hasn’t uninstalled Java from users’ Macs, and instead has simply disabled the older versions of the plug-in, which means apps and websites that rely on Java either won’t work or will be partially non-functional. Users running newer versions of the plug-ins aren’t affected.

This isn’t the first time this year Apple has remotely disabled older versions of Java over security-related issues. For Mac owners that don’t actually need Java, you can uninstall it, or at least find out exactly which version is living on your Mac, by following along with TMO’s handy guide.

Apple has taken to remotely disabling older versions of Java on users’ Macs, and will also auto-disable the plug-in when it hasn’t been used for at least 30 days. You can also disable Java yourself in Safari’s preferences.

Apple has stopped maintaining Java on its own and has handed that task off to Oracle, which also happens to be the company that develops the Java platform. Assuming you need Java on your Mac, you can find the latest version at Oracle’s Java website.
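If you want to check for yourself where your Mac stands against the cut-off versions named above (6 update 51 and 7 update 25), the short POSIX shell script below parses the first line that `java -version` prints (for example `java version "1.7.0_25"`) and reports whether the installed runtime meets the minimum. This is an added example, not code from the article, from TMO’s guide, or from Apple or Oracle; the minimum versions are taken from the article, the version-string format is Oracle’s usual `1.<major>.0_<update>` layout, and a line that does not carry an update number is treated as not current.

```shell
#!/bin/sh
# Added example: decide whether a local Java runtime is at or above the
# versions Apple's plug-in block still permits (6u51 / 7u25, per the article).

# Print "<major> <update>" from a version line such as:
#   java version "1.7.0_25"
# Prints nothing when the line does not match that layout.
java_version_parts() {
  echo "$1" | sed -n 's/.*"1\.\([0-9][0-9]*\)\.[0-9][0-9]*_\([0-9][0-9]*\)".*/\1 \2/p'
}

# Exit status 0 when the version line meets the minimum, 1 otherwise.
# An unparseable line (no update number, no Java at all) counts as not current.
java_is_current() {
  set -- $(java_version_parts "$1")
  [ $# -eq 2 ] || return 1
  major=$1
  update=$2
  case "$major" in
    6) [ "$update" -ge 51 ] ;;   # Java 6 needs update 51 or later
    7) [ "$update" -ge 25 ] ;;   # Java 7 needs update 25 or later
    *) [ "$major" -gt 7 ] ;;     # Java 8+ is newer than both; Java 5 and older are not
  esac
}

# Run the check against whatever `java` is on PATH (if any).
check_local_java() {
  if command -v java >/dev/null 2>&1; then
    line=$(java -version 2>&1 | head -n 1)
    if java_is_current "$line"; then
      echo "OK: $line"
    else
      echo "OUTDATED or unrecognised: $line"
    fi
  else
    echo "No java binary found on PATH"
  fi
}

check_local_java
```

Note that `java -version` writes to standard error, hence the `2>&1`; the script only reads the first line, which is where the version string lives. Apple’s block applies to the browser plug-in, so a current `java` on PATH is necessary but not by itself proof that the plug-in Safari loads is current.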

Stay tuned for additional details as they become available.

Researcher draws attention to long-standing security vulnerability in OS X operating systems

Posted by:
Date: Thursday, August 29th, 2013, 10:19
Category: News, security, Software


After five months, it might be time to fix this sucker…

Per mitre.org and Ars Technica, an unaddressed bug in Apple’s Mac OS X discovered five months ago allows hackers to bypass the usual authentication measures by tweaking specific clock and user timestamp settings, granting near unlimited access to a computer’s files.

While the security flaw has been around for nearly half a year, a new module created by developers of testing software Metasploit makes it easier to exploit the vulnerability in Macs.

The bug revolves around a Unix program called sudo, which allows or disallows users operational access based on privilege levels. Top tier privileges grant access to other users’ files, though that level of control is password protected.

Instead of inputting a password, the flaw works around authentication by setting a computer’s clock to Jan. 1, 1970, or what is referred to as the Unix epoch. Unix time starts at zero hours on this date and is the basis for its time calculations. By resetting a Mac’s clock, as well as the sudo user timestamp, to the epoch, time restrictions and privilege limitations can be bypassed.

“The bug is significant because it allows any user-level compromise to become root, which in turn exposes things like clear-text passwords from Keychain and makes it possible for the intruder to install a permanent rootkit,” said H.D. Moore, founder of the open-source Metasploit and chief research officer at security firm Rapid7.

Macs are especially vulnerable to the bug as OS X does not require a password to change these clock settings. As a result, all versions of the operating system from OS X 10.7 to the current 10.8.4 are affected. The same problem exists in Linux builds, but many of those iterations password protect clock changes.

While powerful, the bypass method has limitations. In order to implement changes, an attacker must already be logged in to a Mac with administrator privileges and have run sudo at least once before. As noted by the National Vulnerability Database, the person attempting to gain unauthorized privileges must also have physical or remote access to the target computer.

Apple has yet to respond or issue a patch for the bug.
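The bypass only works because sudo, by default, caches a successful password check for a few minutes and judges that cache against the system clock. Turning the cache off removes the thing the clock trick reuses: the standard sudoers option `Defaults timestamp_timeout=0` makes sudo prompt for a password on every invocation, so resetting the clock gains nothing. The script below, an added example that is not from the article, Apple, or the sudo project, reads sudoers text on standard input (a constructed sample is embedded) and reports the effective `timestamp_timeout`, flagging whether ticket reuse is blocked. It assumes the usual sudoers syntax (comment lines start with `#`, options live on `Defaults` lines, the last setting wins) and that the value is an integer.

```shell
#!/bin/sh
# Added example: audit sudoers text for the timestamp_timeout setting that
# decides whether a cached sudo ticket can be reused at all.

# Print the last timestamp_timeout value set on any Defaults line of the
# sudoers text read from stdin; print nothing when it is never set.
sudoers_timestamp_timeout() {
  sed 's/#.*//' \
    | grep -E '^[[:space:]]*Defaults' \
    | sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' \
    | tail -n 1
}

# Exit status 0 when ticket reuse is disabled (timeout of exactly 0), else 1.
sudo_ticket_reuse_blocked() {
  t=$(sudoers_timestamp_timeout)
  [ "$t" = "0" ]
}

# Human-readable verdict for the sudoers text on stdin.
sudo_ticket_policy() {
  t=$(sudoers_timestamp_timeout)
  case "$t" in
    "") echo "not set: sudo's built-in default applies, so tickets are cached" ;;
    0)  echo "blocked: every sudo run prompts for a password" ;;
    -*) echo "never expires: cached ticket stays valid indefinitely" ;;
    *)  echo "cached for $t minutes" ;;
  esac
}

# Constructed sample sudoers content (not a real system's file).
SAMPLE_SUDOERS='# timestamp_timeout=0   <- commented out, so it does not count
Defaults env_reset
Defaults:admin timestamp_timeout=0
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL'

printf '%s\n' "$SAMPLE_SUDOERS" | sudo_ticket_policy
```

On a live system the same check would be fed by `sudo -l`-style output or by the sudoers file itself, which is root-only; the functions take text on stdin precisely so the parsing can be exercised without privileges.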

“I believe Apple should take this more seriously but am not surprised with the slow response given their history of responding to vulnerabilities in the open source tools they package,” Moore said.

Stay tuned for additional details as they become available.

Georgia Institute of Technology security researchers prove App Store security flaw via “Jekyll and Hyde” attack

Posted by:
Date: Tuesday, August 20th, 2013, 07:18
Category: iOS, News, security, Software

The good news is that it’s getting a bit harder to sneak malware into the App Store.

The bad news is that it can still be done and Apple might need to invest in more security/screening features.

Per 9to5Mac and Ars Technica, researchers from the Georgia Institute of Technology managed to get a malicious app approved by Apple and included in the App Store by using a ‘Jekyll & Hyde’ approach, where the behaviour of a benign app was remotely changed after it had been approved and installed.

It appeared to be a harmless app that Apple reviewers accepted into the iOS App Store. They were later able to update the app to carry out a variety of malicious actions without triggering any security alarms. The app, which the researchers titled “Jekyll,” worked by taking the binary code that had already been digitally signed by Apple and rearranging it in a way that gave it new and malicious behaviors.

The researchers presented their findings in a paper at the USENIX Security Forum.

“Our method allows attackers to reliably hide malicious behavior that would otherwise get their app rejected by the Apple review process. Once the app passes the review and is installed on an end user’s device, it can be instructed to carry out the intended attacks. The key idea is to make the apps remotely exploitable and subsequently introduce malicious control flows by rearranging signed code. Since the new control flows do not exist during the app review process, such apps, namely Jekyll apps, can stay undetected when reviewed and easily obtain Apple’s approval.”

An Apple spokesman stated that changes have been made to iOS as a result of the exploit, but it’s not yet clear whether the change is to iOS 7 or the older iOS 5 and 6 versions that had been attacked. The researchers only left their app in the store for a few minutes and said that it was not downloaded by anyone outside the project in that time.

Apple Senior Vice President Phil Schiller tweeted back in March about a study revealing the rising incidences of malware on Android. The study showed that Android accounted for 79 percent of all mobile malware in 2012, while iOS came in at less than 1 percent.

Stay tuned for additional details as they become available.

Adobe releases Flash Player 11.8.800.146 beta

Posted by:
Date: Friday, August 16th, 2013, 09:19
Category: News, security, Software

When in doubt, there’s always the public beta to make things a bit better.

On Thursday, Adobe released Flash Player 11.8.800.115 for Mac OS X, an 18 megabyte download via MacUpdate. The new version adds the following fixes and changes:

- Includes new features as well as enhancements and bug fixes related to security, stability, performance, and device compatibility.

The Adobe Flash Player 11.8.800.146 beta requires an Intel-based Mac running Mac OS X 10.6 or later to install and run.

If you’ve tried the new Flash Player and have any feedback to offer, please let us know in the comments.

President Obama, Tim Cook, others meet to discuss PRISM surveillance

Posted by:
Date: Friday, August 9th, 2013, 07:54
Category: News, security


It’s not the happiest topic, but they’re meeting to discuss it.

On Thursday, President Obama met with Tim Cook and other tech executives from companies like Google and AT&T to discuss government surveillance, according to Politico.

Civil liberties leaders were also at the closed-door meeting. The White House declined to comment about the details of the meeting, and all the attendees also declined to comment to Politico about any specifics. However, a White House aide did tell Politico:

“This is one of a number of discussions the administration is having with experts and stakeholders in response to the president’s directive to have a national dialogue about how to best protect privacy in a digital era, including how to respect privacy while defending our national security.”

These meetings are no doubt in response to the PRISM document leaks that occurred in June. These documents revealed that major tech companies may be cooperating with the US government to gather surveillance data about its users.

Stay tuned for additional details as they become available.