Apple adds two-step verification, other new features to iCloud security

Posted by:
Date: Friday, March 22nd, 2013, 06:44
Category: News, security, Software

When in doubt, beef up the ol’ security system a bit…

On Thursday, Apple rolled out a new two-step verification service for iCloud and Apple ID users. This functionality greatly enhances the security of Apple accounts because it requires users to use a trusted device and an extra security code.

Per 9to5Mac, the security code can be sent via SMS or via the Find my iPhone iOS app (if it is installed). Users can now set up two-step authentication on their devices via the Apple ID web site. Users need to access the security tab on this website to conduct the setup process.

During the setup process for two-step verification, users can choose which of their iOS devices they want to be “trusted.” This new service will allow only you to be able to reset your password.

Full details can be located at the Apple ID web site.

New iOS passcode bypass bug discovered one day after iOS 6.1.3 release

Posted by:
Date: Thursday, March 21st, 2013, 07:32
Category: iOS, iPhone, News, security

Well, this is sort of awkward…

Remember how you JUST installed iOS 6.1.3 to get rid of a passcode bypass bug that would allow an unauthorized person to access the Phone app on a locked iPhone? Per iMore and The Next Web, a new bypass bug has been discovered.

The passcode bypass in the previous versions of iOS 6 required a series of well-timed taps and button presses. The result was full access to the Phone app on a locked device without entering the passcode. This new bug (not quite new, it seems to have existed prior to iOS 6.1.3) requires a sequence that’s a little easier to execute, as can be seen in this video. For some reason, this bypass seems to be more difficult to accomplish on newer, Siri-capable devices.



The bypass can be achieved using the iPhone’s Voice Dial feature. By holding the Home button on a device for a few seconds, the Voice Dial feature will come up. Issue a dial command such as “Dial 303-555-1212”, then as the call is being initiated, eject the SIM card. The iPhone detects the SIM has been removed, cancels the call, and displays an alert saying there is no SIM. Behind the alert you will see the Phone app and after dismissing the alert, you will have full access to the Phone app. As before this means you can access contact information as well as all photos on the device.

Initially thought to only be possible on non-Siri phones, reports are now coming in of this bypass being performed on the iPhone 4S and 5 as well, though it doesn’t seem to be as easily reproducible on these devices. Performing the bypass on these devices would also require Siri to be disabled and Voice Dial to be enabled.

Unlike the previous bug, this bypass can also easily be prevented by disabling Voice Dial. This can be done in the iPhone’s Settings app, under General > Passcode Lock, by turning the Voice Dial switch to off. With the way Apple has been handling these so far, it would not be surprising to see this fixed in a 6.1.4 update.

Stay tuned for additional details as they become available.

Apple TV updated to 5.2.1, adds bug fixes, redesigned Hulu interface

Posted by:
Date: Wednesday, March 20th, 2013, 06:49
Category: Apple TV, News, Software

When in doubt, go for a bit of a redesign.

Per 9to5Mac, Apple released its Apple TV 5.2.1 operating system on Tuesday. The update features bug fixes, security fixes and a redesigned Hulu interface that makes it easier and quicker to access content. Like other Apple TV features, the updated Hulu section now has a top-bar with categories. Users can now jump into each individual category to access content.

Apple TV users on the latest iOS version will receive the new interface automatically. Apple added Hulu to the Apple TV last summer after settling some “political” issues with the content provider. Apple is rumored to be adding HBO Go to the Apple TV later this year.

Apple releases iOS 6.1.3 update

Posted by:
Date: Tuesday, March 19th, 2013, 12:59
Category: iOS, iPhone, iPod Touch, News, security, Software

I’ll say this for Apple: it’s getting speedier on its iOS updates.

On Tuesday, Apple released iOS 6.1.3, a 107 megabyte download offering the following fixes for its supported iOS devices:

- Fixes a bug that could allow someone to bypass the passcode and access the Phone app.

- Improvements to Maps in Japan.

iOS 6.1.3 is available via iTunes or Over-The-Air updating and requires an iPhone 3GS, 4, 4S, 5, iPad 2, third or fourth-gen iPad, iPod Touch 4th Gen or iPad Mini to install and run.

Rumor: ABC working on subscriber-based streaming app to bring network’s live programming to iOS devices

Posted by:
Date: Tuesday, March 19th, 2013, 07:26
Category: iOS, iPad, iPhone, iPod Touch, Rumor, Software

You can’t knock additional streaming options if they’re offered to you…

The Walt Disney Company, while sorting out the future of the online video Web site Hulu, has an app in the works that may render Hulu passé for some people.

Per the New York Times, the app will live stream ABC programming to the phones and tablets of cable and satellite subscribers. The app could become available to some subscribers this year, according to people briefed on the project, who insisted on anonymity because they were not authorized to speak about it publicly.

With the app, ABC, a subsidiary of Disney, will become the first of the American broadcasters to provide a live Internet stream of national and local programming to people who pay for cable or satellite. The subscriber-only arrangement, sometimes called “TV Everywhere” in industry circles, preserves the cable business model that is crucial to the bottom lines of broadcasters, while giving subscribers more of what they seem to want — mobile access to TV shows. The arrangement could extend the reach of ads that appear on ABC as well.

Disney already distributes similar live streaming and on-demand apps, known as “Watch” apps, for ESPN and the Disney Channel. Special hurdles exist, however, for the ABC app, in part because of contracts between the network and the companies that produce some of its shows that were written before mobile phone video streaming was even possible. Other complexities involve ABC’s local stations, which might — if not courted properly — feel threatened by an app.

But ABC, seeing shifts in consumer behavior, is pressing forward. The network has started to talk with stations about how to include them in the live streaming app. Illustrating the difficult contractual issues, ABC offhandedly first mentioned a forthcoming Watch ABC app in a news release nine months ago, when it signed a deal with Comcast to make several Watch Disney apps available to Comcast subscribers.

But the network live streaming ability is inching closer to fruition, the people briefed on the project said. A spokesman for ABC declined to comment.

Stay tuned for additional details as they become available.

Apple releases Safari 6.0.3 update

Posted by:
Date: Friday, March 15th, 2013, 07:17
Category: News, security, Software

Hey, an update’s an update.

Late Thursday, Apple released Safari 6.0.3, an update to its web browser. The new version, a 44.8 megabyte download (via MacUpdate), includes the following fixes and new features:

- Contains updated security content. Download included with OS X 10.8.3 Mountain Lion.

- Improves scrolling on facebook.com.

- Improves scrolling while zoomed in on a webpage.

- Improves performance on webpages with plug-in content.

- A fix for an issue that could cause the inaccurate appearance of an alert that bookmarks can’t be changed.

- A fix for an issue that could cause duplicate bookmarks to appear on an iOS device after editing bookmarks with Safari in OS X.

- A fix for an issue that permitted users to access unfiltered search results when searching from google.com when Parental Controls are enabled.

- A fix for an issue that could prevent Safari from restoring the last position on a webpage a user navigated back to.

Safari 6.0.3 requires an Intel-based Mac running Mac OS X 10.7 or later to install and run and can also be located and downloaded via Mac OS X’s Software Update feature. If you’ve tried the new version and have any feedback to offer, please let us know.

Security firm Skycure illustrates possible hacking attacks through iOS’ use of Provisioning Profiles

Posted by:
Date: Tuesday, March 12th, 2013, 07:41
Category: iOS, iPhone, News, security, Software

In the words of assorted security analysts, Apple may be setting itself up for a malware fall thanks to its Provisioning Profiles.

Per The Next Web, while iOS users have been relatively safe from malware on their devices, researchers from security company Skycure say they’re concerned about a feature of iOS that could be used by malicious actors to read information, passwords and even encrypted data from devices without customers’ knowledge. They’ve detailed the new vulnerability in a presentation at the Herzliya Conference and a company blog post.

It’s worth noting at the beginning that Skycure’s product, still in development, is a mobile firewall with a cloud component designed to secure devices against attacks just like these. This isn’t all that unusual, though, as many security firms like Sophos and Intego produce research reports along with consulting and security products.

Provisioning Profiles (mobileconfigs) are small files installed with a single tap on iOS devices. They essentially function as instruction lists which can alter many settings, including network configurations, and they’re used by thousands of companies around the world, including app developers, corporations with IT departments and more.

Their use is officially approved by Apple and there is nothing innately malicious about any given profile. But, if put to the right uses, they do open up the ability to read usernames and passwords right off of a screen, transmit data that would normally be secure (over HTTPS) to a malicious server where it can be read and a lot more.

In a demonstration, Skycure’s CTO Yair Amit and CEO Adi Sharabani sent the author to a website where a link was offered. A provisioning profile was presented, installed and led to a screen that looked a lot like a phishing attempt, which requires an action on the part of a user in order to infect or grant access to a hacker.

After the profile was installed, Sharabani demonstrated that he could not only read exactly which websites the author had visited, but also scrape keystrokes, searches and login data from apps like Facebook and LinkedIn. To be perfectly clear, this is not a vulnerability within iOS; instead, it uses standardized frameworks to deliver a profile that has malicious intent.

iOS has typically been far more secure than other platforms because of its heavy use of curation on the App Store, but also because it has been built from the ground up to use sandboxing. This means that apps are cordoned off, unable to reach outside of their data box or to affect any other apps that have not given them explicit permission to do so.

Provisioning Profiles step outside of that protection and can do things like route all of a victim’s traffic through a third-party server, install root certificates allowing for interception and decryption of secure HTTPS traffic and more.

Sharabani provides a couple of scenarios by which people could be convinced to install what seems like a harmless provisioning profile, only to be a victim of a traffic re-routing attack:

- Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.

- Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

The attacks, Sharabani stated, can be configured to use a VPN, APN proxy or a wireless proxy (WiFi), so just because you’re not on a WiFi network doesn’t mean that the profile can’t send your traffic to a third-party. This also means that (unlike a VPN, where there is an indicator in your status bar), you could also be affected by the hack without your knowledge. Of course, you would still have had to install a profile in the first place.

For the third attack scenario, Skycure came up with a list of cellular carriers that ask clients to install a special profile that configures their device to work with that network’s data servers. Of course, those sites could end up being compromised to deliver corrupted profiles, but it’s bound to be harder to do if it’s the carrier’s own servers doing the distribution.

As of now, no evidence has been found of a Provisioning Profile attack in the wild. And, to be extremely blunt once again, you are not at risk at all if you don’t install any profiles to your device, period. And if you have to, make sure that those profiles are from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links.
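One way to check a profile before installing it, as an added example that is not code from Skycure, Apple or this site: the Python below parses a .mobileconfig file and lists the payloads of the kinds described above (root certificates, VPN, APN and Wi-Fi proxy settings). The sample profile is constructed for the example, and locating the XML inside a signed profile by its start and end markers is a simplifying assumption.

```python
import plistlib

# Payload types that change where traffic goes or which certificates are trusted.
RISKY_TYPES = {
    "com.apple.security.root": "installs a root certificate (HTTPS interception becomes possible)",
    "com.apple.vpn.managed": "configures a VPN that can carry the device's traffic",
    "com.apple.apn.managed": "changes cellular APN settings, which can include a proxy",
    "com.apple.proxy.http.global": "sets a global HTTP proxy",
}

def extract_plist(raw: bytes) -> dict:
    """Load the profile dictionary from an unsigned or signed .mobileconfig.

    Assumption: in a signed profile the XML plist sits unmodified inside the
    signature wrapper, so it can be located by its start and end markers.
    """
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit_profile(raw: bytes) -> list:
    """Return (payload_type, display_name, reason) for each risky payload."""
    content = extract_plist(raw).get("PayloadContent", [])
    if not isinstance(content, list):  # e.g. an encrypted profile
        return []
    findings = []
    for payload in content:
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "(unnamed)")
        if ptype in RISKY_TYPES:
            findings.append((ptype, name, RISKY_TYPES[ptype]))
        elif ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append((ptype, name, "Wi-Fi network that sends traffic through a proxy"))
    return findings

# Constructed sample profile (all names and values are made up for this example).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Free Movies Setup",
    "PayloadIdentifier": "example.invalid.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root",
         "PayloadDisplayName": "Example CA",
         "PayloadContent": b"placeholder-not-a-real-certificate"},
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadDisplayName": "Cafe WiFi",
         "SSID_STR": "ExampleCafe",
         "ProxyType": "Manual",
         "ProxyServer": "proxy.example.invalid",
         "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.webClip.managed",
         "PayloadDisplayName": "Bookmark",
         "URL": "https://example.invalid/",
         "Label": "Example"},
    ],
})

if __name__ == "__main__":
    for ptype, name, reason in audit_profile(SAMPLE_PROFILE):
        print(f"{ptype}  [{name}]: {reason}")
```

A profile that reports nothing here can still change other settings; the check covers only the traffic-routing and certificate payloads this article discusses.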

The disclosure of the issue, Sharabani says, is really about raising awareness, rather than starting a panic. While the attacks can be powerful and harmful, the Provisioning Profile attack, much like phishing, relies on user ignorance. Just as you wouldn’t type your password into a page provided as a random link, don’t install profiles from websites that you don’t know and avoid them completely if at all possible.

Because of the deep integration of Provisioning Profiles into the workflows of IT departments and other companies, it’s unlikely that they’ll be going away any time soon. So the best defense for now is knowledge and care.

Stay tuned for additional details as they become available.

Mozilla VP confirms that Firefox won’t be ported to iOS until Apple relaxes web browser stipulations

Posted by:
Date: Monday, March 11th, 2013, 07:12
Category: News, Software

If you were hoping to see Firefox on your iOS browser, it might never happen.

Per CNET, Mozilla vice president Jay Sullivan was quoted as saying that Firefox will not be coming to iPads and iPhones until Apple decides to loosen the restrictions governing browsers on iOS.

The comments came at a South by Southwest Interactive panel on Saturday. Sullivan says Apple’s current rules — which forbid browsers that do not use Apple’s version of WebKit — make it so that Firefox cannot build the browser it wants to for Apple’s platform.

In addition to the WebKit requirement, iOS prevents users from setting any non-Safari app as the default means of handling browsing. Apple’s Mobile Safari is the top mobile browser according to industry reports, with about 60 percent share of all mobile browser usage.

Mozilla pulled its Firefox Home app from Apple’s App Store in September of 2012. The company isn’t working on an iOS version of Firefox and, according to Sullivan, doesn’t have any plans to do so.

Another member of the panel, Dolphin Browser’s David Dehgahn, lamented Apple’s policy as inhibiting competition.

“Competition is critical to our survival,” Dehgahn said. Sullivan and Mike Taylor from Opera Software — which recently released a WebKit-based version of Opera for iOS — agreed, saying that giving consumers browser choice was necessary in order to move the mobile web forward. Users suffer, they said, under Apple’s closed system.

CNET’s report says that the panel’s moderator then performed a quick poll of the audience, asking how many of them were suffering from being largely limited to Safari. Very few hands were raised.

Stay tuned for additional details as they become available.

Rumor: Intel, Apple in negotiations for Intel to start making processors for iOS devices

Posted by:
Date: Thursday, March 7th, 2013, 06:26
Category: Hardware, News, Processors, Rumor

Maybe a really good partnership CAN live forever…

Per the Chicago Tribune, an anonymous source has said that executives have over the past year discussed a possible partnership in which Intel’s foundries would be used to manufacture Apple-designed chips. A deal has not yet been reached, the source said.

This is not the first time rumors of an Apple-Intel partnership have cropped up. A report from May 2011 suggested that Intel showed interest in building Apple’s A4 and A5 SoCs, though no action was taken and the idea was apparently shelved as the so-called Ultrabook initiative gained momentum.

Intel is supposedly looking to shift its strategy as PC sales continue to slump as mobile devices, led by tablets like Apple’s iPad, continue to gobble up marketshare. The firm has been looking to expand its foundry business, most recently agreeing to fabricate silicon based on technology from chip maker Altera.

While an agreement to start production of ARM SoCs would likely undercut adoption of Intel’s own Atom mobile processor, the move might be necessary to keep pace with a quickly changing market. The report also speculates that Intel’s replacement for CEO Paul Otellini, who plans to retire in May, may further diversify the company’s contract operations in a bid to keep manufacturing facilities working at full capacity.

As for Apple, a move to Intel is easier to imagine, as the Mac lineup already runs on x86 processors. It has also been rumored that the company wants to distance itself from current A-series SoC manufacturer Samsung, with which it is ensnarled in a worldwide patent struggle. The Korean electronics giant is also Apple’s biggest competition in the mobile marketplace, with a variety of Android-based devices jockeying for position against iOS products like the iPhone and iPad.

Stay tuned for additional details as they become available.

Second lockscreen bypass exploit discovered in iOS 6.1, data vulnerable via USB connection

Posted by:
Date: Tuesday, February 26th, 2013, 07:07
Category: Hack, iOS, News, security, Software

Apple either needs to assign its iOS security people some business hammocks or take their current ones away…

A second iOS 6.1 bug has been discovered that gives access to contacts, photos and more. The vulnerability uses a similar method as the one disclosed previously, though it apparently gives access to more user data when the phone is plugged into a computer.

Per MacRumors and Kaspersky’s Threatpost, the exploit involves manipulating the phone’s screenshot function, its emergency call function and its power button. Users can make an emergency call (911 for example) on the phone and then cancel it while toggling the power on and off to get temporary access to the phone. A video posted by the group shows a user flipping through the phone’s voicemail list and contacts list while holding down the power button. From there an attacker could get the phone’s screen to turn black before it can be connected to a computer via a USB cord. The device’s photos, contacts and more “will be available directly from the device hard drive without the pin to access,” according to the advisory.

Apple was expected to fix the lock screen bug in iOS 6.1.2, but that small release fixed a different bug. Instead, it appears a fix for at least one of the lock screen vulnerabilities will be coming in iOS 6.1.3, currently in the hands of developers.

Stay tuned for additional details as they become available.