iPad hacker faces multiple drug charges, spotty past following FBI arrest

Date: Thursday, June 17th, 2010, 05:16
Category: iPad, News

Some hackers just have no luck.

Per CNET, one of the hackers in the group that snatched more than 100,000 iPad owner email addresses from AT&T’s servers was arrested Tuesday on felony drug charges after the FBI searched his Arkansas, US home.

Andrew “Escher” Auernheimer was arrested by Fayetteville, Ark., police and was booked into the Washington County Detention Center Tuesday afternoon, where he is being held on bonds totaling US$3,160.

Auernheimer, 24, faces four felony charges of possession of a controlled substance and one misdemeanor drug charge. During the raid, police reportedly found drugs that included cocaine, ecstasy, LSD, and Schedule 2 and 3 pharmaceuticals when they searched his home.

Auernheimer, who also goes by the hacker nickname “weev,” is one of 10 members of Goatse Security, a hacking group that used an automated script to collect 114,000 iPad email addresses from AT&T through a public feature of the carrier’s Web site.

Goatse revealed its e-mail harvesting after AT&T closed the hole, then defended its actions as “responsible disclosure” (the term given to security revelations made public only after a vendor has patched a bug). In a letter to customers apologizing for the email address disclosure, however, AT&T said the group “maliciously exploited” its Web site and promised it would “prosecute violators to the fullest extent of the law.”

In a recent interview, Auernheimer argued that Goatse’s attack was “ethical” and denied that they did anything illegal. “We love America and did this in the public interest,” Auernheimer said at the time.

Wednesday, the Fayetteville Police Department declined to comment on the charges against Auernheimer, instead referring all questions to the FBI.

Special Agent Bryan Travers of the FBI’s Newark, N.J., division confirmed that the agency had served a search warrant at Auernheimer’s home, but declined to answer any other questions, including whether agents removed computers from Auernheimer’s residence. “This remains an open investigation,” Travers said in an email.

The FBI launched an investigation into the Goatse attack last week, saying then that it was trying to determine if the group broke any laws.

Auernheimer is no stranger to drugs, according to Brian Krebs, a former reporter for the Washington Post and now the author of the Krebs on Security blog. In 2006, said Krebs, Auernheimer started a talk at a security conference by telling the audience that he was tripping on acid.

He has also regularly posted anti-Semitic statements on his LiveJournal blog, where he has claimed that the FCC is “Jewish-run” and that Jews “have long made a sham of the nobel [sic] prize.”

Auernheimer was arrested last March, according to a report by Fayetteville television station KHBS-TV, which noted that city police said he had given them a false name when they responded to a parking complaint.

A court hearing is scheduled for Friday morning in Washington County Circuit Court.

Stay tuned for additional details as they become available.

Apple releases Security Update 2010-04 for Mac OS X 10.5.x users

Date: Wednesday, June 16th, 2010, 07:05
Category: News, Software

Late Tuesday, Apple released Security Update 2010-04 for Mac OS X 10.5.x (“Snow Leopard”). The update, a 218.6 megabyte download, adds a slew of security fixes and changes, as summarized here.

The update requires Mac OS X 10.5 or later to install and run and can be snagged via Mac OS X’s Software Update feature.

If you’ve tried the new update and have any feedback to offer, let us know.

FBI to investigate AT&T/iPad security breach

Date: Friday, June 11th, 2010, 09:33
Category: iPad, News

When embarrassingly hacked, call the FBI.

Per Reuters, the Federal Bureau of Investigation said Thursday that it has begun a probe into an AT&T security breach that exposed the email addresses of over 100,000 registered iPad owners.

“The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyber threat,” FBI spokesman Jason Pack said.

The move comes one day after AT&T acknowledged that a security flaw on its website made it possible for hackers to query its database and uncover the email addresses of customers who had registered to use its mobile broadband service on their iPhone 3G.

“This issue was escalated to the highest levels of the company and was corrected by Tuesday,” the carrier said. “We are continuing to investigate and will inform all customers whose e-mail addresses may have been obtained.”

The attack on AT&T’s web servers resulted in at least 114,000 iPad 3G users’ emails being leaked to Goatse Security hackers when batches of iPad ICC-IDs were entered via specially formatted HTTP requests.

The group automated requests of the email address information for a wide swath of ICC-ID serial numbers using a script. Although the exploit revealed the addresses of several prominent government and corporate officials, no other information was revealed as part of the breach.

A representative for Goatse Security stated that it ‘hasn’t heard from law enforcement and that it didn’t do anything illegal, so doesn’t see why it would.’

Stay tuned for additional details as they become available.

Adobe releases Flash Player 10.1.53.64

Date: Friday, June 11th, 2010, 03:52
Category: News, Software

Late Thursday, Adobe officially released Flash Player 10.1.53.64, the newest version of its multimedia software for Mac OS X. The new version, a 7.4 megabyte download, offers a slew of security fixes detailed here with full (and extensive) release note changes documented here.

The new version is available for free and requires Mac OS X 10.5 or later to install and run.

Google Chrome 5.0.375.70 out the door

Date: Thursday, June 10th, 2010, 04:50
Category: News, Software

Google Chrome, Google’s new web browser, just reached version 5.0.375.70 for the Mac. The new version, a 25.2 megabyte download, offers the following changes:

- Medium: Cross-origin keystroke redirection. Credit to Michal Zalewski of Google Security Team.

- High: Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.

- High: Memory error in table layout. Credit to wushi of team509.

- High: Linux sandbox escape. Credit to Mark Dowd under contract to Google Chrome Security Team.

- High: Bitmap stale pointer. Credit to Mark Dowd under contract to Google Chrome Security Team.

- High: Memory corruption in DOM node normalization. Credit to Mark Dowd under contract to Google Chrome Security Team.

- High: Memory corruption in text transforms. Credit to wushi of team509.

- Medium: XSS in inner HTML property of text area. Credit to sirdarckcat of Google Security Team.

- High: Memory corruption in font handling. Credit: Apple.

- High: Geolocation events fire after document deletion. Credit to Google Chrome Security Team (Justin Schuh).

- High: Memory corruption in rendering of list markers. Credit: Apple.

Google Chrome requires Mac OS X 10.5 or later and an Intel-based Mac to install and run.

If you’ve played with it and have an opinion, let us know what you think in the comments.

Microsoft releases Office 2004 11.5.9, Office 2008 12.2.5

Date: Wednesday, June 9th, 2010, 04:09
Category: News, Software

Late Tuesday, Microsoft released version 11.5.9 of its Microsoft Office 2004 suite and version 12.2.5 of its Microsoft Office 2008 suite. The updates, which weigh in at 9.7 and 332 megabytes, respectively, focus on improving security for both suites, fixing vulnerabilities that could allow malicious code to overwrite portions of your Mac’s memory and run arbitrary commands.

The updates are free and available through the AutoUpdate programs and require Mac OS X 10.2 or later to run Office 2004 and Mac OS X 10.4 or later to run Office 2008.

If you’ve installed the updates and have any feedback to offer, let us know.

Security researchers locate additional iPhone security hole, publish findings

Date: Thursday, May 27th, 2010, 04:02
Category: iPhone, News, security

Even if you feel absolutely secure in entering your PIN every time you unlock your iPhone, there may still be some security shortfalls. Per a blog post by Bernd Marienfeldt, Marienfeldt and fellow security wonk Jim Herbeck have discovered that plugging even a fully up-to-date, non-jailbroken iPhone 3GS into a computer running Ubuntu Lucid Lynx allows nearly full read access to the phone’s storage even when it’s locked.

The belief is that they’re just a buffer overflow away from full write access as well, which would surely open the door to making calls. Bernd believes the iPhone’s lack of data encryption for content is a real problem, and also cites the inability to digitally sign e-mails as reasons why the iPhone is still not ready for prime time in the enterprise.

Still, better that these guys found it and put the evidence in front of Apple than another party locate the security hole.

Stay tuned for additional details as they become available.

Apple releases Java updates for Mac OS X 10.5, 10.6 operating systems

Date: Wednesday, May 19th, 2010, 05:07
Category: News, Software

On Tuesday, Apple released a pair of Java updates for its Mac OS X 10.5 and 10.6 operating systems. The updates (Java for Mac OS X 10.5 Update 7 and Java for Mac OS X 10.6 Update 2) make the same changes and, per Macworld, offer “improved compatibility, security, and reliability.” The specifics on how the updates do this are unclear, however, as the release notes for both the 10.6 and 10.5 updates are a little light on the details.

Apple does tell us that the 122MB download for users of OS X 10.5.8 and later updates J2SE 5.0 to 1.5.0_24 and Java SE 6 to 1.6.0_20. As with the Java update released last December, J2SE 1.4.2 remains disabled by default, as it’s no longer being updated.

As for the 78MB Java for Mac OS X 10.6 download, it updates Java SE 6 to version 1.6.0_20. It’s aimed at Mac OS X 10.6.3 and later.

Both downloads are available via Mac OS X’s built-in Software Update feature.

Jobs goes bananas on Adobe Flash in open letter

Date: Friday, April 30th, 2010, 05:59
Category: News

In the wake of several weeks of back and forth between Apple and Adobe regarding Flash, Apple CEO Steve Jobs has posted an open letter explaining Apple’s position on Flash, going back to his company’s long history with Adobe and expounding upon six main points of why he thinks Flash is wrong for mobile devices. HTML5 naturally comes up, along with a few reasons you might not expect.

Per Engadget, here’s the breakdown:

It’s not open: “While Adobe’s Flash products are widely available, this does not mean they are open, since they are controlled entirely by Adobe and available only from Adobe. By almost any definition, Flash is a closed system.” HTML5, CSS, and JavaScript, on the other hand, exist as open web standards.

The “full web”: Steve responds to Adobe’s claim of Apple devices missing out on “the full web,” with an age-old argument (YouTube) aided by the numerous new sources that have started providing video to the iPhone and iPad in HTML5 or app form like CBS, Netflix, and Facebook. Regarding the games argument, he states that “50,000 games and entertainment titles on the App Store, and many of them are free.” If we were keeping score we’d still call this a point for Adobe.

Reliability, security and performance: Steve states that “Flash is the number one reason Macs crash,” but adds another great point on top of this: “We have routinely asked Adobe to show us Flash performing well on a mobile device, any mobile device, for a few years now. We have never seen it.”

Battery life: “The video on almost all Flash websites currently requires an older generation decoder that is not implemented in mobile chips and must be run in software.”

Touch: Steve hits hard against one of the web’s greatest hidden evils: rollovers. Basically, Flash UIs are built around the idea of mouse input, and would need to be “rewritten” to work well on touch devices. “If developers need to rewrite their Flash websites, why not use modern technologies like HTML5, CSS and JavaScript?”

The most important reason: Steve finally addresses the third party development tools situation by writing that “If developers grow dependent on third party development libraries and tools, they can only take advantage of platform enhancements if and when the third party chooses to adopt the new features.”

Jobs concludes by saying that “Flash was created during the PC era – for PCs and mice.”

Stay tuned for additional details as they become available and let us know what you think in the feedback section.

Mozilla releases Firefox 3.6.3 update

Date: Monday, April 5th, 2010, 03:47
Category: Software

Late last week, Mozilla.org released version 3.6.3 of its Firefox web browser. The new version, an 18.6 megabyte download (http://www.mozilla.com/products/download.html?product=firefox-3.6.3&os=osx&lang=en-US), sports the following major change:

- Fixes a critical security issue that could potentially allow remote code execution.

Firefox 3.6.3 is available in more than 70 different languages and requires a G3, G4, G5 or Intel-based Mac, Mac OS X 10.4 or later and 128MB of RAM to install and run. If you’ve snagged the new version and have any feedback to offer about it, let us know in the comments.