Reasons to embrace or avoid upgrading, hacks and scams, and all for science
It's now October, and all the big Apple gifts we're going to get for Xmas this year are (probably) behind us. There's just one more to open: OS X 10.11 El Capitan. Should you jump to the latest and greatest? There are reasons to do so, and there are reasons to wait, depending on your situation. MacNN Editor Charles Martin and Managing Editor Mike Wuerthele discuss the pros and cons, talk about the real differences between the iPhone 6s and iPhone 6s Plus, argue whether 16GB can work on an iOS device for storage without much pain, and more.
Chinese malware was not malicious, but points out new vector of attack
Apple has now responded publicly to the XcodeGhost malware scare, explaining in a page on its Chinese website addressed to customers that even if they used apps affected by the issue, no personally-identifiable information was gathered. The company removed any affected apps, and explained the cause (iOS programs were built using compromised Chinese versions of Xcode downloaded from other sources), while offering developers a method of ensuring that their own installations of Xcode were valid.
In digital world, boundaries for countries, law enforcement mean little
As has been predicted for some time, the US government is clashing with technology companies over the encryption of personal data when it comes to law enforcement. The Justice Department is accusing Apple of disobeying a court order that it turn over text messages, in real time, between suspects in a guns-and-drugs case who are using iPhones. Apple has said the messages are encrypted without third-party keys, and thus it cannot comply with the order. Microsoft is also fighting the government, over whether emails stored outside the US should be given to US officials.
Requires vents to release small amount of water vapor, runs for a week
Users of smartphones are always complaining -- despite huge advancements in battery technology over the past few years -- about the need to recharge devices frequently. A new form factor from British firm Intelligent Energy could potentially change this to only having to recharge a phone on a weekly, rather than daily, basis. The company has placed a hydrogen fuel-cell battery into an iPhone 6 as a proof-of-concept, with only tiny changes to the casing for the device.
Leverages bugs to cause memory corruption which could bypass kASLR protection
Two new zero-day vulnerabilities have been uncovered by an 18-year-old Italian man that could be exploited to gain remote access in OS X 10.9.5 through 10.10.5, though the researcher has already published a version of a fix Apple could adopt in a future update. The new discoveries come on the heels of a similar vulnerability that was fixed by Apple in the last OS X software update. Details of the exploits were published by Luca Todesco on Github, just hours after he had notified Apple of the flaws.
What happens when there are more strokes than you thought?
A lot has happened since the last installment of Tech in Recovery, so please pardon the delay. The primary subject of the series, my wife, has suffered further mini-strokes, which led to a significant setback in both her treatment and this series. So, absent other data, for now, let's roll into the third installment of Technology in Recovery. This week, we're going to discuss some things that have been used in her therapy, as well as addressing a frequently-asked question -- what am I doing to stay sane?
Latest exploits flaw marketed by Hacking Team to governments, others
Adobe has updated Flash to version 22.214.171.124 for Windows and Mac in an effort to close yet another batch of security flaws. While no active use of the exploits had been discovered, the company had been notified earlier this week that some of the flaws were known to Hacking Team, a commercial security attacker that has sold such secrets and flaws to government agencies around the world.
Stolen computer prompts Dominican rapper to seek help from Apple Store
A struggling artist with a run of bad luck turned to the SoHo Apple Store in Manhattan to complete, in a piecemeal fashion, a full-length album on the store's Macs -- with some help from some employees. Following a computer that broke down and another that was stolen, Dominican immigrant and rapper Prince Harvey told his story to some sympathetic Apple Store employees, who assisted the young artist in completing his album.
The Beats 1 that just can't go wrong today
Time once again for another episode of The MacNN Podcast, this time episode 22! Since it was quite a notable week, this week's chat between Editor Charles, Managing Editor Mike, and staffers Michelle, Bradley, and Sanjiv is pretty jam-packed. The big story of the week was the launch of Apple Music, and we spend time on both the good and bad of that, but we talk about a lot more as well. Show notes after the jump.
Third-party app combo makes home video playback drop-dead easy
Today's Pointers is going to be a bit short and sweet because, like everyone else in the US, we're itching to get out of the office and engage in dangerous, noisy, polluting activities of an excessive nature. So while you are waiting in the burn unit or drunk tank for either treatment or bail money, here's a great tip for making all that waiting time easier: a simple way to get your iOS devices to play any non-DRM'd audio, photo, or video file format without taking up any space. It's like iTunes Match, but for all kinds of media files.
Latest OS X version offers preliminary support for third-party drives
Although many are celebrating the long-awaited arrival of Trim support for third-party SSD storage that can be enabled by users, Apple's implementation of it should be considered preliminary, and comes with an unusual and strongly-worded warning that offers no support if the user should experience problems. In addition, some popular SSD models, notably Samsung's 840 and 850 lines, may be subject to a data-destroying bug if Trim is activated.
TaiG updates jailbreak tool to 2.2.0, allows for iOS 8.4 hack
Jailbreak group TaiG has released an iOS 8.4 hack, mere hours after the official Apple release of the new OS. The new software revision uses the same exploit that the group used just days ago for iOS 8.3, allowing users to install the Cydia repository, and other phone software tweaks, at the cost of some device security regarding execution of arbitrary code. The hack requires a Windows PC, iTunes, and the newly released 2.2.0 version of the group's tool.
Website can mimic malware report from software, thus obtaining admin password
Users of controversial utility software MacKeeper who are not up-to-date on the latest version are vulnerable to a serious security flaw that can trick users into passing their admin passwords onto attackers, thus leaving the Mac vulnerable to a complete remote takeover. Though the problem has been fixed in version 3.4.1 of the much-maligned "cleanup" utility, the flaw is being actively exploited in the wild by attackers preying on users who have not updated.
Range of discovered vulnerabilities made it possible to intercept data between apps
Apple announced on Friday that it had implemented a server-side partial security update earlier this week to help protect Mac and iOS users against a "series of high-impact security weaknesses" discovered by researchers and now collectively known as the XARA vulnerabilities, which could potentially be used to obtain data being passed between sandboxed applications, such as passwords. No known cases of the exploits have been seen "in the wild," and Apple says it is working with researchers on a longer-term fix.
Proof-of-concept code posted to Github after Apple fails to close hole
As part of a slew of recent security flaws found in Apple's two operating systems (most of which, it should be noted, are either not serious or are remarkably unlikely to become common), a security researcher has turned up an issue in the iOS Mail app that has the potential to become a widespread problem. As a result, users should be wary of any pop-up dialogue boxes in iOS Mail that ask the user to re-login to a given email service.
Apple quietly announces ResearchKit 1.1 on developer list, adds iPad support
Late on Tuesday, an Apple representative on the Apple ResearchKit developer mailing list announced the availability of ResearchKit 1.1, which adds multiple new tasks and other enhancements, including iPad support and improved slider support. Following an internal review for accessibility and localization in all OS X-supported languages, new audiometry and reaction-time active tasks have been added, along with a navigable ordered task option.
Conditions needed to make exploit work are untenable, but possible
A new vulnerability -- albeit one that is extremely unlikely to happen "in the wild" -- has been discovered by security researcher Pedro Vilaca, where a flaw in pre-2014 Macs could conceivably allow an attacker access to a portion of OS X that has access to the Mac's Open Firmware and EFI (what PC users might call the BIOS of the machine) and possibly exploit other vulnerabilities to perhaps overwrite it with malicious firmware.
Availability of bands for Apple Watch improves even as in-store sales remain non-existent
Though in-store sales of Apple Watch models are expected to begin soon, it is currently near-impossible to get one's hands on an Apple Watch without either ordering it online from Apple or visiting one of a handful of high-end fashion boutiques around Europe. Bands for the Watch, however, continue to become more available -- with a spot check of stores in the US showing that sport bands and Leather Loop models are now very widely available.
Is your device plugged in or is it not?
Circuit Mouse is a cheeky little app that answers a very simple question. "Is your device plugged in, or isn't it?" That might seem like a silly question -- devices tend to make a noise when plugged into, or removed from, a power source. Plus, there's usually a little lightning bolt on the battery indicator to show if it's charging, for example. Nevertheless, there are some clever ways to use that information, and Circuit Mouse provides several methods of showing it.
Thirty models planned, ranging from $10,000 to $70,000
Despite the Apple Watch not yet shipping, design company Brikk has unveiled the Lux Watch product line. Their new collection includes 30 precious metal-plated, diamond encrusted luxury models across three lines of the upcoming wearable from Cupertino.
Apple credits TaiG team in release notes
Yesterday's iOS 8.1.3 update sabotages the TaiG jailbreak tool, users say. The hack was functional through iOS 8.1.2, outdoing Pangu, which stopped working as of v8.1.1. Although the TaiG team itself hasn't confirmed the problem, Apple's notes for v8.1.3 actually credit the group with finding four security vulnerabilities.
All previous versions vulnerable, attacks on un-updated machines seen in wild
Adobe has again had to issue an update to the browser plug-in version of Flash due to a critical flaw in the program that allows remote attackers to take over un-updated Macs or PCs, the latter running either Windows or Linux. The company urges users to update to the latest version, first issued on Friday, that patches the problem -- however, all previous versions should be considered at risk, and there are not yet any Chrome browser or standalone updaters available.
Transactions traced between Ulbricht, Silk Road Bitcoin accounts
The latest update in the trial of Ross Ulbricht's involvement with the controversial but now-closed Silk Road contraband market site involves Ulbricht's collection of bitcoins. A researcher who has audited the stash claims that approximately 20 percent of Ulbricht's bitcoin funds were transferred directly from Silk Road to his accounts, a transaction that would have been worth close to $3 million based on the value of the digital currency at the time.
Data on 14,241 users with passwords leaked to the Internet following hack
A counter-hack against the Lizard Squad hacking group's distributed denial of service (DDoS) tool LizardStresser has resulted in a customer data theft. Details of 14,241 users of the disruptive hacking tool have been stolen from the group's site, including user names, passwords, and other data stored in plain text, and have now been posted online.
Hacker group threatens to divulge client identities, bank is unconcerned
Some 30,000 emails from Swiss and foreign clients of the Genevan state bank BCGE have been published by a group or individual calling itself "Rex Mundi." The release of the information occurred on Friday, after the bank declined to give in to demands for a payout to keep the information under wraps. The would-be blackmailer provided the bank with a sample of data from two supposed BCGE clients as proof of the hack, and threatened to publish all of the data unless €10,000 ($11,779 US) was paid by the bank.
Unprotected home, enterprise routers said to be part of Lizard Squad botnet
The attacks against gaming services including the PlayStation Network and Xbox Live over the last month may have been carried out in part by home routers. A report claims Lizard Squad, the hacking group claiming responsibility for the attacks, has access to a large collection of hacked routers, which it is using to bolster its distributed denial of service (DDoS) attacks.
Prince of Persia, Maniac Mansion, Original Sim City, Lemmings among web-adapted games
Last November, the Internet Archive debuted its new service, The Internet Arcade, where over 900 arcade titles from the 1980s and 90s were hosted for free play in a web browser. Today the service topped itself, expanding the Software Library to include 2,300 MS-DOS-era games, available through the EM-DOSbox in-browser emulator.
Blocks hacking tool just one day after release, locks accounts if iDict is attempted
Apple appears to have fixed a flaw in its password security just one day after a hacker announced a new tool that could conceivably breach the existing protection against "brute force" attacks on accounts by taking advantage of an exception. On January 1, a new tool called iDict emerged in a rough state that could bypass repeated password-attempt blocking due to an exception made for iPhones. On January 2, Apple closed that exception and began locking accounts iDict was being used against.
Aluminum bracket attaches to a VESA compatible wall or desk mount
NewerTech has released a new adapter that allows a 2012 or newer model iMac (including the latest Retina 5K iMac) to be hung with a universal VESA mounting system. Since 2012, Apple has made it so that iMacs must be ordered with a VESA mount at the time of ordering, which means four screw holes would be drilled into the back -- if the original purchaser did not order the custom VESA fitting, there was no option to remove the stand, or add the option to mount it later.
Restaurant chain will eat losses if banks do not compensate customers for any breach
A rash of credit and debit card fraud cases has been tracked back to accounts that were all used at various Chick-Fil-A locations around the US. The fast food restaurant joins the ranks of retailers with point of sale security issues. This particular breach appears to have run from December of 2013 to September of 2014.
'It wasn't nice getting raided at 7:30 AM'
Another arrest has been added to the string that began earlier this month in relation to alleged Lizard Squad activities. Lizard Squad is a small group of Internet miscreants that claims responsibility for ongoing distributed denial of service (DDoS) attacks on gaming networks (including over Christmas). The group has also claimed responsibility for at least one bomb threat (grounding an airplane carrying Sony Online CEO John Smedley), and participation in the Sony hack.
New information yields the possibility of at least one ex-employee playing a role
The saga of "who really stole all that data from Sony" continues, in spite of the FBI's adherence to its findings that North Korea alone was responsible. Independent investigations by security organizations have expanded the suspect list to include ex-employees, while net vandals Lizard Squad have, in their continuing quest for attention, claimed partial credit.
Average person unlikely to be impacted
The European group that first demonstrated a hack of Apple's Touch ID using a fake fingerprint says it has discovered a way of recreating a fingerprint without a physical sample. The Chaos Computer Club's Jan Krissler, better known as Starbug, demonstrated the technique at the Club's recent 31st convention in Hamburg, using German Defense Minister Ursula von der Leyen as an example. Through commercial software called VeriFinger, Krissler says he was able to piece together Von der Leyen's thumbprint based on publicly-available photos of her digits.
'We're not even close to where we need to be,' President says
Last Friday, at President Barack Obama's year-end press conference, Carrie Budoff Brown of Politico asked the first question. Her inquiry was whether Sony had done the right thing in canceling the release of the Seth Rogen comedy The Interview, and what a "proportional" US response to the North Korean-led cyber-attack on Sony would look like. While discussing the answers to those questions, President Obama called on Congress to help create stronger cyber-security laws.
No exploits were utilized in the hacking of the bank's network
Back in July, five bank networks were hacked, the most notable of which was JP Morgan Chase, which resulted in more than 76 million households' information being leaked. At first, it was suspected that a "zero-day" exploit had been utilized to gain access, but an unidentified source has indicated the real story is somewhat more mundane.
Main Internet connection for North Korea goes down following statement attacking US government
North Korea has declared it will strike against the United States, after the Federal Bureau of Investigation (FBI) identified the rogue state as the origin of the Sony Pictures hack. However, alongside the sabre-rattling statement provided by the Korean Central News Agency of DPRK (the Democratic People's Republic of Korea, as it calls itself) are reports that the country's Internet connection has itself been the target of an attack over the weekend, with North Korea effectively being knocked offline.
A new IP, fluttering Jolly Roger, countdown clock
Earlier this month, Swedish law-enforcement raided The Pirate Bay's servers and were able to knock the venerable torrent aggregator offline. Earlier today, the domain moved to a new IP address, and displayed a fluttering Jolly Roger pirate flag only. Now, the flag waves in the background as a clock counts down to January 5, 2015. While one of the original co-founders applauded the takedown, acolytes made sure that no significant dip in torrenting activities -- illegal or legit -- resulted from the apparently-temporary closure.
Compromised servers isolated and replaced, say project developers
Last Friday, the Tor Project blog posted about a possible threat that some of its servers would be seized in an attempt to incapacitate or hijack the Tor network. Over the weekend, a group of "exit node" servers in a Dutch datacenter went down, and then came back online. The service, a volunteer network of relays aiming to provide anonymity and security, says it was warned of suspicious activity that may have been instigated by law enforcement.
US continues to claim NK responsible for Sony hack, pirate release of movie possible?
In an interview recorded on Friday, President Obama clarified his remarks last week regarding the Sony Pictures hack. The president denies swirling discussions about the hack being an act of war, and called it "an act of cyber vandalism that was very costly, very expensive." Additionally, late Sunday, tweets purport that hacker collective Anonymous is about to wade into the fray against North Korea for its role in the event.
Requires physical access, but works on OS X, Windows, Linux
A new USB microcontroller -- roughly the size of a small thumb drive -- has been demonstrated as a proof-of-concept device that leverages a serious and unfixable vulnerability in USB to easily take over and install malware on any unlocked computer. Though it requires physical access or tricking the user into inserting the controller into a USB port, the device has worrying implications for any computer left unattended for more than a minute -- the time it takes for the device to gain admin access, change network settings, install a backdoor and remove any obvious sign of intrusion.
Review still under way, sparked by rape allegations and regulatory resistance
In response to the concerns of customers, legal troubles and bans in multiple markets around the world, rideshare/taxi service Uber has begun a study into ways to better screen drivers and improve overall safety. Phillip Cardenas, Uber's head of global safety, outlined the company's plans in a blog post today. Cardenas comes from Airbnb, where he spearheaded the creation of that company's safety program.
Managing privileged operations on Linux servers key for protecting e-commerce servers
In a blog post today, AlertLogic Chief Security Evangelist Stephen Coty outlined ways to identify and protect against a Linux server exploit he has dubbed "Grinch." Citing a 2013 report from W3Tech stating that approximately 65 percent of all web servers utilize a Unix or Linux-based operating system, he said that the danger is that Grinch can be used to "steal Christmas." At the crux of this exploit is a way to access administrative permissions through JournalID, which could allow remote execution of commands on any Linux-based server.
Insecure URLs from Delta revealed boarding passes from other airlines, other passengers
Dani Grant, the founder of the security research group Hackers of NY, has reported a serious flaw in the way that Delta and potentially other airlines handle online boarding passes, often displayed on smartphone screens to gain entry to flights. Grant discovered that if she shared the URL to her Delta online boarding pass, anybody could download and potentially redeem it. Even more disturbingly, when she changed the last digit of the seemingly random numbers in the URL, she could view someone else's online boarding pass, which might even be on an entirely different airline.
Christmas comes early as white hats totally pwn script-kiddie newbs
Since August, a hacker group calling itself the Lizard Squad -- self-described as a handful of 'guys with too much free time on their hands' -- have been entertaining themselves by spoiling other people's fun. Primarily, they've been doing this by attacking online video game services and knocking them offline. An opposing "white hat" group of network security researchers have now exposed members of the Lizard Squad group, leading to the arrest of three members, some of whom had also been involved in bomb threats and other domestic terrorism.
Un-jailbroken iOS devices safe from attack; Android, Windows smartphones at most risk
Beginning in Russia and spreading quickly to other countries, a new variation on the formerly-dormant Red October malware has been detected by security firms such as Blue Coat and Kaspersky this week. The new version -- which is notably targeting smartphones of diplomats, military leaders and business executives -- contains a level of sophistication in the function and code that suggests a rogue state, which would have the resources to assemble the talent, is backing the attack.
Employs DDoS attacks, enlists Amazon Web Services to block distribution
In a surprising twist to the ongoing saga of an attack on Sony Pictures' internal computer system by unidentified hackers (likely to be from North Korea), the studio is starting to fight back by leveraging Amazon Web Services to carry out distributed denial of service (DDoS) attacks on identified servers that contain files stolen from Sony over the last month. Taking a page from its own playbook, the media conglomerate is flooding suspect servers with dummy files, a sequel of sorts to anti-piracy attacks carried out by the firm in conjunction with Media Defender seven years ago.
Sophisticated malware used forged enterprise provisioning to enter iOS through OS X
Apple's iOS, when un-jailbroken, is so resistant to malware that three Chinese suspects had to come up with an exceedingly clever method of delivering the "WireLurker" threat to the company's mobile devices. On Monday, Chinese officials announced they had arrested the three suspects, and shut down the servers hosting the malware. The threat was never widespread because of the elaborate nature of the scheme and its China-only focus, but it was one of the few malwares able to get onto un-jailbroken iOS devices.
Supports all recent iOS devices
Pangu's iOS 8.x/8.1 jailbreak tool has been successfully ported to the Mac, its creators have announced. As with the original Windows edition of the jailbreak, it supports all iOS 8-capable devices, including even the iPhone 6, 6 Plus, iPad Air 2, and iPad mini 3. The Pangu team cautions that people should backup a device before beginning, and also restore if they've downloaded any over-the-air firmware updates.
Simple website indexing bot suggests Apple is increasingly bypassing search engines
Can affect non-jailbroken iOS devices; currently distributed through unofficial Chinese store
A new malware threat to iOS has been discovered that can invade the normally well-protected mobile system through a flaw in OS X and USB that allows packages to be installed through enterprise provisioning. Called "WireLurker," the malicious OS X application (once installed) will monitor for new iOS package installs, and then exploits a weakness in USB to install malware into the target iOS device. Once it is installed, the iOS malware tries to harvest personal data like contacts.