Flaw discovered a month ago leveraged in new adware installer
A zero-day exploit revealed last month, affecting only OS X Yosemite, has been found "in the wild." The exploit is being used in an adware installer: it modifies the UNIX "sudoers" file, which determines who has root permission on the system, and during the installation process can give root permission to an arbitrary process without needing a password.
Card reader accessories said to be easily turned into card skimmers
Security researchers have come up with a way to turn the Square Reader into a tool for stealing data from credit cards. A group of recent graduates of Boston University will be speaking out about how they can modify the smartphone accessory, used to facilitate card payments via Square's service, to allow any other app to intercept the data and use the card owner's payment information for other, presumably illegal, uses.
Exploit still requires user permission to install, downplayed by experts
A new exploit has been developed that could threaten Mac security by leveraging vulnerabilities in firmware rather than software, making the worm nearly impossible to remove. While sounding more ominous than any threat since the original firmware-based Thunderstrike (which was limited to a proof-of-concept with no reported attacks), leading security experts say this new threat is also very low-risk.
First password manager to allow changing of passwords from Watch, company says
Dashlane, a password manager for OS X and iOS that MacNN recently reviewed, has announced that it has brought its Password Changer feature, which makes possible extensive password management on iOS devices, to the Apple Watch. The new 3.1 version for iOS includes the feature, and also offers notifications of a security breach on monitored websites, and improves Touch ID support.
Good, strong password manager
Ask anyone who uses a password manager app, and they will evangelize about it -- but they'll also make it sound as if there's only one. We're a little guilty of this ourselves: we've regarded 1Password as synonymous with password management. Yet there are really a handful of them, and Dashlane 3.0.3 has fans who will never look at anything else. They probably don't need to.
Android-based clones sold in US, leading to Chinese government raid
Acting on a tip from US law enforcement, Beijing police raided a factory producing fake iPhones and accessories. Nine suspects have been arrested in the scheme, which produced 41,000 fake phones and could have been worth up to $19 million in counterfeit electronics sales.
Dozens of apps allow unlimited login attempts, creating minor security risk
A new report has found that a number of popular iOS and Android apps have what amounts to a minor security fault, in that they allow users to make an unlimited number of attempts to log in to an associated account, thus making them vulnerable to password guessing by attackers who have physical access to the device, such as thieves or overzealous law enforcement. Security firm AppBugs says "dozens" of apps are affected, including Slack, iHeartRadio, Dictionary, SoundCloud and many others.
Standard retail procedure questioned, suit represents 12K retail workers
Despite a previous dismissal of an earlier version of the lawsuit, a US District Court judge has ruled that Apple must face a trial in a class-action lawsuit over the practice of "bag checks," a standard retail loss-prevention technique that is widespread among retailers. The specific dispute in the case involving Apple was that employees complained they were being detained for up to 15 minutes after their shift had ended, without compensation for the lost time.
Tighter security, hardware authentication may be hampering products
A new report makes the claim that third-party products utilizing Apple's HomeKit technology are slow in coming to market because of the iPhone maker's changes to improve the security of the devices, including a certification requirement to use hardware-based authentication chips that makes product upgrading difficult, and products more expensive. The report also makes more questionable claims of "capricious" changes.
Purchase of chip producer may face scrutiny by US government over security fears
An alleged offer by a company backed by the Chinese government to acquire US chip producer Micron Technology faces a considerable uphill battle before it can go ahead. Tsinghua Unigroup is reportedly proposing to acquire Micron, a producer of NAND and DRAM and a RAM supplier to Apple, at a reported price of $23 billion that is considered low; concerns from regulators and US lawmakers are likely to torpedo any sale to the Chinese company for the foreseeable future.
Pair focusing on identity verification on mobile, handshake across devices
The Fast IDentity Online (FIDO) Alliance, the organization focused on changing the nature of online authentication, entered into a memorandum of understanding with the Bluetooth Special Interest Group (SIG) to use Bluetooth Smart as an alternative to using a USB dongle in Universal Second Factor (U2F) authentication. The goal of the pair is to contribute to specifications for FIDO U2F over Bluetooth Smart to extend the reach of the protocol from the desktop to the mobile device.
mount can be VESA mounted, or accommodate other MacLocks stands
Apple device-centric security firm Maclocks has unveiled the Rokku iPad stand, designed to turn an iPad into a kiosk for Apple Pay functionality. The Rokku includes a double lock and a recessed tamper-proof frame made of high-grade industrial strength
New vulnerabilities in Flash force Mozilla to take action
Mozilla is blocking Adobe Flash from being run in the Firefox browser following a series of serious security flaws in the software. As of the most recent update all versions of Flash identified with a vulnerability have been blocked by default in order to keep the browser secure, Firefox support head Mark Schmidt advised on Twitter, though he also clarified the block is not permanent, and will be lifted in the event Adobe releases a new, more secure version.
Gaming news summary for July 12, 2015
Welcome to the Game Replay, a twice-weekly look at the wider world of gaming by the staff of MacNN. In today's edition, the president of Nintendo passes away, an expansion for The Talos Principle is announced, and a game company gets attacked after its president threatens a hacker with legal action.
Latest exploits flaw marketed by Hacking Team to governments, others
Adobe has updated Flash to version 188.8.131.52 for Windows and Mac in an effort to close yet another batch of security flaws. While no active use of the exploits had been discovered, the company had been notified earlier this week that some of the exploits had been discovered to be known by Hacking Team, a group of commercial security attackers that has sold such secrets and flaws to government agencies around the world.
Keep yourself, your data safe by backing up and using a VPN from MacNN Deals
Every day, alongside our regular Daily Deals post, we are showcasing some of the sales available on our own MacNN Deals store. Today's three deals are all designed to help protect you and your system, both from a loss of data by backing up online, as well as other perils associated with going on the Internet.
High-quality cellular music streams, automatic screenshot albums among changes
The latest beta given out to developers (and now the public) for Apple's iOS 9, expected early this fall, has revealed a handful of minor changes and features, along with a significant change in how the company is going to handle two-factor authentication in iOS and OS X going forward. When enabled, two-factor authentication allows users to add and verify new devices (such as iPhones) to be allowed to access a user's established cloud services and syncing. In addition to a previously-announced change to six-digit codes for verification, Apple will be removing the 14-digit Recovery Key option.
Public beta begins despite long list of issues, problems
Apple has made available public betas for iOS 9 and OS X 10.11 El Capitan, according to reports. The new software, based on the issue-laden third developer beta released yesterday, is available to users previously registered with the company's Beta Software Program. While the company normally waits until there is a fairly stable developer beta existing before issuing the first public beta, today's releases are fraught with issues and missing functionality.
Finnish court issues two-year suspended sentence to hacker
A member of the hacking collective Lizard Squad has recently been convicted of 50,700 computer crime-related charges. Julius Kivimaki, a 17-year-old identified in the hacking group as "zeekill," will not be going to prison or facing a tough penalty, as he has been handed a two-year suspended sentence by the Finnish court, according to local media, along with an order from the court to "fight against cybercrime."
Keep your device data and your passwords safe with these three MacNN Deals
Every day, alongside our regular Daily Deals post, we are showcasing some of the sales available on our own MacNN Deals page. Today's group of offers relate to keeping your online life safe, including managing your various passwords on multiple devices, and protecting your data by backing it up online regularly.
Forums, blogs attacked in Plex breach, ransom deadline looms
Plex is under threat from a hacker who is attempting to blackmail the service by holding some of its customer data for ransom. The streaming media software developer's forums have been breached, and the hacker is demanding bitcoin from the company; otherwise, the attacker says, all the acquired customer data, as well as other software and files picked up in the intrusion, will be released for all to see.
Deal expected to close in 1Q 2016 after regulatory approvals are met
Today, Cisco announced its intent to acquire OpenDNS, a privately-held security company based in San Francisco. OpenDNS provides advanced threat protection through domain name system extension, adding phishing protection and content filtering to the vital service. The acquisition is expected to close in the first quarter of fiscal year 2016, subject to customary closing conditions.
First QuickTime update in nearly three months focuses on security
In addition to an avalanche of updates ranging from major to security-patches-only, Apple has released QuickTime 7.7.7 for Windows, the first update to the multimedia technology since early April. The update fixes a clutch of security issues in the QT Media Foundation, which could allow a maliciously-crafted file to lead to an unexpected application termination or arbitrary code execution. The root cause, multiple memory corruption issues, was addressed through improved memory handling.
Next version of Safari, coming in 10.11, will offer new features
Among a storm of major updates, Apple has also issued updated versions of Safari for the three versions of OS X currently supported: Mountain Lion (10.8), Mavericks (10.9), and Yosemite (10.10). In addition to the updated Safari versions (6.2.7, 7.1.7, and 8.0.7 respectively), the company also issued the first developer beta of the forthcoming Safari 9.0, which will accompany the release of OS X 10.11 this fall, and a pair of EFI updates.
MacNN and Electronista deals for June 29, 2015
Welcome to Daily Deals, the post where we scour online retailers for offers, bundles, sales, and discounts on hardware, software, and games for you, the discerning MacNN and Electronista reader. Today, we've wiped the slate clean of older deals, with the new collection including a $300 50-inch HDTV, a 1TB SSD for under $400, and a 720p IP surveillance camera for $60.
Apple Maps adds seven new cities to Flyover feature
Earlier this week, Apple expanded the Flyover feature of its Apple Maps service by adding six international and one North American city to the visual-overview feature, which combines aerial photography with computer-generated graphic enhancements to create 3D views of various locations. The new cities have been added to both the iOS and OS X version of Maps.
Website can mimic malware report from software, thus obtaining admin password
Users of controversial utility software MacKeeper who are not up-to-date on the latest version are vulnerable to a serious security flaw that can trick users into passing their admin passwords onto attackers, thus leaving the Mac vulnerable to a complete remote takeover. Though the problem has been fixed in version 3.4.1 of the much-maligned "cleanup" utility, the flaw is being actively exploited in the wild by attackers preying on users who have not updated.
New Samsung notebooks have Windows Update-disabling software installed
Samsung is preventing some of its customers from performing Windows Updates automatically, it has been discovered. A small app going by the name of Disable_Windowsupdate.exe has been found installed on some new Samsung notebooks, with the app's sole purpose being to prevent the computer from downloading any important security updates or drivers from Microsoft's service, so that Samsung's own driver-updating software can work instead.
Addition of voice search trigger command to Chromium causes outcry
Google has come under fire from privacy campaigners, for automatically installing an audio monitoring tool as part of Chromium, the core of Chrome. Developers discovered the browser was automatically downloading and installing code that listens to the user's voice for the voice search trigger "OK Google," something that is allowed within the main Chrome browser, but not within the open source Chromium browser.
Exploit targets professional-industry users through phishing emails
Adobe on Wednesday released an emergency patch for its Flash Player browser plug-in due to a critical flaw that is being actively exploited in the wild. Flash Player 184.108.40.206 and earlier for Windows and Macintosh systems are affected by the issue, as is version 220.127.116.116 for Linux 11.x versions. The attack, attributed to APT3, the China-based organization from which it originates, uses spam "phishing" emails targeted at industry professionals to gain credentials that are then used to steal intellectual property data.
How and why to get them working together
Stop us if you've heard this one: we want to share our calendar with someone, but we don't want them to know precisely what we're doing. We need them to know we're a bit busy on Tuesday morning but, on balance, we'd rather they not be able to tell that it's our DUI court case. To be fair, they don't want to know either.
Range of discovered vulnerabilities made it possible to intercept data between apps
Apple announced on Friday that it had implemented a server-side partial security update earlier this week to help protect Mac and iOS users against a "series of high-impact security weaknesses" discovered by researchers now collectively known as XARA vulnerabilities, that could potentially be used to obtain data being passed between sandboxed applications, such as passwords. No known cases of the exploits have been seen "in the wild," and Apple says it is working with researchers on a longer-term fix.
Apps collectively downloaded over 200M times insecurely transmit account credentials
A number of popular Android apps have been discovered to leak the passwords of users, due to the use of insecure authentication systems. Researchers have found the issue in Google Play Store apps run by many major companies, where a flawed implementation of HTTPS or a complete lack of HTTPS encryption at all during the login process leaves the user's credentials exposed and viewable by anyone monitoring network traffic.
Samsung Knox being used to force the update to affected smartphones
Samsung is issuing a patch to close a vulnerability in its smartphones caused by an insecure updating system for its software keyboard. The manufacturer is pushing the fix to affected smartphones over the next few days as a security policy update delivered through Samsung Knox, its own security platform meant for enterprise use, though it is also working on a more standard firmware update for non-Knox devices that will pass through carriers.
Adobe, Wikimedia, WordPress, Yahoo among top-rated tech firms
For the second year running, the Electronic Frontier Foundation has given Apple and a handful of other tech firms a perfect "five out of five" star rating for efforts related to securing consumer data against both theft and government intrusion. The high score reflects a top initiative of Apple CEO Tim Cook, and the company generally, in believing that the business model that requires collecting and monetizing customer data is fundamentally flawed.
Safely send your files P2P from all major smartphone OS's
There's a lot of fuss over security these days, and with giant data centers being erected for the sole purpose of backlogging data, we can see why. Every time you share your pictures, videos, and personal information, there's a chance they could end up stored somewhere you didn't intend them to be. That's why BitTorrent released BitTorrent Shoot, a safer, faster way to send images to mobile devices.
Issue with insecure updates for Samsung smartphone keyboard discovered last fall
A recently-demonstrated vulnerability in Samsung smartphones could put as many as 600 million devices at risk of being misused. Demonstrated at the Blackhat security conference by NowSecure researcher Ryan Welton, the vulnerability relates to the way the update system for the software keyboard operates, allowing a malicious user the opportunity to access data, install apps, and take control of the smartphone's microphone and camera for surveillance purposes.
Wi-Fi camera from iLuv can automatically record video clips when sound or movement is detected
The first Wi-Fi camera from iLuv is said to be an easy to set up imaging device that can be used to increase security at a home or office. The mySight takes the form of a large circular camera on top of a thin-necked stand, and is capable of recording 720p video and uploading it to a cloud storage service for later retrieval or streaming by smartphones and tablets using the accompanying mobile app.
Flaw in how Apple handles secure app data storage, Keychain, WebSocket disclosed
A sextet of researchers has discovered a weakness in Apple's cross-app resource security. The researchers found a "series of high-impact security weaknesses" which allow a sandboxed malicious app, previously approved by Apple's storefront, to gain access to other applications' data stored in an app's private directory. Data at risk includes stored passwords for banking, iCloud passwords, WeChat photos, and Evernote contacts.
Attorney Parul Desai takes the mantle, floodgates now open for complaints
Citing comments leading up to the establishment of the Open Internet regulation, the US Federal Communications Commission (FCC) consumer and governmental affairs bureau chief today appointed Parul P. Desai to serve as the Open Internet ombudsperson, the public's primary point of contact within the agency. Desai will be responsible for fielding formal inquiries, informal questions, and any complaints that may arise related to the Open Internet rules from both consumers and industry sources.
Emails, password reminders, authentication hashes
Password repository service LastPass has suffered a data theft. In a blog post, and email to customers, the company notified its users that on Friday, "suspicious activity" was noticed on the network, and was shut down. However, LastPass account email addresses, password reminders, "server per user salts," and authentication hashes were stolen.
First transparency report suggests Amazon may have received National Security Letters
Amazon is joining the likes of Google, Facebook, and Apple, by issuing its first transparency report. Later than other online giants in providing the information, and only doing so after criticism from civil liberties and digital rights groups, the retailer's first report advises of the number of times the company has received requests from both US and non-US governments for customer data, and how many times Amazon has provided what was requested.
Apple CEO asks execs to investigate retail employee complaints
According to documents unsealed in an ongoing lawsuit brought by Apple retail workers against the company, Apple Store employees took to writing emails directly to Apple CEO Tim Cook to complain about the way employee bag check searches, which are intended to guard against pilfering and loss, are conducted. The lawsuit contends that employees are subject to "demeaning" procedures that also cost them excessive time and lost wages.
Changes intended to allow more developers access to app building without fees
The just-released Xcode 7 beta makes a change to the permissions needed to build and run apps on local devices in an effort to reduce the financial burden on first-time or open-source developers -- but Apple may have inadvertently opened a door to allowing code to be compiled and installed on any iOS device, bypassing the App Store. That ability, known as "side-loading," could create issues and headaches for the company, depending on how it's handled.
Proof-of-concept code posted to Github after Apple fails to close hole
As part of a slew of recent security flaws found in Apple's two operating systems (most of which, it should be noted, are either not serious or are remarkably unlikely to become common), a security researcher has turned up an issue in the iOS Mail app that has the potential to become a widespread problem. As a result, users should be wary of any pop-up dialog boxes in iOS Mail that ask the user to log in again to a given email service.
Branding, color may be a problem; camera performs well
Home security is becoming a more widely accessible option with each new stride made in technology. A few decades ago, only a handful of people had home security systems, but today upwards of 20 percent of Americans have a name-brand security system installed. Thanks to the dawn of the app and the home wireless network, there's a large do-it-yourself market for home security as well, aimed at making you feel safer without breaking the bank. We checked out SpotCam, an HD wireless camera that is designed to help you keep tabs on your home while you're away -- check our full review to see what we thought about it.
Educated guesses, wishful thinking, inaccurate reporting, likely stories
Today, many of our readers will be trying to watch the live stream from Apple's Worldwide Developer Conference, or following our coverage of the main announcements. As our reviewer Michelle noted, some people will be happy, and others will be disappointed (hint: don't invest emotionally in rumors). If you need a good laugh after the keynote, give a listen to Episode 18 of The MacNN Podcast, where we made our previously-recorded predictions.
IRS confirms tax refunds stolen because of weak security
Identity thieves have stolen the tax information of more than 100,000 people via a service run by the Internal Revenue Service (IRS), the government agency has advised. Speaking before the Senate Finance Committee on Tuesday, IRS Commissioner John Koskinen advised that the government body is working with state governments and producers of tax software to make it more difficult for a thief to steal tax refunds destined for their rightful recipients.
Speaks strongly against government, tech firms data collection practices
Even as the Republican-dominated US Senate passed a measure attempting to restore some -- but not all -- of the government's bulk data-collection powers (which expired on Monday), Apple CEO Tim Cook reiterated his role as America's leading corporate pro-privacy advocate by speaking via teleconferencing at an event hosted by the Electronic Privacy Information Center, where he was honored as one of America's "Champions of Freedom."
Google creates My Account tool to manage security, privacy settings
Google is making it easier to manage the security and privacy of a user's account, by bringing everything within the same page. The new My Account site allows users to manage their Google account's privacy settings, device activity and notifications, and other settings that apply across all Google services. Privacy Checkup and Security Checkup tools also aim to simplify the process, taking users gradually through the account settings. A second site, privacy.google.com, has been created to explain what Google does with user data, how it is secured, and other similar queries.