No evidence of breach at present, but will force-reset account passwords
Amazon in the US and the UK has sent emails to some users saying the company has reset their account passwords after discovering that "your [Amazon] password may have been improperly stored on your device or transmitted to Amazon in a way that could potentially expose it to a third party." The company said it is resetting the affected accounts out of "an abundance of caution" and that it has no evidence of a direct breach.
Hand-crafted with rich Corinthian voices for extreme effect
Episode 42 is, first and foremost, a gorgeous-sounding episode. It features Mike and Charles, a good connection, and a fair amount to talk about even in a slow news week. As is the norm with these two, they wander around to various topics, but among the things that are definitely discussed are the repairability (or rather, the lack of it) of the Apple Pencil (and whether anyone should care), what's up with MacUpdate.com, and more.
Gaming news summary for November 22, 2015
Welcome to the Game Replay, the thrice-weekly look at the wider world of gaming by the staff of MacNN. In today's edition, Sony confirms it is working on PlayStation 2 emulation for the PlayStation 4, Valve allegedly prepares to make changes to how it runs its major Steam sales, and Rooster Teeth suffers a server breach.
Amazon adds two-factor authentication to accounts
Amazon is improving the security of its account system, just in time for the Black Friday sales, by giving users the option of adding two-factor authentication to the log-in process. The online retailer now allows account holders to log in using an extra generated code alongside their regular username and password, potentially preventing fraudulent purchases from being made from the account.
Cloud storage for seven days included with Arlo Q
Networking gear company Netgear today introduced the Arlo Q 1080p HD Security Camera with Audio, model VMC3040, the newest member of the Arlo IP camera family. The new addition to the Arlo line features 1080p high-definition video and two-way communication.
Instagram account credentials sent by malicious app to third-party server
An app that harvested the account credentials of Instagram users has been pulled from the iOS App Store and Google Play, after being found to be malware. InstaAgent, an app that claimed it could track who has visited the user's Instagram feed, has been found to store and transmit the usernames and passwords of Instagram accounts to a third-party server, potentially putting hundreds of thousands of user account credentials at risk.
Lawsuit fails due to optional nature of bringing bags to stores
A class-action suit relating to Apple's employee bag search policy was shut down by a federal judge over the weekend. The ruling on Saturday halts proceedings for the suit, which sought to force the company to pay its retail staff for their time spent waiting for their bag to be inspected by managers before and after their shift, with the judge primarily dismissing the suit over the fact employees could avoid being searched by not using bags at all.
Postcard app servers breached this week, UK authorities investigating
Touchnote has become the latest online service to confirm its servers have been breached, with a limited amount of customer details accessed by the attackers. The postcard creation app for iOS and Android advises it first discovered the data breach on November 4, with the company now contacting potentially affected customers via email while still investigating the extent of the attack and fixing any security issues.
Home-oriented security camera better than most, but issues remain
Home security is a growing industry, with millions of people dumping thousands upon thousands of dollars into it every year. Technology has finally made it so that people can get their hands on a DIY home security system, though for a lot of people it's just not worth having their whole home hardwired into a Fort Knox-like vault. If you're just looking for an easy way to keep an eye on your home, we think that the D-Link Full HD Ultra-Wide View Wi-Fi Camera, or the D-Link 2630L for short, might work - but there are some issues. Check out our full review to see what we thought.
Proposal requires UK Internet providers to hold browsing records for one year
The government of the United Kingdom is attempting to force Internet service providers to keep a record of a customer's online browsing habits, in order to assist the country's security services. The draft Investigatory Powers Bill, presented to Parliament earlier today, would require ISPs to hold onto logs of websites visited by its users for a 12-month period, letting the police and other security-related agencies legally see where suspects have been online.
Threat is greatly reduced, but still present through variant versions
Although Apple "quickly reacted" to a threat emanating from China last month, where altered, pirated versions of Xcode were found to contain non-threatening spyware that could have been used to launch a greater attack, variant versions of the XcodeGhost malware are still present, and have been found on servers in the US in the enterprise sector. The actual danger is greatly reduced, as the command-and-control networks have mostly been disabled, but there is still some potential risk.
Unpublished iOS 9.1 exploit may be sold to government agencies
An unpublished jailbreak for iOS 9.1 and iOS 9.2 beta that works within the browser has allegedly been created, but is unlikely to be seen by the general public at all. Zerodium, an "exploit acquisition platform" that buys and sells methods to get around the security of operating systems and other software, claims its iOS 0-day bounty has been won by one hacking team, earning the creators of the exploit $1 million.
Apple TV app denied entry to App Store over hacking tuition videos
A hacking collective is complaining that Apple has rejected its app from the app store, potentially as retaliation for previous iOS hacks by its researchers. The Chaos Computer Club's app was intended for people unable to attend the Chaos Communications Congress in Germany to view streams of security talks at the event, with Apple allegedly using revelations of iOS issues at previous events as an excuse to ban the organization's Apple TV app.
Libraries will facilitate more secure third party applications
Apple has opened up its cryptographic libraries to developers in an effort to enhance the end user's security. Newly opened are the Security Framework and Common Crypto libraries, released to allow developers "to help them build advanced security features," according to Apple.
DOJ no longer asking to force Apple to unlock iPhone in drug case
Apple is no longer under pressure from the Justice Department and a New York District Court for refusing to extract data from a suspect's iPhone 5s, as the defendant in the case has pleaded guilty. Jung Feng has admitted guilt on three counts related to the distribution of methamphetamine, effectively negating the need for the DOJ to try and coerce Apple into breaking its own iOS security to help the government with its case.
Move prevents downgrading, blocks further jailbreak exploits
As per usual, Apple has now stopped signing code for the most recent previous release of iOS 9, version 9.0.2, as a security measure. The move also effectively blocks users from downgrading to the previous version, which may be needed for jailbreaking. In addition to bug fixes and security updates, iOS 9.1 also introduced several new features, such as support for Unicode 8 and subsequent new emojis, along with the Live Photos feature for owners of the iPhone 6s or iPhone 6s Plus.
Controversial parallel between phone unlock and lethal injection made
The judge at the head of the iPhone unlocking controversy court hearings has upped the ante somewhat. In arguments Monday, Judge James Orenstein said that forcing Apple to extract data from a suspect's iPhone 5s would be tantamount to forcing a pharmaceutical company to provide drugs for executions against company mandate.
ISP had complied with UK data protection law prior to major breach
The head of TalkTalk has dismissed claims that the company hasn't done enough to protect the data of its users, in the wake of a major breach potentially affecting 4 million customers. In an interview over the weekend, Dido Harding claimed the company was not under any "legal obligation" to encrypt customer data, including bank account details and other sensitive information, and that it had done enough to try and protect its customers under United Kingdom law.
Customer identities, payment details may have been accessed during TalkTalk attack
British Internet provider TalkTalk has become the latest victim of a major cyber attack, with a breach involving the details of up to four million customers. The company has confirmed the breach took place on October 21 during a "significant and sustained" attack on its website, with details including names, addresses, dates of birth, phone numbers, email addresses, payment details and other account information potentially accessed by attackers.
Secure your important data with Backblaze for just $25 for one year
Sometimes, MacNN finds a deal that is too big or important to go into our usual deal lists, and is deserving enough to be highlighted in its own Big Deals post. This time, we are focusing on one offer from our own MacNN Deals store for Backblaze, a backup service that makes it easy to safely protect your important documents and files online.
Action follows fix for yet another critical security issue in web technology
Following a fix issued on Friday that appeared to plug the latest in a string of critical security issues plaguing Adobe's Flash, the aging web animation technology, Apple has again moved to block any version of Flash that is not the latest for the current and recent versions of OS X. Machines not running Flash version 22.214.171.124 (or 126.96.36.199 for older systems) will receive a message about a "blocked plug-in" or "Flash Security Alert" and be unable to use Flash until they update to the current version.
Device at heart of case one of 10 percent of devices Apple can unlock
Apple has filed its brief with the US legal system, reiterating that it cannot decrypt all of its phones on demand, but still has the "technical ability" to unlock older phones. However, the device in question is one of the estimated 10 percent of devices running an operating system older than iOS 8 that Apple can unlock, and the company will do so if it has been given clear legal authority to do so -- but would rather the judge not request that the company do so.
Flaw was fixed in 2012, but users of older versions not forced to migrate until now
A Microsoft engineer has revealed that one aspect of security software maker AgileBits' 1Password service -- the remote-access 1PasswordAnywhere feature -- includes unencrypted metadata in its keychain that is indexed by Google, making it possible for confidential information to be discovered. The company has responded by saying it will issue upgrades to fix the problem "soon," and blamed the issue on not forcing users of older versions of 1Password to migrate.
One model with 1080p streaming and capture, other with 720p
D-Link today announced immediate availability of two new 180 degree Ultra-Wide View Wi-Fi Cameras. The Full HD 1080p (DCS-2630L) and HD 720p (DCS-960L) are the company's first 180 degree Wi-Fi cameras, delivering the widest angle lens available on a consumer fixed camera and allowing them to cover a larger viewable area.
Apple confirms problem, claims review process being evaluated
Following research by an analytics firm, Apple has pulled some apps from the iOS App Store that use private API calls to collect user data. Data collected by Chinese advertising company Youmi, in violation of Apple regulations, includes serial numbers of devices running iOS 7 and earlier, serial numbers of phone subsystems and components under all versions of iOS, Apple ID emails, and a list of installed apps.
Exploit effective against all versions of Flash for OS X, Windows, Linux
A critical vulnerability has been identified in Adobe Flash Player by security researchers at Trend Micro. All versions of the problematic plugin for Windows, Macintosh and Linux, including this week's release, are affected by the vulnerability. The flaw can be exploited to induce a system crash on a targeted machine and potentially allow an attacker to take control of the affected computer.
First iOS 9 jailbreak surfaces weeks after operating system ships
Pangu, a team known for its tools used to jailbreak iPhones, has released what is believed to be the first public untethered jailbreak for iOS 9. Usable on iPhones, iPads, and the iPod touch running the current generation of Apple's mobile operating system, the jailbreak tool allows device owners to bypass Apple's own App Store and associated security processes, in order to install apps from third-party stores, such as Cydia.
Judge historically an advocate for requiring warrant for digital searches
In an attempt to kickstart the discussion about the recent trend of device manufacturers being unable to unlock devices, Magistrate Judge James Orenstein has declared that he will probably not order Apple to unlock a suspect's device, but needs some answers from Apple first. As part of his statement, the judge is asking why it would be "unduly burdensome" for the Cupertino manufacturer to unlock the pre-iOS 8 iPhone.
Government agencies, like FBI, will lobby for snooping 'backdoor' nonetheless
FBI Director James Comey, a vocal advocate for forcing computer manufacturers to install "backdoors" in computers so that various law-enforcement and spy agencies can gain unfettered access to US and foreign citizens' data, announced on Friday in testimony before Congress that the Obama administration had opted not to force tech companies to decrypt encrypted communications and files. Comey added that talks with tech companies about how to help with law enforcement had, however, become "more productive."
Offending apps use own root certificates, pose security risk
Apple has removed a small number of content blockers from the App Store, with the blockers said to pose a security risk to its user base. The removed apps, which blocked online advertising from being shown on iOS devices, have been found to install their own root certificates, potentially allowing for malicious developers and other parties to steal user data by reading web traffic before it is encrypted by the browser.
Payment network not compromised, but data on the system may be stolen
Prior to Samsung Pay's rollout, the technology at its core may have been stolen. LoopPay, the company behind that technology, had its corporate network broken into by the Codoso Group, the same hacker collective that penetrated Forbes' security and served malware to its readers. Both Samsung and LoopPay claim that customer information and transaction data was never at risk -- but the hacking collective was after data about the system itself.
Enterprise certificates misused once again, threat mostly stopped by iOS 8.4
Security researchers have revealed the "YiSpecter" malware, a strain able to affect both jailbroken and stock devices on older versions of Apple's iOS. The package utilizes compromised developer certificates, as well as private APIs, and for a brief period of time avoided detection. As with previous malware, the package was only prevalent in China, with limited worldwide infections.
Reasons to embrace or avoid upgrading, hacks and scams, and all for science
It's now October, and all the big Apple gifts we're going to get for Xmas this year are (probably) behind us. There's just one more to open: OS X 10.11 El Capitan. Should you jump to the latest and greatest? There are reasons to do so, and there are reasons to wait, depending on your situation. MacNN Editor Charles Martin and Managing Editor Mike Wuerthele discuss the pros and cons, talk about the real differences between the iPhone 6s and iPhone 6s Plus, argue whether 16GB can work on an iOS device for storage without much pain, and more.
Sturdy stand combines with ultra-secure handgrip for multi-faceted tablet protection
There's no denying iPads are great, but out of the box they can be a little limiting in some pretty common scenarios. Carrying one around is somewhat cumbersome due to their size, and leaving one out in the open isn't exactly the smartest idea either. Luckily for us, the Grip and Dock by Maclocks is designed to keep your iPad secure, whether you're toting it around town, or have it hanging out on your desk.
Released Patreon data includes 13.7GB database, user details
Data reportedly acquired from a security breach of continuous crowdfunding service Patreon has leaked online. The data, weighing in at close to 15GB, is said to consist of files from Patreon's servers acquired by hackers late last month, with the data including a 13.7-gigabyte database that includes 2.3 million email addresses and other encrypted information that may pose a security risk to the service's user base if it is decrypted.
Cook firmly against NSA surveillance, encryption back doors
Apple CEO Tim Cook took to National Public Radio's All Things Considered radio show yesterday to discuss Apple's stance on several hot-button issues. In his interview with host Robert Siegel, Cook addressed governmental information requests, as well as the requests for "back doors" into Apple's encryption. Additionally, Apple's stance on user privacy was delved into, and a conversation was had about how Apple utilizes customers' purchasing history.
Credit check details of potential T-Mobile customers acquired in Experian breach
T-Mobile has advised the personal details of approximately 15 million people have been seized as part of a data breach of another company's servers. The carrier was told by Experian, the vendor that processes T-Mobile's credit applications, that the breach occurred, and details including names, addresses, and dates of birth of both subscribers and prospective customers were acquired by an attacker, among other sensitive information used as part of T-Mobile's credit assessment.
Apple already working on patch, potential mischief would be limited in scope
A security researcher planning a presentation at the Virus Bulletin Conference in Prague on Thursday has revealed that he has discovered a relatively simple way to bypass OS X's Gatekeeper security feature, potentially allowing a malicious file buried within a trusted application free rein to run unobstructed. The exploit could be used to steal passwords by modifying a legitimate app that already has Gatekeeper approval, for example. Apple is already aware of the issue and working on a fix.
iOS update fixes minor issues, Safari 9 for Mac offers new features
[Updated with news of new iOS 9.1 beta] Ahead of the release of OS X 10.11 El Capitan, Apple has released its latest major Safari for Mac update, boosting the browser to version 9.0, for both Yosemite (OS X 10.10) and El Capitan (10.11) users. Safari's earlier supported versions for Mavericks and Mountain Lion are also likely to see minor updates released later for compatibility reasons. In addition, Apple on Wednesday released another minor update for iOS 9, bringing it to v9.0.2, and unveiled a third developer and public beta of iOS 9.1.
Updates policies on News, ad-supported services, iOS 9, OS X services
Revealer of Target breach, Brian Krebs, claims November 2014 start
While still unconfirmed, multiple independent sources have found data suggesting that the Hilton Hotel chain has suffered a massive theft of customer data from a large number of locations. Banks have sent out alerts since August about the theft, which has been tied to a point of sale intrusion at hotel front desks and gift shops at the hotel and resort chain.
Other tech CEOs in Washington following conference with Xi in Seattle
Apple CEO Tim Cook and Vice President of Environment, Policy and Social Initiatives Lisa Jackson attended a White House state dinner in honor of visiting Chinese President Xi Jinping, hosted by the President and First Lady. Cook and Jackson sat with the Obamas at the head table, and Cook had met previously with Xi at a conference in Seattle attended by numerous US tech CEOs and executives, many of whom were also at tonight's dinner. President Obama and President Xi held a joint press conference earlier in the day that covered cybersecurity, trade agreements, and military relations.
Bug is preventable with preference change, attacker must have physical access
A new flaw discovered in iOS 9 could -- assuming the attacker has physical access to the device -- allow someone access to a user's contacts and photos without a PIN code. The flaw takes advantage of the fact that Siri can be called up from the lock screen without unlocking the device first -- an ability that can be turned off in settings, if users are concerned about the possibility of others gaining access to the mobile device.
Second betas for iOS 9.1, tvOS, Xcode 7.1 issued to developer accounts
One week after it unveiled the public release of iOS 9, Apple on Wednesday issued version 9.0.1, which addresses a few security and bugfix issues. The update fixes issues where alarms and timers might not play and where some users could not complete the setup assistant after updating, among other issues. In addition, the company issued new second developer betas of iOS 9.1, tvOS, and Xcode 7.1 for testing.
VPN access, private phone numbers, security courses offered by MacNN Deals
Every day, alongside our regular Daily Deals post, we are highlighting some of the offers available from our own MacNN Deals store. Today's collection of four deals aims to help you protect yourself online, with the quartet including a pair of VPN services, a private secondary phone number, and a cyber security developer course bundle.
Chinese malware was not malicious, but points out new vector of attack
Apple has now responded publicly to the XcodeGhost malware scare, explaining in a page on its Chinese website addressed to customers that even if they used apps affected by the issue, no personally-identifiable information was gathered. The company removed any affected apps, and explained the cause (iOS programs were built using compromised Chinese versions of Xcode downloaded from other sources), while offering developers a method of ensuring that their own installations of Xcode were valid.
Possibility of 344 apps infected, claims Chinese research firm
Further research on the XcodeGhost Apple iOS App Store situation has shown that some apps beyond the Chinese market are infected with the limited malware package. According to researchers, 31 apps carrying XcodeGhost have at least some international impact beyond just the Chinese iOS App Store, including popular Rovio title Angry Birds 2. One Chinese research firm believes as many as 344 apps have fallen victim to the package.
Revamped release includes iOS 9 features
In January, we enthused about 1Password version 5.2, and then in April we found more to say over the tiniest of updates to version 5.3. Much as we like it, we knew then that it would take the makers adding something very special to give it a third full Hands On for what is, essentially, the exact same product. They've added something very special. This is now 1Password 6.0, and while it doesn't feel as giant a leap as it was to version 5.0, it's significant -- and we like it a lot. A lot.
Alteration of Xcode responsible for embedding relatively light monitoring package
The Chinese iOS app store was briefly serving two apps with very light embedded malware. Apps compiled from a modified version of Apple's Xcode development environment found on Chinese piracy sites have been found to include "XcodeGhost," a malware package that collects time, device name, and network type. In itself, the data collection is not a problem, but of more concern, Apple's vetting process for the apps clearly failed to identify the (admittedly mild) threat.
Improves VoiceOver support, adds two-factor iTunes authentication, more
In addition to iOS 9, Apple has updated its iTunes program for OS X to version 12.3 to support the new iOS release, tweak some aspects of the "love" rating, improve iTunes accessibility with VoiceOver, and add support for two-factor authentication for Apple IDs -- along with the usual "improvements to overall stability and performance." While any changes or fixes to the paid Apple Music service or its relationship to iTunes Match are not mentioned, fixes for Up Next and Recently Played are included.