Released Patreon data includes 13.7GB database, user details
Data reportedly taken in a security breach of the continuous-crowdfunding service Patreon has leaked online. The dump, weighing in at close to 15GB, is said to consist of files taken from Patreon's servers by attackers late last month, including a 13.7GB database that holds 2.3 million email addresses along with other data stored in encrypted form, which could put the service's users at risk if it is decrypted.
Cook firmly against NSA surveillance, encryption back doors
Apple CEO Tim Cook appeared on National Public Radio's All Things Considered yesterday to discuss Apple's stance on several hot-button issues. In his interview with host Robert Siegel, Cook addressed government information requests and demands for "back doors" into Apple's encryption, discussed Apple's position on user privacy, and explained how Apple uses customers' purchasing history.
Credit check details of potential T-Mobile customers acquired in Experian breach
T-Mobile has advised that the personal details of approximately 15 million people were taken in a data breach of another company's servers. The carrier was told of the breach by Experian, the vendor that processes T-Mobile's credit applications; the attacker obtained names, addresses, and dates of birth of both subscribers and prospective customers, along with other sensitive information used in T-Mobile's credit assessments.
Apple already working on patch, potential mischief would be limited in scope
A security researcher planning a presentation at the Virus Bulletin Conference in Prague on Thursday has revealed a relatively simple way to bypass OS X's Gatekeeper security feature, potentially giving a malicious file buried within a trusted application free rein to run unobstructed. The technique could be used to steal passwords, for example, by modifying a legitimate app that already has Gatekeeper approval. Apple is already aware of the issue and working on a fix.
iOS update fixes minor issues, Safari 9 for Mac offers new features
[Updated with news of new iOS 9.1 beta] Ahead of the release of OS X 10.11 El Capitan, Apple has released its latest major Safari for Mac update, bringing the browser to version 9.0 for both Yosemite (OS X 10.10) and El Capitan (10.11) users. The older Safari releases supported on Mavericks and Mountain Lion are also likely to receive minor compatibility updates later. In addition, Apple on Wednesday released another minor update for iOS 9, bringing it to 9.0.2, and unveiled a third developer and public beta of iOS 9.1.
Updates policies on News, ad-supported services, iOS 9, OS X services
Revealer of Target breach, Brian Krebs, claims November 2014 start
While still unconfirmed, multiple independent sources have found data suggesting that the Hilton hotel chain has suffered a massive theft of customer data from a large number of locations. Banks have been sending alerts about the theft since August; it has been tied to a point-of-sale intrusion at front desks and gift shops across the chain's hotels and resorts.
Other tech CEOs in Washington following conference with Xi in Seattle
Apple CEO Tim Cook and Vice President of Environment, Policy and Social Initiatives Lisa Jackson attended a White House state dinner in honor of visiting Chinese President Xi Jinping, hosted by the President and First Lady. Cook and Jackson sat with the Obamas at the head table, and Cook had met previously with Xi at a conference in Seattle attended by numerous US tech CEOs and executives, many of whom were also at tonight's dinner. President Obama and President Xi held a joint press conference earlier in the day that covered cybersecurity, trade agreements, and military relations.
Bug is preventable with preference change, attacker must have physical access
A newly discovered flaw in iOS 9 could allow someone with physical access to a device to reach the user's contacts and photos without entering the PIN code. The flaw takes advantage of the fact that Siri can be invoked from the lock screen without unlocking the device first, an ability that can be turned off in Settings by users concerned about others gaining access to the device.
Second betas for iOS 9.1, tvOS, Xcode 7.1 issued to developer accounts
One week after the public release of iOS 9, Apple on Wednesday issued version 9.0.1, which addresses a few security and bug-fix issues. The update fixes problems where alarms and timers might not sound and where some users could not complete the Setup Assistant after updating, among others. In addition, the company issued second developer betas of iOS 9.1, tvOS, and Xcode 7.1 for testing.
VPN access, private phone numbers, security courses offered by MacNN Deals
Every day, alongside our regular Daily Deals post, we are highlighting some of the offers available from our own MacNN Deals store. Today's collection of four deals aims to help you protect yourself online: the quartet includes a pair of VPN services, a private secondary phone number, and a cyber security developer course bundle.
Chinese malware was not malicious, but points out new vector of attack
Apple has now responded publicly to the XcodeGhost malware scare, explaining on a page on its Chinese website addressed to customers that even users of affected apps had no personally identifiable information collected. The company has removed the affected apps, explained the cause (iOS apps were built with compromised copies of Xcode downloaded from unofficial Chinese sources), and given developers a way to verify that their own Xcode installations are genuine.
Possibility of 344 apps infected, claims Chinese research firm
Further research into the XcodeGhost situation on Apple's iOS App Store has shown that some apps outside the Chinese market are infected with the limited malware package. According to researchers, 31 apps carrying XcodeGhost have at least some impact beyond the Chinese App Store, including Rovio's popular Angry Birds 2. One Chinese research firm believes as many as 344 apps have been affected.
Revamped release includes iOS 9 features
In January, we enthused about 1Password version 5.2, and then in April we found more to say over the tiniest of updates to version 5.3. Much as we like it, we knew then that it would take the makers adding something very special to give it a third full Hands On for what is, essentially, the exact same product. They've added something very special. This is now 1Password 6.0, and while it doesn't feel as giant a leap as it was to version 5.0, it's significant -- and we like it a lot. A lot.
Alteration of Xcode responsible for embed of relatively light monitoring package
The Chinese iOS App Store was briefly serving two apps with very light embedded malware. Apps compiled with a modified version of Apple's Xcode development environment, found on Chinese piracy sites, have been found to include "XcodeGhost," a malware package that collects the time, device name, and network type. The data collection itself is of little consequence; of more concern is that Apple's app vetting process clearly failed to identify the (admittedly mild) threat.
Improves VoiceOver support, adds two-factor iTunes authentication, more
In addition to iOS 9, Apple has updated its iTunes program for OS X to version 12.3 to support the new iOS release, tweak some aspects of the "love" rating, improve iTunes accessibility with VoiceOver, and add support for two-factor authentication for Apple IDs -- along with the usual "improvements to overall stability and performance." While any changes or fixes to the paid Apple Music service or its relationship to iTunes Match are not mentioned, fixes for Up Next and Recently Played are included.
JAMF Casper 9.8 released today, now with iOS 9 support, new config options
Device management software developer JAMF Software today announced same-day support for iOS 9 with Casper Suite 9.8. Today's release allows IT administrators to manage rapid migration to iOS 9, whether performed by end users or through device-provisioning workflows. Casper Suite 9.8 provides an accurate inventory of all devices migrating to iOS 9 while ensuring that security standards are met. Additionally, the new version brings support for the new settings and payloads added to iOS 9 configuration profiles, including trust profiles for in-house enterprise apps, Apple Watch pairing and security, and data security for AirDrop.
Touch ID, Apple Watch support added to Bank of America mobile banking app
Among its many other uses, Touch ID is great for signing in to apps that require a secure login, such as banking apps. To that end, Bank of America has updated its mobile banking app to version 6.4.0, adding Touch ID login as well as an Apple Watch subset of the app that lets users check recent transactions and balances, and receive alerts on the Watch.
Voice activation, photo pre-recording stays local, not transmitted anywhere
Ahead of tonight's appearance on The Late Show with Stephen Colbert, Apple CEO Tim Cook has made a number of unannounced appearances at Apple Stores around Manhattan, meeting customers and employees. In addition, he and the company have been doing some groundwork on promoting Apple's latest technologies, including clarifying the privacy situation around the optional always-on "Hey Siri" feature and the camera recording in Live Photos, both new features coming with the latest iPhones.
Apple files for new $2.26 billion Euro debt offering for stock buyback, dividends
Apple is once again turning to the debt markets to finance its stock buyback and dividend payout programs, a new filing with the US Securities and Exchange Commission has revealed. The iPhone maker will issue a new €2 billion (roughly $2.26 billion) debt offering in order to continue to take advantage of extremely low interest rates. Only two notes will be offered, at €1 billion each, maturing in January 2024 and the fall of 2027 respectively. The company last offered a Euro-denominated debt sale late last year.
Apple service lowers prices, increases privacy and value
In light of Wednesday's announcements about iCloud storage, we thought it might be a good time to go over the various services (sometimes a bit confusing) that iCloud offers these days, with a particular eye now on its value for off-site storage of data, given the new and in some cases dramatically-lower pricing. There's plenty of competition, of course, but Apple does sweeten the pot with a few, perhaps compelling, advantages that may -- for some -- be worth a second look.
In digital world, boundaries for countries, law enforcement mean little
As has been predicted for some time, the US government is clashing with technology companies over the encryption of personal data when it comes to law enforcement. The Justice Department is accusing Apple of disobeying a court order to turn over text messages, in real time, between suspects in a guns-and-drugs case who are using iPhones. Apple has said the messages are encrypted end to end, so it holds no key with which to read them and cannot comply with the order. Microsoft is also fighting the government, over whether emails stored outside the US must be handed to US officials.
Computer heist in January 2014 leads to arrests
Four men have been arrested in the last week for the alleged theft of over $1 million worth of computers, including MacBook Airs, destined for two public high schools in New Jersey. The four were put before a federal judge in New York on Wednesday, accused of "participating in a scheme to steal, transport, and sell a shipment of approximately 1,200 computers" in January last year.
Apple launches App Store Games Twitter account
Apple has launched a new Twitter account dedicated to gaming. The @AppStoreGames account will be posting more than picks by App Store editors for app of the week, with The Verge reporting the feed will include previews of games heading to the App Store, tips for popular titles, profiles of talented gamers, and will be used to interact with game developers. It is suggested the new Twitter feed may have been put in place to coincide with a rumored refresh of the Apple TV at the September 9 event, with some suggesting games may be playable on the set-top box.
Does no harm, but could be used by others to gain access to password database
The latest version of the Genieo adware toolbar can now read the OS X Keychain without the user's knowledge, thanks to the privileges it gains during the initial install, when the user willingly enters their admin password. Though Genieo itself does not use the technique to do direct harm, the trick is likely to be copied by others to compromise the OS X password store. It exploits no flaw; it abuses privileges the user has already granted.
Dual and quad-core models with two- and four-bays
Asustor has announced the launch of four high-performance tower model network attached storage (NAS) devices. The new models are the first in the world to be equipped with Intel Braswell processors, and feature the AS6202T and AS6204T powered by quad-core processors, and the AS6102T and AS6104T powered by dual-core processors.
Malware responsible for 250,000 Apple account thefts
Malware for jailbroken iOS devices, distributed through Chinese software repositories, has been identified. Researchers have found 92 samples of a new malware family called "KeyRaider," which has been used to steal 225,000 valid Apple account login credentials along with the associated device GUIDs.
Temporary fix provided by Google to prevent app advertising from breaking in iOS 9
Google has advised app developers of a way to weaken the security of iOS 9 in order to keep serving ads. A post on the Google Ads Developer Blog offers code to get around App Transport Security (ATS), the iOS 9 feature that requires apps to use HTTPS for data sent over the Internet; the snippet disables ATS so that apps can talk to third-party advertising networks and run some "custom creative code" served from Google's own ad servers.
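An added illustration, not part of the original report and not Google's published snippet: the kind of Info.plist change that switches ATS off app-wide, beside a scoped alternative that keeps ATS on for everything except one named host, with a small check that flags each. The bundle identifier com.example.adsdemo and the host name ads.example.net are hypothetical, and the checker is example code rather than an Apple tool.

```python
import plistlib

# Constructed Info.plist of the kind that disables App Transport Security for
# the whole app: every connection may fall back to plaintext HTTP.
# (com.example.adsdemo is a hypothetical bundle identifier.)
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.adsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed alternative: ATS stays on, and only the one ad host that cannot
# speak TLS gets a plain-HTTP exception, without its subdomains.
# (ads.example.net is a hypothetical hostname.)
SCOPED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.adsdemo</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>ads.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def ats_findings(plist_bytes):
    """Return a list of findings describing how this Info.plist weakens ATS.

    An empty list means ATS is fully in force: HTTPS with TLS 1.2 and forward
    secrecy for every host the app talks to.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads is true: ATS is disabled app-wide")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "including subdomains" if rules.get("NSIncludesSubdomains") else "this host only"
            findings.append(f"plain HTTP allowed for {domain} ({scope})")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"forward secrecy not required for {domain}")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls and tls != "TLSv1.2":
            findings.append(f"minimum TLS version lowered to {tls} for {domain}")
    return findings


def ats_disabled_app_wide(plist_bytes):
    """True when the plist turns ATS off for every connection the app makes."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads"))


if __name__ == "__main__":
    for name, data in (("weak", WEAK_INFO_PLIST), ("scoped", SCOPED_INFO_PLIST)):
        print(name, ats_findings(data) or ["no ATS weakening found"])
```

The scoped form still shows up as a finding, which is the point: a review gate should see every host that is allowed to fall back to plaintext, rather than a single switch that hides all of them.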
Sensor project will cost $171M, potentially help monitor soldiers, vehicles
Apple is working with the US government, alongside a number of other major companies and institutions, to develop new wearable technology. The Pentagon project, said to be using third parties rather than its own development resources because of the rapid pace at which new technologies are created, aims to find ways to embed sensors and other electronics into the outward-facing surfaces of vehicles such as jets, or into the uniforms worn by military personnel.
Problem troublesome in data centers, other enterprise SSD deployments
The Storage Networking Industry Association (SNIA) and its Solid State Storage Initiative (SSSI) have announced the formation of a new Data Recovery and Erase Special Interest Group (DR/E SIG) to accelerate awareness and adoption of recovery technology in the solid state storage marketplace. The first meetings, held earlier in August, brought together manufacturers as well as data recovery specialists, to hammer out a charter and a path for the group to standardize techniques, technologies, and best practices for SSD recovery and erasure, previously unique to each manufacturer.
Wyndham hotels sued by FTC over 2008 breaches
The Third US Circuit Court of Appeals in Philadelphia has ruled in a lawsuit against Wyndham hotels, that the Federal Trade Commission (FTC) has the authority to regulate and enforce corporate IT security policies and failures. The appeal ruling opens the door to the regulatory agency to take pre-emptive measures, should it see fit, but also confirms the agency's power to protect the citizenry and file lawsuits on its behalf for companies such as Wyndham, Target, Ashley Madison, and others who have failed to secure customers' personal information.
Leverages bugs to cause memory corruption which could bypass kASLR protection
Two new zero-day vulnerabilities that could be exploited to gain root privileges on OS X 10.9.5 through 10.10.5 have been uncovered by an 18-year-old Italian researcher, who has also published a version of a fix that Apple could adopt in a future update. The discovery comes on the heels of a similar vulnerability fixed by Apple in the last OS X software update. Luca Todesco published details of the exploit on GitHub just hours after notifying Apple of the flaws.
New cross-platform backup solutions offer local, cloud backup
Data protection company Acronis today announced the release of Acronis True Image Cloud and Acronis True Image 2016, the newest versions of its backup software for individuals, families and home office users. True Image is a full disk-image backup product; the new True Image Cloud protects data both locally and in the cloud, including pictures, videos, documents, applications, passwords, settings, contacts, events, and an entire computer. Acronis True Image Cloud adds multi-device and new mobile device support, covering Android, iOS, and Windows mobile devices.
New version brings similar fixes to iOS as given to iTunes.
Alongside updates to iTunes and OS X, Apple has updated iOS to version 8.4.1. The new version, which saw only two beta releases, provides "improvements and fixes to Apple Music" similar to those offered in the iTunes update. No information is available as to what security issues, if any, this patch addresses.
Requests for refunds from proposed $2M MacKeeper fund being collected
Purchasers of MacKeeper are now able to file a claim to be reimbursed for the software, it has been revealed. Lawyers representing parties in a class action lawsuit against ZeoBit over the software have launched a site allowing customers to claim their share of a proposed $2 million settlement, with respondents potentially receiving the entire $40 cost in full, depending on how many of the 513,000 eligible customers successfully apply.
Sophisticated attack over last two weeks targets UK mobile phone retailer
A major mobile phone retailer in the United Kingdom has become the latest major target of hackers. Carphone Warehouse has admitted some of its servers were breached on Wednesday as part of a "sophisticated cyber-attack" over the last two weeks, with it believing the personal details of up to 2.4 million people may have been accessed, potentially including names, addresses, bank details, and other sensitive customer details.
Apple store and main website combined into single entity
Late yesterday, Apple revamped its online presence. The previously separate store is gone, replaced by direct buying links on each product page and a unified "shopping bag" icon in place of the "store" button in the site's top menu bar. Clicking a purchase link no longer redirects to the store.apple.com domain; instead it fills the always-available shopping bag, streamlining the purchase process.
Malicious installer requires user password, then installs junkware
A recently published exploit that could give an attacker unchecked root-level access, once a user has installed it, has been patched in the forthcoming OS X 10.10.5 update and in this fall's 10.11 El Capitan upgrade. The flaw lies in error-logging functionality introduced in Yosemite. Though widely reported as hair-on-fire dangerous, the exploit seen so far merely installs adware and junkware such as Genieo and MacKeeper, and requires users to actively run the installer before it gains root privileges.
Flaw discovered a month ago leveraged in new adware installer
A zero-day exploit revealed last month, affecting only OS X Yosemite, has now been found in the wild. It is being used by an adware installer, which modifies the UNIX "sudoers" file that determines who may obtain root permission on the system; during installation the exploit can grant root to an arbitrary process without a password being required.
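The two items above both concern an installer that edits /etc/sudoers. As an added example, not taken from the reports or from any vendor tool, here is a small audit that parses a sudoers file and flags password-free rules and unexpected principals, plus a check on the file's ownership and mode. The sample sudoers text is constructed; its last line is a hypothetical entry of the kind such an installer could append, not a quote of what any real installer wrote.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sudoers text. The first three lines are of the kind a stock
# install carries; the last is a hypothetical entry that would hand
# passwordless root to any user on the machine.
SAMPLE_SUDOERS = """
# sudoers file (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL
"""

# user specification:  principal  host_list=(runas) [tags:] command_list
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)=(?:\((.*?)\))?\s*(.*)$")
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class SudoRule:
    principal: str   # user name, %group or ALL
    hosts: str
    runas: str
    tags: tuple
    commands: str


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks, Defaults and aliases are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        principal, hosts, runas, spec = m.groups()
        tags = tuple(TAG_RE.findall(spec))
        commands = TAG_RE.sub("", spec).strip()
        rules.append(SudoRule(principal, hosts, runas or "", tags, commands))
    return rules


def audit_sudoers(text, expected_principals=("root", "%admin")):
    """Findings for rules that grant more than the expected principals should hold."""
    findings = []
    for rule in parse_sudoers(text):
        if "NOPASSWD" in rule.tags:
            findings.append(f"{rule.principal}: NOPASSWD on '{rule.commands}' (runas {rule.runas or 'root'})")
        if rule.principal not in expected_principals:
            findings.append(f"{rule.principal}: not in the expected principal list")
    return findings


def audit_sudoers_mode(mode, uid, gid):
    """Findings for the file's metadata: sudo expects root ownership and mode 0440 (gid 0 is wheel on OS X)."""
    findings = []
    if uid != 0 or gid != 0:
        findings.append(f"owner {uid}:{gid}, expected 0:0")
    if stat.S_IMODE(mode) != 0o440:
        findings.append(f"mode {oct(stat.S_IMODE(mode))}, expected 0o440")
    return findings


if __name__ == "__main__":
    import os
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", finding)
    try:
        st = os.stat("/etc/sudoers")
        for finding in audit_sudoers_mode(st.st_mode, st.st_uid, st.st_gid):
            print("metadata:", finding)
    except OSError as exc:
        print("metadata: could not stat /etc/sudoers:", exc)
```

Reading the real file needs root (sudo cat /etc/sudoers); visudo -c validates its syntax but says nothing about intent, which is what the principal and NOPASSWD checks are for.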
Card reader accessories said to be easily turned into card skimmers
Security researchers have come up with a way to turn the Square Reader into a tool for stealing credit card data. A group of recent Boston University graduates will present how they modified the smartphone accessory, used to take card payments through Square's service, so that any other app can intercept the card data and use the owner's payment information for other, presumably illegal, purposes.
Exploit still requires user permission to install, downplayed by experts
A new exploit has been developed that could threaten Mac security by leveraging vulnerabilities in firmware rather than software, making the worm nearly impossible to remove. While sounding more ominous than any threat since the original firmware-based Thunderstrike (which was limited to a proof-of-concept with no reported attacks), leading security experts say this new threat is also very low-risk.
First password manager to allow changing of passwords from Watch, company says
Dashlane, a password manager for OS X and iOS that MacNN recently reviewed, has announced that it has brought its Password Changer feature, which makes possible extensive password management on iOS devices, to the Apple Watch. The new 3.1 version for iOS includes the feature, and also offers notifications of a security breach on monitored websites, and improves Touch ID support.
Good, strong password manager
Ask anyone who uses a password manager app, and they will evangelize about it -- but they'll also make it sound as if there's only one. We're a little guilty of this ourselves: we've regarded 1Password as synonymous with password management. Yet there are really a handful of them, and Dashlane 3.0.3 has fans who will never look at anything else. They probably don't need to.
Android-based clones sold in US, leading to Chinese government raid
Acting on a tip from US law enforcement, Beijing police raided a factory producing fake iPhones and accessories. Nine suspects have been arrested in the scheme, which produced 41,000 fake phones, and could have been worth up to $19 million in counterfeit electronics sales. A married couple, arrested by the police, allegedly hired hundreds of workers to assemble the devices.
Company again accused of failing to take steps to protect customer data
The US Federal Trade Commission (FTC) today alleged that security firm LifeLock has violated a 2010 settlement with the agency and 35 state attorneys general, by continuing to make deceptive claims about its identity-theft protection services, and by failing to take steps required to protect its users' data. In documents filed with the US District Court for the District of Arizona, the FTC charged that LifeLock failed to live up to its obligations under the 2010 settlement, and asked the court to impose an order requiring LifeLock to provide full redress to all consumers affected by the company's order violations.
Dozens of apps allow unlimited login attempts, creating minor security risk
A new report has found that a number of popular iOS and Android apps have what amounts to a minor security fault: they allow an unlimited number of attempts to log in to an associated account, leaving the account open to password guessing by attackers who have physical access to the device, such as thieves or overzealous law enforcement. Security firm AppBugs says "dozens" of apps are affected, including Slack, iHeartRadio, Dictionary, SoundCloud and many others.
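An added example of the missing control, not taken from AppBugs or from any of the named apps: a server-side throttle that locks an account after repeated failures and lengthens each successive lockout, with a demo driven by a fake clock so it runs offline. The account name, password, credential store and thresholds are constructed sample values.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account failed-login throttle with escalating lockouts.

    After `threshold` failures inside `window` seconds the account is locked for
    `base_lockout` seconds; each subsequent lockout doubles that, capped at
    `max_lockout`. A successful login clears all state for the account.
    """

    def __init__(self, threshold=5, window=900, base_lockout=60,
                 max_lockout=3600, clock=time.monotonic):
        self.threshold = threshold
        self.window = window
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._failures = defaultdict(list)   # account -> timestamps of recent failures
        self._locked_until = {}              # account -> clock time the lock expires
        self._lockouts = defaultdict(int)    # account -> consecutive lockouts so far

    def retry_after(self, account):
        """Seconds until the account may try again; 0.0 when it is not locked."""
        return max(0.0, self._locked_until.get(account, 0.0) - self.clock())

    def allowed(self, account):
        return self.retry_after(account) == 0.0

    def record_failure(self, account):
        """Note a failed attempt; returns the lockout (seconds) now in effect, if any."""
        now = self.clock()
        recent = [t for t in self._failures[account] if now - t < self.window]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.threshold:
            self._lockouts[account] += 1
            delay = min(self.base_lockout * 2 ** (self._lockouts[account] - 1), self.max_lockout)
            self._locked_until[account] = now + delay
            self._failures[account] = []     # the next lockout needs a fresh run of failures
        return self.retry_after(account)

    def record_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)
        self._lockouts.pop(account, None)


def attempt_login(throttle, account, password, check_password):
    """Gate a credential check behind the throttle. Returns (ok, retry_after_seconds)."""
    wait = throttle.retry_after(account)
    if wait > 0:
        return False, wait                   # refused before the password is even examined
    if check_password(account, password):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)


class FakeClock:
    """Injectable clock so the lockout timing can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Five wrong guesses lock the account; the right password is refused until the lock expires."""
    clock = FakeClock()
    throttle = LoginThrottle(threshold=5, window=900, base_lockout=60, clock=clock)
    users = {"alice": "correct horse"}      # constructed sample credential store
    check = lambda user, pw: users.get(user) == pw
    guesses = [attempt_login(throttle, "alice", g, check) for g in ["a", "b", "c", "d", "e"]]
    while_locked = attempt_login(throttle, "alice", "correct horse", check)
    clock.advance(61)
    after_expiry = attempt_login(throttle, "alice", "correct horse", check)
    return guesses, while_locked, after_expiry


if __name__ == "__main__":
    print(demo())
```

The throttle refuses a locked account before touching the password check, so the attacker learns nothing from response timing while locked; a real deployment would also key on source address and keep the state in shared storage rather than process memory.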
Standard retail procedure questioned, suit represents 12K retail workers
Despite a previous dismissal of an earlier version of the lawsuit, a US District Court judge has ruled that Apple must face a trial in a class-action lawsuit over the practice of "bag checks," a standard retail loss-prevention technique that is widespread among retailers. The specific dispute in the case involving Apple was that employees complained they were being detained for up to 15 minutes after their shift had ended, without compensation for the lost time.
Tighter security, hardware authentication may be hampering products
A new report makes the claim that third-party products utilizing Apple's HomeKit technology are slow in coming to market because of the iPhone maker's changes to improve the security of the devices, including a certification requirement to use hardware-based authentication chips that makes product upgrading difficult, and products more expensive. The report also makes more questionable claims of "capricious" changes.
Purchase of chip producer may face scrutiny by US government over security fears
An alleged offer by a company backed by the Chinese government to acquire US chip producer Micron Technology faces a considerable uphill battle before it can go ahead. Tsinghua Unigroup is reportedly proposing to acquire Micron, a producer of NAND and DRAM and a RAM supplier to Apple, for a reported $23 billion, a price widely seen as low; concerns from regulators and US lawmakers are likely to torpedo the sale for the foreseeable future.
Pair focusing on identity verification on mobile, handshake across devices
The Fast IDentity Online (FIDO) Alliance, the organization focused on changing the nature of online authentication, entered into a memorandum of understanding with the Bluetooth Special Interest Group (SIG) to use Bluetooth Smart as an alternative to using a USB dongle in Universal Second Factor (U2F) authentication. The goal of the pair is to contribute to specifications for FIDO U2F over Bluetooth Smart to extend the reach of the protocol from the desktop to the mobile device.