Action rooted in security, but poses issues for jailbroken devices
Continuing its recent practice, Apple has stopped signing iOS 8.2 firmware, citing security. The move, intended to protect users, makes restoring or downgrading to iOS 8.2 impossible, and so prevents users of jailbroken devices from moving to 8.2. Apple's signature check at restore time is what lets a device refuse firmware Apple no longer vouches for; the related code-signing of apps, which applies to Apple as well as to third-party iOS and OS X developers, is designed to prevent malicious apps from masquerading as legitimate ones and to stop outside parties from injecting code into applications.
Claims attackers can acquire fingerprint data before it is secured
The fingerprints of owners of some Android smartphones could be harvested by attackers, researchers claim. A flaw, said to affect the Samsung Galaxy S5 and other unnamed Android devices, allegedly allows an attacker to copy the biometric data on the device itself before it reaches protected storage, suggesting that fingerprint-based security on Android is not as secure as assumed.
Exploit puts iOS devices in reboot loop, only fix to exit range of router
Security firm Skycure has disclosed the existence, but not the exploitation method, of an iOS flaw that lets a malicious Wi-Fi access point reliably crash any iOS device that connects to it. A maliciously crafted SSL certificate served by the network crashes the device completely, forcing it into a "repeatable reboot cycle" for as long as the device remains within range of the hostile Wi-Fi network; the only remedy is to move out of range.
Retina 12-inch MacBook can hang during first setup, workaround posted
A new tech note from Apple details a flaw that can occur during the initial setup of the new 12-inch Retina MacBook and causes the process to stall, sometimes for a prolonged period, before finishing. Apple recommends that users who hit the issue restart the Mac to begin setup again, and optionally disconnect from the Internet so that setup can proceed, reconnecting afterwards. The problem appears to center on Apple ID setup or iCloud account creation.
Recently-fixed AFNetworking library requires app update to close security hole
A flaw in a popular older version of an open-source networking library used by a number of iOS apps leaves those apps vulnerable, particularly for users who do not keep their apps up to date. The issue could allow an attacker on the network to bypass the protection HTTPS is supposed to provide and conceivably steal passwords or other personal data. Although the library was patched three weeks ago, apps that still ship the older version remain vulnerable until their developers rebuild and publish an update. According to SourceDNA, at least 1,500 iOS apps are currently exposed.
Yosemite-only patch seemingly does little to mitigate Rootpipe-based attacks
Researchers from security firm Synack have determined that Apple's latest patch for the "Rootpipe" privilege escalation flaw leaves it mostly unfixed, even on OS X 10.10 "Yosemite." Ex-NSA staff member Patrick Wardle examined the new patch and found a new path around Apple's fix, leaving the computer unprotected from hostile users with physical access. In other developments, malware exploiting the flaw is loose in the wild and has been for some time, but it is a discrete app that must be run on the machine and is still not a remote attack.
CoinVault victims can use tool to decrypt files encrypted by ransomware
Victims of one strain of ransomware may be able to get their data back. In a collaboration between the Netherlands Police's National High Tech Crime Unit (NHTCU) and security company Kaspersky, a tool has been created that can decrypt data encrypted by the CoinVault malware, potentially saving many users from paying a ransom or having to rebuild their data if backups failed.
Trusted Voice Smart Lock option rolling out to stock Android devices
Owners of devices running stock Android will be able to unlock their smartphones and tablets by uttering "OK Google." Following changes to Google Play Services, Android Police reports that the Trusted Voice unlocking option is starting to roll out, appearing in the Smart Lock settings. Users are warned before setting up Trusted Voice that it is "less secure" than a knowledge-based security measure, such as a PIN or a pattern, as "someone with a similar voice or a recording of your voice could unlock your device."
Apple Watch hands-on reports, a look at Photos, new videos, more
Following a longer-than-expected submission process to Apple, we're pleased to report that episode 10 of The MacNN Podcast, along with all previous episodes, has finally arrived on iTunes. Listeners can now search for, subscribe to, and generally wallow in our backlog of tech news, app picks, and bad jokes. The latest episode has a couple of remote reports from Australia and the UK about the Apple Watch concierge try-on experience, the arrival of Photos with OS X 10.10.3, our new videos, and more.
Publication of regulation likely to redouble opposition efforts to regulation
The US Government has published the Federal Communications Commission's Open Internet regulation package in the Federal Register. With publication, the net neutrality and Title II regulations, as laid out by the FCC, become effective and enforceable on June 12.
How and where to download software safely
Look, we're not on Windows PCs here. Yet, even though we don't have the same overwhelming problems with viruses, that doesn't mean we should invite trouble. You can download apps that don't do what they claim, and instead do all sorts of things they shouldn't. Consequently, it is a very good thing that Apple has safeguards in place – yet those same safeguards are a problem for some of the very finest Mac software around.
Exploit demonstrated with physical access, possible remote exploit
Alongside bug fixes and other improvements, Apple has patched a longstanding security flaw which could give users with physical access to a machine root privileges, regardless of assigned permissions. The flaw, indexed as CVE-2015-1130, was reported to Apple in October of 2014, but Apple requested that it be not publicly disclosed until patched due to the "substantial amount of changes" required to fix.
Widely beta-tested, each brings new features to devices
With today's release of OS X Yosemite 10.10.3, Apple is officially releasing its iPhoto replacement program Photos for the Mac. While the program has already been in use on iOS for some time, the new program sits alongside existing iPhoto or Aperture libraries with its own copy, and adds new abilities and features we have previously reported on. The update, leaked earlier today, also brings a non-beta version of iCloud Photo Library and new emoji, while the iOS 8.3 release shares the emoji improvements and adds wireless CarPlay support, along with new Siri accents and languages.
Encrypt attachments before emailing them
People do tend to believe that a Word attachment is emailed out across the Internet as exactly that, a Word attachment: they don't realize that it's converted into something else for transmission. Similarly, people tend to think that an email leaves their computer and goes directly to their recipient's machine: they don't realize how many other computers that email may pass through on the way. In theory, someone with access to one of those computers could intercept the email and obtain a copy of that Word attachment. That is the risk Privacy Envelope is designed to close: it encrypts the attachment before it leaves your machine, so even the remote possibility of anyone getting their paws on it along the way is shut down.
Unprotected Wi-Fi, obvious root password hampers Anonabox security efforts
The Anonabox, the controversial privacy-minded Internet router, has suffered another blow as more security issues have been uncovered. Though the device does protect users by routing traffic through the Tor network, the $100 routers themselves have been found to have security flaws that can allow outside parties to take control of the device and monitor its users' Internet use.
Extremely powerful and comprehensive backup solution
Roll up your sleeves, get a coffee, and watch ChronoSync backup your hard drives. Or alternatively, roll your sleeves back down and nip out to lunch, because you're not needed here: ChronoSync has it covered -- and you can look in on it remotely, with the companion apps ChronoAgent and InterConneX. This is surely the most comprehensive disk backup and management application we've seen, and possibly that nature ever intended. That does mean it's complex, but you're not going to turn to this if all you've used so far is Apple's Time Machine.
Indoor Flir FX security camera can be reused as sports camera
Flir, the producer of the Flir One thermal camera, has launched a multi-purpose network-enabled camera. The Flir FX is primarily a security camera that is similar to Dropcam, including remote storage of footage on its cloud service, but Flir has added a number of extra features that makes it useful for other video functions, such as a dashcam for a car or as an action camera.
Groups claim that YouTube Kids hosts content that wouldn't be allowed on TV
A series of children's and consumers advocacy groups have requested that the US Federal Trade Commission (FTC) look into Google's YouTube Kids app. The groups are claiming that Google is running afoul of laws restricting advertising to children, saying that "the videos provided to children on YouTube Kids intermix commercial and other content in ways that are deceptive and unfair to children and would not be permitted to be shown on broadcast or cable television."
Shuttered security software deemed safe to 'fork' for future products
A crowdfunded third-party security audit of popular (and shuttered) personal encryption tool TrueCrypt has concluded. The effort, led by cryptographic expert Matthew Green found that "TrueCrypt appears to be a relatively well-designed piece of crypto software," and that the audit "found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."
Staffers discuss new book, new gaming column, new apps
We're now at episode eight of The MacNN Podcast, which this week welcomes our new Apple Gaming column, as well as reminding listeners about our weekly game news roundup. We also discuss the book Becoming Steve Jobs, and Tim Cook's latest honor from the business world. More confusion about Windows 10 pricing outside China has come to light, and tech companies are asking for changes in the Patriot Act.
Two-factor authentication, kill switch added to Slack following unauthorized access
Work-focused messaging service Slack has tightened account security following an intrusion into its servers. The company admits on its blog that its servers were accessed by unauthorized parties over a four-day period in February; although it only revealed the intrusion on Friday, it says it has since been working hard on improving the service's overall security.
Microsoft dodges questions about free versions to pirates, Parallels users
Microsoft has made a passing attempt to clarify some of its policy on free upgrades to Windows 10. In an interview, senior director of product marketing at Microsoft Aaron Woodman detailed what the company has decided about the offering -- and an alarming amount of decisions seem to have not been made yet about licensing the OS.
Other members include Microsoft, LinkedIn, Evernote, DropBox, many others
Nearly all of the tech industry, including Apple, Google, Microsoft, Yahoo, and LinkedIn, has co-signed a letter to the US government calling for reform of Section 215 of the Patriot Act before it expires in May and is likely renewed. The coalition is seeking an "effective end to bulk collection" of user metadata, "transparency and accountability mechanisms" for federal and industry reporting, and eased declassification of Foreign Intelligence Surveillance Court decisions.
Twitter starts testing automatic playing of promoted videos in iOS apps
Twitter is starting to test automatically-playing videos in its apps. According to Ad Age, the service will autoplay promoted video ads to some Twitter users in the United States using the official iOS app. While the videos will play muted, some users will see a looping six-second preview while others will see the full video in a loop, with both groups able to select the video to view it full screen and with sound turned on.
Game streaming service resets all accounts as security measure
Twitch has warned users that their account information may have been compromised in a breach. To protect users from any further security issues arising from the possible intrusion, the game streaming service has reset the passwords and stream keys for all accounts, so that stolen credentials or keys can no longer be used, and has disassociated accounts from linked YouTube accounts.
New Android Lollipop security function prevents locking when smartphone is held
Android users may be able to use their smartphone for longer periods without seeing their lock screen, thanks to a new feature spotted rolling out to Smart Lock on Android Lollipop devices. On-body detection will keep a smartphone or tablet unlocked if it detects it is being carried, automatically reinstating the lock when it detects it has been placed down on a surface.
Leading reseller B&H gets Apple mini-store at brick-and-mortar Manhattan HQ
Although many MacNN readers will be familiar with B&H Photo Video through the company's online site via its frequent mention in our various deals posts, the firm is actually the largest non-chain electronics retailer in the United States, having a midtown Manhattan location since 1973 and being a widely-recognized photo, video, and Apple specialist. Earlier this week, the store opened its Apple-authorized "store within a store" focusing on Apple products.
Early 2015 MacBooks, MacBook Pros get separate version
On Thursday, Apple released a security update for OS X Yosemite 10.10.2 only. While details are not available, the update could be the first to address the HTTPS vulnerability known as FREAK, which can downgrade secure web browsing to weak, export-grade encryption on a variety of systems and applications. In addition, the company has issued an update for iPhoto to further help with the eventual transition to Photos, as well as to clear up a few bugs.
Proposal could provide affected Target breach victims with up to $10,000
Target has agreed to a potential settlement with victims of the retailer's major breach of late 2013. Still needing to be approved by a federal judge, the settlement in the class-action lawsuit will involve Target placing $10 million in escrow for payment to victims, with the possibility of some individuals receiving as much as $10,000 in damages over the hacking.
Apple releases new Safari betas for OS X 10.9 and 10.8
On Wednesday, Apple updated the developer versions of Safari with two new betas aimed at users of older OS X versions, specifically 10.8 (Mountain Lion) and 10.9 (Mavericks). The new versions follow a minor update to the current Safari versions for OS X 10.8 and later that contains several WebKit fixes for security issues. Version 7.1.5 is for Mavericks, while Mountain Lion owners will see only version 6.2.5.
Potential but unwieldy security threat to those running pre-iOS 8.1.1
A new device on the market costing $300 could be used by attackers to brute-force the PIN codes on iOS devices running system versions older than iOS 8.1.1. While the chances of it being used on someone's personal device are extremely low, since it requires both physical access to the device and a great deal of time, users can protect their devices and foil the so-called "IP Box" attack by moving to a longer, more complex passcode, which makes the search space impractically large for a device that guesses one code at a time.
Company discovered breach nearly nine months after intrusion
Washington state-based healthcare provider Premera has suffered a massive cyberattack, which has potentially led to the theft of 11 million customers' data. More than six million people affected by the breach live in Washington state, with many employees of Microsoft and Amazon at risk. The initial attack happened on May 4, 2014, but the breach was not detected until January 29, 2015, the same day fellow provider Anthem realized that it had been attacked.
HTTPS bug still just a proof of concept, no proof of any successful wide attacks
Researchers at FireEye have continued looking at the FREAK HTTPS vulnerability, and have found that a number of top apps on Apple's iOS App Store and on Google Play remain vulnerable to the attack despite a system-level patch being available on both platforms, typically because the apps ship their own TLS library or talk to servers that still accept export-grade ciphers. The company found that 5.5 percent of the iOS apps it surveyed were still vulnerable on iOS 8.1, but only seven apps under 8.2, which contains Apple's patch. However, even with current patches, 11.2 percent of the top Android apps were susceptible.
Fingerprint scanning, face and iris recognition coming to Windows 10
Windows 10 will be including more alternative log-in systems when it launches, with Microsoft embracing biometric security on computers. The software giant also advises that the team behind Windows 10 have made changes to the way it compresses system files and how the operating system handles recovery functions, helping reduce the software's footprint on the device's storage.
Hearing before Committee on Oversight and Government Reform today
US Federal Communications Commission head Tom Wheeler is appearing before the Committee on Oversight and Government Reform today, to defend the agency's Title II and net neutrality regulation. In a prepared statement before the group, Wheeler calls the buildup to the decision "one of the most open and expansive processes" that the FCC has ever run, and decries accusations of improper influence by President Obama in drafting the Open Internet Order.
SecuTablet uses hardware from Samsung Galaxy Tab S 10.5
BlackBerry's enterprise partnership with Samsung and IBM has resulted in the launch of new hardware. The SecuTablet is a mobile device that borrows the physical design and specifications of the Samsung Galaxy Tab S 10.5 combined with BlackBerry's SecuSuite software, with the company claiming it to be secure enough for national and international public sector markets and enterprise.
Anti-terror legislation seen as license to spy, would have driven western companies away
A Chinese proposal that would have mandated government-accessible "backdoors" in high-tech hardware and software, and forced companies to hand over keys for any encryption used on devices or in programs, has been suspended in the legislative process. The proposal would also have required that all data created by Chinese users remain in China, forcing hundreds of western services to build data centers in the country.
MacNN and Electronista daily deals for March 13, 2015
Welcome to Daily Deals, the weekday post when the staff of MacNN and Electronista search for discounts and deals on hardware, software, games, gadgets, and other tech for you, our discerning readers. Today, in a particularly storage-heavy edition, we've got the 1TB Samsung 850 Pro SSD, a bare 4TB hard drive intended for network-attached storage, and an inexpensive Epson WorkForce desktop printer.
The password app does so much more
We're not here to lecture. You know you need a password manager, and you know that 1Password gets praised a lot for how it stores your passwords, and how it generates stronger ones than mere mortals could. We could just point out that 1Password is now free for basic use on iOS, but instead, we're going to enthuse. Specifically, we are here to enthuse about what else 1Password does that makes it such a useful tool on our Macs.
No surprises; Title II a light touch, debate terms bandied about defined finally
The US Federal Communications Commission has published its new Open Internet order, also known as net neutrality and Title II order, in full. The document spells out specifically which aspects of the 80-year-old Title II concept will be applied to Internet Service Providers, as well as specifics of the net neutrality order.
WaterField Designs unveils Zip Brief for new MacBook
Accessory maker WaterField Designs announces the refined Zip Brief, created to protect and showcase the new 12-inch Apple MacBook. The Zip's internal pockets cradle the MacBook on one side and accessories on the other, and offer an angled front pocket that can hold a smartphone, wallet or commuter pass. The exterior combines leather with waxed canvas or ballistic nylon. TSA-friendly, the Zip can be fully opened for airport security while contents remain safely secured. The Zip Brief can be pre-ordered now for $180, with shipping starting at the end of March.
Initial 2010 Stuxnet patch left Windows PCs vulnerable for five years
Microsoft has finally fixed a Windows flaw exploited by the Stuxnet worm, by issuing another patch. Security researchers say an initial fix released in August 2010 for the flaw, which Stuxnet used to spread via USB drives, did not completely solve the problem, leaving all Windows PCs susceptible to the attack for the last five years; a patch released today as part of "Patch Tuesday" is claimed to solve it once and for all.
New Snowden documents tell of attempts to compromise Xcode
The Central Intelligence Agency (CIA) has been trying to compromise iOS devices for a number of years, a report claims. Documents leaked by whistleblower Edward Snowden reveal that a secret annual conference called the "Trusted Computing Base Jamboree" was used to discuss various ways to exploit security in consumer devices and electronics, including iPads and iPhones, as part of ongoing attempts by intelligence agencies to use consumer devices for surveillance.
Security update 2015-002 fixes problem in OS X, iOS 8.2 patches iOS version
On Monday, Apple issued a security update for OS X 10.8 or higher that resolves a recently-discovered vulnerability in the SSL/TLS protocol that could have allowed supposedly secure communications, such as bank transactions, to be decrypted and intercepted. The flaw, known as FREAK (for "Factoring RSA Export Keys"), lets an attacker force a connection back to the weak 1990s-era "export-grade" RSA keys, which are short enough to be factored with modest computing resources. The new update, 2015-002, fixes the flaw in OS X, while today's iOS 8.2 release patches the issue for iOS devices.
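As an added example (not from the original article, and not Apple's, FireEye's or OpenSSL's code), the Python below parses a TLS ClientHello and ServerHello as a network monitor would see them and reports whether the server settled on an export-grade cipher suite, which is the downgrade described in this item and in the two earlier FREAK items above. The cipher-suite numbers are the standard IANA values; the sample handshake bytes are constructed inline for the demonstration. It inspects only the Hello messages, so it tells you whether a server will fall back to export-grade suites, not whether a particular client carries the bug these patches fix.

```python
import struct

# Export-grade suites from the SSL 3.0 / TLS 1.0 registries (IANA values).
# Each restricts key material to export-era sizes (40/56-bit symmetric,
# 512- or 1024-bit RSA/DH), which is what makes factoring practical.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("truncated record or unexpected handshake type")
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:
        raise ValueError("truncated handshake message")
    return hs[4:4 + hs_len]


def _skip_hello_prefix(body: bytes) -> int:
    """Offset just past version(2) + random(32) + session_id<0..32>."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(record: bytes) -> list:
    """Return the cipher suites offered by a ClientHello, in preference order."""
    body = _handshake_body(record, CLIENT_HELLO)
    pos = _skip_hello_prefix(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def server_hello_suite(record: bytes) -> int:
    """Return the single cipher suite the server selected."""
    body = _handshake_body(record, SERVER_HELLO)
    pos = _skip_hello_prefix(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_negotiation(client_record: bytes, server_record: bytes) -> dict:
    """Flag export-grade negotiation. 'freak_downgrade' is the case FREAK needs:
    the server picks an export suite the client never asked for."""
    offered = client_hello_suites(client_record)
    chosen = server_hello_suite(server_record)
    return {
        "chosen": chosen,
        "chosen_name": EXPORT_SUITES.get(chosen, "non-export suite 0x%04X" % chosen),
        "chosen_is_export": chosen in EXPORT_SUITES,
        "client_offered_export": sorted(s for s in offered if s in EXPORT_SUITES),
        "freak_downgrade": chosen in EXPORT_SUITES and chosen not in offered,
    }


# --- Constructed sample records (not captured traffic) ----------------------
def build_client_hello(suites: list) -> bytes:
    body = b"\x03\x01" + b"\x11" * 32 + b"\x00"      # TLS 1.0, fixed random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # one compression method: null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


# Client offers only non-export RSA/ECDHE suites; one server answers with
# TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (the FREAK downgrade), the other honestly.
SAMPLE_CLIENT = build_client_hello([0x002F, 0x0035, 0xC013])
SAMPLE_SERVER_EXPORT = build_server_hello(0x0008)
SAMPLE_SERVER_OK = build_server_hello(0x002F)

if __name__ == "__main__":
    for name, srv in (("export server", SAMPLE_SERVER_EXPORT), ("patched server", SAMPLE_SERVER_OK)):
        print(name, check_negotiation(SAMPLE_CLIENT, srv))
```

Run against live traffic by feeding it the first record of each direction of a TLS session; a server that ever produces `chosen_is_export` is one that still needs its export suites removed, regardless of whether the client side has been patched.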
Some of the best -- and worst -- trends in tech this week
The MacNN Podcast is now up to episode five, and this week we looked at the new Microsoft Office 2016 preview; the disturbing trend of legitimate app makers inserting adware (or worse) into their apps to make a few extra bucks; the news from last week's Mobile World Congress, including the new Samsung Galaxy S6 and S6 Edge; our favorite reviewed apps of the week, and more news about Monday's public debut of the Apple Watch.
Details of Apple Pay on iPhone 5 family revealed
Apple Senior Vice President Eddy Cue made an appearance at Oakland, California's Oracle Arena, and showed off the Apple Watch's Apple Pay functionality -- and took a veiled swipe at a competitor at the same time. Sporting the stainless steel model of the Watch, Cue showed how the device functions with the iPhone 6 series family, as well as confirmed an important detail of how the Apple Watch will bring Apple Pay to the iPhone 5 series of phones.
Move comes just days before Apple Pay comes to Apple Watch
Although mainstream reports that Apple Pay itself was somehow vulnerable were erroneous, as our analysis of the issue explained, they got one point right: many banks applied only light identity checks when cards were added to Apple Pay. Over the course of the week, and in light of the negative publicity, this appears to be changing. Reports are coming in that some of the weaker banks are tightening card provisioning, requiring multiple identification steps where previously there may have been only one, poorly-secured, method of adding credit cards.
Product debut build-up resulting in rare access to CEO and design chief
A new interview with Apple design head Sir Jonathan Ive and recent remarks by CEO Tim Cook are shedding some light (and building up hype) for both the Apple Watch and the current outlook of the company and the men who run it. Ive, in an interview with London's Financial Times, explains the rationale behind the development of the Apple Watch, while Cook expanded on his view on privacy, and Apple's industry leadership. In other news, a forthcoming Apple Watch app has already set the bar to a new low.
Toolbar removable by deleting in the browser extension menu
Oracle's Java 8 Update 40 for OS X has an unexpected surprise for installers. The update instructions note that the company has "partnered with companies that offer various products," and the installer adds the borderline-malware Ask.com toolbar to unsuspecting OS X users' systems.
Some claim that installation was without user permission
BitTorrent client µTorrent is plaguing its users by installing a virtual currency miner alongside its latest revision. While the company denies tricking users into installation, the torrent client does come bundled with "Epic Scale," a Windows application that mines Litecoin. Some users claim to have discovered it only after noticing significant processor load following installation of the client.