Apple to drop support of SSL 3.0 due to POODLE vulnerability

10/22, 11:55pm

Will use transport layer security for push notifications starting October 29

In a note to developers, Apple has announced that due to a serious security flaw in SSL version 3.0, the company will be dropping support for the protocol beginning Wednesday, October 29 for all of its push notifications, which are delivered through Apple's own servers. The company will switch to Transport Layer Security (TLS) for the service, and notes that developers will need to build in support for TLS in their apps to ensure uninterrupted push notification compatibility if they haven't already.

Tim Cook posts photo from latest China visit

10/22, 10:10pm

CEO has already met with Vice Premier Ma Kai over China iCloud attacks

Apple CEO Tim Cook has posted a picture from his latest trip to China on Twitter, showing him sharing a laugh with a factory worker named Zhang Fan, who helps assemble the iPhone 6 at a factory in Zhengzhou. While Foxconn's factories manufacture equipment for a wide variety of technology firms including Google, Microsoft and others, Cook is the only CEO to routinely visit the facilities and personally investigate conditions and safety at the plants. He called the meeting with Zhang "an early highlight" of the trip.

FBI director asks Congress to update law to circumvent encryption

10/22, 3:50pm

Comey seeking update to CALEA to give law enforcement a 'front door' into devices

Federal Bureau of Investigation (FBI) Director James Comey isn't giving up his crusade to persuade the government and businesses that law enforcement should have access to encrypted phone data. Comey took his fight to Congress recently, asking that it update the Communications Assistance for Law Enforcement Act (CALEA) to cover newer technologies.

Avast 2015 adds Home Network Security, SecureDNS

10/22, 3:20pm

Mac will have to wait for key features

Avast Software has launched Avast 2015, an update of its multi-platform security suite. The main addition this year is a tool called Home Network Security, which scans a local network for potential vulnerabilities. These may include things like weak or default router passwords, unprotected IPv6 use, and already-compromised Internet connections. A related new feature is called SecureDNS, which offers encrypted traffic between a computer and an Avast-operated DNS server, reducing the chance of DNS hijacking.

Apple CEO meets with Chinese official to discuss iCloud hijacks

10/22, 9:51am

Chinese government so far denying involvement

Apple CEO Tim Cook met with China's Vice Premier Ma Kai in Beijing on Wednesday to discuss man-in-the-middle attacks against iCloud users, according to Reuters and China's state-run Xinhua news agency. Reuters notes that the Chinese government has so far denied allegations of involvement, which in particular tied the attacks to the state firewall used to censor Internet access in the country. As for the meeting, Xinhua says only that the pair shared views on "protection of users' information" and "strengthening cooperation and in information and communication fields."

Apple says it's aware of Chinese iCloud hijacks, servers not affected

10/21, 4:20pm

Involvement of Chinese government uncertain

Apple is aware of "intermittent organized network attacks" against people trying to sign into iCloud.com, says Dow Jones. It insists, however, that iCloud servers haven't been breached, and that people using iOS or the latest version of OS X -- Yosemite -- should be unaffected. The company doesn't specifically mention China, which is where the browser hijacks are taking place.

Google adds physical security to accounts with USB-based Security Key

10/21, 1:58pm

USB drives with FIDO U2F support can be used to secure Google accounts

Google is giving users of its services an extra security option, on top of its existing procedures and protocols, in the form of a physical token. The search company's "Security Key" lets users nominate a USB drive that grants access to the Google account when it is plugged into a computer's USB port, as an alternative to the two-step verification process.

Staples likely latest company suffering customer payment info breach

10/21, 11:12am

Unknown number of victims, data taken from PA, NY, NJ

Office supply store Staples appears to be the latest victim of a breach of customer payment information. The company issued a brief statement saying that they were looking into the matter, after several banks reported fraudulent activity with a pattern pointing to the source being Staples stores in the northeastern US.

Follow-up: Apple clarifies use of data in Spotlight searches

10/21, 1:21am

Emphasizes user privacy through short-lived session IDs

While it may sound like a report from the Department of the Obvious, the new version of Spotlight included in Yosemite includes searching beyond the local drive, and consequently gathers and sends to Apple some information on what users are searching for, their (city-level) location -- if Location Services is turned on -- and what Spotlight Suggestion was selected. That one needs to get certain data to perform a web search has apparently come as a surprise to some, and thus Apple has released a statement clarifying exactly what data is gathered, how it is used, and reminding users of how to turn it off if desired.

Yosemite uploads location, search data to Apple via Spotlight

10/20, 6:46pm

Functions raise privacy concerns

The Yosemite version of Spotlight is automatically uploading both location and search data to Apple whenever the tool is used, reports say. The information is mentioned in an official "About Spotlight & Privacy" document, but may be missed by the average person. "If you have Location Services on your device turned on, when you make a search query to Spotlight the location of your device at that time will be sent to Apple," one part of the document reads.

Obama signs BuySecure executive order to hasten US EMV adoption

10/20, 1:57pm

Initiative adds EMV support to government channels, more identity theft protections, reporting

Last week US President Barack Obama signed an executive order that will help consumers who are victims of identity theft, as well as speed up the adoption of the Europay, MasterCard, and Visa (EMV) chip standard for credit and debit cards. In the executive order signed by the president, parts of the federal government will be adopting EMV measures, as well as strengthening the public's ability to monitor financial health or seek help when necessary.

Chinese government hijacking iCloud, Microsoft logins, reports say

10/20, 12:40pm

Users being redirected to dummy sites

China's state firewall is currently hijacking attempts to visit iCloud.com or Microsoft's login gateway, login.live.com, redirecting people to dummy websites, reports say. People visiting iCloud.com through Firefox or Chrome will see a warning page, but visitors with Qihoo -- the most popular browser in China -- are being forwarded directly to a dummy site with no obvious signs it isn't Apple's. It's believed that the Chinese government may be trying to harvest iCloud and Microsoft logins.

MasterCard prepares credit card with fingerprint sensor for 2015

10/19, 1:59pm

Zwipe, MasterCard team up to combine fingerprint authentication, contactless payments

At a press event last week, MasterCard and Zwipe announced a new type of payment card dubbed the Zwipe MasterCard. Where the new card differs from the standard credit or debit card is in the payment process, looking to biometrics to approve purchases. The Zwipe MasterCard uses fingerprint authentication for MasterCard contactless payment terminals, while retaining the Europay, MasterCard and Visa (EMV) chip on the card.

Anonabox project killed by Kickstarter over security, hardware issues

10/18, 10:35am

Hardware appeared to be sourced from Alibaba, software straight OpenWRT

Following allegations casting doubt on the project, the TOR-based Anonabox Kickstarter project has been terminated. Since the launch of the security-minded Anonabox, and nearly instant completion of funding goals, commenters and other figures questioned the source of the hardware, the actual security of the device, and criticized the lack of a promised and complete open-sourcing of the code.

Mac version of 1Password 5 gets Yosemite makeover, sync upgrades

10/17, 2:45pm

Wi-Fi sync starts automatically once iOS devices are in range

AgileBits has released v5.0 of its password and credit card manager for the Mac, 1Password. The software has been redesigned to match the look of OS X Yosemite, including support for the OS' new dark mode. AgileBits is also exploiting changes to iCloud for "faster and more robust syncing;" the company warns, though, that iCloud sync now requires v5.0 on both iOS and OS X.

FBI director warns Apple, Google away from encrypting devices

10/17, 1:32pm

Encryption of smartphones hampers security efforts, claims FBI head

The head of the Federal Bureau of Investigation (FBI) has asked companies to back away from encrypting consumer devices by default. Echoing similar comments made last month, Director James Comey spoke to the Brookings Institute yesterday about the issue, which he claims will make it difficult for law enforcement officials to collect evidence from mobile devices.

Briefly: Office 2011 Mac security patch, DevonTechnologies updates

10/16, 4:13pm

Microsoft Office for Mac 2011 receives security update

Microsoft has released a security update for its Office for Mac 2011 software, the latest release being v14.4.5. The update resolves vulnerabilities that could allow remote code execution if a specially crafted file is opened in an affected version. Attackers who succeed could gain the same user rights as the current user, and subsequently install programs; view, change or delete data; or create new accounts with full user rights. Full details can be found in Microsoft's latest security bulletin on the matter.

Validity of Anonabox project examined over hardware sources

10/16, 11:15am

Reddit users suggest Anonabox created from existing routers sold in China

A Kickstarter campaign for a privacy-focused Wi-Fi router has drawn the ire of some Internet users, with the suggestion that all may not be as it seems. Reddit users are complaining about the Anonabox Tor router's claimed "open hardware," with components apparently being sourced from Chinese resellers rather than being designed specifically for the project.

Apple's iAd now tracking iOS 8 users' in-app browsing behaviors

10/16, 10:56am

Apple pitching tech to advertisers as an alternative to cookies

Something quietly introduced alongside iOS 8 has been the ability for advertisers to retarget iAds based on in-app browsing actions, a new report says. Apple is, in fact, said to be pitching this to advertisers as a way of circumventing the absence of mobile cookie tracking in iOS. In a given example, someone who adds a pair of shoes to a cart in a retailer's iPhone shopping app -- but decides not to buy them -- may later see an ad for that same pair of shoes from the same retailer, even in another app on his or her iPad. Tapping that ad might redirect the person to their abandoned checkout page and add the shoes back to it.

Google warns of 'Poodle' SSL 3.0 vulnerability in browsers, servers

10/15, 8:41am

SSL 3.0 design flaw allows attackers to view contents of encrypted web traffic

Another Secure Sockets Layer (SSL) vulnerability has been discovered by Google, just six months after Heartbleed was first unveiled. Padding Oracle On Downgraded Legacy Encryption ("Poodle") is an issue affecting SSL 3.0, though researchers claim the issue this time is less severe than Heartbleed, despite potentially affecting nearly all browsers and a large number of servers.

Crowdfunding Critic: Anonabox Tor hardware router

10/14, 1:26pm

Kickstarter campaign for Anonabox vastly exceeds target in first day

Welcome to another edition of Crowdfunding Critic, an article series where the staff of MacNN and Electronista will highlight a new crowdfunded project from sites such as Kickstarter and Indiegogo, with this edition focusing on the popular Anonabox. As always, we are not endorsing a project or warning of any potential funding risks associated with crowdfunded projects, so it is advisable to do your own research before investing.

Dropbox denies 7M account leak caused through server hack

10/14, 6:44am

Third party services likely to blame for Dropbox account leak

Passwords from a supposed pool of 7 million Dropbox accounts have allegedly been leaked by hackers, though Dropbox denies its service has been hacked. A thread on Reddit linked to batches of account credentials, with the user hoping to receive Bitcoin donations for the leaks, though the exact source of the leaked account details is unknown.

Kmart suffers huge breach, all shoppers since September likely victims

10/11, 11:22am

Kmart offering identity theft protection, credit monitoring

Sears-owned retailer Kmart has declared that it has suffered a massive data breach. The company said late Friday that the malware attack that began harvesting data from its point-of-sale computer systems in early September was a "new form of malware" and "similar to a computer virus." Few details have been released by Kmart, but the company warns that victims could include every shopper between September 1 and Thursday, October 9. Online shoppers were not impacted by the breach.

Dairy Queen chain latest victim of Backoff POS malware

10/10, 1:42pm

August infection subjects customers of 395 stores to data theft

Restaurant chain Dairy Queen has confirmed that 395 of its 4,500 US locations have been affected by the "Backoff" malware, which has, in turn, compromised customers' credit card information. Restaurants in 46 states were affected, with customers in Hawaii, Louisiana, Rhode Island and Vermont escaping the malware.

Third party SnapChat tools compromised; 13GB of photos stolen, leaked

10/10, 12:33pm

Breach from either Android app or third party web tool SnapSaved

Some supposedly ephemeral messages sent through the SnapChat service have been leaked to the Internet. Private photos collected for years through either the SnapChat archiving Android app Snapsave or the shuttered SnapChat web client SnapSaved have been stolen, and posted en masse to the chat forum 4chan and other similar locations.

Symantec confirms pursuit of split into two independent companies

10/09, 8:03pm

Two publicly traded companies will emerge in areas of security, information management

Rumors of Symantec's possible company split look to be true, as the company announced today that a plan was voted on to break the company up. The company, which is known for its line of Norton security products, said that its board of directors unanimously approved a new plan that would create two publicly traded companies, each with their own focus.

Adobe Digital Editions e-book reader collecting, reporting data

10/08, 4:02pm

Information on ePubs sent in plain text over unencrypted channels to Adobe servers

If Adobe didn't have enough problems with its reputation for security because of how frequently the company's products are used as attack vectors, then the claim that the company collects detailed, personal data through Digital Editions 4 will undoubtedly further alienate some customers. The program, which is used to enforce digital rights management on books borrowed from libraries or other online avenues, is reporting details on the use of ePub files back to Adobe -- and the reporting is unencrypted, inviting further privacy and security issues.

Some Belkin routers not connecting to the Internet, workaround posted

10/07, 4:50pm

List of affected Belkin devices, cause of incident both unknown

Some of accessory manufacturer Belkin's router customers are experiencing connectivity issues, predominantly with older models. For reasons unknown, possibly due to a silent, automatic firmware update, some Belkin networking products are refusing connection to the Internet, but maintaining local area network connectivity. Some models can be restored by pointing Domain Name Services to Google's or other providers' services.

AT&T warns of customer data breach instigated by employee

10/07, 11:08am

Letter to Vermont attorney general advises of August intrusion

AT&T has admitted that it has suffered a data breach, and is warning customers about the intrusion. The communications provider has written to the Vermont attorney general about the breach, which took place in August, though unlike similar breaches at Home Depot, Target, and itself, this was instigated by an employee rather than an outside force.

Briefly: 1Password 5.1, Cycloramic both updated for iPhone 6

10/06, 9:36pm

Latest 1Password improves Touch ID support, adds iPhone 6 Plus support

A new version of password manager 1Password has been released for the iPhone and iPad, offering support for the iPhone 6 and iPhone 6 Plus in the form of 3x higher resolution images and improved icons. The update also makes Touch ID support more reliable, and simplifies the app's security settings. A new option has been added to disable third-party keyboards inside the 1Password app (since, in theory, such a keyboard could transmit keystrokes), and users can now create tags to help sort data. The app itself is free, but a "pro" in-app purchase to unlock additional features costs $10.

Apple updates OS X malware definitions to block 'iWorm'

10/06, 10:02am

Should halt further infections

Apple has issued a silent update to Xprotect, the anti-malware system in OS X, to detect and block the inaccurately-named "iWorm" trojan uncovered last week. The new definitions actually mention three variants, identified as "OSX.iWorm.A," "OSX.iWorm.B," and "OSX.iWorm.C." It's not clear what the differences between them might be.

Google fires back at celeb photo threat, claims decisive action taken

10/04, 11:12am

Search engine has scrubbed 'tens of thousands' of links to stolen photos

Google has responded to the letter threatening legal action should Google not purge the Internet of stolen, and sometimes intimate, photos of celebrities. The search engine has denied that it is intentionally profiting on the scandal, and instead has acted quickly and appropriately to takedown requests by removing "tens of thousands" of images from Google search results.

States launching independent investigation of JP Morgan Chase hack

10/04, 7:59am

Scope of theft makes consumer protection agencies wary of uptick in phishing

Despite JP Morgan Chase claiming that it isn't seeing increased fraud activity, two states have launched an investigation of the event that exposed 76 million households' information, with the promise of more to come. A recent regulatory filing disclosed the leak, with customers' names, addresses, phone numbers, and email addresses stolen -- the bank, however, claims no financial information was taken.

Belgian teenager racks up over $46,000 in in-app purchases

10/03, 4:51pm

iOS and 'free-to-play' game blamed

A 15-year-old from Antwerp, Belgium has managed to accumulate over 37,000 euro ($46,000) in iTunes charges on a credit card through in-app purchases, according to local publication Nieuwsblad. The teenager was reportedly playing a free-to-play iOS game called Game of War: Fire Age; several months in, his mother asked him to buy some e-books using her credit card. The boy then discovered he could buy virtual gold in-game using real money, greatly accelerating his progress. The title even has a casino minigame.

New OS X malware 'iWorm' discovered in pirated software [u]

10/03, 2:57pm

Formerly used Reddit as go-between to steal user data

[Updated with corrected information and further details] A new Trojan threat, possibly disguised as a fake unauthorized build of OS X 10.10 Yosemite, is making the rounds by taking in users who attempt to pirate software. The new malware, dubbed "iWorm" by Russian research firm "Dr. Web," has supposedly been installed by duped users on over 17,000 unique IP addresses worldwide thus far. Users would have had to have downloaded and installed the software in order to be victimized by the Trojan, which is mostly aimed at gathering user data.

Google's Schmidt says Google encryption superior to Apple's

10/03, 8:22am

Google chairman defends company against implied Tim Cook remarks

Google chairman Eric Schmidt has fought back against comments over the company's security and privacy, following comments laid out by Apple CEO Tim Cook. In an interview which touched upon a recent open letter about privacy from Cook, Schmidt claims "Someone didn't brief [Cook] correctly on Google's policies. It's unfortunate for him."

JPMorgan Chase breach outlined in SEC filing, 76M households exposed

10/02, 9:58pm

Number of people affected revealed more than three months after breach discovered

A filing made with the United States Securities and Exchange Commission (SEC) Thursday revealed new information on the scope of the breach that JPMorgan Chase witnessed earlier in the summer. In July the company, along with at least four other financial institutions, discovered an attack by hackers that reportedly resulted in gigabytes of data stolen after they gained high-level access to 90 of JPMorgan Chase's servers worldwide.

EFF: ComputerCop software endorsed by law enforcement is spyware

10/02, 8:36pm

Tests reveal keylogger information unencrypted when sent, 'software is unreliable'

A program that is touted as the first step in Internet security for children was examined by the Electronic Frontier Foundation (EFF), only to discover that the software isn't very safe itself. ComputerCop, which the EFF says is distributed by approximately 245 agencies involved in law enforcement in 35 states, is nothing more than branded spyware that is unreliable and sends unencrypted key logs, the foundation says.

Facebook apologizes over emotion research, implements new guidelines

10/02, 5:42pm

Proposals for Facebook research to undergo more stringent reviews

Facebook has admitted fault over its handling of user-based research, a matter which erupted this summer, and is taking steps to prevent such incidents from happening again. The social network is putting in place measures that it hopes will place a greater degree of scrutiny on future research projects, at the time of proposal, and at the time of publication.

Source code for critical USB firmware exploit posted on GitHub

10/02, 3:14pm

Pair of researchers engineer hack, post code to shame companies into action

Security researchers Adam Caudill and Brandon Wilson have published source code for a theoretically unpatchable USB firmware bug called "BadUSB." First revealed at the Black Hat security conference in July, the two researchers who reverse-engineered the original finding say that they published for the public good, and "so people can defend against it." More severe exploits are possible using their method, but Caudill and Wilson are hesitant to release them, fearing more dangerous exploits.

Briefly: Google+ adds Audience setting, iLuv's new compact chargers

10/02, 3:11pm

Google+ now offering ability to restrict viewers based on age, location

Google's social network, Google+, has added a new privacy feature, allowing its users to limit who views their content based on age and location. The new section, found within Profile Settings, is called Audience; here, an age limit can be selected on content viewing, and users can also select what countries the content can be viewed from. Varying age restrictions can be chosen for each country if desired.

Pro-democracy protesters targeted with malware on iOS, Android

10/02, 1:47am

Malware entry vector not yet identified; may capitalize on jailbreak compromise

In an almost unheard-of claim, Lacoon Mobile Security has said that it has discovered a new spyware attack that targets both iOS and Android devices and which appears to be aimed specifically at Hong Kong pro-democracy protesters. Lacoon says it made the discovery while investigating the Android version, but did not clarify how the malware might be installed, or overcome the security built into iOS that has, thus far, kept it largely immune to serious malware or viruses.

Find My iPhone web page lets users check on Activation Lock status

10/02, 12:03am

Users can enter IMEI to learn more; technology is on by default in iOS 8

Users who are unsure whether their iOS device has the anti-theft feature Activation Lock turned on can now easily check through a new page on Apple's iCloud site. While the page is currently not linked from the main menu on iCloud.com -- suggesting it may still be undergoing testing -- it lets users input the device's serial number or IMEI identifier, and returns information on whether the device is protected.

Google increases cash rewards for Chrome bug bounties

10/01, 5:20pm

New $15,000 award for successful submissions, up from $5,000.

Google is increasing the rewards in its bug bounties program, as it tries to make its software more secure. The search company is updating its reward pricing range to between $500 and $15,000 per bug, up from the previous maximum of $5,000 for a high-quality report, with an increased focus on discovering potential vulnerabilities within the Chrome browser.

Second round of POS breaches strikes Albertson's, Supervalu chain

10/01, 3:14pm

Newest range of grocery store breaches spans 20 states

Supervalu and Albertson's shoppers may be in for another round of personal information theft notifications. The companies said that a second hack took place in late August or early September, with the company finding malicious software on systems that process credit and debit card sales at some of the company's 1,081 stores. Additionally, the malware was also found at Shoppers Food and Pharmacy, plus Shop 'n Save stores -- but the company believes that the installation was not successful, and failed to capture payment data.

FTC head speaks out against proposed FCC Title II regulation of ISPs

09/30, 12:56pm

Dueling regulatory boards fight over future of ISP regulation

Allegedly concerned about protecting the American consumer, US Federal Trade Commission (FTC) head Maureen Ohlhausen has come out as strongly against Federal Communications Commission (FCC) Chairman Tom Wheeler's net neutrality provision -- specifically, the possibility of Title II regulation of ISPs. The comment against the possibility of regulating Internet providers as a utility is the FTC's second in September.

Apple releases fix for 'Shellshock' Unix flaw

09/29, 6:13pm

Updates bash for OS X Lion, Mountain Lion and Mavericks

Although nearly all Mac users are unaffected by the issue, Apple has made good on its word to quickly fix a serious security flaw in bash, a Unix shell that comes as part of OS X. Apple acknowledged the problem on Friday, and today released OS X bash update 1.0 for OS X Lion (10.7), Mountain Lion (10.8) and Mavericks (10.9). The flaw, known as "Shellshock," could potentially leave users who have set up advanced Unix services that interact with the web vulnerable to remote intrusion.

CloudFlare rolls out free SSL website encryption to all users

09/29, 1:41pm

SSL added after Google's decision to rank encrypted sites higher in search rankings

CloudFlare is pushing its users toward security in a good way, as it is adding Secure Sockets Layer (SSL) encryption to all of its customer accounts starting today. Where the company says that only around two million sites supported encrypted connections previously, CloudFlare believes it will double that number by the end of the day. The SSL encryption is being added to all accounts, even those of free users.

Russia social media law starts early; Twitter, Google, Facebook warned

09/26, 9:26am

Fines not the central means of enforcement -- violators face wide block

Russia's Internet watchdog has sent formal notices to Google, Facebook, and Twitter this week, enforcing early compliance with the country's social media law, requiring services with more than 3,000 readers in a day to register with the overseeing governmental agency and store data within the country. Deputy chief Maxim Ksenzov of Roskomnadzor, the agency in charge of enforcement of the law, has said that the trio will be "forced one way or another to obey the law" despite being international companies.

Follow-up: most Mac users 'not at risk' from Bash vulnerability

09/26, 12:06am

Only those running advanced UNIX services should be concerned, fix is on the way

An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be at risk from the flaw -- which would mean that nearly all OS X users are unaffected. Nevertheless, the company is said to be working on a fix.
