The Guardian:
Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details.
This is a short term issue, a weakness with bank verifications, not an issue with Apple Pay.
A malicious app can track your movement without getting permission to access your GPS info. Just tracking your power usage can help malware track your location.
Spoiler alert, best bet is to make a reliable backup of your Mac, enable FileVault encryption, use a password everywhere you can and use a different password at every opportunity. This is worth reading.
The Mac firewall is designed to block incoming connections. This article digs into the process of working with a firewall and explains why the Mac firewall is not necessary for most users.
Links to the official FBI update on the Sony hacking, as well as an interesting offer to Sony from the hacker quarterly 2600.
There’s been a lot of discussion over the past few days about Apple ID two-step verification and the fact that Apple can’t restore your account if you lose your recovery key. Here’s how to do it.
Sometime next year, residents of Iowa will be able to download an app that will act as their driver’s license. Is this a job for the secure element?
Interesting speculative piece on the vulnerability of Uber’s rider database.
Sony Pictures was hacked last week, bringing its operations to a halt. Now, Sony has discovered that at least five screeners (review copies of unreleased motion pictures) have been leaked on-line.
This New York Times article calls out a specific piece of malware, but there appear to be many others:
A particularly nasty mobile malware campaign targeting Android users has hit between four million and 4.5 million Americans since January of 2013, according to an estimate by Lookout, a San Francisco mobile security company that has been tracking the malware for about two years.
Know anyone that uses a remote webcam or baby monitor so they can keep an eye on things while they are not at home? You might want to pass this along.
This is one of the most sophisticated malware campaigns I’ve ever heard of. It targets individuals and waits six months before activating.
At first blush, this malware, known as WireLurker, seems reasonably innocuous, since it is initially delivered solely via an app store for jailbroken iOS devices in China. It’s a little more complicated than that, which makes it potentially a lot more of an issue.
A security breach at the worst possible time.
Charles Arthur, writing for The Guardian, makes the case that Apple’s new iPad release is much more than a speed bump release. Rather, the addition of Touch ID to the iPad line is a huge milestone marker and a critical element in Apple’s Apple Pay rollout and pursuit of acceptance/adoption in the business sector.
Maurits Martijn, writing for Medium:
In his backpack, Wouter Slotboom, 34, carries around a small black device, slightly larger than a pack of cigarettes, with an antenna on it…Wouter removes his laptop from his backpack, puts the black device on the table, and hides it under a menu. A waitress passes by and we ask for two coffees and the password for the WiFi network. Meanwhile, Wouter switches on his laptop and device, launches some programs, and soon the screen starts to fill with green text lines. It gradually becomes clear that Wouter’s device is connecting to the laptops, smartphones, and tablets of cafe visitors.
On his screen, phrases like “iPhone Joris” and “Simone’s MacBook” start to appear. The device’s antenna is intercepting the signals that are being sent from the laptops, smartphones, and tablets around us.
Part of this is an education problem, teaching people how to be careful. But it’s foolish to think that any public WiFi connection is safe. It’s just far too easy to spoof trusted networks.
Thoughtful editorial from Wired. The upshot:
However it got there, Apple has come to the right place. It’s a basic axiom of information security that “data at rest” should be encrypted. Apple should be lauded for reaching that state with the iPhone. Google should be praised for announcing it will follow suit in a future Android release.
Also worth reading, this essay from Salon, entitled America’s huge iPhone lie: Why Apple is being accused of coddling child molesters.
There’s a new strain of malware that specifically targets OS X. Read on to learn about the malware itself and to learn how to tell if you are infected.
Yoni Heisler does an excellent job of demystifying Apple Pay. Here’s my take on how all this works. Now with corrections.
Getting ready to buy a used iPhone or iPad? Ask the seller for the device’s IMEI or serial number, then go to this page.
There’s a new vulnerability that impacts most Unix installs, including many embedded systems (devices that run Unix but don’t expose the OS interface) as well as OS X, the operating system at the heart of all modern Macs.
The issue is a flaw in the Bash shell that allows you to redefine a shell variable from the command line.
Spend a few minutes browsing Apple’s privacy pages. Privacy is a big issue and Apple has clearly made protecting user privacy a primary design pillar in its products. That’s great for consumers, but privacy also offers a significant competitive advantage against competitors like Google and Facebook.
iOS 8 allows you to select a third party keyboard to replace Apple’s built-in keyboard. The linked article takes a look at three of these, SwiftKey, Swype, and Fleksy, comparing them to the default iOS 8 keyboard.
Twitter user @hackappcom posted a proof of concept, called iBrute, to GitHub on Saturday, that took advantage of an alleged hole in Find My iPhone…
[VIDEO] The FLIR ONE personal thermal imager is an infrared camera that snaps on to the back of your iPhone 5, allowing you to shoot infrared videos and stills. I’ve played with one and they are fun, easy to use and work well.
The down side of the FLIR ONE is that it can be used to pick up pin codes and other lock combinations by tracking the heat signature left by your fingers. The video embedded below shows how this is done and how to prevent it. Worth a watch.
New York Times:
A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say.
Replacing our existing ID system needs to become a priority.
Last week, a Houston TV station reported on the arrest of a man on charges of child pornography, purely based on a tip from Google. Should Google, Apple, and others be reading your email?
Quartz:
When you install an app on an Android smartphone or tablet, it asks for access to data such as your location or address book. If you say no, you can’t install the app.
Apple handles things differently. On its mobile operating system, iOS, apps don’t ask permission when they’re installed. Instead, iOS takes some permissions as a given—internet access for instance—but for more sensitive data, such as your photos or location, the app has to ask for access when you use it. That more closely relates the decision to grant access to the reason for asking for it.
That there should be a difference between Android and iOS, which between them control 96.3% of the smartphone market, isn’t surprising. They have different overarching philosophies: Android is free for any smartphone maker to use while iOS is for iPhones only. Developers can freely upload their apps to the Google Play Store while Apple has tight gatekeeping. Android is easily customized; iOS is not.
My two cents:
Last week, security consultant and former iOS jailbreaker Jonathan Zdziarski made headlines with his talk, “Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices”. Here’s a link to a PDF of the slides. The talk gave a sense that Apple left a backdoor for easy access to pairing records (the records that pair an iOS device to a trusted computer). Apple responded.
The good thing about web-site cookies is that they are blockable. Cookies are the devil-you-know and web browsers are set up to deal with/delete them.
Now there’s a new insidious devil in town called canvas fingerprinting which can’t be blocked by your browser’s privacy settings or plugins.