
Posts Tagged ‘security’

Sensationalising Apple news

June 10, 2010

I saw a fine example of the way news is reported today, with a story presented in two very different ways. Here’s the headline and first few sentences from the two stories.

Massive Apple iPad data breach reveals 114,000 subscriber emails

An iPad security breach in the US has revealed 114,000 email addresses of AT&T subscribers, according to the hacking group Goatse Security.
Goatse has previously identified holes in web browsers such as Safari and Firefox, but this is perhaps their biggest profile security hole find to date.

And the second story:

AT&T website scraped to reveal iPad 3G owners’ email addresses

Unfortunately for AT&T’s security infrastructure — and equally unfortunately for customers who bought and activated iPad 3G units on the company’s network — a freelance security research team has reportedly scraped two key tidbits of information from thousands of iPad registrations. As Gawker reports, the hackers exploited a script on AT&T’s site by feeding it ICC-IDs (the GSM SIM card’s identifier code) harvested from iPad user screenshots and interpolated to cover a wider range. The AT&T site obligingly gave back the email address associated with each of the ICC-IDs.

Seeing the first headline certainly got my attention: is there a problem with the iPad? Has Apple screwed up? Then the second followed a few posts down my RSS feed list, calmly stating the facts. Can you tell which site I trust for news?

Categories: apple, ipad

Mozilla blocks Microsoft’s Firefox plugin

October 19, 2009

Monday mornings are not known for amusing news, but today is different. I fired up Firefox on my work laptop and up popped a dialogue warning me that the Windows Presentation Foundation had been disabled.


The Windows Presentation Foundation plugin caused a stink earlier this year when it was installed into Firefox by a Microsoft update without the user’s consent or knowledge. Uninstalling the plugin proved initially difficult (later resolved with another update) and last week Microsoft announced it contained a critical security vulnerability.

The block came into effect late Friday, but since I’m a Macintosh user at home I do not (yet) suffer intrusive Microsoft updates that install components without my permission.

Gmail security advice

August 20, 2008

Google Mail has recently added the ability to use SSL to encrypt your browser’s connection to the web client, and Webmonkey.com is recommending you turn it on. It appears that a Gmail account hacking tool is due for release in a couple of weeks that will make the process of hacking an email account a whole lot easier. It’s easy to enable SSL from the Gmail web settings page, so my advice to anyone using Gmail is to read the article and switch it on.

I’ve had a look at Mail on my Macs and iPod, and they use the SSL option by default. This only really applies if you use the Gmail web client, but since you never know when you might need to check your mail online it’s worth doing.

Categories: email, internet, security

Security Update 2008-005 released

August 1, 2008

The latest Apple security update is now available, and has installed fine on my hackintosh. There are no major changes with this, and the kernel is still version 9.4. As usual, be sure to make a backup before installing. For more information on what security fixes are included, visit http://support.apple.com/kb/HT2647

Serious OSX Security Vulnerability

June 29, 2008

This one broke around a week ago but I’ve only just had the chance to try it out. And an OSX security flaw is big news so no harm in spreading the cure. The advisory at Washingtonpost.com concerns the Apple Remote Desktop Agent, which runs as root and accepts AppleScript commands. Type the following into Terminal; you can copy and paste it and it works fine.

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

On my 10.5.3 installation this returns ‘root’, so the vulnerability can be used to do anything on the Mac. The following command will change the file access permissions of ARDAgent:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';

Again, this can be copied and pasted into the terminal. Running the first command again should now return your username rather than ‘root’.
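To confirm the permission change without invoking ARDAgent again, the file mode can be inspected directly: chmod 0555 leaves the binary at r-xr-xr-x, with no set-user-ID bit. The script below is an added example, not part of the original post; the function names and status strings are made up for illustration, and only the ARDAgent path comes from the command above.

```shell
#!/bin/sh
# Added example: report whether a binary still carries the set-user-ID bit.
# Default target is the ARDAgent path from the post; pass another path as $1.

ARDAGENT=/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

# Prints exactly one of:
#   missing          - no such file
#   setuid uid=<n>   - set-user-ID bit present; <n> is the numeric owner
#   no-setuid        - bit cleared (the state chmod 0555 leaves behind)
setuid_status() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "missing"
    elif [ -u "$target" ]; then
        # ls -lnd prints the numeric owner in the third column
        owner=$(ls -lnd "$target" | awk '{print $3}')
        echo "setuid uid=$owner"
    else
        echo "no-setuid"
    fi
}

# True only when the file is setuid AND owned by uid 0, i.e. it runs
# as root no matter which user starts it.
runs_as_root() {
    [ "$(setuid_status "$1")" = "setuid uid=0" ]
}

path=${1:-$ARDAGENT}
echo "$path: $(setuid_status "$path")"
if runs_as_root "$path"; then
    echo "still setuid root: the permission change has not been applied"
fi
```

A system update or a Disk Utility permissions repair may restore the original mode, so the check is worth repeating afterwards.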

Read the full article at Washingtonpost.com.

Bypassing FileVault and BitLocker security

February 22, 2008

The latest security flaw in Mac OS and Windows is revealed in an article I found on ZDNet today. Microsoft’s BitLocker, Apple’s FileVault and the open-source TrueCrypt are all rendered insecure because memory contents are not deleted when the computer is rebooted. Sounds pretty scary until you read the rest of the article. To achieve this feat you need to supercool the memory cards and transfer them to another computer, or follow a long and involved procedure using specially developed software and lots of technical knowledge.
Transferring memory to another computer is not difficult, but won’t much of the memory be overwritten when the recipient computer boots? And as for the other method, using another computer attached via Ethernet cable and network booting the Mac, an Open Firmware password will block this. The other point worth mentioning is that the Windows version used was Vista, but the Mac OS was Tiger. Is Leopard still vulnerable to this type of attack?