Archive
Sensationalising Apple news
I saw a fine example of the way news is reported today, with a story presented in two very different ways. Here’s the headline and first few sentences from the two stories.
Massive Apple iPad data breach reveals 114,000 subscriber emails
An iPad security breach in the US has revealed 114,000 email addresses of AT&T subscribers, according to the hacking group Goatse Security.
Goatse has previously identified holes in web browsers such as Safari and Firefox, but this is perhaps their biggest profile security hole find to date.
And the second story:
AT&T website scraped to reveal iPad 3G owners’ email addresses
Unfortunately for AT&T’s security infrastructure — and equally unfortunately for customers who bought and activated iPad 3G units on the company’s network — a freelance security research team has reportedly scraped two key tidbits of information from thousands of iPad registrations. As Gawker reports, the hackers exploited a script on AT&T’s site by feeding it ICC-IDs (the GSM SIM card’s identifier code) harvested from iPad user screenshots and interpolated to cover a wider range. The AT&T site obligingly gave back the email address associated with each of the ICC-IDs.
Seeing the first headline certainly got my attention: is there a problem with the iPad? Has Apple screwed up? Then the second followed a few posts down my RSS feed list, calmly stating the facts. Can you tell which site I trust for news?
Mozilla blocks Microsoft’s Firefox plugin
Monday mornings are not known for amusing news, but today is different. I fired up Firefox on my work laptop and up popped a dialogue warning me that the Windows Presentation Foundation had been disabled.
The Windows Presentation Foundation plugin caused a stink earlier this year when it was installed into Firefox by a Microsoft update without the user’s consent or knowledge. Uninstalling the plugin proved initially difficult (later resolved with another update) and last week Microsoft announced it contained a critical security vulnerability.
The block came into effect late Friday, but since I’m a Macintosh user at home I do not (yet) suffer intrusive Microsoft updates that install components without my permission.
Gmail security advice
Google Mail has recently added the ability to use SSL to encrypt your browser’s connection to the web client, and Webmonkey.com is recommending you turn it on. It appears that a Gmail account hacking tool is due for release in a couple of weeks that will make the process of hacking an email account a whole lot easier. It’s easy to enable SSL from the Gmail web settings page, so my advice to anyone using Gmail is to read the article and switch it on.
I’ve had a look at Mail on my Macs and iPod, and they use the SSL option by default. This only really applies if you use the Gmail web client, but since you never know when you might need to check your mail online it’s worth doing.
Bypassing FileVault and BitLocker security
The latest security flaw in Mac OS and Windows is revealed in an article I found on ZDNet today. Microsoft’s BitLocker, Apple’s FileVault and the open-source TrueCrypt are all rendered insecure because memory contents are not deleted when the computer is rebooted. Sounds pretty scary until you read the rest of the article. To achieve this feat you need to supercool the memory cards and transfer them to another computer, or follow a long and involved procedure using specially developed software and lots of technical knowledge.
Transferring memory to another computer is not difficult, but won’t much of the memory be overwritten when the recipient computer boots? And as for the other method using another computer attached via Ethernet cable and network booting the Mac, using an Open Firmware password will block this. The other point worth mentioning is that the Windows version used was Vista, but the Mac OS was Tiger. Is Leopard still vulnerable to this type of attack?