Hundreds of dollars being stolen from Starbucks app users – weak/duplicated passwords blamed


Starbucks has confirmed multiple reports of users of its smartphone app having three-figure sums stolen from their accounts in the form of gift certificates, reports CNN.

One user lost $550 in a matter of minutes, his account auto-reloading each time it was emptied by a hacker sending a series of $50 gift cards. Other users have also reported three-figure losses within a matter of seconds or minutes …

Security flaw allows attackers to crash carrier iOS devices within range of a fake WiFi hotspot

Security researchers yesterday demonstrated a method of creating a ‘No iOS zone,’ inside of which all carrier iPhones and iPads on iOS 8 are rendered impossible to use, reports Skycure. Most apps that connect to the Internet crash on opening (shown above), and it’s even possible to put iOS devices into a constant boot loop (shown below).

The approach exploits an SSL bug in iOS, causing an app to crash when it attempts to establish a secure connection to a server. Although the exploit requires the iPhone or iPad to connect to a fake WiFi hotspot, the researchers were able to force devices to do so …

OS X 10.10.3 update failed to fix Rootpipe vulnerability, says former NSA staffer

A former NSA staffer says that the OS X 10.10.3 update which Apple claims fixed a significant security vulnerability has failed to do so, reports Forbes. Patrick Wardle, who now heads up research at security firm Synack, demonstrated the vulnerability in a video (without revealing exactly how it was done) to allow Apple time to issue a further fix.

The Rootpipe vulnerability allows an attacker with local access to a Mac to escalate their privileges to root – allowing them full control of the machine – without further authentication. A second security researcher confirmed the flaw …

HTTPS bug leaves 1,500 iOS apps vulnerable to man-in-the-middle attacks, finds analytics company

The buggy code highlighted by arsTechnica


A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.

A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate …

Apple, Google & other large tech companies urge the White House & Congress not to renew the Patriot Act


Apple is one of ten tech giants to once again call on the US Government not to reauthorize the Patriot Act in its current form. The Act expires on 1st June unless it is renewed by Congress. Apple was joined by AOL, Dropbox, Evernote, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo.

In an open letter to President Obama, NSA Director Admiral Rogers and other prominent government figures, the companies urge Congress to end the bulk collection of communications metadata – the logs that determine how and when ordinary citizens contact each other.

The letter says that mass surveillance must end, and that a revised bill must contain mechanisms to ensure that future government surveillance is both transparent and accountable …

Snowden: The CIA has been working “for years” to break iPhone, iPad and Mac security


The Central Intelligence Agency has conducted “a multi-year, sustained effort to break the security of Apple’s iPhones and iPads,” claims The Intercept, referencing new Snowden leaks of a document from the CIA’s internal wiki system.

A presentation on the attempts, focusing on breaking Apple’s encryption of iOS devices, was said to have been delivered at an annual CIA conference called the Jamboree.

Studying both “physical” and “non-invasive” techniques, U.S. government-sponsored research has been aimed at discovering ways to decrypt and ultimately penetrate Apple’s encrypted firmware. This could enable spies to plant malicious code on Apple devices and seek out potential vulnerabilities in other parts of the iPhone and iPad currently masked by encryption.

One route reportedly taken by the CIA was to create a modified version of Xcode, which would allow it to compromise apps at the point at which they are created …

Security flaw places Mac, iOS & Android users at risk from hacking on some major websites


Cryptographers have discovered that a security flaw dating back to the ’90s is placing OS X, iOS and Android users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.

The FREAK exploit allows an attacker to force a website to use lower-grade encryption for HTTPS connections, which can be cracked within a few hours when using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site …

Tim Cook talks Snowden, Apple Car and Steve Jobs as the best teacher he’s ever had


Tim Cook appears to be using his international tour, which so far includes Israel, Germany and the UK, to push a second product every bit as hard as the Apple Watch: privacy. In an interview with the German newspaper BILD posted yesterday (paywall), Cook went as far as to praise Edward Snowden for his role in prompting discussion of the issue.

If Snowden did anything for us at all, then it was to get us to talk more about these things. [Apple’s] values have always been the same.

The comments follow a meeting with German Chancellor Angela Merkel, at which data privacy was reportedly a key topic. Cook also told the Telegraph last week that “none of us should accept that the government or a company or anybody should have access to all of our private information.” Cook has in the past resisted FBI pressure to compromise Apple’s strong encryption, and was the only tech CEO to attend a recent White House cybersecurity summit.

In the BILD interview, Cook reiterated Apple’s stance on privacy, and also said that as Apple had grown larger, it had taken deliberate decisions to be less secretive about some aspects of its business …

Watch: Apple CEO Tim Cook talk cybersecurity at White House Summit


As we mentioned earlier this week, Apple CEO Tim Cook is in attendance at the White House Summit on cybersecurity today at Stanford University, where he’s expected to discuss Apple, privacy, and security. Notably, Tim Cook is the only technology company chief executive participating in the event with the White House, as the CEOs of Facebook, Yahoo, and Google each declined, deciding to send lower-level staff instead. Other CEOs in attendance include the heads of Apple Pay partners Bank of America and Visa, as well as the chief executive officer of AIG. You can view a stream of the event below …

Tim Cook only CEO taking part in today’s White House cybersecurity summit


We learned earlier this week that Tim Cook would be speaking at a White House cybersecurity summit today, and it now appears he will be the only tech CEO to do so. USNews is reporting that CEOs of other top tech companies all declined President Obama’s invitation, sending lower-ranking execs in their place.

Unlike Apple’s Cook, other top executives at key Silicon Valley companies declined invitations to the summit. Facebook’s Mark Zuckerberg, Yahoo’s Marissa Mayer and Google’s Larry Page will not attend amid the ongoing concerns about government surveillance. Facebook spokesman Jay Nancarrow said Zuckerberg is unavailable to attend and that Chief Security Officer Joe Sullivan will speak during a panel at the event.

It’s believed other CEOs consider refusing to take part to be the best way to express their objections to increased government surveillance of electronic communications, while Cook takes the opposite view: that it is important to speak up in defence of user privacy …

Tim Cook scheduled to speak at White House cybersecurity summit this Friday


Apple CEO Tim Cook is scheduled to speak at a White House “cyber summit” at the end of the week, The Hill reported today. The White House is expected to unveil a new cybersecurity program during the summit, and is bringing together leaders in technology and government to address the issue.

Cook’s exact talking points haven’t been revealed, but Apple has previously taken strong stances on issues of customer privacy – putting it in direct conflict with the Department of Justice at times.
