Apple responds to iCloud network attacks with guide on verifying browser security


Following the recent attack by Chinese institutions on iCloud.com in an attempt to steal account information, Apple has posted a new how-to article about verifying that the page you reach when you type iCloud.com into your web browser is the genuine Apple site.

The page doesn’t offer a fix per se, but walks through how to check the certificates of the page in Safari, Chrome and Firefox.


Chinese government apparently phishing iCloud account info with man-in-the-middle attack (Update: Apple confirms)


Update: Apple is aware of the attack, according to CNBC. As expected, Apple’s own servers were not compromised.

Although unconfirmed, GreatFire is reporting that Apple is now the subject of Chinese government hacking attempts. According to the report, the government is using the institutional firewall to redirect traffic directed at iCloud.com to a fake page that resembles the iCloud.com interface almost perfectly.

Like other phishing attacks, this page pretends to be Apple’s portal but instead intercepts the usernames and passwords entered into it. Although some browsers in China are set up to warn users about this kind of man-in-the-middle attack, many are not, and (presumably) many citizens disregard the warnings because the site otherwise appears quite genuine.


More details on how iOS 8’s MAC address randomization feature works (and when it doesn’t)


A few days ago Apple published a new privacy page on its website detailing the various measures it has put in place to protect Mac and iOS users’ personal data. One of those features, new in iOS 8, is the automatic randomization of the MAC address while the device is scanning for Wi-Fi networks. This makes it much harder to track a device by recording which Wi-Fi networks have seen its unique hardware identifier.

A new two-part study by AirTight Networks into how well this security feature works has turned up some interesting results, including several conditions that will stop the phone from randomizing a MAC address. Part one of the study breaks down what exactly needs to happen in order to start this function…


Apple aware of iCloud brute-force vulnerability six months before ‘Celebgate’


The software developer credited by Apple for discovering last year’s developer center flaw says that he informed Apple of an iCloud weakness that may have been used to obtain celebrity nudes more than six months before the photos were accessed.

The Daily Dot reports that Ibrahim Balic advised Apple in March of a Find My iPhone weakness that would allow brute-force attacks on iCloud accounts. It has been suggested that this may have been one of the methods used to access the accounts – or even complete iPhone backups – of celebrities …

App developer warns not to enter personal info using in-app browsers due to security issue

App developer Craig Hockenberry has published an article today titled “In-app browsers considered harmful,” warning both developers and users of security issues with apps that embed their own web browser. “Would it surprise you to know that every one of those apps could eavesdrop on your typing? Even when it’s in a secure login screen with a password field?”

Apple removes language from Transparency Reports signaling new government requests for data


Just as Apple published a new letter from Tim Cook and an update on its privacy and security policies, a new report points to evidence that the company has recently received new government demands for user data under the Patriot Act. GigaOM reports that language previously included in Apple’s Transparency Reports, noting that the company had “never received an order under Section 215 of the USA Patriot Act,” has since been removed. According to the report, that could signal Apple’s involvement with controversial National Security Agency programs that demand data from companies.

Tim Cook reiterates commitment to user privacy and security in letter on Apple website, launches new security page


As reported by the Wall Street Journal, Apple CEO Tim Cook has published a letter (below) on the company’s website expressing his commitment to the privacy and security of iOS and Mac users. Cook says that he will now issue annual updates on how user data is being handled, and that the company will become even more transparent about its data collection practices.

The executive also reiterated previous claims that neither he nor any part of the company has collaborated with governments to provide access to user information, noting again that Apple does not read users’ email, iMessages, and other communications. He also pointed out that there is no “profile” being created about user browsing habits or other data points that often interest advertisers.


Apple Watch uses constant skin contact to validate Apple Pay purchases


A couple of reports yesterday and today have highlighted a detail many have been wondering about regarding the upcoming Apple Watch: how will the device make sure payments via Apple Pay are secure? Both the iPhone 6 and iPhone 6 Plus have the convenient Touch ID sensor to verify that purchases are really being made by you, but new information suggests that the Apple Watch will handle this in a slightly different way…


Security researcher says many of his iOS ‘backdoor’ vulnerabilities are fixed in iOS 8 GM, but not all


Jonathan Zdziarski, who sparked the initial round of iOS surveillance claims a couple of months ago, is now reporting that some of these flaws have been rectified in iOS 8. Apple had said that these services were used for debugging purposes and had no connection to government agencies, and then detailed them in a support note.

Zdziarski’s post explains that many issues have been addressed, particularly with File Relay. Previously, this service blindly sent data from the device to an external source without any authentication. In iOS 8, he says, the service has been disabled, and the data appears to be unavailable both over a physical connection and wirelessly. Zdziarski notes that law enforcement will not be able to use current tools to access any of this previously exposed information.


Apple now sending email notifications when users sign in to iCloud.com


Apple is now sending emails to users when they log in to iCloud.com. This is part of Apple’s latest round of iCloud security upgrades, which Tim Cook announced late last week. In that interview, Cook said Apple planned to launch the feature within two weeks, but it has clearly been deployed much sooner. The notification is meant to serve as a warning to users so that account intrusions can be detected as early as possible. These emails are reportedly sent only once, the first time an account logs in from a particular device, so they shouldn’t flood your inbox with login notifications.


Apple denies iCloud/Find my iPhone breach, says ‘very targeted attack’ hit certain celebrities


Apple has responded to this week’s hacking of celebrity iCloud accounts, which resulted in private photographs being posted online. Here’s Apple’s statement in full:

CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Apple says that it conducted an investigation lasting more than 40 hours, and denies that iCloud or Find My iPhone was actually breached. Apple presents this as a very targeted attack on the usernames, passwords, and security questions of “certain celebrity accounts.” Apple recommends that users enable two-step verification for their Apple IDs/iCloud accounts. The company also says it is continuing to work with law enforcement to identify the hackers involved.
