Apple outlines iOS diagnostics capabilities in response to backdoor data breach claims

Earlier this week, Apple denied claims that it had hidden secret backdoors in its iOS platform that could allow the government or malicious users to extract a variety of critical and personal details about a device’s user from an iPhone or iPad, sometimes storing that data in unencrypted formats.

Today, the company published a new document on its support website explaining the diagnostic tools that iOS uses to collect data for troubleshooting and other purposes. According to the document:

Apple blocks all outdated versions of Adobe Flash in Safari due to vulnerabilities

Due to a security flaw discovered in its Flash Player software, Adobe released an update to the web plugin earlier this week. Today Apple confirmed that it had updated its plugin blacklist for OS X to stop the system from using a version of Flash Player older than 14.0.0.145 (or 13.0.0.231 on older systems).

According to Apple’s product security team:

Due to security issues in older versions, Apple has updated the web plug-in blocking mechanism to disable all versions prior to Flash Player 14.0.0.145 and 13.0.0.231.

Apple patent details automatically adjusting security settings based on location, biosensors & behavior

A new patent application published today by the United States Patent & Trademark Office details a system Apple could use to automatically configure security and other settings of a device based on its location or the habits of its user (Google filed for the same patent 2 months prior but who’s counting?). The majority of the patent discusses intelligently adjusting settings by detecting a device’s location while using retinal scans, DNA, fingerprints, or other biosensors to present an appropriate level of security to the user:

Apple denies iCloud breach was responsible for device lockout attack, advises users to change passwords

Last night we reported that several Mac and iOS users were finding their devices remotely locked by hackers who had gained access to the users’ Find My iPhone accounts and demanded a ransom to return the devices to a working state.

Today Apple issued a statement on the problem, noting that—as suspected—the iCloud service itself was not actually breached, but individual user accounts may have been compromised through password reuse or social engineering:

Report: Apple planning iOS-controlled smart home automation platform for WWDC unveiling

According to a report from The Financial Times, Apple is working on a new software platform that would “turn the iPhone into a remote control for lights, security systems and other household appliances.” Apple’s iOS ecosystem is of course already home to an increasing number of connected products for the home like the Philips Hue WiFi connected light bulbs, the Nest thermostat and a number of iPhone controlled appliances, but the report claims that Apple will soon unveil a new central platform that will make for a more seamless experience:

Apple patches another major security hole in its website that allowed access to all developer personal information

Imagine our surprise when an email from a complete stranger showed up in our tips box containing the personal contact information—including cell phone numbers—of several 9to5Mac staffers, as well as a few high ranking Apple executives.

Last night Apple pulled the Developer Center offline for maintenance, but as is usually the case, no noticeable changes were visible when it came back up. As it turns out, the company was patching a very serious security breach that was discovered over the weekend, allowing anyone to access the personal contact information for every registered iOS, Mac, or Safari developer; every Apple Retail and corporate employee; and some key partners.

The issue was discovered by developer Jesse Järvi and brought to our attention on Saturday. A video of the exploit is below. We ensured that the problem was reported to Apple and ran it up the ladder. Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple. As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.

Apple says Heartbleed security flaw did not affect its software or services

With an estimated half a million sites vulnerable to the “Heartbleed” vulnerability revealed earlier this week, which allows an attacker to access user details of websites previously believed to be secured by industry-standard SSL/TLS, your favorite social networks, stores, and other services around the web could potentially be handing out your password or other personal information to anyone who exploits the issue.

The bug exists in a library called OpenSSL, which is an open-source SSL implementation that many—but not all—web services use to secure sensitive traffic. If a website you use is affected by the bug, your personal data could be given to just about anyone. Unfortunately, changing your password on an unsecure site won’t even help unless the site’s owners have installed a fix (because the attackers can simply exploit the bug again to get your new password).

This serious issue affects a number of high-profile sites, but it seems your Apple ID is safe. Today, Apple gave the following statement to Re/code:

Report: EA Games server compromised, hackers stealing Apple ID, credit card & Origin account info

Update: EA said in a statement that it’s investigating the reports (via TheVerge):

“Privacy and security are of the utmost importance to us, and we are currently investigating this report… We’ve taken immediate steps to disable any attempts to misuse EA domains…”

According to a report from internet security and research company Netcraft, hackers have compromised an EA Games server and are currently using it to host a phishing site that steals Apple IDs and more from unsuspecting users. The company published its report today and says it contacted EA yesterday to report the discovery, but as of publishing the compromised server and the phishing site stealing Apple IDs were still online.

Netcraft claims the phishing site being hosted on EA’s servers not only asks for an Apple ID and password but also the user’s “full name, card number, expiration date, verification code, date of birth, phone number, mother’s maiden name, plus other details that would be useful to a fraudster.” Netcraft also reports that EA Games is being targeted in other phishing attacks that are attempting to steal user data from its Origin game distribution service:

Apple’s two-step verification for Apple IDs arrives in Canada, France, Germany, Japan, Italy, & Spain

Back in May of last year, a long list of readers in countries around the world reported having access to Apple’s two-step verification security feature for their Apple ID. Shortly after the news broke, the feature disappeared in many countries signaling it had been launched prematurely. The only officially supported countries listed on Apple’s website included the “U.S., UK, Australia, Ireland, and New Zealand.” However, today the feature has appeared in several new countries including Canada, France, Germany, Japan, Italy, & Spain. Apple has also updated its support pages for two-step verification here and here to list the new countries. 
