Apple patches another major security hole in its website that allowed access to all developer personal information

Imagine our surprise when an email from a complete stranger showed up in our tips box containing the personal contact information—including cell phone numbers—of several 9to5Mac staffers, as well as a few high-ranking Apple executives.

Last night Apple pulled the Developer Center offline for maintenance, but as is usually the case, no noticeable changes were visible when it came back up. As it turns out, the company was patching a very serious security breach that was discovered over the weekend, allowing anyone to access the personal contact information for every registered iOS, Mac, or Safari developer; every Apple Retail and corporate employee; and some key partners.

The issue was discovered by developer Jesse Järvi and brought to our attention on Saturday. A video of the exploit is below. We ensured that the problem was reported to Apple and ran it up the ladder. Due to the critical nature of the problem, we would never reveal this type of flaw to the public until it had been dealt with and we had contacted Apple. As of last night, the hole has been patched. Keep reading for the full details of how the breach was executed and exactly what information was at risk.

Apple says Heartbleed security flaw did not affect its software or services

With an estimated half a million sites vulnerable to the “Heartbleed” vulnerability revealed earlier this week, which allows an attacker to access user details of websites previously believed to be secured by industry-standard SSL/TLS, your favorite social networks, stores, and other services around the web could potentially be handing out your password or other personal information to anyone who exploits the issue.

The bug exists in a library called OpenSSL, which is an open-source SSL implementation that many—but not all—web services use to secure sensitive traffic. If a website you use is affected by the bug, your personal data could be given to just about anyone. Unfortunately, changing your password on an unsecure site won’t even help unless the site’s owners have installed a fix (because the attackers can simply exploit the bug again to get your new password).

This serious issue affects a number of high-profile sites, but it seems your Apple ID is safe. Today, Apple gave the following statement to Re/code:

Report: EA Games server compromised, hackers stealing Apple ID, credit card & Origin account info

Update: EA said in a statement that it’s investigating the reports (via TheVerge):

“Privacy and security are of the utmost importance to us, and we are currently investigating this report… We’ve taken immediate steps to disable any attempts to misuse EA domains…”

According to a report from internet security and research company Netcraft, hackers have compromised an EA Games server and are currently using it to host a phishing site that steals Apple IDs and more from unsuspecting users. The company published its report today and says it contacted EA yesterday to report the discovery, but as of publishing the compromised server and the phishing site stealing Apple IDs were still online.

Netcraft claims the phishing site being hosted on EA’s servers not only asks for an Apple ID and password but also the user’s “full name, card number, expiration date, verification code, date of birth, phone number, mother’s maiden name, plus other details that would be useful to a fraudster.” Netcraft also reports that EA Games is being targeted in other phishing attacks that are attempting to steal user data from its Origin game distribution service:

Apple’s two-step verification for Apple IDs arrives in Canada, France, Germany, Japan, Italy, & Spain

Back in May of last year, a long list of readers in countries around the world reported having access to Apple’s two-step verification security feature for their Apple ID. Shortly after the news broke, the feature disappeared in many countries, signaling it had been launched prematurely. The only officially supported countries listed on Apple’s website included the “U.S., UK, Australia, Ireland, and New Zealand.” However, today the feature has appeared in several new countries including Canada, France, Germany, Japan, Italy, & Spain. Apple has also updated its support pages for two-step verification to list the new countries.

Apple SVP Phil Schiller shares report showing Android had 99% of mobile malware last year

As he has done before, Apple’s Senior Vice President of Marketing Phil Schiller has taken to his Twitter account to share a new report highlighting a much higher number of security threats on Android compared to iOS. Schiller linked to Cisco’s 2014 annual security report covering mobile malware trends over the last year, which happens to highlight a rise in malware on Android as one of its key takeaways:

Ninety-nine percent of all mobile malware in 2013 targeted Android devices. Not all mobile malware is designed to target specific devices, however… Many encounters involve phishing, likejacking, or other social engineering ruses, or forcible redirects to websites other than expected. An analysis of user agents by Cisco TRAC/SIO reveals that Android users, at 71 percent, have the highest encounter rates with all forms of web-delivered malware

That 71 percent encounter rate for web-delivered malware on Android mentioned above compares to just 14 percent for iPhone users, according to the report. The report’s finding that 99 percent of all mobile malware last year targeted Android marks an increase for Android compared with the last report Schiller shared. In March of last year, Schiller shared a report from security firm F-Secure that estimated Android had around 79 percent of all mobile malware for 2012 compared to just 0.7 percent for iOS.

1Password for Mac updated with a new layout option, improved search, custom password fields, and more

1Password for Mac, the popular password management app that we love here at 9to5Mac, has been updated to version 4.1 with a huge list of improvements, fixes, and additions. The first of these new additions is a new multi-column display mode with customizable column sizes.

One of the key changes to the app’s browser plugin is an updated auto-save system for new logins. Whenever you enter a password on a site you haven’t previously saved, 1Password will offer to store the password for you. With today’s update, you’ll now be able to use this feature to update existing passwords that have been previously saved. You can also tag your new auto-saved items right from the auto-save panel.

The inner workings of Touch ID: Each fingerprint sensor is paired to a specific A7 chip

When Apple introduced Touch ID on the new iPhone 5s, the company provided some basic information about the kinds of security used to protect users’ fingerprints and data. A new discovery by iMore reveals that Apple has even more security in place than they discussed with the public.

According to iMore, each individual Touch ID sensor is paired with its corresponding A7 processor. To confirm the pairing theory, iMore switched the Touch ID sensors from two brand new iPhones and attempted to set up each device. Each phone failed to recognize the sensors and returned an error until the sensors were swapped back to their original phones.

Review: 1Password 4 for Mac is a massive, feature-packed update

Back in December, AgileBits released 1Password 4 for iPhone and iPad. The app presented a completely revamped take on password security, but lacked feature parity with the Mac version of the software.

Today, 1Password for Mac has been updated to version 4, bringing a ton of new features to the Mac. In fact, the update brings so many new capabilities that the Mac version of 1Password has now surpassed the iOS version in features. This is a massive release with a completely redesigned interface, overhauled browser extensions, support for new types of saved items, enhanced security, and more.

Find our complete review below:

Norwegian government blocking Apple from capturing 3D Flyover Maps data in Oslo

Oslo, Norway in Apple Maps (No 3D available)

Update: From a 9to5mac Reader in Norway:

Regarding the issues where the Norwegian government is blocking Apple from mapping the capital, Oslo, in 3D: it seems the law that is being cited actually was withdrawn in 2005, but issues with an old computer system in the police department block the update from being put to use! http://www.osloby.no/nyheter/Loven-som-hindrer-Apple-a-flyfotografere-Oslo-ble-vedtatt-opphevet-i-2005-7277631.html

Apple is being blocked from capturing 3D aerial footage of Norway’s capital, Oslo, for its iOS and Mac Maps applications, according to Norway-based newspaper Aftenposten. As part of removing Google Maps from iOS, Apple launched its in-house Maps app last year with iOS 6, with 3D “Flyover” data being a premier feature. Flyover allows users to see a 3D representation of many cities across the globe.

According to today’s report, Norway’s National Security Authority is not allowing Apple to capture the 3D data needed for the feature. Apple uses small aircraft equipped with advanced camera systems and actually flies them around buildings. The data is then processed at Apple and formatted for the Maps app…

Apple’s Developer Center is back after over a week offline

After being offline for more than a week, Apple’s Developer Center is back. Access to the portal was removed by Apple after it was discovered that a breach into the system granted individuals access to the names, mailing addresses, and email addresses of registered developers. Apple confirmed that sensitive personal data such as credit card information and developer passwords were encrypted and secure.

The Developer Center looks the same as it was prior to its removal, but we assume Apple has followed through with its promise to overhaul the entire system by updating its server software and rebuilding its databases from scratch so as to prevent another intrusion.

While most of the main developer services have returned, Apple is still in the process of restoring the entire portal to normal. Some areas of the site such as the forums, pre-release documentation, and development videos, are still offline as per Apple’s System Status page.

Apple has also emailed developers with this new information: