iPhone Notifications to Google Glass

Google has already released a MyGlass Companion app for Android via the Play Store, and although a corresponding iOS version has yet to manifest itself  in the App Store, the company has already noted that iPhone users will not be neglected when it comes to the early 2014 public launch of Google Glass.

In the meantime, the PostOffice tweak will work just fine for those with a jail-broken iPhone, and although there’s not much to it aside from one or two settings, it does what it purports to do in pushing notifications through Glass.  The free tweak is available via the BigBoss repository in Cydia, To configure the way your notifications are re-routed to Glass you navigate to your native Settings and configure the way your notifications are re-routed.  Google Glass currently may only be in the hands of creative individuals, some competition winners and a handful of developers, but that has not prevented the tech world from getting itself excited about the internet giant’s technological headgear. Last month, one such creative individual, Adam Bell, had managed to route iOS notifications through to Google Glass using some kit he has thrown together, and now a tweak has emerged offering a simpler way for such a process to be achieved.

Google Glass

Since Google Glass is based on Android, its hacking potential is huge, and although we are likely to be treated to some interesting and potentially groundbreaking apps, the things that could be achieved when developers work inside Glass’ framework cannot be underestimated.  With support for iOS likely to be a step behind Android and thanks to the jailbreak community, iPhone users with that developer mentality will be able to have large amounts  of fun with Google Glass once it eventually does become available to the general public.  Google has indicated that it’s product will become available early next year, although this could naturally be subject to delays. But as this amazing new technology is so fresh, it is likely going to cost a month’s salary (depending where you work!)

Apple closes QuickTime vulnerabilities on Windows

appleApple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes.

The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft.

At the time of writing, Apple is not yet listing details about the fixed bugs on its security web site, but has announced that it will do so soon. The 40MB update for the free product can be downloaded from Apple’s Support Downloads web site.

via h-online

Apple adds two-step verification option for Apple IDs

A new security option gives Apple’s customers a way to secure their Apple ID password using their phone.

Apple 2step Verification

Cross-posted from Cnet:

Apple today added an extra layer of security to its Apple ID system that can harden the password people use to log in to various Apple services.

Users with an Apple ID can now sign up for two-step verification of their password, a system that sends a four-digit passcode by text message to a user’s phone, and must be used on top of a regular password. In practice, this could keep an account from being compromised by an attacker, unless that person had access to the mobile device too.

The move comes a little less than a year after Apple required users to set up security questions for their online accounts, a common security measure that was notably absent. Once two-step verification is enabled, there are no longer security questions to remember.

“Apple takes customer privacy very seriously, and two-step verification is an even more robust process to ensure our user’s data remains protected,” an Apple spokesperson told CNET. “We are now offering our users the choice to take advantage of this additional layer of security.”

Of note, the feature is currently available only in the U.S., U.K, Ireland, Australia and New Zealand.

Apple is the latest tech company to employ the security feature, which was discovered earlier by 9to5mac, as an option. Google, which has quite a few more online services than Apple, added it as an option in early 2011. Others, including Facebook, Yahoo, PayPal, and Dropbox already had the option.

The need for that extra layer of security was highlighted in the woes of journalist Mat Honan, who was targeted in a cascade of account hacking last year. That all kicked off with Honan’s iCloud account and eventually led to access of his personal e-mail and Twitter accounts. That ultimately led to Apple reviewing its security processes for resetting account passwords. Evernote also said it plans to add it later this year, following a cyberattack earlier this month.

More recently, Apple itself was the target of a coordinated attack that used a vulnerability in the Java plug-in to gain access to corporate systems as well as employee computers. In a statement last month, the company said there was no evidence any data was taken. Apple was just one of several companies involved in a series of attacks that also targeted Facebook, The New York Times, The Wall Street Journal, and The Washington Post.

Apple’s user base at its various stores and other online stores continues to grow. Its last official number, released in January, put it at “over 500 million active accounts.”

Dropbox Makes PDF Viewing Less Painful, Adds Push Notifications For Shared Folders

Dropbox-Logo-BGJust a few days after adding a new set of features to Dropbox for Teams, the cloud storage company rolled out a new version of its iOS application which introduces a few useful additions as well. For starters, it has added an improved PDF viewer, which lets you navigate to any page in the document by tapping on the thumbnail. It’s rather awesome, in fact. The update also introduces push notifications for folders shared with you – a feature that’s now available on Android, too.

dropbox-pdf-viewerThe revamped PDF viewer will be particularly welcome for business users, as it not only offers the multi-page layout for easier navigation, it lets you search for keywords or phrases in the PDF file, too. An interesting side note on this – Dropbox is actually using a paid, third party component called PSPDFKit for the viewer. Dropbox’s Stephen Poletto shared this news on Twitter earlier today.

Another new addition which will again appeal to professionals on the service, is the ability to now sort files by the date they were modified – that’s handy for those using shared folders as they collaborate on files that are under revision.

A small thing, perhaps, in the grand scheme of things, but one that’s going to make life easier on a large number of users.

It’s also shows that Dropbox is thinking about the kind of things its business users need. The little pain points that, when combined, can add up to an overall poor experience.

The push notifications option will alert users when someone shares a folder with them. This feature will be handy for both consumers and enterprise alike. While it’s new to Android and iOS, the PDF viewer has not yet made its way to Android at this time. That should change soon, though, as Dropbox tries to keep its platform releases relatively close together.

The updated app is here on iTunes, and the Android version is here.

Credit: TechChurch

1 million Apple Device IDs leaked, claim hackers

appleAccording to the AntiSec hacker group, they claim to hold more than 12 million Apple iOS Unique Device IDs, in addition to other personal information from device owners. As a move to back up such a claim, the AntiSec hacker group is said to have released slightly more than a million Apple Device IDs to the masses. This particular expose was unveiled on Pastebin, which is said to hold a detailed description of the method that the hacking group were said to have obtained the IDs from the FBI.

AntiSec claims, “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Just a little bit of background information here, Apple Unique Device Identifiers (UDID) are actually sequences which comprise of 40 letters and numbers that are unique to each Apple device. Alone, they do not tell much, but in obtaining them, hackers can also gain access to majority of the information which most iOS app developers are able to obtain. Do you think this alleged Device ID leak is true?


Not so secure: Text messaging on iPhone can be hacked

A hacker Friday revealed a security flaw that he claimed could make Apple’s iPhone particularly vulnerable to text message cheating.FirstPost: A hacker Friday revealed a security flaw that he claimed could make Apple’s iPhone particularly vulnerable to text message cheating.

The flaw has existed since iPhone was first launched in 2007, and is still not solved in the beta version of iOS 6, the next operating system for iPhone, the hacker under the name “Pod2g” said in a blog post, reported Xinhua.

Under the protocols handling the exchange of SMS (Short Message Service) text between mobile phones, the sender of a message can technically change the reply-to phone number to something different from the original number, Pod2g explained.

In a good implementation, the receiver of the message would see both the original phone number and the reply-to one.

But using iPhone’s SMS feature, when receivers see the message, it seems to come from the reply-to number, while the original phone number of the sender is hidden.

The loophole means that someone could send iPhone users messages pretending to be from the receivers’ banks or other trusted sources, asking for some private information, or cheating them to go to a dedicated website to obtain users’ information.

Pod2g called the security flaw “severe” and urged Apple to fix it before the final release of the iOS 6 software.

“Now you are alerted. Never trust any SMS you received on your iPhone at first sight,” Pod2g wrote in the blog post.

Apple Inc could not be reached for comments.


QuickTime for Windows update plugs security holes

Quicktime_120The H-Online: Version 7.7.2 of QuickTime for Windows has been released to address a total of 17 security vulnerabilities in the media player. According to Apple, these include integer, stack and buffer overflows, as well as memory corruption issues, all of which could be could exploited by an attacker to crash the application or execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a malicious web site or a specially crafted file.

The company notes that, on Mac OS X, many of the holes have already been fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and Security Updates 2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard systems. A majority of these vulnerabilities were discovered by members of TippingPoint’s Zero Day Initiative (ZDI).

Further information about the QuickTime update can be found in Apple’s security advisory. QuickTime 7.7.2 for Windows is available for Windows 7, Vista and XP SP2 or later from Apple’s Support Downloads site. Alternatively, those who have the Software Update for Windows tool installed can update by selecting “Apple Software Update” from the Start menu.

Kaspersky: Mac security is ’10 years behind Microsoft’

MacVSWindowsTabair_270x189Cnet: Forrester’s CEO isn’t the only one spouting doom and gloom for Apple today.

Now Eugene Kaspersky, the CEO of security firm Kaspersky Lab, says Apple is headed for a rough patch. However, this one’s in the world of computer security, and he says Apple is already getting into the thick of it.

Speaking to Computer Business Review at Info Security 2012 show in London this week, Kaspersky said that when it comes to computer security, Apple’s Mac platform was a decade behind Microsoft‘s, and that it’s got some things to learn from its rival.

“They will understand very soon that they have the same problems Microsoft had 10 or 12 years ago,” Kaspersky said in an interview. “They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.”

“That’s what Microsoft did in the past after so many incidents like Blaster and the more complicated worms that infected millions of computers in a short time,” he added. “They had to do a lot of work to check the code to find mistakes and vulnerabilities. Now it’s time for Apple [to do the same].”

The statements come on the heels of Flashback, a high-profile piece of Mac malware that is estimated to have infected more than 600,000 Macs at its peak. More recent figures put its current infection somewhere at less than 185,000 machines worldwide.

Apple patched the system vulnerability the Flashback attacks were using, and released a removal tool for infected machines. But the company got flack from security experts for not fixing it sooner. Security companies — including Kaspersky — also made Apple look slow to react by offering up their own detection and removal tools ahead of an official fix.

Apple has, in fact, hardened Mac OS X against attackers in recent years, as well as shown off plans for added protective measures in future versions of the software. The last two major versions of Mac OS X has a built-in malware scanner called XProtect that is able to spot and quarantine known malware. Soon the company will also mandate that apps sold on its App Store will be compliant with new sandboxing rules designed to keep apps from doing any damage to user files, or other parts of the OS.

Apple’s also announced Gatekeeper, a technology that will be built into the upcoming release of OS X Mountain Lion, that gives users a way to install only software that’s been signed by registered developers.

Even with those things on tap, Kaspersky argues that Apple’s success will continue to make the Mac a bigger target.

“Cyber criminals have now recognized that Mac is an interesting area. Now we have more [malware], it’s not just Flashback or Flashfake,” Kaspersky told CBR. “Welcome to Microsoft’s world, Mac. It’s full of malware”

An Apple spokesman declined to comment on Kaspersky’s remarks.

Apple releases Java update with Flashback removal tool

Software_Update_Mac_OS_X_LionThe H-Online: As expected, Apple has released an updated version of the Java implementation for its Mac OS X operating system that includes a removal tool for the Flashback trojan. According to the company, the update, labelled “Java for OS X 2012-003“, finds and removes the “most common variants” of the malware which had infected approximately 600,000 systems using flaws in the previous version of Java.

Additionally, the new Java update for Mac OS X 10.7 Lion prevents Java applets from being automatically executed by disabling the Java web plugin by default. Users can re-enable the automatic execution of Java applets via the Java Preferences application (Applications ➤ Utilities ➤ Java Preferences). However, if the plugin detects that Java applets have not been run for “an extended period of time”, it will automatically disable applet support again.

The company has also released another Java update (Java for Mac OS X 10.6 Update 8) for systems running Mac OS X 10.6 Snow Leopard which removes the Flashback trojan. However, unlike the update for 10.7 Lion, it does not disable Java applets by default. Apple recommends that users who do not use Java applets should manually disable the Java web plugin in their browser; instructions for disabling the Java plugin in Safari are provided.

Java for OS X Lion 2012-003 and Java for Mac OS X 10.6 Update 8 are available to download from Apple’s Support Downloads site. Alternatively, users who previously installed Java on their systems can upgrade using the built-in Software Update function. All users are advised to install the updates.

Russian AV company claims 600,000 Macs infected by Flashback [Removal Manual]

map2The H-Online: A Russian AV company, Dr. Web, says it has conducted research to determine the spread of the Flashback trojan on systems running Mac OS X and says that 550,000 systems are infected, mostly in the US and Canada. A later update raised that number to 600,000 and claimed 274 infected systems in Cupertino, California.

Dr. Web says it employed a sinkhole technique to intercept the bot installed by the newest Flashback trojan, and directed the bots to its own servers where it could analyse the traffic. Each bot includes a unique ID of the machine it has infected in the query string it sends to the command and control server; it is these unique IDs that Dr. Web has used to calculate the infection count. According to its estimates, of the original 550,000 estimate, 56.6% of the systems were in the United States, 19.8% in Canada, 12.8% in the United Kingdom and 6.1% in Australia.

The latest generations of Flashback are different from previous Flashback trojans. According to an F-Secure advisory the newest version attempts to use old vulnerabilities in the Java implementation on Mac OS X to install its payload silently unless it detects security applications such as Little Snitch, VirusBarrier X6, iAntiVirus, ClamXav, HTTPScoop and Packet Peeper, or XCode, the Mac OS X development environment, in which case it deletes itself. If the Java vulnerabilities fail to allow installation it will then prompt for an administrator password and, if it gets a valid administrator password, inject malware into the system’s installation of Safari or Firefox. If it doesn’t get a valid administrator password, it attempts to use a different infection technique, but checks for Microsoft Word and Skype first and deletes itself if they are present, as it is known that this alternative infection method causes those applications to crash.

Users are recommended to install the recent Apple Java update to close the hole which allows malicious web pages to drop the trojan onto a system and to always check which application is actually asking for your password when requested.

To detect if a system is infected with Flashback, run each of the following commands in the Mac OS X Terminal:

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES
defaults read /Applications/Safari.app/Contents/Info LSEnvironment
defaults read /Applications/Firefox.app/Contents/Info LSEnvironment

If all these commands respond with “The domain/default pair of … does not exist”, then there is no Flashback infection. Otherwise consult the F-Secure advisory for manual removal instructions.