• apple,  ios 9,  iphone 6 plus,  iphone 6s,  security

    The Curious Case of the iOS 9.3.1 “Hey, Siri” Contacts, Photos Vulnerability

    Late last night, my father, of all people, tipped me off to a story making the rounds on the Internet about a security vulnerability affecting an iPhone 6s or iPhone 6s Plus running iOS 9.3.1.  The reported vulnerability allowed a malicious user to bypass the iPhone’s lock screen using the hands-free “Hey, Siri” command.  When successfully executed, an attacker would be able to see all of the contacts and photos on the device.

    Quartz has an article up on their site that starts off with:

    “You might want to wait before downloading the latest version of Apple’s operating system for iPhones.

    If you own an iPhone 6S or 6S Plus and have upgraded to iOS 9.3.1, other people can access your contacts and photos without entering a passcode to unlock the phone. It’s an elaborate and finicky but nonetheless startling loophole.”

    With my iPhone 6s Plus unlocked and running iOS 9.3.1, the “finicky” exploit worked.  However, if I repeated the process with my iPhone locked, the attack was stopped dead in its tracks.

    This morning, when I tried to reproduce the attack, I received a notice from Siri that I needed to unlock my iPhone first.  I made this short video, which was posted to YouTube this afternoon.

    [youtube https://www.youtube.com/watch?v=O_BrmKI3W9Y]

    Oddly, the security settings that AppleInsider.com reported as needing to be turned off to prevent the attack were still enabled on my iPhone.  Curious.

    So what happened?

    This afternoon, Fortune.com has an article up reporting that Apple corrected the Siri-related problem from Apple’s end, with no update to the device required.

    “While initial reports and claims from the bug’s discoverers said that the issue was an iOS 9 glitch, it turns out it was a Siri problem. On Tuesday morning, after seeing the rash of reports on the issue, Apple issued an update to Siri fixing the problem. Therefore, users who were previously subject to the issue are now safe and do not require a software update to get the fix.”

    Security and privacy conscious iPhone 6s and iPhone 6s Plus users can go back to their day without further worry.

  • apple,  ios 8,  iphone,  security,  touch id

    Apple To Enhance iPhone Unlock Security with iOS 8.3 [Updated]

    Apple is further enhancing their iPhone unlock security with the upcoming release of iOS 8.3, which is currently in beta testing.

    [Image: PIN code required when Touch ID is not used to unlock the device in 48 hours]

    Update

    My pal, and fellow 1SRC Palm Podcast host, Jeff Kirvin, has informed me that iOS already requires a PIN or passcode if the device has not been unlocked for 48 hours, as of iOS 8.2.

    I hate it when he’s right.  I still think this is a good feature.

    In the future, if you have not unlocked your iPhone using Touch ID in the past 48 hours, you will be required to re-enter your PIN or passcode.  With iOS 8.0 up to and including iOS 8.2, Apple only required that you enter your PIN or passcode after restarting your iPhone.

    The above screen appeared after I left my iPhone 5S running a beta version of iOS 8.3 at home for two days.

    I think that while this may generate a few help desk calls when iOS 8.3 is deployed to corporate iOS devices that get left at work or unused over the weekend, it is a really good move for people who may accidentally lose their device.

    Apple has not announced when iOS 8.3 will ship.  The pre-release software is being tested by registered developers (a $99 annual fee is required to join the program) and by select members of the iOS and OS X public beta program.

    Some bloggers believe that iOS 8.3 will ship next month at about the same time the Apple Watch is released.

  • adobe,  flash,  linux,  security,  windows

    Upgrade to Adobe Flash Player 14.0.125 Now

    Adobe has issued a security bulletin urging Flash users to upgrade to the latest release, version 14.0.125.  Windows PCs, Macs, and machines running Linux with unpatched versions of Flash are vulnerable to flaws that could allow an attacker to take control of the computer.

    “Adobe has released security updates for Adobe Flash Player 13.0.0.214 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.359 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions[.]”

    You can download the latest version of Adobe Flash Player for your Windows PC, Macintosh, or Linux machine from the Adobe Flash Player download website.

    Today’s full APSB14-16 security bulletin can be read on the Adobe website.

  • security,  target

    Target Had Warning of Security Risks

    A new article by The Wall Street Journal says that officials at Target were made aware of the potential security risks that led to the November 27 – December 18 attack last year.

    “Target Corp.’s computer security staff raised concerns about vulnerabilities in the retailer’s payment card system at least two months before hackers stole 40 million credit and debit card numbers from its servers, people familiar with the matter said.”

    In Target’s defense, the Journal also reports:

    “The sheer volume of warnings that retailers receive makes it hard to know which to take seriously. Target has an extensive cybersecurity intelligence team, which sees numerous threats each week and could prioritize only so many issues at its monthly steering committee meetings, the former employee said.”

    As an IT professional, I find a report like this to be disappointing.  It’s a constant battle between setting business objectives and priorities and “good housekeeping” such as installing infrastructure and security upgrades and patches.  Sometimes those priorities get muddy.

    As a Target customer who had their personal data stolen in the breach, I’m more than annoyed to learn that the situation was preventable.  It is also my opinion that most of these types of breaches are preventable with frequent software updates.

    I think security breaches, both large and small, along with the ever-growing data stockpile that companies are amassing about their customers, are a growing concern for customers and IT departments alike.  We all know that our online habits are being tracked and that companies are collecting an amazing amount of personal data about who we are so that this information can be used either to make more money from you with targeted advertising or by selling the collected information to third parties.

    While I don’t think that personal data collection will go away anytime soon, if ever, I would hope that as a society we put new laws and limits on what businesses and clearing houses can do with the data they collect about us.

    Click the source link below to read the full article online (login required).

    [Via WSJ.com…]

  • apple,  security

    Apple Developer Center Hacker Identified

    Earlier today, Ibrahim Balic, a “security researcher,” identified himself as the hacker who breached Apple’s Developer Center portal.

    According to AppleInsider, Balic identified himself, on the TechCrunch website, as the person who hacked into Apple’s servers.

    “Balic said he found a total of 13 bugs on Apple’s site, one of which provided him with access to user information. He claims to have taken 73 user details — all of whom are Apple employees — and given them to the company as an example.”

    “Security researcher” or “hacker,” I think we should let the courts decide, don’t you?

    [Via AppleInsider.com…]