Posted by: David Harley | May 3, 2013

iOS 6.1.4: a security bypass

Paul Ducklin manages to make an article on “Apple ships jolly uninteresting iOS 6.1.4 update” pretty interesting.

From the point of view of iOS security, though, the only interesting feature is that it doesn’t add any security features. More specifically, it doesn’t fix the lockscreen bug introduced in 6.1.3. And in fact unless you have an iPhone 5, there’s nothing there for you at all.

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | April 30, 2013

A Bad Apple in a Bowl in the Window

One for German readers.

Sorin Mustaca warns of a spam campaign with emails appearing to come from Apple or Plus.de, claiming that the recipient owes money for a recent purchase. This ‘Dritte Mahnung’ is presented as if it’s the third and final reminder before the company hands over the documentation relating to the ‘non-payment’ to the lawyers: however, it’s actually a malicious Windows executable (not a Mac binary) detected as TR/Rogue.957311 and TR/Kazy.169263.1.

Specifically, it’s a ZIP archive containing a .SCR. Which denotes a screensaver, but is actually to all intents and purposes an .EXE, whether or not it’s a genuine screensaver. Gosh, this takes me back to the good old days of massmailers…

So if you get something like this (irrespective of the language), don’t let it panic you into thinking that your 7-year-old has just ordered an iPad Mini…
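A mail filter can catch the ZIP-wrapped .SCR trick described above by looking inside the archive rather than trusting the attachment name. The following is an added example, not code from this blog or from any vendor mentioned; the function names, the extension list and the sample file names are assumptions made for illustration, and the sample archive is constructed from harmless stub bytes.

```python
import io
import posixpath
import zipfile

# Extensions Windows treats as programs; a .scr is a PE executable under another name.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def scan_zip_attachment(data: bytes) -> list:
    """Return a finding for each archive member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them before testing.
            name = info.filename.rstrip(". ")
            by_ext = posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTS
            if info.flag_bits & 0x1:
                by_magic = None  # encrypted member: content cannot be inspected
            else:
                with zf.open(info) as member:
                    by_magic = member.read(2) == MZ_MAGIC
            if by_ext or by_magic:
                findings.append({"name": info.filename, "ext_match": by_ext, "mz_header": by_magic})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: harmless stubs that only carry the MZ magic bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Dritte_Mahnung.scr", MZ_MAGIC + b"\x00" * 62)
        zf.writestr("Rechnung.pdf", MZ_MAGIC + b"\x00" * 62)  # executable content, document name
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

Checking the header as well as the extension matters because the extension is only a label: the second sample member is flagged on content alone.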

David Harley

Posted by: David Harley | April 20, 2013

Siri, are you a blabbermouth?

I came across (by way of @teamcymru) an interesting article from Zack Whittaker on the implications of Apple’s hard-to-find privacy policy regarding Siri and Dictation data. (Not that hard to find, fortunately: Whittaker dug up this document on the Apple site.) It tells us that:

By using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and dictation functionality in other Apple products and services.

Siri and Dictation have very similar privacy policies that are only accessible, according to Whittaker, from “the iPhone 4S, iPhone 5, and certain iPad models.”

I’m not suggesting that this is a cause for fear and loathing in Cupertino, but if you are concerned about what access Apple has and what use it might make of your user data, the article is a good starting point: Apple stores your voice data for two years. Now where did I put my iGadgets?

David Harley CITP FBCS CISSP

Posted by: David Harley | April 17, 2013

Trojan Adware Installer news from Intego

If you’ve used the Softonic download site recently, you might want to be aware of Intego’s blog on “Softonic Download Site Briefly Delivers Trojan Adware Installer”.

Lysa Myers reports on “…packages [that] purported to install a toolbar… related to ChatZum. Even if the user declined the offer to install … the package would silently install an Internet plug-in called Zako, and would change the browser’s search option to point to ChatZum’s site.”

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | April 4, 2013

Brod on Flashback: the Movie

Further to yesterday’s post Krebs on Flashback, which cites F-Secure’s report, Virus Bulletin has now made available the video of Broderick Aquilino’s presentation at Virus Bulletin’s 2012 conference, on VB’s new YouTube channel.

David Harley CITP FBCS CISSP
Mac Virus
ESET Senior Research Fellow

Posted by: David Harley | April 3, 2013

Krebs on Flashback

Brian Krebs offers some useful research and insight into “Who Wrote the Flashback OS X Worm?”. The F-Secure report he cites in that article, by the way, is this one.

The comparison with Conficker is interesting, but it’s not a perfect fit, even if you measure ‘success’ by the number of machines infected, which seems a slightly old-fashioned way of looking at it. Conficker infections are very much still there, even though the botnet itself is defunct. Apple’s inclusion of known malware detection in OS X, while not perfect, does tend to reduce the attack surface once malware is known. Improvements in the company’s communication with the security/AV industry probably don’t do any harm, either.

David Harley

Posted by: David Harley | April 2, 2013

My earliest conference paper…

…was presented in 1997 at the Virus Bulletin conference in San Francisco. In fact, it’s already available on this site, but I’m in the process of putting all – well, most – of my available papers and articles together on the same site, so it’s now also available, along with a gradually increasing number of other VB papers and articles, at The Geek Peninsula. It’s the only Mac-related paper there at the moment, but that will change.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Posted by: David Harley | March 26, 2013

iSnitch

What forensic examination of your smartphone might say about you, according to the ACLU (and Andy Greenberg): commentary for Infosecurity Magazine in If Your iPhone Could Talk…

David Harley
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 25, 2013

Beware the IDs of March

Or dancing the authentication pas de deux….

Stephen Cobb, my colleague at ESET, has just looked at Apple’s two-step authentication in rather more depth than I did here.

Another friend from the security industry, Sorin Mustaca, is a little more brutal: “We are happy to inform you that Apple finally decided to join the club of companies who care about the security of its customers…” Being in Germany, he is not yet able to test the process, but has promised a detailed how-to in due course. (Stephen has also promised a blog on the topic.)

David Harley CITP FBCS CISSP
Small Blue-Green World
ESET Senior Research Fellow

Posted by: David Harley | March 23, 2013

Apple and authentication: another glitch

The Verge yesterday reported that “Major security hole allows Apple passwords to be reset with only email address, date of birth”, which pretty much sums up the story, except that the 4th update to the story indicates that the vulnerability has been fixed. It’s worth noting that the exploit apparently didn’t work where Apple’s new two-factor authentication was enabled. Unfortunately, it turns out that the sign-up process for that also has some problems: some people have been told that they can’t sign up for three days. (Tested and confirmed by Sophos.)

So, as Paul Ducklin also pointed out in the Sophos blog, it’s been something of a “good-bad-good-bad week” for Apple, security-wise.

Hat tip to Anders Nilsson for drawing my attention to the issue.

David Harley 
Small Blue-Green World
ESET Senior Research Fellow
