Apple credits TaiG team in release notes
Yesterday's iOS 8.1.3 update sabotages the TaiG jailbreak tool, users say. The hack was functional through iOS 8.1.2, outdoing Pangu, which stopped working as of v8.1.1. Although the TaiG team itself hasn't confirmed the problem, Apple's notes for v8.1.3 actually credit the group with finding four security vulnerabilities.
All previous versions vulnerable, attacks on un-updated machines seen in wild
Adobe has again had to issue an update to the browser plug-in version of Flash due to a critical flaw in the program that allows remote attackers to take over un-updated Macs or PCs, the latter running either Windows or Linux. The company urges users to update to the latest version, first issued on Friday, that patches the problem -- however, all previous versions should be considered at risk, and there are not yet any Chrome browser or standalone updaters available.
Transactions traced between Ulbricht, Silk Road Bitcoin accounts
The latest update in the trial of Ross Ulbricht's involvement with the controversial but now-closed Silk Road contraband market site involves Ulbricht's collection of bitcoins. A researcher who has audited the stash claims that approximately 20 percent of Ulbricht's bitcoin funds were transferred directly from Silk Road to his accounts, a transaction that would have been worth close to $3 million based on the value of the digital currency at the time.
Data on 14,241 users with passwords leaked to the Internet following hack
A counter-hack against the Lizard Squad hacking group's distributed denial of service (DDoS) tool LizardStresser has resulted in a customer data theft. Details of 14,241 users of the disruptive hacking tool have been stolen from the group's site, including user names, passwords, and other data stored in plain text, and have now been posted online.
Hacker group threatens to divulge client identities, bank is unconcerned
Some 30,000 emails from Swiss and foreign clients of the Genevan state bank BCGE have been published by a group or individual calling itself "Rex Mundi." The release of the information occurred on Friday, after the bank declined to give in to demands for a payout to keep the information under wraps. The would-be blackmailer provided the bank with a sample of data from two supposed BCGE clients as proof of the hack, and threatened to publish all of the data unless €10,000 ($11,779 US) was paid by the bank.
Unprotected home, enterprise routers said to be part of Lizard Squad botnet
The attacks against gaming services including the PlayStation Network and Xbox Live over the last month may have been carried out in part by home routers. A report claims Lizard Squad, the hacking group claiming responsibility for the attacks, has access to a large collection of hacked routers, which it is using to bolster its distributed denial of service (DDoS) attacks.
Prince of Persia, Maniac Mansion, Original Sim City, Lemmings among web-adapted games
Last November, the Internet Archive debuted their new service, The Internet Arcade, where over 900 arcade titles from the 1980's and 90's were hosted for free play over a web browser. Today the service topped itself, expanding the Software Library to include 2,300 MS-DOS-era games, available through the EM-DOSbox in-browser emulator.
Blocks hacking tool just one day after release, locks accounts if iDict is attempted
Apple appears to have fixed a flaw in its password security just one day after a hacker announced a new tool that could conceivably breach the existing protection against "brute force" attacks on accounts by taking advantage of an exception. On January 1, a new tool called iDict emerged in a rough state that could bypass repeated password-attempt blocking due to an exception made for iPhones. On January 2, Apple closed that exception and began locking accounts iDict was being used against.
Aluminum bracket attaches to a VESA compatible wall or desk mount
NewerTech has released a new adapter that allows a 2012 or newer model iMac (including the latest Retina 5K iMac) to be hung with a universal VESA mounting system. Since 2012, Apple has made it so that iMacs must be ordered with a VESA mount at the time of ordering, which means four screw holes would be drilled into the back -- if the original purchaser did not order the custom VESA fitting, there was no option to remove the stand, or add the option to mount it later.
Restaurant chain will eat losses if banks do not compensate customers for any breach
A rash of credit and debit card fraud cases have been tracked back to accounts that were all used at various Chick-Fil-A locations around the US. The fast food restaurant joins the ranks of retailers with point of sale security issues. This particular breach appears to have run from December of 2013 to September of 2014.
'It wasn't nice getting raided at 7:30 AM'
Another arrest has been added to the string that began earlier this month in relation to alleged Lizard Squad activities. Lizard Squad is a small group of Internet miscreants that claim responsibility for ongoing distributed denial of service (DDoS) attacks on gaming networks (including over Christmas). The group has also claimed responsibility for at least one bomb threat (grounding an airplane carrying Sony Online CEO John Smedley), and participation in the Sony hack.
New information yields the possibility of at least one ex-employee playing a role
The saga of "who really stole all that data from Sony" continues, in spite of the FBI's adherence to its findings that North Korea alone was responsible. Independent investigations by security organizations have expanded the suspect list to include ex-employees, while net vandals Lizard Squad have, in their continuing quest for attention, claimed partial credit.
Average person unlikely to be impacted
The European group that first demonstrated a hack of Apple's Touch ID using a fake fingerprint says it has discovered a way of recreating a fingerprint without a physical sample. The Chaos Computer Club's Jan Krissler, better known as Starbug, demonstrated the technique at the Club's recent 31st convention in Hamburg, using German Defense Minister Ursula von der Leyen as an example. Through commercial software called VeriFinger, Krissler says he was able to piece together Von der Leyen's thumbprint based on publicly-available photos of her digits.
'We're not even close to where we need to be,' President says
Last Friday, at President Barack Obama's year-end press conference, Carrie Budoff Brown of Politico asked the first question. Her inquiry was whether Sony had done the right thing in canceling the release of the Seth Rogen comedy The Interview, and what a "proportional" US response to the North Korean-led cyber-attack on Sony would look like. While discussing the answers to those questions, President Obama called on Congress to help create stronger cyber-security laws.
No exploits were utilized in the hacking of the bank's network
Back in July, five bank networks were hacked, the most notable of which was JP Morgan Chase, which resulted in more than 76 million households' information being leaked. At first, it was suspected that a "zero-day" exploit had been utilized to gain access, but an unidentified source has indicated the real story is somewhat more mundane.
Main Internet connection for North Korea goes down following statement attacking US government
North Korea has declared it will strike against the United States, after the Federal Bureau of Investigation (FBI) identified the rogue state as the origin of the Sony Pictures hack. However, alongside the sabre-rattling statement provided by the Korean Central News Agency of DPRK (the Democratic People's Republic of Korea, as it calls itself) are reports that the country's Internet connection has itself been the target of an attack over the weekend, with North Korea effectively being knocked offline.
A new IP, fluttering Jolly Roger, countdown clock
Earlier this month, Swedish law-enforcement raided The Pirate Bay's servers and were able to knock the venerable torrent aggregator offline. Earlier today, the domain moved to a new IP address, and displayed a fluttering Jolly Roger pirate flag only. Now, the flag waves in the background as a clock counts down to January 5, 2015. While one of the original co-founders applauded the takedown, acolytes made sure that no significant dip in torrenting activities -- illegal or legit -- resulted from the apparently-temporary closure.
Compromised servers isolated and replaced, say project developers
Last Friday, the Tor Project blog posted about a possible threat that some of its servers would be seized in an attempt to incapacitate or hijack the Tor network. Over the weekend, a group of "exit node" servers in a Dutch datacenter went down, and then came back online. The service, a volunteer network of relays aiming to provide anonymity and security, says it was warned of suspicious activity that may have been instigated by law enforcement.
US continues to claim NK responsible for Sony hack, pirate release of movie possible?
In an interview recorded on Friday, President Obama clarified his remarks last week regarding the Sony Pictures hack. The president denies swirling discussions about the hack being an act of war, and called it "an act of cyber vandalism that was very costly, very expensive." Additionally, late Sunday, tweets purport that hacker collective Anonymous is about to wade into the fray against North Korea for its role in the event.
Requires physical access, but works on OS X, Windows, Linux
A new USB microcontroller -- roughly the size of a small thumb drive -- has been demonstrated as a proof-of-concept device that leverages a serious and unfixable vulnerability in USB to easily take over and install malware on any unlocked computer. Though it requires physical access or tricking the user into inserting the controller into a USB port, the device has worrying implications for any computer left unattended for more than a minute -- the time it takes for the device to gain admin access, change network settings, install a backdoor and remove any obvious sign of intrusion.
Review still under way, sparked by rape allegations and regulatory resistance
In response to the concerns of customers, legal troubles and bans in multiple markets around the world, rideshare/taxi service Uber has begun a study into ways to better screen drivers and improve overall safety. Phillip Cardenas, Uber's head of global safety, outlined the company's plans in a blog post today. Cardenas comes from Airbnb where he spearheaded the creation of that company's safety program.
Managing privileged operations on Linux servers key for protecting e-commerce servers
In a blog post today, AlertLogic Chief Security Evangelist Stephen Coty outlined ways to identify and protect against a Linux server exploit he has dubbed "Grinch." Citing a 2013 report from W3Tech stating that approximately 65 percent of all web servers utilize a Unix or Linux-based operating system, he said that the danger is that Grinch can be used to "steal Christmas." At the crux of this exploit is a way to access administrative permissions through JournalID, which could allow remote execution of commands on any Linux-based server.
Insecure URLs from Delta revealed boarding passes from other airlines, other passengers
Dani Grant, the founder of the security research group Hackers of NY, has reported a serious flaw in the way that Delta and potentially other airlines handle online boarding passes, often displayed on smartphone screens to gain entry to flights. Grant discovered that if she shared the URL to her Delta online boarding pass, anybody could download and potentially redeem it. Even more disturbingly, when she changed the last digit of the seemingly random numbers in the URL, she could view someone else's online boarding pass, which might even be on an entirely different airline.
Christmas comes early as white hats totally pwn script-kiddie newbs
Since August, a hacker group calling itself the Lizard Squad -- self-described as a handful of 'guys with too much free time on their hands' -- have been entertaining themselves by spoiling other people's fun. Primarily, they've been doing this by attacking online video game services and knocking them offline. An opposing "white hat" group of network security researchers have now exposed members of the Lizard Squad group, leading to the arrest of three members, some of whom had also been involved in bomb threats and other domestic terrorism.
Un-jailbroken iOS devices safe from attack; Android, Windows smartphones at most risk
Beginning in Russia and spreading quickly to other countries, a new variation on the formerly-dormant Red October malware has been detected by security firms such as Blue Coat and Kaspersky this week. The new version -- which is notably targeting smartphones of diplomats, military leaders and business executives -- contains a level of sophistication in the function and code that suggests a rogue state, which would have the resources to assemble the talent, is backing the attack.
Employs DDoS attacks, enlists Amazon Web Services to block distribution
In a surprising twist to the ongoing saga of an attack on Sony Pictures' internal computer system by unidentified hackers (likely to be from North Korea), the studio is starting to fight back by leveraging Amazon Web Services to carry out distributed denial of service (DDoS) attacks on identified servers that contain files stolen from Sony over the last month. Taking a page from its own playbook, the media conglomerate is flooding suspect servers with dummy files, a sequel of sorts to anti-piracy attacks carried out by the firm in conjunction with Media Defender seven years ago.
Sophisticated malware used forged enterprise provisioning to enter iOS through OS X
Apple's iOS, when un-jailbroken, is so resistant to malware that three Chinese suspects had to come up with an exceedingly clever method of delivering the "WireLurker" threat to the company's mobile devices. On Monday, Chinese officials announced they had arrested the three suspects, and shut down the servers hosting the malware. The threat was never widespread because of the elaborate nature of the scheme and its China-only focus, but it was one of the few pieces of malware able to get onto un-jailbroken iOS devices.
Supports all recent iOS devices
Pangu's iOS 8.x/8.1 jailbreak tool has been successfully ported to the Mac, its creators have announced. As with the original Windows edition of the jailbreak, it supports all iOS 8-capable devices, including even the iPhone 6, 6 Plus, iPad Air 2, and iPad mini 3. The Pangu team cautions that people should back up a device before beginning, and also restore if they've downloaded any over-the-air firmware updates.
Simple website indexing bot suggests Apple increasing its bypassing of search engines
Can affect non-jailbroken iOS devices; currently distributed through unofficial Chinese store
A new malware threat to iOS has been discovered that can invade the normally well-protected mobile system through a flaw in OS X and USB that allows packages to be installed through enterprise provisioning. Called "WireLurker," the malicious OS X application (once installed) will monitor for new iOS package installs, and then exploits a weakness in USB to install malware into the target iOS device. Once it is installed, the iOS malware tries to harvest personal data like contacts.
Tool begins to reach masses
The Pangu iOS 8.1 jailbreak tool is now being bundled with Cydia, and will get an English translation within 24 hours, its developers say. Cydia is commonly used to simplify jailbreaking, partly by offering an easy way to install unapproved apps. When the Pangu code was released earlier this month, it was only in Chinese and in a rudimentary form intended for developers.
Supports Macs going back to 2008
A new user-created tool enables OS X Yosemite's Continuity function on Macs that are officially unsupported. Dubbed the Continuity Activation Tool, it checks for strict hardware compatibility -- namely the presence of Bluetooth 4.0 -- and disables an Apple blacklist that shuts off Continuity on some Mac models. It also whitelists Mac board-ids inside Yosemite's Wi-Fi code. Before making any changes, the tool creates system driver backups.
Driver changes fake FTDI chip settings, renders it unusable
A recent Windows Update is causing trouble for people working with Arduino microcontrollers and other similar projects, by making some hardware inoperable. A driver update for FTDI chips as part of the Windows Update is apparently damaging the software on some USB-to-serial components, with counterfeit chips suddenly becoming inoperable.
Lack of antenna for NFC radio hobbles unit for Apple Pay retail buying
A new teardown of the iPad Air 2 has confirmed much of what was speculated about the device, but has also revealed some minor surprises. The team at iFixit have rated the new iPad a "two" on a scale of 10, with 10 being the most repairable. The company says that while the new "fused" display is better visually, and sturdier when opening up the iPad, it will also increase the cost of repair for a cracked screen. The teardown also revealed that the latest full-size iPad features a smaller battery and more RAM.
Said to support latest iPhones, iPads
The Pangu jailbreak team has developed a new hack for iOS 8 and 8.1 devices, reports and the team's website note. The initial release is said to be intended strictly for app developers, since it doesn't install Cydia or other services designed to make jailbreaking simple and practical. The public version is in fact waiting on those services being brought up to speed for iOS 8.
Search engine has scrubbed 'tens of thousands' of links to stolen photos
Google has responded to the letter threatening legal action should Google not purge the Internet of stolen, and sometimes intimate, photos of celebrities. The search engine has denied that it is intentionally profiting on the scandal, and instead has acted quickly and appropriately to takedown requests by removing "tens of thousands" of images from Google search results.
Crowd funding effort 33 percent over target, tablet will be made
The Modbook Pro X tablet modification Kickstarter has blown past its goals. Earlier this week, the project passed its $150,000 milestone, with 36 people having contributed to receive a full conversion from the company. Notably, none of the donors chose to send in an existing computer, with all contributors receiving the tablet choosing for Modbook to source the entire project.
POSReady updates rolled into single service pack, release client being worked on
Windows XP hold outs might be able to put off upgrading to a new version of Windows for the time being, as long as they don't mind patching the operating system through unofficial channels. While support for the operating system was officially dropped by Microsoft on April 8, a new service pack has been released by a community project that's keeping the aging operating system alive.
Enterprise Signing Key, Activation Lock keys could have been compromised
An unidentified Twitter user is claiming that recent changes to Gatekeeper in OS X Mavericks and OS X Yosemite which have forced developers to re-sign their app credentials are actually the result of a security breach that successfully pilfered the Gatekeeper keys and possibly "many other keys for many other things," according to the user. A corroborating source was located by TUAW that has allegedly confirmed the breach and tied it to the recent alleged Activation Lock hack.
Report is very questionable, claims product will be called '6L'
Taiwanese Apple blog Apple Daily has published pictures of three components it claims are parts from the oft-discussed but little-seen 5.5-inch version of the "iPhone 6." The photos show what are said to be the display, logic board and battery of the device, but at least two of the three parts are identical to the claimed 4.7-inch iPhone, casting doubt on the entire report. The battery, however, may be a genuinely new part, and is said to be nearly double in capacity compared to the current iPhone 5s battery.
Company aims to fight ruling, calls decision 'not progressive'
Berlin, Germany has banned the Uber unlicensed cab service from city limits, citing concerns for passenger safety and the unregulated nature of the drivers for the service. The firm itself is liable for a fine of $33,000 per fare, with drivers themselves seeking riders likely to be hit with a $26,500 charge by authorities as well.
Third iteration of modified Apple tablet heads to Kickstarter
Last week, we launched the Crowdfunding Critic here on MacNN and Electronista, and promised that every Tuesday and Thursday we'd highlight a new campaign. While we were working on yesterday's selection, we got wind of this -- the Modbook Pro X, by Modbook, Inc., a modification of Apple's 15.4-inch MacBook Pro into a massive pen-enabled tablet. Based on it, we decided to do our second article in the series a day late, but we think this one is worth the wait.
Gmail for iOS now leverages Google Drive directly for archiving and attachments
Google has updated its Gmail for iOS (free) to allow users to leverage the company's Google Drive in two new ways: users can now save attachments in emails directly to Google Drive, and users can now access Google Drive directly from within the Gmail app to add attachments to outgoing messages. The update to version 3.14159 (yes, pi) also gives users more options with account management, such as deciding which of their Gmail accounts is seen without removing other accounts, and changing the Gmail profile pic.
Fixes boot loops
The team responsible for the Pangu jailbreak has released its first version in English, also the first to support OS X. The tool offers untethered breaks of iOS 7.1.x devices, but last week was released exclusively in Chinese and for Windows. It also gave people an option to install 25PP, an unofficial Chinese app store. For English-speaking users, 25PP installation is disabled by default. The update also solves a problem with iOS devices getting stuck in boot loops.
Public parking spot resale service claims legitimacy, will continue to operate
Startup public parking spot sale app Monkey Parking has vowed to fight the cease-and-desist served on it earlier this week. The company is claiming that the order is a misinterpretation and invalid use of San Francisco police code, and believes that the model of selling a parking spot that a driver is about to depart is protected by free speech rights.
Security researchers find September vulnerability attack to Germany
According to Dell's security researchers, a single piece of software, surreptitiously installed on some Synology network attached storage devices, has mined $620,000 of virtual currency Dogecoin. A combination of a vulnerability discovered in September and users not updating the system software of the appliances enabled the hack to occur, which installed the mining package, forcing the devices to run hot and transfer data slowly due to the load from the miner.
Streamlines several tasks
Cydia, the app distribution platform for jailbroken iOS devices, has been updated to v1.1.10. The software has been given improved handling of sources and packages, namely by relocating functions that were previously buried within three different sections in the Manage tab. That tab has in fact been renamed Installed, and only contains what was in Manage's "Packages" section, along with a quick User/Expert/Recent selector at the top.
Based on 'beautiful kernel bug,' vulnerability may be difficult to quickly fix
Not one but two well-known hack researchers have now posted evidence of working jailbreaks for iOS 7.1.1, which until now had closed the existing loopholes used by other techniques such as evasi0n. While interest in and use of jailbreaks has waned as Apple has gotten better at closing vulnerabilities, enthusiasts and die-hard customizers continue to want the ability to use unofficial apps or tweak settings in the latest iOS releases.
Embattled studio shift to mobile so far failing to gain traction
In conjunction with Zynga's quarterly results, new CEO Don Mattrick revealed that founder Mark Pincus is stepping down as chief product officer at the embattled game producer. Mattrick also announced that Alex Garden, ex-general manager of Xbox Live, has been hired as president of Zynga Studios.
Nested folders still not officially supported in iOS
A bug in iOS 7.1 lets people place folders within folders, or even hide icons, users note. To pull off the folder trick, a person has to first completely fill an iOS homescreen with apps -- including both the regular grid and the dock, which in the case of an iPad can fit up to six apps. A user must then create a new folder by dragging one app on top of another. As the folder animation starts, though, a person has to quickly drag the folder they want nested into the new one.