Tag: Apple

Apple’s most hacker-resistant hardware to date – the iPad 2 and the iPhone 4S, which are built around the Apple A5 chip – can now be jailbroken.

Should you rush to slither free of Apple’s fiscal tentacles?
Naked Security – Sophos


A new patent from Apple shows how a power cable could help users access their computing devices when they forget their passwords – and perhaps improve security.
Naked Security – Sophos


John Shier joined Chet this week as they discussed the death of UNIX and C co-creator Dennis Ritchie, the Virus Bulletin 2011 conference, Apple’s release of iOS 5 and OS X 10.7.2, Microsoft Patch Tuesday, and the German R2D2 Trojan.
Naked Security – Sophos


Are you desperate to install iOS 5.0 on your iPad or iPhone?

If so, beware of “Error 3200”, which has troubled many early adopters.
Naked Security – Sophos


Slightly less than two weeks after the first public signs of DigiNotar being compromised, Apple has revoked their certificates.

The Apple update is available for users of Snow Leopard (10.6) and Lion (10.7), but mysteriously not offered to users of Leopard or earlier versions.

After applying the update, Mac users should no longer see DigiNotar as a trusted root certificate in the Keychain Access application.

You can check for updates by clicking the Apple logo in the upper-left corner of the screen and choosing Software Update.

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

Apple, like Microsoft, Google and RIM, has not released any updates for its mobile platforms.

This is an opportunity for Apple to get ahead of the competition.

It is much easier for Apple to patch iDevices than for Google to fix Androids, get the handset makers to apply the fixes and then convince the carriers to deploy the updates.

Apple users should apply this update as soon as they can and hope that the other CAs the hacker is claiming he hacked won’t end up in a similar situation to DigiNotar.




Naked Security – Sophos


When a NakedSecurity reader forwarded us a suspicious email he received today, it served as a healthy reminder for all computer users to be on their guard against phishing attacks.

The email claims to come from Apple, and appears to have targeted our correspondent because he is a user of Apple’s MobileMe service.

Apple is planning to shut down its MobileMe service in mid-2012, as it is readying its new iCloud service (which will store music, photos, calendars, documents etc in ‘the cloud’ and wirelessly push them to all of your devices).

Understandably, a lot of MobileMe users are interested in how they will migrate to iCloud and this is the issue that the phishing email uses as bait.

iCloud phishing email

Subject:

Welcome to iCLOUD

Message body:

Important information for MobileMe members.

Dear MobileMe member,

Please sign up for iCloud and click the submit botton, you'll be able to keep your old
email address and move your mail, contacts, calendars, and bookmarks to the new service.

Your subscription will be automatically extended through July 31, 2012, at no additional charge.
After that date, MobileMe will no longer be available.

Click here to update iCLOUD

Sincerely,

The Apple store Team

If you make the decision to click on the link in the email, however, you are not taken to an official Apple website – but instead a third-party site that is trying hard to present itself in an Apple style.

Phishing website

Yes, it’s a phishing website.

And just look what it’s asking for: your credit card details, your address, your social security number, your full date of birth, your mother’s maiden name and your Apple ID credentials.

Crumbs! Imagine the harm a fraudster could cause with all that information.

Make sure you have your eyes peeled for phishing attacks, and be on your guard regarding unsolicited messages you receive in your inbox. It could be you who gets hit by a phishing attack next.

Hat tip: Thanks to Naked Security reader Jeff for alerting us to this phishing campaign.


Naked Security – Sophos


For the past few weeks, it looks as though Safari on OS X 10.6.8 has not been handling website cookies correctly, as a Naked Security reader from Toronto pointed out recently.

This issue has also popped up on Apple’s own Support Communities forum.

The problem is that even if you tell Safari to block all cookies, it doesn’t. Websites use cookies to keep track of your browsing during and between sessions, so cookies and browsing privacy go hand in hand. It’s therefore rather a worrying sort of bug when a browser doesn’t deal with cookies precisely as you’d expect.

On OS X 10.6.7, setting the Safari 5.0.5 (build 6533.21.1) option Accept cookies: Never would do just that. Cookies would neither be stored nor transmitted by the browser.

Upgrade to OS X 10.6.8, however, and even though the Safari version and build number remain the same, the browser’s behaviour does not. Some, but not all, cookies are stored and transmitted by the browser, even when you’ve insisted that Safari allow no cookies at all.

There’s no obvious rhyme or reason to the cookies which sneak through when they aren’t supposed to – in my tests (I visited apple.com/startpage, sophos.com and bing.com) a mixture of session, short-term and long-life cookies appeared in the mix.

In Safari 5.1, Apple’s terminology does an about-face, so that you need to Block cookies: always – a command which somehow sounds even stronger than never allowing them – but the bug persists, at least on OS X 10.6.8.

(Note that the Privacy tab of the Preferences pane no longer shows you the actual cookies which are set, as it did in Safari 5.0.5. To view cookies in 5.1 you need to use Develop|Show Web Inspector|Resources|Cookies.)

Interestingly, this bug does not seem to appear on OS X 10.7, better known as Lion. Apple seems to have fixed the underlying fault, since Block cookies: always works as you would expect.

Nevertheless, this is cold comfort to those of us who can’t, or won’t, spend the $30 needed to upgrade to Lion. (As I mentioned before, I’m waiting until I can purchase an official, bootable, installable distribution of Lion before I’ll go near it.)

You need to be able to rely on your browser to do the right thing with cookies. Wrongly managed, they represent a potentially significant privacy risk, since cookies are used for a variety of tasks from post-login session authentication to long-term user identification.

So, if you’re a 10.6.8 user, why not report this bug to Apple? I did. It’s easy: just visit Apple’s official OS X Feedback page.




Naked Security – Sophos
