

iPhones, iPads vulnerable to hacking: Apple

A major flaw in Apple software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said Friday.

If attackers have access to a user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook, experts said.

“It’s as bad as you could imagine, that’s all I can say,” said Johns Hopkins University cryptography professor Matthew Green.

Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as Secure Sockets Layer (SSL) or Transport Layer Security (TLS), nor did it say whether the flaw was being exploited. But a statement on its support website was blunt: The software “failed to validate the authenticity of the connection.”

Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.

Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.
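What “failed to validate the authenticity of the connection” means in practice, as an added example that is not Apple’s code and not the page’s: a simplified model of the client-side check that decides whether the key-exchange parameters really came from the server. The signing key, the parameter strings and the use of an HMAC as a stand-in for the asymmetric signature real TLS uses are all constructed for the example; the point is that once the routine reports success without comparing the signature, an attacker on the same network can substitute their own key material and sit in the middle exactly as described above.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the server's long-term signing key. Real TLS signs the
# ServerKeyExchange with the asymmetric key the certificate binds to a hostname;
# an HMAC key is used here only so the example runs with the standard library.
SERVER_SIGNING_KEY = b"constructed-server-signing-key"


def sign_key_exchange(signing_key: bytes, client_random: bytes,
                      server_random: bytes, server_params: bytes) -> bytes:
    """Sign the ephemeral key-exchange parameters, bound to both handshake nonces."""
    msg = client_random + server_random + server_params
    return hmac.new(signing_key, msg, hashlib.sha256).digest()


def verify_key_exchange(signing_key: bytes, client_random: bytes, server_random: bytes,
                        server_params: bytes, signature: bytes) -> bool:
    """Correct client-side check: recompute the signature and compare in constant time."""
    expected = sign_key_exchange(signing_key, client_random, server_random, server_params)
    return hmac.compare_digest(expected, signature)


def verify_key_exchange_broken(signing_key: bytes, client_random: bytes, server_random: bytes,
                               server_params: bytes, signature: bytes) -> bool:
    """Constructed model of the failure mode the article describes: the routine
    computes everything it needs, then reports success without ever comparing the
    signature. This is an illustration of the defect class, not Apple's code."""
    expected = sign_key_exchange(signing_key, client_random, server_random, server_params)
    if len(signature) != len(expected):
        return False
    return True  # the comparison that should decide the result never runs


def handshake(verify, attacker_in_the_middle: bool) -> bool:
    """Run one client-side check. With an attacker in the middle the client receives
    attacker-chosen parameters and a signature the attacker cannot produce without
    the server's key; the verifier decides whether the impersonation succeeds."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    if attacker_in_the_middle:
        params = b"attacker-controlled DH public value"
        signature = os.urandom(32)  # forged: attacker does not hold SERVER_SIGNING_KEY
    else:
        params = b"genuine server DH public value"
        signature = sign_key_exchange(SERVER_SIGNING_KEY, client_random, server_random, params)
    return verify(SERVER_SIGNING_KEY, client_random, server_random, params, signature)


if __name__ == "__main__":
    print("strict, genuine server:", handshake(verify_key_exchange, False))
    print("strict, attacker in the middle:", handshake(verify_key_exchange, True))
    print("broken, attacker in the middle:", handshake(verify_key_exchange_broken, True))
```

The broken verifier accepts the forged exchange every time, which is why a bug of this kind is silent: the connection still comes up encrypted, just to the wrong party. Note that the check is only as good as the comparison itself; hmac.compare_digest is used so that a rejected forgery leaks no timing information about how many bytes matched.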

Apple did not reply to requests for comment.

The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple’s stature and technical prowess. The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.

Friday’s announcement suggests that enterprising hackers could have had great success as well if they knew of the flaw.

Ryan: Kinda told you Apple lovers that this gear is very insecure... did ya listen to me?

Missing Xbox One Dolby audio options coming post-launch

The Xbox One will add support for Dolby 5.1 and 7.1 digital audio through a post-launch patch, director of product planning Albert Penello said today.

“Dolby Digital is coming post launch,” Penello said on NeoGAF. “This was a [software] scheduling issue pure and simple, and I know people are disappointed, but we will have it.”

No timetable for the patch’s release was provided. This means that until the Xbox One audio patch is released, Microsoft’s next-generation system is not capable of doing optical audio on the level of the Xbox 360, PlayStation 3, or PlayStation 4.

Penello explained that anyone with an HDMI receiver “should be fine” because uncompressed 5.1 and 7.1 audio is passed through HDMI and DTS.

“Even if you have a Dolby only HDMI receiver (which I’m not sure exists), you will still get 5.1 or 7.1 sound since those receivers should accept uncompressed surround,” he said.

For Dolby-only headsets, Penello said he understands that these should work on Xbox One from launch, though users will only receive stereo audio.

“I have not tested this myself, but I’m told it works. Regardless, I understand this is an inconvenience, but again we’re going to have Dolby coming,” he said.

Headset company Astro, which said previously that its products would work without issue on Xbox One, released a statement on the matter following Microsoft’s announcement, confirming that because the Xbox One will not have Dolby support at launch, there will be ramifications for Astro products.

“While our products do not process DTS signals, we do have on-board Dolby encoding in both our A50 Wireless Transmitter as well as our Wired MixAmp Pro. An Xbox One gamer will need to select Stereo output for game audio, but our MixAmps will process that stereo signal with Dolby ProLogic II and encode it with Dolby Headphone,” the company said.


Source: GameSpot

PS4 blinking blue light fault is due to ‘TV compatibility’

Sony has identified four likely reasons for the most commonly reported PlayStation 4 error, including issues with the hard drive and power supply.

Although Sony claims the failure rate for the PlayStation 4 is only 0.4 per cent, if it has already sold over 1 million consoles in North America then that still means 4,000 faulty machines are out there in the wild.

Although reports last week, primarily from the American press, suggested a problem with the HDMI output, that doesn’t seem to be a factor in Sony’s latest update on the problems.

According to official PlayStation Support staff, writing on the PlayStation forums, ‘Some reports have been coming in from users with PS4 units blinking blue, but not entering the powered on state indicated by a white light’.

As well as the blue indicator light blinking, new PlayStation 4 owners have been reporting no video or audio output on their television and the console turning itself off once the light started flashing.

This could apparently mean any of a number of things, including TV compatibility problems, issues with the PlayStation 4 power supply, issues with PlayStation 4 hard drive, and what support vaguely refer to as ‘issues with other PS4 hardware’.

They suggest that the TV compatibility issue can be resolved by updating the firmware on your TV (implying the problem is primarily with smart TVs).

The other issues are more complicated and it’s implied they may involve returning the console to Sony for repair or replacement.

There are more details at the link, but bear in mind that the contact details are for North America not Europe. So if you do have problems with your launch machine it’s best to visit the official UK support website here.


Anyone Can Bypass Your iOS 7 Lockscreen to See (and Share!) Your Photos

Got fancy new iOS 7 on that iPhone of yours? Beware. There’s a super simple bug that can let anyone blow right by your lockscreen and look through your pictures, and even share them.

The process was discovered by Jose Rodriguez, and even though it has quite a few steps, it’s super easy to master. Here’s how it works:

  • Swipe up on the locked phone to get to the control panel
  • Open the stopwatch app
  • Go over to alarm clock
  • Hold the power button until you get the “Power down” prompt
  • Hit the cancel button and immediately hit the home button twice, holding it down just a little longer on the second press. Like, buh-baah. It takes a try or two to get the hang of.

Then, bam, you’re in the target’s multitasking menu and can start goofing around. If you go to the camera app, you’ll be treated to unrestricted access to the Photo Stream, and can share the pictures from there with email, Twitter, and more. It’s pretty scary. This isn’t the first time a bug like this has showed up in iOS either. Hopefully it’s the last.

We were able to replicate the bug on an iPhone 4s and an iPhone 5, and so was Jose Rodriguez. We can’t tell for sure if it works on the iPhone 5S or 5C yet, but there’s little reason to think it wouldn’t.

We’ve reached out to Apple for comment, and there’s no doubt they’ll be issuing a fix in the near future. But in the meantime, just be aware that your photos aren’t safe from prying eyes. The prying eyes of an up-to-date nerd, at least.

Update: You can fight this by turning off the Control Center access on the lockscreen. Just go to Settings, Control Center, and set Lockscreen Access to off. But man, lockscreen Control Center is awesome and it’s on by default. So maybe just don’t leave your phone with creeps?

Ryan says: I’ve been able to get into iPhones for a LONG time now... when is Apple fixing these holes?

‘Critical’ security warning for BlackBerry Z10

A vulnerability in the BlackBerry Protect software built into Z10 smart phones could allow hackers to gain access to the passwords of some devices, according to a security advisory issued by BlackBerry.

By taking advantage of “weak permissions”, a malicious application would be able to:

  • Gain the device password if a remote password reset command had been issued through the BlackBerry Web site
  • Intercept and prevent the phone from acting on BlackBerry Protect commands, such as remote wipe

BlackBerry said the issue is with the BlackBerry Protect software and not the Z10’s operating system.

“The most severe potential impact of this vulnerability requires a BlackBerry Z10 smart phone user to install a specially crafted malicious app, enable BlackBerry Protect and reset the device password through BlackBerry Protect,” the advisory said.

With the device password and physical access to the phone, an attacker can:

  • Access the functionality of the smartphone (including the BlackBerry Hub, apps, data, and the phone) by unlocking the smartphone.
  • Unlock the work perimeter on a BlackBerry Z10 smartphone that has BlackBerry Balance technology enabled if the work perimeter password is the same as the device password.
  • Access the smartphone over a USB tether with either BlackBerry Link or the computer’s file viewer, allowing access to the smartphone’s personal files, contacts, PIM data, and so on. The attacker could also access work perimeter content on BlackBerry Balance smartphones if the work perimeter is unlocked and access over a USB tether is allowed by a policy that the IT administrator sets.
  • Enable development mode after accessing the smartphone over a USB tether, allowing remote access as a low privilege development user.
  • Change the current device password, allowing the attacker to deny access to the legitimate user of the smartphone.
  • Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.

An attacker can also gain Wi-Fi access to the phone if the owner enables Wi-Fi storage access on the Z10 and sets a storage access password that is the same as the device password.
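The advisory blames “weak permissions”, which on a POSIX-style system (BlackBerry 10 is QNX-based) usually means a file or channel holding sensitive state is readable by accounts other than its owner, so any other app on the device can read it. The check below is an added example, not BlackBerry’s code or the page’s: it creates two constructed placeholder files standing in for a stored device password and Protect state, flags the one whose mode lets group or other read it, and tightens it to owner-only. The file names and contents are assumptions for the demo.

```python
import os
import stat
import tempfile


def readable_by_others(path: str) -> bool:
    """True if the group or world read bit is set, i.e. any other local app can read it."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_secret_files(paths: list[str]) -> list[str]:
    """Return the paths whose permissions would let another app read a secret."""
    return [p for p in paths if readable_by_others(p)]


def harden(path: str) -> None:
    """Owner read/write only (0600); no access for group or other."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def demo() -> tuple[list[str], list[str]]:
    """Build two constructed files, audit, harden the weak one, audit again.
    Returns (weak files before hardening, weak files after hardening) by basename."""
    with tempfile.TemporaryDirectory() as workdir:
        password_store = os.path.join(workdir, "device_password")   # assumed name
        protect_state = os.path.join(workdir, "protect_state")      # assumed name
        for p in (password_store, protect_state):
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not a real secret\n")
        os.chmod(password_store, 0o644)  # the "weak permissions" case: world-readable
        os.chmod(protect_state, 0o600)   # correctly restricted to the owning account
        targets = [password_store, protect_state]

        before = audit_secret_files(targets)
        for p in before:
            harden(p)
        after = audit_secret_files(targets)
        return ([os.path.basename(p) for p in before],
                [os.path.basename(p) for p in after])


if __name__ == "__main__":
    weak_before, weak_after = demo()
    print("readable by other apps before:", weak_before)
    print("readable by other apps after: ", weak_after)
```

The same audit is worth running against any store of credentials or device-management commands: on a multi-app platform, a 0644 file is effectively shared with every installed app, which is exactly the position the advisory describes for a “specially crafted malicious app”.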

Researchers describe hacking iOS devices with malicious charger

Researchers from the Georgia Institute of Technology will be demonstrating a proof-of-concept method of hacking an iPhone using a malicious USB charger. Billy Lau, Yeongjin Jang and Chengyu Song announced the demonstration for Black Hat USA 2013, an annual conference for hackers and security researchers that begins on July 27th in Las Vegas.

The short version is the three researchers found a way to use USB protocols to bypass some of Apple’s security features in iOS that prevent unauthorized software from being installed on your iOS device. The three built a charger based on a BeagleBoard (see below)—a US$125 computer-on-a-circuit-board—that was able to successfully insert malware onto an iPhone plugged into it.

Worse, they can do so in under a minute.

“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” the researchers wrote in their Black Hat presentation description. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

In the demonstration, they said, they will discuss Apple’s existing security mechanisms that protect against “arbitrary software installation,” which in layman’s terms essentially means malware. They will then describe how standard USB capabilities can be “leveraged to bypass these defense mechanisms.” To finish it off, they will demonstrate how this same process can be used to hide the resulting malware from the user the same way Apple hides its own built-in software.

The three researchers named their malicious charger “Mactans.”

The BeagleBoard it is based on is an off-the-shelf circuit board that can be used to create all manner of tiny computing devices running Angstrom (OpenEmbedded), Debian, Ubuntu, and Gentoo. There are other BeagleBoard products as well, including a slightly larger model with a 1GHz Sitara ARM Cortex-A8 processor that can run Android.

The point the researchers are making is that their method can be accomplished with readily available technology.

“While Mactans was built with limited amount of time and a small budget,” they wrote, “we also briefly consider what more motivated, well-funded adversaries could accomplish.”

The researchers will offer methods for protecting yourself against such an attack—we’ll throw out that you should probably be choosy about using a charger whose provenance you can’t verify—and what Apple can do to make this attack, “substantially more difficult to pull off.”

Source: UPI

Canada’s new wireless rules are great, but let’s not kid ourselves

The CRTC, determined to reform Canada’s usurious wireless phone cartel, has just issued a strict new “Code of Conduct.”

Effective this December, three-year phone contracts will be available, but unenforceable. If you’re stuck in one of these abusive long-term relationships, you’ll be able to sever it at the two-year mark without penalty.

You know those bill-shocker stories about customers getting hit with thousands of dollars in data overage fees after letting their kids watch YouTube on their iPhones while vacationing in Cuba? Roaming data overage will now be limited to $100 a month, domestic to $50.

You’ll be able to have your subsidized phone unlocked after 90 days, you’ll have a right to a simpler contract and you’ll be able to negotiate changes to that contract.

Hooray, right?

Yes and no. The CRTC’s new pro-consumer stance is, without question, a good thing. But our big three carriers (Bell, Rogers and Telus) still control 95 per cent of the mobile market. Canadians are not going to start using less mobile anytime soon, regardless of the terms we’re offered. In fact, a wireless industry lobby group just sponsored a major study which (they claim) proves that Canadians are actually willing to pay more than we already do for our smart phones. Industry lobbyists are already using the report to suggest that Canadian consumers are getting a bargain. I say charging $50 for an umbrella during a thunderstorm isn’t a good deal just because people would still buy them at $60.

The point is, if the big three can’t maintain their globally-envied RPUs (revenue per user) under the old rules, they’ll find other ways to keep profits up while colouring within the lines of the new ones.

What will that mean? You can expect monthly fees to climb, and new “bonus” add-ons to be fabricated and marketed. We already see carriers offering 4G speed upgrades, for a fee. I predict that any new speed capacity will be chopped into separate products at separate price points, in a move akin to offering regular, premium and super-premium gasoline. That’s off the top of my head. If there are other ways to sneak new costs into our bills, wireless companies will find them.

The missing ingredient in Canadian wireless is not a tough regulator, but tough competition, backed by unrestrained foreign investment. However, even if Ottawa steps in to untangle the red tape and make this possible, our international reputation may be too tarnished. After the recent experiences of Mobilicity and Wind, who felt “left to the dogs” by Canada’s government once they were wooed in, the Canadian market may be a no-go zone for international mobile firms.

All around the world, smart phones are getting cheaper, wireless speeds are getting faster and people are doing more and more new things with their mobile devices. It’s happening here too. Just less so.

Ryan: Having worked for the big 3 (Rogers, TELUS & Bell) I can speak on behalf of most Canadians by stating that this is a positive step in the right direction. Now they just need to adjust the price fixing problems / incorrect roaming bills. Why not just shut off service to phones when a certain point is reached? Why are we as Canadians still paying for Call Display / Voicemail?

Source: Maclean’s

BitTorrent’s Secure Dropbox Alternative Goes Public

BitTorrent Inc. has opened up its Sync app to the public today. The new application is free of charge and allows people to securely sync folders to multiple devices using the BitTorrent protocol. Complete control over the storage location of the files and the absence of limits is what sets BitTorrent’s solution apart from traditional cloud based synchronization services.

Dropbox, Google Drive, Microsoft Skydrive and Mega are just a few examples of the many file-storage and backup services that are available today.

All these services rely on external cloud based hosting to back up and store files. This means that you have to trust these companies with your personal and confidential files, and that your storage space is limited.

For those people who want to be in control of their own data there haven’t been many alternatives, but BitTorrent Sync has the potential to trigger a small revolution on this front.

BitTorrent Sync’s functionality is comparable to services such as Dropbox and Skydrive, except for the fact that there’s no cloud involved. Users sync the files between their own computers and no third-party has access to it.

Besides increased security, BitTorrent sync transfers also tend to go a lot faster than competing cloud services. Another advantage is that there are no storage or transfer limits, so users can sync as many files as they want, for free.

Earlier this year BitTorrent started a closed Alpha test with a limited number of users, and today Sync is being released to the public for the first time.

“We’re really excited about opening up this Alpha. The feedback has been universally positive. Those in the closed Alpha have already synced more than 200TB since we started the program,” BitTorrent announces.

Over the past weeks many improvements have been made to the Sync application, prompted by user feedback. Among other things it is now possible to allow one-way synchronization and to exclude files or directories from being shared.

While Sync uses BitTorrent technology, people’s files are not accessible to outsiders. Only those who have the unique private key can access the shared folder.

“All the traffic is encrypted using a private key derived from the shared secret. Your files can be viewed and received only by the people with whom you share your private secret,” BitTorrent explains.

To increase security, the latest Sync version also has the option to let the secret key expire after a day so new devices can’t be added, even if outsiders have the private key.

BitTorrent stresses that Sync is still in Alpha development but tests carried out by TorrentFreak confirm that it works very well. It is an ideal tool for people who want to share large amounts of data between computers without going through third-party services.

The application is also surprisingly easy to configure. There’s no need to create an account and it only takes a few clicks to get going.

The Sync application is available for Windows, OS X and Linux, and can also run on NAS devices through a web interface. Readers who are interested in giving it a spin can head over to BitTorrent Labs, where the Sync app can be downloaded.

Download BitTorrent Sync for Windows here.
Download BitTorrent Sync for Mac 10.6 or newer here.

Source: TorrentFreak

Russian BadNews bug found in Android app store

Security researchers have identified 32 separate apps on Google Play that harboured a bug called BadNews.

On infected phones, BadNews stole cash by racking up charges from sending premium rate text messages.

The malicious program lay dormant on many handsets for weeks to escape detection, said security firm Lookout which uncovered BadNews.

The malware targeted Android owners in Russia, Ukraine, Belarus and other countries in eastern Europe.

The exact number of victims was hard to calculate, said Lookout, adding that figures from Google Play suggest that between two and nine million copies of apps booby-trapped with BadNews were downloaded from the store.

In a blogpost, Lookout said that a wide variety of apps were harbouring the BadNews malware. It found the programme lurking inside recipe generators, wallpaper apps, games and pornographic programmes.

The 32 apps were available through four separate developer accounts on Play. Google has now suspended those accounts and removed all the affected apps from its online store. No official comment from Google has yet been released.

Lookout said BadNews concealed its true identity by initially acting as an “innocent, if somewhat aggressive, advertising network”. In this guise it sent users news and information about other infected apps, and prompted people to install other programmes.

BadNews adopted this approach to avoid detection systems that look for suspicious behaviour and stop dodgy apps being installed, said Lookout.

This masquerade ended when an app seeded with BadNews received a prompt from one of three command and control servers; it then started pushing out and installing a more malicious programme called AlphaSMS, which steals credit by sending text messages to premium rate numbers.

Users were tricked into installing AlphaSMS as it was labelled as an essential update for either Skype or Russian social network Vkontakte.

Security firm Lookout said BadNews was included in many popular apps by innocent developers as it outwardly looked like a useful way to monetise their creations. It urged app makers to be more wary of such “third party tools” which they may include in their code.

Half of the 32 apps seeded with BadNews are Russian and the version of AlphaSMS it installed is tuned to use premium rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.
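Lookout’s advice to developers, to be wary of third-party monetisation SDKs, and the behaviour it describes (a wallpaper or recipe app that can reach a remote server and send SMS) suggest a first-pass triage a reviewer can run over a batch of decompiled apps: does the manifest request permissions the app’s advertised purpose cannot justify? The script below is an added example, not Lookout’s tooling and not code from the page; the three manifests are constructed and the category list is an assumption. It cannot see the second stage the article describes, which arrives later from a server, but it flags the permission combination that stage needs in order to bill the victim.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Constructed manifests standing in for decompiled apps; they are not taken
# from the BadNews samples. The first matches the pattern the article describes:
# an app with no SMS purpose that can reach a server and send text messages.
WALLPAPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cutewallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Cute Wallpapers"/>
</manifest>"""

MESSENGER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Messenger"/>
</manifest>"""

RECIPES_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recipes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Recipe Generator"/>
</manifest>"""

# Assumed: categories whose advertised function legitimately involves sending SMS.
SMS_EXPECTED_CATEGORIES = {"messaging", "dialer"}

SEND_SMS = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def assess(manifest_xml: str, category: str) -> tuple[str, list[str]]:
    """Triage verdict ('high', 'review' or 'low') plus the reasons behind it."""
    perms = declared_permissions(manifest_xml)
    reasons = []
    if SEND_SMS in perms and category not in SMS_EXPECTED_CATEGORIES:
        reasons.append(f"{category} app requests SEND_SMS: premium-rate billing vector with no product justification")
    if SEND_SMS in perms and INTERNET in perms:
        reasons.append("SEND_SMS together with INTERNET: destination numbers and payloads can be fetched from a remote server")
    if len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "review", reasons
    return "low", reasons


if __name__ == "__main__":
    for name, xml, cat in (("wallpaper", WALLPAPER_MANIFEST, "wallpaper"),
                           ("messenger", MESSENGER_MANIFEST, "messaging"),
                           ("recipes", RECIPES_MANIFEST, "recipes")):
        verdict, why = assess(xml, cat)
        print(f"{name}: {verdict}")
        for r in why:
            print("  -", r)
```

The useful output is the mismatch, not the permission on its own: a messaging app asking for SEND_SMS is expected and only merits a look because it can also fetch numbers from the network, whereas a wallpaper app asking for it has no reason to and should be pulled apart, including any bundled advertising SDK, before it ships.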

Source: BBC News

New next-gen Xbox details emerge, reinforcing reports that used games will be unplayable

The mystery surrounding Sony’s (SNE) PlayStation 4 will soon dissipate when the company unveils its next-generation video game console on February 20th. Meanwhile, Microsoft’s (MSFT) upcoming rival console is still very much a mystery, though pieces of the puzzle continue to come together. The latest report comes from Edge, which cites multiple unnamed people with “first-hand experience of Microsoft’s next generation console” in claiming that the new Xbox will require an always-on internet connection to check disc registration in order to function. The report reinforces earlier rumors that Microsoft will restrict or even completely block owners’ ability to play used games.

BGR also reaffirms specs reported earlier, including a 1.6GHz eight-core AMD CPU, D3D11.x 800MHz graphics and 8GB of RAM, and it says we should expect a new Kinect sensor to launch alongside the console.

Microsoft’s next Xbox is expected to be unveiled during the E3 gaming conference this summer.

Source: BGR

Ryan: Limiting the ability to play used XBOX games on the new console will be their downfall. If this happens, I won’t be buying one. PS4 FTW?!?!

Blacklist created to fight smartphone theft

Canada’s wireless carriers are targeting smartphone theft by setting up a database that will blacklist lost or stolen phones to prevent them from being reactivated.

The move would also help protect personal data on such devices, the Canadian Wireless Telecommunications Association said Thursday.

Smartphones are worth $600 to $700 and can be resold on the black market, noted association president Bernard Lord.

“With this database, it makes that a lot less attractive because the buyer of the stolen phone will not be able to connect to any network in Canada,” Lord said from Ottawa.

“It eliminates the incentive for stealing a device.”

The idea is also to reduce the black market value of a smartphone in the eyes of criminals, Lord added.

Once consumers call their wireless carrier to report their smartphone lost or stolen, the device’s internal identification number goes on the electronic blacklist.

Lord said even though more smartphones are lost than stolen, law enforcement officials have raised concerns about the issue.

The database for the Canadian wireless industry will be up and running by September 2013 and Canada’s carriers will also be contributing to an international database to help prevent smartphone theft, he said.

However, consumers who have their smartphones lost or stolen are “not off the hook” for paying their smartphone contracts.

A website will also be set up by the association to help consumers protect their smartphone data and help protect themselves from theft.

Lord said the smartphone’s ID number, the International Mobile Equipment Identity (IMEI), will be verified by carriers to make sure the device has not been lost or stolen.
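An IMEI is 15 digits, the last of which is a Luhn check digit over the first 14, so a carrier or a buyer checking a second-hand handset can reject mistyped or made-up identifiers before ever consulting a blacklist. The code below is an added example, not the CWTA database or any carrier’s code and not from the page: it validates an IMEI the way the standard check digit works and looks it up in a constructed blacklist. The blacklisted IMEI is a well-known test value, not a real stolen device.

```python
# Constructed blacklist for the example; the entry is a commonly used test IMEI.
BLACKLIST = {"490154203237518"}


def normalize_imei(raw: str) -> str:
    """Keep digits only: handsets and boxes print IMEIs with spaces or dashes."""
    return "".join(ch for ch in raw if ch.isdigit())


def luhn_check_digit(body: str) -> str:
    """Check digit for a 14-digit IMEI body (Luhn mod 10).
    Working from the right, every second digit (starting with the rightmost body
    digit) is doubled, with 9 subtracted if the result exceeds 9."""
    if len(body) != 14 or not body.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(raw: str) -> bool:
    """15 digits whose last digit is the Luhn check digit of the first 14."""
    digits = normalize_imei(raw)
    return len(digits) == 15 and luhn_check_digit(digits[:14]) == digits[14]


def check_device(raw_imei: str, blacklist: set[str] = BLACKLIST) -> str:
    """'malformed' if the IMEI fails the check digit, otherwise 'blacklisted' or 'clear'."""
    digits = normalize_imei(raw_imei)
    if not is_valid_imei(digits):
        return "malformed"
    return "blacklisted" if digits in blacklist else "clear"


if __name__ == "__main__":
    for candidate in ("49-015420-323751-8", "352099001761481", "490154203237519"):
        print(candidate, "->", check_device(candidate))
```

The check digit catches typos and casual fabrication only; it is not a security control, and as the comment below notes, a blacklist keyed on an identifier the handset itself reports is only as strong as the difficulty of changing that identifier.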

The Canadian Radio-television and Telecommunications Commission congratulated the wireless industry for the initiative, but would like the database running sooner rather than later.

“I would strongly encourage the industry to implement the database before September 2013 to ensure Canadians benefit from this added protection as soon as possible,” chairman Jean-Pierre Blais said in a statement.

The creation of a database and collaboration to make sure stolen or lost devices aren’t reactivated will help make them less desirable to thieves, Blais said.

“The CRTC has been concerned for some time about reports of an increase in crimes involving lost or stolen cellphones.”

Telus said while the wireless industry, law enforcement, and regulators all have a role to play, smartphone users need to think about where they’re buying their devices.

“We ask consumers to reconsider buying phones on sites like eBay, Craigslist, or Kijiji and instead buy their devices from a verified dealer,” Telus spokesman Shawn Hall said.

“If you buy a phone from Craig’s List it might be legitimate, but it could be stolen and then you will likely be unable to get it activated,” he said.

Smartphone use in Canada is among the highest in the world and penetration has exceeded 50 per cent, Lord said.

Canada’s wireless industry will spend about $20 million on the initiative, he said.

The United States is also taking steps and will have a similar database to fight the black market for smartphones in November 2013, Lord said.

Ryan says: This should change the market in the way deals are made on classified for-sale sites. Phones will be checked first to see if they work properly before buying. New tricks will be implemented, i.e. IMEI / IMSI masking, so I do not see this as a long-term solution for blacklisting phones, but it’s a move in the right direction.

Source:  CTV News