Friday, September 21, 2012

Apple iPhone 5 Operating System Already Hacked

The iPhone 4S, and probably the iPhone 5 as well, are vulnerable to attacks from malicious Web pages that can steal the user’s pictures, contact information and browsing history and send it all to a remote server.

Yesterday (Sept. 19) at the Mobile Pwn2Own contest at the EUSecWest conference in Amsterdam, a pair of Dutch security researchers successfully exploited a completely patched iPhone 4S.

The duo, Daan Keuper and Joost Pol from The Hague-based computer security company Certified Secure, said their proof-of-concept hack works on both iOS 5.1.1 and the version of iOS 6 that was given to developers several months ago.

Keuper and Pol said iPads are also vulnerable to this attack. While the two haven’t had a chance to test an iPhone 5 running the final build of iOS 6, it is likely also at risk, they told Computerworld.

The malicious code — technically, a drive-by download — took only a few weeks to create and can be embedded anywhere on a website to work, Pol said.

When placed in a graphic or advertisement on a blog visited by Mobile Safari, the code figures out a workaround for Safari’s sandboxing and signing mechanisms.

Users don’t need to do anything but visit the booby-trapped page for the malware to work. While the attack is able to steal a lot of sensitive data, email and SMS messages are separately encrypted and are not vulnerable to this particular attack.

Keuper and Pol wouldn’t reveal exactly how their attack works, but told ZDNet that it involved a zero-day exploit, one that’s not yet known to most security specialists.

They also told ZDNet that they wouldn’t do it again.

“We shredded it from our machine,” Pol said. “The story ends here. … It’s time to look for a new challenge.”

He said that BlackBerry and Android devices, which run the same WebKit rendering engine in their browsers as iOS’s Safari, could also be open to this exploit, but haven’t been tested. Pol hopes Apple fixes the exploit soon and that users download the patch as soon as possible.

Last year, security researcher Charlie Miller snuck a malicious proof-of-concept app into Apple’s iTunes App Store that could also steal data from iPhones.

For their successful hack of Mobile Safari, Pol and Keuper together took home $30,000.

Thursday, September 20, 2012

New Apple maps app under fire from users

Inaccuracies and misplaced towns and cities in Apple's new map software have provoked anger from users.
In June Apple announced it would stop using Google Maps in favour of its own system, created using data from navigation specialist TomTom.

Apple is yet to comment on the complaints about the software, which comes already installed on the new iPhone.

TomTom said it provided only data and was not responsible for how it worked.

The software is packaged with iOS6, the latest version of Apple's operating system, which runs on the iPhone, iPad and iPod Touch.

Previously, the system had an app running mapping software from Google.

But users are now forced to use Apple's new maps once they upgrade or buy the latest iPhone - which goes on sale on Friday.

There is not currently a Google Maps app available in Apple's App Store, although Google's system is still accessible via the phone's web browser.

Is Apple trying to drown me?

Among the user complaints regarding Apple's maps sent to the BBC were:

Some towns appear to be missing, such as Stratford-upon-Avon and Solihull.

Others, like Uckfield in East Sussex, are in the wrong location.

Satellite images of various locations, particularly in Scotland, are obscured by cloud.

A search for Manchester United Football Club directs users to Sale United Football Club, a community team for ages five and above.

Users also reported missing local places, such as schools, or strange locations. Another screenshot showed a furniture museum that was apparently located in a river.

TomTom, which also licenses data to a range of other mobile manufacturers, defended its involvement.

A spokesman told the BBC that its maps provided only a "foundation" to the service.

"The user experience is determined by adding additional features to the map application such as visual imagery," a spokesman said.

"User experience fully depends on the choices these manufacturers make.

"We are confident about our map quality, as selling 65 million portable navigation devices across the world and more than 1.4m TomTom apps for iPhone in the past two years reaffirms this quality."

Prior to the release of iOS6, several developers had expressed concerns over the capability of the mapping app, in particular its ability to find businesses via search.

Spot the difference
"This is incredibly different from using Google Maps," one Denver-based blogger wrote on 13 September.

"It's a tremendous step backwards and something that cripples iOS for Apple's customers.

"I [searched] 'iPhone Repair' and 'iPad Repair' since that's relevant to our business. The results broke my heart.

"All of the work I've put into our local recognition is completely gone."

Not exactly a "magical" experience now is it?

Tuesday, September 18, 2012

Users apparently aren't getting the iMessage

No, no they can not.
In the wake of Apple's recent iCloud e-mail outage, a number of people are now experiencing delays and lost messages with its iMessage instant-messaging service.

Apple is apparently having trouble getting its iMessage across.

iMessage is Apple's proprietary instant messaging service for iOS and Mac OS. Users have outlined their issues in several Apple support forum discussions, where they complain about being unable to send or receive messages. The problems appear to affect users across the globe, suggesting that the problem is on Apple's end as opposed to that of a service provider.

Apple introduced iMessage as part of iOS 5 last October, offering users on the iPhone, iPod, and iPad a way to communicate with one another for free as long as they had an Internet connection. Apple added the functionality to its Macs as part of Mountain Lion in July.

The reported iMessage problems follow an outage at Apple's iCloud service a few days ago, in which millions of users were unable to access e-mail for a couple of days. Apple said little about that problem except that it was working on it and would have it corrected ASAP. iCloud e-mail is now operational.

Apple's iCloud status page currently states that "all services are online." This status page, however, has been unreliable, or at least slow to update, where outages are concerned.

A poll on tech site 9to5mac shows that about half of users are experiencing problems with the service and cannot reliably send or receive messages.

Apple so far has not commented on the outage.

What was that about Apple products "just working"?  How's that "magical experience" working out?

Friday, September 14, 2012

Five reasons iPhone 5 disappoints

Born to disappoint

A new iPhone is Apple's chance to drive competitors nuts, to take technological innovation to new heights and to leave the stage with a justified smug look, but as the dust settles from yesterday's launch event the new handset feels dated already. The Cupertino, Calif.-based corporation should smash the competition to bits but that hasn't happened, has it?

iPhone 5 is not the revolutionary product that could set the world on fire and just like my colleague Wayne Williams I wonder "Hey, Apple, where’s the innovation?" There is a saying that's perfect for landmark product releases: "Go big or go home" and Apple should have followed the former not the latter for what will most likely be the flagship device over the next year. It's not enough to sway the current cutting-edge Android smartphones to the curb, so how can it when there will be fierce competition from Windows Phone 8 devices like the Nokia Lumia 920 or Samsung ATIV S?

The new iPhone 5 is a disappointment and here are five reasons why it fails to impress. (Ha! Wayne struggles to find five things to like about iPhone 5).

1. 4-inch display is straight from the history books. The new iPhone sports a 4-inch display with a 1136 x 640 resolution at 326 pixels per inch. It clearly bests the iPhone 4S display in terms of resolution and size, but a 4-inch display in 2012 is still subpar compared to other smartphones like the popular Samsung Galaxy S III or Nokia Lumia 920, which both come with bigger display and higher resolution. The original iPhone was a game-changer with its 3.5-inch display, but five years later and just a minor size increase is a clear sign of stagnation.

The rules of the game have changed over time, with bigger displays being better suited for web browsing, reading emails and the social media experience that is ever present in the digital lifestyle, and cramming it all on a 4-inch display is not the way to go.

2. Looks similar to the iPhone 4S. The design coming from Cupertino is (yet again) repetitive, with minor differences from its predecessor that was (again) quite similar to its predecessor. The last three Apple iPhone smartphones are very similar in appearance, begging the question: "Is Apple's design team on vacation?" Visually it looks like Apple took the iPhone 4S, put it on a diet to lose some millimeters from its already "chunky" sides, stretched it so it could accommodate the display and changed the back a bit so there is one visual cue to separate it from its predecessor. That is, if you look hard enough to spot the difference up close.

Apple leaves similarities aside, and instead uses bold statements like "inventing entirely new technology" to describe the "entirely new design", with a clear emphasis on the "entirely new" factor that should sway potential buyers from thinking it's darn similar to the old one.

3. iOS 6 is no match for the hardware. If there is one good thing that iPhone 5 has over the iPhone 4S, it is the hardware it packs. Yet the very same advantage is not matched by a revolutionary, new iOS. Apple plays catchup (again) by offering features similar to Android, but fails to deliver one that is actually fit for the hardware -- true multitasking without any limitations. iOS 6 does not focus on iPhone 5, instead it's taking a one-OS-fits-all approach that is antiquated. Why not add multiple home screens support or even widgets? No wonder it's sipping on battery...

4. No (amazing) new tricks. iPhone 4S introduced one of the most interesting and highly-discussed features -- Siri. The virtual assistant made voice search popular and drove Google to improve its own offering into what Google Now is today. But with the iPhone 5 the inspiration runs out and what we're seeing is more or less the same software that every other iPhone is going to get once iOS 6 launches on September 19. Instead of being innovative, Apple tweaked Siri to better compete with Google Now that was introduced with Android 4.1 Jelly Bean in June, basically playing catchup to Google's mobile operating system.

As far as hardware goes, near field communication and wireless charging are nowhere to be seen on the iPhone 5, even though the Samsung Galaxy S III or the Nokia Lumia 920 have both. LTE? Plenty of other smartphones already had it long before Apple introduced iPhone 5. Bottom line: no new "amazing" feature.

5. Unjustified pricing differences. iPhone 5 storage pricing differences are simply absurd. The 16GB model costs $199, which does not sound unreasonable, but the same cannot be said about the 32GB model that costs $299 or the 64GB model that goes for $399. That 16GB storage is insufficient when there is a 1080p video recording camera that can also take 8-megapixel photos, both of which (videos and photos) will fill the onboard storage reasonably fast to warrant going for a more expensive model. The lack of expandable storage forces potential buyers to spend 50 percent or 100 percent more than the base price of an iPhone 5 to get a properly spec'd model.

Apple needs to get down to Earth with its pricing; it's unjustified considering the competition comes with expandable storage at a lower price point.

Apple Chose Wrong

Time to face the truth: as it stands, iPhone 5 is just an upgrade from the iPhone 4S, and nowhere near the smartphone that I was expecting. Disappointed? Yes, badly and I do not consider myself alone in thinking so. Apple chose the wrong ingredients and focused on minor improvements that diminish its appeal, especially so with all the leaks that pointed towards a 4-inch display months before the announcement. It's better than the iPhone 4S, but the bottom line is this: iPhone 5 does not shine.
On top of those reasons, Apple really had a chance to "wow" people with features like a burst mode for the camera or expandable storage. And what's the deal with the new connector? In one fell swoop they rendered all cables and dock accessories useless for any idiot that wants the new model. All in all, it was nice to see so many negative comments from consumers and reviewers on the iPhone 5. Apple seriously dropped the ball here by releasing what boils down to an upgraded 4S. Now, I wonder what companies like Samsung will go after first: the fact that Apple copied the usage of a larger screen because that's what sells or the 4G LTE? Everyone ready for another patent war?

Wednesday, September 12, 2012

iCloud Mail Outage Enters Second Day

No silver lining here...

Just about 24 hours ago, we began receiving the first reports of users having difficulties accessing their iCloud mail. Apple acknowledged the outage on its iCloud system status page relatively soon afterward, but noted that the issue only affected about 1% of customers.

Unfortunately for that small fraction of users, the issue has become a relatively major one, as their outage is now extending into a second day with Apple's regular system status updates providing no sign of improvement in holding steady at 1.1% of users being affected.

Apple has given no timeframe for a resolution of the issue beyond stating that "normal service will be restored ASAP", and an Apple spokesperson declined further comment upon being contacted by Macworld.

Tuesday, September 4, 2012

Hackers Release 1 Million iOS Device UDIDs Obtained from FBI Laptop


Hacker group Antisec has released a dump of 1 million unique identifiers (UDIDs) from Apple iOS devices tonight. The records reportedly came from a file found on an FBI laptop back in March.

During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java. During the shell session some files were downloaded from his Desktop folder. One of them, with the name of "NCFTA_iOS_devices_intel.csv", turned out to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. The personal details fields referring to people appear many times empty, leaving the whole list incomplete on many parts. No other file on the same folder makes mention about this list or its purpose.
The file that was found was said to contain over 12 million device records, including Apple UDIDs, usernames, push notification tokens, and in some instances, names, cell phone numbers, addresses and zip codes.

The group released 1 million of these records but stripped most personal information. The final release includes Apple UDIDs, APNS (push notification) Tokens, Device Name (e.g. "Arnold's iPhone") and Device Type (e.g. "iPhone"). MacRumors has been able to confirm that the UDIDs appear to be legitimate.

The source of the data is not entirely clear, though the type of data is typical for the kind of information an iOS app developer would collect to deliver push notifications to users. It seems an app developer or developers are the likely original source of the information, though no specific information is yet available. Right now there's no easy way to determine if your device's UDID was included in the list, beyond downloading the list yourself.

The actual implications of the leak, even if your UDID is found, aren't entirely clear. The UDIDs themselves are rather harmless in isolation. Apple has previously come under fire for the use of these globally identifying IDs. The privacy risks, however, typically come from these IDs being used across ad networks and apps to piece together a more complete picture of activity and interests of the user. But it was reported back in 2011 that by leveraging existing networks, information and even login access can be obtained from UDIDs. It's not yet clear if the released push tokens can be used in any manner.

Sunday, September 2, 2012

Spyware Matching FinFisher Can Hijack IPhones

FinFisher spyware made by U.K.-based Gamma Group can take control of a range of mobile devices, including Apple Inc. (AAPL)’s iPhone and Research in Motion Ltd. (RIM)’s BlackBerry, an analysis of presumed samples of the software shows.

The program can secretly turn on a device’s microphone, track its location and monitor e-mails, text messages and voice calls, according to the findings, being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab. Researchers used newly discovered malicious software samples to further pull back the curtain on the elusive cyber weapon.

The hunt for clues to the software’s deployment has gained speed since July, when research based on e-mails obtained by Bloomberg News identified what looked like a FinFisher product that infects personal computers. In that case, the malware targeted activists from the Persian Gulf kingdom of Bahrain.

The latest analysis, led by security researcher Morgan Marquis-Boire, may demonstrate how such spyware can reach a broader range of devices to follow their owners’ every move.

“People are walking around with tools for surveillance in their pockets,” says John Scott-Railton, a doctoral student at the University of California Los Angeles’ Luskin School of Public Affairs who assisted with the research. “These are the tools that can be used to turn on your microphone and turn your phone into a tracking device.”

Transforming Surveillance
The findings -- which are consistent with Gamma’s own promotional materials for a FinFisher product called FinSpy Mobile -- illustrate how the largely unregulated trade in offensive hacking tools is transforming surveillance, making it more intrusive as it reaches across borders and peers into people’s digital devices.

FinFisher products can secretly monitor computers, intercepting Skype calls, turning on Web cameras and recording keystrokes. They are marketed by Gamma for law enforcement and government use.

“I can confirm that Gamma supplies a piece of mobile intrusion software -- FinSpy Mobile,” Gamma International GmbH Managing Director Martin J. Muench said in an Aug. 28 e-mail. “I certainly don’t intend to discuss how or on what platforms it works. I do not wish to inform criminals of how any of our detection systems are used against them.”

Muench, who is based in Munich, said his company didn’t sell FinFisher spyware to Bahrain. “I am still investigating how a piece of our software went astray,” he said in his e-mail.

In a news release today, Gamma said that information from its sales demonstration server had been stolen at an unknown time by unknown methods.

FinSpy Marker
“The information that was stolen has been used to identify the software Gamma used for demonstration purposes,” the release said. “No operations or clients were compromised by the theft.” The Gamma statement said that while its demo products contain the word “FinSpy” -- a marker the researchers used to help identify samples -- its more sophisticated operational products don’t.

Gamma International GmbH in Germany is part of U.K.-based Gamma Group. The group also markets FinFisher through Andover, England-based Gamma International UK Ltd. Muench leads the FinFisher product portfolio.

Muench says that Gamma only sells to governments and their agencies and complies with the export regulations of the U.K., U.S. and Germany.

More Samples
The July report on Bahrain led security professionals and activists to give Marquis-Boire’s team additional samples of malware for testing.

Several of those samples became the basis of the new report, and include what appear to be a FinSpy Mobile demonstration copy and live versions sent to actual targets.

The report contains no information about any individuals who were targeted, or whether devices were infected.

In December, anti-secrecy website WikiLeaks published a promotional brochure and video for FinSpy Mobile. The video shows a BlackBerry user receiving a message to click on a link for a fake update -- and then making the mistake of doing so.

“When FinSpy Mobile is installed on a mobile phone it can be remotely controlled and monitored no matter where in the world the Target is located,” a FinSpy brochure published by WikiLeaks says.

Systems that can be targeted include Microsoft Corp. (MSFT)’s Windows Mobile, the Apple iPhone’s iOS and BlackBerry and Google Inc. (GOOG)’s Android, according to the company’s literature. Today’s report says the malware can also infect phones running Symbian, an operating system made by Nokia Oyj (NOK1V), and that it appears the program targeting iOS will run on iPad tablets.

Simple Process
A mobile device’s user can become infected by being tricked into going to a Web link and downloading the malware, which can be disguised as something other than FinSpy.

As Gamma’s promotional video illustrates, the process can be as simple as sending someone a text message with a link that looks as if it comes from the phone maker, and asking the user to “please install this system update,” Marquis-Boire says.