In light of last week's security breach by a security analyst, Apple has proactively introduced an online status page, much like the iCloud status page, but for the Developer Center. This status page allows registered Apple developers to track the progress as systems become available while Apple overhauls their backend services with added security. As you can observe there's still a lot of green missing. Here's a road map statement of their approach in bringing their services back online.
We plan to roll out our updated systems, starting with Certificates, Identifiers & Profiles, Apple Developer Forums, Bug Reporter, pre-release developer libraries, and videos first. Next, we will restore software downloads, so that the latest betas of iOS 7, Xcode 5, and OS X Mavericks will once again be available to program members. We'll then bring the remaining systems online. To keep you up to date on our progress, we've created a status page to display the availability of our systems. - Apple
Read More | MacRumors
The Syrian Electronic Army strikes again at another VoIP provider, this time Viber. We reported the cyber attacks on Tango; now the pro-Assad militant cyber group claims that it was able to download backups of Viber's database, which allegedly includes, but is not limited to, phone numbers, device IDs and, supposedly, push notification tokens. Along with the purported intrusion, some Viber pages have been defaced. Viber has come forward and stated that the intrusion is mostly harmless to customers of its VoIP services, since it claims that the most vital user information is kept in a different database that can't be exploited by outside threats. As always, Viber requests that 200,000 users be vigilant and report any suspicious activity with their accounts.
Today the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page.
It is very important to emphasize that no sensitive user data was exposed and that Viber’s databases were not “hacked”. Sensitive, private user information is kept in a secure system that cannot be accessed through this type of attack and is not part of our support system.
We take this incident very seriously and we are working right now to return the support site to full service for our users. Additionally, we want to assure all of our users that we are reviewing all of our policies to make sure that no such incident is repeated in the future. - Viber
Read More | Arstechnica
The Syrian Electronic Army (SEA) has come forward claiming that it has stolen millions of user email addresses, phone numbers and contact information from the popular video messaging service Tango. The 1.5 terabytes' worth of compromised data has been confirmed by Tango on Twitter.
SEA has stated that it will hand over the information to its country's government, led by embattled President Bashar al-Assad. The compromise was possible due to an outdated WordPress installation.
Traditional telecommunication is to be avoided due to the current war in Syria, which has resulted in a rising death toll of over 100,000 lives. Thus, messaging services with VoIP capabilities are very popular in that part of the world. So it comes as no surprise that the exploit is for the sole purpose of monitoring, finding and stamping out rebel forces and sympathizers.
"Tango experienced a cyber intrusion that resulted in unauthorized access to some data. We are working on increasing our security systems. We sincerely apologize for any inconvenience this breach may have caused our members." -Tango
Read More | Syrian Electronic Army
The Apple Developer Center portal has been on hiatus since last Thursday. The reason for it being down took many by surprise, as they were led to believe it was related to mundane web maintenance. However, Apple has come forward with information that the Dev site was compromised. Now, a security researcher named Ibrahim Balic has come forward claiming responsibility for the exploit several hours before the Dev site went into full lockdown.
Balic managed to see and copy Apple developers' full names and corresponding Apple IDs and emails with an unavoidable injection tool attack. No other information, such as credit card information or App codes, was garnered from the exploit. Such information is under additional lock and key encryption housed in other servers.
Balic claims that he was also able to get hold of the Apple IDs of regular users. He stresses that this is for security research purposes only and he does not intend to give out any information to the general public as to how he managed the exploit. Full Apple statement below. Still, no apologies from Apple over the faux linen landing page. Here's a video of Balic describing vulnerabilities within Apple's web services.
Read More | AllThingsD
A SIM card vulnerability has been uncovered in the encryption used in millions of phones that could allow hackers to send spoof texts. These texts would execute nefarious software that gives them the ability to listen in on calls, as well as read and send text messages, all within a couple of minutes. It could even copy your SIM card.
Cryptographer Karsten Nohl and his security team have estimated that 750 million phones in circulation today use an old 56-bit DES encryption standard in their SIM cards that can be exploited. Nohl will present his findings at the annual Black Hat security conference held in Las Vegas. It is estimated that 25% of 1000 SIM cards tested in North America and Europe were vulnerable to the exploit.
In addition, it has been reported that Nohl has fully disclosed his findings to the GSM Association, and that they have notified carriers and SIM vendors of who exactly can be exploited. Nohl suggested that older obsolete systems should be replaced with newer Triple DES encryption.
Read More | PCMag
Video security surveillance app maker SKJM has updated its iCam app to version 2.2 and added some useful features. iCam now supports 256-bit AES encryption, a gallery-style view of motion event image thumbnails, and the iPhone 5's 4-inch display size. The update also includes various bug fixes and optimizations. I highly recommend this invaluable app. iCam has motion detection functionality, with alerts sent via push notification, and supports a bevy of third-party security surveillance cameras. iCam is a universal binary iOS app. Most notable feature: iCam for iPhone can support up to 12 simultaneous live video streams and the iPad up to 16. Don't have it? iCam is priced at $4.99 in the App Store.
What's New in Version 2.2
- Added support for 256-bit AES encryption.
- Added support for Motion Event Image Thumbnails.
- Added iPhone 5 screen size optimizations.
- Fixed various minor bugs.
Be sure to also update the iCamSource application running on your computer(s) to the latest version: http://skjm.com/icam/support.php
Read More | iCam
A new patch by Adobe Systems fixes the two Flash Player vulnerabilities currently under attack. The attacks install malware and target both Macs and PCs. The targets all seem to be Flash versions for OS X and Windows. The patch, however, is also available for Linux and Android.
The exploits target Safari as well as Firefox, and the vulnerability is classified as CVE-2013-0634. The attacks are also reportedly tricking Windows users into opening Word documents containing the Flash content.
The bug, according to Adobe, was discovered by members of the Shadowserver Foundation, Lockheed Martin's Computer Incident Response Team and MITRE.
The vulnerability leaves these devices open to malware downloaded in remote apps, which can then read user data and even brick your phone completely. "The good news is we can easily obtain root on these devices and the bad is there is no control over it," said xda-developers user Alephzain. Usually, vulnerabilities like this require physical access to the phone, while this vulnerability allows it to be attacked from apps downloaded from the Google Play Store.
Samsung is apparently aware of the problem, but has not publicly acknowledged the problem. Millions of devices are reportedly at risk right now as public knowledge of the issue spreads.
Read More | The Verge
Microsoft, the parent company of Skype, has patched a password recovery tool bug that Russian hackers exploited to gain access to users' accounts with nothing more than their account name and email. The Next Web independently verified the five-step process and confirmed that it works. Skype made this announcement on its website blog:
Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly. We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.
Read More | Skype
Yet another case of malware found on Google Play. A 20-year-old man suspected of an elaborate Android Trojan SMS scheme was arrested in France. The alleged hacker tallied over 17,000 Android users who installed malicious software posing as copycat apps. The scheme works by sending SMS messages at a premium cost. The hacker then earns a micro-transaction fee, leaving the unsuspecting user with an unexpectedly hefty monthly bill.
The hacker informed French authorities that he was more motivated by the technical aspect than monetary gain and had goals of becoming a software engineer. Cyber criminals have made inroads into making malware on the Android platform partly because the Google Play Store is open and is not curated and vetted for security like Apple's App Store. Hackers have created clone malware of popular apps like Skype, Instagram, and Angry Birds. Some of these apps steal personal information and passwords and can capture pretty much anything you type.
Computer security vendors, like Sophos, strongly advise Android users to be vigilant and also install their free anti-virus security suite.
Read More | The Register