Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

Search the Community

Showing results for tags 'apple'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Found 356 results

  1. Apple chief calls on governments and technology companies to crack down on misinformation in public discourse Apple CEO Tim Cook is urging governments and technology firms like his own to help stem the spread of falsehoods Fake news is “killing people’s minds”, Tim Cook, the head of Apple, has said. The technology boss said firms such as his own needed to create tools that would help stem the spread of falsehoods, without impinging on freedom of speech. Cook also called for governments to lead information campaigns to crack down on fake news in an interview with a British national newspaper. The scourge of falsehoods in mainstream political discourse came to the fore during recent campaigns, during which supporters of each side were accused of promoting misinformation for political gain. “We are going through this period of time right here where unfortunately some of the people that are winning are the people that spend their time trying to get the most clicks, not tell the most truth,” Cook told the Daily Telegraph. “It’s killing people’s minds, in a way.” He said: “All of us technology companies need to create some tools that help diminish the volume of fake news. We must try to squeeze this without stepping on freedom of speech and of the press, but we must also help the reader. Too many of us are just in the ‘complain’ category right now and haven’t figured out what to do.” He said that a crackdown would mean that “truthful, reliable, non-sensational, deep news outlets will win”, adding: “The [rise of fake news] is a short-term thing. I don’t believe that people want that.” While instances were seen among supporters of both sides of the recent US election battle, Donald Trump’s campaign was seen by many as a particular beneficiary of fake news reports. And the US president’s team has been caught sending aides out to insist that a huge crowd had attended his inauguration, when the evidence showed a relatively modest audience was there. Trump’s spokesman, Sean Spicer, insisted that the event had attracted “the largest audience ever to witness an inauguration ” and Trump said he believed the crowd went “all the way back to the Washington Monument”. Images from the moment Trump was taking the oath showed the crowd was relatively small and went nowhere near as far back down Washington’s National Mall as the monument. Other evidence suggested a relatively small crowd in attendance. Senior aide Kellyanne Conway later characterised the Trump administration’s falsehoods as “alternative facts”. Fake anti-Trump stories during the election included one in which it was falsely claimed that he had groped the drag queen and television presenter RuPaul. Hillary Clinton was scrutin ised over her claim that there was “no evidence” her emails had been hacked because the FBI director, James Comey, had concluded it was likely they had been. A study by economists at Stanford University and New York University published two months after November’s US presidential election found that in the run-up to the vote, fake anti-Clinton stories had been shared 30 million times on Facebook, while those favouring her were shared eight million times. It said: “The average American saw and remembered 0.92 pro-Trump fake news stories and 0.23 pro-Clinton fake news stories, with just over half of those who recalled seeing fake news stories believing them.” But it called into question the power of fake news reports spread on social media to alter the outcome of the election, saying that, “for fake news to have changed the outcome of the election, a single fake article would need to have had the same persuasive effect as 36 television campaign ads”. Nevertheless, Cook demanded action to decrease the reach of fake news. “We need the modern version of a public service announcement campaign. It can be done quickly, if there is a will.” He added: “It has to be ingrained in the schools, it has to be ingrained in the public. There has to be a massive campaign. We have to think through every demographic... It’s almost as if a new course is required for the modern kid, for the digital kid. “In some ways kids will be the easiest to educate. At least before a certain age, they are very much in listen and understand [mode], and they then push their parents to act. We saw this with environmental issues: kids learning at school and coming home and saying why do you have this plastic bottle? Why are you throwing it away?” By Kevin Rawlinson https://www.theguardian.com/technology/2017/feb/11/fake-news-is-killing-peoples-minds-says-apple-boss-tim-cook
  2. If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you'd be wrong. Very wrong. According to the CEO of Russian hacking tool creator Elcomsoft, Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory. Customers check out the new Apple iPhone 7 at the Apple Store at the Grove in Los Angeles on Friday, Sept. 16, 2016 If you think clearing your web browsing history on your iPhone or Mac is going to make your online habits permanently disappear, you'd be wrong. Very wrong. According to the CEO of Russian hacking tool creator Elcomsoft, Apple is storing Safari histories in the iCloud going back more than a year, possibly much longer, even where the user has asked for them to be wiped from memory. Elcomsoft chief Vladimir Katalov told FORBES the iPhone maker kept a separate iCloud record, titled "tombstone," in which deleted web visits were stored, ostensibly for syncing across devices. Katalov told me he came across the issue "by accident" when he was looking through the Safari history on his own iPhone. When he took Elcomsoft's Phone Breaker software to extract data from the linked iCloud account, he found "deleted" records going back a year. (Apple calls them "cleared" in Safari, not "deleted"). "We have found that they stay in the cloud, probably forever," Katalov claimed. Your reporter tried clearing his Safari (version 10.0.2 on Mac OS X) history and then ran the Phone Breaker tool on his iCloud account. It returned nearly 7,000 "deleted" records going back to 27 November 2015. They were accompanied by a visit count as well as the date and time the history item was deleted. There were also Google searches, the full terms of which were visible in the Elcomsoft control panel. Fresh Safari activity that I hadn't cleared was given the status "actual." FORBES also had an iOS forensics expert validate Katalov's claims. The expert, who asked to remain anonymous, found the Elcomsoft Phone Breaker tool recovered 125,203 browsing history records going back to the same 2015 date, even though the Safari cache had been cleared. The expert also found Notes they'd supposedly deleted, but the Notes went back only a short period, less than 30 days, indicating Apple was purging them regularly. It's unclear just how or why Apple is storing cleared browsing history for such a long period. It would appear to be a design issue rather than anything suspicious, and is likely to do with the syncing mechanism between iOS, Mac OS X and Apple servers. Consumer cloud services like iCloud, by their nature, require records of delete requests to remain accessible for stretches of time, as users may have devices turned off that need to come alive again before they can sync and remove the browsing history. The fact that Apple didn't hide the deleted records indicates it wasn't a purposeful data retention effort, but an oversight, according to the forensics expert. Effective encryption and a different design would help hide the information from both Apple and probing tools like Elcomsoft's Phone Breaker, the source added. Jay Stanley, senior policy analyst at the American Civil Liberties Union (ACLU), said companies had to be very careful to follow best practice and delete users' data when requested. "Overall, assuming this was a mistake, it's a reminder that storing and retention of data is the default as a technical matter," Stanley said. Not that he appears that bothered. "Money is not the main thing we work for," said Katalov, in our email correspondence. "But we are still going good. There are enough features in our products that are quite useful for many customers, from consumers to law enforcement, that do not rely on vulnerabilities. And finally, quite a lot of research is in progress - we will always find something new." Elcomsoft is best known not for aiding any law enforcement activity, but for a salacious episode in the history of Apple hacks: reports alleged it was used by snoops who stole celebrities' nude pictures stored in the iCloud. The so-called "Fappening" attacks saw images belonging to the likes of Jennifer Lawrence and Kate Upton leaked online, and the perpetrators sentenced to prison. Apple in patch mode... and an easy fix Apple declined to comment on Elcomsoft's findings. But a source with knowledge of the matter told me Apple has updated iOS and Safari to make it harder. Starting with Safari 9.1 and iOS 9.3, when users delete browsing history, the URLs are turned into hashes -- that's when plaintext is represented by a collection of digits and letters after being put through an algorithm. That goes some way to stopping any potential snoops looking at the data, though it hasn't prevented Elcomsoft's tool from grabbing the information from the latest versions of Safari. Expect Apple to continue plugging holes that Elcomsoft finds, though, as it has done with other recent public disclosures by Katalov. In cases such as this, the user won't need to do a thing, as the fixes will be done on Apple's servers. Nevertheless, as the Cupertino giant recommends, using the most recent software versions will keep customers' safer from privacy invasions. In the meantime, it's possible to turn Safari syncing off to avoid the problem altogether. Apple has a good guide about how to turn iCloud features on and off here. UPDATE Shortly after publication, FORBES was contacted by Katalov and another source, who claimed that their old records were disappearing. It appears, they said, that Apple is purging. There was no update from Apple, however. By Thomas Fox-Brewster https://www.forbes.com/sites/thomasbrewster/2017/02/09/apple-safari-web-history-deleted-stored-icloud/
  3. Apple appears to have disabled a tool that helps buyers of pre-owned iOS devices check to see if the devices have been lost or stolen. Find My iPhone Activation Lock— which can disable stolen a iPhone, iPad, iPod or Apple Watch— previously included a feature that let people find out whether the lock had been activated by typing in the device's serial number online. That option, accessed from an iCloud page, appears to have disappeared over the weekend, according to MacRumors. As of Monday afternoon, the website that previously displayed the Activation Lock checker (icloud.com/activationlock) resulted in an error. And as MacRumors notes, the reference to the status checker appears to have been removed from the Activation Lock support page. The page still offers advice to prospective owners of used iOS devices, including a warning not to "take ownership of any used iPhone, iPad, or iPod touch until it's been erased." Unless the seller of a pre-owned device provided its serial number to the prospective buyer in advance, however, the activation lock checker would have been of little use as verification that the device was not stolen. Still, it's unclear why Apple removed the functionality. A company spokesperson did not immediately respond to a request for comment. Introduced with iOS 7 as a way to deter theft, Activation Lock has frequently served as a target for hackers. In 2014, a team of hackers published a workaround that requires users to plug a bricked device into their computer and alter the "hosts" file inside. The iPhone or iPad is then tricked into connecting to the hacked server, which unlocks the gadget. Another loophole involving the iOS Wi-Fi login system was discovered last month. Source
  4. How to Opt Out of iOS Beta Updates and Reinstall iOS 10.2.1 on Your iPhone/iPad The tutorial also applies to iPod touch devices iOS 10.2.1 is the first point release to the iOS 10.2 series. It received a total of four Beta/Public Beta versions during its entire development cycle since mid-December last year. The last one was seeded only ten days ago. Like many of us running the iOS 10.2.1 Public Beta 4 release, it turns out you'll not receive the final version of iOS 10.2.1, which some will say it's identical with the last Beta, but what if your device is not working properly and you are still experiencing bugs. For example, we found out that, since we've installed the last Public Beta versions of iOS 10.2.1 on our iPhone 6 device, some applications were very slow to load and not so responsive like they used to be. Also, we noticed major battery drains. Removing the iOS Public Beta profile If you're experiencing the same issues on your iPhone, iPad, or iPod touch device, it's time to refresh it by reinstalling the operating system. First off, make sure that you have a recent iCloud backup, or at least a local backup in iTunes. It's time to remove the Public Beta profile (you can always reinstall it at a later time if you still want to use upcoming Beta versions), so open the Settings app, go to General, scroll down to the Profile section and click it. Then, remove the iOS Beta profile by pressing the red "Delete Profile" button. Restoring the device and reinstalling iOS Connect your device to your personal computer, where the latest version of iTunes needs to be installed (make sure you have the latest version installed, 12.5.5 at the moment of writing). With the device connected to your PC, enter DFU mode. Entering DFU Mode is as simple as pressing and holding both the Power and Home buttons on your device until you see the Apple logo on the screen. Release the Power button but keep holding the Home one until the "Connect to iTunes" logo appears. iTunes will soon offer you the option to "Restore and Update" the device. Click the "Restore and Update" button and the application will tell you that iOS 10.2.1 is available. Click OK and let it download the update. Once iTunes completes downloading iOS 10.2.1 from Apple's servers, it will soon begin installing it on your device. You don't have to do anything at this point, just don't touch anything and make sure your computer has enough battery or that it's plugged in. Reset and erase the device to restore it from a backup Just before iOS 10.2.1 finishes installing, iTunes will display a message saying "Congratulations, your iPhone has been unlocked. To set up and sync this iPhone, click Continue." Click the "Continue" button and iTunes will immediately detect your device. At this point, you need to set up your device by pressing the Home button. Choose your preferred language and region. On the next screen, you'll have to connect to your Wi-Fi network. Then, enable the location services, or simply don't. It doesn't matter, because we're going to reset and erase the device anyway, so there's no need to set up Touch ID now. When you reach the home screen, open the Settings app, go to the Reset section and press on "Erase All Content and Settings." Erase your device, which will bring you to the setup screen again. So, this time, make sure that you set up everything correctly, including Touch ID, location services, etc., and, after entering your Apple ID, you can finally choose to restore from a backup. Select the restore method you want (we prefer the iCloud backup) and let your device restore the backup, which can take a few good minutes. Once everything is restored, you can unlock your device and access the home screen. Most of the apps will continue to download and install in the background, so you'll have to wait a little longer for everthing to be exactly like it was before you've started all this. Congratulations, you refreshed your device and have the final iOS 10.2.1 installed, too. Source
  5. Mozilla: The Internet Is Unhealthy And Urgently Needs Your Help Mozilla argues that the internet's decentralized design is under threat by a few key players, including Google, Facebook, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce, and search. Can the internet as we know it survive the many efforts to dominate and control it, asks Firefox maker Mozilla. Much of the internet is in a perilous state, and we, its citizens, all need to help save it, says Mark Surman, executive director of Firefox maker the Mozilla Foundation. We may be in awe of the web's rise over the past 30 years, but Surman highlights numerous signs that the internet is dangerously unhealthy, from last year's Mirai botnet attacks, to market concentration, government surveillance and censorship, data breaches, and policies that smother innovation. "I wonder whether this precious public resource can remain safe, secure and dependable. Can it survive?" Surman asks. "These questions are even more critical now that we move into an age where the internet starts to wrap around us, quite literally," he adds, pointing to the Internet of Things, autonomous systems, and artificial intelligence. In this world, we don't use a computer, "we live inside it", he adds. "How [the internet] works -- and whether it's healthy -- has a direct impact on our happiness, our privacy, our pocketbooks, our economies and democracies." Surman's call to action coincides with nonprofit Mozilla's first 'prototype' of the Internet Health Report, which looks at healthy and unhealthy trends that are shaping the internet. Its five key areas include open innovation, digital inclusion, decentralization, privacy and security, and web literacy. Mozilla will launch the first report after October, once it has incorporated feedback on the prototype. That there are over 1.1 billion websites today, running on mostly open-source software, is a positive sign for open innovation. However, Mozilla says the internet is "constantly dodging bullets" from bad policy, such as outdated copyright laws, secretly negotiated trade agreements, and restrictive digital-rights management. Similarly, while mobile has helped put more than three billion people online today, there were 56 internet shutdowns last year, up from 15 shutdowns in 2015, it notes. Mozilla fears the internet's decentralized design, while flourishing and protected by laws, is under threat by a few key players, including Facebook, Google, Apple, Tencent, Alibaba and Amazon, monopolizing messaging, commerce and search. "While these companies provide hugely valuable services to billions of people, they are also consolidating control over human communication and wealth at a level never before seen in history," it says. Mozilla approves of the wider adoption of encryption today on the web and in communications but highlights the emergence of new surveillance laws, such as the UK's so-called Snooper's Charter. It also cites as a concern the Mirai malware behind last year's DDoS attacks, which abused unsecured webcams and other IoT devices, and is calling for safety standards, rules and accountability measures. The report also draws attention to the policy focus on web literacy in the context of learning how to code or use a computer, which ignores other literacy skills, such as the ability to spot fake news, and separate ads from search results. Source Alternate Source - 1: Mozilla’s First Internet Health Report Tackles Security, Privacy Alternate Source - 2: Mozilla Wants Infosec Activism To Be The Next Green Movement
  6. PhoneClean 4 - Full Version - 1 Year[365 Days] Promo by iMobile Overview: Enjoy a cleaner, faster and better iPhone, in almost every way By bringing you the hands-free cleaning, in-depth privacy protection, ultimate speed-up and an array of innovative iOS maintaining features, PhoneClean 4 comes to elevate your iPhone, iPad experience, even at a whole new scale. More Info: Product Homepage Links: Offer: https://www.imobie.de/promotion/2016-weihnachtsgiveaway.htm Note: Limited Period Offer. Page in German. Translated Page here. Current Status: Open. Steps: Visit the offer page link above. Enter name and email in the required fields. Click on "Gratis holen " or "Free get" Check email for license key. Downloads: https://dl.imobie.com/phoneclean-setup.exe More Advent Kalender Giveaways:
  7. Like many loyal Apple customers, I’m greatly disappointed by the 2016 MacBook Pro upgrades, especially for the 15″. Here are the most important reasons not to upgrade at this time: Expensive, the base cost is $2,399, an increase of $400 from before. No low end version of the 15″ MacBook Pro. The lower cost 15″ at $1,999 is more than a year old and only moderately faster than my 2013 laptop. iPhones can’t connect to the MacBook Pro without yet another dongle Performance improvement for common tasks is incremental, not worth the price increase The critically important magnetic, break-free MagSafe adaptor is gone The built-in SD card slot is gone so you’ll need a peripheral to upload camera photos The headphone jack won’t work with your new lightning-based iPhone 7 headphones A lot of developers are frustrated that the memory limit remains at 16 GB due to battery life issues No USB 3 ports: external hard drives, thumb drives et al. now require a dongle Reduced key press like on the MacBook No power extension cable like they’ve always had Space gray is for Windows laptops The positives just don’t outweigh all the above negatives. Michael Tsai has the best rundown of developer frustration I’ve read (via Daring Fireball). Source:: http://jeffreifman.com/2016/11/02/reasons-not-buy-new-macbook-pro/
  8. Alongside its 4K counterpart Apple is reducing the price of its new 5K LG UltraFine Display by more than 25 percent as part of an effort to ease the transition to its new line of MacBook Pros. The special promotion, which amounts to a $349 price cut for the $1,299.95 monitor, brings the product’s price under $1,000. The company is also reducing the price on the 4K version from $699.95 to $524. Both products, designed in partnership between Apple and LG, are available on Apple’s online store, with the 4K model available now and the 5K model going on sale next month. In addition to these display promotions, Apple is temporarily reducing the cost of its many USB-C adapters now that the new MacBook Pro only contains Thunderbolt 3 ports. In a statement, the company said it recognized that many professionals rely on legacy ports and older devices, and that the price cuts would stay in effect until the end of the year. “We recognize that many users, especially pros, rely on legacy connectors to get work done today and they face a transition. We want to help them move to the latest technology and peripherals, as well as accelerate the growth of this new ecosystem,” Apple said. “Through the end of the year, we are reducing prices on all USB-C and Thunderbolt 3 peripherals we sell, as well as the prices on Apple's USB-C adapters and cables.” - Via: MacRumors - Original Source: Apple.com Source: http://www.theverge.com/2016/11/4/13527590/apple-lg-ultrafine-5k-display-price-cut
  9. More Information here: https://support.apple.com/en-us/HT201222 Name and information link Available for Release date iTunes 12.5.2 for Windows Windows 7 and later 27 Oct 2016 iCloud for Windows 6.0.1 Windows 7 and later 27 Oct 2016 Xcode 8.1 OS X El Capitan v10.11.5 and later 27 Oct 2016
  10. Yesterday Apple released updates for macOS, iOS, Safari, tvOS, and watchOS to fix a variety of security holes as well as to introduce new features. With these releases, Apple fixed 26 vulnerabilities, with over 10 allow code execution. Code execution is the most critical of security vulnerabilities as it would allow an attacker to execute almost any command they wish on the affected device. For a full list of vulnerabilities for each Apple product, you can consult the table below. Name and information link Available for Amount of Security Updates Release date watchOS 3.1 All Apple Watch models 8 24 Oct 2016 tvOS 10.0.1 Apple TV (4th generation) 12 24 Oct 2016 Safari 10.0.1 OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12 3 24 Oct 2016 macOS Sierra 10.12.1 OS X Yosemite v10.10.5, OS X El Capitan v10.11.6, and macOS Sierra 10.12 18 24 Oct 2016 iOS 10.1 iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later 13 24 Oct 2016 Once again, due to the critical nature of some of these vulnerabilities, it is strongly advised that you upgrade your Apple devices as soon as possible. Article source
  11. Starts pushing 4.8GB upgrade to eligible Macs today; users still have to authorize install Apple today began automatically downloading macOS Sierra to Macs that have yet to upgrade to the new operating system, taking a step that rival Microsoft was criticized for last year. Although the upgrade to macOS 10.12 will automatically download to eligible Macs, it will not automatically install. Instead, users must authorize the upgrade after being notified that it has been retrieved and is ready to install. Users may also decline the upgrade at that same notification. This marks a change from past practice for the Mac's operating system, formerly dubbed "OS X" but now labeled "macOS." "On Mac [automatic downloading] has been available for all software except major releases until today [emphasis added]," an Apple spokeswoman said today via email. Previously, step updates -- those identified, for instance, as 10.11.4 -- were automatically downloaded to appropriate Macs. But what the Apple spokeswoman called "major releases," the now-annual upgrades, had not been automatically pushed to Macs. Jim Dalrymple, who blogs at The Loop, first reported on the download change earlier today. Computerworld confirmed Dalrymple's account with Apple. The auto-download of Sierra puts macOS on equal footing with other operating systems from the Cupertino, Calif. company. Both iOS and tvOS automatically download major upgrades to devices. An iPhone, for example, will eventually retrieve updates and upgrades without additional authorization, even if the user has repeatedly postponed downloads through the nag-like alerts. Sierra will auto-download to Macs running 10.11.5 or 10.11.6, the last two updates to OS X Yosemite, said Apple, assuming the systems' users have left the settings in the App Store section of Preferences unchanged from their defaults. Those out-of-the-box settings include enabling of automatic downloads; the pertinent line in the App Store's options reads "Download newly available updates in the background." Apple has taken steps to reduce possible criticism of the change: The Sierra upgrade -- which tips the scales at 4.8GB -- will not auto-download to a Mac short of storage space. And if the Mac's storage shrinks sufficiently before Sierra is installed but after the upgrade has downloaded, the file will be automatically deleted. Microsoft made a similar change to its decades-old upgrade and update practices last year with Windows 10. As the July 2015 launch approached, Microsoft automatically downloaded the Windows 10 upgrade to Windows 7 and Windows 8.1 machines whose owners had "reserved" a copy via an auto-installed app. Weeks later, Microsoft went even further, automatically downloading the Windows 10 upgrade to devices whose owners had not expressed any interest in the new OS. The change upset some users, who complained that the unsolicited downloads caused them to exceed their Internet providers' data caps or seized storage space without their consent. A support document that was revamped on Friday to account for Sierra's auto-download made mention of one way that Apple figured to pre-empt bandwidth-theft critics. "Large automatic downloads don't occur when your Mac is using a Personal Hotspot," the document stated, referring to the feature that lets a Mac access the Internet using an iPhone's cellular modem. Macs running Yosemite 10.11.5 and later, with the 'Download newly available updates in the background' item checked, will be served the Sierra upgrade as an automatic download. Source: http://www.computerworld.com/article/3126885/apple-mac/apple-adopts-windows-10-tactic-to-auto-download-sierra-to-macs.html
  12. After an upcoming update MacOS and iOS will not trust new certificates issued by WoSign Following a Mozilla-led investigation that found multiple problems in the SSL certificate issuance process of WoSign, a China-based certificate authority, Apple will make modifications to the iOS and macOS to block future certificates issued by the company. Although there is no WoSign root certificate in Apple's trusted certificate store, a WoSign intermediate CA certificate is cross-signed by two other CAs that Apple trusts: StartCom and Comodo. This means that until now Apple products have automatically trusted certificates issued through the WoSign intermediate CA. Because WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA, "we are taking action to protect users in an upcoming security update," Apple said in support notes for both iOS and macOS. "Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA." The ban is only for future certificates issued by WoSign and not for those that have already been issued and published to public Certificate Transparency (CT) log servers by Sept. 19. Those existing certificates will continue to be trusted until they expire, are revoked, or Apple decides to ban them at a later date. This is similar to the decision that Mozilla's CA team is considering after discovering multiple problems at WoSign, including mis-issuing of certificates and a strong suspicion, backed by evidence, that the CA issued SHA-1-signed certificates after Jan. 1 and then back-dated them in violation of industry rules. "Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," the Mozilla team said in a detailed analysis of the incidents. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly-issued certificates issued by either of these two CA brands." The inclusion of StartCom, an Israel-based CA, in this decision is due to the fact that WoSign silently acquired StartCom in November 2015. Although WoSign said in September that the two companies are operated and managed independently, there is evidence that StartCom has been using WoSign's certificate-issuing infrastructure and processes. In its own analysis and response, WoSign claims that only 8 SHA-1 certificates have been incorrectly issued after the SHA-1 cutoff date of Jan. 1, 2016, and that those incidents were the result of a bug in its system and API. "WoSign remains committed to continually evolve our technology, processes, and offerings to help keep our customers and the Internet safe," said in its final report after the investigation. "We believe that the steps we have taken will ensure that this type of incident never happens again, and we believe that full support for CT is our commitment of supervision." Source: http://www.infoworld.com/article/3127132/security/after-mozilla-inquiry-apple-untrusts-chinese-certificate-authority.html
  13. When a user sends someone a message through Apple’s iMessage feature, Apple encrypts that message between Apple devices so that only the sender and recipient can read its contents. But a Wednesday report from news site the Intercept is a good reminder that not all data related to iMessage has that same level of protection -- and that information can still be turned over to law enforcement authorities. That may be surprising to everyday users who view Apple as a privacy champion after it's legal battle with the Justice Department this year over a court order that would force the company to break its own security measures. But to experts, it's just a fact of how communication systems work. For instance, as security expert and noted iPhone hacker Will Strafach notes, Apple needs to know things such as whom you're chatting with via iMessage so that it can deliver your messages. According to a document obtained by the Intercept, Apple logs information about whom you're contacting in iMessage while the app figures out if the person you are texting is also using an iOS device. If they are using iOS, the message gets encrypted and routed through iMessage, which is signaled by blue chat bubbles. If the recipient is not using an Apple device, the message gets routed as a standard text without that extra layer of encryption, and messages appear in green bubbles in the iMessage app. According to the document, which the Intercept says originated "from within the Florida Department of Law Enforcement’s Electronic Surveillance Support Team," these logs don’t necessarily show that you messaged someone. Instead, they show when you opened up a chat window and selected the contact or entered a phone number. Apple says those logs are wiped every 30 days. But because that data exists at all, police can use court orders to force the company to hand it over. And, as the Intercept notes, in ongoing investigations it's possible to extend court orders to get new data, which would allow law enforcement to build a record that goes beyond just 30 days. "When law enforcement presents us with a valid subpoena or court order, we provide the requested information if it is in our possession," Apple told The Washington Post in a statement. "In some cases, we are able to provide data from server logs that are generated from customers accessing certain apps on their devices." Apple emphasized that because iMessages are encrypted, the company is not able to give police access to the content of conversations. Nor do the message logs "prove that any communication actually took place." All of this seems consistent with Apple’s legal process guide, which notes that information about your contacts is among the data it may turn over to investigators when served with a court order or subpoena. Of course, metadata can still be incredibly revealing, especially when analyzed over time: Knowing whom you're messaging (or even thinking about messaging) can reveal who's in your social network or expose personal data. For instance, if you’re regularly sending text messages to a suicide crisis line someone reviewing your log could assume that you’re having a serious mental health crisis. That type of privacy concern is among the reasons why civil liberties advocates pushed back so hard on the now defunct National Security Agency program that allowed the government to collect bulk metadata about Americans' phone calls, including the numbers they dialed and duration of calls. The Intercept also raised another issue about the logs: They appear to contain IP addresses, which can be used to determine a user's general location. Revealing that information, the Intercept argues, seems to run counter to a statement Apple made in the wake of Edward Snowden’s revelations about the extent of the NSA’s spying powers. “[W]e do not store data related to customers’ location, Map searches or Siri requests in any identifiable form,” Apple said in the June 2013 statement. But it’s worth noting that the geolocation information that can be determined by IP addresses is typically less specific than what you’d get from GPS data or from looking up a specific address. And Apple’s legal process guide also notes that IP addresses are among the information that police can request with a court order or subpoena. Source: https://www.washingtonpost.com/news/the-switch/wp/2016/09/30/why-apple-can-be-forced-to-turn-logs-of-your-imessage-contacts-over-to-police/
  14. A friend has a imac with a 1TB hDD with only 60ish of space used. Normally if this was a NTFS (Win) drive Macrium Reflect would clone it if that space used would fit on the new drive, but it reads the partitions as though they are full and of course it won't clone. How do I go about this asides from using Disk Utility or a fresh install and Migration Assistant.
  15. Why Real Hackers Prefer Linux Over Windows And Mac Why do hackers prefer Linux over Mac, Windows, and other operating systems? We have published many tutorials for hackers and security researchers. You may have noticed that most tutorials are based on Linux operating systems. Even the hacking tools out there are based on Linux barring a few which are written for Windows and Mac. The moot question here is that why do hackers prefer Linux over Mac or Windows? Today we look at the reason why hackers always prefer Linux over Mac, Windows, and other operating systems. You may have your own reasons for choosing Linux but what do hackers really look forward to while working with Linux. Reason #1: Command line interface vs graphical user interface Linux was designed around a strong and highly integrated command line interface. Windows and Mac don’t have that. This grants hackers and Linux far greater access and control over their system and awesome customization. This is the reason that most hacking and pentesting tools are built into Linux have greater functionality above and beyond their windows counterparts. In contrast, Windows was built around the graphic user interface (GUI). This restrict user interaction to point-and-click navigation (slower) and application/system menu options for configuration. Windows has a command line structure, such as command prompt and Power Shell, however, these don’t give hackers/developers the complete functionality and integration compared with Linux. This hampers their work as hacking is usually going beyond the well-defined command lines. This is the reason that though hacking tools like Metasploit or nmap are ported for Windows, they don’t have capabilities like Linux. Compared to Windows, Linux is more granular. That means Linux gives users infinite amount of control over the system. In Windows, you only can control what Microsoft allows you to control. In Linux, everything can be controlled by the terminal in the most miniscule to the most macro level. In addition, Linux makes scripting in any of the scripting languages simple and effective. Reason #2: Linux is lighter and more portable This is arguably the best reason for choosing Linux over Mac and Windows. Hackers can easily create customized live boot disks and drives from any Linux distribution that they want. The installation is quick and its light on resources. To memory, I can only think of one program that lets you create Windows live disks and it wasn’t nearly as light or as quick to install. Linux is made even lighter as many distros are specifically customised as light-weight distros. You can read about the top lightweight Linux distros here. Reason #3: Linux is typically more secure Ask a pro hacker or security researcher which operating system is the most secure of them all, and perhaps 101 out 100 will unflinchingly swear by Linux. Windows is popular because of its reach among average users and popularity amongst programmers because it is more profitable to write a program for Windows. In more recent years, popularity has grown for UNIX based operating systems such as Mac OS, Android, and Linux. As a result, these platforms have become more profitable targets for attackers. Still, Linux is a great deal more secure than Windows and Mac out of the box. Reason #4: Linux is pretty much universal Just about everything runs some form of UNIX (Internet of Things, routers, web-servers, etc.). Doesn’t it make sense that you would target those systems from a device running the same platform? After all, the goal is to make things easier on yourself. You don’t want to worry about compatibility problems. Reson #5: Linux Is Open Source Unlike Windows or Mac, Linux is open source. What that means for us is that the source code of the operating system is available to us. As such, we can change and manipulate it as we please. If you are trying to make a system operate in ways it was not intended, being able to manipulate the source code is essential. Think of it this way. Could you imagine Microsoft giving us a plug-in/MMC or whatever to manipulate or change the kernel of Windows for hacking? Of course NOT! Reason #6: Linux Is Transparent To hack effectively, you must know and understand your operating system and to a large extent, the operating system you are attacking. Linux is totally transparent, meaning we can see and manipulate all its working parts. Not so with Windows. Actually, the opposite is true. Microsoft engineers work hard to make it impossible for users or hackers to find the inner workings of their operating system. On Windows, you are actually working with what Microsoft has given you rather that what you want. Here Linux differs philosophically from Microsoft. Linux was developed as an operating system to give users more control over it rather than make them do what the developers want. Summary : Linux vs Windows and Mac You have to understand that hackers and security researcher are here to make money. Hackers hack platforms that are profitable. Windows has been the preferred choice within enterprise environments and with the average consumer. It’s the preferred choice for developers (apple licensing costs and restrictions), which is why Windows is so compatible. Apple has been too expensive for consumers and Linux is frankly not that user-friendly (buggy, lack of GUI, etc.). You don’t have an average Joe just switching on a Linux PC/laptop and doing what he wants. However, this is changing. With the arrival of Android smartphones, there has been a paradigm shift in user’s preferences. As more users switch to Mac/iOS and Android/Linux, attackers will shift to targeting these platforms. With Internet of Things predicted to the next game-changer in tech, Linux will emerge as a formidable challenger to Microsoft’s Windows or Apple’s Mac. As of today, most Internet of Things connected devices are powered by Linux and given the transparency and control available in Linux, it will remain so. Hacking isn’t for the uninitiated. Hacking is an elite profession among the IT field. As such, it requires an extensive and detailed understanding of IT concepts and technologies. At the most fundamental level, Linux is a requirement for hackers and security researchers. Source
  16. Apple’s Newly Released iOS 10 Has Hardcore Porn Hiding In It (NSFW) iOS 10 has actual hardcore porn GIFs in iMessage You couldn’t have expected this from Apple. Its newly released iOS 10 operating system seems to be hiding real porn inside. iOS 10 has a new GIF search feature to help iPhone users post GIFs directly into iMessage. But somehow, hardcore porn seems to be baked into the same. If you type the word “butt” into iOS 10’s new, baked-in GIF search, it leads you to a certain My Little Pony in a fairly compromised position. The issue was first noticed by Deadspin who noted down in a blogpost. Deadspin says that Apple immediately fixed the butt search issue but the iOS 10 Porn problem persists. For example, if you type in “huge” into the new GIF feature, and you’ll find an unpixelated version of this: It seems that the Apple engineers have somehow baked in NSFW hardcore porn into iOS 10’s new messaging App. Another woman emailed The Verge explaining a similarly embarrassing situation. She said that her eight-year-old daughter while trying to send a message to her dad, was presented with “a very explicit image” of “a woman giving oral sex to a well-endowed male.” Her daughter had also searched for “huge”and got the image shown above. The lady, Tassie Bethany was contacted over the phone by Verge and she told them, “I see the image come up like, holy shit, whoa whoa whoa, that’s a hardcore porn image.” “I grabbed the phone from her immediately. She typed in the word ‘huge,’ which isn’t sexual in any nature. It’s just a word, not like butt or anything else,” she added. Apple has been particularly strict with sexual content up to now but it seems to have slipped up with the new GIF search built into iMessage in iOS 10. It’s quite usual for any search to throw up NSFW results if you search for words like “boobs” and “penis” and “butt, ” but it’s a real problem for porn to slip through for an otherwise normal term like “huge.” Other iOS 10 users have also reported seeing NSFW images but not something as explicit as the result for “huge.” Apple is still to respond to the iOS 10 porn search issue, however, it fixed the “butt” issue within 10 hours after Deadspin’s blogpost while searches for “huge” have already been banned. Bethany says her daughter is fine — “she had no idea” — but she’s concerned about the possibility of other kids being accidentally exposed to porn through what’s supposed to be a goofy feature. “My daughter uses it because there’s cartoons and fart jokes, that kind of stuff,” she told Verge. “That’s hardcore porn. People making out she might see on ABC. That’s something that could potentially be pretty traumatizing for a small child.” It looks like Apple has a big big porn problem in its hands. Source
  17. Trend Micro Offers $250K to Hack iPhone in Pwn2Own Contest A new iteration of the P2wn2Own mobile hacking contest takes aim at iOS and Android. The mobile Pwn2Own hacking contest is back for 2016, this time offering top prize of $250,000 to any security researcher who forces an Apple iPhone to unlock. The Pwn2Own contest has undergone a bit of a transition as Hewlett Packard Enterprise sold the Zero Day Initiative (ZDI) group that sponsors the event to Trend Micro earlier this year. The browser edition of the Pwn2Own event was held in March and was jointly sponsored by HPE and Trend Micro. The mobile Pwn2Own 2016 contest being held next month will be the first time a Pwn2Own event doesn't benefit from HPE sponsorship. "To us, it's still Pwn2Own," Brian Gorenc, senior manager of vulnerability research at Trend Micro, told eWEEK. "We always hope each contest brings us something new we haven't seen before, but if you've seen the contest, it should look very familiar." During the 2016 Pwn2Own browser event, which was held at the CanSecWest conference in Vancouver, ZDI awarded a total of $460,000 in prize money to researchers for publicly demonstrating new zero-day exploits in web browsers. The mobile Pwn2Own event will be held Oct. 26-27 at the PacSec Security Conference in Tokyo, and the total available prize pool is set to top $500,000. For the 2016 mobile event, ZDI is asking researchers to target three specific mobile devices: the Apple iPhone 6x, the Google Nexus 6p and the Samsung Galaxy Note7. Across all of the targeted devices, ZDI is tasking researchers with a number of challenges. The first is to obtain sensitive information from a device. ZDI is awarding $50,000 to those who exploit a device to get access to sensitive information on the iPhone or the Google Nexus. A researcher who is able to get sensitive information off a Galaxy will be awarded $35,000. Another challenge at mobile Pwn2Own 2016 is to install a rogue application on a targeted device. A $125,000 prize will be awarded for the installation of a rogue app on the iPhone; on the Google Nexus, the reward is $100,000; and on the Samsung Galaxy, $60,000. "Each phone will be running the latest operating system available at the time of the contest, and all available patches will also be applied," Gorenc said. "This can lead to some late nights as ZDI researchers update phones in the days leading up to the contest, but we feel it's best to have the latest and greatest targeted." Gorenc said all of the targeted devices will be in their default configuration. On iOS, that means Pwn2Own contestants must target Safari, as this is the default browser and most common, realistic scenario for users of that device. In the past, Pwn2Own contestants have demonstrated many WebKit browser rendering engine related vulnerabilities. WebKit is the core rendering engine behind Safari and has many components that are also used in Google's Chrome. "The threat landscape shifts so much from contest to contest that it's hard to predict what component will be targeted," he said. "WebKit will likely make an appearance, but we're hoping to see some new techniques and research as well." For the installation of the rogue application, Gorenc said that ZDI has no requirements for the app. "We will leave it up to the contestant to express their creativity during the public demonstration," he said. iPhone Unlock The biggest single prize at the mobile Pwn2Own 2016 event goes to the researcher who is able to successfully force an iPhone to unlock. The challenge of unlocking an iPhone has been a hot topic in recent months. The FBI reportedly paid as much as $1.3 million to bypass the iPhone lock screen. And Apple started its own bug bounty program, with a $200,000 prize, while security firm Exodus Intelligence will pay a top prize of $500,000 for an iOS zero-day flaw. Gorenc believes offering $250,000 for an iPhone unlock exploit is a good size prize. "We feel this amount is not a bad payday for what will clearly be a significant amount of research needed to accomplish this hack," he said. "Along with the money, the researcher will get the recognition that comes with winning Pwn2Own." In the end, Gorenc said, it's the marketplace that will let ZDI know if $250,000 is a fair price; he's optimistic that someone will actually attempt to publicly force an iPhone to unlock. "Finally, by reporting this through ZDI, the bugs will actually get fixed by the vendor," Gorenc said. "That's better than some of the alternatives." Source
  18. Microsoft is fighting the US Justice Department in an attempt to quash a law that prevents companies informing customers that the government is requesting their data. The technology giant has the backing of other tech companies as well as media outlets. Amazon, Apple, Google, Fox News, Electronic Frontier Foundation and Mozilla are among those offering their support to Microsoft. The lawsuit says that blocking companies from keeping their customers informed is unconstitutional, and it comes at a time when tech companies in particular are keen to be as open and transparent as possible about government requests for data. Legal experts say that the Fourth Amendment should offer protection against "unreasonable searches", including searches of electronic data stored in the cloud. As EFF Senior Staff Attorney Lee Tien puts it: "Whether the government has a warrant to rifle through our mail, safety deposit boxes, or emails stored in the cloud, it must notify people about the searches. When electronic searches are done in secret, we lose our right to challenge the legality of law enforcement invasions of privacy. The Fourth Amendment doesn't allow that, and it's time for the government to step up and respect the Constitution". The EFF is lending its support to Microsoft because the subject is something very close to its heart. EFF Staff Attorney Sophia Cope says: When people kept personal letters in a desk drawer at home, they knew if that information was about to be searched because the police had to knock on their door and show a warrant. The fact that today our private emails are kept on a server maintained by an Internet company doesn’t change the government's obligations under the Fourth Amendment. The Constitution requires law enforcement to tell people they are the target of a search, which enables them to vindicate their rights and provides a free society with a crucial means of government accountability. Another company to throw its support behind the legal battle is Mozilla. The company explains its reasons for backing Microsoft in a blog post: Mozilla today is joining a coalition of technology companies, including Apple, Lithium, and Twilio, in filing an amicus brief in support of Microsoft’s case against indiscriminate use of gag orders. Such orders prevent companies from notifying users about government requests for their data. Transparency is the core pillar for everything we do at Mozilla. It is foundational to how we build our products, with an open code base that anybody can inspect, and is critical to our vision of an open, trusted, secure web that places users in control of their experience online. Our reform efforts in the areas of vulnerability disclosure and government surveillance are also centered on the transparency ideal. And transparency -- or more appropriately the lack thereof -- is why we care about this case. When requesting user data, these gag orders are sometimes issued without the government demonstrating why the gag order is necessary. Worse yet, the government often issues indefinite orders that prevent companies from notifying users even years later, long after everyone would agree the gag order is no longer needed. These actions needlessly sacrifice transparency without justification. That’s foolish and unacceptable. We have yet to receive a gag order that would prevent us from notifying a user about a request for data. Nonetheless, we believe it is wrong for the government to indefinitely delay a company from providing user notice. We said this when we released our transparency report in May, and we said then that we would take steps to enforce this belief. That is just what we've done today. Article source
  19. Google Just Agreed to Pay $5.5 Million to Settle Claims It Hacked Apple's Browser But consumers get none of the money. Google agreed to a settlement on Monday that could finally end the legal fall-out from a scheme by the search giant to circumvent privacy settings on Apple’s Safari browser. The tactic, discovered by security researchers in 2012, involved Google tricking consumers’ browsers into accepting ad-tracking software. Under the terms of the proposed settlement, filed in Delaware federal court, Google (GOOG v -0.05%) will pay $5.5 million to resolve a long-running class action lawsuit—but affected consumers will see none of that money. Instead, some of the cash will go to legal fees and settlement expenses while the rest will go to a handful of privacy groups. (You can read a copy of the settlement here.) The deal will also permit Google to deny any fault over the browser hacking, which caused a major controversy when it was discovered, and raised questions about the extent to which tech companies track consumers’ online behavior. The hack itself involved a default setting on Apple’s (AAPL ^ 0.19%) desktop and mobile Safari browser that rejected so-called “cookies”—small bits of software code that keep track of the websites a consumers visits in order to serve them ads. Google got around the setting by disguising their cookies in a way that qualified for a loophole in the Safari settings. (You can read a technical explanation here.) After Google’s practice came to light, the company agreed to pay $17 million to state attorneys general over privacy violations, and another $22.5 million to the Federal Trade Commission for violating the terms of an earlier settlement. In both cases, Google denied any wrong-doing—an outcome an FTC Commissioner then described as “inexplicable.” The effect of Monday’s deal is that it could put an end to the related class action litigation, which has bounced around the courts for years. Last year, the Third Circuit Court of Appeals revived parts of a case a lower court judge had dismissed, leading the parties to ask Supreme Court earlier this year to review parts of the appeal. The proposed settlement, however, must be approved by a judge and that outcome is not a sure thing. While judges are typically quick to bless class action settlements, some have decided to reject arrangements—like the one involving Google—in which the settlement money is paid to outside groups rather than consumers. Google declined to comment about the settlement, and lawyers for the plaintiffs did not respond to a request for comment. News of the settlement came in June, but its details were only filed this week. Source
  20. Apple facing record bill for Irish tax Apple could be ordered to pay billions of euros in back taxes in the Republic of Ireland by European Union competition officials. The final ruling, expected on Tuesday, follows a three-year probe into Apple's Irish tax affairs, which the EU has previously identified as illegal. The Financial Times reports that the bill will be for billions of euros, making it Europe's biggest tax penalty. Apple and the Irish government are likely to appeal against the ruling. Under EU law, national tax authorities are not allowed to give tax benefits to selected companies - which the EU would consider to be illegal state aid. According to EU authorities, rulings made by the Irish government in 1991 and 2007 allowed Apple to minimise its tax bill in Ireland. EU competition chief Margrethe Vestager is leading the probe into Apple's tax affairs BBC North America technology reporter Dave Lee says that the US Treasury is concerned that if there is a big EU tax bill for Apple, as expected, then Apple will offset at least some of that against the tax it would be paying in the US. "So it's essentially shifting billions of dollars from the US economy, from the US tax-pot, into Europe. The US says Europe simply doesn't deserve that money, because all the hard work that goes into creating the iPhone and other Apple products... takes place in the US, and not in Europe." Apple is not the only company that has been targeted for securing favourable tax deals in the European Union. Last year, the commission told the Netherlands to recover as much as €30m (£25.6m) from Starbucks and Luxembourg was ordered to claw back a similar amount from Fiat. Apple is potentially facing a much bigger bill, but with cash reserves of more than $200bn (£153bn), the company will have little problem paying up. Nevertheless, Apple may have to restate its accounts following the ruling. Apple currently has a stock market value of around $600bn Analysis: Dominic O'Connell, Today business presenter The current focus is on the size of the bill - how much the European Commission thinks Apple should pay Ireland in back taxes. That will be big enough, but there are even larger issues at stake, including one fundamental question - who really runs the world, governments or giant corporations? At present, it is difficult to tell. Individual governments appear impotent in their attempts to apply their tax laws to multinationals like Apple. They have systems designed to deal with the movement and sale of physical goods, systems that are useless when companies derive their profits from the sale of services and the exploitation of intellectual property. In Apple's case, 90% of its foreign profits are legally channelled to Ireland, and then to subsidiaries which have no tax residence. At the same time, countries can scarcely afford not to co-operate when Apple comes calling; it has a stock market value of $600bn, and the attraction of the jobs it can create and the extra inward investment its favours can bring are too much for most politicians to resist. There is an echo here of the tycoons of the early 20th Century who bestrode America. Andrew Carnegie, Cornelius Vanderbilt and John Rockefeller were judged so powerful that they were almost above the law, something that successive US administrations sought to curb. The European Commission's attempt to bring Apple to heel is on the surface about tax, but in the end about the power of the multinational and the power of the state. There is more to come; Margarethe Vestager, the Danish commissioner who is leading the charge against Apple, is warming up to take on Google. Europe versus the giants of corporate America will be a battle royale, and one that will run and run. http://www.bbc.com/news/business-37216176
  21. Spyware Sold to Governments Behind Recent iOS Zero-Days Apple fixes three zero-days used by Pegasus spyware According to the two organizations, the zero-days were part of a software suite called Pegasus, developed and sold by Israeli company NSO Group to governments around the world, which deployed it against targets of interest. Pegasus, described as surveillance software developed for law enforcement agencies, is nothing different from spyware developed and sold on underground hacking forums. Governments, security vendors, and news agencies knew of Pegasus and NSO's existence for many years, but the company has always been outshined by its more powerful competitors, Gamma Group, which sells FinFisher, and HackingTeam which sells the RCS surveillance package. Apple patched zero-days that enabled Pegasus spying features Apple released a fix today to address Pegasus features that allowed it to spy on iOS users without them ever being aware. These features were powered by three zero-days that allowed a remote attacker to compromise iOS devices by fooling a victim into accessing a malicious website. Once the zero-day exploit code was executed, the attacker would use the Pegasus software to control the victim's iPhone or iPad. According to Lookout, the attackers had full control over the device, and could exfiltrate data, listen on conversations via the microphone, detect the user's GPS position, follow IM conversations, and many more others. Zero-Day Description Exploit Capability CVE-2016-4655 Information leak in Kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing him to calculate the kernel’s location in memory. An application may be able to disclose kernel memory CVE-2016-4657 Kernel Memory corruption leads to Jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to silently jailbreak the device and install surveillance software. An application may be able to execute arbitrary code with kernel privileges CVE-2016-4658 Memory Corruption in Webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link. Visiting a maliciously crafted website may lead to arbitrary code execution "Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile," the Lookout team explained. A further, in-depth analysis of Pegasus also revealed traces of a kernel mapping table that has values that target previous iOS version, way back to iOS 7, meaning the spyware was used for years without being detected until this past month. Meet Ahmed Mansoor, the most spied on activist in the world One of the people targeted with Pegasus, and the one that detected something wrong and led to the discovery of the three zero-days, was Ahmed Mansoor, a human rights activist from the United Arab Emirates (UAE). Coincidentally, Mansoor was also targeted in the past with both FinFinsher and RCS spyware. As such, he was able to quickly recognize a phishing lure he received via SMS, which promised new details about torture practices in the UAE. Mansoor forwarded the SMS messages to Citizen Lab, an investigative interdisciplinary laboratory at the Munk School of Global Affairs at the University of Toronto, Canada, specialized in political cyber-espionage. Pegasus software also sold to Mexico and Kenya Recognizing the sophisticated campaign behind this SMS message, Citizen Lab brought in Lookout to investigate the technical side of the attack. Lookout discovered the three zero-days, while Citizen Lab connected the zero-days to the Pegasus software and the NSO Group, an Israeli company bought by US firm Francisco Partners in 2014. Citizen Lab tracked down the Pegasus software and discovered export licenses for various governments. The organization tied NSO's Pegasus suite used against a Mexican journalist who uncovered corruption by Mexico's President, and a few attacks against unknown targets in Kenya. "While these spyware tools are developed in democracies, they continue to be sold to countries with notorious records of abusive targeting of human rights defenders," the Citizen Lab team explains. "Such sales occur despite the existence of applicable export controls." Lookout provides a technical look at the three iOS zero-days fixed in iOS 9.3.5 in its report, while Citizen Lab's report focused on the morals and political background behind these recent attacks. Source
  22. Apple releases 'important security update' for iPhone after spyware discovery The patch comes after the discovery of spyware circulating in the Middle East. Apple has released a security fix for iPhones and iPads following the discovery of malware targeting the platform that was found circulating in the Middle East. The iPhone and iPad maker released the patch, iOS 9.3.5, on Thursday, calling it an "important security update". The patches fix three vulnerabilities, dubbed "Trident" by security firm Lookout, which could be used to access the device's location, read contacts, texts, calls, and emails, as well as turn on the device's microphone. The company said that spyware that exploited the vulnerabilities were developed by an Israel-based company specializing in zero-day exploits. Citizen Lab explained in a blog post that it had uncovered an operation by the security services of the United Arab Emirates to try to get into the iPhone of a renowned human rights defender, Ahmed Mansoor. The Canada-based security lab said that the UAE, which has long been criticized for its poor human rights record, could turn an affected iPhone into "a sophisticated bugging device", adding: "They would have been able to turn on his iPhone's camera and microphone to record Mansoor and anything nearby, without him being wise about it. They would have been able to log his emails and calls -- even those that are encrypted end-to-end. And, of course, they would have been able to track his precise whereabouts," said the blog post. Lookout said that the flaws included a memory corruption flaw in WebKit, which would let an attacker exploit a device when a user clicks on an affected link. Two other kernel vulnerabilities would let an attacker jailbreak the device, and then the attacker can silently install malware to carry out surveillance. Apple fixed the vulnerabilities within 10 days of being informed by Citizen Lab and Lookout. A spokesperson for Apple said in an email to ZDNet: "We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits." Users can install the update over the air through the phone or tablet's settings. Source
  23. Upcoming iPhones Could Collect Fingerprints and Photos of Thieves Apple is working on enhanced security tools Apple filed a patent application for a method of storing biometric information of an unauthorized user, so that smartphone security would be enhanced. The patent surfaced over at Patently Apple and it will apparently make it very easy for authorities to identify thieves. iPhones will be able to capture pictures and record videos of thieves, as well as collect their fingerprints. The patent states that the feature could be triggered by repeated failed attempts to unlock the device or if the phone owner enables protections using Find My iPhone feature from another device. The patent also mentions that smartphones will be able to capture more than one fingerprint, photo or video of the thief, as well as audio files, forensic interface use information and more. Apple also offers Activation Lock and Find My iPhone security features This new feature would join all other tools that Apple has for helping users find their phones. The Find My iPhone feature helps users mark their devices as lost and their locations tracked, so that they could have a strong chance at recovering them. Aside from this, Apple also offers Activation Lock feature that doesn't allow anyone to reset smartphones without the approval of the owner using their Apple ID and password. Apple also offers its users the option to remotely wipe phones in case of loss or theft or to secure information using high end encryption. One must take into consideration that smartphone manufacturers often patent various projects and ideas, but that doesn't necessarily mean that they will be implemented into future products. However, considering that this is a security feature, Apple would have all the more reasons to actually incorporate this tool into its devices. Source
  24. 'Touch Disease' Breaking Apple iPhone 6 And 6 Plus Screens -- Millions Of Devices At Risk The iPhone is a great device, but a growing number of users are reporting a problem that affects the iPhone 6 and 6 Plus. Nicknamed "Touch Disease" by repair specialists iFixit, the problem starts with a flickering gray bar at the top of the screen and reduced touch functionality. Over time the bar spreads and eventually the whole screen stops responding to touch. iFixit spoke to several repair professionals who confirmed they had seen numerous devices exhibiting the same flaw. It isn’t known how many of the millions of iPhone 6 and 6 Plus devices are affected, but Jason Villmer, owner of Missouri board repair shop STS Telecom told iFixit "This issue is widespread enough that I feel like almost every iPhone 6/6+ has a touch of it (no pun intended) and are like ticking bombs just waiting to act up". There are pages of complaints regarding the issue to be found on Apple’s support forums. Replacing the screen doesn’t fix the problem as the flaw appears to relate to the touch screen controller chips inside the device. So what’s the cause of the problem and why is it coming to light now, two years after the iPhone 6 and 6 Plus launched? One theory is it relates to Bendgate. The iPhone 6 and 6 Plus are susceptible to bending (a problem fixed in the 6s and 6s Plus) and this could be what is causing the controller chips to lose contact. The problem seems to mostly affect the iPhone 6 Plus, and that was also the phone most affected by the bending issue. The 6s and 6s Plus were strengthened, and the Touch IC chips moved from the logic board to the display assembly, which is why the problem doesn’t affect them. So how do you fix a device afflicted with "Touch Disease"? The options appear to be replacing the phone, replacing the logic board, or replacing both Touch ICs (the cheapest option). Have you experienced this problem with an iPhone 6 or 6 Plus? Source