OS X Lion security flaw allows anyone to change your password

By on September 19, 2011 at 3:25 PM.

Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command: “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. As CNET points out, a hacker could only take advantage of the known bug if he or she has local access to the computer and Directory Service access. CNET suggests disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts as some preventative measures to keep your Mac secure.

Apple to patch iPhone, iPad security hole

By on July 7, 2011 at 9:40 AM.

Apple has promised to patch a security hole found in the iPhone and iPad following a report published by Germany’s Federal Office for Information Security. Reportedly, a PDF security hole could allow hackers to gain unauthorized access to personal data — such as messages and passwords — stored on an iPhone or iPad and could “infect the mobile device with malware without the user’s knowledge.” Apple’s PR team was quick to respond to the allegations. “[Apple is] aware of this reported issue and developing a fix that will be available to customers in an upcoming software update,” Bethan Lloyd, an Apple spokesperson, told AFP on Thursday. Apple has not yet confirmed when it will push out the security update.

Passcode-stealing iPhone app banned by Apple

By on June 15, 2011 at 9:45 AM.

In a move that should surprise no one, Apple has banned the “Big Brother Camera Security” app that developer Daniel Amitay used to swipe his customers’ passcodes. BGR reported on Tuesday about an application that attempted to trick users into setting a passcode identical to the PIN used to lock their iPhones. The app then transmitted the PIN numbers in the background to the developer — albeit anonymously — who used them to publish a report covering the most commonly used iPhone passcodes. While the developer’s intentions hardly seemed malicious, there was no way Apple was going to sit back and watch while a developer published data about private PINs, even if they could not be directly tied to individual iPhone users. As such, the app has been banned from the App Store. “As of today at 4:58pm EST, Big Brother has been removed from the App Store,” Amitay wrote in a blog post. “I’m certainly not happy about it, but considering the concerns a few people have expressed regarding the transfer of data from app to my server, it is understandable.”

Sly developer reveals most common iPhone passcodes

By on June 14, 2011 at 5:45 PM.

Daniel Amitay, the iPhone developer who created the “Big Brother Camera Security” application, has released a list of the top 10 iPhone passcodes. Amitay implemented code into his last software update that allowed the application to record passwords entered by its users. Since his app’s lock and passcode screens look identical to the iPhone’s, he argues that his data reflects an iPhone user’s actual password. Of the 204,508 recorded passcodes collected, the most popular was, not surprisingly, 1234. That’s followed by 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, and 1998. Amitay says those codes represent 15% of all passwords in use. As you might expect, many of them follow simple patterns on the keyboard. “iloveyou” has always been a popular password and 5683, the No. 6 passcode on the list, can be translated into ‘LOVE’ on a standard alphanumeric keypad. Amitay also found that the numbers 1990-2000 were all in the top 50 passcodes, and 1980-1989 were all in the top 100, suggesting that many users may be entering the year of their birth or graduation. Hit the jump for another chart.

New website answers the question on all our minds: Has Sony been hacked this week?

By on June 13, 2011 at 11:45 AM.

BGR has provided extensive coverage of an ongoing saga that has seen numerous digital properties belonging to Sony fall under attack. To date, personal information belonging to well over 100 million Sony customers has been compromised, and nearly 13 million credit card numbers have been stolen. For IT professionals or other tech enthusiasts with weak stomachs, we can understand if reading one story after another about Sony’s security woes might make you a bit queasy. As such, a new site launched recently that has you covered. Hassonybeenhackedthisweek.com answers a single question for those who simply want to cut to the chase: Has Sony been hacked this week? The answer right now, by the way, is “yes.”

Sony’s PlayStation Network password reset page compromised

By on May 18, 2011 at 12:06 PM.

According to reports from numerous gaming sites, the password reset page for Sony’s PlayStation Network has been exploited. Sony built the page in an effort to allow users, whose accounts were already compromised during a major security breach last month, to reset their security credentials. However, hackers who stole the information from Sony can reset users’ passwords by knowing an account holder’s email address and birthday — information they’ve already stolen. Forum members on Nyleveia have suggested that PSN users create a new email address specifically for use with PSN. Sony has taken the website offline, and said: “Unfortunately this also means that those who are still trying to change their password via PlayStation.com or Qriocity.com will still be unable to do so for the time being.” Sounds like Sony really needs to get those new security measures in place, stat.

Firefox 4 leaked a day early, download it now

By on March 21, 2011 at 10:43 PM.

Firefox 4 has been leaked for Mac and PC a day before the company said it would be officially available. Mozilla promises the user interface in Firefox 4 is sleeker and easier to use, and it enables users to keep open tabs, bookmarks, history, and passwords in sync with other devices running a Firefox browser. Firefox 4 also has a new feature that allows you to drag and drop open tabs into groups that can be arranged and named. The leaked downloads aren’t available directly from Mozilla, so we suppose there’s still a chance the team could pull the launch date tomorrow and issue an RC2 release, but we doubt it. We won’t keep you waiting, though, so hit the jump for a link to download Firefox 4 for PC or Mac.

iPhone 5 to support portable computing using NFC

By on November 1, 2010 at 3:50 PM.

A new report from Cult of Mac suggests that Apple may have some nifty new features in store for the upcoming iPhone 5. Rumors that the iPhone 5 will utilize NFC are nothing new at this point, but this morning’s claims cover a very unique feature for the underutilized technology. The report suggests that the iPhone 5 will include a new portable computing function, allowing users to store data and settings from Mac computers on their iPhones. When a handset is waved near any other compatible NFC-equipped Mac computer, the user’s “applications, settings and data” will become available on the computer. “It will be as though they are sitting at their own machine at home or work,” the report states. In short, the feature would provide a new type of remote computing that could eliminate the need for virtual network computing (VNC) or similar technologies. This new feature is anything but confirmed for the time being, but it certainly would be a welcome addition for Mac users. What’s more, it might help give customers with aging Mac computers an extra push to upgrade to newer NFC-enabled machines.

Want Someone’s Apple ID Password? Just Ask Apple for it

By on July 8, 2008 at 9:28 AM.

Wow. Just wow. Marko Karppinen, head of a Finnish software development firm specializing in Mac software, just found himself on the wrong end of a security breach. According to his blog post from this morning, Karppinen was the victim of a complex, crafty and well-executed scheme clearly carried out by a team of unscrupulous professional hackers. The end result: Karppinen’s Apple ID account was compromised and access to personal data was established for an unknown period of time. So how did this guerrilla team pull it off? They sent the following, umm, complex malicious code to Apple via email:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

No, seriously. That’s how easy it was for some grammar-stallion to have Apple change the email account associated with Karppinen’s account and issue a reset password to the new address. Luckily the culprit wasn’t quite smart enough (surprising, we know) to change Karppinen’s security question so he was able to regain control of his account rather quickly. Well, at least no one can say Apple customer service doesn’t act fast. They responded almost immediately to the thief’s email and accommodated him without hesitation. Kudos, Apple Support!
