Tag: security


  • Apple on the wirelurker

    Apple statement regarding the wirelurker thing, via The Loop:

    We are aware of malicious software available from a download site aimed at users in China, and we’ve blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources.


  • The price of being the industry leader

    Malware targets Macs and iOS devices, delivered through a Chinese Mac app store:

    Palo Alto Networks explains that the malware has so far infected 467 applications designed for Apple’s Mac OS X operating system. It’s done that via a third-party Chinese Mac application store called the Maiyadi App Store. Over the last six months, those applications have been downloaded over 356,104 times—possibly infecting the Macs of hundreds of thousands of users.

    But the malware also appears to infect iOS devices when they’re plugged into a Mac via USB. “WireLurker monitors any iOS device connected via USB with an infected OS X computer and installs downloaded third-party applications or automatically generated malicious applications onto the device, regardless of whether it is jailbroken,” explains Palo Alto Networks. “This is the reason we call it ‘wire lurker.’”

    Read more at Gizmodo.

    This is the price of being the industry leader, being targeted by these sorts of things. The Mac has been more or less malware and virus free for so long, it was bound to change. As for iOS, it’s obviously less susceptible to malware and viruses since they’d have to get into the App Store first, but it both can and will happen. Then there are workarounds such as the one mentioned above, and if you jailbreak you need to take additional measures.


  • OneDrive and NSA

    Do you think your OneDrive files are safe from NSA and Prism? Think again. Scary stuff if true, and hopefully something Microsoft will address in the future, although I’m not holding my breath. It seems like Apple is the only cloud player that’s taking a firm stand against these sorts of things.


  • Facebook's Tor onion

    Facebook’s got a special URL for Tor browsers:

    Considerations like these have not always been reflected in Facebook’s security infrastructure, which has sometimes led to unnecessary hurdles for people who connect to Facebook using Tor. To make their experience more consistent with our goals of accessibility and security, we have begun an experiment which makes Facebook available directly over Tor network at the following URL:

    https://facebookcorewwwi.onion/

    [ NOTE: link will only work in Tor-enabled browsers ]

    Facebook’s onion address provides a way to access Facebook through Tor without losing the cryptographic protections provided by the Tor cloud.


  • Serious Drupal 7 vulnerability

    There’s a nasty Drupal security issue that, well, this is how bad it is:

    Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

    If you’re running a Drupal 7 based website, you need to read this now, and take this seriously.


  • Dropbox wasn't hacked, change your password anyway

    It might be a good idea to change your Dropbox password, because some 7 million accounts are allegedly out in the wild. Dropbox, already in trouble with the data loss snafu, says they weren’t hacked and that you shouldn’t worry, but naturally you should, and also consider turning on two-factor authentication. Better safe than sorry, after all.


  • How did the FBI find the Silk Road server, really?

    Fascinating piece on how the FBI found the Silk Road server and thus its owner, or rather, if there was foul play involved in the discovery.

    The FBI also provided the defense with the traffic logs from the Silk Road server, but Weaver didn’t like the look of those either. He suggested that the logs didn’t show the FBI getting an IP address from a leaky CAPTCHA, but a PHPMyAdmin configuration page.

    So now another question arises. If the FBI didn’t find the server because of a leaky CAPTCHA, how did it find a PHPMyAdmin page instead?

    Lots of unanswered things according to this report, that’s for sure.


  • The importance of Dropbox

    I’ve been a paying Dropbox user since forever, and I don’t intend to stop, despite some pretty serious competition. Assuming Dropbox won’t go all evil on us, it’s a resource I want to use. I’m trusting it with the bulk of my data right now, and I have for years.

    That said, I trust Apple more than I trust Dropbox. Apple entering the cloud game with iCloud Drive is great news, and my initial reaction to the announcement was, literally, ABOUT FUCKING TIME!!! That still stands, but I think Dropbox is more important than ever. The recent iCloud outages notwithstanding, I’m just not sure if Apple is ready for this. Data is important, and while an online sync and storage service isn’t a backup (seriously, back up your stuff elsewhere), the nuisance of losing data because of weird things happening is bad enough. And while I’ve yet to lose data from iCloud in any way, I have had some pretty poor syncing experiences. Granted, most of those are in third-party apps and the developers might be to blame, but still. That rarely happens with Dropbox, and when shit hits the fan, Dropbox has its versioning safety net, which I’ve been forced to use on a few occasions.


  • Beware the USB

    The BadUSB hack is out, released into the wild by researchers Adam Caudill and Brandon Wilson. This means that malicious types can make trouble for you just by accessing your USB ports. There is no fix for this at the moment; the problem is in the USB firmware, and that’s not something that gets patched easily.

    Why release something like this, especially when the original BadUSB creator Karsten Nohl chose not to? From Wired:

    “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

    The reasoning is that known exploits get fixed faster, which is true, but with the USB hack it’s not quite as simple as releasing a system update. On the flip side, knowing that this USB security flaw exists and is widely available will make it possible to take proper measures to protect sensitive data from malicious people. And yes, that includes government agencies.