Apple is Aware of Apple ID Exploit, is Working on a Fix

Soon after word hit about the unbelievably easy Apple ID exploitApple has responded by saying it’s already working on a fix. As it should be. If it’s not happening on the mobile side, issues are springing up elsewhere.

In a statement to The Verge, the company lamented the glaring issue and said it takescustomer privacy very seriously. Let’s hope Apple can tie this one up quick, too. All someone needs to take control of someone else’s Apple ID is their email and date of birth—you can get that kind of information on Facebook very easily.

As of now, Apple has taken down its iForgot password reset tool as a temporary solution. That might be an acceptable short-term fix, but in the long run, let’s hope Apple develops a stricter protocol when reseting a password. Apple IDs are the key to Apple’s content kingdom; if user IDs start running rampant, who knows what kind of backlash the company will face.

[Source: TechnoBuffalo]

Hacker sentenced to 41 months for exploiting AT&T iPad security flaw

Hacker Andrew "Weev" Auernheimer was found guilty last year of spoofing iPad user IDs to gain access to an AT&T email database, and he's now been sentenced to 41 months in prison. The time was chalked up to one count of identity fraud and one count of conspiracy to access a computer without authorization. In addition to the nearly three and a half years behind bars, Auernheimer also faces another three years of supervised release, and restitution payments of $73,000 to AT&T.

Prosecutors in the case were asking for a four-year sentence, and reports say that they used both a Reddit Ask Me Anything post that Auernheimer did as well as quotes from the Encyclopedia Dramatica wiki. Auernheimer did give a statement before the sentencing, where he both read out a John Keats poem, and said that he was "going to jail for doing arithmetic."

Auernheimer has promised that he will appeal the sentencing, so this may not be the last we've heard of "Weev" just yet.

[Source: TUAW]

Evernote plans two-factor authentication following last week's hack

In a move that's often more reactive than proactive these days, Evernote has shared plans to add two-factor authentication to its login process. This latest announcement follows last week's hacking attack and subsequent site-wide password reset, and will be available to all of the site's 50 million users beginning later this year, according to an InformationWeek report. It's too early to say exactly how the Evernote team plans to implement the new security feature, whether through a dedicated app or text message password, but given the service's scale, we can likely count out a hardware fob option, at least. For now, your best course of action is to create a secure password, or, if you're especially paranoid, you may consider delaying your return until the security boost is in place.

[Source: Engadget]

Evernote forcing users to change password after hacking attempt

Evernote, the popular cross-platform note taking and sharing app, has issued a statement about some recent "suspicious activity on the Evernote network". All users will have to change their password, and it seems that user names, and other data that includes the encrypted version of passwords has been accessed. In a letter sent out to users, Evernote says the following:

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As we've seen recently, there's a rash of coordinated attempts to hack the big players in online services. Hopefully Evernote's encryption methods are solid, but having users change their password at log in is a great way to keep everyone safe. Visit Evernote's blog for more information.

[Source: AndroidCentral]

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Following an attack on a smaller number of corporate Macs that exploited exploited a flaw in the Java browser plug-in, researchers from security firm FireEye are warning users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are currently vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple and several other companies last month. Following the earlier attack, Apple released an updateto Java for users to version 1.6.0_41. These recent vulnerabilities come after several updates over the past year to Java addressing exploits.

FireEye is recommending users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provides the instructions below for uninstalling Java on Mac:  

  1. Click on the Finder icon located in your dock
  2. Click on Applications tab on the sidebar
  3. In the Search box enter JavaAppletPlugin.plugin
  4. This will find the JavaAppletPlugin.plugin file
  5. Right click on JavaAppletPlugin.plugin and select Move to Trash

[Source: 9to5Mac]

Microsoft was hacked in the same wave as Apple and Facebook

Microsoft has been hacked, in the same wave of attacks targeting Facebook and Apple. The company made the announcement in a blog post on its website.

You can sleep safe if you use Windows 8 or Windows Phone 8 though, as Microsoft says there's no evidence of any customer data being compromised. Funnily enough, the company says some of its computers in its Mac business unit were among those hacked.

Microsoft says it didn't make a statement immediately, as first it wanted to find out what exactly happened. Only a "small number" of computers were infected by malicious software "using techniques similar to those documented by other organisations."

Last week, Apple announced it had been hit by malware that attacked Java, and a few days earlier, Facebook said it too had been targeted. Just don't tell Jeff JarvisTwitter was also hacked last month, with 250,000 accounts affected.

Newspapers including The New York TimesWashington Post and Wall Street Journal have all accused China of cyber attacks, though the origins of the hack targeting Microsoft haven't been revealed. Google's Eric Schmidt has penned a book on the subject, calling China "the world's most active and enthusiastic filterer of information", as well as the "most sophisticated and prolific hacker of foreign companies."

Microsoft acknowledged these kind of attacks are par for the course in the modern tech landscape. It said in its blog post: "This type of cyber attack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries… We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorised access to our networks."

[Source: CNET]

Twitter Attacked and 250,000 Accounts Potentially Compromised

Twitter is sending out emails to 250,000 users of the service that may have had their accounts compromised this week to change their passwords.

If you’re a user of Twitter and receive an email similar to the one you see above – as I did earlier this evening – congratulations, your account may be one of the 250,000 that were potentially compromised this week. In a blog post on the company’s site this evening the situation was explained as clearly as it could be.

This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.

Twitter explained that it decided to be very public about this situation as it believes this was the work of a sophisticated group and that this isn’t the only attack that it has been orchestrated against companies as of late.

Should you be unfortunate enough to receive one of these emails, make sure to change your password immediately.

[Source: TechnoBuffalo]

Hack gives HTC Droid DNA the bootloader unlock that Verizon took away

Custom ROM fans were briefly teased with the prospect of Verizon loosening its anti-modding stance when the HTC Droid DNA first arrived: in the pre-release days, the official HTCDev portal allowed unlocking the DNA's bootloader. While the carrier unfortunately clamped down and denied the option by the time the giant smartphone was in stores, that hasn't stopped Android Police and Sean Beaupre from keeping the dream alive through very unofficial means. A special backup file, a carrier ID generator app, a shell script and judicious use of ADB tweak the carrier information to trick HTCDev and let the unlock work once again. To call this a risky procedure would be an understatement, however -- venturing past a certain point raises the real possibility of bricking the device, and HTC's bootloader tool already puts limits on post-unlock support even when it's blessed by carriers. Should the urge to liberate the Droid DNA overwhelm a sense of caution (or a wait for the Deluxe), you'll find both the hack and unofficial help through the source links.

[Source: Engadget]