Thursday, November 14, 2013

iOS 7.0.4 Security Update

--

Apple has released the iOS 7.0.4 update. As with the previous three iOS 7 updates, this one patches a critical security hole. This update specifically patches the App Store app:
APPLE-SA-2013-11-14-1 iOS 7.0.4
iOS 7.0.4 is now available and addresses the following:

App Store
Available for: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later.

Impact: App and In-App purchases may be completed with insufficient authorization.

Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.

CVE-ID
CVE-2013-5193
IOW: Sounds like another kids-gone-wild-buying-stuff flaw in iOS. I'm glad that's locked again!

:-Derek



MacRumors Forum Accounts Hacked!
Change your password ASAP

--

In case you haven't heard, this week it was revealed that roughly 860,000 account records, including hashed passwords, were stolen from the MacRumors.com forum website. Therefore: change your MacRumors password immediately! And of course, use a unique password at each and every website.

There are two dangers when website accounts are hacked:

1) The hackers will mess over your account at the source website. They can pretend to be you, say anything and do anything as you. They can change your password and lock you out.

2) If you were as dopey as I used to be and used the same ID and password at different websites, the hackers can get into and mess over those accounts as well!
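Danger number two is the one a site operator can blunt on their own side. The following is an added example, not code from the original post or from MacRumors or vBulletin: it contrasts a fast, unsalted hash with a per-user salted, iterated PBKDF2 record, showing why the same reused password produces identical stored digests under the first scheme (so one stolen table identifies the same password everywhere) but different digests under the second. The sample password and the record layout are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample value for the demonstration; not a real credential.
USER_PASSWORD = "correct horse battery staple"


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash of the raw password.

    Every site using this scheme stores the same digest for the same
    password, so a digest stolen from one forum matches the user's
    record on any other site that reused both the password and the scheme.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_record(password: str, iterations: int = 100_000) -> dict:
    """Store a per-user random salt plus a slow PBKDF2-HMAC-SHA256 digest.

    The salt makes identical passwords hash differently on every site
    (and for every user), and the iteration count makes each guess
    expensive for whoever walks off with the table.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted_record(record: dict, attempt: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def reuse_visible_in_unsalted(password: str) -> bool:
    """Two sites, same reused password, same unsalted scheme: digests collide."""
    site_a = unsalted_hash(password)
    site_b = unsalted_hash(password)
    return site_a == site_b


def reuse_visible_in_salted(password: str) -> bool:
    """Two sites, same reused password, salted scheme: digests differ."""
    site_a = make_salted_record(password)
    site_b = make_salted_record(password)
    return site_a["digest"] == site_b["digest"]


if __name__ == "__main__":
    print("unsalted digests match across sites:", reuse_visible_in_unsalted(USER_PASSWORD))
    print("salted digests match across sites:  ", reuse_visible_in_salted(USER_PASSWORD))
    rec = make_salted_record(USER_PASSWORD)
    print("correct password verifies:", verify_salted_record(rec, USER_PASSWORD))
    print("wrong password verifies:  ", verify_salted_record(rec, "wrong password"))
```

The salted scheme removes the cross-site giveaway and slows down guessing, but it does not make a stolen table harmless: a weak or reused password can still be guessed from the salted digest given enough time, which is exactly why the advice above to change the password everywhere still stands.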

Here are some articles relevant to the MacRumors.com hyper-hack:

MacRumors Forums: Security Leak
Tuesday November 12, 2013 2:48 pm PST by Arnold Kim
Yesterday, the MacRumors Forums were targeted and hacked in a similar manner to the Ubuntu forums in July. We sincerely apologize for the intrusion, and are still investigating the attack with the help of a 3rd party security researcher. We believe that at least some user information was obtained during the attack.
In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known. What this means for you, if you have a MacRumors Forums account, is the following:
1. Change your password on our forums. If you have any problems, please contact us.
2. If you used the same password on any other site, change it there also. . . .
Hack of MacRumors forums exposes password data for 860,000 users
by Dan Goodin - Nov 12 2013, 11:05pm EST
Readers who had MacRumors accounts would do well to follow Kim's advice and immediately change login credentials that use the same or similar password. They should also be vigilant of phishing attempts, since their user names and e-mail addresses have also been exposed.
MacRumors hacker who took 860,000 passwords speaks: “We’re not terrorists”
No plans to mass compromise accounts on other sites, post says.
by Dan Goodin - Nov 13 2013, 3:30pm EST
"We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason)," the user known simply as Lol wrote. "We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place."
He continued: "Consider the 'malicious' attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public."
In subsequent posts here and here, Lol expanded on the thinking behind the hack. "Outside of this hobby, *cough*, I do partake in whitehat activities and try to contribute to some open source projects etc. It builds quite the resumé." The MacRumors breach, Lol added, was taken on "to test myself. I never defaced the site, I never bragged about it anywhere, I just got in and got out."
Are hackers usually this arrogant and superior in tone? Oh yes. But setting aside the overcompensation for personal insecurity, hackers are a good thing. This hacker is a self-proclaimed 'white hat', meaning that his aim is to test security by hacking and then reveal the flaw to the creators of the software or website.
Here is one description of a white hat hacker:

http://en.wikipedia.org/wiki/White_hat_hacker
The term "white hat" in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems. Ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. White-hat hackers may also work in teams called "sneakers", red teams, or tiger teams.
Despite what this guy says, I'd get busy changing your password at MacRumors.com, and anywhere else you used the same password. Here's where to change your MacRumors password:

http://forums.macrumors.com/profile.php?do=editpassword

White Hat ≈ Hacker
Black Hat ≈ Cracker

I recently heard Leo Laporte of TWiT and Steve Gibson of Gibson Research Corporation (GRC) speculate that the terms 'Hacker' and 'Cracker' were dead, essentially replaced by 'White Hat' and 'Black Hat'. I've seen no evidence for this assertion. Within the computer community, all four words retain significant descriptive meaning. Despite the drawbacks of using either set of terms, I don't expect any of them to disappear from the technology vocabulary.

:-Derek