security - page 12

Apple’s Gatekeeper feature was designed to keep even the most advanced users from accidentally installing malicious software on their computers, but a super-simple exploit lets hackers sneak malware onto your Mac.

The exploit was discovered by Patrick Wardle, director of research at security firm Synack. Wardle found that the exploit is made possible thanks to a key design shortcoming in Gatekeeper that lets an attacker use a binary file already trusted by Apple to execute malicious files.

Here’s how it works:

Logitech wants to help keep your home safe — and push devices like the Nest Cam out of it.

Its new Circle smart camera, which is being launched under the new Logi brand, delivers real-time HD video that lets you monitor your home remotely from an Android or iOS device.

The App Store suffered its worst security breach in history over the weekend, when it was discovered that hundreds of Chinese apps have a malicious program dubbed ‘XcodeGhost’ embedded in their software.

The huge security lapse made its way into legitimate apps thanks to Chinese developers who used a counterfeit version of Apple’s Xcode software that was uploaded to file sharing service Baidu. By using XcodeGhost to compile their apps, developers accidentally allowed the malicious code to be distributed through the App Store.

Apple has pulled infected apps off the store to stop stop the spread, but users still need to delete XcodeGhost apps off their devices manually. Most of the apps infected are mostly used in China, however some big name apps like WeChat, Angry Birds 2, and Didi Chuxing (Uber’s biggest rival in China) were also hit.

Here’s a full list of infected apps:

Hackers have just given iPhone and iPad users a big reason to upgrade to iOS 9 due out later today: it fixes a serious AirDrop security vulnerability.

Mark Dowd, an Australian security researcher with Azimuth Security, revealed this morning that iOS 8.4.1 contains a critic security flaw in AirDrop that could allow an attacker to install malware on any device within range. Worst of all, even if a victim tried to reject the incoming AirDrop file, the bug lets attackers tweak the iOS settings so the exploit will still work.

Check out the lethal bug in action:

We’ve all been using a passcode to secure our iPhones and iPads since forever, right? You’ve had the option to use an alphanumeric passcode since iOS 7, but if you chose to use a simple numeric code, you were limited to four digits.

Not anymore! Apple added the ability to use a six-digit passcode in iOS 9, and this quick settings tweak will make your iPhone or iPad far more secure.

Worried about the security of your Dropbox files, even if you use two-step verification? Dropbox has your back now with a new USB key-based system to ensure that you are the only one able to access your files in the Dropbox cloud.

“Today,” Dropbox writes on its website, “we’re adding Universal 2nd Factor (U2F) security keys as an additional method for two-step verification, giving you stronger authentication protection.”

After the discovery of several dangerous flaws in a few short weeks, Android’s security — or lack thereof — has been big news. Google has acted quickly to eliminate the Stagefright flaw that left 95% of Android devices vulnerable to attack, but others have since wormed their way out of the woodwork.

Now fans are asking how these flaws made their way into public Android releases, compromising the security of more than 1 billion users worldwide. Could Google be doing more to prevent it? And are its hardware partners doing all they can to patch holes in their own software?

Join us in this week’s Friday Night Fight between Cult of Android and Cult of Mac as we fight it out over these questions and more!

Tim Cook might be a guy who can take care of himself, judging from the impressive amount of time he spends in the gym each day, but Apple’s not taking any chances: The company shells out close to $700,000 each year on security for its CEO.

And who can blame them?

Apple plans to issue an update fixing two severe OS X Yosemite security flaws “as soon as possible,” according to a new report.

One bug is the recently discovered Thunderstrike 2, which allows attackers to overwrite a computer’s firmware in a way that is impossible to reverse unless users have the wherewithal to open up their Mac and manually reflash the chip.

The other is a “privilege escalation” bug known as DYLD that allows a program to run as though it has administrator access without prompting users to enter their passwords.

Apple has touted the Mac’s resistance to viruses for decades as a selling point over Windows PCs, but a team of researchers have created a new firmware worm for Mac that might just make you want to go back to doing work on good old pencil and paper.

Two white-hat hackers discovered that several vulnerabilities affecting PC makers can also bypass Apple’s renowned security to wreak havoc on Mac firmware. The two created a proof-of-concept of the worm called Thunderstrike 2 that allows firmware attacks to be spread automatically from Mac to Mac. Devices don’t even need to be networked for the worm to spread, and once it’s infected your machine the only way to remove it is to open up your Mac and manually reflash the chip.

Here’s a preview of Thunderstrike 2 in action:

Apple’s plans for HomeKit to become the de facto platform for the connected home is taking longer than expected to happen because of the company’s obsession with security, according to a recent report.

If you’re afraid of ever being in a dangerous situation without any witnesses or good samaritans nearby, you might want to consider downloading this new app appropriately named Witness. Calling itself the ‘panic button for the smartphone age,’ one tap broadcasts live video and your current location to a list of preset emergency contacts, who can then decide if it’s appropriate to take action.

Of course, if they do nothing, they could potentially have front-row seats to a very morbid and disturbing show.

Though Adobe Flash has been dying a slow death over the past few years, it’s far from dead yet. However, it seems like some people are getting pretty impatient with it and Facebook’s new chief security officer Alex Stamos is one of those people. He publicly tweeted yesterday calling out Adobe to just set a date already to kill Flash and make an announcement to put an end to its misery.

Apple has been eager to point out lately that unlike Google and Facebook it doesn’t collect or sell your personal information. It’s been a great way for the company to differentiate itself from its competitors and Apple has apparently won over Edward Snowden in the process.

In a recent interview, Snowden was asked whether he thinks Tim Cooks perspective on privacy has been genuine and honest, to which Snowden replied, “it doesn’t matter if he’s being honest or dishonest,” but “that’s a good thing for privacy. That’s a good thing for customers.”

Snowden pointed out that Apple obviously has a financial incentive to differentiate itself from competitors, and we should incentivize other companies to follow their path:

A group of six university researchers claim to have successfully bypassed Apple’s tight App Store approval processes to publish Mac and iOS malware apps. According to the report, the team presented the zero-day vulnerability to Apple back in October 2014 and were told to keep quiet about it for at least six months.

Luyi Xing, a security researcher who helped expose the zero day vulnerability, still has yet to hear back from Apple on a possible fix.

iOS security researchers Jan Souček has discovered a new bug in iOS’s mail client that could trick users into accidentally giving attackers their AppleID and password.

The Mail app exploit was discovered at the beginning of 2015, and Apple’s engineers were quickly notified of its existence, but a fix for the bug hasn’t been released in any of the updates following iOS 8.1.2. According to Souček, the bug allows remote HTML content to be loaded, making it possible to build a password collector that looks just like an iCloud sign-in prompt.

Here’s a video of the bug in action:

In a speech to nonprofit research firm Electronic Privacy Information Center (EPIC) at its annual “Champions of Freedom” awards dinner last night, Apple head Tim Cook had some strong words about online security, government monitoring, and corporate data mining.

Cook was the first business leader to receive recognition from EPIC, which lauded his “corporate leadership” on matters of maintaining Apple customers’ privacy.

Thinking about a new career in IT management and security, but not sure where to start? We’ve made it easy. This bundle from iCollege packages together four essential certification courses that train you exactly on what you need to know. Get it for $59 at Cult of Mac Deals today—at 94% off, a deal this good doesn’t come around often.

Anyone you exchange messages with via Facebook Messenger could know where you’ve been at any point. Chatted with your boss? He could use a newly discovered hack to figure out your sick days weren’t spent at home.

Facebook intern Aran Khanna found he could figure out where his friends were going daily with a bit of code, based solely on whether he had Facebook Messenger conversations with them. It even worked with people he wasn’t Facebook friends with if he had been in the same Facebook Messenger chat group.

He calls this code Marauders Map, and anyone can use it. Luckily, it’s fairly simple to hide your location from potential stalkers.

If you’re looking to plan a heist, you’d probably best stay clear of Hangouts: Google has inadvertently confirmed that its chat platform is susceptible to police and government monitoring.

While the tech giant usually keeps quiet about Hangouts’ security features, the revelation (of sorts) came out of an “Ask Me Anything” session Friday on Reddit that included members of Google’s public policy department and legal team. Its proposed topic was “the current status of U.S. government surveillance law reform and how Google thinks about these issues,” but the questions were less about laws or reform and more about Google’s practices.

So, you just got that shiny new Apple Watch. It’s amazing, right?

So amazing that someone may try to steal it from you. Sure, that sucks, but it could happen.

Here’s how to clear the credit card info from the stolen device if you no longer have physical possession of your Apple Watch.

A significant security flaw affecting OS X Yosemite hasn’t been fixed as previously thought, according to a former NSA staffer.

The flaw, known as Rootpipe, is said to have existed since 2011, and could allow an attacker to gain full control of another user’s Mac without requiring authentication.

Slack, the cool new communications app that many of the world’s top companies have flocked to, just revealed that it’s been hacked.

Attackers were able to access a Slack database, the company said Friday morning. There’s no indication the hackers were able to decrypt passwords stored on the server, but Slack is immediately ramping up security efforts in response.

Touch ID might be a more convenient and secure security implementation than PIN codes, but for now at least PINs are sticking around — which makes your iPhone vulnerable to anyone who gets their hands on it.

Of course, your iPhone only gives you a certain number of failed guesses, which means that unless the hacker somehow quickly guesses the correct code out of the 10,000 possible combinations, your iPhone’s contents remain safe.

A new video which has surfaced online, however, shows off a brute-force machine capable of trying every possible four-digit numerical combination in turn, while also resetting your iPhone to try again when it runs out of attempts. You can check it out below.

Passwords are easy to forget. They’re even easier to steal. Now Yahoo has unveiled a new scheme to make permanent passwords as outdated as Morse code.

Yahoo is rolling out its “on-demand” email passwords that utilize phone notifications so you’ll never have to memorize a password again. It works kind of like two-factor authentication, except you don’t ever have to type in your primary password.