Developer Nick Lee has managed to hack a working version of Windows 95 onto his Apple Watch. The utility of this is close to zero — but it is hilarious to watch. It highlights how smart wristwatches like Apple Watch are now as powerful as (if not more than) desktop computers from the turn of the century. Watch the full video of the ‘microsoftOS’ Apple Watch in action after the jump …
Hundreds of apps infected by fake Xcode tools, Apple removing known malicious software from App Store
Apple has admitted that it is App Store integrity was compromised as apps were secretly infected by fake Xcode tools before submission to the App Store. The company has now officially acknowledged the problem and is now removing apps affected by this ‘hack’ from the App Store.
Developers were inadvertently submitting malware by using counterfeit versions of Xcode, Apple’s development software, to submit apps. The fake Xcode, dubbed XcodeGhost, would inject malicious code into otherwise-legitimate apps during the submission process.
Respected developer Hamza Sood, who earlier this month helped us discover hints at an upcoming more powerful iPad mini, today has shared his latest tweak: the ability to use custom watch faces on Apple Watch. Sood posted a video to Twitter, which can be seen below, showing two custom watch faces running on his stainless steel Apple Watch.
Well-known developers Steve Troughton-Smith, Saurik and Adam Bell have managed to hack the Apple Watch on watchOS 2 to run truly native apps on the device. Although Apple is advertising native apps with watchOS 2, it isn’t as ‘native’ as some developers wanted or expected. The logic code now runs on the watch, but raw access to the user interface is still not allowed on watchOS 2.
This means frameworks like UIKit cannot be used to draw truly custom UI. Instead developers must rely on the same techniques employed with current WatchKit apps that revolve around image sequences to create more interesting effects.
In the demo, video embedded below, the team managed to get a fully interactive 3D object running on the Apple Watch powered by Apple’s SceneKit framework.
Update: Apple confirmed it’s aware of the issue and working on a fix:
“We are not aware of any customers affected by this proof of concept, but are working on a fix for an upcoming software update.”
If you are reading mail on your iPhone and iPad and a popup appears asking you to re-login to iCloud (or anything else), beware. Security researcher Jan Soucek discovered a bug in the iOS Mail app that allowed an attacker to run remote HTML code when an email is opened. That code could easily imitate an iCloud login prompt, fooling users into giving away their Apple ID credentials …
A serious vulnerability in Macs more than a year old would allow an attacker to take permanent control of the machine, retaining control even if the user reinstals OS X or reformats the drive.
The vulnerability was discovered by security researcher Pedro Vilaca, who found a way to reflash the BIOS – code stored in flash memory, not on the drive. This means that the machine remains compromised even if the hard drive is physically replaced …
One user lost $550 in a matter of minutes, his account auto-reloaded each time it was emptied by a hacker sending a series of $50 gift cards. Other users have also reported three-figure losses within a matter of seconds or minutes …
A former NSA staffer says that the OS X 10.10.3 update which Apple claims fixed a significant security vulnerability has failed to do so, reports Forbes. Patrick Wardle, who now heads up research at security firm Synack, demonstrated the vulnerability in a video (without revealing exactly how it was done) to allow Apple time to issue a further fix.
The Rootpipe vulnerability allows an attacker with local access to a Mac to escalate their privileges to root – allowing them full control of the machine – without further authentication. A second security researcher confirmed the flaw …
A bug in the way that 1,500 iOS apps establish secure connections to servers leaves them vulnerable to man-in-the-middle attacks, according to analytics company SourceDNA (via arsTechnica). The bug means anyone intercepting data from an iPhone or iPad could access logins and other sensitive information sent using the HTTPS protocol.
A man-in-the-middle attack allows a fake WiFi hotspot to intercept data from devices connecting to it. Usually, this wouldn’t work with secure connections, as the fake hotspot wouldn’t have the correct security certificate. However, the bug discovered by SourceDNA means that the vulnerable apps fail to check the certificate …
Security company MDSec has been testing a black box device that manages to gain access to iPhones running up to iOS 8.1 by brute-forcing the passcode over a USB connection to simulate keypad entry. Normally, trying every possible 4-digit PIN would be prevented by automated lockout or data wipe after ten incorrect attempts, but the IP Box manages to bypass this.
The IP Box is able to bypass this restriction by connecting directly to the iPhone’s power source and aggressively cutting the power after each failed PIN attempt, but before the attempt has been synchronized to flash memory.
After each attempt, it measures light levels on the screen to see whether it got access to the homescreen; if not, it restarts the phone fast enough that the PIN counter doesn’t get updated.
It’s not a very practical means of attack in the real world. Restarting the phone after every single attempt means that testing every single PIN would take around 111 hours, and thus take an average of around 55 hours to get access. You need physical access to the phone for those 55 hours, and need to have stopped it from gaining any kind of network access in that time to prevent the owner using Find My iPhone to remotely wipe it. But it’s an interesting proof of concept.
Apple appears to have fixed the vulnerability in iOS 8.1.1, as companies selling the kit note that it is not compatible with this version of iOS.
Although this isn’t something to worry about, it’s still good practice to use a complex passcode–not a great hardship on a recent iPhone, where you’ll be using Touch ID most of the time. Just go into Settings > Touch ID & Passcode and slide off the Simple Passcode switch.
Cryptographers have discovered that a security flaw dating back to the ’90s is placing OS X, iOS and Android users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.
The FREAK exploit allows an attacker to force a website to use lower-grade encryption for HTTPS connections, which can be cracked within a few hours when using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site …
Android Wear is great, but if you’re an iOS user, it looks like the Apple Watch is going to be your only option for a while. Google has yet to make any of Android Wear’s functionality compatible with Apple’s operating system, and it doesn’t look like they plan to do so any time soon. But that’s not stopping one developer, Mohammad Abu-Garbeyyeh, from hacking Android Wear to at least support notifications from iOS devices.
Update: We are now receiving reports that the vulnerability has been patched. People trying to use the tool are apparently now being correctly locked out from repeated password attempts.
A new tool submitted to GitHub claims to be able to perform password dictionary attacks on any iCloud account, seemingly able to evade detection from Apple’s rate-limiting security that is supposed to prevent such dictionary attacks from happening. In September, Apple reported it had closed one such hole that allowed brute-force attacks to occur.
The sourcecode for the tool has been released onto GitHub. Upon inspection, the tool is really rather crude in its complexity. It simply tries every possible word in its 500-long word-list as the password for a given iCloud account email. This means whilst it will succeed “100%” at trying 500 times over, the tool is by no means guaranteed to succeed at cracking your password.
Security researcher rewrites Mac firmware over Thunderbolt, says most Intel Thunderbolt Macs vulnerable
A security researcher speaking at the Chaos Computer Congress in Hamburg demonstrated a hack that rewrites an Intel Mac’s firmware using a Thunderbolt device with attack code in an option ROM. Known as Thunderstrike, the proof of concept presented by Trammel Hudson infects the Apple Extensible Firmware Interface (EFI) in a way he claims cannot be detected, nor removed by reinstalling OS X.
Since the boot ROM is independent of the operating system, reinstallation of OS X will not remove it. Nor does it depend on anything stored on the disk, so replacing the harddrive has no effect. A hardware in-system-programming device is the only way to restore the stock firmware.
Apple has already implemented an intended fix in the latest Mac mini and iMac with Retina display, which Hudson says will soon be available for other Macs, but appears at this stage to provide only partial protection…
Password managers are a great way to have strong, unique passwords for each website you access – but vital as it is these days, there’s no denying that it’s a chore to change them. Dashlane, a Mac and Windows password manager app, aims to take away the pain by doing it for you automatically across 50 top US websites like Apple, Amazon, Dropbox, Facebook, PayPal, WordPress and Twitter.
Importantly, the app can even cope with sites that employ two-factor authentication to login or change a password, prompting you for the code when required …
If, like me, you skipped over the recovery key step when switching on two-factor authentication for your Apple ID, thinking that having the password plus a trusted device was sufficient, you’ll want to correct that.
TheNextWeb‘s Owen Williams recently found that if someone tries to hack your account, and you get locked out, there’s no way back in without a recovery key.
While Apple states on its website that a new recovery key can be generated so long as you know your password and have access to one of your trusted devices, this is not true once the account is locked. No recovery key, no access. No amount of pleading by Williams would persuade Apple to help. Apple increased its security measures following the phishing attack on iCloud.
In Owen’s case, he did have a key, he just couldn’t find it. It was only by digging it out of a Time Machine backup that he was able to regain access to his account.
So, if you don’t yet have a recovery key, or can’t lay your hands on one, here’s what you need to do:
Go to My Apple ID
Select Manage your Apple ID and sign in with your password and trusted device
Select Password and Security
Under Recovery Key, select Replace Lost Key
CurrentC, the much discussed infamous competitor to the Apple Pay mobile payments platform, has some more bad press coming its way. According to an email sent out this morning to its pilot program customers, the MCX service has already been hacked. According to the notice, “unauthorized third parties” obtained email address information for an unannounced number of users:
Thank you for your interest in CurrentC. You are receiving this message because you are either a participant in our pilot program or requested information about CurrentC. Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information.
In an abundance of caution, we wanted to make you aware of this incident and urge you not to open links or attachments from unknown third parties. Also know that neither CurrentC nor Merchant Customer Exchange (MCX) will ever send you emails asking for your financial account, social security number or other personally identifiable information. So if you are ever asked for this information in an email, you can be confident it is not from us and you should not respond.
MCX is continuing to investigate this situation and will provide updates as necessary. We take the security of your information extremely seriously, apologize for any inconvenience and thank you for your support of CurrentC.
For those not following the MCX vs. Apple Pay saga, MCX powers a payments platform utilized by key retailers such as WalMart, CVS, and RiteAid. After initially supporting NFC-based payments via Apple Pay and Google Wallet, those aforementioned retailers shut down their industry standard NFC-based payment processing systems in favor of the CurrentC app from MCX.
MCX has since responded to this controversy on its website, and Apple CEO Tim Cook referred to the entire situation as a “skirmish.” Meanwhile, reports have indicated that retailers are playing along with MCX in order to avoid fines discussed in early contractual agreements. Nonetheless, Apple Pay has already amassed over a million activations, becoming the most ubiquitous mobile payments platform in just about a week.
Hackers claim to have a database of nearly 7 million Dropbox credentials, service denies it was breached
A database containing login information for nearly 7 million users of the private cloud storage provider Dropbox has been accessed by hackers, according to a partial dump posted on Pastebin earlier this evening (via The Next Web). However, Dropbox has issued a statement denying that this breach occurred on its end, saying that Dropbox itself was not attacked, but rather a third-party service that had stored user credentials:
Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.
A forensics consult and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the iCloud ID and password have been obtained.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …
The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.
Describing the proof-of-concept Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, they say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means it can allow absolutely any USB device, from a USB key to a keyboard, to be compromised.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”
“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”
Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.
As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.
Apple denies iCloud breach was responsible for device lockout attack, advises users to change passwords
Last night we reported that several Mac and iOS users were finding their devices remotely locked by hackers who had gained access to the users’ Find My iPhone accounts and demanded a ransom to return the devices to a working state.
Today Apple issued a statement on the problem, noting that—as suspected—the iCloud service itself was not actually breached, but individual user accounts may have been compromised through password reuse or social engineering:
Australian Mac and iOS users find devices remotely locked, held for ransom (and how to keep yours safe)
The Sydney Morning Herald reports that several Australian Mac, iPhone, and iPad users are finding that their devices have been locked remotely through Apple’s Find My iPhone service by someone using the name “Oleg Pliss.” The hacker (or hackers) then demand payments of around $50 to $100 to an anonymous PayPal account in order to restore the devices to their owners.
An active thread on Apple’s support forum was started yesterday as users started to discover that they had been targeted by the attack. According to that discussion, users are finding all of their devices locked at once rather than a single device per user. Based on that report and the fact that Find My iPhone is being used to hold the devices hostage, it seems likely that the perpetrator has gained access to these users’ iCloud accounts—possibly through password reuse by those users—rather than some device-specific malware or hack.
After seeing an eager Redditor discuss their setup for deploying iPads online with just an Ethernet connection, I was curious myself to see if I could get my iPad Air to be wireless-less as well.
It’s obviously not an ideal way to use a tablet in 2014, as it’s probably easier and cheaper to travel with an inexpensive router than the equipment required to get your iPad wired in. But if you have the equipment lying around or just want to experience the proof-of-concept for yourself, it’s certainly a strange thing to witness.
Check below for the setup I used as well as my video experience.
Evernote, Adobe, even Apple … just a few of the companies who have found their user data compromised by hackers in recent times. The possibility of a hacker being able to access one of your web accounts is worrying enough – but if you use the same email address and password for almost all the websites you use, the risk becomes huge.
The first thing a hacker does when they get hold of a list of usernames and passwords is to use automated software to fire them at a whole bunch of popular websites. That means your online security is only as good as the most vulnerable of the websites you visit. Not good.
The answer, of course, is to use a unique – and strong – password for each website you access. But that creates its own hassles. Strong passwords aren’t easily memorised. Sure, we can ask our browsers to store logins for us, but when you might use several different computers, an iPhone and an iPad, you’d have to login once from each device as soon as you chose the password so it gets stored before you forget it. Not very convenient.
Which is where password managers come in. When you see the instructions, it’ll look like a long process, but it in fact takes only 10-20 mins if you have two or three devices …