The access controls that are supposed to protect personal data such as the address book can be bypassed, as a security researcher has just demonstrated. Since yesterday, 24 September, Mac users have been able to install the latest version of the macOS operating system, Mojave. Unfortunately, it is already affected by a significant security flaw that undermines the protection of personal data. With macOS Mojave, Apple strengthened the access controls on sensitive files and applications such as the address book, message history, the mail database, the microphone, the camera, and so on. But these access controls can be short-circuited, as security researcher Patrick Wardle demonstrates.
He developed an application named "breakMojave" that can quietly siphon off the user's address book without asking for anything. He showed the hack step by step in a Vimeo video. At the start, no third-party application has access to the address book. The researcher then opens a Terminal window and tries to read the address book data directly, without success. Launching breakMojave finally extracts the data, which ends up dumped in bulk onto the desktop.
Many of OS X’s most popular apps were recently revealed to be vulnerable to man-in-the-middle (MiTM) attacks.
The vulnerability specifically affects apps that use Sparkle, a third-party software update framework, and fetch their update feed over unencrypted HTTP connections, which lets an attacker on the network path rewrite what the updater receives.
A security engineer from Vulnsec, known as Radek, said the vulnerability works on both El Capitan and its predecessor, Yosemite.
The total number of apps affected isn’t known, but Radek did estimate the number to be “huge.” Some of those confirmed as vulnerable are:
- Camtasia 2 (v2.10.4)
- DuetDisplay (v1.5.2.4)
- uTorrent (v1.8.7)
- Sketch (v3.5.1)
Additionally, security researcher Jonathan Zdziarski told Ars Technica that the 'Hopper' reverse engineering tool and 'DXO Optics Pro' are also susceptible.
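As an added example (not code from the original article, from Radek, or from the Sparkle project), the following Python script audits an app bundle's Info.plist for the condition the article describes: a Sparkle appcast fetched over cleartext HTTP. `SUFeedURL` is Sparkle's standard Info.plist key for the appcast URL; the three sample plists, their bundle names and their URLs are constructed for this example and describe no real application.

```python
import os
import plistlib
from urllib.parse import urlparse

# Constructed sample Info.plist files. The bundle names, identifiers and
# URLs are invented for this example and do not describe real apps.
SAMPLE_PLISTS = {
    "VulnerableExample.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>example.invalid.vulnerable</string>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
""",
    "PatchedExample.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>example.invalid.patched</string>
  <key>SUFeedURL</key><string>https://updates.example.invalid/appcast.xml</string>
</dict>
</plist>
""",
    "NoSparkleExample.app": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>example.invalid.nosparkle</string>
</dict>
</plist>
""",
}


def classify_feed(plist_bytes):
    """Classify how an app fetches its Sparkle appcast, from its Info.plist.

    'http-cleartext' is the case described in the article: a MiTM attacker
    can rewrite the appcast, and the release notes Sparkle renders from it.
    """
    info = plistlib.loads(plist_bytes)
    feed = info.get("SUFeedURL")
    if feed is None:
        # Sparkle can also be handed a feed URL from code at runtime, so a
        # missing key only means no static feed is declared, not "safe".
        return "no-static-feed"
    scheme = urlparse(feed).scheme.lower()
    if scheme == "https":
        return "https"
    if scheme == "http":
        return "http-cleartext"
    return "unexpected-scheme:" + scheme


def audit(plists):
    """Map each bundle name to its feed classification."""
    return {name: classify_feed(data) for name, data in plists.items()}


def cleartext_feeds(plists):
    """Sorted names of bundles whose appcast is fetched over plain HTTP."""
    return sorted(name for name, cls in audit(plists).items()
                  if cls == "http-cleartext")


def scan_applications(root="/Applications"):
    """Run the same check over installed bundles (not exercised offline).

    Also records whether Sparkle.framework is bundled, to catch apps that
    use Sparkle without declaring a static SUFeedURL.
    """
    results = {}
    for entry in os.listdir(root):
        if not entry.endswith(".app"):
            continue
        bundle = os.path.join(root, entry)
        plist_path = os.path.join(bundle, "Contents", "Info.plist")
        has_sparkle = os.path.isdir(
            os.path.join(bundle, "Contents", "Frameworks", "Sparkle.framework"))
        try:
            with open(plist_path, "rb") as f:
                cls = classify_feed(f.read())
        except (OSError, plistlib.InvalidFileException):
            cls = "unreadable"
        results[entry] = (cls, has_sparkle)
    return results


if __name__ == "__main__":
    for name, cls in audit(SAMPLE_PLISTS).items():
        print(f"{name}: {cls}")
```

Run it on a real machine with `scan_applications()` to list every bundle under /Applications whose declared feed is cleartext. Treat a bundled Sparkle.framework with no static `SUFeedURL` as "needs manual review" rather than "clean", since the feed URL may be supplied by the app's code, and remember that an HTTPS feed only removes the network attacker described here; it says nothing about whether the downloaded update itself is signature-checked.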
"No iOS Zone" denial-of-service vulnerability could lead to your iPhone or iPad constantly crashing.
The researchers say that they first informed Apple of the problem in early October 2014, and that iOS 8.3 appears to resolve some of the issues they uncovered.
Chances are that this won’t be the last time that a serious denial of service flaw is found in iOS. Just last month, Apple released iOS 8.2 which fixed a flaw that allowed hackers to restart iPhones by sending them a maliciously-crafted Flash SMS.
Apple is releasing an update for its Safari browser. It fixes several security vulnerabilities affecting the WebKit rendering engine.
Apple has published Safari 8.0.4, Safari 7.1.4 and Safari 6.2.4. These updates to the company's browser target OS X Mountain Lion, Mavericks and Yosemite respectively.
They can be obtained from the Apple menu via the "Updates" button, or from the Mac App Store. Together they fix a total of seventeen security vulnerabilities in the WebKit rendering engine.
Major cyber security incidents continue to hit the headlines. Security and privacy are top concerns for IT and security professionals, especially after 2014’s highly publicized data breaches.
Companies around the globe fell victim to malware, stolen data and exploited vulnerabilities. Big companies weren't immune to this, with Target, JPMorgan Chase, Home Depot and Sony Pictures suffering the painful sting of data breaches. Even celebrities were targeted, with compromised iCloud accounts.
It really isn’t surprising that almost everyone anticipates the need to prepare for security challenges in the coming months. According to a recent survey by Tech Pro Research, 84 percent of IT professionals are more concerned about security and privacy in 2015.
Is there any (Mac) OS X-specific malware around? Oh yes. But for some odd reason I haven't said anything interesting on this topic for quite a while… The last time was two and a half years ago. Yes...
So what can we deduce from these data?
First: cybercriminals find it easiest making money with mostly legal (well, almost legal) approaches. Persistent advertising also makes money, and coupled with large-scale infections – big money.
Second: OS X virus writers are a fairly rare but sophisticated species. Unlike the Windows virus scene, the OS X virus scene bypassed the childish stage of ‘viruses for fun’ and went straight to the grown-up – Mac OS – stuff with all the attendant hardcore malware tricks that are necessary for it. These are serious folks, folks! It’s very likely they honed their skills on the Windows platform first, and then went over to Mac to conquer new, uncharted territory in search of new untapped money-making possibilities. After all, the money’s there, and the users are relatively blasé about security, which means there are plenty of opportunities – for those blackhatters who are willing to put in the work.
Third: professional espionage groups have really taken to exploiting OS X. Many APT attacks in the last few years acquired Mac-modules, for example Careto, Icefog, and the targeted attacks against Uyghur activists. Yes, here we're talking pinpointed – exclusive as opposed to mass – attacks, aimed at specially chosen victims; this is why they don't figure in the top-20. Not that they are any less dangerous; especially if your data may be interesting to intelligence agencies.
Sometimes I wish the internet could just be a place to exchange wholesome information, such as cooking recipes and tips on Linux, but sadly, there is a dark side. There are deviant people lurking on the web doing all sorts of horrible things. Yesterday, a hacker leaked the private pictures and videos (nude and semi-nude) of many celebrities, and they have spread across the net. For these celebrities, who are real people, I am sure it has been a very trying time; their privacy has been destroyed and I offer my sympathies. For the many people (if they can be called that) viewing and spreading the pictures, the occasion has been dubbed
It is pretty clear that iCloud has become a threat to most Apple users due to the recent "Celebrity nudes" scandal. I strongly believe that you shouldn't be worried about people being able to get a hold of photographs and videos of personal moments, such as family dinners and Christmas parties. This incident really makes you wonder just how easy it is to hack into Apple's software systems, and how much Apple's developers have seen of our personal lives. Scandals such as this will keep people talking, but will Apple release a statement regarding everything that has happened?
Security for Macs is often a hotly-debated topic, perhaps because Apple has a reputation for security that is based more on a brand promise than reality.
Apple users are updating to OS X Mavericks in large numbers, but not fast enough. Corporate users in particular have been slow to upgrade, which could have serious security implications.
Apple is famous for the secrecy around its product and service launches.
===> It's unfortunate it has decided that the safety of Mac users should also require reading tea leaves. <===
Are Mac Users safe from Malware? Not as much as you might think. Symantec's Security Expert Kevin Haley breaks down the Mac's invincibility myth. Learn why M...
A trojan for OS X has surfaced on VirusTotal that, by all appearances, belongs to a surveillance tool from the company Hacking Team. Are the Italians back and hacking again?
An analysis of the CVE list shows which programs and operating systems had the most security vulnerabilities reported in 2015. How secure the software actually is cannot be inferred from this: the count reflects how many vulnerabilities were found and published, and how a vendor splits them into individual entries, not how exploitable the software is in practice.
On the most important list of publicly known security vulnerabilities, Mac OS X, iOS and Flash appeared especially often in 2015. This comes from an analysis by CVEDetails.com based on the CVE (Common Vulnerabilities and Exposures) list.
Within the CVE project, major software vendors such as Apple, Adobe, Microsoft and Mozilla assign unique IDs to security vulnerabilities, in cooperation with the non-profit organization MITRE.
The myth has just collapsed: a security researcher has demonstrated how easy it is to bypass the security mechanisms Apple built into OS X and pollute the system with malware.
In the end, Apple does no better than other manufacturers, or even than vendors of protection products, since the talk showed that most protection tools could be bypassed.
Apple nonetheless remains less exposed to attacks for now, but that could change in the future.
FREAK is the abbreviation for a security vulnerability that endangers millions of Android and iOS users, because for many years the browsers on Android and iOS have contained a serious weakness that allows data to be read even over encrypted HTTPS connections. Here is how to check whether you are affected.
Apple and Google are preparing patches for a newly-revealed bug in the web encryption protocols used by the two companies' mobile browsers.
The FREAK bug disclosed yesterday is the latest in a series of vulnerabilities affecting the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols used to encrypt traffic between an HTTPS website and a browser.
A man-in-the-middle attacker can force connections between affected browsers and websites to downgrade from 'strong' RSA encryption to a weaker version known as 'export grade' RSA, which uses keys of at most 512 bits that can be factored with modest computing resources. That weaker version is a by-product of US laws from the 1990s that made it illegal to export products with strong cryptography. The attack only works against servers that still accept the RSA_EXPORT cipher suites, so both the client bug and the server's configuration matter.
Patches are released for Mavericks, Mountain Lion, OS X Server and iTunes. A fix for the POODLE bug is included where appropriate. Most of the bugs are old ones in iTunes.
And NOBODY talks about it!!! Are THEY ALL on NAIVETY status!!!???
Before you sync your iCloud or reinstall your apps, you need to lock down your iPhone or iPad. Here are seven important tweaks (and more) you can set to bolster your privacy.
During his talk at HOPE/X Jonathan Zdziarski detailed several undocumented services (with names like 'lockdownd,' 'pcapd,' 'mobile.file_relay,' and 'house_arrest') that run in the background on over 600 million iOS devices.
Zdziarski's questions for Apple include:
Why is there a packet sniffer running on 600 million personal iOS devices instead of moved to the developer mount?
Why are there undocumented services that bypass user backup encryption that dump mass amounts of personal data from the phone?
Why is most of my user data still not encrypted with the PIN or passphrase, enabling the invasion of my personal privacy by YOU?
Why is there still no mechanism to review the devices my iPhone is paired with, so I can delete ones that don’t belong?
... and his last slide (page 57 of the PDF) sums it up nicely:
Apple is dishing out a lot of data behind our backs
It’s a violation of the customer’s trust and privacy to bypass backup encryption
There is no valid excuse to leak personal data or allow packet sniffing without the user’s knowledge and permission.
Much of this data simply should never come off the phone, even during a backup.
Apple has added many conveniences for enterprises that make tasty attack points for .gov and criminals
Overall, the otherwise great security of iOS has been compromised… by Apple… by design.
One month after the release of OS X Mavericks and the disclosure of 48 vulnerabilities in Mountain Lion, Apple has not released any updates to fix these or any other problems in Mountain Lion.