iOS Developers Warned About Taking Shortcuts
Slapdash developers have been advised not to use the open source JSPatch method of updating their wares because it is as vulnerable as a soft boiled egg, for various reasons.
It’s FireEye that is giving JSPatch the stink eye and providing the warning that it has rendered over 1,000 applications open to copy and paste theft of photos and other information. And it doesn’t end there.
FireEye’s report said that Remote Hot Patching may sound like a good idea at the time, but it really isn’t. It is so widely used that it has opened up a security hole in 1,220 iOS applications on Apple users’ devices. A better option, according to the security firm, is to stick with the Apple method, which should provide adequate and timely protection.
“Within the realm of Apple-provided technologies, the way to remediate this situation is to rebuild the application with updated code to fix the bug and submit the newly built app to the App Store for approval,” said FireEye.
“While the review process for updated apps often takes less time than the initial submission review, the process can still be time-consuming and unpredictable, and can cause loss of business if app fixes are not delivered in a timely and controlled manner.
“However, if the original app is embedded with the JSPatch engine, its behaviour can be changed according to the JavaScript code loaded at runtime. This JavaScript file is remotely controlled by the app developer. It is delivered to the app through network communication.”
Let’s not all make this JSPatch’s problem, because presumably it’s developers who are lacking.
FireEye spoke up for the open source security gear while looking down its nose at hackers. “JSPatch is a boon to iOS developers. In the right hands, it can be used to quickly and effectively deploy patches and code updates. But in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes,” the firm said.
“Specifically, if an attacker is able to tamper with the content of a JavaScript file that is eventually loaded by the app, a range of attacks can be successfully performed against an App Store application.”
Courtesy: TheInq
Yahoo Unveils Livetext Mobile Messaging App
August 11, 2015 by admin
Yahoo unveiled a mobile messaging app that combines texting with live one-on-one video.
The app, named Livetext, is video calling with a twist: there’s no audio. To communicate, users type texts and emojis that are overlaid onto the screen during the call.
The app’s format might sound restricting, but Yahoo says Livetext will help users to communicate more freely. The lack of audio, the company says, removes inhibitions that people might feel when they otherwise receive video calls in public.
“We wanted to bridge the gap between the simplicity and ease of texting, with the live feeling of calling,” said Adam Cahan, senior vice president of video, design and emerging products at Yahoo, during the app’s unveiling at an event in New York on Wednesday that was webcast.
Livetext was developed from scratch at Yahoo. Its development was aided by Yahoo’s acquisition last year of mobile messaging app MessageMe, the company said Wednesday. It’s yet another messaging app in a sea of competitors like Snapchat, WhatsApp and Facebook Messenger.
Still, Livetext is the latest attempt by Yahoo to provide a messaging app that resonates with users. It became available to download for free on Thursday for iOS and Android, in the U.S., U.K., Canada, Ireland, Germany, France, Hong Kong and Taiwan. Users will be able to text in English, French, German and Chinese using the app.
The app streams video only when two people are connected through the app at the same time. Users can search for friends in the app through their Livetext user name, or through the contacts list on their phone.
There is no time limit on calls placed through the app, and no way to save or archive the sessions. The video quality will depend on the strength of the data connection, although connections at 3G and above should suffice, Yahoo said.
It’s available on Android and the desktop, but not on iOS.
Can OSX Make Macs Vulnerable To Rootkits?
The software genii at Apple have redesigned their OSX software to allow malware makers to make designer micro-software that can infect Macs with rootkits.
Obviously the feature is one that Apple software experts designed specifically for malware writers, perhaps seeing them as an untapped market.
The bug in the latest version of Apple’s OS X gives attackers root user privileges via a small piece of code that could be packed into a message.
Security researcher Stefan Esser said that this was the security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications.
The OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Plainly the software genii did not believe that the standard safeguards applied to their additions to the OS X dynamic linker dyld, because they were protected from harm by Steve Jobs’ ghost.
This means that attackers can open or create files with root privileges anywhere in the OS X file system.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem. And because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege-escalation,” Esser said.
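To make the inheritance Esser describes concrete, here is an added C example (not from the article or from Esser’s write-up) that creates a descriptor with and without the close-on-exec flag, execs /bin/sh as a child and reports whether the child could still write to it. The pipe and the child’s command are constructed for the demonstration and assume a POSIX system with /bin/sh.

```c
/* Added example: a descriptor that lacks FD_CLOEXEC survives execve() into a
 * child, which is the mechanism behind dyld's leaked log file; setting the flag
 * is the mitigation. Assumes a POSIX system with /bin/sh. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Create a pipe, optionally mark its write end close-on-exec, then exec a shell
 * child that tries to write "ok" to that descriptor by number. Returns 1 if the
 * descriptor was inherited by the exec'd child (the write arrived), 0 if it was
 * closed at exec, -1 on setup failure. */
int fd_leaks_across_exec(int use_cloexec)
{
    int fds[2];
    if (pipe(fds) < 0)
        return -1;
    if (use_cloexec && fcntl(fds[1], F_SETFD, FD_CLOEXEC) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: after exec, the shell only sees descriptors without FD_CLOEXEC.
         * stderr is silenced so a "bad file descriptor" message does not clutter
         * the output in the close-on-exec case. */
        char cmd[80];
        snprintf(cmd, sizeof cmd, "exec 2>/dev/null; echo ok >&%d", fds[1]);
        close(fds[0]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    /* Parent: drop its own write end so read() sees EOF once the child's copy
     * is gone, either at exec (cloexec set) or when the shell exits. */
    close(fds[1]);
    char buf[8] = {0};
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return (n > 0 && strncmp(buf, "ok", 2) == 0) ? 1 : 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: child could write -> %d\n", fd_leaks_across_exec(0));
    printf("with FD_CLOEXEC:    child could write -> %d\n", fd_leaks_across_exec(1));
    return 0;
}
```

With the flag set the child's copy is closed during exec and the parent reads EOF; without it the shell, a stand-in for any program a SUID binary might exec, writes through the inherited descriptor.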
The vulnerability is present in both the current 10.10.4 (Yosemite) version of OS X and the current beta version of 10.10.5. Importantly, the current beta version of 10.11 is free of the flaw, an indication that Apple developers may already be aware of the vulnerability.
An Apple spokesman said that engineers are aware of Esser’s post; of course, they did not say they would do anything about it. They will have to go through the existential crisis involved in realising that their product was not secure or perfect. Then the security team will have to issue orders, signed in triplicate, sent in, sent back, queried, lost, found, subjected to an internal inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters.
FCC To Tighten Rules On Robocalls
June 9, 2015 by admin
The top U.S. telecommunications regulator wants to make it more difficult for telemarketers and other businesses to robocall and send text messages to consumers under changes to autodialing rules being proposed.
The Federal Communications Commission plans to vote on June 18 on the proposal, which would give legal cover to telephone companies to offer consumers technologies that would block robocalls, regardless of where they originate.
“The FCC wants to make it clear: Telephone companies can – and in fact should – offer consumers robocall-blocking tools,” FCC Chairman Tom Wheeler said in a blog post.
The wireless carriers have worried that blocking automated calls could be construed as violations of the law that requires them to ensure that all calls placed over their networks reach their intended recipients.
The proposal would also reassert that consumers have to agree to receive automated calls and texts and clarify that they can revoke their consent in any “reasonable” way, including a simple request for calls to stop, without the need to file convoluted paperwork.
Robocalls and robotexts are by far the most common cause of consumer complaints at the FCC, topping 215,000 in the last year alone. Consumer advocates and the majority of U.S. states attorneys general had pressed the FCC to clarify the robocall rules.
Numerous business associations, including the U.S. Chamber of Commerce, have also pushed for clarifications, facing a growing number of lawsuits prompted by violations such as calling cellphone users whose numbers used to belong to someone else.
The FCC’s proposal would reassert that companies should try to avoid numbers reassigned to consumers who have not agreed to receive their calls. If they do not know that a number has been reassigned, they are allowed one call to find out.
The business community had also complained that some lawsuits unfairly target them for using dialing technologies that could be modified to become autodialers. FCC officials said any technology with the capacity to dial random or sequential numbers qualifies as an autodialer, even if it would require modification.
U.S. law prohibits telemarketing calls to both landline and cellphones of consumers who have not given written consent.
Twitter To Track Mobile Users
December 11, 2014 by admin
Twitter Inc has plans to start tracking what third-party apps are installed on users’ mobile devices so the social media company can deliver more tailored content, including ads, the company has revealed.
The feature, called “app graph,” will allow the company to see what other applications users may have installed on phones or other devices.
“To help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in,” the company said on its site.
The posting also included instructions on how to turn the feature off. Twitter is not collecting data from within the applications, the posting noted.
Twitter, whose main service allows users to broadcast 140-character messages, has been searching for ways to re-invigorate user engagement and drive growth. As part of that effort, the company is considering creating additional mobile applications beyond its core messaging service.
Office 365 Goes Video Streaming
December 3, 2014 by admin
Microsoft unveiled Office 365 Video, a YouTube-like streaming service where enterprises and large organizations can post in-house video content for communication and training.
“Office 365 Video provides organizations with a secure, company-wide destination for posting, sharing and discovering video content,” said Mark Kashman, a senior product manager with the Office 365 team, in a blog posting.
Kashman touted Video as a tool for internal communications, citing the examples of new-employee orientation, management messaging and worker training. Employees will also be able to contribute to a “Community” section, though most companies will probably frown on cat-antics clips.
The service rolls out over the next few days to companies that have registered for Office 365’s First Release early distribution program, then through early 2015 to others.
Video will be available only to subscribers of Office 365’s plans for enterprises — E1 through E4 — and universities (A2 through A4). It will not be offered to consumer subscribers or firms with small business-oriented plans like Business Essentials, Business and Business Premium.
Kashman also said Office 365 plans for government agencies will get Video at some point, but he did not proffer a timeline.
The other requirement is SharePoint Online, an off-premises component of the enterprise and academic plans, but missing from the increasingly popular Office 365 ProPlus, the rent-not-buy plan used by organizations that have decided to retain their back-end services, like SharePoint and Exchange, on premises.
Although Office 365 Video has elements of consumer streaming services like Google’s YouTube, it’s strictly an in-house affair: It will be available only to employees, and then only those whom IT administrators have assigned access rights.
New Malware Targeting Apple Devices
Palo Alto Networks Inc has uncovered a new group of malware that can infect Apple Inc’s desktop and mobile operating systems, underscoring the increasing sophistication of attacks on iPhones and Mac computers.
The “WireLurker” malware can install third-party applications on regular, non-jailbroken iOS devices and hop from infected Macs onto iPhones through USB connector-cables, said Ryan Olson, intelligence director for the company’s Unit 42 division.
Palo Alto Networks said on Wednesday it had seen indications that the attackers were Chinese. The malware originated from a Chinese third-party apps store and appeared to have mostly affected users within the country.
The malware spread through infected apps uploaded to the app store, which were in turn downloaded onto Mac computers. According to the company, more than 400 such infected apps had been downloaded over 350,000 times so far.
It’s unclear what the objective of the attacks was. There is no evidence that the attackers had made off with anything more sensitive than messaging IDs and contacts from users’ address books, Olson added.
But “they could just as easily take your Apple ID or do something else that’s bad news,” he said in an interview.
Apple, which Olson said was notified a couple of weeks ago, did not respond to requests for comment.
Once WireLurker gets on an iPhone, it can go on to infect existing apps on the device, somewhat akin to how a traditional virus infects computer software programs. Olson said it was the first time he had seen it in action. “It’s the first time we’ve seen anyone doing it in the wild,” he added.
IBM And Tencent Team Up
Tencent Holdings Ltd announced that it would be teaming up with International Business Machines Corp (IBM) on a new cloud software business for corporate customers, a marked departure for one of the dominant forces in China’s consumer Internet industry.
Best known for its popular WeChat messaging app and its online games rather than business software, Tencent said its cloud unit would now target small and medium enterprises in the healthcare and “smart city” industries.
Many technology firms are jockeying for a slice of China’s enterprise software market, which promises to grow sharply in coming years as businesses modernize their IT operations and move data onto the cloud.
Tencent’s alliance with IBM, which has deep experience providing computing and consulting services to corporate clients, provides the Shenzhen company a competitive answer to its Chinese rival Alibaba Group Holding Ltd’s nascent cloud efforts.
An e-commerce giant, Alibaba has been slowly building its cloud unit, which recorded just $38 million in revenue in the three months ended June 30.
Tencent said it would tap IBM for its “industry expertise and enterprise reach” but did not disclose financial terms of the deal.
For IBM, the Tencent deal is just the latest in a recent spate of new software partnerships in China, where its hardware sales have been sliding.
IBM announced a deal earlier this year to install its cutting-edge DB2 database software on Chinese rival Inspur International Ltd’s machines. Big Blue also agreed to license its database and big data technology to Chinese software vendor Yonyou Software Co Ltd.
What Will Facebook Do With WhatsApp?
October 21, 2014 by admin
Facebook, which closed its acquisition of mobile messaging service WhatsApp earlier this week, has said that it has no near-term plan to make money from it.
Chief Executive Mark Zuckerberg, who is visiting India to participate in an event to boost Internet usage, refused to say much more, but it does indicate that the company has not worked out a cunning plan yet.
Facebook’s final WhatsApp acquisition price tag has risen an additional $3 billion to roughly $22 billion because of the increased value of Facebook’s stock in recent months. This means that Zuckerberg is under pressure to make a bob or two from the deal.
WhatsApp works across different types of phones, across borders, and without advertising. The app only charges a 99 cent annual subscription fee, which is waived for the first year.
BlackBerry To Patch For Heartbleed
BlackBerry Ltd said it will release security updates for messaging software for Android and iOS devices by Friday to address vulnerabilities in programs related to the “Heartbleed” security threat.
Researchers last week warned they had uncovered Heartbleed, a bug in the OpenSSL software commonly used to keep data secure, potentially allowing hackers to steal massive troves of information without leaving a trace.
Security experts initially told companies to focus on securing vulnerable websites, but have since warned about threats to technology used in data centers and on mobile devices running Google Inc’s Android software and Apple Inc’s iOS software.
Scott Totzke, BlackBerry senior vice president, told Reuters on Sunday that while the bulk of BlackBerry products do not use the vulnerable software, the company does need to update two widely used products: Secure Work Space corporate email and BBM messaging program for Android and iOS.
He said they are vulnerable to attacks by hackers if they gain access to those apps through either WiFi connections or carrier networks.
Still, he said, “The level of risk here is extremely small,” because BlackBerry’s security technology would make it difficult for a hacker to succeed in gaining data through an attack.
“It’s a very complex attack that has to be timed in a very small window,” he said, adding that it was safe to continue using those apps before an update is issued.
Google spokesman Christopher Katsaros declined comment. Officials with Apple could not be reached.
Security experts say that other mobile apps are also likely vulnerable because they use OpenSSL code.
Michael Shaulov, chief executive of Lacoon Mobile Security, said he suspects that apps that compete with BlackBerry in an area known as mobile device management are also susceptible to attack because they, too, typically use OpenSSL code.
He said mobile app developers have time to figure out which products are vulnerable and fix them.
“It will take the hackers a couple of weeks or even a month to move from ‘proof of concept’ to being able to exploit devices,” said Shaulov.
Technology firms and the U.S. government are taking the threat extremely seriously. Federal officials warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the Heartbleed bug.
Companies including Cisco Systems Inc, Hewlett-Packard Co, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others, like BlackBerry, are rushing to get them ready.