Apple Addressing Major Cross Product Security Flaw

Patch released for major Man-in-the-Middle attack on iPhones and iPads that allows hackers to intercept communication. Mac desktop patch to follow.

Advertisements

Malicious E-mail could Hack your Network by just Opening It

Simply opening a specially crafted e-mail on a Mac, iPhone or iPad could allow a remote attacker to hack your network, according to security specialist Bogdan Calin.

In the video above Calin shows a feature that Apple products have enabled by default that a hacker could manipulate to gain access to your computer’s IP address. With this information, a script can be written that automatically attacks your router’s DNS settings. Doing so would allow a hacker to control what websites that you see when you are surfing the internet.

All from an imbedded script hidden in an innocent looking e-mail:

“I got the idea for these tests after I noticed that Apple devices load remote images in emails by default. This can cause privacy issues and it is not a recommended practice. A malicious user can send you an email with an embedded 1×1 pixel image with the background colour of your email client, so it is not visible. The email client will load this image from a remote server and by doing so, it discloses your IP address and email client banner, and possible your identity. In some situations, such behaviour can have catastrophic consequences.”

The attack works by inserting several DNS change commands with default router usernames and passwords inside the e-mail. These are executed silently when the e-mail is read. If the included username and password matches your router, it could change your DNS settings.

These settings tell your computer where to go to find correct internet addresses for website names. If these settings were set to a malicious server, the hacker could send you to a bogus page that looks like a real one, but could harvest your credentials or account information.

The author recommends changing the “download remote image” Mail settings on Apple products to off or changing your router password to something complex. Using a long complex router password is always good advice.

2,000 Employees Riot at Apple’s iPhone 5 Factory

(Reuters / Stringer Photo)

All right all you iPhone junkies, I hope you are happy. Your lust for new tech has caused some major problems for the Foxconn plant in China that makes the new iPhone 5. According to Foxnews 2,000(!!) employees apparently fed up with working conditions were involved in a large scale brawl:

“Foxconn Technology Group and police said the cause of the unrest Sunday night was under investigation, but it comes amid a series of violent protests by workers in areas throughout China over grievances about pay and working conditions. Foxconn and police said as many as 2,000 employees were involved and 40 people were reported injured.”

I have seen several reports about harsh working conditions, and bad treatment of workers, especially at this plant. And it looks like things broiled over when a confrontation between a worker and guard became violent.

“Foxconn, some supervisors, and security guards never respect us,” said the employee, who asked not to be identified by name. “We all have this anger toward them and they (the workers) wanted to destroy things to release this anger.”

Apple systems used to be made in the good ‘ol USA, but as the demand for product increased, and as the lust for higher profits kicked in, manufacturing was moved from US plants to China. Where it appears laborer rights are not quite the same as they are here with reports of forced overtime, wage issues and ill treatment of workers.

According to the article workers were being forced to work more than 60 hours per week at one point in what some called a militaristic atmosphere:

“Workers are expected to obey their manager at all times, not to question but simply to what they are told,” Crothall said. “That atmosphere is not conducive to a happy or contented workforce. It’s a very dehumanizing way of treating workers.”

According to a PCWorld article, workers were forced to work up to 80 hours per week leading up to the release of the iPad 3.

Maybe when Chinese workers demand equal pay and rights, American businessmen will return the work to American shores where it is desperately needed. And where workers are treated a lot more humane.

Security and Privacy Concerns for Mobile Devices

BYOD (Bring your own Device) is one of the latest tech fads. Bring in that tablet or smart phone from home and we will hook it right up to our corporate network for you! What a great thing, and the IT staff just loves it too!  🙂

But there are some serious concerns about mobile devices. For example in March of this year, Sen. Charles Schumer talked with both Apple and Google over privacy concerns. It seems that some mobile apps were grabbing private photos and contact information and downloading them to servers or other sites – without the user’s permission…

It sends shivers up the spine to think that one’s personal photos, address book, and who knows what else can be obtained and even posted online without consent,” Senator Schumer wrote in a letter to the FTC.

Listing the permissions that an App wants during install is helpful. For example, on an Android device you are shown what the app wants access to – network access, phone access – but does everyone take the time to read them before they install the latest “gotta have” app? And even though apps are checked before being placed on Apple’s Marketplace, one common tactic that malicious programmers have used is to download malware with app updates.

And it is not just private data concerns that have been raising alarms. What about the video and recording features of smart devices or even the upcoming “Google Glasses”? Sure these are great in emergency situations, but what about at private meetings, secured facilities or around classified information?

An article in June from NY Times mentions some of the techniques that could be used to block smart phone recording features. SpyFinder camera detectors, Google algorithms for un-tagging people in photos, personal infrared and white noise generators are all mentioned.

Smart devices are excellent to use and a great convenience. But do you want them sharing your private contact information or personal photos? Do you really want recording devices and a possible additional malware platform inside your facility?

These are some of the security and privacy concerns that must be considered for both the individual user and the corporate environment.