Archive for Apple
Author: Dave Lewis
August 21, 2008 at 3:08 pm · Filed under Apple, Data Security
Tom has a post that just has to be read on his experiences with the support folks at Apple. He called them when the hard drive on his wife’s laptop started to fail.
From spylogic:
“You agree and understand that it is necessary for Apple to collect, process and use your data in order to perform the service and support obligations under the Plan. This may include the necessity to transfer your data to affiliated companies or service providers located in Europe, India, Japan, Canada, People’s Republic of China or the U.S.”
Huh? People’s Republic of China? That’s nice. I couldn’t find any reference noting what Apple does with your personal “hard drive” data. They only mention your name, address, things you purchased, etc…
Now, the best part is the rather interesting transcript of his conversation with the support person. Be sure to read the full posting.
Author: Dave Lewis
June 16, 2008 at 5:48 am · Filed under Apple, Mobile, Security Mgmt
I wonder, is this battle heating up again? Would you allow an iPhone into your corporate environment?
If yes, how come? If not, why?
From Network World:
It’s still not good enough. That’s the reaction of IT analysts and security outfits to Apple’s new iPhone 3G. Sure, the iPhone 2.0 software will support Microsoft Exchange and Cisco VPNs. But is it safe enough for enterprise use — as safe as, say, PCs? Gartner says not quite. The security guys say be afraid. It’s just not good enough yet.
And it never will be. Oops, that wasn’t supposed to slip out.
But hasn’t that historically been IT’s official position? We’re the Department of No. Whatever it is, we’re against it.
Cell phones? Wi-Fi? BlackBerries? Web sites? LANs? Laptops? Spreadsheets? PCs? Departmental minis? Not one of those technologies was secure enough, reliable enough and enterprise-ready enough when business users first insisted on sneaking them in under the IT (or MIS or DP) department’s radar.
Of course, users had to sneak that stuff in. They knew what the answer would be if they asked us: No. Not ready. Not good enough. Not yet.
No? Never heard that one before? Ha!
As a security guy, I’m a little more open minded on the introduction of the iPhone. Now the ball point pen mind you, that is somewhat suspect in my book.
Author: Dave Lewis
June 8, 2008 at 9:07 am · Filed under Apple, Crime
This is a rather amusing story of Kait Duplaga and her adventure to recover her stolen laptop.
From Seattle Times Newspaper:
Never underestimate the tenacity of a 19-year-old. When Kait Duplaga of White Plains, N.Y., had her laptop stolen — along with electronics she and her roommates owned — she didn’t despair. She cleverly used a built-in piece of Mac OS X 10.5 (Leopard) technology to catch the alleged thieves.
Duplaga, an Apple Store employee, had turned on Back to My Mac on her computer. This Leopard feature allows remote access to a computer when the right network conditions are met. A few days after her computer was stolen, a friend of Duplaga’s spotted her in iChat, and sent her a text message by cellphone congratulating her on the computer’s return.
The machine’s current possessor wasn’t aware that Duplaga stayed logged in to iChat, and so she showed up there.
She logged in to .Mac on another computer (via the .Mac system preference pane), and used the built-in screen sharing to access her purloined laptop. Screen sharing provides both a view of the remote screen as well as control of the keyboard and mouse.
For the full story read on.
Author: Dave Lewis
April 29, 2008 at 7:17 am · Filed under Apple, Mobile
OK, I have to admit that I have been waiting for this for a while now. Today brings word that Rogers will be carrying the iPhone here in Canada. The release date has yet to be made public.
From Rogers Press Release:
TORONTO, April 29 /CNW/ - Ted Rogers, President and Chief Executive Officer of Rogers Communications Inc. today issued the following statement:
We’re thrilled to announce that we have a deal with Apple to bring the iPhone to Canada later this year. We can’t tell you any more about it right now, but stay tuned.
Just a few short hours before the announcement folks were dismissing the idea.
From Gizmo Republic:
Another hopeful but naïve iPhone-Canada rumor has reared its head again. Until pigs sprout wings and sail across the sky or Canada shows signs of coming out of the telecommunications dark-age … iPhone is NOT coming to Canada!
Whoops.
Well would you look at that.
Author: Dave Lewis
March 19, 2008 at 7:18 am · Filed under Apple, Vulnerability
Apple’s OS X is in the news again this morning with the release of security vulnerabilities aplenty. Time to patch my workhorse MacBook.
From Secunia:
Description:
Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
1) Multiple boundary errors in AFP client when processing “afp://” URLs can be exploited to cause stack-based buffer overflows when a user connects to a malicious AFP server.
Successful exploitation may allow execution of arbitrary code.
2) An error exists in AFP Server when checking Kerberos principal realm names. This can be exploited to make unauthorized connections to the server when cross-realm authentication with AFP Server is used.
3) Multiple vulnerabilities in Apache can be exploited by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.
4) A boundary error within the handling of file names in the NSDocument API in AppKit can be exploited to cause a stack-based buffer overflow.
5) An error in NSApplication in AppKit can potentially be exploited to execute code with escalated privileges by sending maliciously crafted messages to privileged applications in the same bootstrap namespace.
6) Multiple integer overflow errors exist in the parser for a legacy serialization format. This can be exploited to cause a heap-based buffer overflow when a specially crafted serialized property list is parsed.
Successful exploitation may allow execution of arbitrary code.
7) An error in CFNetwork can be exploited to spoof secure websites via 502 Bad Gateway errors from a malicious HTTPS proxy server.
…and it goes on like this.
As well, there was a release concerning the Safari browser.
Get your patch on.
Author: Dave Lewis
March 11, 2008 at 5:23 am · Filed under Airline Security, Apple
For an amusing start to the day, I couldn’t help but share this story. A blogger heading to his flight was detained by TSA because…well, they didn’t know what it was exactly.
From MacNN:
The MacBook Air’s thin design is causing some confusion for the technically ignorant, according to one blogger who says that the ultra-portable caused him to miss his flight. When going through the TSA airport security checkpoint, blogger Michael Nygard was held up as security staff gathered around his MacBook Air, trying to make sense of the slender laptop. One of the less technically knowledgeable staff points out the lack of standard features as cause for alarm.
“I’m standing, watching my laptop on the table, listening to security clucking just behind me,” Nygard recalls of the situation. “‘There’s no drive,’ one says. ‘And no ports on the back. It has a couple of lines where the drive should be,’ she continues.”
References to “unfrozen caveman lawyer” abound. Eventually a younger TSA employee brought enlightenment to the others and informed them of their mistake.
Tags: TSA, MacBook Air, Airline Security
Author: Dave Lewis
February 12, 2008 at 1:23 pm · Filed under Apple, Patches
It’s Microsoft Patch Tuesday…and what a perfect time to release a security patch for Mac. Don’t get me wrong. I’m a huge Mac fan. I just find it amusing that they released it the day before. Hoping to get lost in the shuffle perhaps?
The fixes on the block today from Apple are:
- Directory Services - CVE-ID: CVE-2007-0355 - Impact: A local user may be able to execute arbitrary code with system privileges
- Foundation - CVE-ID: CVE-2008-0035 - Impact: Accessing a maliciously crafted URL may lead to an application termination or arbitrary code execution
- Launch Services - CVE-ID: CVE-2008-0038 - Impact: An application removed from the system may still be launched via the Time Machine backup
- Mail - CVE-ID: CVE-2008-0039 - Impact: Accessing a URL in a message may lead to arbitrary code execution
- NFS - CVE-ID: CVE-2008-0040 - Impact: If the system is being used as an NFS client or server, a remote attacker may cause an unexpected system shutdown or arbitrary code execution
- Open Directory - Impact: NTLM authentication requests may always fail - (Tiger only)
- Parental Controls - CVE-ID: CVE-2008-0041 - Impact: Requesting to unblock a website leads to information disclosure
- Samba - CVE-ID: CVE-2007-6015 - Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution
- Terminal - CVE-ID: CVE-2008-0042 - Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution
- X11 - CVE-ID: CVE-2007-4568 - Impact: Multiple Vulnerabilities exist in X11 X Font Server (XFS) 1.0.4
- X11 - CVE-ID: CVE-2008-0037 - Impact: Changing the settings in the Security Preferences Panel has no effect
Tags: Apple Security, Apple Patches, 10.5.2, Security Patching
Author: Dave Lewis
February 7, 2008 at 12:16 pm · Filed under Apple, Exploit
From the Reg:
Security researchers have discovered you can crash an iPhone through the medium of a cleverly crafted webpage.
The exploit, dubbed a “memory exhaustion remote denial of service vulnerability” by the SecurityFocus website, affects Apple’s Mobile Safari web browser, a key component of both the iPhone and the iPod Touch.
Code up a webpage a certain way - all it takes is 19 lines of JavaScript - and if you can persuade an iPhone user to view it, the site will trigger the handset’s version of Mac OS X to experience a kernel panic and reboot.
Biting tongue.
Tags: iPod Touch, iPhone, iPhone JavaScript Exploit
Author: Dave Lewis
January 21, 2008 at 7:45 pm · Filed under Apple, Remote Access
OK, this is cool. I was just messing around with my iPod Touch, which I upgraded with the January release software. Thanks to a co-worker (thx Sab), I noticed that there is a VPN client on the Touch now. With the addition of an email client (yes, Gmail worked fine before), Google Maps and a few other niceties, this is quickly evolving into a lightweight tablet computer for me.
OK, from the initial screen, assuming that you haven’t made too many changes already after upgrading your iPod Touch: from the home page, select your “settings” button (down on the right hand side).
Author: Dave Lewis
January 21, 2008 at 8:03 am · Filed under Apple, Education
With just over two days left, I wanted to make sure that I put this out to our Mac visitors, as I’m a supporter of charitable causes. The MacHeist is on again this year and there are some very nice apps included this time. For those of you who might not be aware of what MacHeist is, it’s a bundle of software for Macs that is offered at a steep discount. The (very positive) catch is that 25% of the proceeds goes to charity. You can choose to have your purchase count toward one charity or be evenly distributed among all, as I did. Here is the list of the charities that are benefiting from this endeavour:
- Action Against Hunger
- AIDS Research Alliance
- Alliance for Climate Protection
- Direct Relief International
- Humane Society International
- The Nature Conservancy
- Save the Children
- Save Darfur
- Prevent Cancer Foundation
- World Wildlife Fund
About MacHeist:
The MacHeist bundle was introduced last December, 2006, to huge success within the Macintosh community. The software bundle offered 10 of the Mac indie development community’s best offerings, and was available at the end of the MacHeist promotion for one week.
The bundle was called the greatest Mac software deal in history, and has never been available since then. Customers snapped up over 16,000 copies, and donated 25% of their purchase to various charities.
After over $190,000 was raised by customers by the end of the sale, MacHeist topped it off and $200,000 was raised in total.
This year MacHeist has raised $275,628 so far. Get in on the heist.
Tags: MacHeist, Apple Software, Mac Software, MacHeist Charity