Security blog Defense in Depth has found a glaring security flaw in OS X Lion that enables hackers to change the password of any user on a machine running Lion. “[While] non-root users are unable to access the shadow files directly, Lion actually provides non-root users the ability to still view password hash data,” Patrick Dunstan from Defense in Depth explained in a recent blog post. The result is that anyone could use a simple Python script, created by Dunstan himself, to discover a user’s password. It gets worse. Reportedly, OS X Lion does not require its users to enter a password to change the login credentials of the current user. That means typing the command: “dscl localhost -passwd /Search/Users/Roger” will actually prompt you to set a new password for Roger. As CNET points out, a hacker could only take advantage of the known bug if he or she has local access to the computer and Directory Service access. CNET suggests disabling automatic log-in, enabling sleep and screensaver passwords and disabling guest accounts as some preventative measures to keep your Mac secure.

[Via CNET]

Read

Apple has promised to patch a security hole found in the iPhone and iPad following a report published by Germany’s Federal Office for Information Security. Reportedly, a PDF security hole could allow hackers to gain unauthorized access to personal data — such as messages and passwords — stored on an iPhone or iPad and could “infect the mobile device with malware without the user’s knowledge.” Apple’s PR team was quick to respond to the allegations. “[Apple is] aware of this reported issue and developing a fix that will be available to customers in an upcoming software update,” Bethan Lloyd, an Apple spokesperson told AFP on Thursday. Apple has not yet confirmed when it will push out the security update.

[Via Mobile Burn]

Read

In a move that should surprise no one, Apple has banned the “Big Brother Camera Security” app that developer Daniel Amity used to swipe his customers’ passcodes. BGR reported on Tuesday about an application that attempted to trick users into setting a passcode identical to the pin used to lock their iPhones. The app then transmitted the PIN numbers in the background to the developer — albeit anonymously — who used them to publish a report covering the most commonly used iPhone passcodes. While the developer’s intentions hardly seemed malicious, there was no way Apple was going to sit back and watch while a developer published data about private PINs, even if they could not be directly tied to individual iPhone users. As such, the app has been banned from the App Store. “As of today at 4:58pm EST, Big Brother has been removed from the App Store,” Amity wrote in a blog post. ”I’m certainly not happy about it, but considering the concerns a few people have expressed regarding the transfer of data from app to my server, it is understandable.”

Read

Daniel Amitay, the iPhone developer who created “Big Brother Camera Security” application, has released a list of the top 10 iPhone passcodes. Amity implemented code into his last software update that allowed the application to record passwords entered in by its users. Since his app’s lock and passcode screens look identical to the iPhone’s, he argues that his data reflects an iPhone user’s actual password. Of the 204,508 recorded passcodes collected, the most popular was, not surprisingly, 1234. That’s followed by 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, and 1998. Amity says those codes represent 15% of all passwords in use. As you might expect, many of them follow simple patterns on the keyboard. “iloveyou” has always been a popular password and 5683, the No. 6 passcode on the list, can be translated into ‘LOVE’ on a standard alphanumeric keypad. Amitay also found that the numbers 1990-2000 were all in the top 50 passcodes, and 1980 – 1989 were all in the top 100, suggesting that many users may be entering in the year of their birth or graduation. Hit the jump for another chart.

Read

BGR has provided extensive coverage of an ongoing saga that has seen numerous digital properties belonging to Sony fall under attack. To date, personal information belonging to well over 100 million Sony customers has been compromised, and nearly 13 million credit card numbers have been stolen. For IT professionals or other tech enthusiasts with weak stomachs, we can understand if reading one story after another about Sony’s security woes might make you a bit queasy. As such, a new site launched recently that has you covered. Hassonybeenhackedthisweek.com answers a single question for those who simply want to cut to the chase: Has Sony been hacked this week? The answer right now, by the way, is “yes.”

Read

According to reports from numerous gaming sites, the password reset page for Sony’s PlayStation Network has been exploited. Sony built the page in an effort to allow users, whose accounts were already compromised during a major security breach last month, to reset their security credentials. However, hackers who stole the information from Sony can reset users’ passwords by knowing and account holder’s email address and birthday — information they’ve already stolen. Forum members on Nyleveia have suggested that PSN users create a new email address specifically for use with PSN. Sony has taken the website offline, and said: “Unfortunately this also means that those who are still trying to change their password via PlayStation.com or Qriocity.com will still be unable to do so for the time being.” Sounds like Sony really needs to get those new security measures in place, stat.[Via Kotaku]

Read [Eurogamer] Read [Nyleveia] Read [NeoGaf]

Firefox 4 has been leaked for Mac and PC a day before the company said it would be officially available. Mozilla promises the user interface in Firefox 4 is sleeker and easier to use, and it enables users to keep open tabs, bookmarks, history, and passwords in sync with other devices running a Firefox browser. Firefox 4 also has a new feature that allow you to drag and drop open tabs into groups that can be arranged and named. The leaked downloads aren’t available direct from Mozilla, so we suppose there’s still a chance the team could pull the launch date tomorrow and issue an RC2 release, but we doubt it. We won’t keep you waiting, though, so hit the jump for a link to download Firefox 4 for PC or Mac.

[Via Business Insider]

Read [Firefox 4 Mac OS X] Read [Firefox 4 PC]

A new report from Cult of Mac suggests that Apple may have some nifty new features in store for the upcoming iPhone 5. Rumors that the iPhone 5 will utilize NFC are nothing new at this point, but this morning’s claims cover a very unique feature for the underutilized technology. The report suggests that the iPhone 5 will include a new portable computing function, allowing users to store data and settings from Mac computers on their iPhones. When a handset is waved near any other compatible NFC-equipped Mac computer, the user’s “applications, settings and data” will become available on the computer. “It will be as though they are sitting at their own machine at home or work,” the report states. In short, the feature would provide a new type of remote computing that could eliminate the need for virtual network computing (VNC) or similar technologies. This new feature is anything but confirmed for the time being, but it certainly would be a welcome addition for Mac users. What’s more, it might help give customers with aging Mac computers an extra push to upgrade to newer NFC-enabled machines.

Read

Google’s high profile war of words with China has garnered much public attention but the underlying cause of the dispute — the alleged hacking of Google by Chinese individuals, possibly with government sanction, has stayed quietly under the radar. A source with knowledge of Google’s internal investigation revealed to the NY Times that one of the targets of the attack was Google’s universal login system known as “Gaia”. Though you may not be familiar with the name, every Android-toting, Gmail-checking Google user is familiar with the system. Gaia, now known as “Single Sign-On”, is the password and login system that powers Google’s universal login and lets you read your feeds in Reader, analyze your website traffic, and check your Gmail using a single, simultaneous login. No passwords or accounts were compromised but the hackers allegedly obtained some, if not all, of the source code for this password/login system. Google declined to comment on this latest leaked information and towed the company line by re-affirming that it has dealt with all the security issues associated with this attack. We don’t need to elaborate on the potential ramifications this revelation has on the perceived security of Google’s cloud system; we can let you do that in the comments.

Read

Wow. Just wow. Marko Karppinen, head of a Finnish software development firm specializing in Mac software, just found himself on the wrong end of a security breach. According to his blog post from this morning Karppinen was the victim of a complex, crafty and well-executed scheme clearly carried out by a team of unscrupulous professional hackers. The end result; Karppinen’s Apple ID account was compromised and access to personal data was established for an unknown period of time. So how did this guerrilla team pull it off? They sent the following, umm, complex malicious code to Apple via email:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

No, seriously. That’s how easy it was for some grammar-stallion to have Apple change the email account associated with Karppinen’s account and issue a reset password to the new address. Luckily the culprit wasn’t quite smart enough (surprising, we know) to change Karppinen’s security question so he was able to regain control of his account rather quickly. Well, at least no one can say Apple customer service doesn’t act fast. They responded almost immediately to the thief’s email and accommodated him without hesitation. Kudos, Apple Support!

Read