OS X 10.10.2 Update

OS X Update 10.10.2

Apple releases OS X 10.10.2 Update build 14C109.

About the update

This update includes the following improvements:

  • Resolves an issue that might cause Wi-Fi to disconnect
  • Resolves an issue that might cause web pages to load slowly
  • Fixes an issue that could cause Spotlight to load remote email content when this preference is disabled in Mail
  • Improves audio and video sync when using Bluetooth headphones
  • Adds the ability to browse iCloud Drive in Time Machine
  • Improves VoiceOver speech performance
  • Resolves an issue that could cause VoiceOver to echo characters when entering text on a web page
  • Addresses an issue that could cause the input method to switch languages unexpectedly
  • Improves stability and security in Safari

Enterprise content

For enterprise customers, this update:

  • Improves performance for browsing DFS shares in the Finder
  • Fixes an issue where certain Calendar invitations could be displayed at the incorrect time
  • Fixes an issue for Microsoft Exchange accounts where the organizer of a meeting might not be notified when someone accepts an invitation using Calendar
  • Addresses an issue where Safari could continually prompt for credentials when accessing a site protected by NTLM authentication
  • Adds the ability to set “Out of Office” reply dates for Microsoft Exchange accounts in Mail

Security Content

This update is said to include a fix for “Thunderstrike” (via iMore).

One thing I noticed with the pre-release build: the computer name was no longer incremented. The last time it happened my MacBook Pro was named “Deus ex Macintosh (13)”.

Apple Issues Patch for Critical NTP Vulnerability

Apple NTP Security Update 20141222

Apple issues the OS X NTP Security Update for Mountain Lion, Mavericks and Yosemite.

OS X NTP Security Update
ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

Mountain Lion: ntp-77.1.1
Mavericks: ntp-88.1.1
Yosemite: ntp-92.5.1
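A small shell check for the verification step above, added here as an example; it is not part of the original post or of Apple's advisory. The minimum project versions are the three listed in the advisory. The "PROGRAM:ntpd  PROJECT:ntp-X.Y.Z" line format of what(1) output and the sample output fed to the check are assumptions, so on a real Mac you would pass the live output of what /usr/sbin/ntpd instead. The version compare is numeric per component, so it does not break on two-digit components the way a plain string compare would.

```shell
#!/bin/sh
# Constructed sample of what(1) output for /usr/sbin/ntpd on a Mavericks box.
# The "PROGRAM:ntpd  PROJECT:ntp-X.Y.Z" line format is an assumption.
SAMPLE_WHAT_OUTPUT='/usr/sbin/ntpd:
	PROGRAM:ntpd  PROJECT:ntp-88.1.1'

# Minimum patched ntp project version per OS release, as listed in the advisory.
fixed_version() {
    case "$1" in
        mountainlion) echo 77.1.1 ;;
        mavericks)    echo 88.1.1 ;;
        yosemite)     echo 92.5.1 ;;
        *)            return 1 ;;
    esac
}

# Pull "X.Y.Z" out of the PROJECT:ntp-X.Y.Z field; prints nothing if absent.
ntp_version_from_what() {
    printf '%s\n' "$1" | sed -n 's/.*PROJECT:ntp-\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric dotted-version compare: succeeds when $1 >= $2 (so 92.5.1 >= 88.1.1,
# and 88.10.0 >= 88.9.9, which a plain string compare would get wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# ntpd_is_patched OS_RELEASE WHAT_OUTPUT
#   returns 0 when the installed ntp project version meets the advisory's
#   minimum for that release, 1 when it is older, 2 when it cannot tell.
ntpd_is_patched() {
    want=$(fixed_version "$1") || { echo "unknown OS release: $1" >&2; return 2; }
    have=$(ntp_version_from_what "$2")
    if [ -z "$have" ]; then
        echo "could not find an ntp-X.Y.Z PROJECT tag in what(1) output" >&2
        return 2
    fi
    if version_ge "$have" "$want"; then
        echo "ntp-$have >= ntp-$want: NTP security update is installed"
        return 0
    fi
    echo "ntp-$have < ntp-$want: ntpd still predates the fix for CVE-2014-9295"
    return 1
}

# On a real Mac, feed the live output instead of the constructed sample:
#   ntpd_is_patched yosemite "$(what /usr/sbin/ntpd)"
ntpd_is_patched mavericks "$SAMPLE_WHAT_OUTPUT"
```

The OS release has to be given explicitly because the same ntp project number means different things on different releases: ntp-88.1.1 is patched on Mavericks but older than the Yosemite minimum, and the check reports exactly that.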

CVE-ID

CVE-2014-9295: Stephen Roettger of the Google Security Team

From ICS-CERT:

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.

These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.

Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

Ars Technica Asks Readers to Change Password Following Security Breach

Ars Technica

Due to the recent hack on the website, Ars Technica “strongly encourages all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.”

Full Email:

Ars Technica was hacked: Please change your password

You are receiving this email because you may have – at some point – registered as a user on ArsTechnica.com. Our site was recently hacked.

Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and cryptographically-protected passwords.

Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.

Read more about the incident here: http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/

Please login to Ars and update your password or use the “Forgot your password” form to change your password.

Settings page: https://arstechnica.com/civis/ucp.php?i=profile&mode=reg_details

Forgot your password? https://arstechnica.com/civis/ucp.php?mode=sendpassword

We sincerely apologize for any inconvenience this has caused.

– Ars

To paraphrase Al Bundy: “Hey! Come to think of it, I remember creating an account at Ars Technica.”

What The Hell, Twitter?

Twitter App Graph

Jack Marshall, writing for WSJ.com:

Twitter is now collecting information about the apps installed on users’ devices in order to better target and tailor advertising and other content to them.

WHAT?!

From Twitter:

To help build a more personal Twitter experience for you, we are collecting and occasionally updating the list of apps installed on your mobile device so we can deliver tailored content that you might be interested in.

DFQ?!

If you’re not interested in a tailored experience you can adjust your preferences at any time (read below). Additionally, if you have previously opted out of interest-based ads by turning on “Limit Ad Tracking” on your iOS device or by adjusting your Android device settings to “Opt out of interest-based ads,” we will not collect your apps unless you adjust your device settings.

I have always enabled the “Limit Ad Tracking” option on all of my iOS devices.

iOS Privacy Settings: Limit Ad Tracking

WordPress 4.0.1

Welcome to WordPress 4.0.1

WordPress 4.0.1 is out now.

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

I would say it is mandatory to update your WordPress installation because of these important security fixes.

“There are no target audience, just targets.”

facebook-censored

From TechCrunch:

Facebook has long been promoting the idea of free, zero-rated mobile services in emerging countries to drive more Facebook (and wider mobile data) usage. Now, its Internet.org initiative has crafted another way to promote growth: by working directly with carriers to analyse and fix their networks, with a recent trial in Indonesia — the fourth-biggest country for Facebook usage — speeding up mobile network speeds by up to 70%, the company says.

According to Wikipedia, Indonesia’s population is estimated at 250 million in 2014, making it the fourth most populous country in the world.

The Internet.org work is being made public as Facebook CEO Mark Zuckerberg travels in Indonesia and meets with its president-elect and current Jakarta Governor Joko Widodo…

I don’t think the President-elect of Indonesia understands that Facebook’s number one product is the user. No doubt Facebook really sees the revenue potential from Indonesian users.

Yep, this is one country where hoaxes are treated as facts, hoaxes such as:

Then there’s SoldatenKaffee, a Nazi-themed restaurant which was open for more than two years without a peep from the community or the Indonesian government. It took some offended tourists for this Nazi-themed restaurant to close and reopen with a different theme.

Of course, voicing an opinion could also land an Indonesian in jail.

Then, the police got involved – but not to defend Ms Sihombing. Instead, after residents complained about her in numbers to the police, she was summoned for questioning on Saturday 30 August, and charged under the 2008 Electronic Transactions and Information Law for defamation and “inciting hatred”. Yogyakarta has a conservative reputation, and public manners are valued highly.

If the mobs didn’t kill you, the police will.

Indonesia is for sure an easy target for Facebook’s business model.