Apple releases fix for SSL Vulnerability in OS X Mavericks, Mountain Lion and Lion

On the morning of Tuesday, February 25, 2014, Apple released a fix for the SSL vulnerability in OS X Mavericks, Mountain Lion and Lion.

The fix for SSL Vulnerability is included in OS X Mavericks 10.9.2.

Safari on OS X Mavericks 10.9.2 passed the goto fail test.

OS X Mavericks 10.9.2 Safari goto fail test

OS X Mavericks 10.9.2 Update

This update:

  • Adds the ability to make and receive FaceTime audio calls
  • Adds call waiting support for FaceTime audio and video calls
  • Adds the ability to block incoming iMessages from individual senders
  • Improves the accuracy of unread counts in Mail
  • Resolves an issue that prevented Mail from receiving new messages from certain providers
  • Improves AutoFill compatibility in Safari
  • Fixes an issue that may cause audio distortion on certain Macs
  • Improves reliability when connecting to a file server using SMB2
  • Fixes an issue that may cause VPN connections to disconnect
  • Improves VoiceOver navigation in Mail and Finder

For detailed information about this update, please visit: About the OS X Mavericks 10.9.2 Update

Security Update 2014-001 (Mountain Lion)

Security Update 2014-001 (Lion)

——-

The SSL Vulnerability is currently present in iOS 7.1 beta 5 build 11D5145e. According to an Apple engineer, a new build of iOS 7.1 beta is coming “really soon”.


SSL Vulnerability present in iOS 7.1 beta and OS X Mavericks 10.9.2 Developer Preview

Apple released iOS 6.1.6 and iOS 7.0.6 to address an SSL vulnerability on Friday, February 21, 2014. According to reports, the same vulnerability is present in the current build of OS X Mavericks 10.9.1, OS X Mavericks 10.9.2 build 13C62 and iOS 7.1 beta build 11D5145e.

Based on the goto fail; test, Google Chrome, Mozilla Firefox and Camino on OS X are not affected by this vulnerability: they ship their own TLS implementation (NSS) rather than using Apple's Secure Transport, which is where the bug lives. Camino was no longer being developed as of May 31, 2013.

iOS 7.1 beta 5 build 11D5145e SSL Vulnerability

Apple is expected to fix this SSL vulnerability in the upcoming builds of iOS 7.1 and OS X Mavericks (10.9.1 and the 10.9.2 Developer Preview).
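To show what the goto fail; test is actually exercising, here is a simplified model of the bug's control flow. This is an added example, not Apple's Secure Transport source: the function names, the stand-in hash_update() and check_signature() helpers, and the 32-byte constructed "signature" are assumptions for illustration only. The buggy version returns success for a forged signature because the duplicated, unconditional goto skips the signature check; the fixed version rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a simplified model of the "goto fail;" bug in Apple's
 * Secure Transport, not Apple's code. hash_update(), check_signature()
 * and the sample signature bytes are assumptions for illustration. */

enum { OK = 0, ERR_BAD_SIG = -2 };

/* Stand-in for SSLHashSHA1.update(): always succeeds in this model. */
static int hash_update(const uint8_t *data, size_t len) {
    (void)data;
    (void)len;
    return OK;
}

/* Stand-in for the final signature verification over the ServerKeyExchange.
 * Constructed rule for this example: a signature is "valid" only if every
 * byte is zero; anything else is treated as forged. */
static int check_signature(const uint8_t *sig, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (sig[i] != 0)
            return ERR_BAD_SIG;
    }
    return OK;
}

/* Vulnerable control flow. The second "goto fail;" is not guarded by an
 * if, so it always executes with err still OK, jumping past the
 * signature check. Result: any signature is accepted. */
int verify_server_key_exchange_buggy(const uint8_t *sig, size_t len) {
    int err;
    uint8_t client_random[32] = {0};
    uint8_t server_random[32] = {0};

    if ((err = hash_update(client_random, sizeof client_random)) != 0)
        goto fail;
    if ((err = hash_update(server_random, sizeof server_random)) != 0)
        goto fail;
        goto fail;   /* the bug: unconditional; the indentation is misleading */
    if ((err = check_signature(sig, len)) != 0)
        goto fail;

fail:
    return err;
}

/* Fixed control flow: the stray "goto fail;" is removed, so a forged
 * signature reaches check_signature() and its error is returned. */
int verify_server_key_exchange_fixed(const uint8_t *sig, size_t len) {
    int err;
    uint8_t client_random[32] = {0};
    uint8_t server_random[32] = {0};

    if ((err = hash_update(client_random, sizeof client_random)) != 0)
        goto fail;
    if ((err = hash_update(server_random, sizeof server_random)) != 0)
        goto fail;
    if ((err = check_signature(sig, len)) != 0)
        goto fail;

fail:
    return err;
}

/* The "goto fail test" in miniature: returns 1 when the buggy path accepts
 * a forged signature that the fixed path rejects. */
int gotofail_test(void) {
    uint8_t forged[32];
    memset(forged, 0xff, sizeof forged);   /* constructed forged signature */
    int buggy = verify_server_key_exchange_buggy(forged, sizeof forged);
    int fixed = verify_server_key_exchange_fixed(forged, sizeof forged);
    return buggy == OK && fixed == ERR_BAD_SIG;
}

/* Sanity check that the fix still accepts a "valid" (all-zero) signature. */
int fixed_accepts_valid(void) {
    uint8_t good[32] = {0};   /* constructed valid signature under this model */
    return verify_server_key_exchange_fixed(good, sizeof good) == OK;
}

int main(void) {
    printf("buggy accepts forged signature, fixed rejects it: %s\n",
           gotofail_test() ? "yes" : "no");
    printf("fixed still accepts valid signature: %s\n",
           fixed_accepts_valid() ? "yes" : "no");
    return 0;
}
```

This is why a browser built on the affected library would complete a TLS handshake with a server presenting a mismatched ServerKeyExchange signature, and why a test page that serves exactly such a handshake can tell a vulnerable client from a patched one.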

John Gruber wrote a great post on Daring Fireball regarding this SSL vulnerability issue and NSA exploits on iOS.

According to Jeffrey Grossman’s tweet (Jeffrey903):

I have confirmed that the SSL vulnerability was introduced in iOS 6.0. It is not present in 5.1.1 and is in 6.0 /cc @markgurman

Tin foil hat might be handy, as a sleeper NSA agent might be working at Apple.

Four months on, Google+ Hangouts for iOS is still better than its Android counterpart.

Google+ Hangouts for iOS gained Google Voice integration back on October 18, 2013 while its Android counterpart is still without this feature.

Google Hangouts Phone Dialer on iPhone 5s

This sure infuriated some hardcore Android users; their comments unintentionally became comedy gold.

According to Nikhyl Singhal, a Google employee:

  •  Finally, we want to make Google Voice as secure as possible. There are a few third-party applications that provide calling and SMS services by making unauthorized use of Google Voice. These apps violate our Terms of Service and pose a threat to your security, so we’re notifying these app developers that they must stop making unauthorized use of Google Voice to run their services and transition users by May 15, 2014.

Reading between the lines, there seems to be an inherent security issue in Android Platform and/or Google Voice. If not, Google would have already deployed Google Voice integration within Hangouts for Android.

I want Google Voice integration within Hangouts on my Nexus 4; and so does my colleague with his Nexus 5. I guess we all still have to wait.


Spam Alert: Fake Drive Service Email

It seems that the same scammers/spammers who have been sending the Dropbox and Picasa phishing emails are at it again.

The spam pretends to come from "Drive Service", which does not exist.

Spam Drive Service

This particular “Drive Service” spam includes a modified privacy policy from Livedrive (livedrive.com).

Spam purporting from Drive Service

Another spam purports to be from "HomeVideo Library", which is likely non-existent.

Spam Fake HomeVideo Library

Yahoo Acknowledges Hacking Attempt, Resets Passwords for Affected Accounts

From Yahoo Tumblr blog:

Security attacks are unfortunately becoming a more regular occurrence. Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts.

Based on our current findings, the list of usernames and passwords that were used to execute the attack was likely collected from a third-party database compromise. We have no evidence that they were obtained directly from Yahoo’s systems. Our ongoing investigation shows that malicious computer software used the list of usernames and passwords to access Yahoo Mail accounts. The information sought in the attack seems to be names and email addresses from the affected accounts’ most recent sent emails.

Yahoo has initiated a password reset for affected accounts.

Upon reading this announcement I changed the passwords to all my Yahoo account. Yes, I do have multiple Yahoo accounts.

Yahoo Password Reset

Picasa Phishing Spam

We’ve been getting reports from a lot of people that they are also getting the fake Picasa email.

First and foremost, Picasa (Google) does not send you any email regarding your photos. There is no Picasa Photo Contest. Picasa does not actively "search" for your damaged photos.

Here are some screenshots of the phishing spam emails:

Picasa phishing spam screenshots 1 through 6