The Security Pub

Random Thoughts About Security

Location Tracking on Mobile Devices Introduces More Privacy Concerns

Last week it was brought to everyone’s attention that a hidden feature of Apple iOS 4 is secretly tracking and saving geolocation data on iPhones and iPads. This data is also stored on any computer you use to sync the device(s) with iTunes.

A video of Warden and Allan discussing their discovery is below, courtesy of O’Reilly and Where 2.0. The two have also published a FAQ that provides more details on the discovery and its implications.

Later that week there was talk of the same type of information being collected and stored on Android mobile devices. According to new research by security analyst Samy Kamkar, an HTC Android phone collected its location every few seconds and transmitted the data to Google at least several times an hour. It also transmitted the name, location and signal strength of any nearby Wi-Fi networks, as well as a unique phone identifier.

According to research firm Gartner, Google and Apple are gathering location information as part of their race to build massive databases capable of pinpointing people’s locations via their cellphones. These databases could help them tap the market for location-based services.

And now today it has been reported that Windows Phone devices are also collecting and sending location data to Microsoft. Microsoft has said that when location services on a Windows Phone are switched on, the device transmits a unique ID along with nearby wireless networks, their signal strength, and GPS-derived location to the company’s servers. Microsoft also claims that Windows Phones don’t store any of the locations on the device itself.


Apple’s Ping Social Network Is Being Exploited

I bet Apple didn’t expect this when they released iTunes 10 and the new iTunes Ping, a social network for music. Spammers and scammers have quickly exploited this new feature, which launched on Wednesday. Ping is a cross between Facebook and Twitter, giving over 160 million iTunes users the ability to build networks of friends.

Sophos researchers have found that Ping is being overrun by scams and spam messages, some of which try to trick users into believing they will receive a free iPhone if they complete online surveys.

“Most of the security industry has been pointing out the migration of spam from an email-only venture to blog/forum comments, Facebook, Twitter and other Web 2.0 platforms,” writes Chester Wisniewski of Sophos. “But apparently Apple didn’t consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams.”

More information about the Ping spam attacks, including screenshots, can be found in Chester Wisniewski’s blog post at Sophos.

iTunes Update Addresses WebKit Flaw

The latest version of iTunes for Windows addresses 13 security vulnerabilities, as well as adding much-publicised social networking functionality.

iTunes 10 for Windows addresses flaws in the media player’s WebKit browser that were fixed in Safari late last month with version 5.0.1 and 4.1.1 of Apple’s browser software.

Apple’s advisory on the security content of iTunes 10 can be found here.

Apple.com Hacked By Mass SQL Injections

A hack attack that can expose users to malware exploits has infected more than 1 million web pages, at least two of which belong to Apple. The SQL injection attacks bombard the websites of legitimate companies with database commands that attempt to add hidden links leading to malware exploits. While most of the sites that fell prey appear to belong to mom-and-pop operations, two of the infections hit pages Apple uses to promote iTunes podcasts, as this Google search shows. The malicious links appear to have been removed since Google last indexed the pages in early August.

Check out the article – [The Register]

Jailbroken iPhones Compromised

Yesterday Dancho Danchev reported that the following message popped up on the screens of a large number of automatically exploited Dutch iPhone users, demanding $4.95 for instructions on how to secure their iPhones and stop the message from appearing at startup:

“Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your phone right now!”

Read the article here, and if you would like to know how to change your SSH root password, the instructions are below.

  1. Install MobileTerminal on your iPhone.
  2. Start MobileTerminal, type the command login and press Enter.
  3. Type root and press Enter.
  4. Type in the root password, which should be the default: alpine.
  5. Now you’re ready to change the password. Do this by typing the command passwd and pressing Enter.
  6. Type in the new password and press Enter.
  7. Type in the new password once more and press Enter.
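Added example (not from the original post): a small POSIX sh pre-check you can run in MobileTerminal before step 5, so the value you hand to passwd is not the shipped default and is not trivially weak. The 10-character minimum and the three-character-class rule are assumptions chosen for this example; the stty calls assume stty is present on the device.

```shell
#!/bin/sh
# Added example, not part of the original post. Validates a candidate root
# password before it is given to passwd on a jailbroken iPhone.

DEFAULT_ROOT_PW="alpine"   # the iOS default root password named in the post

# check_new_password CANDIDATE -> returns 0 if acceptable, 1 otherwise.
# Rules (assumed policy for this example): not the default, at least 10
# characters, and at least three of: lower, upper, digit, symbol.
check_new_password() {
    pw="$1"
    if [ "$pw" = "$DEFAULT_ROOT_PW" ]; then
        echo "rejected: still the default password" >&2; return 1
    fi
    if [ "${#pw}" -lt 10 ]; then
        echo "rejected: shorter than 10 characters" >&2; return 1
    fi
    classes=0
    case "$pw" in *[a-z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[0-9]*) classes=$((classes + 1)) ;; esac
    case "$pw" in *[!A-Za-z0-9]*) classes=$((classes + 1)) ;; esac
    if [ "$classes" -lt 3 ]; then
        echo "rejected: use at least three of lower, upper, digit, symbol" >&2
        return 1
    fi
    return 0
}

# Interactive use (mirrors steps 5-7 of the post, with the check in front):
#   sh check_pw.sh run
# Only runs when "run" is passed, so the file can also be sourced safely.
if [ "${1:-}" = "run" ]; then
    printf 'New root password: '; stty -echo; read -r pw1; stty echo; echo
    printf 'Repeat new password: '; stty -echo; read -r pw2; stty echo; echo
    [ "$pw1" = "$pw2" ] || { echo "passwords do not match" >&2; exit 1; }
    check_new_password "$pw1" || exit 1
    passwd   # passwd prompts again; enter the same value twice as in steps 6-7
fi
```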

Now your SSH root password is changed and you should not be as vulnerable. However, DON’T FORGET YOUR PASSWORD!!!