Home Tags Apple ios

Tag: apple ios

Ransom scam exploits Apple iOS Safari flaw to target porn viewers

The scareware campaign duped victims into paying a ransom.

C++ toolkit helps shorten the path to AI apps

Hoping to spread development of artificial intelligence applications, neural network platform builder Neurala is offering a toolkit that uses C++ for building AI applications. The Neurala Developers Program includes C++ APIs, testing tools, code sa...

A look at the CIA’s internal dank meme division

The CIA's malware development team dug deep into geek culture.

Google open-sources Chrome browser for iOS

Google is open-sourcing its Chrome browser on the Apple iOS platform, after making changes enabling the code to be part of Google’s Chromium browser project. The code will be moved to the open source Chromium repository, which lets developers build their own Chrome-like browsers.
It had been kept separate from Chromium because of Apple's requirement that all iOS browsers be built on the Apple-controlled WebKit rendering engine.[ Safeguard your browsers; InfoWorld's experts tell you how in the "Web Browser Security Deep Dive" PDF guide. | Cut to the key news in technology trends and IT breakthroughs with the InfoWorld Daily newsletter, our summary of the top tech happenings. ] But after years of refactoring to cleanly separate WebKit from the Chrome for iOS code, the Chrome for iOS code is rejoining Chromium, Google said in a bulletin. (Chrome on other operating systems uses Google's own Blink browser engine.) Developers can compile the iOS version of Chromium like they can for other Chromium versions.

Google said it had spent a lot of time during the past several years making changes required to move the code for Chrome for iOS into Chromium.To read this article in full or to leave a comment, please click here

JSA10770 – 2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in...

CVE CVSS base score Summary CVE-2016-1762 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) The xmlNextChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document. CVE-2016-444...

JSA10774 – 2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple...

CVE CVSS base score Summary CVE-2015-5600 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices withi...

Android Banking Trojan Malware Disguises Itself As Super Mario Run

The Trojan disguises itself as Super Mario Run to trick users into giving up bank account details and credit card numbers. Image: Nintendo Cybercriminals are taking advantage of Android users who are desperate to play Nintendo's wildly popular Super Ma...

Apple IOS 10.2 and macOS 10.12.2 Debut Fixing Security Flaws

Apple is out with what is likely its' final security patch update of 2016, debuting the new macOS 10.2.2 operating system for desktops and the IOS 10.2 release for mobile devices. Apple is updating both its desktop macOS Sierra and mobile IOS operating...

Kaseya AuthAnvil Safeguards Microsoft Office 365 Customers

New integrated SSO, MFA, user-provisioning and risk-based network and application policy capabilities close critical business security holes in IAMLONDON, UK - November 16, 2016 – Kaseya®, the leading provider of complete IT management solutions for Managed Service Providers (MSPs) and small to mid-sized businesses (SMBs), today announced the immediate availability of the latest release of Kaseya AuthAnvil on-demand.

Delivering a new level of security all within a single identity and access management (IAM) solution, the technology now provides easy single sign on (SSO), multifactor authentication (MFA) and automated user provisioning for Microsoft Office 365. AuthAnvil Office 365 Microsoft Office 365 commercial subscriptions have ballooned in 2016, up 40 percent from the previous year to 85 million subscribers.

As companies around the world continue to embrace the shift to the cloud, millions of Microsoft Office 365 corporate users now have access to Kaseya AuthAnvil’s patented password management, MFA and SSO capabilities to further secure both employee and customer environments in the cloud. SSO support for Office 365 adds one of the most popular business applications to Kaseya's growing library of thousands of applications supported by AuthAnvil.

The technology provides end users with the simplicity and time savings of securely signing in once to access all applications without having to remember multiple passwords, accounts and login information. With its MFA capabilities, Kaseya AuthAnvil provides an added, easy-to-use layer of security to protect businesses from increasingly common password breaches at popular services and sites, such as LinkedIn, Dropbox, Yahoo and others. Kaseya's MFA supports common end-user devices, such as Apple iOS, Android phones and tablets, Windows 10 or the new U2F protocol, and meets the latest requirements of NIST 800-60 for mobile MFA, HIPAA, FFIEC and PCI standards. Kaseya AuthAnvil goes beyond security, compliance and usability by automatically provisioning Office 365 user accounts as part of the authentication process.

By directly tying into a company’s existing Active Directory or other user directory, AuthAnvil can automate both Office 365 user provisioning and privileges assignment.

As a result, IT administrators no longer have the burden of having to create user accounts and assign common services and privileges – such as SharePoint, OneDrive and mail. Additionally, Kaseya introduces an industry-first with its risk-based network and application authentication process engine.

This technology makes it simple for administrators to create fine-grained compliance controls for users, networks and applications. Using a simple, visual, policy interface, administrators can quickly and easily create authentication rules using a risk-based approach.

Access can be controlled not only based on any user attribute, but also based on geo-location, time, type of network or individual application usage. To learn more about the new Kaseya AuthAnvil release, please visit: www.authanvil.com. Supporting Quotes“Microsoft Office 365 is at the heart of many of our customers’ businesses, as well as our own.
So security is paramount for this application.

AuthAnvil’s latest support for O365 is a game changer.

The integration of single sign on, multifactor authentication and automatic user provisioning means our customers can trust that our own environment is as secure as possible, and that we have the capability and know how to safeguard theirs,” said Bill Burke, CIO, Corporate IT Solutions. “Plain and simple – AuthAnvil just works.” “It’s not easy to strike a balance between a seamless user experience and top notch security, but that is exactly what Kaseya AuthAnvil accomplishes,” said Jason Shirdon, vice president of operations, Ease Technologies. “With AuthAnvil, we’re able to comprehensively manage our IAM needs both efficiently and consistently.

As an MSP, our clients rely on us to be security conscious, which is why we use AuthAnvil.” “The growth of the cloud is in a historic phase right now, and Microsoft Office 365 is one of the leading drivers of this advancement.

That said, security remains a leading concern for all organisations as corporate data increasingly resides outside IT firewalls.

The latest release of Kaseya AuthAnvil locks down two key threat vectors to hybrid cloud environments: endpoint security and network access,” said Mike Puglia, chief product officer for Kaseya. “With Kaseya AuthAnvil, our multiple layers of security checks and balances ensure that access is limited to authorised users only, giving IT leaders peace of mind in the security of their corporate information.” About KaseyaKaseya is the leading provider of complete IT Management solutions for Managed Service Providers and small to midsized businesses. Kaseya allows organisations to efficiently manage and secure IT in order to drive IT service and business success. Offered as both an industry-leading cloud solution and on-premise software, Kaseya solutions empower businesses to command all of IT centrally, manage remote and distributed environments with ease, and automate across IT management functions. Kaseya solutions currently manage over 10 million endpoints worldwide and are in use by customers in a wide variety of industries, including retail, manufacturing, healthcare, education, government, media, technology, finance and more. Kaseya, headquartered in Dublin, Ireland, is privately held with a presence in over 20 countries.

To learn more, please visit www.kaseya.com. ### Media ContactAlex SweeneyThe Whiteoaks ConsultancyPhone +44 1252 727 313Email: alexs@whiteoaks.co.uk

Pokémon GO or No Go? Mobile Games May Pose More Risks...

Many mobile games can access sensitive functions and data on employer-issued devices including SMS, social networking, location services & tracking and calendar accessMaidenhead, U.K. – Oct. 18, 2016 – Augmented reality, fueled most recently by the Pokémon GO sensation, and virtual reality gaming opportunities are beginning to really open up on mobile platforms. According to IDC, the number of smartphone and tablet gamers should increase to more than 1.9 billion in 2020. Millions of mobile device users are predicted to play these types of games within a few years, and the workplace is not immune. According to a new report, “It’s Not All Fun and Games: A BYOD Reality Check for Companies”, many of these popular apps could violate corporate risk policies. “Some employees care about data security and privacy when they curate the apps they download to their mobile phones, but many don’t,” said Maureen Polte, Vice President of Product Management at Flexera Software. “When those phones are Bring Your Own Device, poor employee choices suddenly impact corporate risk. That is why Application Readiness automation – commonly used by companies to test their enterprise applications – must be extended to mobile apps, so CIOs can have a firm understanding of which ones violate their BYOD policies.” The report found that of the almost 60 popular Apple iOS mobile games tested[1]: 73 percent, including Angry Birds, AR Defender 2, Bejeweled Classic, Bubble Shooter, Clash of Clans, Clash Royale, Color Switch, Game of War, Mobile Strike, Pokémon GO and Slither, support Location Services & Tracking. 68 percent, including Angry Birds, Bejeweled Classic, Bubble Shooter, Clash of Clans, Clash Royale, Color Switch, Game of War, Mobile Strike and Slither, support Social Networking. 58 percent, including Angry Birds, Bejeweled Classic, Bubble Shooter, Clash of Clans, Clash Royale, Color Switch and Slither, support Calendar Access. 54 percent, including Angry Birds, AR Defender 2, Bejeweled Classic, Bubble Shooter, Color Switch and Slither, support SMS. “Unfortunately, not all mobile app developers are trustworthy,” added Polte. “CIOs must have a centralised, automated and repeatable Application Readiness process to identify and test those apps to determine what they do, and whether they comply or collide with an organisation’s BYOD policies. To compile the report, Flexera Software identified almost 60 widely used gaming applications, representing a small sampling of those that can be found in the Apple App Store and that could easily be downloaded by employees to a corporate-issued or BYOD device. These apps were tested using AdminStudio Mac® and Mobile, an Application Readiness solution that helps organisations identify, manage, track and report on mobile apps, simplify mobile application management, reduce mobile app risk, and address the rapidly growing demand for mobile apps in the enterprise. # # # [1]The apps tested were: 100 Balls, Angry Birds, Angry Birds Rio, AR Defender 2, Baby Twins – Terrible Two, Batman: Arkham Underworld, Bejeweled Classic, Bubble Shooter, Buddyman Run, Candy Crush, Clash of Clans, Clash of Kings, Clash Royale, Color Switch, Cookie Jam, Crossy Road, CSR Racing 2, Despicable Me: Minion Rush, Dictator: Emergence, Diner Dash, Disney Emoji Blitz, Doodle Jump Free, Drop Out, Eggs, Inc., Episode – Choose Your Story, Farm Heroes, Farm Heroes Saga, FIFA 16 Ultimate Team, Game of War, Hand of God, Happy Wheels, Harvest Swap, Hay Day, Hungry Shark Evolution, Ingress, Jetpack Joyride, Kendall and Kylie, Micro Machines, Mobile Strike, Mr Jump, NBA Live Mobile, PartyPoker, Piano Tiles, Pokémon GO, Quizduell, Rolling Sky, Slither.io, Snappy Bird: New Season, Soccer Stars, Stack, Steps, Subway Surfers, Talking Tom Gold Run, Temple Run, Temple Run 2, The Sims FreePlay, Walking Dead, Words with Friends and Zynga Poker Classic – Texas Holdem. Resources: Download the Report http://resources.flexerasoftware.com/web/pdf/WhitePaper-AR-BYOD-Mobile-Games-Fun-and-Games.pdf?utm_source=Marketwired&utm_campaign=ARMobileGames2016&utm_medium=PR Learn more about: Follow Flexera Software on… About Flexera SoftwareFlexera Software helps application producers and enterprises increase application usage and security, enhancing the value they derive from their software. Our software licensing, compliance, cybersecurity and installation solutions are essential to ensure continuous licensing compliance, optimised software investments, and to future-proof businesses against the risks and costs of constantly changing technology. A marketplace leader for more than 25 years, 80,000+ customers turn to Flexera Software as a trusted and neutral source of knowledge and expertise, and for the automation and intelligence designed into our products. For more information, please go to: www.flexerasoftware.com. For more information, contact:Vidushi Patel/ Nicola MalesVanilla PRprflexera@vanillapr.co.uk+44 7958474632 / +447976652491 Copyright© 2016 Flexera Software LLC. All other brand and product names mentioned herein may be the trademarks and registered trademarks of their respective owners.

‘Flaw’ in iOS 10 private browsing… not as bad as it...

At least according to (indie) experts Independent security experts have downplayed concerns about a reported flaw in iOS 10 private browsing. Stacey Jury, a digital forensic analyst at IntaForensics, found that the private browsing mode in Apple iOS 10 is not foolproof, since it does not delete your data correctly, leaving it open to recovery. “Apple have made the private browsing feature in Safari less ‘private’ in IOS 10… suspend state is now stored in a database which means recovering deleted records is now possible,” Jury explains. Using a iPhone 5S running IOS 10.0.1, Jury says she was able to recover web pages opened in Safari’s private mode from a database using XRY, a computer forensics tool, detailed in a blog post by IntaForensics here. Apple routinely ignores request for security comment from El Reg, so we’re not sure whether or not a fix for the reported flaw is in the works. Russian computer forensics software firm Elcomsoft, which we approached for comment on IntaForensics research, said it hasn’t come across any major issues in “private mode” browsing with the latest version of Apple’s smartphone and tablet software. “We looked at iOS private browsing mode a little bit, but have not found any issues - implementation seems to be good enough; all temp files seem to be properly deleted, visited links are not being saved in history etc,” Vladimir Katalov of ElcomSoft told El Reg. Other independent third parties also played down the significance of the vulnerability reported by IntaForensics. Lee Munson, security researcher for Comparitech.com, commented: “The flaw only relates to iPhone and iPad backups saved directly through iTunes on a Mac or PC, rather than via iCloud - which is the method adopted (knowingly or otherwise) by the majority of Apple’s customers.” He added: “That small subset of fruity fans that do manually back up are hardly at risk either – as long as their Mac or PC is itself secured via a strong password (a long mixture of letters, numbers and symbols), they have very little to worry about.” ®

Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone...

Victims of 'lawful intercepts' include human rights activists and journalist, researchers from Citizen Lab and Lookout say. Apple’s much vaunted reputation for security took a bit of beating this week with two separate reports identifying serious vulnerabilities in its iOS operating system for iPhones and iPads. One of the reports, from security firm Lookout and the University of Toronto’s Citizen Lab, details a trio of zero-day vulnerabilities in iOS, dubbed Trident, that a shadowy company called the NSO Group has been exploiting for several years to spy on targeted iOS users. The NSO Group is based in Israel but owned by an American private-equity firm.  The company has developed a highly sophisticated spyware product called Pegasus that takes advantage of the Trident zero-day exploit chain to jailbreak iOS devices and install malware on them for spying on users. In an alert this week, security researchers at Citizen Lab and Lookout described Pegasus as one of the most sophisticated endpoint malware threats they had ever encountered.

The malware exploits a kernel base mapping vulnerability, a kernel memory corruption flaw and a flaw in the Safari WebKit that basically lets an attacker compromise an iOS device by getting the user to click on a single link. All three are zero-days flaws, which Apple has addressed via its 9.3.5 patch.

The researchers are urging iOS users to apply the patch as soon as possible. Pegasus, according to the security researchers, is highly configurable and is designed to spy on SMS text messages, calls, emails, logs and data from applications like Facebook, Gmail, Skype, WhatsApp and Viber running on iOS devices. “The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete,” the researchers said in their alert. Evidence suggests that Pegasus has been used to conduct so-called ‘lawful intercepts’ of iOS owners by governments and government-backed entities.

The malware kit has been used to spy on a noted human rights activist in the United Arab Emirates, a Mexican journalist who reported on government corruption and potentially several individuals in Kenya, the security researchers said. The malware appears to emphasize stealth very heavily and the authors have gone to considerable efforts to ensure that the source remains hidden. “Certain Pegasus features are only enabled when the device is idle and the screen is off, such as ‘environmental sound recording’ (hot mic) and ‘photo taking’,” the researchers noted.   The spyware also includes a self-destruct mechanism, which can activate automatically when there is a probability that it will be discovered. Like many attacks involving sophisticated malware, the Pegasus attack sequence starts with a phishing text—in this case a link in an SMS message—which when clicked initiates a sequence of actions leading to device compromise and installation of malware. Because of the level of sophistication required to find and exploit iOS zero-day vulnerabilities, exploit chains like Trident can fetch a lot of money in the black and gray markets, the researchers from Citizen Lab and Lookout said.

As an example they pointed to an exploit chain similar to Trident, which sold for $1 million last year. The second report describing vulnerabilities in IOS this week came from researchers at the North Carolina State University, TU Darmstadt, a research university in Germany and University Politehnica in Bucharest. In a paper to be presented at an upcoming security conference in Vienna, the researchers said they focused on iOS’ sandbox feature to see if they could find any security vulnerabilities that could be exploited by third-party applications.

The exercise resulted in the researchers unearthing multiple vulnerabilities that would enable adversaries to launch different kinds of attacks on iOS devices via third-party applications. Among them were attacks that would let someone bypass iOS’ privacy setting for contacts, gain access to a user’s location search history, and prevent access to certain system resources.
In an alert, a researcher who co-authored the paper said that the vulnerabilities have been disclosed to Apple, which is now working on fixing them. Related stories: Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
View Full Bio More Insights