News & Updates

According to Elcomsoft, iPhones and iPads automatically send call history to Apple when iCloud is enabled, and the company stores the data for up to four months.

According to the digital forensics firm Elcomsoft, Apple mobile devices automatically send call history to the company when iCloud is enabled, and Apple stores the data for up to four months.

The only way to prevent such activity is to completely disable the cloud synchronization feature.

“iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.” reads the analysis published by Elcomsoft.

Elcomsoft's tools can help determine what personal data is synchronized with Apple's servers and how to prevent it.

When the iCloud feature is enabled, Apple mobile devices automatically collect and send back to the company private information such as call history, phone numbers, and call metadata (e.g. call duration).

The iPhone also sends call information collected from third-party VoIP applications, including Facebook Messenger, Viber, WhatsApp, and Skype.


Security experts highlighted the weak protection of user data in Apple iCloud, which could be easily accessed by law enforcement.

“So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement.” continues Elcomsoft.

Call logs are sent to Apple in near real time whenever iCloud Drive is enabled. Users who want to stop sharing their logs with Apple need to disable iCloud Drive completely, which affects many applications.

“Syncing call logs happens almost in real time, though sometimes only in a few hours,” says Elcomsoft CEO Vladimir Katalov. “But all you need to have is just iCloud Drive enabled, and there is no way to turn that syncing off, apart from just disabling iCloud Drive completely. In that case, many applications will stop working or lose iCloud-related features completely.”

Apple, of course, defends its iCloud sync feature, stating that customer data is encrypted and protected by a two-factor authentication mechanism.

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data. That is why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.” is the official statement from the company.


Pierluigi Paganini

(Security Affairs – iPhone, mobile)

The post Are you an iPhone user? Your call history is uploaded on iCloud too appeared first on Security Affairs.

Source: Security affairs

Three, one of UK’s biggest mobile operators, has become the latest victim of a massive data breach that reportedly left the personal information and contact details of 6 Million of its customers exposed.

The company admitted the data breach late Thursday, saying that computer hackers gained access to a Three Mobile customer phone upgrade database containing the account details of nearly 6


Source: http://feeds.feedburner.com/TheHackersNews

In the fight against encryption, Apple has positioned itself as a staunch defender of its user privacy by refusing the federal officials to provide encryption backdoors into its products, as well as implementing better encryption for its products.

However, a new report from a security firm suggests Apple’s online syncing service iCloud secretly stores logs of its users’ private information


Source: http://feeds.feedburner.com/TheHackersNews

The UK carrier Three Mobile confirmed a major cyber security breach which could have exposed the personal data of millions of customers.

Bad news for the UK carrier Three Mobile: cyber criminals have broken into a company database containing customer personal details, exposing the details of possibly six million customers.

The news was reported by many media outlets that cited the National Crime Agency (NCA) and the Three Mobile company.

“Three Mobile cyber hack: six million customers’ private information at risk after employee login used to access database” reports The Telegraph.

According to The Telegraph, Three Mobile admitted that hackers have accessed its customer upgrade database by using an employee login.

“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.” said a company spokesman. 

“This upgrade system does not include any customer payment, card information or bank account information,” the spokesman said.

“Sources familiar with the incident told the Telegraph that the private information of two thirds of the company’s nine million customers could be at risk” continues The Telegraph.


Fortunately, payment data (i.e. credit card and bank account data) was not exposed, but the hackers did have access to customer names, addresses, phone numbers, and dates of birth.

Investigators believe the hackers broke into the Three Mobile database to find customers eligible for handset upgrades and then placed orders on their behalf; the new smartphones were redirected to the criminals and resold on a parallel market.

This kind of scam is on the rise: crooks order handset upgrades in the customers' names and then steal the mobile devices while they are in transit.

A Three Mobile spokesman confirmed a significant increase in attempted phone fraud over the past four weeks, adding that the increase also includes burglaries of Three retail stores.

The NCA has already arrested three men, two on computer misuse allegations and one on suspicion of attempting to pervert the course of justice.

“The investigation is ongoing and we have taken a number of steps to further strengthen our controls,” added the company spokesman.

The Three Mobile data breach follows the TalkTalk breach of October 2015, when the details of more than 150,000 customers were stolen, including the bank account details of around 15,000.

The impact on the company was significant: it lost 95,000 subscribers as a result of the attack, which cost it £60 million.


Pierluigi Paganini

(Security Affairs – Three Mobile, data breach)

The post Three Mobile cyber data breach, six million customers’ private data at risk appeared first on Security Affairs.

Source: Security affairs

Drupal developers have released updates for versions 7 and 8 that fix security issues which could expose websites to cyber attacks.

The Drupal development team has released security updates for versions 7 and 8. The updates fix security vulnerabilities that could expose websites running on the popular CMS and data they manage to security risks, including information disclosure, cache poisoning, redirection to third-party sites and a denial-of-service (DoS).

The new releases, Drupal 7.52 and Drupal 8.2.3, fix four vulnerabilities rated “moderately critical” and “less critical.”

  • Inconsistent name for term access query (Less critical – Drupal 7 and 8).
  • Incorrect cache context on password reset page (Less critical – Drupal 8).
  • Confirmation forms allow external URLs to be injected (Moderately critical – Drupal 7).
  • Denial of service via transliterate mechanism (Moderately critical – Drupal 8).

In one attack scenario, a malicious actor could cause a DoS condition simply by sending specially crafted URLs to the transliteration mechanism, which is used to replace certain characters, such as those used in Russian and Greek, with universally displayable US-ASCII characters.

“A specially crafted URL can cause a denial of service via the transliterate mechanism.” reads the security advisory.

In the case of the second flaw rated “Moderately critical”, under certain circumstances attackers could use a specially crafted URL to a confirmation form to redirect users to a third-party website after they interact with the form. In this way, users could be exposed to a wide range of social engineering attacks.


A “less critical” flaw resides in the user password reset form, which does not specify a proper cache context; this can lead to cache poisoning and unwanted content on the page.

The last “less critical” issue, which affects both Drupal 7 and 8, is related to inconsistent names for term access queries. The flaw can lead to taxonomy term information being disclosed to unprivileged users.

It is very important for websites running on Drupal to apply the security updates to avoid being hacked. In June 2016, experts from the security firm Sucuri reported that, more than 19 months after the public disclosure of CVE-2014-3704, many websites were still exposed to cyber attacks leveraging the flaw. For this reason, experts called the flaw Drupalgeddon.


Pierluigi Paganini

(Security Affairs – patch management, hacking)

The post Drupal releases security updates to fix four vulnerabilities in versions 7, 8 appeared first on Security Affairs.

Source: Security affairs

It took nearly 10 years, but authorities have finally targeted and taken down What.cd, which had risen to become the Internet’s largest invite-only, music-trading torrent site.

The news was confirmed by the tracker’s official Twitter account on Thursday via two posts: “We are not likely to return any time soon in our current form. All site and user data has been destroyed. So long, and thanks for all the fish.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Artist concept of the Space Launch System. (credit: NASA/MSFC)

With a new presidential administration promising to review its human spaceflight activities, NASA on Thursday continued to signal a willingness to consider alternatives to its exploration systems—the Space Launch System rocket, Orion spacecraft, and related ground systems developed at Kennedy Space Center to support their launch later this decade and in the 2020s.

In its latest request for information (RFI) released Thursday afternoon, NASA seeks solutions from industry and academia to maximize “the long term efficiency and sustainability” of its exploration systems programs. Essentially, NASA wants ideas on how best to cut the production and operations costs for its SLS rocket and Orion spacecraft, which presently consume more than $3 billion annually in development costs. However, the RFI also offers respondents the opportunity to submit ideas about rockets and spacecraft that might compete with NASA’s own vehicles for exploration funds.

Specifically, the document requests responses about: “Competing exploration services in the mid-2020s timeframe and beyond if the market demonstrates such services are available, reliable, and consistent with NASA architectural needs.” Ars understands this to mean that if private competitors such as SpaceX, Blue Origin, United Launch Alliance, or other companies produce less expensive rockets and spacecraft within the next five to seven years, NASA will consider using them in lieu of SLS and Orion.


Source: http://feeds.arstechnica.com/arstechnica/index/

The iPhone 6 and 6 Plus. (credit: Andrew Cunningham)

If you’ve been having touchscreen problems with your iPhone 6 Plus, Apple has a fix for you if you’re willing to pay for it. The “iPhone 6 Plus Multi-Touch Repair Program” is for phones that are either having trouble registering touchscreen input or that have flickering displays as a result of “being dropped multiple times on a hard surface and then incurring further stress on the device.”

Unlike past iPhone repair programs—a list which includes the power button and battery in the iPhone 5 and the camera in the iPhone 6 Plus—Apple is charging a $149 service fee to replace iPhones affected by the problem. Even then, Apple says your phone needs to be “in working order” and can’t have a cracked or broken screen. If you have previously paid for a repair related to these problems, Apple says that you can contact the company to be reimbursed for whatever you paid beyond $149.

Based on Apple’s description of the problem, it sounds like this could be a fix for a problem that iFixit and independent iPhone repair shops brought to light a few months ago. Colorfully dubbed “Touch Disease,” iFixit says that the problem is caused by touchscreen controller chips that can come loose from the logic board. The controllers in question were moved from the logic board into the display assembly in the iPhone 6S, which iFixit speculates is the reason why later variants of the iPhone 6 design aren’t susceptible to the same problem.


Source: http://feeds.arstechnica.com/arstechnica/index/

WASHINGTON, DC – NOVEMBER 10: President Barack Obama talks with President-elect Donald Trump in the Oval Office of the White House. (credit: Getty | The Washington Post)

Of all the hot-button issues chucked around during the Presidential election, healthcare landed as the top priority of Americans in a post-election Reuters/Ipsos poll released Thursday.

About 21 percent of the 1,782 Americans polled said that healthcare should be the primary focus of President-elect Trump’s first 100 days in office. Jobs came in as the second most pressing issue, selected by 16 percent. Immigration came in third, picked by 14 percent. The online poll, conducted from November 9 to 14, drew from all 50 states and had an accuracy of three percentage points.

Though the poll doesn’t reveal what Americans want changed about the country’s complex healthcare system, it may signal frustration with the Affordable Care Act (aka Obamacare), President Obama’s signature piece of healthcare legislation. Trump vowed during his campaign to quickly repeal and replace the law once in office. But since being elected, Trump has walked back that plan, saying he would consider preserving some Obamacare elements. Namely, he’s gone on record as tentatively wanting to prevent health insurance companies from denying coverage based on pre-existing conditions and allowing children to stay on their parents’ plans until the age of 26.


Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Tesla)

On Thursday afternoon, Tesla announced that its investors and SolarCity investors agreed to a $2.6 billion all-stock merger of the two companies. The decision passed with an 85 percent vote of approval.

SolarCity shareholders will receive 0.11 Tesla shares for every share of SolarCity stock they own.

The deal had been a topic of some controversy since Tesla announced the proposed merger in June. Investors were suspicious of Tesla adding more debt to its books and were uncertain why Tesla had to buy SolarCity. Tesla CEO Elon Musk spent the interim months convincing shareholders that the deal would be mutually beneficial and would create “cost synergies” for both companies—SolarCity panels would be able to be sold alongside Powerwall stationary storage batteries and Tesla vehicles at the same storefront, for example.


Source: http://feeds.arstechnica.com/arstechnica/index/