Saturday, 22 February 2014

Apple security flaw could allow hackers to beat encryption

Apple's iPhone 5Cs phones are displayed on racks bearing the logo of China Mobile, at a mobile phone shop in Beijing December 23, 2013. REUTERS/Kim Kyung-Hoon
A major flaw in Apple Inc (AAPL.O) software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed.
If attackers have access to a mobile user's network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.
Apple did not say when or how it learned about the flaw in the way iOS handles sessions in what are known as secure sockets layer or transport layer security, nor did it say whether the flaw was being exploited.
But a statement on its support website was blunt: The software "failed to validate the authenticity of the connection."
Apple released software patches and an update for the current version of iOS for iPhone 4 and later, 5th-generation iPod touches, and iPad 2 and later.
Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site, Green said.
After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, which runs on Apple laptop and desktop computers. No patch is available yet for that operating system, though one is expected soon.
Because spies and hackers will also be studying the patch, they could develop programs to take advantage of the flaw within days or even hours.
The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.
Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.
The company was recently stung by leaked intelligence documents claiming that authorities had a 100 percent success rate in breaking into iPhones.

Friday's news suggests that enterprising hackers could have had great success as well if they knew of the flaw.
Hope you enjoyed the post....

Samsung to unveil first smartwatches with own Tizen platform

A man walks out of Samsung Electronics' headquarters in Seoul January 6, 2014. REUTERS/Kim Hong-Ji/Files


Samsung Electronics Co (005930.KS) is to unveil on Sunday its first wearable smartwatch powered by its Tizen platform in its latest attempt to distance itself from Google Inc (GOOG.O) and enhance its software and services.
Samsung has been jointly developing its mobile platform with Intel Corp (INTC.O), as the dominance of Google's free Android software, which Samsung uses for its Galaxy line of products, continues to grow and is now used in almost 80 percent of the global smartphone market.
The South Korean company is due to unveil two new smartwatches on Sunday, less than six months after it introduced the Galaxy Gear wristwatch, then running on Android, to prove that it is more than just a fast follower in innovation behind rival Apple Inc (AAPL.O).
The Galaxy Gear wristwatch has been criticised for its clunky design and difficult-to-use features.
The launch also underscores Samsung's desire to come up with new products to revive slowing momentum in its mobile business, the tech giant's biggest earnings driver, as sales of high-end smartphones have eased in many advanced markets.
For the new Galaxy Gear 2 and Neo 2, to be unveiled at an annual trade fair in Barcelona on Sunday, Samsung has not significantly upgraded the hardware on offer.
Instead, it has moved a camera to the watch's main body from the strap and added a couple of enhanced software offerings such as remote TV controlling, fitness features like heart rate monitoring, and a standalone music player function, Samsung said in a statement.
The Neo does not have a camera.

The new devices, which will be followed by Samsung's new flagship smartphone to be announced on Monday, will go on sale globally in April.

Apple promises fix "very soon" for Macs with failed encryption

Apple Inc CEO Tim Cook speaks about their new Mac Book computers during an Apple event in San Francisco, California October 22, 2013. REUTERS/Robert Galbraith/Files
Apple Inc (AAPL.O) said on Saturday it would issue a software update "very soon" to cut off the ability of spies and hackers to grab email, financial information and other sensitive data from Mac computers.
Confirming researchers' findings late Friday that a major security flaw in iPhones and iPads also appears in notebook and desktop machines running Mac OS X, Apple spokeswoman Trudy Muller told Reuters: "We are aware of this issue and already have a software fix that will be released very soon."
Apple released a fix Friday afternoon for the mobile devices running iOS, and most will update automatically. Once that fix came out, experts dissected it and saw the same fundamental issue in the operating system for Apple's mainstream computers.
That started a race, as intelligence agencies and criminals will try to write programs that take advantage of the flaw on Macs before Apple pushes out the fix for them.
The flaw is so odd in retrospect that researchers faulted Apple for inadequate testing and some speculated that it had been introduced deliberately, either by a rogue engineer or a spy. Former intelligence operatives said that the best "back doors" often look like mistakes.
Muller declined to address the theories.
"It's as bad as you could imagine, that's all I can say," said Johns Hopkins University cryptography professor Matthew Green.
Adam Langley, who deals with similar programming issues as a Google (GOOG.O) engineer, wrote on his personal blog that the flaw might not have shown up without elaborate testing.
"I believe that it's just a mistake and I feel very bad for whomever might have slipped," he wrote.
The problem lies in the way the software recognizes the digital certificates used by banking sites, Google's Gmail service, Facebook (FB.O) and others to establish encrypted connections. A single line in the program and an omitted bracket meant that those certificates were not authenticated at all, so that hackers can impersonate the website being sought and capture all the electronic traffic before passing it along to the real site.
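An added illustration, not Apple's code and not part of the original article, of how one extra line after an `if` written without braces can skip a check entirely. The function names and the toy signature comparison are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins; 0 means success, as in many C crypto APIs. */
static int hash_handshake(void) { return 0; }
static int verify_signature(const char *sig, const char *expected) {
    return strcmp(sig, expected) == 0 ? 0 : -1;
}

/* Flawed shape: the if has no braces, so only the first goto belongs to it. */
int check_flawed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_handshake()) != 0)
        goto done;
    goto done;  /* the one extra line: unconditional, jumps with err == 0 */
    err = verify_signature(sig, expected);  /* never reached */
done:
    return err;
}

/* Hardened shape: braces bound the branch, so the check always runs. */
int check_fixed(const char *sig, const char *expected) {
    int err;
    if ((err = hash_handshake()) != 0) {
        goto done;
    }
    err = verify_signature(sig, expected);
done:
    return err;
}

int main(void) {
    /* Constructed inputs: a signature that does not match the expected one. */
    printf("flawed accepts forged: %s\n",
           check_flawed("forged", "genuine") == 0 ? "yes" : "no");
    printf("fixed accepts forged:  %s\n",
           check_fixed("forged", "genuine") == 0 ? "yes" : "no");
    return 0;
}
```

Building with clang's `-Wunreachable-code` reports the statement that can never execute, and a test that presents a mismatched signature and expects rejection catches the same defect at run time.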
In addition to intercepting data, hackers could insert malicious web links in real emails, winning full control of the target computer.
The intruders do need to have access to the victim's network, either through a relationship with the telecom carrier or through a WiFi wireless setup common in public places. Industry veterans warned users to avoid unsecured WiFi until the software patch is available and installed.
The bug has been present for months, according to researchers who tested earlier versions of Apple's software. No one had publicly reported it before, which means that any knowledge of it was tightly held and that there is a chance it hadn't been used.
But documents leaked by former U.S. intelligence contractor Edward Snowden showed agents boasting that they could break into any iPhone, and that hadn't been public knowledge either.
Apple did not say when or how it learned about the flaw in the way iOS and Mac OS handle sessions in what are known as secure sockets layer or transport layer security. Those are shown to users by the website prefix "https" and the symbol of a padlock.
The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc.

Facebook's big buy, WhatsApp messaging app, back up after outage

Illustration photo shows ''likes'' on WhatsApp's Facebook page displayed on a laptop screen in Paris February 20, 2014. REUTERS/Mal Langsdon

WhatsApp, the rapidly expanding mobile messaging app, suffered an outage for more than three hours on Saturday, frustrating users just days after its acquisition by Facebook (FB.O) for $19 billion.
"WhatsApp service has been restored. We are so sorry for the downtime...," WhatsApp tweeted to its more than 1 million Twitter followers on Saturday around 5:48 p.m. EST (2248 GMT).
Earlier, the service had said it was "experiencing server issues" without providing further details. Facebook referred questions on the outage to WhatsApp representatives, who did not immediately respond.
Five-year-old WhatsApp currently has about 450 million users globally and has been adding a million users daily.
On Saturday, some of those users took to other forms of social media, including blogs and Twitter, to report the outage and vent their frustration.
WhatsApp is the leader among a wave of smartphone-based messaging apps that are now sweeping across North America, Asia and Europe, and is known to appeal to teens and others who avoid mainstream social networks.
During the outage the buzz on Twitter ranged from the conspiratorial - that Facebook had really bought WhatsApp to shut it down and funnel users to Facebook Chat - to the philosophical.
"So now that #Whatsapp isn't working I've actually talked to my family, they seem like nice people," tweeted @Ali_Hilu, a self-described social media addict in Jordan.

And @Iamhollybrown of Surrey, England, scolded, "Can't believe all these people are crying about Whatsapp not working, do some exercise, do some work, learn a language."
Got this news while surfing......

Nokia working on 3 Android smartphones



While it is widely expected that Nokia will unveil its first Android smartphone - Nokia X - next week at the Mobile World Congress (MWC) 2014, it is rumoured that the company has more Android handsets in the works.

According to a report by Chinese technology website tech.qq.com, internal emails leaked by sources at Silicon Valley company Artesyn Technologies say that Nokia is working on two Android smartphones other than Nokia X. While one has been codenamed Nokia XX, the codename of the other model is not yet known. The former will be positioned above the entry-level Nokia X, while the latter will be a high-end handset. The specifications of these two models are not yet known.

While Nokia has already started working on these two Android smartphones, they are not expected to be unveiled at MWC. In fact, it is said that the manufacturer will launch X only to see the market response to its first Android smartphone.

All three Android smartphones by Nokia are expected to hit the market in May-June. Nokia X is said to cost approximately $110.

The Finnish manufacturer is widely expected to unveil the Nokia X on February 24. The device is said to have a 4-inch screen with 800x480p resolution and run on 1.2GHz dual-core Snapdragon 200 processor. It will have 512MB RAM, 5MP rear camera, Bluetooth 4.0, Android 4.4 (KitKat) operating system and 4GB internal storage. It is said to be a dual-sim smartphone and come in six colour options.

While Nokia X will run on Android, it will have a customized user interface and will not have access to Google Play Store and the apps available on the platform. Speculation is rife that Nokia and Microsoft will put their own set of apps - such as Facebook, Twitter and Here Maps - on the device via a proprietary app store, much like Amazon does on its Kindle Fire range of tablets.