Wednesday, 29 August 2012

Apple claims to be serious about security, totally misses the point

Apple has been dealing with a bit of a security mess since it was revealed last week that a security hole in the iPhone's handling of SMS messages will still be an issue in iOS 6.

The hole allows attackers to send messages to an iPhone with a false sender identity. In other words, you might think your friend Ted is sending you an exciting link when, in fact, the link points to a malicious website.

The deception works through a feature of the SMS protocol that allows a message to carry a “Reply to” address different from that of the actual sender. Since the iPhone identifies the sender by the “Reply to” address, users would likely think they are receiving the message from the person they would reply to.
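To make the failure mode concrete, here is a small added example (not code from the post, from Apple or from pod2g) that models an SMS abstractly as an originating address plus an optional reply-to field. The field and function names are this example's own assumptions; it does not parse real SMS headers. It puts the handset behaviour described above beside the safer alternative: identify the sender by the originating address and surface a divergent reply-to rather than hiding it.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Sms:
    # Number the network actually delivered the message from
    originating_address: str
    # Optional reply-to address carried inside the message (hypothetical field name)
    reply_address: Optional[str]
    body: str


def normalize_number(number: str) -> str:
    """Strip formatting so "+1 (555) 010-0100" and "15550100100" compare equal."""
    return re.sub(r"[^0-9]", "", number)


def reply_address_mismatch(msg: Sms) -> bool:
    """True when a reply-to is present and does not match the real origin."""
    if msg.reply_address is None:
        return False
    return normalize_number(msg.reply_address) != normalize_number(msg.originating_address)


def naive_sender_label(msg: Sms) -> str:
    """The handset behaviour the post describes: trust the reply-to field as the sender."""
    return msg.reply_address or msg.originating_address


def safe_sender_label(msg: Sms) -> str:
    """Identify the sender by the originating address and flag any divergent reply-to."""
    if reply_address_mismatch(msg):
        return f"{msg.originating_address} (replies go to {msg.reply_address})"
    return msg.originating_address


# Constructed samples (not real traffic): one message whose reply-to names a different
# number than the one it really came from, one plain message, and one whose reply-to
# merely repeats the origin with different formatting.
SPOOFED = Sms("+15550109999", "+1 555 010 0100", "check this out")
PLAIN = Sms("+15550100100", None, "lunch?")
FORMATTED = Sms("+15550100100", "+1 (555) 010-0100", "same number, different formatting")


if __name__ == "__main__":
    for msg in (SPOOFED, PLAIN, FORMATTED):
        print(f"naive: {naive_sender_label(msg):<45} safe: {safe_sender_label(msg)}")
```

The point of the two labelling functions is the display policy, not the string format: whatever a client shows as "from" should be the address the network delivered the message from, and a reply-to that points elsewhere is information the user needs, not something to substitute silently.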

The hole was made public last Friday by a hacker who goes by pod2g.
"If the destination mobile is compatible with it, and if the receiver tries to answer the text, he will not respond to the original number, but to the specified one. Most carriers don't check this part of the message, which means one can write whatever he wants in this section: a special number like 911, or the number of somebody else," pod2g wrote. "On iPhone, when you see the message, it seems to come from the reply-to number, and you lose track of the origin."
So what’s Apple’s solution? Don’t use SMS.

iPhone-to-iPhone texting is easily accomplished with Apple’s iMessage protocol, which sends messages over the internet rather than over SMS networks. Because iMessage users are verified against email addresses, the messages are impossible to spoof. The problem is, of course, that not everybody uses an iPhone. Your friends with Androids will still be texting you over SMS. So any hacker with half a brain can still spoof messages as long as the receiver thinks he’s receiving from someone with a non-iPhone.

Apple: You’ve got a big release coming up with the iPhone 5. Pull your act together.

Friday, 24 August 2012

Hack a Mac for $60

That's right folks, the malware scene is getting hostile for Mac users. French anti-virus firm Intego reported the existence of a $60 piece of malware that targets Macs. To put that in perspective, another well-known piece of Mac malware, OSX/Crisis, sells for about $200,000.

Many experts are pointing to the shockingly low price of the malware, called OSX/NetWeirdRC, as evidence that OS X-specific threats are growing. On the other hand, NetWeirdRC has also been found to have a programming bug that renders the software basically useless without modification.

"It would seem that you get what you pay for, even in the malware world."

But regardless of how dangerous or popular the malware is, the fact remains that cheap, commercially available malware is spreading and with it will come a rise in Mac-targeted attacks.

You can check out the full scoop on Intego's website.

Tuesday, 21 August 2012

Passwords are leaking faster than ever, here's why

This password is strong; the sticky note on the monitor? Not so much.

If you haven't figured it out yet, here at SumRando, we're big fans of security. In our case, that means protecting your data with a solid VPN over a secure internet connection and using great passwords for everything you do.

But no matter how long or complicated your password is, it seems that someone can crack it these days -- a fact that's putting your personal information in jeopardy.

Ars Technica has a great piece up today on why passwords are now so easy to hack. But if you don't have time to read the whole thing, here are a few major takeaways:

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them.

Now used increasingly for computing, graphics processors allow password-cracking programs to work thousands of times faster than they did just a decade ago. A PC running a single AMD Radeon HD7970 GPU, for instance, can try on average an astounding 8.2 billion password combinations each second.

A series of leaks over the past few years containing more than 100 million real-world passwords have provided crackers with important new insights about how people in different walks of life choose passwords on different sites or in different settings.

The first point is by far my favorite. It might seem obvious, but the statistics show that a horrifying number of people use the same passwords for their Twitter account and their checking account...

Tuesday, 14 August 2012

Keystroke authorization is the password of the future

We have talked about biometric security in some detail before, but this quick CNET video was just too cool and interesting not to post.

Traditionally, we think of biometric security as fingerprint authorization or retina scans, but security based on physical attributes is a) difficult to implement because the physical infrastructure is not there (does your laptop have a retina scanner?) and b) insecure because you can't change your fingerprints if a hacker does somehow get hold of your biometric information.

Keystroke authentication, as far as we can tell, is by far the most likely form of biometrics to be employed on a large scale because it works on two levels — the password and the typing patterns. If one is compromised, the other can be easily changed.
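The "two levels" idea above can be shown in a few dozen lines. The following is an added example, not code from the post or from the CNET video, of the usual keystroke-dynamics approach: enrol a user from several typings of the same phrase, keep the mean and spread of the flight time for each pair of consecutive keys, and at login require both that the typed secret matches and that the typing rhythm sits close enough to the enrolled profile. The timing samples are constructed for illustration, and the threshold, the stdev floor and the PBKDF2 parameters are this example's own assumptions, not values from any real product.

```python
import hashlib
import hmac
import os
import statistics
from typing import Dict, List, Tuple

Keystroke = Tuple[str, float]  # (key, key-down time in milliseconds)

# Constructed enrollment data for the phrase "pass": four typings by the same user.
# Timestamps are illustrative, not recorded from a real keyboard.
ENROLL_SAMPLES: List[List[Keystroke]] = [
    [("p", 0), ("a", 120), ("s", 320), ("s", 410)],
    [("p", 0), ("a", 130), ("s", 310), ("s", 400)],
    [("p", 0), ("a", 115), ("s", 325), ("s", 415)],
    [("p", 0), ("a", 125), ("s", 315), ("s", 405)],
]
# Same secret typed with the genuine rhythm, and the same secret typed by someone else.
GENUINE_PROBE: List[Keystroke] = [("p", 0), ("a", 118), ("s", 316), ("s", 408)]
IMPOSTOR_PROBE: List[Keystroke] = [("p", 0), ("a", 250), ("s", 370), ("s", 550)]

MIN_STDEV_MS = 10.0     # floor so a perfectly consistent digraph does not blow up z-scores
PBKDF2_ROUNDS = 100_000  # assumption for the example; tune to your own hardware


def flight_times(sample: List[Keystroke]) -> Dict[str, float]:
    """Time between successive key-downs, keyed by the two-letter digraph."""
    return {k1 + k2: t2 - t1 for (k1, t1), (k2, t2) in zip(sample, sample[1:])}


def typed_text(sample: List[Keystroke]) -> str:
    return "".join(key for key, _ in sample)


def enroll(password: str, samples: List[List[Keystroke]]) -> dict:
    """Build a template: salted hash of the secret plus (mean, stdev) per digraph."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    per_digraph: Dict[str, List[float]] = {}
    for sample in samples:
        for digraph, ft in flight_times(sample).items():
            per_digraph.setdefault(digraph, []).append(ft)
    timing = {}
    for digraph, values in per_digraph.items():
        spread = statistics.stdev(values) if len(values) > 1 else 0.0
        timing[digraph] = (statistics.mean(values), max(spread, MIN_STDEV_MS))
    return {"salt": salt, "pw_hash": pw_hash, "timing": timing}


def timing_distance(template: dict, probe: List[Keystroke]) -> float:
    """Mean absolute z-score of the probe's flight times against the template."""
    feats = flight_times(probe)
    zs = []
    for digraph, (mean, stdev) in template["timing"].items():
        if digraph not in feats:
            return float("inf")  # different text, rhythm cannot be compared
        zs.append(abs(feats[digraph] - mean) / stdev)
    return sum(zs) / len(zs)


def verify(template: dict, probe: List[Keystroke], threshold: float = 2.0) -> bool:
    """Level one: the secret, compared in constant time. Level two: the rhythm."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", typed_text(probe).encode(), template["salt"], PBKDF2_ROUNDS
    )
    if not hmac.compare_digest(candidate, template["pw_hash"]):
        return False
    return timing_distance(template, probe) <= threshold


if __name__ == "__main__":
    tpl = enroll("pass", ENROLL_SAMPLES)
    print("genuine :", verify(tpl, GENUINE_PROBE), round(timing_distance(tpl, GENUINE_PROBE), 2))
    print("impostor:", verify(tpl, IMPOSTOR_PROBE), round(timing_distance(tpl, IMPOSTOR_PROBE), 2))
```

Two design notes. The password is checked first and in constant time, so the rhythm score is only ever computed for someone who already knows the secret; the biometric layer narrows the window after a leak rather than replacing the password. And the threshold is a tunable trade-off: a tighter one rejects more impostors who learned the password but also more genuine users typing on an unfamiliar keyboard, which is exactly the re-enrol-and-change-the-password case the post describes.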

Friday, 3 August 2012

MLB social media pages get hacked

Did you hear? New York Yankees’ all-star player Derek Jeter will miss the remainder of the season as he undergoes and recovers from “sexual reassignment surgery”.

O.K., not really, but that’s what his Twitter account said after it was hacked on Thursday. And the Yankees weren’t the only ones posting embarrassing messages; hackers tampered with the social media pages for the Chicago Cubs and White Sox, Washington Nationals, San Francisco Giants, and the San Diego Padres.

Fortunately, the teams were quick enough to take down the hacked posts only an hour after they went up.

The incident highlights anew the risks that can come along with using such social media sites and shows the importance of installing appropriate security measures to prevent such egg-on-the-face situations, says Ben Rothke, a New Jersey-based information security professional and author. "At the end of the day, breaches are inevitable," he says. "Which is why having good practices in place and incident management programs outlined that can quickly identify, and rectify the situation is important." [NetworkWorld]