Category Archives: News

Lessons learned for Mac users from Black Hat and Def Con conferences

News from the recent Black Hat and Def Con security conferences in Las Vegas was…not good. We’ve come to expect bad tidings for our cherished electronic devices at around this time every year. And indeed, these conferences often reveal startling vulnerabilities and exploits that malicious actors and “frenemy” states have probably been privy to for some time. And though, as Buzzfeed tech writer Joe Bernstein points out, Black Hat is the equivalent of a burglar breaking through your windows, entering your home, and then asking for commendation for proving that your windows could use some reinforcement — it’s still an event with a noble goal. In the depraved and paranoid world of the internet, this is what security looks like.

Black Hat and Def Con are places where people take notes on paper, not on electronic devices, and many probably leave their wallets at home, because everyone is too scared of some nut swiping their info with an RFID scanner or cracking into their devices over Bluetooth. Joe Bernstein’s account of his time at Black Hat is prescient. “This event radiates distrust, like a mean old croupier”, Bernstein writes. Between the depressing backdrop of Las Vegas and the feverish, paranoid hallways, it sounds like a bleak event. Bernstein draws a compelling parallel between the city of Vegas, destined to be reclaimed by the desert, and the fragility of our business, our culture, and our lives, all structured around increasingly complex and still fallible technology.

Among the shocking unveilings at Black Hat and Def Con, Thunderstrike 2 aside, was bad news for new-model car owners. According to Charlie Miller and Chris Valasek, there are a variety of ways to take control of new Chryslers remotely, brakes, accelerator, and all. Coming in the wake of the keyless entry scandals plaguing Land Rover and many others, this is scary news.

But we’re here for Mac news, and the news is grim. According to former National Security Agency employee Patrick Wardle, the Mac’s protection against malware rates only a “C+”. The reason Apple isn’t experiencing large-scale issues is the same as it’s always been: there still aren’t enough people devoting time to cracking Macs. While this is a good thing, it is increasingly becoming a good thing of the past. As Apple devices continue to proliferate, especially iPhones and iPads, Apple will have a day of reckoning soon, security experts fear.

Everyone, whether countries, commercial users, car drivers, businesses using contactless payment tech, Apple users, Windows users, or Android users, is, in Bernstein’s words, “fucked”. “It’s enough to make a person long for a little regulation, and a little enforcement, just to put a stop to all the unmitigated fucking”, Bernstein continues to lament. Buzzfeed’s tech writer tells of a speech given by Leonard Bailey, special counsel for National Security in the Department of Justice. After his “very smart, very clear, very measured” talk, Bernstein realizes that Bailey isn’t as far above the fray as he’d like. In fact, as a federal employee his personal information has almost certainly been leaked in the massive Office of Personnel Management hack. Good luck trying to charge whatever state or states were responsible for that with a Computer Fraud and Abuse Act violation.

Well, if you haven’t already built a Faraday cage around your house or chucked all your electronics into the proper recycling bins, what is to be done? Unfortunately, conferences like Black Hat and Def Con are our best weapon against truly malicious forces. One big takeaway from the whole ordeal is for companies to redouble efforts to catch these vulnerabilities early, for Apple to devote more time to security, and for us all to either become OK with the tenuous electronic world we live in, or flip the script like the paranoids in Vegas, and ditch the iPads for notepads, paper notepads.

Where were the iPads at the All England Club?

At Wimbledon 2015 lead sponsor IBM was on display everywhere. From banners and screen ads, to television spots, IBM’s domineering sponsorship was felt. When the casual fan (myself included) watched these games it appeared that umpires were aided in officiating by not just IBM’s Hawkeye technology, but Apple iPads to display it. This was originally going to be a post about the presence of iPads at Wimbledon. However, as Mark Reschke of T-Gaap.com reported, the tablets at the All England Club were not iPads, but rather Panasonic’s Toughpad, running Windows.

Apple and IBM are well into a hundred million dollar partnership, one that has included such far ranging deals as IBM promoting iPads to elderly Japanese, IBM/Apple’s many business apps, software designed for banks, telecom, and utilities, issuing Apple’s products to employees, and even a brand new service for IBM clients that allows faster and more seamless integration of MacBooks within large companies. So with all that abundant and very public support and cooperation, why no iPads at Wimbledon? The answer is probably a boring one about All England Club contracts with other companies and legacy business deals. But it could just as easily be a serious marketing misstep.

Equally odd as the lack of iPads at an IBM event, as Mark Reschke pointed out, is IBM’s underutilization of iPads in its high-profile TV adverts. All current IBM ads show students or doctors using Windows equipment. Reschke says, justifiably, “perhaps someone in IBM corporate will inform their sports analytics team, marketing department, and advertising agency” about their current partnerships with Apple. Contracts with other companies, namely Sony, aside, there shouldn’t be a huge barrier to IBM using the slightest amount of leverage to get iPads into Wimbledon, or simply putting them in its minute-long TV spots seen by millions of people across the globe.

Image: Wimbledon App on the iPad

The only place Apple products were seen at Wimbledon? In the stands, of course. Hordes of fans filmed the tennis action on their iPads and iPhones, uploading great-quality video. Fan videos sometimes show, among other things, how Sony’s “Hawk-Eye” was getting some calls wrong. Hawk-Eye has a history of criticism: some from the Australian media regarding its use in cricket, some relating to a controversial call during Nadal-Federer at Wimbledon 2008, in which Hawk-Eye declared a ball in by 1 mm, less than its 3.6 mm margin for error, and numerous peer-reviewed journal pieces calling into question the technology’s stated ability to predict trajectory. Tennis experts have also questioned whether the technology ignores factors like distortion of the ball on bouncing, and the human errors inherent in a court painted on the ground by people.

This all raises another valid point: why has the much-beleaguered Sony system, with a 3.6 mm margin of error, not been replaced with better software and better cameras, like those sometimes found on Apple products? Prior contracts and commitments, no doubt, but the sporting world is being shortchanged, and so is Apple.

Thunderstrike 2, New Zero-Day Vulnerability

The Bad News: With every Black Hat season comes new vulnerabilities and zero-day exploits for our precious devices. According to TechCrunch.com, Xeno Kovah and Trammell Hudson have found a serious exploit that potentially impacts all Apple devices. TechCrunch reports that this “firmworm” helps malware completely disable Apple devices, leaving users with no way to reboot their machines.

Thunderstrike 2 targets a device’s firmware through potentially any Thunderbolt-linked accessory. Once it arrives via malicious code in an email or online link, the malware looks for connected Thunderbolt accessories and infects them with its own Option ROM. If the infected Thunderbolt accessory is connected when the device turns on, the malicious code targets the boot firmware (the Basic Input/Output System, or BIOS). The Extensible Firmware Interface (EFI) executes the Option ROM on the Thunderbolt attachment before it boots OS X, so the malicious code can infect the EFI itself and the device can be rendered inert and unfixable. If EFI is compromised, there is no way to reboot OS X, update the firmware, or remove the malicious code. Additionally, the infected accessory remains infected, and will infect other devices it is connected to.

This exploit news is not totally unexpected; a deluge of exploits is normal during Black Hat conference season, after all. Uncomfortably, perhaps, it also comes in the wake of another Mac exploit last month. Stefan Esser found the DYLD exploit that allowed attackers to gain root privilege. There has been some evidence of adware creators using this vulnerability to install unwanted adware applications like VSearch, Genieo, and MacKeeper on users’ devices, also disabling the Mac App Store.

https://youtu.be/Jsdqom01XzY


Apple has already fixed DYLD in El Capitan’s beta but not in Yosemite, and has also already added applications using these exploits to the malware blacklist.

The Good News: According to a recent report from Ars Technica, Apple has already partially patched this vulnerability in OS X 10.10.4, so fully updated users should be OK. Per Ars Technica, Hudson has posted more information about the exploit here. According to Hudson, thanks to the update Macs are no longer “trivially vulnerable”, but he insists there are still several vulnerabilities. The pair of researchers will present more on the topic tomorrow at the Black Hat conference. To be extra careful until the fixes are formalized, be careful downloading (as always) and unplug any Thunderbolt accessories before booting your device. As Ars Technica’s Andrew Cunningham points out, the real trouble with firmware-level malware is that most virus scans and anti-malware services search only RAM and files stored on the disk. An infected accessory is difficult to detect, and just as tough to remove. Cunningham notes that “You can’t use Thunderstrike to remove Thunderstrike” because, amazingly, the infected firmware patches the original security flaw.
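The two paragraphs above describe the mechanism (EFI runs an accessory’s Option ROM before the OS boots) and the detection gap (scanners that look only at RAM and disk never see firmware). What follows is an added example, not code from this page or from Hudson and Kovah’s work: a small Python routine that inventories the images inside a PCI expansion ROM dump, following the header layout of the PCI Firmware Specification and the UEFI specification (0x55AA signature, pointer to the “PCIR” data structure at offset 0x18, code type 0x03 marking an EFI image), hashes each image and flags EFI images whose hash is not on a known-good list. The ROM bytes, vendor and device IDs and the allowlist are all constructed inside the block; obtaining a dump from a real accessory is outside its scope.

```python
"""Inventory the images inside a PCI expansion ROM dump and flag EFI images
whose hash is not on a known-good list. Added example; the sample ROM bytes are
constructed below and do not come from any real Thunderbolt device."""
import hashlib
import struct

# Code types defined in the PCI Firmware Specification's PCI Data Structure.
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}


def parse_option_rom(rom, allowlist):
    """Walk the chained images of an expansion ROM.

    Every image starts with 0x55AA and carries, at offset 0x18, a pointer to its
    PCI Data Structure ("PCIR"), which records the image length (in 512-byte
    units), the code type and a last-image flag. Returns one dict per image.
    """
    images = []
    off = 0
    while off + 0x1A <= len(rom):
        if rom[off:off + 2] != b"\x55\xAA":
            raise ValueError(f"no 0x55AA ROM signature at offset 0x{off:x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure for image at offset 0x{off:x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        img_len = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512
        code_type = rom[pcir + 0x14]
        last = bool(rom[pcir + 0x15] & 0x80)
        if img_len == 0 or off + img_len > len(rom):
            raise ValueError(f"image at 0x{off:x} claims {img_len} bytes, ROM is {len(rom)}")
        digest = hashlib.sha256(rom[off:off + img_len]).hexdigest()
        images.append({
            "offset": off,
            "length": img_len,
            "vendor_id": vendor,
            "device_id": device,
            "code_type": code_type,
            "kind": CODE_TYPES.get(code_type, f"unknown(0x{code_type:02x})"),
            "last": last,
            "sha256": digest,
            "known": digest in allowlist,
        })
        if last:
            return images
        off += img_len
    raise ValueError("ROM ended before an image carried the last-image flag")


def unexpected_efi_images(images):
    """EFI-type images whose hash is not on the allowlist: the ones worth a closer look."""
    return [img for img in images if img["code_type"] == 0x03 and not img["known"]]


def build_sample_rom():
    """Constructed two-image ROM: a legacy x86 image followed by a final EFI image."""
    def image(code_type, last, tag):
        buf = bytearray(512)
        buf[0:2] = b"\x55\xAA"
        buf[2] = 1                                   # size in 512-byte units
        pcir_off = 0x20
        if code_type == 0x03:
            struct.pack_into("<I", buf, 4, 0x0EF1)   # EFI signature
            struct.pack_into("<H", buf, 8, 0x0B)     # subsystem: EFI boot service driver
            struct.pack_into("<H", buf, 10, 0x8664)  # machine type: x64
            struct.pack_into("<H", buf, 0x16, 0x40)  # offset of the EFI image header
        struct.pack_into("<H", buf, 0x18, pcir_off)
        buf[pcir_off:pcir_off + 4] = b"PCIR"
        struct.pack_into("<HH", buf, pcir_off + 4, 0x1234, 0x5678)  # constructed vendor/device IDs
        struct.pack_into("<H", buf, pcir_off + 0x0A, 0x18)          # PCIR structure length
        struct.pack_into("<H", buf, pcir_off + 0x10, 1)             # image length, 512-byte units
        buf[pcir_off + 0x14] = code_type
        buf[pcir_off + 0x15] = 0x80 if last else 0x00
        buf[0x40:0x40 + len(tag)] = tag                              # stand-in for the code body
        return bytes(buf)
    return image(0x00, False, b"LEGACY-STUB") + image(0x03, True, b"EFI-STUB")


if __name__ == "__main__":
    rom = build_sample_rom()
    # In practice the allowlist holds hashes of the vendor's shipped Option ROM images.
    known_good = {hashlib.sha256(rom[512:1024]).hexdigest()}
    for img in parse_option_rom(rom, known_good):
        status = "known" if img["known"] else "UNKNOWN"
        print(f"0x{img['offset']:05x} {img['kind']:16} {img['sha256'][:16]}... {status}")
    print("unexpected EFI images:", len(unexpected_efi_images(parse_option_rom(rom, set()))))
```

The point of the allowlist is the one Cunningham makes: a compromised system cannot be trusted to report on itself, so the comparison has to be against hashes recorded from a known-clean accessory, on a machine you still trust. The parser also refuses truncated or unterminated ROMs rather than silently skipping images, since a dump that ends early is itself a finding.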

Image: Photo by Trammell Hudson

Lastly, these exploits don’t only impact Apple’s devices. The exploits are common to most EFI firmware, including PCs by Dell, HP, Lenovo, Samsung, and more. However, numerous vulnerabilities also applied to Mac’s firmware, and Apple has only succeeded so far in partially fixing these issues.


Apple Pay and the Apple Watch: Initial Feedback

Apple Pay is Apple’s mobile payment option. It is available on the Apple Watch, iPad Mini 3, iPad Air 2, and iPhone 5 and 6 models. To use Apple Pay, your Apple device has to have the NFC radio antenna or the Touch ID sensor and the correct iOS version. It has tie-ups with American Express (ExpressPay), MasterCard (PayPass), and Visa (PayWave). Apple Pay on the Apple Watch is disabled when you buy it and has to be activated using a special code. Sensors on the watch ensure that Apple Pay can only be used by the watch’s owner, so anyone other than the owner wearing the watch triggers the disable feature.

Image: Paying with an iPhone 6

Apple Pay was revealed in September 2014 by CEO Tim Cook and was launched the following month when the iPhone 6 and iPhone 6 Plus were released. According to Apple, a security code is generated for every transaction and Apple has no intention of tracking transactions. A small transaction fee, fractionally lower than normal bank charges for online payments, is charged to the owner. If the Apple device is lost, Apple Pay can be disabled remotely using the Find My iPhone service.

Last year, there were over 220,000 places in the US where Apple Pay was accepted. Apple Pay can only be used in US stores, although the company plans to expand the service to other countries eventually.

As of April this year, the feedback on Apple Pay has been encouraging, with 66% of iPhone 6 and iPhone 6 Plus owners signing up for the security code. Of that 66%, two-thirds have tried Apple Pay. Compared to other mobile wallets, Apple Pay has done significantly better on its virgin run. The biggest issue thus far with Apple Pay is cashiers’ unfamiliarity with the payment scheme, which leads to payment delays, double postings, or incorrect postings. Obviously these are just growing pains, similar to what happened with LoopPay and other mobile payment methods.

Also this April, Apple added more banks and credit unions to Apple Pay, which means there are now 180 financial institutions across the country that support it. To make 2015, the year of Apple Pay according to Tim Cook, more interesting, a new mobile payment system is set to launch by the middle of the year. It’s called CurrentC, by Merchant Customer Exchange. It plans to be a very aggressive competitor to Apple Pay and uses bar codes to complete the transaction. This could very well make 2015 the year mobile payments take over.

Understanding the Force Touch Technology created by Apple

Don’t you love how Apple manages to capture so much creativity and imagination in its labels and terms? Force Touch is a new feature launched with the Apple Watch. Basically, it senses force through tiny electrodes strategically placed around the Retina display. These electrodes are able to tell if you are pressing lightly or applying a deeper force, and this gives you quicker access to specific pressure-sensitive controls.

Force Touch also brings firm-press shortcuts to apps like Music, Messages, and Calendar, and access to features that let you change the watch face, search for information, and end or pause your workout timer.

Image: Apple Watch with Force Touch

Difference Between Multi-Touch and Force Touch

Multi-touch technology first appeared in 1977, developed at CERN, the particle physics research lab in Switzerland, but it was turned into a functional multi-touch human-input system in 1982 by the University of Toronto in Canada. Multi-touch allows a user to apply more than one contact point on a screen to accomplish certain moves like the “pinch to zoom.”

Apple uses the multi-touch technology in its iPad and iPhone and also owns a few patents on the technology as far as implementation on user interfaces. These patents are currently being challenged after Apple tried to register the term “Multi-Touch” as part of their trademark and was denied.

While there is a “long tap” gesture used with multi-touch technology, it is not the same as Force Touch. Here’s why:

  • Force Touch has a feature that allows you to customize the sensitivity level.
  • It can tell which finger you are using and will adjust to the corresponding programmed sensitivity level.
  • The force sensors or electrodes can detect your click and also move laterally to mimic the motions of a trackpad.
  • It works in sync with haptic feedback technology, so you get the sensations of clicks, vibrations, or other motions.
  • It uses the Taptic Engine, a tiny device found at the back of the trackpad.

There is talk that Apple is planning to make Force Touch exclusive to the iPhone 6 Plus, even though it is already part of the Apple Watch, the MacBook, and the 13-inch MacBook Pro. There are still conflicting reports, but one thing is for sure: the iPhone 6 Plus will have exclusive features like the landscape mode for the home screen and the optical image stabilization camera.

Some ways you can use Force Touch are to create pressure-sensitive drawings, customize a Force Click, and customize your zoom and acceleration, just like fast-forwarding a DVD movie.