Jailbroken iPhones are Weak on Security

Hacker Charlie Miller, who just discovered an SMS vulnerability that affects the iPhone, suggests that it is very unsafe to use a jailbroken iPhone. Jailbreaking is when a user removes Apple’s barriers to installing third-party applications, allowing users to install software that is not distributed via the iTunes Store, as well as cracked software. It also allows users to use the iPhone with carriers other than the exclusive carrier in their country. (iPhones without carrier limitations are sold in a handful of countries, but currently not in the US, for example.)

At the SyScan security conference in Singapore, Miller said, “If you care about security, don’t use a jailbroken iPhone.” He said that jailbreaking removes about 80 percent of the security protections built into the iPhone software, leaving users open to a wide variety of attacks.

Posted by Peter on July 2, 2009 in Apple, Security, iPhone | Permalink |

Apple Scrambling to Patch SMS Flaw in iPhone

Indefatigable hacker Charlie Miller has found a serious flaw in the iPhone, one that has Apple scrambling to get it fixed. Miller found a vulnerability in the way the iPhone handles text messages (SMSs), and Miller – who recently said “no more free bugs” – apparently has been working with Apple to help fix the flaw.

Reported by Infoworld, this bug,

allows an attacker to run software code on the phone that is sent by SMS over a mobile operator’s network. The malicious code could include commands to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.

Miller will be presenting more information about this flaw at the coming Black Hat security conference, later this month. In the meantime, Apple is hoping to have a patch for this vulnerability by the end of the month. Discussing this flaw, Miller said, “The iPhone is more secure than OS X, but SMS could be a critical vulnerability.”

Posted by Peter on July 2, 2009 in Apple, Security, iPhone | Permalink |

New Variant of the RSPlug Trojan Horse

It seems that we’ve been using that phrase a lot lately. (We posted about another new variant last week.) In the first year of the RSPlug Trojan horse’s existence (Intego discovered it in October 2007, only a couple of variants were seen, but now it seems that there’s a new one every week; or every time Intego announces that it’s found the latest variant. For it’s obvious that the creators of this malware follow The Mac Security Blog: one variant of this Trojan horse even taunted Intego.

So today we’ve spotted RSPlug.M, a new variant of the Trojan horse, which, like the others, makes changes in its code in an attempt to fool antivirus software. But Intego VirusBarrier X5’s proactive analysis spotted this new variant right away.

The RSPlug.M variant was spotted on a music download site offering the download of an album by 2Pac:



While the page for this download contains a link to a RapidShare download page, this latter link is not active. The links on the page – one that seems to download the album itself, another for a “Fast Mp3 Music Downloader” – both lead to disk images containing this latest variant of RSPlug. It should be noted that, since the installer contained in the disk image claims to install “MacCinema”, or the same installer for fake video codecs, anyone downloading this disk image thinking it has something to do with music may hesitate.

Posted by Peter on July 2, 2009 in Security | Permalink |

Password Masking is Counter-Productive, Says Usability Expert

Usability expert Jakob Nielsen has published a post on his website stating that password masking – the way programs display bullets instead of the text you type when asking you to enter passwords – is counter-productive, and decreases usability of applications and websites.

You know how it is: you need to enter a password – for a web site, application or system feature – and as you type, you see nothing but bullets in the place of your password:



While there is a purpose to this strategy – preventing someone looking over your shoulder from seeing what you type – this protection is both illusory and inefficient.

Nielsen writes:

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

He points out that users make more mistakes when they can’t see what they type, reducing usability and productivity. And, Nielsen says that when users are “uncertain” about typing passwords, they tend to choose simpler, less secure passwords, which leads to a loss of security.

In most cases, [...] users will appreciate getting clear-text feedback as they enter passwords. Your business will increase, and security will even improve a tiny bit as well.

Perhaps the solution is to do what Apple does on the iPhone. When you type a password, you see the last character you type, but previous characters are changed into bullets, so you can follow your typing, but never see the entire password.

Posted by Peter on June 30, 2009 in Security | Permalink |

Last Chance: 50% Off Multi-Seat Licenses for Intego Software

Just a reminder of the last days of Intego’s super summer promo. Through June 30th, you can get 50% off on 5- and 10-seat licenses for all of Intego’s single Mac security programs (this discount does not apply to Internet Security Barrier suites).

During this promotion, you can purchase multi-seat licenses for the following Intego programs at half-price:

  • VirusBarrier X5: Protects Macs from all known viruses
  • NetBarrier X5: Protects your Mac from Internet attacks
  • Personal Antispam X5: Keeps your inbox spam-free
  • Personal Backup X5: Meets all your backup needs
  • FileGuard X5: Safeguards your confidential files
  • ContentBarrier X5: Makes the Internet a safe place for your kids

These special prices are only available from the Intego web site through June 30, 2009. These prices apply to full versions of Intego software, not to upgrades or Dual Protection software. This offer is not available from retail stores, or any vendors other than Intego. No refunds, no exchanges. This offer cannot be combined with any other special offer. Limited to one license of each program per purchaser, for individual users only. This offer may be cancelled at any time without notice.

Posted by Peter on June 29, 2009 in Intego Software | Permalink |

New Variant of RSPLug Trojan Horse: RSPlug.L

Intego yesterday discovered yet another variant of the RSPlug Trojan horse, this one called RSPlug.L. It’s more of the same, just change around a bit to try and get by antivirus software. No worries; our Virus Monitoring Center had new virus definitions available less than an hour after it was discovered. With Intego VirusBarrier X5, and Intego’s NetUpdate for updating programs, filters and virus definitions, you can be sure you’re safe from the torrent of Trojan horses we’ve been seeing lately.

Here’s a tip. If you don’t already have NetUpdate set to check for updates daily, you can do so in the program’s Scheduling settings:

When NetUpdate checks for updates, it doesn’t use much network bandwidth and hardly any processor time. So you won’t even notice daily checks, unless there’s something to update. Keep your Mac safer by checking daily so you always have the latest virus definitions as soon as possible.

Posted by Peter on June 26, 2009 in Intego Software, Security | Permalink |
   Older Articles >

Copyright © 2007-2009 Intego