Macworld is reporting that Apple, in a rare announcement, has said that it will fix the iPhone passcode flaw that we reported on this week. An Apple representative is quoted as having told Macworld, “The minor iPhone security issue which surfaced this week is fixed in a software update which will be released in September.” Meanwhile, Macworld offers a temporary workaround: “you can set the iPhone so that double-clicking the home button will take the user directly to the home screen, which if password protection is turned on, will be the unlock screen.”
Well, Bit9 seems to think so. They rate it first in the top three “sexiest” antivirus programs. Following VirusBarrier X5 are Hello Kitty Antivirus (certainly the most unique interface we’ve seen yet), and Susan Orman Identity Theft Kit (just because there’s a female face on the interface?). However, the latter program is not an antivirus, but rather a tool that claims to prevent identity theft.

We’re partial, of course, but VirusBarrier is the clear winner compared to those two programs. Hello Kitty looks too childish, and Susan Orman, well, she’s got a nice smile, but there’s not much else to recommend.
But if you scroll down the page, you can see the standardized, staid interfaces of Windows antivirus software. Aside from their logos, it’s hard to tell them apart. We prefer not only a unique interface, but one that makes working with the software easier.

Well, it’s not. As The Register reports, “press of the ‘Emergency Call’ key from the passcode entry screen, followed by a double-tap on the home button. That takes the miscreant into favourites, from which they can access the address book, from which they can get into the e-mail client (by tapping a contact’s e-mail address) or the browser (by tapping a URL).”
I’d expect better protection on a device that can carry sensitive personal information, such as contacts, e-mail and more. Note that the iPod touch is better protected, since there is no emergency call key; the only option you have from the passcode screen is to enter the passcode.
UPDATE: More info and details here.
When we think about security, we usually think about viruses, hackers and Trojan horses, but the first step in securing your Mac is making sure that no one can get physical access to it. If someone steals your Mac, they’ll get to its data one way or another - they can always just remove the hard disk and put it in another Mac, or simply use a Mac OS X installation disc to get at its contents.
In terms of physical security, Kensington laptop locks are often said to be reliable. But a creative hacker shows, in a two-minute video, how to make a small cylinder out of a toilet paper roll and crack the lock in seconds. Next time you think that such locks are secure, remember this video. You may want to think of better security for Macs that you use in public settings, such as labs, libraries or cafés.

MobileMe had a rocky launch, and now a newly reported weakness shows that its web interface does not provide adequate security. Rich Mogull, writing at TidBITS, explains the problem: “although your initial login to MobileMe is encrypted, the rest of your session is transmitted in plain text. If anyone on your network decides they want to sniff your connection and read your email, there’s nothing to stop them.”
In addition, Apple’s handling of user authentication has another weakness: “the secure authentication page points to auth.apple.com while the rest of MobileMe uses the domain me.com. By breaking the bond between the digital certificate used by SSL to verify a domain, and the domain where most of the interaction takes place, users are vulnerable to redirection attacks as highlighted by the recent DNS vulnerability.”
Nevertheless, Mogull says that one shouldn’t worry too much. “While there’s a reasonable, if small, risk someone might sniff your connection when you are out in public, the odds of a redirection attack are extremely low.” But Apple will have to address these issues soon, along with the many other problems of MobileMe.
ZDNet, among others, is reporting that a Flash clipboard hijacking attack is making the rounds. Malicious ads are injecting text into the clipboard, via Flash, causing users to scratch their heads in wonder as the same URLs appear each time they try to copy and paste text. No matter what is copied, the same URL gets pasted, as the Flash attack rewrites the clipboard constantly. These URLs lead to sites that, in turn, attempt to install malicious software, most of which affects Windows computers.
Reports show that the attack comes from Flash-based advertising on a number of legitimate sites, such as Newsweek, Digg and MSNBC.com. There is no visible sign of the attack until a user attempts to paste text.
There’s an easy way to get rid of this attack, though: just close the browser window or tab that contains the malicious Flash ad, or, if you can’t figure out which window is guilty, quit the browser. Then, copy something to the clipboard to replace what had been injected there by the malicious ad.
If you want to see this in action, security researcher Aviv Raff has set up a web page showing how it works: click this link. Try to paste some text after visiting that link; you’ll see that your clipboard contains the text “http://www.evil.com”. Next, close the tab, copy some text to the clipboard, then paste; you’ll see the URL is gone.
This attack seems to affect all browsers on all platforms, as long as Flash is installed. We have not heard anything from Adobe about a fix, but it is likely that they will issue one soon.