The online shoe and apparel company Zappos, a subsidiary of Amazon.com, was recently hacked, and credentials for 24 million users were stolen. In an e-mail to the company’s employees, CEO Tony Hsieh said, “We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky.” The company told customers:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
What is important to understand here is that the actual passwords were not recovered, but rather a “hash” of each one, or, as Zappos says, a “cryptographically scrambled password.” Nevertheless, Zappos has reset the passwords of all of its customers, who will see a request to create a new password the next time they log into the Zappos website. The hackers also did not obtain full credit card numbers. They did, however, obtain e-mail addresses, which could be used for spam or phishing campaigns.
While passwords were not recovered in this hack (at least according to Zappos), they are sometimes obtained in this type of data breach. It’s worth pointing to an older blog post about choosing secure passwords, which reminds you not to use the same password on multiple sites and explains how to come up with hard-to-crack passwords. Data breaches like this one are common; it’s a good idea to make sure all of your passwords are secure and unique, so that if one is obtained in a data breach, hackers can’t try it on other sites to see if it works there.
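To make the “hash, not password” distinction concrete, here is an added illustration (not code from the original post, and not Zappos’s actual scheme, which the post does not describe). It stores a password as a salted PBKDF2-HMAC-SHA256 record, verifies a login attempt against that record, and shows why reuse is the real risk: two sites storing the same password get unrelated records thanks to their different salts, yet the one plaintext opens both. The iteration count and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this illustration. Real deployments tune the
# iteration count to their hardware or use a dedicated password-hashing
# library (bcrypt, scrypt, Argon2).
ITERATIONS = 200_000
SALT_BYTES = 16
RECORD_TAG = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form tag$iterations$salt_hex$hash_hex.

    The record holds a one-way hash, not the password itself: a site that
    keeps this can check a login attempt but cannot read the password back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{RECORD_TAG}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count
    and compare in constant time, so the check itself leaks nothing."""
    tag, iterations, salt_hex, hash_hex = record.split("$")
    if tag != RECORD_TAG:
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_for_two_sites(password: str) -> Tuple[str, str]:
    """Simulate the same password registered at two independent sites.

    Each site picks its own salt, so the stored records differ and a stolen
    record from one site cannot simply be matched against the other. The
    danger of reuse is that the *plaintext*, once known, works at both.
    """
    return hash_password(password), hash_password(password)


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:",
          verify_password("correct horse battery staple", record))
    print("wrong password rejected:",
          not verify_password("correct horse battery stapler", record))
    site_a, site_b = records_for_two_sites("reused-everywhere")
    print("records differ between sites:", site_a != site_b)
    print("same plaintext opens both:",
          verify_password("reused-everywhere", site_a)
          and verify_password("reused-everywhere", site_b))
```

The record is all a site needs to check logins, which is why a breach that exposes only records is less severe than one that exposes plaintext; the per-user salt is what keeps the two sites’ records from being cross-matched, and a unique password per site is what keeps a plaintext learned at one site from being useful at another.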
The Electronic Frontier Foundation (EFF) has raised concerns about the latest version of AOL Instant Messenger (AIM), an application used for sending and receiving instant messages on Macs, PCs and portable devices, including iOS devices. According to the EFF:
The new preview version of AOL Instant Messenger raised privacy concerns for us when it was first introduced, first because it started storing more logs of communications and second, because it apparently scanned all private IMs for URLs and pre-fetched any URLs found in them.
The EFF met with AOL to discuss these issues, but in a recent blog post, they said:
…we still recommend that AIM users do not switch to the new version, as it introduces important privacy-unfriendly features.
Mac users may not be aware, but when they use iChat, they are using AOL Instant Messenger. Apple’s iChat uses AOL’s servers to connect Mac users. Here’s a screen shot of the Server Settings tab in iChat’s Accounts preferences; you can see that the server used is an aol.com server:

The biggest privacy issue with the latest version of AIM is that it logs your chats for up to two months, or potentially indefinitely. While this may not be a serious issue for most users, a data breach could allow malicious users to obtain such logs, which might contain personal information, phone numbers, passwords and more. In addition, “your private conversations are now available to, for instance, law enforcement agents with a warrant or a national security letter.” (In other words, be careful what you send by iChat.)
In addition to this, the people you chat with who are not using AIM may not be aware that their chats are being logged. The new AIM warns users the first time they initiate a chat, and there is an option for the person using the new AIM to turn off logging, but this is unclear and inconsistent. Macworld’s Dan Miller wrote about this recently, pointing out that after he deleted the new version of AIM, these messages persisted, and it wasn’t at all clear whether chats were indeed being logged or not. It seems that once you log into your iChat account with the new AIM, this logging is turned on, and you simply cannot turn it off.
The EFF points out that:
You cannot go “off the record” if you are using an alternative client like iChat or Pidgin, or if you switch back to an earlier version of AIM. And if the other participant in the chat is not using the new AIM, that person cannot toggle the conversation off the record, such that it is not stored by AOL. Finally, there is no off the record mode for the new group chat feature at all. All group chats on AIM will be logged.
Another element of the new AIM is that the program scans all URLs in chats, in order to attempt to embed photos or videos in chat windows. Even if these links don’t lead to photos or videos, they are scanned and stored in logs. This, too, cannot be turned off. The EFF says that “it does not look like there will be a way to permanently opt out of the link downloading behavior.” In addition, “Since conversations can only be marked ‘off the record’ from inside the new AIM, users of older versions or alternate clients will always be prone to having some of the links they send scraped, even though they won’t see them rendered.”
Finally, the EFF points out that users were not warned about this URL fetching service, and are not given an option to turn it off. As with many such privacy changes, it is best to inform users of what is changing and offer them a chance to opt in to the new features. AOL has not done so, and most users are not aware of what is happening. Users should carefully consider whether they want to install the new AIM. iChat users won’t see any changes on their end, but their contacts who do have the new AIM installed will cause chats with them to be logged.
The EFF’s final verdict is clear: “Because signing onto the new version of AIM permanently changes your account settings to log all conversations to AOL’s servers by default, we recommend that existing AIM users do not upgrade.”
With millions of e-mail addresses and passwords getting compromised by hacker attacks, it’s hard to know if yours has been grabbed by hackers and passed around on the Internet. A web site, Pwned List, centralizes a number of databases of “pwned” or owned e-mail addresses, and is approaching 5 million addresses. They have a simple search tool, so you can enter your e-mail address or user name and find out if it shows up in their database.
If it does, you should immediately change the password for that account. However, if it doesn’t show up, that doesn’t mean the account hasn’t been compromised. Since this site depends on databases and lists that they recover, they certainly don’t have everything that’s been hacked. Nevertheless, it’s a good idea to check from time to time for your addresses and accounts that may be susceptible to hack attacks.
We published an article about how to make secure passwords last year following a high-profile hack where some 200,000 e-mail addresses were harvested. It’s a good idea to look at that article to learn how to create the most secure passwords.
The big news in the security industry in the past couple of weeks has been a hack of DigiNotar, a Dutch certificate authority. We reported on this in late August, and Apple issued a security update last week to fix the problem on Macs.
The New York Times has a detailed look at what happened and how. This was the work of a lone hacker, “Comodohacker,” an Iranian who shared the results of his hack with others in Iran, leading to the possibility that some Iranians had their e-mail compromised. Google advised Iranian Gmail users to change their passwords because of this breach.
The hacker took 10 days to get access to DigiNotar’s servers, and created 531 fake certificates, for sites such as Google, Facebook and Skype, as well as the CIA, MI6 and Mossad. As the New York Times says, “He shared them with a person or organization believed to have had control over dozens of Internet service providers and university networks in Iran — perhaps the government itself.”
If you’re using a Mac, make sure to apply the latest security update so you can be protected from any possible bogus certificates you may encounter.
The blogosphere has been agog for the past week or so, since information was made public showing that Apple’s iPhone (and other 3G iOS devices) records user location data. We felt that this wasn’t a big deal, and much of the press agreed. However, a number of people found this to be a Big Problem, leading Apple to release a Q&A on Location Data.
In this document, Apple addresses the issue, explaining what data is stored, why, and for how long.
First, the iPhone does not store user locations, but rather:
a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested.
Some of this data comes from a crowd-sourced database – from other iPhone users. Apple says:
The entire crowd-sourced database is too big to store on an iPhone, so we download an appropriate subset (cache) onto each iPhone. This cache is protected but not encrypted, and is backed up in iTunes whenever you back up your iPhone.
For this reason, users may find that the database shows them having been in locations they have never visited.
Apple points out that users cannot be identified:
This data is sent to Apple in an anonymous and encrypted form. Apple cannot identify the source of this data.
But Apple also points out that when Location Services is turned off, this data shouldn’t be stored. They say that this is a bug, and that they will issue a software update in the coming weeks to fix it.
Apple says that the software update will do the following:
- reduce the size of the crowd-sourced Wi-Fi hotspot and cell tower database cached on the iPhone,
- cease backing up this cache, and
- delete this cache entirely when Location Services is turned off.
And, finally, Apple says:
In the next major iOS software release the cache will also be encrypted on the iPhone.
This all led to a nice discussion about user privacy and location data, and it showed that other phones store such data as well. Apple has reacted promptly and will fix the bug that allowed this data to be stored even when Location Services is turned off, and will encrypt this data just in case.
So can we move on to something more important now?