…from:
security-announce-request@lists.apple.com
Today's Topics:
1. APPLE-SA-2013-08-29-1 OS X: Java Web plug-in blocked
(Apple Product Security)
----------------------------------------------------------------------
Message: 1
Date: Thu, 29 Aug 2013 14:12:42 -0700
From: Apple Product Security
<product-security-noreply@lists.apple.com>
To: security-announce@lists.apple.com
Subject: APPLE-SA-2013-08-29-1 OS X: Java Web plug-in blocked
Message-ID: <89052771-2BB5-4DB4-A95B-C78C95D4B917@lists.apple.com>
Content-Type: text/plain; charset=us-ascii
APPLE-SA-2013-08-29-1 OS X: Java Web plug-in blocked
Due to multiple security issues in older versions, Apple has updated
the web plug-in blocking mechanism to disable all versions prior to:
Java 6 update 51
Java 7 update 25
More information on Apple-provided updates is available at
http://support.apple.com/kb/HT5797
Information on blocked web plug-ins will be posted to:
http://support.apple.com/kb/HT5660
Wayne Billing
Classroom Technology Support
Audio Visual and Classroom Technology Support
130 Machray Hall Building
204-474-6649
204-807-3153 (cell)
204-474-7625 (fax)
Wayne_Billing@umanitoba.ca
Hint: There are black iPhones and there are white iPhones. There are no blue or purple or yellow or orange or red iPhones….. at least not yet…. (see http://www.macrumors.com/2013/08/29/new-videos-depict-champagne-and-graphit… and http://money.cnn.com/2013/08/28/technology/mobile/iphone-5c/)
…from:
http://9to5mac.com/2013/08/29/your-local-mall-kiosk-might-be-carrying-fake-…
Your local mall kiosk might be carrying fake Apple products
http://www.youtube.com/watch?v=D8s8CmmCzb4
A news report <http://www.wbaltv.com/news/maryland/anne-arundel-county/police-seize-hundre…> out of Baltimore demonstrates the level of counterfeit Apple products that are being sold right under our noses in malls, some of which undoubtedly share space with an Apple Store.
Officers said they raided the Cyberion store and the ST Tech Pros kiosk last Friday and recovered hundreds of fake Apple products that were being sold as authentic factory replacements. “These organizations that make these products are using substandard materials. They are doing everything they can to make them look like the real thing,” said Greg Shipley with the Maryland State Police.
While this particular bust may have been an isolated incident, if you’ve been to a US mall in the past few years, you’ve likely seen kiosks with fake Apple products. They are everywhere.
The items recovered from the Baltimore Mall included:
* 24 iPhones and the colored fronts and backings that go with them
* Cellphone conversion kits
* iPhone and iPad covers
* Apple product ID stickers
* iPad replacement screens
* Various internal iPhone parts.
* Packaging materials, equipment used to design and print those materials
* Computer equipment believed to be used to clone phones.
“Our investigators believe that they were acting as some type of authorized Apple repair shop and they were taking Apple phones and replacing them with interior parts that were inferior, that were fake, that were not Apple products,” Shipley said.
According to the report, an Apple representative helped with the investigation by confirming that the products were indeed counterfeit. The estimated value of all the items was more than $89,000.
A counterfeit Apple AC adapter is believed to be responsible for the electrocution death of a Chinese woman<https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CCwQFj…>. Apple responded to the situation by offering USB power replacements for people who unknowingly bought counterfeits<http://9to5mac.com/2013/08/05/apple-launching-third-party-iphone-usb-charge…>.
http://arstechnica.com/information-technology/2013/08/blackberry-considers-…
BlackBerry considers spinning off Messenger as separate business
With BBM due to appear on iOS and Android, service may fare better on its own.
by Sean Gallagher<http://arstechnica.com/author/sean-gallagher/> - Aug 27 2013, 3:33pm CDT
Coming to Android and iOS soon, and possibly even more—BlackBerry is considering setting BBM free as a subsidiary.
BlackBerry Messenger (BBM), the messaging service that has existed exclusively on BlackBerry phones for years, may soon be set (partially) free. According to a report from the Wall Street Journal, BlackBerry is considering spinning off the Messenger service as a subsidiary company that would operate more independently from the Waterloo, Ontario, mothership. BlackBerry is already preparing to release BBM for iPhone and Android<http://us.blackberry.com/bbm.html> and is moving to position the service as a broader social media and communication platform.
The Journal reports that the subsidiary, which would be named BBM Inc., would move to offer additional services atop the messaging platform, potentially including a Twitter-like service called BBM Channels and a desktop client. BBM already offers voice chat, and the service would be expanded to offer a video chat feature similar to Google Hangouts and Apple's FaceTime. A BlackBerry spokeswoman would not comment on the report.
On August 12, BlackBerry executives announced that the company was undertaking a "strategic review" and that they were considering selling the company<http://arstechnica.com/business/2013/08/blackberry-announces-that-it-may-se…> as one of the outcomes of that review. Operating BBM as a subsidiary would allow BBM to expand development efforts beyond the BlackBerry platform itself, but it would also make the service easier to sell off, fully spin-off as a new company, or potentially raise the value of the whole company in the event of a sale.
The timing may be a little off for BBM, however. The number of users of the service has dropped precipitously as the BlackBerry platform has lost market share in North America. BBM currently has about 60 million active users. By comparison, Kik—formed in Waterloo by former BlackBerry Messenger developers—now has over 80 million users<http://business.financialpost.com/2013/08/20/kik-surpasses-blackberry-messe…>.
The new "Contact Apple Support" look by selecting GET STARTED in the "Contact Apple Support" area on the Apple Canada - Support page (http://www.apple.com/ca/support/):
…from:
http://9to5mac.com/2013/08/26/apple-launches-more-intuitive-applecare-suppo…
Apple launches more intuitive AppleCare support website, 24/7 chat<http://9to5mac.com/2013/08/26/apple-launches-more-intuitive-applecare-suppo…>
Published: Yesterday 6:47 PM
Author: Mark Gurman
Earlier this month, we reported that Apple would soon introduce significant changes<http://9to5mac.com/2013/08/07/applecare-chat-support-to-soon-go-247-new-ios…> to its online AppleCare support portals. In line with our report, Apple has begun rolling out a redesigned AppleCare website to provide support and has also begun rolling out 24/7 live chat support.
The new AppleCare website is easier for users to follow, and it groups product categories in a more understandable fashion. The new support site also makes it simpler for customers to identify the exact issue with their device.
The updated site is also designed with a focus on connecting customers directly to an AppleCare support employee. Customers can easily schedule a call or an in-store Genius Bar appointment, and access live chat support.
On the topic of live chat support, we’re told that 24/7 chat support<http://9to5mac.com/2013/08/07/applecare-chat-support-to-soon-go-247-new-ios…> has begun rolling out. Initially, the support was limited to certain hardware and software, but Apple now offers both Mac and iOS device support at every hour of the day and night.
While the new AppleCare site has begun going live for some readers, other users are reporting that they are still seeing the old website. It is likely that Apple will complete the release of the redesign in the coming days.
While Apple has an "Exchange and Repair" web page (http://www.apple.com/support/exchange_repair/) where they list current repair and exchange programs, the following "video card" item hasn't made it to that page yet:
…from:
http://support.apple.com/kb/TS5167
iMac (27-inch): AMD Radeon 6970M Video Card Replacement Program
Symptoms
Apple has determined that some AMD Radeon HD 6970M video cards used in 27-inch iMac computers with 3.1GHz quad-core Intel Core i5 or 3.4GHz quad-core Intel Core i7 processors may fail, causing the computer’s display to appear distorted, white or blue with vertical lines, or to turn black. iMac computers with affected video cards were sold between May 2011 and October 2012.
Resolution
If your iMac has an AMD Radeon HD 6970M video card and is exhibiting any of the issues described above, choose one of the following options to arrange to have your iMac evaluated:
* Apple Retail Store: Set up a Genius Bar<http://concierge.apple.com/reservation/us/en/techsupport/> appointment.
* Apple Authorized Service Provider: Find one here<https://locate.apple.com/>.
* Apple Technical Support: Contact us<http://support.apple.com/kb/HE57> for local service options.
Before you go in for service, please back up your data. Learn more about backup options<http://www.apple.com/support/backup/>.
If the iMac (27-inch) meets these requirements, Apple will replace the video card free of charge for three years after the first retail sale of the computer.
Additional Information
If you believe you have paid for a repair or replacement due to this issue, contact Apple<http://support.apple.com/kb/HE57> regarding a refund.
This worldwide Apple program does not extend the standard warranty coverage of the iMac.
Apple will continue to evaluate service data and will provide further updates to this program as needed.
Last Modified: Aug 17, 2013
…from:
http://arstechnica.com/security/2013/07/trusting-iphones-plugged-into-bogus…
Trusting iPhones plugged into bogus chargers get a dose of malware
iPhones will pretty much trust any computer they're plugged into.
by Peter Bright<http://arstechnica.com/author/peter-bright/> - July 31 2013, 7:16pm CDT
The Mactans charger uses a BeagleBoard for its computational power.
Billy Lau, Yeongjin Jang, and Chengyu Song
Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.
Their bogus chargers—which do, incidentally, charge the phone—contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other computer, but instead of just charging, it responds to USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, then the host has considerable control over the iPhone.
The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a feature that has led to the widespread practice of jailbreaking. This attack doesn't need to jailbreak, however.
Instead, it takes advantage of the system that Apple devised to permit developers to deploy applications to their own devices for testing purposes. Deploying such applications requires the creation of a provisioning profile. A provisioning profile identifies a specific phone and a specific application, allowing the named application to run on the named device. These provisioning profiles are generated by Apple and installed over USB.
The malicious charger interrogates the attached iPhone to read its UDID<http://arstechnica.com/apple/2012/09/ask-ars-whats-the-big-deal-with-iphone…>, the unique ID number that identifies a particular iPhone. It then sends the UDID to Apple's Web page that generates provisioning profiles. With the provisioning profile in hand, it can deploy the provisioning profile to the phone, and then deploy the malicious app identified by the provisioning profile.
Though the malicious app is still sandboxed, it doesn't have to pass through Apple's normal application vetting process, and so it can still do plenty of useful malicious things. The demonstration showed a malicious Facebook app that replaced the real Facebook app with a trojaned version. The trojaned version could then do things like take screenshots of the iPhone whenever passwords are being entered, and simulate key presses to, for example, dial numbers without user intervention.
There are limits to this kind of attack. As well as requiring the phone's screen to be unlocked, the generation of the provisioning profile requires the attacker to have a valid developer account. Each developer account can only generate provisioning profiles for 100 different phones, and there's no facility to remove a UDID that's associated with a developer's account.
This will tend to limit the attacks to specific ones against individual users, rather than widespread, indiscriminate attacking. In principle, a Mactans charger could be made to look identical to an official Apple charger; a suitably motivated attacker could replace proper chargers with the malicious chargers to attack targets' phones.
Apple has responded to this research by making the iPhone a little less trusting. Instead of trusting any USB host that it's connected to, iOS 7 will prompt users the first time, asking if they want to trust the currently connected computer. This notification will immediately disclose that a charger isn't a charger at all, but in fact a Mactans-like device.
iOS 7 devices are a little bit more suspicious than their iOS 6 brethren.
…from:
http://arstechnica.com/tech-policy/2013/08/ed-snowdens-encrypted-e-mail-ser…
Ed Snowden’s e-mail service shuts down, leaving cryptic message
Lavabit offered Snowden—and other customers—512-bit security on stored e-mails.
by Joe Mullin<http://arstechnica.com/author/joe-mullin-2/> - Aug 8 2013, 4:00pm CDT
Once it became clear that he was going to be trapped in Moscow's Sheremetyevo Airport for a while, National Security Agency (NSA) leaker Edward Snowden chose to end his isolation by inviting several human rights activists to meet<http://arstechnica.com/tech-policy/2013/07/snowden-holds-court-in-moscow-ai…> with him in July. The e-mails Snowden sent out to organize that meeting reportedly came from the e-mail address "edsnowden@lavabit.com."
That got Lavabit quite a bit of positive attention from techies concerned about privacy. "Pretty cool features list," observed<http://boingboing.net/2013/07/12/so-apparently-edward-snowden.html> BoingBoing's Xeni Jardin. "I am sold!" gushed<http://www.dailykos.com/story/2013/07/13/1223284/-INTERNET-PRIVACY-Why-not-…> a writer at DailyKos.
Not all the attention may have been positive. Less than a month after Snowden was revealed to have used the service, it has been shut down<http://boingboing.net/2013/08/08/lavabit-email-service-snowden.html>. The owner of Lavabit, Ladar Levison<https://www.facebook.com/KingLadar>, has left a cryptic and chilling message<http://lavabit.com/> stating that he had to walk away from the ten years of work he put into Lavabit, lest he "become complicit in crimes against the American public." Until real reform happens, Levison says he "would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."
The full message reads:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here<https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7BCR4A…>.
Lavabit's deleted website is still available, for now, through Google Cache. The pages show a long list of privacy and anti-spam features. Lavabit emphasized that stored mail was encrypted with public and private keys. The security section read in part:
The secure mail storage process uses asymmetric encryption to ensure the privacy of messages while being stored on the Lavabit servers. Asymmetric encryption is a process that uses public key and private key encryption to make messages unreadable without knowing a user's plaintext password. Presently we use Elliptical Curve Cryptography (ECC) with 512 bits of security to encrypt messages. The private, or decryption, key is then encrypted with a user’s password using the Advanced Encryption Standard (AES) and 256 bits of security. The result is that once a message is stored on our servers in this fashion, it can’t be recovered without knowing a user's password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information.
It should be noted that ECC has been approved by the NSA for Suite B<http://www.nsa.gov/ia/programs/suiteb_cryptography/>, meaning the agency thinks it's strong enough<http://www.nsa.gov/business/programs/elliptic_curve.shtml> for government use.
…from:
http://9to5mac.com/2013/08/05/apple-launching-third-party-iphone-usb-charge…
http://www.apple.com/support/usbadapter-takeback/
Following electrocution controversy, Apple to offer USB power adapter takeback program
Image via Flickr<http://www.flickr.com/photos/shanghaidaddy/4444779602/in/photolist-7LLE85-b…>
Following controversy in recent weeks<http://9to5mac.com/2013/07/15/apple-investigating-electrocution-death-of-ch…> regarding the safety of counterfeit and third-party USB charging adapters for the iPhone, iPod, and iPad, Apple has announced<http://www.apple.com/support/usbadapter-takeback/> a new takeback program for these adapters. The program will be held at both official Apple Retail Stores and Authorized Apple Resellers. The program will officially kick off on August 16th. Apple also shares that customer safety is its top priority:
Customer safety is a top priority at Apple. That’s why all of our products — including USB power adapters for iPhone, iPad, and iPod — undergo rigorous testing for safety and reliability and are designed to meet government safety standards around the world.
The takeback program will allow anyone who feels uncomfortable with their adapter to replace it with an official unit for a discounted price of $10. The option will be available until October 18th of this year. Customers must bring in their corresponding device in order to be eligible.
If you need a replacement adapter to charge your iPhone, iPad, or iPod, we recommend getting an Apple USB power adapter. For a limited time, you can purchase one Apple USB power adapter at a special price — $10 USD or approximate equivalent in local currency. To qualify, you must turn in at least one USB power adapter and bring your iPhone, iPad, or iPod to an Apple Retail Store or participating Apple Authorized Service Provider for serial number validation. The special pricing on Apple USB power adapters is limited to one adapter for each iPhone, iPad, and iPod you own and is valid until October 18, 2013.
Apple will properly recycle the takeback adapters. Last month, an Apple customer reportedly passed away from electrocution due to a counterfeit charger<http://9to5mac.com/2013/07/15/apple-investigating-electrocution-death-of-ch…> used with an iOS device. Immediately following this incident, Apple opened up a webpage<http://www.apple.com.cn/power-adapters/> to help customers identify Apple-built adapters. Apple has begun notifying its stores and reseller partners of the upcoming program.
Recent reports have suggested that some counterfeit and third party adapters may not be designed properly and could result in safety issues. While not all third party adapters have an issue, we are announcing a USB Power Adapter Takeback Program to enable customers to acquire properly designed adapters.
Customer safety is a top priority at Apple. That’s why all of our products — including USB power adapters for iPhone, iPad, and iPod — undergo rigorous testing for safety and reliability and are designed to meet government safety standards around the world.
Starting August 16, 2013, if you have concerns about any of your USB power adapters, you can drop them off at an Apple Retail Store<http://www.apple.com/retail/> or at an Apple Authorized Service Provider<https://locate.apple.com/>. We will ensure that these adapters are disposed of in an environmentally friendly way.
If you need a replacement adapter to charge your iPhone, iPad, or iPod, we recommend getting an Apple USB power adapter. For a limited time, you can purchase one Apple USB power adapter at a special price — $10 USD or approximate equivalent in local currency. To qualify, you must turn in at least one USB power adapter and bring your iPhone, iPad, or iPod to an Apple Retail Store or participating Apple Authorized Service Provider for serial number validation. The special pricing on Apple USB power adapters is limited to one adapter for each iPhone, iPad, and iPod you own and is valid until October 18, 2013.
Note: Due to the complexity of testing required to detect an unsafe or counterfeit adapter, Apple Retail and Apple Authorized Service Providers cannot advise you on the authenticity or safety of your adapter. We are offering this special takeback program for any USB power adapter made for use with iPhone, iPad, and iPod for which you have concerns.