Ars Technica Details the Danger of WiFi Hotspots


“Free” Wi-Fi from Xfinity and AT&T also frees you to be hacked http://feeds.arstechnica.com/~r/arstechnica/index/~3/s-x4Wk3bVTo/

This is a great article from Ars Technica discussing the dangers of using WiFi hotspots, even those from trusted providers.  Thousands of hotspots are turning up around Delaware advertising xfinitywifi (including one in my own building), a free WiFi network for customers of Comcast’s Xfinity service.  The problem with these WiFi hotspots is that your wireless device has no way to determine if the hotspots are authentic.  This matters because before you are able to use these hotspots, you must first authenticate using your xfinity login and password. 

This is dangerous because there is nothing to prevent a malicious hacker from creating a hotspot named xfinitywifi and then setting up a fake authentication page to intercept your account login. The worst part is that once you instruct your device to trust a WiFi connection with that SSID (xfinitywifi), it will try to reconnect whenever it sees a hotspot with that name.

For this reason, I have stopped using this free service of my cellular provider and Internet service provider. If you are an xfinity user and absolutely need to use the network of free WiFi routers, I would suggest that you set up an additional ID with Comcast just to use for WiFi access. When you add this additional ID, you have the option to provide it with no administrative access to your account, so even if it is hacked, no damage can be done to your account or personal information. Just make sure you use a different password for your dummy account.

Apple’s iOS Activation Lock is Helping Reduce Cell Phone Theft

Enable Find My iPad in Settings

iMore has an article indicating that theft of iPhones has drastically declined thanks to the Activation Lock feature that was introduced in iOS. Activation Lock is a feature of “Find My iPhone” that requires your iTunes username and password when trying to erase or reactivate a device. Apple prompts you to enable “Find My iPhone” during the initial setup. After it is enabled, a device cannot be erased or reactivated without the iTunes username and password being entered.

This feature works on any device that iOS 7 can be installed on. That includes all models of the iPhone and iPad currently being sold. To determine if you have this feature enabled, check settings, iCloud, and make sure Find My iPad is enabled. For more information see Apple’s support page.

Siri Will Let Anyone Access Your Contacts from the Lock Screen

A new “feature” of iOS 7.1.1 has been discovered by Egyptian neurosurgeon Sherif Hashim. With a simple work-around, Siri will help anyone access your contacts, even if your phone is locked. The bug allows a user to launch Siri and say “Call”, “Text” or “Email”; then, after using the keyboard to type a single letter, the user is prompted to “Clarify”, at which time selecting “Other…” will provide them with the contact list on the device.

Beyond possibly revealing confidential client lists for attorneys (that keep clients in their contacts), once the contact list is seen, Siri can be used to “Text”, “Call” or “Email” anyone that was identified from browsing your contacts. This means that the malicious user can send messages as YOU to contacts on your device!

For those who want to avoid becoming a victim of this vulnerability, disable the use of Siri on the lock screen. This can be done by going into the Settings app, choosing “Passcode” (or on iPhone 5s, “Touch ID & Passcode”), then disabling Siri access in the “Allow Access When Locked” section. No word on when a fix will be released.

For more information, see Gizmodo.

Another Week, Another iOS Security Bug

Today another reminder has come that your telephone operating system is never as secure as you may think it is. 9to5Mac has a story indicating that a security researcher has discovered that several versions of iOS 7 (including the current version 7.1.1) are not encrypting email attachments in the bundled Mail application. This is a major issue, because adding a passcode to your iPhone or iPad is supposed to add this extra layer of security to your attachments.

What this means to the end user in the legal community is that if your device falls into the wrong hands, your attachments may be accessible even if your device is password-protected. There does not appear to be any solution to this issue at this time. The security researcher, Andreas Kurtz, reached out to Apple, which claims to be aware of the issue but has not indicated when a fix would be issued.

In the meantime, be careful if you are using a corporate, government or personal email account on your device and you are exchanging documents with confidential information.

Another Major https Vulnerability in iOS 7.1

It seems that the new update Apple released Tuesday for iOS was more important than originally thought. iOS 7.1.1 patches a vulnerability that would allow a “man-in-the-middle” to intercept encrypted data that is being transmitted using SSL over https connections.

According to Ars Technica, this bug allows a third party to open two connections. One would be the connection to the site you believe you are accessing, while the second connection would also send your data to a third party without your knowledge. This bug affects any device running iOS 7.1 or earlier.

It is recommended that this update be installed on your devices immediately. To install the update open ‘Settings’, then ‘General’, then ‘Software Update’.


Jailbroken iOS Devices Vulnerable to New Malware Attack

Ars Technica has a report about a new vulnerability (unflod app) that has been discovered to affect certain jailbroken iOS devices. Currently only 32-bit devices have been found to be infected. That means that iPhone 5s, iPad Air, and iPad Mini with Retina are currently okay. Once the malware is on the device, it intercepts your Apple login and password credentials.

Although the code has been found, the delivery mechanism has not.  Since it can’t be determined how devices were initially infected with the malware, it is recommended that infected devices be restored to the factory software. 

See the Ars Technica article for more details: Active malware campaign steals Apple passwords from jailbroken iOS devices

Another Good Reason to Password Protect Your iPad/iPhone


9to5Mac details an iOS 7 bug that allows anyone to disable Find My iPhone and bypass Activation Lock without a password http://9to5mac.com/2014/04/03/ios-7-bug-allows-anyone-to-disable-find-my-iphone-and-bypass-activation-lock-without-a-password/.

The good news about this new security risk is that it only works if you do not have a password set up on your iPhone or iPad. Even if your device is unlocked, on reboot the unauthorized user would need to enter a password. The moral of the story: password protect your device!
