Unlocking TouchID with fake fingerprint. | YouTube
@timbray Pre-Touch ID, your … | Twitter / gruber
Why I Hacked Apple’s TouchID, And Still Think It Is Awesome. | The Official Lookout Blog
Touch ID is not a “strong” security control. It is a “convenient” security control. Today just over 50 percent of users have a PIN on their smartphones at all, and the number one reason people give for not using the PIN is that it’s inconvenient. TouchID is strong enough to protect users from casual or opportunistic attackers (with one concern I will cover later on) and it is substantially better than nothing.
On the Effective Security of Touch ID | Daring Fireball
Clearly Touch ID is better than no passcode at all — which Apple claims is how the majority of iPhone users (and smartphone owners in general) have their devices configured. Further, I think it’s better than a 4-digit PIN. It seems far easier to me to spy on someone entering their PIN than it would be to capture a high-resolution fingerprint (from their correct finger) and reproduce it in way that works to fool Touch ID.
(The new lock screen PIN entry UI in iOS 7 might even make it easier than before to snoop someone’s PIN.)
The Hackers Who Toyed With Apple | maclalala2
Microsoft hacked | The Loop
The world’s largest software company said the security intrusion was “similar” to recent ones reported by Apple Inc (NSQ:AAPL) and Facebook Inc (FB.O).
Recent Cyberattacks | MSRC
We’ve been hacked | Zendesk
Zendesk Security Breach Affects Twitter, Tumblr, and Pinterest | Daring Fireball
One Site May Be Responsible for Recent Hacks | AllThingsD
The site is called iPhonedevSdk, according to sources close to the Facebook hacking investigation. After Facebook employees visited the mobile development site in recent weeks, malicious code injected into the HTML of the site used an exploit in Oracle’s Java plugin to infect employee laptops, as the company divulged last Friday. […]
Of note: Do not visit this site, as it may continue to be compromised. While it’s potentially risky to publicize the web site, AllThingsD is providing the name to inform readers, mobile developers and organizations interested in mobile development in order to keep them from becoming infected.
iPhoneDevSDK | Daring Fireball
Apple Hit by Hacker Attack | maclalala2
iPhoneDevSDK — the site apparently responsible for the hacks at Facebook, Apple, and Twitter — says it was not aware it was being used to attack visitors until it read press reports this week. In a news post (do not click if you’re wary of security breaches) on Wednesday, site admins said they had no knowledge of the breach and were not contacted by any of the affected companies. Though, iPhoneDevSDK is now working with Facebook’s security team in order to share information about what happened.
iPhoneDevSDK Admins Didn’t Know Site Was Booby-Trapped | Daring Fireball
《Update: Admins Didn't Know a Trap Had Been Set》 | maclalala2
Apple, which is working with law enforcement to track down the hackers, told Reuters that only a small number of its employees’ Macintosh computers were breached, but “there was no evidence that any data left Apple.”
The iPhone and iPad maker said it would release a software tool later on Tuesday to protect customers against the malicious software used in the attacks.
Reuters: Apple Hit by Hackers Who Targeted Facebook Last Week | Daring Fireball
Apple attacked by hackers | The Loop
Apple comments on hacker attack | The Loop
Java for Mac OS X 10.6 Update 13 | Apple
Apple Hit by Hacker Attack | maclalala2
An update on our war against account hijackers | Google Official Blog
With stolen passwords in hand, attackers attempt to break into accounts across the web and across many different services. We’ve seen a single attacker using stolen passwords to attempt to break into a million different Google accounts every single day, for weeks at a time. A different gang attempted sign-ins at a rate of more than 100 accounts per second. Other services are often more vulnerable to this type of attack, but when someone tries to log into your Google Account, our security system does more than just check that a password is correct.
If a sign-in is deemed suspicious or risky for some reason — maybe it’s coming from a country oceans away from your last sign-in — we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we’ve dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.
Google’s War Against Account Hijackers | Daring Fireball
China’s Army Is Seen as Tied to Hacking Against U.S. | NYTimes.com
An unusually detailed 60-page study, to be released Tuesday by Mandiant, an American computer security firm, tracks for the first time individual members of the most sophisticated of the Chinese hacking groups — known to many of its victims in the United States as “Comment Crew” or “Shanghai Group” — to the doorstep of the military unit’s headquarters. The firm was not able to place the hackers inside the 12-story building, but makes a case there is no other plausible explanation for why so many attacks come out of one comparatively small area.
“Either they are coming from inside Unit 61398,” said Kevin Mandia, the founder and chief executive of Mandiant, in an interview last week, “or the people who run the most-controlled, most-monitored Internet networks in the world are clueless about thousands of people generating attacks from this one neighborhood.”
Chinese cyber-attacks: Hello, Unit 61398 | The Economist
China Lashes Back at Hacking Claims | WSJ.com
Unit 61398: The Computer-Hacking Division of China’s Military | Daring Fireball
Twitter Got Hacked. Expect More Companies to Follow. | AllThingsD
“Who’s next?” you may be thinking. But the question to ask isn’t “Who’s next?” The question is, “Who will admit it next?”
Or even scarier: Perhaps these companies aren’t aware they’ve been hacked in the first place.
“I truly believe we’re going to see quite a bit more of these announcements as companies start to get smarter and look more closely at their systems,” Soltani said. “It’s not a matter of whether or not you’ve been compromised. It’s whether you have the expertise to tell.”
Even the New York Times wasn’t aware of hacks that had occurred on its network for months on end; the company’s security software, provided by Symantec, failed to identify all but one of the 45 separate pieces of custom malicious software over a period of three months.