Amazon and Apple have taken serious steps today in responding to news of how Mat Honan was hacked, which was done not with brute force but by using social engineering to trick Apple and Amazon support staff into giving out various pieces of information and resetting some passwords. Amazon reacted first and arguably more decisively by enacting a new security policy of no longer allowing users to change account settings (such as credit card information and email addresses) via the phone.
Apple has meanwhile enacted a 24-hour freeze on resetting account passwords over the phone whilst they review their security practices. When Wired then tried to reset an AppleID password through Apple support staff on the phone, the representative said “Right now, our system does not allow us to reset passwords. I don’t know why”.
An Apple worker with knowledge of the situation, speaking on condition of anonymity, told Wired that the over-the-phone password freeze would last at least 24 hours. The employee speculated that the freeze was put in place to give Apple more time to determine what security policies needed to be changed, if any.
Mat Honan: How Apple and Amazon Security Flaws Led to My Epic Hacking
You may have heard about Mat Honan (Wired writer) being hacked last week, with his Twitter account being compromised and the hackers using iCloud to remote wipe his iPhone, iPad and Mac. Today he’s written up a detailed article on Wired that goes through how exactly the hackers got access to it all. The scary thing is that it wasn’t done by brute force, but rather by using social engineering to trick Apple and Amazon support staff.
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
It’s undoubtedly a scary story about the perils of putting our entire lives in the hands of a cloud service – because more so than ever, physical access isn’t needed to wreak havoc. It’s also a friendly reminder to ensure you’re using strong passwords, isolating critical accounts and creating local backups wherever feasible as a last resort if indeed this or something similar does happen to you.
My experience leads me to believe that cloud-based systems need fundamentally different security measures. Password-based security mechanisms — which can be cracked, reset, and socially engineered — no longer suffice in the era of cloud computing.
A hacker known as plamoni created a Siri proxy server that could allow anyone to use it and make Siri work with a wide range of non-Apple devices. Applidium, a development firm, hacked the Siri security protocol and has explained the process so anyone can use it.
One implementation of Siri + the proxy server is sending commands to any standard thermostat with Wi-Fi capabilities. plamoni taught Siri (no jailbreak required) to send commands over the network and if you’re interested, the source code is available for free online. Anyone with an iPhone 4S unique identifier and knowledge of networking can get it working. Setting up Siri to control your home’s temperature involves a DNS server that uses a proxy to send requests to Siri’s servers.
As reported by 9to5mac, it appears Apple’s iOS 5 comes with a software functionality to enable an Android-like extra keyboard row for auto-corrections and common suggestions systemwide.
Screenshots of the feature, first posted by Australian developer Sonny Dickson, seem to suggest the feature had been present in iOS 5 since the first beta seeded to developers, but has only recently been rediscovered. The images posted by Dickson show an additional row on top of the standard system keyboard on the iPhone and iPad, which in the provided examples includes suggestions to auto-complete “Hel” with common options like “He’ll”, “Help” or “Gel”. It appears that once enabled, the keyboard bar replaces iOS’ standard auto-correction popup. 9to5mac shares a method on how to enable the feature without a jailbreak.
The extra keyboard row, however, isn’t completely new to iOS 5. The OS already uses a similar (if not the same) system for the Japanese Kana keyboard, with text suggestions displayed in a bar that you can scroll, and expand with the arrow icon also seen in Dickson’s screenshots. For this reason, we believe the hack simply extends the Japanese keyboard’s functionalities to other iOS 5 keyboards.
As usual with unofficial iOS 5 features discovered by developers hacking around the system, don’t expect complete and reliable functionality from the keyboard bar. As Panorama Mode has shown earlier this week, there’s a reason Apple has decided not to include a certain feature in the final version of iOS 5, and early reports from users who have activated this tweak indicate the keyboard bar may crash the iOS Springboard. Still, this is an interesting discovery that we’d be curious to try out with the new iPad split keyboard, also a new feature in iOS 5.
We’ve seen a multitude of hacks that have enabled AirPlay streaming to a variety of platforms that aren’t officially supported by Apple. The latest hack, by Thomas Pleasance, lets you AirPlay straight to Windows Media Center.
To get this working all you’ll need is Apple’s Bonjour service installed (most of you will have already done this) and Pleasance’s Media Center add-in. Then just jump on your iPhone or iPad and stream video or pictures over to it – music support isn’t yet included.
If you own a jailbroken iPhone, you don’t mind trying new tweaks and you’ve been looking for yet another way to modify the look of Apple’s iOS multitasking UI, there’s a new app called PhySwitch available in the Cydia Store that I’ve been positively impressed with over the past week and decided to keep installed on my device. Just like Multifl0w, PhySwitch presents running apps as windows, rather than icons. But unlike the aforementioned hack, PhySwitch doesn’t scroll through windows horizontally, like you would do on a computer or larger screen: considering the nature of the iPhone’s display, developer Pedro Franceschi opted for a vertical solution that makes much more sense on the iPhone, and uses the volume keys to let you cycle through apps. You can bring PhySwitch’s fast app switcher to the foreground with an Activator command, and after that you’ll be able to quickly browse apps with the volume keys, or a vertical swipe. It’s really simple and, for some reason, I’ve come to use it on a daily basis.
The tweak’s not perfect (apps don’t come in the foreground immediately, as PhySwitch goes back to the homescreen for a second and re-launches the app you selected) and could use some speed improvements, especially for the opening animation. However, I think it’s a very clever hack that’s very easy to use and accessible. Get it in the Cydia Store, and check out the demo video below.
Erica Sadun, author of the great AirPlay hack BananaTV, has come out with a new beta application: BananaTunes. Taking advantage of the recent reverse engineering of AirPlay, it will allow you to transmit full stereo music from an AirPlay-enabled iOS device to any Mac running BananaTunes.
Previously AirPlay hacks such as BananaTV or AirFlick and AirTuner only expanded upon the video side of AirPlay but thanks to that reverse engineering magic we can now stream music too. TUAW reported mixed results with BananaTunes (it is beta after all) with it working fine with their iPad 2 but having some issues with an iPhone 4. I personally had no issues using both my iPhone 4 and iPad 2 in playing music to my Mac through BananaTV, except a few initial seconds of stuttering that soon disappeared.
Ultimately Erica plans to merge the BananaTuner functionality into the BananaTV software, but for now you can download these two zip files (or this all-in-one installer) to try it out, but be warned it requires OS X 10.6 and only runs as a 64-bit application.
Here’s an interesting tip about the OS X dock I absolutely didn’t know about, which was brought to our attention by OS X Daily. With a simple Terminal command, you can create a new “smart” stack item in your dock that will automatically collect your most recent applications, servers you’ve connected to, documents, volumes and Favorite items. The stack — which needs to be manually enabled — comes in handy if you’re looking for a quick way to re-open items you’ve recently launched — and especially for Servers and Volumes, this means the stack is collecting my most used items, not just the recent ones.
To enable the recents menu, type this in the Terminal:
The new stack will automatically be placed in the rightmost section, next to the Trash. To remove it, simply drag it out of the Dock. I like this menu because it’s making me save lots of time that would have been spent in the Finder otherwise (the method above worked just fine for me on Snow Leopard 10.6.7). Check out more screenshots below.
Update: if the Terminal command throws you a syntax error, make sure to copy the plain text from OS X Daily.
With iOS 4.3, Apple introduced the possibility for developers to activate “multitasking gestures”, a set of multitouch-based four and five-finger gestures that allow you to quickly switch between apps, go back to the homescreen, or invoke the multitasking tray. The gestures didn’t make it into the public version of iOS 4.3 (they were meant for dev test-only since the beginning), but they still can be enabled with a copy of Xcode, also sold in the Mac App Store at $4.99. Personally, I love multitasking gestures on my iPad and I use them all the time. Gestures are the future, and on the iPad they help me do things faster, in a much more intuitive process.
A new Cydia tweak called MT Gestures allows iPhone 4 and iPod touch 4g owners to turn on the multitasking gestures — with the same preference panel seen on the iPad. These settings have been there all the time, but they need to be manually enabled with a hack. This is exactly what MT Gestures does, for free. It’s available in ModMyi’s repository.