Stories by Glenn Fleishman

Private I: A Slice of Apple: Users with Old iOS Versions

In the rush to critique Google for its inability to patch older and some current versions of Android at all or promptly--a rush I was absolutely part of--it's good to not ignore the baggage we're carrying around as well. Google was rightly criticized for the tradeoffs it made starting with the release of Android 1.0 to allow handset makers and cellular carriers to control, more or less, what went onto Android handsets.

Glenn Fleishman | 18 Aug

Why a strong password doesn't help as much as a unique one

You may snigger when you hear that a few months after the euphemistically named AdultFriendFinder was hacked, now Ashley Madison has had its turn. The site, which enthusiastically advertises its ability to connect people to have affairs, had its accounts compromised, according to security reporter Brian Krebs and confirmed by the company.

Glenn Fleishman | 22 Jul

Apple drops Recovery Key in new two-factor authentication for El Capitan and iOS 9

In early June, Apple said two-factor authentication would be tightly integrated into OS X 10.11 El Capitan and iOS 9, but provided little detail as to what that means. The current setup is scattered across sites and methods in order to deliver a second one-time use, time-limited code or other method of verification when a user logs in to an Apple site or on an Apple device with an Apple ID set up for it.

Glenn Fleishman | 09 Jul

Hacking Team hack reveals why you shouldn't jailbreak your iPhone

An Italian firm with the appropriate name Hacking Team suffered a massive breach in its company data Sunday, and 400GB of internal documents so far have been released and are being analyzed by reporters and security researchers. Hacking Team's customers are government agencies, including both law enforcement and national security, and the ostensibly legal software it sells to help them intercept communications includes not-yet-exploited vulnerabilities, known as zero-days.

Glenn Fleishman | 07 Jul

Private I: Hijacked DNS puts iOS virtual private networks at slight risk

Virtual private network (VPN) connections designed to keep data safe from snooping eyes may be vulnerable to two forms of network attacks by malicious parties with access to a local network, a research paper (PDF) explained on June 30. The founders of Cloak, a VPN service with native iOS and OS X apps, say that the more severe of the two vulnerabilities also exists in iOS's most deeply integrated VPN protocol, and can't be mitigated without Apple's involvement.

Glenn Fleishman | 03 Jul

Private I: The App Store's weaknesses and problems already solved

It's the easiest thing in the world to write a headline that tells you to panic; it's much harder to write one that says something is very wrong, but the odds of it occurring are very low and getting lower. Last week's release of a research paper that showed exploits that were possible in App Store-approved software in iOS and OS X via intra-application shared resources was significant. However, most of the media covering it (including us) got the nuance right.

Glenn Fleishman | 23 Jun

Zero-day exploit lets App Store malware steal OS X and iOS passwords

Security researchers have found major flaws in OS X and a single one in iOS that open the door to malware. The exploits allow malicious apps that have made their way into the App Store to bypass or ignore sandbox and other security protections to grab passwords from other apps' keychain entries, steal data from other apps' private data storage, hijack network ports, and masquerade as different apps to intercept certain communications.

Glenn Fleishman | 18 Jun

LastPass was hacked: Here's what you have to do

The password-storage maker LastPass announced the worst possible news for a company in its business on Monday: its password database was breached and user account information stolen. Because LastPass allows central storage and synchronization of your data store--the "vault" of passwords and other information you use with its app and website--someone being able to suss out your master password would seemingly have access to all your secrets.

Glenn Fleishman | 18 Jun