Hasta La Gadget!

Apple introduced two-factor authentication (or two-step verification if you’d like to call it that) with iCloud back in March, adding an extra layer of security to its cloud backup system. However, security researchers say that iCloud is still vulnerable to a break-in if your password is stolen.

ElcomSoft, a company that specializes in password-cracking software, says that there are security holes in Apple’s two-factor authentication process, saying that “Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud.” When you log in to your iCloud account, you’ll have “full information to everything stored there without being requested any additional logon information.”

The company says that they were able to download an iCloud backup using login details without ever using two-factor authentication, and the physical iOS device that the backup came from wasn’t needed for credential purposes. Of course, this doesn’t mean your iCloud data is out in the open. As long as your password is secure, no one can access your iCloud backup.

ElcomSoft also mentions another security issue, which is the fact that Apple sends verification codes directly to an iOS device’s lockscreen. This means that the verification code is exposed to whoever can turn on the display and look at the lockscreen, meaning that you don’t need to unlock an iOS device in order to see the code. ElcomSoft says that the code should obviously not be displayed on the lockscreen, but rather require users to unlock the device first in order to see it.

However, two-factor authentication does prevents hackers from resetting a user’s Apple ID password, but it doesn’t keep hackers from copying or deleting files that are stored in iCloud. ElcomSoft thinks that Apple’s two-factor authentication “does not look like a finished product,” and “it’s just not as secure as one would expect this solution to be.”

VIA: Ars Technica

SOURCE: ElcomSoft

iCloud not protected by Apple’s two-factor authentication, say researchers is written by Craig Lloyd & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Broadcaster BSkyB has returned its Android apps to the Google Play store today, after pulling them earlier this month following the hacking of its Twitter account and Play listings by the Syrian Electronic Army. The hack, which took place on May 26, saw the official Sky Twitter account advise subscribers to uninstall the apps – which include Sky Go for on-demand streaming, and Sky+ for remotely managing DVRs – as they had been compromised. However, it was later revealed that there had been no such issue, though BSkyB still pulled its vandalized listings from the store.

For those who did not uninstall the apps when (erroneously) advised to, the broadcaster was adamant that they were safe to use. “Sky Android apps previously downloaded by Sky customers are unaffected and there is no need to remove them from an Android device” Sky tweeted following the hack.

However, that still left the apps missing for new downloads, a situation which has lingered since the weekend. The hacker group had modified the listings of each application to show its own logo, along with replacing the description of the app with “Syrian Electronic Army Was Here”.

Each of the restored applications, which showed up in the Play store earlier today, is dated May 31, though there’s no specific mention of the hack in any of the listings. The closest BSkyB gets is a reference to generic “bug fixes” in the change-logs.

May was a busy month for the Syrian Electronic Army, with the Sky hack just one of a number of attacks. The group also targeted UK broadcaster ITV, along with newspaper The Financial Times, while The Onion spun several satire stories out of an earlier breach of its own systems.

VIA: Paul O’Brien

Sky apps return to Google Play following hack is written by Chris Davies & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

This week the folks at Evernote have made it clear: they’re not going to be the last ones out there without two-step security. The note-taking app now joins the likes of Gmail and Twitter as security measures step up to the last several years – and exponential up-ramping – of incidents in which this simple push for more secure log-ins would have stopped hacking altogether.

Evernote’s implementation of this two-step verification process uses’s Google’s Authenticator app – the same as Gmail. This system has the user enter their password as normal, but requires a code that’s generated separately by the app that’s unique to the user. The app exists on Android and iOS devices – tablets and smartphones alike.

As Evernote has made clear, “Implementing two-step verification is not trivial.” They’re implementing this system on all of their applications including, but not limited to, Evernote, Skitch, Penultimate, and Evernote Food. As significant back-end work was required to implement this system, Evernote will gladly be accepting feedback from Premium Users first.

This system will be rolling out to premium users first, then eventually to standard users across the board. As Evernote says Premium members are “the most engaged”, it only made sense to begin the rollout with them. Stay tuned as the full system hits apps in the near future.

SOURCE: Evernote

Evernote two-step verification has the brand join the security squad is written by Chris Burns & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Your smartphone has advanced security, why shouldn’t your front door? Startup August is aiming to change that, with its Smart Lock security system replacing your traditional deadbolt with one that can be controlled from your smartphone, including allowing temporary or permanent guest access for visitors, dog walkers, or babysitters.

The Smart Lock uses Bluetooth LE (low energy) to connect with a nearby smartphone, with “virtual keys” that can be kept to the homeowner, or shared out with others. Each of those share invitations can be optionally time-limited, so that visitors only get access when the homeowner wants them to.

August – a collaboration between Yves Behar (who also designed the OUYA) and Jason Johnson – is said to work with 90-percent of home lock systems in the US, and take a couple of minutes with some screwdriver handiwork to fit. There’s no WiFi connection or external power needed, so even if the electricity goes out the door is still secure. A standard key means that, even if the batteries are flat, you can still get in.

The Smart Lock will automatically ping out a message to you whenever a guest enters and exits, and entry permission can be removed at any time. The control on the inside – which rotates to lock and unlock manually – has a built-in LED indicator to show lock and permissions status, and also makes different noises depending on whether it’s locking or unlocking.

As for the app, that can be used to send out invitations individually or to a group, and a guestbook can be used to leave notes for visitors or for them to add messages back.

It’s all part of a growing effort to make home security more technologically advanced, at the same time bringing the functionality down from what have historically been high price points. August isn’t the only company doing smart locking systems; AT&T, for instance, rolled out a 15-market trial of its Digital Life service last month, which includes lock control as well as CCTV and water leak monitoring.

August expects the Smart Lock to begin shipping later in 2013. It’s up for preorder now, priced at $199; there are no ongoing fees for the “core functionality” August says.

VIA Gizmodo Australia

August Smart Lock wants to make your front door intelligent is written by Chris Davies & originally posted on SlashGear.
© 2005 – 2012, SlashGear. All right reserved.

Many of the Pentagon’s most advanced weapon systems — including the F-35 Joint Strike Fighter and PAC-3 Patriot missile system — were compromised by Chinese hackers, according to a classified document obtained by the Washington Post. The list of weapons was part of an earlier DoD report condemning Chinese cyber-espionage activities, but had been confidential until now. Other systems hacked are said to include the Terminal High Altitude Area Defense (THAAD), the Navy’s Aegis ballistic-missile defense system, the F/A-18 fighter, V-22 Osprey and the Littoral Combat Ship used for shore patrol. Many of these form the foundation of defense systems from Europe to the Persian Gulf — and their breach goes a long way toward explaining Washington’s unprecedented dressing-down of China.

Filed under: Misc

Comments

Via: The Verge

Source: Washington Post