
Filed under: Security

Filed under: Security, iPhone, Jailbreak/pwnage

Protect yourself from SSH-based iPhone worms

The internet has been ablaze with reports of jailbroken iPhones being infested with worms. The exploit takes advantage of unwitting jailbreakers who install OpenSSH on their iPhones via Cydia without taking into account all of the impacts on security. The most notable, and now famous, hole is that every iPhone ships with the same default password for both the all-powerful "root" user and the more restricted "mobile" user.

Not surprisingly, Apple has officially commented on the situation, noting that "the worm affects only a very specific set of iPhone users who have jail broken [sic] their iPhones and hacked it with unauthorized software." Apple's feelings about the jailbreak community and its effects on the iPhone and iPod touch are pretty clear from that statement.

Luckily, if you need to have OpenSSH installed on your iPhone (who doesn't want a remotely-accessible, full UNIX terminal in their pocket?), there is a pretty simple solution to this problem that will prevent this breed of infestation from ever reaching your iPhone.
  1. Remember, this only affects jailbroken iPhone owners who have installed OpenSSH...
  2. Begin by installing MobileTerminal via Cydia (alternately, you can login via SSH from Terminal.app or a Cygwin-equipped Windows PC).
  3. Type "login"; you will be asked for a login name, which should be "root", and then a password, which should be "alpine".
  4. Type "passwd" and tap return; you will be asked to type the new password. Tap return and type the new password again.
Repeat this same process for the "mobile" user by replacing "root" with "mobile" in step 3. Also, when using passwd to change the password for "mobile", you may be asked for the old password, which would be "alpine". It is not necessary to use a different password for "root" and "mobile", but if you're highly security conscious, it wouldn't hurt. The second half of this post includes a screen image of my exact process working successfully on OS 3.1.2 with an iPhone 3GS.

In addition to changing the user passwords for your iPhone, another good security measure is to use one of the jailbreak apps like BossPrefs or SBSettings to have a toggle that will disable SSH when not in use. Obviously, having SSH disabled (or not installed) is the best defense against worms of this sort. Got any other iPhone security tips? Let us know in the comments!


Filed under: Hardware, Security, iPhone, Jailbreak/pwnage

New jailbroken iPhone worm is malicious

Last month a Dutch iPhone user demonstrated how careless jailbreaking can cause trouble. Namely, after finding users who enabled SSH with the phone's default password intact, he sent those phones a message that read, "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files." A similar worm caused phones to rickroll their owners.

They could have done worse. This week, someone has. Again from the Netherlands and again finding jailbroken iPhones with SSH enabled, F-Secure reports that this infection puts up an ING Direct login page that lets the hacker gather login credentials and, we assume, move funds to wherever they please. This version also changes the 'alpine' password to block users from getting to the phone via SSH.

We'll have more on this as the story develops, but the moral is this: If you jailbreak your iPhone, you should know what you're doing -- and you should change your SSH password.

[via Engadget & ZDnet Asia]

Filed under: Security, iPhone, App Review

Cisco adds Security Intelligence Ops to iPhone portfolio

Despite some security-conscious enterprise experts pointing accusatory fingers at the rather bleak encryption story and only-recently fixed ActiveSync policy compliance on the iPhone platform, there's no doubt that IT and network professionals are grooving on the iPhone -- there are many apps designed for administrators to take control of their operations with a touch of a finger, and now Cisco has stepped in with an informational and alert resource that fits in your pocket.

The Cisco SIO (Security Intelligence Operations) to Go free app [iTunes link], requiring iPhone OS 3.0 or later, lets the paranoid (properly alert and aware) security professional keep tabs on the global threat landscape with Cisco's Cyber Risk Reports, Threat Outbreaks and Mitigation Bulletins, along with podcasts, blog posts and a slew of other branded content. There's also an IronPort-driven IP and email domain scanner, which will grab WHOIS data along with a brief reputation score for your hosts.

Having all this Cisco goodness in one place is handy, although the majority of the app's headlines link to pages on the Cisco site that remain largely iPhone-unfriendly -- even the press release announcing the app's launch is hard to zoom properly -- and there's none of the flexibility of a full-featured RSS reader to forward articles, bookmark or set read/unread points.

Still, as a gesture of goodwill towards the intersection of iPhone users and security professionals, it's a reasonable step. Cisco also has the WebEx Meetings app [iTunes link] and the Cisco Mobile telephony tool [iTunes link] in the store, both free.

[via TechCrunch]

Filed under: Security, iPhone, Jailbreak/pwnage

Worm rickrolls unsecured jailbroken iPhones via SSH

For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker, going by the name "ikee," created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack. The iPhone OS, in general, is also immune to this hack. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable with a package from Cydia that allows you to connect to your phone and make changes to the filesystem. It does this by logging into the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to the password of your choosing. This hack can only affect people who chose not to change that password -- no one else.

This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:
...The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again.

Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH was left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using terminal:

Type: ssh root@(iPhone IP address)
When prompted for the password, type: alpine
Now you're connected to the phone...
Type: passwd
It should then prompt you for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.
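The two procedures above (the MobileTerminal walkthrough and the ssh-then-passwd version) both come down to the same thing: change the shipped password for every account that can log in. The script below is an added example, not code from the TUAW posts or from any of the jailbreak tools mentioned; it is meant to be run as root from MobileTerminal or an SSH session. It assumes the device has a passwd-format account file and a working passwd command, and it refuses any replacement that is still "alpine" (the default the worms log in with) or too short. The account-file path and the sample account data are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original posts): change the default SSH
# password on a jailbroken iPhone for every login-capable account.
# Assumptions: "root" and "mobile" ship with the password "alpine" (as the
# posts state); the account file path below is assumed, not verified.

DEFAULT_PASSWORD="alpine"      # the shipped default the worms use
MIN_LENGTH=8                   # shortest replacement we accept
ACCOUNT_FILE="/etc/passwd"     # assumed location of the account file

# password_is_acceptable NEWPW
# Returns 0 when NEWPW is acceptable; 1 when it is the shipped default
# (any case, with or without digits tacked on) or shorter than MIN_LENGTH.
password_is_acceptable() {
    pw="$1"
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    case "$lower" in
        "$DEFAULT_PASSWORD"|"$DEFAULT_PASSWORD"[0-9]*) return 1 ;;
    esac
    [ "${#pw}" -ge "$MIN_LENGTH" ] || return 1
    return 0
}

# accounts_needing_new_password  (reads passwd-format lines on stdin)
# Prints each account whose shell is real (not /usr/bin/false), i.e. each
# account a worm could log into and whose password must be changed.
accounts_needing_new_password() {
    awk -F: '$7 != "" && $7 != "/usr/bin/false" { print $1 }'
}

# Constructed sample of a jailbroken device's account file: only root and
# mobile have a real shell, so only those two need a new password.
SAMPLE_PASSWD="root:*:0:0:System Administrator:/var/root:/bin/sh
mobile:*:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false"

# change_default_passwords
# For each login-capable account: ask for a candidate password, reject it if
# it is still the default or too short, then hand off to passwd (which asks
# for the password itself; enter the same value). Run as root so passwd does
# not also ask for the old "alpine" password.
change_default_passwords() {
    for user in $(accounts_needing_new_password < "$ACCOUNT_FILE"); do
        printf 'New password for %s (not "%s", at least %s characters): ' \
            "$user" "$DEFAULT_PASSWORD" "$MIN_LENGTH"
        stty -echo; read -r candidate; stty echo; printf '\n'
        if ! password_is_acceptable "$candidate"; then
            printf 'Rejected: still the default or too short. Skipping %s.\n' "$user"
            continue
        fi
        passwd "$user"
    done
}

# Only act when invoked with --run, so sourcing the file for its functions
# has no side effects.
if [ "${1:-}" = "--run" ]; then
    change_default_passwords
fi
```

Running it as `sh harden-ssh.sh --run` walks root and then mobile; after that, disable SSH with the BossPrefs or SBSettings toggle when you are not using it, as the first post recommends.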

That's it. Please remember to be responsibly secure with your devices. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.

Thanks, James!

Filed under: Cool tools, Security, Snow Leopard

1Password 3 Beta brings a sweet new interface and Snow Leopard support

Most of us have really crappy, insecure passwords. Sure, we tack a couple of numbers or punctuation characters at the end of our cat's name, but that's a far cry from secure -- especially since we also have the equally nasty habit of using the same password on every single site/service/machine/device with which we have regular contact. We're not just asking for trouble, we're offering it a delectable stolen identity sandwich.

As most of us Mac folks know, a solution exists and it's called 1Password. If you've owned your Mac for more than an hour or so, chances are pretty good that you've been admonished to acquire this lovely app (maybe even by more than one person). Several of us at TUAW are big fans of 1Password, and today our pointy party hats are standing taller than ever thanks to the opening of the public beta for 1Password 3.

This new version brings with it a massive list of changes, improvements and new features -- a couple of which have helped me to realize the dream of being able to utilize 1Password data on OSes other than OS X. You see, like many other Mac enthusiasts, I use Windows at work. Obviously, this precludes me from fully embracing Mac-only software like 1Password, but thanks to a brand new feature called 1Password Anywhere, my pain is dulled.

1Password Anywhere allows you to take your 1Password data and open it using any modern web browser. I've tested this with Chrome, Firefox and IE under Windows XP and they all work wonderfully. Your data is still absolutely secure and stored behind the same master password that protects the data in 1Password proper. They didn't spare any detail, either -- 1Password Anywhere looks and feels remarkably similar to the native OS X application. The data is read-only in your browser, but being able to easily copy the strong passwords and paste them is worth the admission price. The truly enlightened will see the application of a service like Dropbox here -- just move your keychain file into your Dropbox and your passwords are now with you wherever you go.


Filed under: Odds and ends, Security, MobileMe

Add Apple's free Backup.app to your backup toolbox

When most people think about Apple and backups they probably think about Time Machine or perhaps even Time Capsule. But Apple has a lesser-known application which you might consider using.

The app, simply named Backup, was originally available only to .Mac users, but is now openly available on Apple's website. It lists "MobileMe account" as one of its requirements. If you do not have a MobileMe account, each backup is limited to 100 MB. The good news is that for what I am suggesting, 100 MB will be completely sufficient for most people. Follow along as I use Backup to create a complete and scheduled backup of personal data and settings on my Mac.

First, install and launch the application. Choose Plan > New Plan from the menu.

If you have a MobileMe account, choose the "Personal Data & Settings" option (second from the top), click the "Choose Plan" button, and then skip the next paragraph.


Filed under: Bad Apple, Security, .Mac, MobileMe

MobileMe mixup: Address book snafu exposes personal data to strangers?

Face it: your address book and your contacts, they're personal. They reveal a lot about you: your friends, your business partners, your cake buying proclivities, and more. The address book you see at the top of this post appears to be for someone in the Denver area. I know that because of the REI Denver listing and Le Bakery Sensual on 6th, which I drive by whenever I head East from Broadway.

These contacts, along with their notes, their phone numbers, dates of birth, and other information say a lot about the person whose address book this is, and also about the people who appear in that contact list, with all their personal and professional info.

There's one big problem. The screen shot you see wasn't made by the person who owns this me.com account. Under certain very specific conditions, Apple is inadvertently sharing data from other people's accounts. Ouch.

A TUAW reader sent us a video made as he renewed his me.com account from the UK. The address book data he accessed during that time included this Denver-based set shown here, as well as data from an Ireland-based user of Polish descent (all his contacts were back in Poland although his business was based in Ireland).

This all went down during the period when his MobileMe account was renewing. Each time he logged off and back on, he was presented with yet another set of contacts--none of them his. He writes, "Each time I logged off and on I got a different address book. All the other options were disabled (because my renewal was being processed) but clicking the Contacts icon showed me *an* address book," just not his address book.

With a little Internet-fu, he checked out some of the numbers and found that they were valid and operational. This leads him to believe that this is real data. My inspection of the local Denver data from his screen shots convinces me of the same. Further inspection of work addresses and personal family names makes us believe we know whose Denver-based address book this is. We've attempted to contact this person but as yet have not heard back.

The address book glitch ended once the registration process finished, leaving our TUAW reader with a series of screen shots and videos and a deep concern about Apple's ability to safeguard personal data. He's already contacted Apple about the bug. "I contacted them by two means: their web-chat thing where they told me that they 'had no reports of such an issue'. They suggested closing and reopening Safari (helpful eh?) and a generic autoresponse saying they'd reply within 5 days when I sent an email." He adds, "I don't think the people manning the help desk appreciated the seriousness of the situation."

TUAW has sent a heads-up to Apple and will keep monitoring the situation to see how it develops.

Filed under: Software Update, Security

Apple fixes security issues with Security Update 2009-005 for Leopard and Tiger

Appearing alongside the Mac OS X 10.6.1 update, Apple released another update today: Security Update 2009-004 is out for users of Leopard and Tiger. This update patches several vulnerabilities, including the security issue with Flash that was also part of Mac OS 10.6.1.

It's available now through Software Update and is applicable for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Filed under: OS, Bugs/Recalls, Bad Apple, Security, Found Footage, Snow Leopard

Snow Leopard: Apple ships old, security-compromised Flash plugin with new OS


It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.

Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.

It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.

[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]

Thanks to everyone who sent this in.

Filed under: Security, Snow Leopard

Malware detection coming in Snow Leopard?

We usually look at news updates and blog posts from antivirus vendor Intego with a bit of a gimlet eye, since the company has been known to spread a little bit of that good old FUD when it comes to the everyday risk of malware faced by most Mac users (that is to say, pretty much none). Today, however, the Intego blog pointed out an unheralded feature of the forthcoming Mac OS X 10.6 Snow Leopard update: some basic malware checking built into the operating system, reported by users of the beta version.

As the post notes (and sites such as The Register and ZDnet corroborate), when a problematic DMG is downloaded or mounted -- containing one of two known malware components -- the Finder throws the alert pictured above, warning the user not to install the software in question and to throw away the disk image. While this is a nice touch for the two security risks in question, The Register notes that the filter appears to only catch files downloaded through some of the more common apps (Mail.app, Entourage, Safari, Firefox and iChat among them) but not files copied over from removable media. It doesn't cover the wider gamut of threats out there, nor would it detect or block Windows malware that a Mac user could unwittingly transmit; for all of those scenarios, a true AV app (paid or free) is what the doctor ordered.

You can keep up with all the latest Snow Leopard news via our category page.

Filed under: Software Update, Security

Apple releases Security Update 2009-004

Amidst the Safari and AirPort updates yesterday, Apple has released yet another update today, Security Update 2009-004. This update patches a single vulnerability affecting the BIND DNS server. It's available now through Software Update or Apple's support downloads page, and is available to download for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Filed under: Hacks, Bugs/Recalls, Software Update, Security, iPhone

Did we say Saturday? iPhone OS 3.0.1 out now to block SMS exploit



Maybe it's already Saturday in the UK, or close to it: Apple has released iPhone OS 3.0.1 for iPhone, iPhone 3G & 3GS, an update that patches the phone to prevent bad actors from taking it over or taking it down with the just-demoed SMS exploit.
The update weighs in at about 230 MB (originally reported as close to 300 MB; like all iPhone updates, it's a full image of the OS), and as far as we can tell there are no other fixes or tweaks; just the privilege of continuing to use your iPhone in peace and security.

Update with care, and let us know in the comments how the update works for you!

14:30 ET: Apple's security mailing list just delivered the notes for 3.0.1; they are reproduced in the 2nd half of this post. It is also worth noting that the SMS exploit is not endemic to the iPhone alone; both Android and Windows Mobile platforms can be attacked with similar techniques, although Google tells BW that the issue on Android phones is now fixed (presumably through carrier action on T-Mobile's side, not confirmed though).


Filed under: Apple, Security, iPhone

O2: SMS security flaw on iPhone to be patched Saturday

Yesterday's news from the Black Hat Technical Security Conference in Las Vegas about the SMS security flaw affecting iPhone, Android, and Windows Mobile smartphones was a bit unnerving. Through skillful manipulation of SMS messages, an attacker could gain control of a smartphone.

BBC News reports that UK mobile provider O2 has received word from Apple about a patch for the security flaw on the iPhone. The patch, in the form of a software update, will be available Saturday, August 1, 2009. As with all updates to the iPhone, the security patch will appear in iTunes.

Considering the potential for mischief on the part of hackers, it is entirely possible that AT&T, O2, and other carriers will notify their customers of the availability of the update. Whether or not that message will come through SMS remains to be seen.

Be sure to keep an eye on TUAW or our Twitter feed (http://twitter.com/tuaw) tomorrow and we'll notify you as soon as the patch makes an appearance.

UPDATE: iPhone OS 3.0.1 is now available for download from iTunes. 297.9MB in size.

Filed under: Security, iPhone

Security researchers to unveil iPhone SMS vulnerability later today

Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. This exploit is caused by corruption in the iPhone's memory handling and is executed by sending a burst of text messages using an uncommon text character or by sending a hidden message.

So far, Apple has been rumored to have a fix in the works, but there's been no confirmation yet when it will be available. The researchers also say that there's nothing you can do to protect your iPhone from this vulnerability, other than to turn off the phone. More details on this issue will be discussed later today at Black Hat, hopefully outlining a path to fix this issue.

Meanwhile, the two developers have already demonstrated this flaw in action to CNET's Elinor Mills, proving its existence and the extent of the threat.

We'll be providing more coverage on this issue once it's unveiled, so stay tuned to TUAW.

Filed under: Apple, Security

Apple Learning Interchange: Security Compromise

Apple is apparently alerting ALI forum members that Learning Interchange account passwords have been compromised. In a message forwarded to us by several TUAW readers, Apple warns that members who commonly use the same credentials on multiple sites may be at risk. If you are an ALI account user, please consider updating any accounts that use identical credentials. Here is the Apple quote that was sent to us.
We recently learned that the security of Apple Learning Interchange (ALI) members' names and passwords may have been compromised. These accounts are limited to accessing the ALI discussion board and do not contain sensitive information such as credit card or social security numbers.

While ALI member names and passwords are not linked to your Apple ID, our records indicate that your ALI member name and Apple ID are the same. For this reason we strongly recommend that you change your Apple ID password as well as any others that might have the same name and password combination.

At the time of posting, the ALI site (also linked to in the Source link) is unavailable. We do not have confirmation from Apple about this situation, although we have contacted them for a statement.
