C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Mac Developer: Security researchers build on PC vulnerabilities to create first firmware-based Mac worm
Security researchers build on PC vulnerabilities to create first firmware-based Mac worm: "Firmware attacks are possible because many computer manufacturers put few safeguards in place to prevent malicious updates or changes, leaving many computers vulnerable. According to Wired, Apple could have put protections in place to prevent at least one type of attack discovered by the research group, but apparently elected not to."
More O Daeng!
Labels: security, security fix
Mac Developer: The iOS 8.4 jailbreak app is now available on Mac
Mac Developer: 'Stagefright' Android Text Message Vulnerability May Affect 950M Devices | MacTrast
'Stagefright' Android Text Message Vulnerability May Affect 950M Devices | MacTrast: "A newly discovered security flaw in the Android mobile operating system has been dubbed one of the worst vulnerabilities to date. ‘Stagefright’ could affect around 950 million Android devices."
This is a real goshwhacker.
Labels: android vs. ios
Mac Developer: Hackers combine coded photos and Twitter to hit targets - BBC News
Hackers combine coded photos and Twitter to hit targets - BBC News: "On several occasions, the commands, encrypted by using a technique called steganography, have instructed Hammertoss to upload information from a victim's network to accounts on cloud storage services."
Quite a dance.
Labels: security flaw
Mac Developer: Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED
Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED: "The Jeep’s strange behavior wasn’t entirely unexpected. I’d come to St. Louis to be Miller and Valasek’s digital crash-test dummy, a willing subject on whom they could test the car-hacking research they’d been doing over the past year."
I'd say this falls into the category of "must read"
Labels: security flaw, security policy, security research
Mac Developer: It's time to uninstall Adobe's Flash from your Mac - here's how
It's time to uninstall Adobe's Flash from your Mac - here's how: "Adobe has patched more than twenty Flash vulnerabilities in the last week — some of them days after active exploits were discovered in the wild — and issued over a dozen Flash Player security advisories since the beginning of this year."
This was my basic thought in 2001. Back then it was more about open standards and accessibility.
Labels: security flaw
Mac Developer: The unbelievable true story of Farty Troll’s struggle to release | Cult of Mac
The unbelievable true story of Farty Troll’s struggle to release | Cult of Mac: "Scott Kurtz, artist and writer of popular webcomic PvP, and his business partner Cory Casoni decided to find out with Farty Troll, a Flappy Bird clone about propelling a flatulent, blue giant named Skull through a maze of coffee cups using nothing but his own wind. Apple repeatedly rejected the app, but after a bit of straining and a lot of effort, it has finally come out."
The curious case of Farty Troll.
Labels: android vs. ios
Mac Developer: Hacking Team, the company that sells snooping software to governments, gets hacked | VentureBeat | Security | by Paul Sawers
Hacking Team, the company that sells snooping software to governments, gets hacked | VentureBeat | Security | by Paul Sawers: "Based out of Milan, Italy, Hacking Team has been known for a while, but it hit the headlines last year after security experts revealed the extent to which its software gives law enforcement and intelligence agencies remote access to mobile operating systems. It lets them access texts, phone calls, location data, and other forms of digital communications."
I guess, "Physician, heal thyself!"
Labels: security leak
Mac Developer: This might be our first look at BlackBerry’s Android smartphone (Update) | 9to5Google
This might be our first look at BlackBerry’s Android smartphone (Update) | 9to5Google: "Evan Blass just can’t stop. Earlier today he came out on Twitter to say that BlackBerry’s Android-powered ‘Venice’ smartphone is on its way to AT&T, and now he has shared an image of what looks to be some kind of BlackBerry device running Google’s mobile operating system."
A novel approach might be to run Android as a subsystem under QNX, and keep the highly secure BlackBerry mail running in the better (i.e. QNX) OS.
Labels: blackberry android
Mac Developer: Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks | Ars Technica
Stepson of Stuxnet stalked Kaspersky for months, tapped Iran nuke talks | Ars Technica: "in 2011 Duqu 1.0 attackers compromised computers at NetLock, a Hungarian certificate authority. That hack allowed them to sign their wares with digital stamps trusted by Windows machines."
Fascinating tale. Or "How I learned to stop worrying and love the Nation-state sponsored cyberwars."
Labels: secure coding mac, security, security flaw
Mac Developer: NSA, GCHQ hacked Kaspersky, other cybersecurity companies – Snowden docs - YouTube
NSA, GCHQ hacked Kaspersky, other cybersecurity companies – Snowden docs - YouTube: "Published on Jun 23, 2015
US and British spy agencies worked to reverse-engineer antivirus software in order to 'exploit such software and to prevent detection of our activities.' Russian security firm Kaspersky Lab was particularly targeted."
Saw this on RT. Nothing in the Western press about it, which I think is very interesting.
Labels: security flaw, security policy
Mac Developer: Some T-Mobile iPhone users suffering from random restarts, 'blue screen of death' | iMore
Some T-Mobile iPhone users suffering from random restarts, 'blue screen of death' | iMore: "If you're encountering random reboots on your T-Mobile iPhone, you're not the only one. Several users on social media are reporting that iPhones on the Uncarrier are flashing blue for a second, and randomly rebooting every 20 to 30 minutes."
Is this why there are no more Mac vs. PC ads? Let us use the billions to crush PCs once and for all! Mac! Mac! Mac!
Labels: windows vs. ios vs android
Mac Developer: XARA, deconstructed: An in-depth look at OS X and iOS cross-app resource attacks | iMore
XARA, deconstructed: An in-depth look at OS X and iOS cross-app resource attacks | iMore: "This week, security researchers from Indiana University released details of four security vulnerabilities they discovered in Mac OS X and iOS. The researchers detailed their discoveries of what they call 'cross-app resource attacks' (referred to as XARA) in a whitepaper released Wednesday. Unfortunately, there has been a lot of confusion surrounding their research."
A little more about XARA which I think is quite serious on OSX.
Labels: security flaw
Mac Developer: Popcorn Time for iOS passes 1 million downloads on non-jailbroken devices | VentureBeat | Media | by Emil Protalinski
Popcorn Time for iOS passes 1 million downloads on non-jailbroken devices | VentureBeat | Media | by Emil Protalinski: "Because sideloading apps onto iOS was not achievable without jailbreaking your device, until now, the Popcorn Time group is ecstatic at having reached this milestone. It shows that iOS users are not just very interested in a Popcorn Time app for iOS, but they are eager to try an alternative to jailbreaking in order to get apps that Apple doesn’t approve of."
Don't fret. This is probably a good thing at this point in the evolution of the OS.
Labels: security policy
Mac Developer: Developer hacks Apple Watch to run native UIKit apps on watchOS 1.0 | 9to5Mac
Developer hacks Apple Watch to run native UIKit apps on watchOS 1.0 | 9to5Mac: "Well-known developer Steve Troughton-Smith, who previously was able to get real UIKit-backed apps running on Apple Watch with watchOS 2.0, now says that he has gotten native UIKit apps running on watchOS 1.0. Smith shared a video showing off the feat, which can be seen via the embed below."
Mac Developer: Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords | 9to5Mac
Major zero-day security flaws in iOS & OS X allow theft of both Keychain and app passwords | 9to5Mac: "Researchers from Indiana University and the Georgia Institute of Technology said that security holes in both iOS and OS X allow a malicious app to steal passwords from Apple’s Keychain, as well as both Apple and third-party apps. The claims appear to have been confirmed by Apple, Google and others."
Labels: quarantine, sandbox, sandbox policy language, security flaw
Mac Developer: The US Navy wants to buy unpatched security flaws
The US Navy wants to buy unpatched security flaws: "It won't surprise you to hear that governments are eager to buy unpatched security exploits for the sake of cyberdefense or surveillance, but they're rarely overt about it. No one must have told that to the US Navy until this week, however. The Electronic Frontier Foundation caught the military branch soliciting for both zero-day exploits and recently discovered vulnerabilities (less than six months old) for relatively common software from the likes of Apple, Google and Microsoft."
I don't feel like I'm the target. Do you?
Labels: security policy
Mac Developer: Report: Hack of government employee records discovered by product demo | Ars Technica
Report: Hack of government employee records discovered by product demo | Ars Technica: "Those statements may not be entirely accurate. According to a Wall Street Journal report, the breach was indeed discovered in April. But according to sources who spoke to the WSJ's Damian Paletta and Siobhan Hughes, it was in fact discovered during a sales demonstration of a network forensics software package called CyFIR by its developer, CyTech Services."
Will the truth be known?
Mac Developer: Apple combines iOS and Mac developer programs into single Apple Developer Program | 9to5Mac
Apple combines iOS and Mac developer programs into single Apple Developer Program | 9to5Mac: "Apple has ended its separate iOS and Mac developer programs that required software makers to buy two different memberships in order to publish across the company’s various platforms and replaced them with a single combined Apple Developer Program."
Even when they were separate the membership was still cheaper than buying a codesign certificate for WinXP development from a 3rd party service provider. Or call me wrong.
The range is $200 to $500 with no assurances as to the security of the root CA. With Apple's root protecting billions in IP, I feel pretty confident the trust chain is banzai!
Mac Developer: Edward Snowden hails Apple as 'pioneering' for iOS 8 security measures
Edward Snowden hails Apple as 'pioneering' for iOS 8 security measures: "'Basic technical safeguards such as encryption — once considered esoteric and unnecessary — are now enabled by default in the products of pioneering companies like Apple, ensuring that even if your phone is stolen, your private life remains private,' Snowden said."
Snowden gives thumbs up to iOS security.
Labels: android vs. ios, security policy
Mac Developer: New exploit leaves most Macs vulnerable to permanent backdooring | Ars Technica
New exploit leaves most Macs vulnerable to permanent backdooring | Ars Technica: "The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac's BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system."
Kind of disheartening, really.
Labels: security flaw
Mac Developer: Opinion: Google’s new Photos may just have won my library away from Apple | 9to5Mac
Opinion: Google’s new Photos may just have won my library away from Apple | 9to5Mac
My relationship with Apple’s hardware is simple: I’m happily locked in, and not changing platforms any time soon. But my relationship with Apple’s software is complex: I want to love it, but every time Apple decides to “throw everything away” and “start over” with an app, it’s disruptive — and for many users, unnecessary.
When you treat software like furniture or jewelry. Imagine getting up in the morning to go to work and having to learn how to drive a car all over again. I've got other things to do. It's not just Apple. Google just messed up their contacts webapp. It was my favorite and now I can't stand it. Unfortunately, because it's tightly integrated with gmail and hangouts and voice, I'm more or less forced to use it.
Once again, it's like the web programmers are in charge of everything. Which is why dropbox doesn't work from a CoreDuo MacBook running 10.6.8 and Chrome.
I think Steve Jobs famously said he hoped the internet would never lose its "dial tone" HTML functionality. If you ask me, the dial tone is gone silent.
Labels: blind leading the blind
Mac Developer: Security Bug in Safari Browsers Puts OS X and iOS Users at Risk | The Mac Security Blog
Security Bug in Safari Browsers Puts OS X and iOS Users at Risk | The Mac Security Blog
Security researchers have discovered a serious Safari address-spoofing bug that can deceive users about the sites they're visiting. The exploit works on fully patched versions of OS X and iOS, and could be used by cyber-criminals in phishing or malware attacks.
Once again, Safari is providing the holes while reams of third party developers are trying to shoehorn their code into increasingly restrictive runtime requirements. I like the security features of OSX, I just think that the attack vectors are not small 3rd party apps in the Mac App Store.
Labels: security flaw
Mac Developer: Bug in iOS Unicode handling crashes iPhones with a simple text
Bug in iOS Unicode handling crashes iPhones with a simple text
A peculiar iOS bug apparently allows pranksters to crash a victim's iPhone by sending a text message from their own iPhone containing what appears to be a single line of seemingly innocuous Arabic script.
A little troubling to be sure.
Labels: secure coding mac, security flaw
Mac Developer: Security features in Mac OS X Yosemite | Kaspersky Lab Official Blog
Security features in Mac OS X Yosemite | Kaspersky Lab Official Blog
It doesn’t, however, mean that it is an “absolutely” protected operating system – unfortunately, there are no such systems. Moreover, the number of threats targeting OS X, specifically, is growing as is the number of Mac users. This certainly has drawn the attention of criminals, who are looking into vulnerabilities and occasionally finding them.
Some attention directed here. Not nearly as much as directed elsewhere, thank goodness.
Labels: mac, mac security, malware
Mac Developer: Chrome for Android goes almost “entirely open source” | 9to5Google
Chrome for Android goes almost “entirely open source” | 9to5Google
Launched in September 2008, Google’s Chrome browser is now dominant in its share of the desktop web browser market, with approximately 1 in 4 Internet users interfacing with the web using the browser.
This is now the only secure, modern browser that runs under Snow Leopard. Which indicates security policy. I wish they would port Chrome to XP SP2. I'm sure that's still 500 million desktops, if there were 2 billion to begin with.
Mac Developer: Apple attends 'spy summit' to discuss data privacy, mass surveillance issues
Apple attends 'spy summit' to discuss data privacy, mass surveillance issues
According to The Intercept, which obtained a copy of the event program, the summit was chaired by former British MI6 Sir John Scarlett as part of an ongoing series of conferences put on by the Ditchley Foundation. Said to discuss "complex issues of international concern," these highly confidential meetings are held at the foundation's mansion in Oxfordshire.
As long as they've got someone with the title "Sir" leading the discussion, I'm sure everything will be grand.
Labels: security policy