Tighten Pro C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation
Mac Developer: In a first, US military plans to drop “cyberbombs” on ISIS, NYT says | Ars Technica
In a first, US military plans to drop “cyberbombs” on ISIS, NYT says | Ars Technica: "Opening a new front in its campaign to defeat Islamic State terrorists, the US military has for the first time directed its Cyber Command to mount hacking attacks against ISIS computers and networks, The New York Times reported Sunday." This may lead to a sadly unexpected escalation that affects many ordinary people.
Labels: security policy
Mac Developer: Blame the victim: Report shows fifth of breaches caused by “miscellaneous errors” | Ars Technica
Blame the victim: Report shows fifth of breaches caused by “miscellaneous errors” | Ars Technica: "In cases where malware or hacking was used to get in the door, 'zero day' vulnerabilities played a microscopic role. The vast majority of breaches involving exploiting bugs in software went after known vulnerabilities—and just 10 vulnerabilities accounted for 85 percent of exploit attacks (though the list of top vulnerabilities has been called into question by some observers)." Social hacking has always been dominant. Probably, if someone was good enough to gain access to your systems through a zero-day exploit, you wouldn't know about it, unless they were using a purchased toolkit written by someone else.
Labels: social hacking, zero day exploit
Mac Developer: 7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat | Ars Technica
7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat | Ars Technica: "E-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past." Have you been owned? Yes, in fact, you have. Labels: social hacking
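The security-relevant point in the title is "unsalted MD5". The following added example (not from the article or from Lifeboat; the accounts are constructed sample data) shows what such a store gives away when it leaks and contrasts it with a salted, iterated PBKDF2 scheme stored in a self-describing format so the work factor can be raised later. The iteration count is an assumption, not a value from the page.

```python
"""Added example (not from the article or Lifeboat): what an unsalted MD5
password store gives away, beside the salted, iterated scheme a defender
should store instead. Accounts below are constructed sample data.
"""
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample user base; two users chose the same password.
SAMPLE_ACCOUNTS = {
    "alice@example.com": "password",
    "bob@example.com": "password",
    "carol@example.com": "correct horse battery staple",
}


def unsalted_md5(password: str) -> str:
    """The leaked scheme: one deterministic digest per password, no salt, one fast round."""
    return hashlib.md5(password.encode()).hexdigest()


def duplicate_hash_groups(store):
    """Audit helper: users whose stored hashes are identical.

    With an unsalted scheme, identical digests mean identical passwords, so a leak
    of the table exposes shared passwords directly and one precomputed digest
    table covers every user of a common password at once.
    """
    by_hash = defaultdict(list)
    for user, digest in store.items():
        by_hash[digest].append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Assumption: a PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Salted, iterated hash in the self-describing form
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>, so the parameters can
    be raised later without breaking verification of older records."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_stores(accounts=SAMPLE_ACCOUNTS, iterations=DEFAULT_ITERATIONS):
    """Return (unsalted MD5 store, salted PBKDF2 store) for the same accounts."""
    unsalted = {user: unsalted_md5(pw) for user, pw in accounts.items()}
    salted = {user: hash_password(pw, iterations=iterations) for user, pw in accounts.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_stores(iterations=10_000)
    print("unsalted duplicates:", duplicate_hash_groups(unsalted))   # alice and bob collide
    print("salted duplicates:  ", duplicate_hash_groups(salted))     # none: salts differ
    print(verify_password("password", salted["alice@example.com"]))  # True
```

Running `duplicate_hash_groups` over an existing unsalted table is a cheap audit: every group it returns is a set of users sharing a password, visible without cracking anything. The salted store has no such groups, and each guess against it costs the full iteration count per user rather than one MD5 shared across the whole table.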
Mac Developer: Boffins believe buggy Binder embiggens Android attack surface • The Register
Boffins believe buggy Binder embiggens Android attack surface • The Register: "The paper notes that “private APIs” in Android – APIs that aren't documented for third-party developers – are a security problem. Since they're unknown, they don't get checked or tested.
Another architectural issue the paper cites is that de-serialisation is “assumed to be always undisturbed”, another assumption that depends on the validity of the client-side transaction."
Reminiscent of the XPC exploit that could be used to root Apple devices. Security "features" Labels: android vs. ios
Mac Developer: Hacking group “PLATINUM” used Windows’ own patching system against it | Ars Technica
Hacking group “PLATINUM” used Windows’ own patching system against it | Ars Technica: "In 2006, Alex Sotirov gave a presentation at Black Hat that briefly described how Windows' hotpatching worked in the context of a description of how third parties had offered some quick patches for Windows flaws while waiting for Microsoft's official fixes. A more thorough description was given by Alex Ionescu at SyScan 2013. Ionescu's talk wasn't just about how hotpatching was implemented, but described ways that attackers could use it to modify running systems to inject malware without having to write the malware to disk or inject DLLs, both of which are visible to anti-malware software and humans alike." The joys of a monoculture. It's like a petri dish where microbes flourish.
Labels: security flaw, security policy
Mac Developer: Billion dollar Bangladesh hack: SWIFT software hacked, no firewalls, $10 switches | Ars Technica
Billion dollar Bangladesh hack: SWIFT software hacked, no firewalls, $10 switches | Ars Technica: "The Bangladesh central bank had no firewall and was using a second-hand $10 network when it was hacked earlier this year. Investigation by British defense contractor BAE Systems has also shown that the SWIFT software used to make payments was compromised, enabling the hackers to send money around the world without leaving any trace in Bangladesh." No commentary required. Labels: security fail, security flaw
Mac Developer: Exploit gets around Windows' app security safeguards
Exploit gets around Windows' app security safeguards: "Researcher Casey Smith has discovered a vulnerability in Windows that gets around this barrier. If you tell Regsvr32 to point to a remotely hosted file (such as a script), you can make a system run whichever app you want -- just what hackers and virus writers are looking for." I leak, you leak, we all leak together.
Labels: sandbox, security exploit, security fail
Mac Developer: EtherPEG
EtherPEG: "EtherPEG works by capturing unencrypted TCP packets off your local network, collecting packets into groups based on TCP connection (determined from source IP address, destination IP address, source TCP port and destination TCP port), reassembling those packets into order based on TCP sequence number, and then scanning the resulting data for byte sequences that suggest the presence of JPEG or GIF data." Some familiar characters and their mischief. Labels: social hacking
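The three steps the post describes (group by 4-tuple, order by sequence number, scan for image signatures) are the same flow reassembly and file carving that network monitoring tools perform, and they are the concrete reason anything sent over an unencrypted connection has to be treated as public. The following is an added example, not EtherPEG's own code: it runs the technique over packets constructed in memory (no live capture), including an out-of-order segment, a retransmission and a flow with no image. The IP addresses, ports and payloads are all made up for the demonstration.

```python
"""Image carving from reassembled TCP streams, in the style the post
describes. Added example: not EtherPEG's code. The packets below are
constructed in memory, so nothing is captured from a live network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Byte sequences that suggest the start of an image: JPEG's SOI marker
# followed by the next marker prefix, and the two GIF header versions.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"GIF87a": "GIF",
    b"GIF89a": "GIF",
}


@dataclass(frozen=True)
class Packet:
    """Stand-in for one captured TCP segment (constructed, not parsed from a pcap)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int          # TCP sequence number of the first payload byte
    payload: bytes


def group_by_connection(packets):
    """Group segments by (src IP, dst IP, src port, dst port): one direction of one connection."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src_ip, p.dst_ip, p.src_port, p.dst_port)].append(p)
    return flows


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads.

    Fully retransmitted segments are dropped and a partial overlap keeps only
    the new tail; a gap (lost segment) is simply skipped, which is good enough
    for a signature scan but would corrupt a real file extraction.
    """
    stream = bytearray()
    next_seq = None
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if next_seq is None or seg.seq >= next_seq:
            stream += seg.payload                        # in order, or after a gap
        elif end > next_seq:
            stream += seg.payload[next_seq - seg.seq:]   # partial overlap
        # else: every byte already seen (retransmission), drop it
        next_seq = end if next_seq is None else max(next_seq, end)
    return bytes(stream)


def find_images(stream):
    """Return sorted (offset, kind) pairs for every image signature in the stream."""
    hits = []
    for sig, kind in IMAGE_SIGNATURES.items():
        pos = stream.find(sig)
        while pos != -1:
            hits.append((pos, kind))
            pos = stream.find(sig, pos + 1)
    return sorted(hits)


def carve_images(packets):
    """EtherPEG-style pass: group, reassemble each flow, report flows carrying images."""
    results = {}
    for conn, segs in group_by_connection(packets).items():
        hits = find_images(reassemble(segs))
        if hits:
            results[conn] = hits
    return results


# Constructed capture: an HTTP response carrying a tiny JPEG, delivered out of
# order with one retransmitted segment, plus the request in the other direction.
HTTP_HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
JPEG_BODY = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
BODY_SEQ = 1000 + len(HTTP_HEAD)
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", 80, 51000, BODY_SEQ, JPEG_BODY[:6]),       # arrives before the header
    Packet("10.0.0.5", "10.0.0.9", 80, 51000, 1000, HTTP_HEAD),
    Packet("10.0.0.5", "10.0.0.9", 80, 51000, BODY_SEQ, JPEG_BODY[:6]),       # retransmission
    Packet("10.0.0.5", "10.0.0.9", 80, 51000, BODY_SEQ + 6, JPEG_BODY[6:]),
    Packet("10.0.0.9", "10.0.0.5", 51000, 80, 5000, b"GET /cat.jpg HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for conn, hits in carve_images(SAMPLE_PACKETS).items():
        print(conn, hits)
```

The output names only the server-to-client flow, with the JPEG signature found right after the HTTP headers; the request flow carries no image and is not reported. The mitigation the post implies is the obvious one: TLS on the wire leaves the reassembled stream as ciphertext, and the signature scan finds nothing.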
Mac Developer: Managing Subscriptions with In-App Purchase - WWDC 2012 - Videos - Apple Developer
Mac Developer: Facebook was the victim of a backdoor hack
Facebook was the victim of a backdoor hack: "Devcore's Orange Tsai recently discovered that someone had installed a backdoor on one of Facebook's corporate servers (that is, not the social network itself) in a bid to swipe workers' login details." And what are mere mortals to do?
Labels: security flaw
Mac Developer: Congress asks the NSA how often it spies on Americans
Congress asks the NSA how often it spies on Americans: "Thanks in part to leaks, it's no secret that the National Security Agency's foreign intelligence gathering also covers some Americans. But just how many Americans are under watch, and how many are simply innocents caught in the crossfire? Congress wants to find out. The House Judiciary Committee has sent a letter giving Director of National Intelligence James Clapper until May 6th to provide a 'rough estimate' of how many Americans are swept up in spying under the Foreign Intelligence Surveillance Act." Wild Bill Lawless, as sheriff of these parts, I give you just 27 years to get outta town.
Labels: security policy
Mac Developer: “Nuclear” exploit kit service cashes in on demand from cryptoransomware rings | Ars Technica
“Nuclear” exploit kit service cashes in on demand from cryptoransomware rings | Ars Technica: "Security researchers at Cisco Talos and Check Point have published reports detailing the inner workings of Nuclear, an 'exploit kit' Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating—and looks to be a major contributor to the current crypto-ransomware epidemic." Somehow, after I deleted it, Flash was on my machine again. Labels: security flaw
Mac Developer: Brazen no more, makers of account-draining bank trojan get 24 years | Ars Technica
Brazen no more, makers of account-draining bank trojan get 24 years | Ars Technica: "Also providing assistance were researchers from Microsoft’s Digital Crimes Unit, Flashpoint, PhishLabs, Dell SecureWorks, Damballa, and the Norwegian Security Research Team known as 'Underworld.no.' The arrests came as both men brazenly traveled through places subject to US law-enforcement extradition." Nice. Labels: security fix
Mac Developer: National Security Letters are now constitutional, judge rules | Ars Technica
National Security Letters are now constitutional, judge rules | Ars Technica: "The legal challenge Illston decided stemmed from a challenge brought by the Electronic Frontier Foundation, which was representing two service providers that challenged the NSLs on grounds that the gag requirement illegally limited their rights of speech." A fight with no winners, only losers.
Labels: security policy
Mac Developer: DRAM bitflipping exploits that hijack computers just got easier | Ars Technica
DRAM bitflipping exploits that hijack computers just got easier | Ars Technica: "New research into the 'Rowhammer' bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers."
Hard to imagine building defences against bugs in the actual hardware. Labels: security flaw
Mac Developer: Apple-backed coalition opposes Burr-Feinstein encryption bill in open letter
Apple-backed coalition opposes Burr-Feinstein encryption bill in open letter: "A group of four tech industry associations — representing businesses like Apple, Amazon, Microsoft and Google — have published an open letter opposing a draft bill by U.S. Senators Richard Burr and Dianne Feinstein, which would make it possible for courts to order help bypassing encryption." It may well be that we need an entire generation of legislators to die off before we get the laws that are informed by people who understand what is going on. Labels: security policy
Mac Developer: How hackers eavesdropped on a US Congressman using only his phone number | Ars Technica
How hackers eavesdropped on a US Congressman using only his phone number | Ars Technica: "A US Congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used." Just when you thought it was safe to go back in the pool.
Labels: security flaw
Mac Developer: How Hacking Team got hacked | Ars Technica
How Hacking Team got hacked | Ars Technica: "On Friday, the self-described black hat hacker who claimed responsibility for the Hacking Team dump last year, and who goes by the handle 'Phineas Phisher,' published the technical details of how he pulled off the caper—and encouraged others to follow his example." It's like one guy doing the actual work that the NSA was tasked with.
Labels: security policy, security research
Mac Developer: Apple confirms QuickTime for Windows at end of life
Apple confirms QuickTime for Windows at end of life: "Last week software security outfit Trend Micro disclosed the discovery of two new flaws in QuickTime 7 for Windows, saying Apple was informed of the security threats in November. At the time, Apple said it had no plans to issue a patch, adding the software 'would be deprecated on Windows and the vendor would publish removal instructions for users.'" iTunes is, of course, everything that QuickTime(tm) was, and aspired to be. Labels: security fix
Mac Developer: Flashback: Declassified 1970 DOD cybersecurity document still relevant | Ars Technica
Flashback: Declassified 1970 DOD cybersecurity document still relevant | Ars Technica: "The National Security Archives at George Washington University has just added a classic text of computer security to its 'Cyber Vault' project—the original version of what came to be known as the 'Ware Report,' a document published by the predecessor to the Defense Advanced Research Projects Agency in February 1970. And as much as technology has changed in the 46 years that have passed, the Ware Report would still hold up pretty well today with a few notable edits." We knew exactly what needed to be done but were still unable to do it, because it is possibly an unsolvable problem. Labels: security flaw
Mac Developer: House votes to undermine net neutrality rules, and ISPs cheer | Ars Technica
House votes to undermine net neutrality rules, and ISPs cheer | Ars Technica: "The 'No Rate Regulation of Broadband Internet Access Act' was ostensibly proposed to prevent the FCC from setting the rates charged by Internet providers. But the bill defines 'rate regulation' so broadly that FCC Chairman Tom Wheeler says it could prevent the commission from enforcing net neutrality rules against blocking and throttling." Soon, the USA will be the most technologically backward country in the world when it comes to connectivity. Google Fiber notwithstanding.
Labels: security policy
Mac Developer: Out-of-date apps put 3 million servers at risk of crypto ransomware infections | Ars Technica
Out-of-date apps put 3 million servers at risk of crypto ransomware infections | Ars Technica: "More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss enterprise application, researchers from Cisco Systems said Friday." The joys of monoculture, the ideal petri dish for the epidemic disaster. Labels: security flaw
Mac Developer: QuickTime Sandbox Fail
This looks like a security scoped URL fail. When the sandbox is so restrictive even Apple can't figure out how to make it work.
Labels: security fail
Mac Developer: Apple investigating major App Store search changes, mulling paid results, report says
Apple investigating major App Store search changes, mulling paid results, report says: "A report Thursday claims Apple has a 'secret team' working on major user-facing changes to App Store search results, including the possibility of charging developers to promote content." I'm looking forward to seeing the Microsoft brand at the top of every search category on the App Store(s). If Google isn't already the way you find relevant content in the App Store, it soon will be. Labels: app store
Mac Developer: '1970' date bug could be used to wreck pre-iOS 9.3.1 devices over Wi-Fi, researchers say
'1970' date bug could be used to wreck pre-iOS 9.3.1 devices over Wi-Fi, researchers say: "If an iOS device is set to connect to a trusted Wi-Fi network automatically — such as a cable company's free hotspot — a hacker mimicking that network's name can trick a device into setting the wrong time, said Patrick Kelley and Matt Harrigan, cited by Krebs on Security. This is possible because iOS regularly tries to connect to an NTP (network time protocol) server to keep time in sync." Think of all those wasted hours trying to get useful code running in a sandbox environment. To what end? Labels: security flaw, social hacking
Mac Developer: How to install and run Mac apps that don't come from the Mac App Store
How to install and run Mac apps that don't come from the Mac App Store: "Apple has introduced a number of features designed to protect users from malware in OS X, but these tools occasionally go too far when trying to save people from themselves." Well, as long as the Mac can run really crappy ports of iPad shovelware, why should anybody complain? Labels: app store
Mac Developer: FBI reportedly paid 'gray-hat' hackers, not Cellebrite, for zero day exploit in San Bernardino iPhone case
FBI reportedly paid 'gray-hat' hackers, not Cellebrite, for zero day exploit in San Bernardino iPhone case: "In the latest development of what appears to be a never-ending guessing game, a report on Tuesday claims FBI officials purchased a zero day exploit from a group of professional security researchers as part of its successful effort in breaking into an iPhone 5c linked to last year's San Bernardino terror attack." Moral hazard courtesy of "the establishment". Labels: security policy
Mac Developer: More big-name sites hit by rash of malicious ads that attack end users | Ars Technica
More big-name sites hit by rash of malicious ads that attack end users | Ars Technica: "Some of the Netherlands' most popular websites have fallen victim to a malvertising campaign that managed to compromise a widely used ad platform, security researchers reported on Monday.
The malicious ads were served over at least 11 sites including marktplaats.nl, the Netherlands equivalent to eBay and the country's seventh most visited website, according to a blog post published by security firm Fox IT." The modern browser: source of most security problems. Labels: security flaw
Mac Developer: WhatsApp is now most widely used end-to-end crypto tool on the planet | Ars Technica
WhatsApp is now most widely used end-to-end crypto tool on the planet | Ars Technica: "As the company explained in a white paper that was released on Monday night, WhatsApp uses the Signal protocol (formerly known as Axolotl), which was created by Moxie Marlinspike’s Open Whisper Systems. (That protocol is also used by Marlinspike’s Signal encrypted messaging and voice app.)" Open source wins again.
Labels: security policy
Mac Developer: Why Microsoft needed to make Windows run Linux software | Ars Technica
Why Microsoft needed to make Windows run Linux software | Ars Technica: "The recent Xamarin acquisition and the announcement last week that Xamarin would be free with Visual Studio and released as open source to boot makes Windows a strong candidate for all kinds of software development. Visual Studio includes a high quality Android emulator and all the tools for developing on Android." Quite right. Labels: Mac vs. Windows vs. Linux
Mac Developer: A spiritual successor to Aaron Swartz is angering publishers all over again | Ars Technica
A spiritual successor to Aaron Swartz is angering publishers all over again | Ars Technica: "I would like to reference Robert K. Merton, the founder of the sociology of science. He studied the ethos of research communities. And what he found is that communism is one of the four important ethical norms (along with universalism, disinterestedness, and organized skepticism) that makes science work. By communism, he meant the common ownership of scientific discoveries, according to which scientists give up intellectual property in exchange for recognition."
Information wants to be free.
Labels: security policy, social hacking
Mac Developer: Software security needs a new perspective | TechCrunch
Software security needs a new perspective | TechCrunch: "the potential destructiveness of software bugs has become orders of magnitude more dramatic than it used to be, say, 20 years ago."
It used to be that only AT&T was networked and running Unix and susceptible. Now, every darn IoT device is running some version of Linux. Labels: security flaw
Mac Developer: Announcing the official release of the Visual C++ Build Tools 2015 | Visual C++ Team Blog
Announcing the official release of the Visual C++ Build Tools 2015 | Visual C++ Team Blog: "ATL and MFC are important libraries. The fact that they were missing from the Build Tools made it impossible for you to use the Build Tools for your projects."
You think you understand corporate development, but you don't. MFC and ATL were my primary frameworks in 1994. That's 22 years ago. Keep that in mind when you release new tools every year that break code that was written 3 years ago. Labels: android vs. ios