Research paper: Unauthorized Cross-App Resource Access on MAC OS X and iOS.
I previously reported on this monumentally dangerous security bug in All your passwords at risk with OS X and iOS, and Apple Sits on the Problem.
Ars Technica covers the same issue in Serious OS X and iOS flaws let hackers steal keychain, 1Password contents.
Why has Apple sat on this for over six months, doing next to nothing?
MPG advice is to use 2-factor authentication on all sensitive accounts. That means a hardware token or something like Authy. Unfortunately, many institutions are badly in arrears on security, not even allowing strong passwords. And there is only piecemeal and inconvenient support for 2-factor authentication. Worse, each institution may do it a different way. It’s awkward.
Well, it’s a lot worse than your own stuff.
The internet and the Cloud have become a very dangerous place for not just money and privacy, but real physical things, like steel mills. Are nuclear power plants next? It’s a valid question. The Federal Government just lost 4 million or whatever sensitive employee records to China (allegedly). Tip of the tip of the iceberg without a doubt, in terms of security penetrations that are “sleepers” and what is not reported and not detected.
Recently I sat next to a CEO of a major company whose business is to staff and run major events all over the country (conventions, exhibits, etc), including all the IT work and information collection. I mentioned the massive and dangerous security issues cropping up today, the fact that governments and organized crime were involved, that real physical things could be shut down and destroyed, and this naive CEO jackass actually argued with me that his network was secure and it was just not an issue because his security folks were doing their job. His attitude was that I was a “sky is falling” reactionary worried about fantastically remote possibilities. That’s the state of denial today that still exists in corporate America.
But a loss of privacy or money pales in comparison to far worse possibilities, like shutting down the power grid for a few months, which could kill (by starvation and similar) millions. It’s no laughing matter, and only a gray swan probability. In fact, it is a certainty when war comes because a country can be taken down by computer, no bombs or bullets needed (electronically attack all dams, power plants, distribution centers, hospitals, etc, probably with sleeper compromises already in place and undetected). This country sits and waits for that to happen, with virtually nothing being done.