Despite some security-conscious enterprise experts pointing accusatory fingers at the rather bleak encryption story and only-recently fixed ActiveSync policy compliance on the iPhone platform, there's no doubt that IT and network professionals are grooving on the iPhone -- there are many apps designed for administrators to take control of their operations with a touch of a finger, and now Cisco has stepped in with an informational and alert resource that fits in your pocket.

The Cisco SIO (Security Intelligence Operations) to Go free app [iTunes link], requiring iPhone OS 3.0 or later, lets the paranoid properly alert and aware security professional keep tabs on the global threat landscape with Cisco's Cyber Risk Reports, Threat Outbreaks and Mitigation Bulletins, along with podcasts, blog posts and a slew of other branded content. There's also an IronPort-driven IP and email domain scanner, which will grab WHOIS data along with a brief reputation score for your hosts.

Having all this Cisco goodness in one place is handy, although the majority of the app's headlines link to pages on the Cisco site that remain largely iPhone-unfriendly -- even the press release announcing the app's launch is hard to zoom properly -- and there's none of the flexibility of a full-featured RSS reader to forward articles, bookmark or set read/unread points.

Still, as a gesture of goodwill towards the intersection of iPhone users and security professionals, it's a reasonable step. Cisco also has the WebEx Meetings app [iTunes link] and the Cisco Mobile telephony tool [iTunes link] in the store, both free.

[via TechCrunch]

With the latest jailbreaking code, blacksn0w, now available for Geohot's blackra1n utility, iPhone owners who want to free their favorite smartphone from the constraints of the App Store and the AT&T network may do so. But a recent report by PCWorld / Network World indicates that Apple is hiring a new "sheriff" to lock up the iPhone platform for good. Is this true? Maybe not.

According to the post by Network World blogger John Cox, an Apple corporate website is showing a job posting for an iPhone platform security manager. The manager would lead a team aimed at creating methods for secure booting and installation of the iPhone OS, strengthening the platform's cryptographic services, partitioning and hardening internal security domains, and providing risk analysis of security threats.

The post goes on to breathlessly state that this job posting (which is noted as filling an existing position, not creating a new one) is indicative of Apple's concern that enterprise users might jailbreak and unlock their iPhones. The jailbroken phones would let enterprise users load apps that could "threaten corporate data or back-end Exchange servers," and "unlocking the phone... makes it hard to track, monitor and optimize wireless costs and could open the enterprise to legal problems."

Why is it so important for Apple to crack down on jailbreaking and unlocking? Well, the post says that many enterprises are adopting the iPhone "despite the fact that Apple provides virtually no security or management infrastructure..." That last statement is a bit ridiculous, considering that Apple even provides a series of white papers on exactly how to implement secure, managed iPhone deployments in enterprises.

Perhaps the author has been out the enterprise world for a while, since alterations like jailbreaking and unlocking are forbidden by policy in almost all big businesses that provide their employees with phones. As Mike Rose put it succinctly, "What enterprise user is jailbreaking their phone to use T-Mobile when that means they won't get reimbursed for their cell costs? What enterprise user wants to risk getting cut off from Exchange access?" And what enterprise employee is going to risk his or her good graces with the corporate security team for the sake of being able to run SplatCam or Cycorder on the iPhone?

The post tries to tie the rather innocuous task of filling an open job posting to an attempt by Apple to try to shut off the jailbreak world -- which, if it is doing, isn't necessarily about covering corporate requirements. As long as there are people who want to jailbreak their phones or unlock and move them to a different GSM carrier, hackers will find a way to do it. To us, it appears that Apple is just trying to maintain and improve security for the iPhone platform, something that will benefit all iPhone owners.

Most of us have really crappy, insecure passwords. Sure, we tack a couple of numbers or punctuation characters at the end of our cat's name, but that's a far cry from secure -- especially since we also have the equally nasty habit of using the same password on every single site/service/machine/device with which we have regular contact. We're not just asking for trouble, we're offering it a delectable stolen identity sandwich.

As most of us Mac folks know, a solution exists and it's called 1Password. If you've owned your Mac for more than an hour or so, chances are pretty good that you've been admonished to acquire this lovely app (maybe even by more than one person). Several of us at TUAW are big fans of 1Password, and today our pointy party hats are standing taller than ever thanks to the opening of the public beta for 1Password 3.

This new version brings with it a massive list of changes, improvements and new features -- a couple of which have helped me to realize the dream of being able to utilize 1Password data on OSes other than OS X. You see, like many other Mac enthusiasts, I use Windows at work. Obviously, this precludes me from fully embracing Mac-only software like 1Password, but thanks to a brand new feature called 1Password Anywhere, my pain is dulled.

1Password Anywhere allows you to take your 1Password data and open it using any modern web browser. I've tested this with Chrome, Firefox and IE under Windows XP and they all work wonderfully. Your data is still absolutely secure and stored behind the same master password that protects the data in 1Password proper. They didn't spare any detail, either -- 1Password Anywhere looks and feels remarkably similar to the native OSX application. The data is read-only in your browser, but being able to easily the strong passwords and paste them is worth the admission price. The truly enlightened will see the application of a service like Dropbox here -- just move your keychain file into your Dropbox and your passwords are now with you whenever you go.

Face it: your address book and your contacts, they're personal. They reveal a lot about you: your friends, your business partners, your cake buying proclivities, and more. The address book you see at the top of this post appears to be for someone in the Denver area. I know that because of the REI Denver listing and Le Bakery Sensual on 6th, which I drive by whenever I head East from Broadway.

These contacts, along with their notes, their phone numbers, dates of birth, and other information say a lot about the person whose address book this is, and also about the people who appear in that contact list, with all their personal and professional info.

There's one big problem. The screen shot you see wasn't made by the person who owns this me.com account. Under certain very specific conditions, Apple is inadvertently sharing data from other people's accounts. Ouch.

A TUAW reader sent us a video made as he renewed his me.com account from the UK. The address book data he accessed during that time included this Denver-based set shown here, as well as data from an Ireland-based user of Polish descent (all his contacts were back in Poland although his business was based in Ireland).

This all went down during the period when his MobileMe account was renewing. Each time he logged off and back on, he was presented with yet another set of contacts--none of them his. He writes, "Each time I logged off and on I got a different address book. All the other options were disabled (because my renewal was being processed) but clicking the Contacts icon showed me *an* address book," just not his address book.

With a little Internet-fu, he checked out some of the numbers and found that they were valid and operational. This leads him to believe that this is real data. My inspection of the local Denver data from his screen shots convinces me of the same. Further inspection of work addresses and personal family names makes us believe we know whose Denver-based address book this is. We've attempted to contact this person but as yet have not heard back.

The address book glitch ended once the registration process finished, leaving our TUAW reader with a series of screen shots and videos and a deep concern about Apple's ability to safeguard personal data. He's already contacted Apple about the bug. "I contacted them by two means: their web-chat thing where they told me that they 'had no reports of such an issue'. They suggested closing and reopening Safari (helpful eh?) and a generic autoresponse saying they'd reply within 5 days when i sent an email." He adds, "I don't think the people manning the help desk appreciated the seriousness of the situation."

TUAW has sent a heads-up to Apple and will keep monitoring the situation to see how it develops.

iWork.com, Apple's service for sharing documents from iWork '09 to the Internet, which our own Dave Caolo posted about it's shortcomings just last week, received an update a few days ago along with iWork '09. It added a few new features and improvments to the service, which is still in beta.

They include:

• Automatic email notification. Now the iWork.com beta lets you stay up to date whenever viewers add new comments or notes to your posted documents. You can choose to be notified immediately, hourly, or daily.

• Enhanced security. Automatic 128-bit SSL encryption now safeguards communication between you and your viewers via iWork.com. You can also password-protect documents you share on iWork.com-so even if someone has a link to your document, they won't be able to view it without the password you supply.

• Refined user interface. The redesigned Shared Documents page includes thumbnail previews so you can more easily identify your shared iWork files. You can also organize your shared documents by date, name, size, or comments received. And you can now access all your shared documents by signing in at www.iwork.com.

You should be able to use these new improvements once you've updated to the latest version of iWork '09, if you haven't already done so.

Also, Apple has set up a new iWork.com news page, where you can get updates on iWork and the iWork.com service.

Hopefully, these improvements will further advance the iWork.com service.

Appearing alongside the Mac OS X 10.6.1 update, Apple released another update today: Security Update 2009-004 is out for users of Leopard and Tiger. This update patches several vulnerabilities, including the security issue with Flash that was also part of Mac OS 10.6.1.

It's available now through Software Update and is applicable for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Sometimes it's the smallest thing in a software update that means the most to some users. This latest iPhone update contains a few little gems that should not be lost in all the excitement over new iPod hardware.

One of the nicest additions is the ability to remotely lock your iPhone if you're a MobileMe subscriber. It could be very helpful if you've left it somewhere and are not sure where, or you know it's stolen but don't want to wipe all your content in case the phone is quickly recovered. This doesn't replace the very welcome remote wipe feature, but it is a nice add-on.

The place to activate the remote lock is on your MobileMe settings page, which you can access from a web browser. You can give a four digit code, and if your phone is turned on it will immediately lock. You will also get a confirmation e-mail from Apple.

One item to note, once you have done this, it is not a one-time thing. When you get your phone back and you unlock it, it will lock up again when your auto-lock activates unless you turn the feature off in your iPhone settings. I tested the remote lock function, and it worked as advertised.

Another worthwhile addition in the iPhone 3.1 software is the ability, finally, to use Bluetooth voice commands with a Bluetooth headset. This feature should have been included in the iPhone 3.0 software, but I am glad to see Apple address this obvious shortcoming,

With my Jabra Bluetooth headset I could initiate a voice call without any problem. I also asked the phone what song is playing and got the correct answer, but the voice responded through the phone and not the headset. No big thing.

It's nice to see Apple cleaning up some of these little issues as the iPhone moves forward. Wonder where it will be in a year?

It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.

Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.

It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.

[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]

Thanks to everyone who sent this in.

Another day, another dumb criminal gets snared by Apple technology. In this case, 2 dumb criminals. This latest foiled crime involved the theft of 4 iPhones from the Apple Palisades store in West Nyack, New York.

According to the Journal News up that way, the two crooks ran from the store, and police put out a description of the thieves. The phones were also tracked using the built-in iPhone GPS, and the info led police to a hardware store parking lot in Orangetown.

The hapless thieves are scheduled to appear tomorrow in court to answer to to the charges relating to the stolen iPhones and also to explain why they had 2 more stolen iPhones in their possession. The apprehended men are now in the Rockland County jail, hopefully thinking it may not have been so smart to steal phones with GPS tracking. Oddly, the Journal News article quotes cops saying the value of the four stolen phones was close to $4,000, which seems quite high; perhaps they meant the value of all six phones found with the suspects.

Meanwhile, our friend 'Jim' says he is getting good cooperation from his local police in apprehending the thieves who stole his MacBook and iMac. As you'll remember from our previous coverage, Jim has the Back to My Mac feature of MobileMe and using the screen sharing function saw someone filling out an online job application, which helpfully listed their address, phone number, name and Social Security number. Then yesterday, Jim snagged a picture of one of the alleged crooks who had used the built in iSight camera to pose for a snapshot..

As Jim continues to make contact with his stolen laptop, he finds more goodies. Someone logged into their MySpace page, and Jim was able to copy and download various pictures of the alleged perps. He also retrieved one of their cellphone numbers.

Police have made a couple of visits to the address, but haven't found anyone at home. They are persisting and will undoubtedly find them, likely ruining their day.

[Thanks to Jim R. for the West Nyack tip]

Yesterday we told you about some crooks that broke into a house and made off with a couple of Macs and a PC. We recounted how the victim used his replacement MacBook Pro to screen share with the stolen device, and even watch as someone filled out an online form to find a job, displaying an address, social security number and phone number.

Well, the crooks are still at it, and seemingly oblivious to the consequences. Last night, I heard from 'Jim' the victim, and he said he was connected again to his laptop, but no one appeared to be home. He saw an unfamiliar jpeg image on the desktop, and you guessed it, the alleged perp had proudly taken a picture of himself with the built in iSight camera. 'Jim' grabbed the pic, and has now forwarded it to his local police department.

It's kind of amazing that the crooks would know enough to grab a pic from the camera, but not realize they have left the Mac wide open to the features of Back to My Mac.

Hopefully, the police will get in gear, and rescue the stolen computers, and grab the perps. Meanwhile, 'Jim' is cautiously considering getting back into his Mac and erasing any files with personal info on them. He just doesn't want to get caught and spook the thieves.

We'll keep you posted.

Update 2:30p ET 9/1: We've heard more from the theft victim; see the latest news on this crime story here.

We're getting our share of crime stories lately, and today's is really a jaw dropper. I'm going to be sketchy on details and locations because there is an investigation underway.

Here's what we have so far. An East Coast man had his house broken into with 2 Macs and one PC stolen, along with some other household items of value.

One of the Macs was a laptop, and our victim bought a new MacBook Pro to replace it, and used a Time Machine backup to restore all his files. The crime was reported to police, who said they had no leads, but there had been a string of similar burglaries in the area for quite some time.

When our victim (we'll call him Jim) sat down at his replacement laptop last night, he saw one of his missing computers come up as a share via the Back to My Mac feature of MobileMe. He clicked on the share, and explored the files of his stolen machine. You can guess what comes next. Taking a chance, he clicked on screen sharing, and saw that someone was using his Mac, checking lottery numbers on a web page.

Jim didn't want to take control of the Mac, so he just watched, fascinated. Later, when activity on his missing computer stopped, he went to the network panel and grabbed an IP address, and took a screen shot of it.

This morning, he saw someone applying for a job online using the stolen laptop, and Jim now has the Social Security number, address and phone number used on the job application. Jim speculates it is possible the machine has been sold to someone and that is who was applying for the job. Or it could still be with the crooks.

He's contacted the police, and we don't know how this saga ends yet, but we'll let you know how it all works out. So far we've got a pretty smart victim and some really dumb crooks. Jim says he is sure he'll be renewing MobileMe when it's time.

Details at 11.

[Thanks to 'Jim' for sharing his experience with all of us]

Stepping up to a shiny new 3GS? Thinking about selling your old iPhone on eBay or craigslist? Don't forget to wipe!

I buy iPhones from time to time to unlock and offer to our local customers. One such phone arrived today and I eagerly opened the box to get things prepared. After charging the dead iPhone for a while, I powered it on and was greeted with tons of personal information about the previous owner.

The phone was loaded up with three accounts full of literally thousands of emails, 107 contacts, 974 songs, a few dozen photos and a handful of apps -- all still happily filling the 8GB. There were faxed checks related to the previous owner's sales position, visual voicemails available to anyone's ears, and a huge log full of text messages.

The previous owner hadn't deleted anything before sending his iPhone off to a complete stranger! While I was taking care of that important step for him, I thought "This is a perfect opportunity to save some TUAW readers from this sort of embarrassment, not to mention potential ID theft, with a quick reminder."

Clearing all of the data from your iPhone was made simple with the 2.0 firmware update last year.

1. Go to Settings
2. Tap on General
3. Scroll all the way down and tap Reset
4. Choose Erase All Content and Settings
5. Confirm (twice) that you REALLY want to lose everything

Make sure you have it plugged in, as the process will take quite a long time, "about an hour" according to the warning. But, believe me, it is time well spent!

Once the process is complete, you'll be left with a "factory fresh" installation of the iPhone OS with no trace of you or your data, and you can safely sell it and upgrade to the latest and greatest model. Oh, and do me a favor -- if I'm the auction winner, include a working sync cable this time!

Amidst the Safari and AirPort updates yesterday, Apple has released yet another update today, Security Update 2009-004. This update patches a single vulnerability affecting the BIND DNS server. It's available now through Software Update or Apple's support downloads page, and is available to download for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Maybe it's already Saturday in the UK, or close to it: Apple has released iPhone OS 3.0.1 for iPhone, iPhone 3G & 3GS, an update that patches the phone to prevent bad actors from taking it over or taking it down with the just-demoed SMS exploit. The update weighs in at close to 300 MBabout 230 MB (like all iPhone updates, it's a full image of the OS), and as far as we can tell there are no other fixes or tweaks; just the privilege of continuing to use your iPhone in peace and security.

Update with care, and let us know in the comments how the update works for you!

14:30 ET: Apple's security mailing list just delivered the notes for 3.0.1, they are reproduced in the 2nd half of this post. Also worth noting that the SMS exploit is not endemic to the iPhone alone; both Android and Windows Mobile platforms can be attacked with similar techniques, although Google tells BW that the issue on Android phones is now fixed (presumably through carrier action on T-Mobile's side, not confirmed though).

Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. This exploit is caused by corruption in the iPhone's memory handling and is executed by sending a burst of text messages by using a uncommon text character or by sending a hidden message.

So far, Apple has been rumored to have a fix in the works, but there's been no confirmation yet when it will be available. The researchers also say that there's nothing you can do to protect your iPhone from this vulnerability, other than to turn off the phone. More details on this issue will be discussed later today at Black Hat, hopefully outlining a path to fix this issue.

Meanwhile, the two developers have already demonstrated this flaw in action to CNET's Elinor Mills, proving its existence and extent of the threat.

We'll be providing more coverage on this issue once it's unveiled, so stay tuned to TUAW.