password posts

Filed under: Security, iPhone, Jailbreak/pwnage

Worm rickrolls unsecured jailbroken iPhones via SSH

For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker, going by the name "ikee," created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack. The iPhone OS, in general, is also immune to this hack. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable with a package from Cydia that allows you to connect to your phone and make changes to the filesystem. It does this by logging into the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to the password of your choosing. This hack can only affect people who chose not to change that password -- no one else.

This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:
...The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.
Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again.

Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH was left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using terminal:

Type: ssh root@(iPhone IP address)
When prompted for the password, type: alpine
Now you're connected to the phone...
Type: passwd
It should then prompt you for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.

That's it. Please remember to be responsibly secure with your devices. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.
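To confirm the change took effect, the following added example (not part of the original post) lists every account in a BSD-style master.passwd file whose password field still holds the stock hash. It assumes the device keeps its hashes in /etc/master.passwd and that DEFAULT_HASH is the widely published crypt hash of "alpine"; the sample file is constructed and shows root already changed while a second account, mobile, is not.

```shell
#!/bin/sh
# Added example: audit a master.passwd-style file for accounts that still
# carry the stock password hash. Run it on your own device after "passwd".

# Assumption: widely published DES crypt hash of the default password "alpine".
DEFAULT_HASH='/smx7MYTQIi2M'

# Print the name of every account whose hash field equals DEFAULT_HASH.
# File format: name:hash:uid:gid:class:change:expire:gecos:home:shell
default_pw_accounts() {
    awk -F: -v h="$DEFAULT_HASH" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and junk lines
        $2 == h { print $1 }
    ' "$1"
}

# Report findings; exit status 1 means at least one account needs "passwd".
audit() {
    hits=$(default_pw_accounts "$1")
    if [ -n "$hits" ]; then
        for u in $hits; do
            echo "DEFAULT PASSWORD: $u (fix with: passwd $u)"
        done
        return 1
    fi
    echo "no account uses the default hash"
    return 0
}

# Constructed sample (not copied from a device): root has a new hash,
# mobile still has the default one, nobody has no usable password.
sample_master_passwd() {
    cat <<'EOF'
# constructed sample
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:Xq2r8LmN0pVbc:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
EOF
}

tmp=$(mktemp)
sample_master_passwd > "$tmp"
audit "$tmp" || true      # on a device: audit /etc/master.passwd (assumed path)
rm -f "$tmp"
```

Any account the audit reports needs its own `passwd <account>` run; changing root alone does not touch the others.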

Thanks, James!

Filed under: Software, Reviews

Sneak Peek: 1Password 3.0 + secret beta-enabler tweak

As Christina mentioned a while ago, 1Password version 3 is on the horizon, and we've got some sneak peeks to show you. There are some great improvements to the core, but more immediately noticeable are the visual tweaks to the interface. The entire UI has been overhauled, and I'm impressed. Take a look at the gallery to see for yourself. Oh, and check the end of the post if you missed out on the private beta but want to play with version 3 on your machine!

Haven't heard of 1Password? It's a form-filling, password-storing, iPhone-syncing, highly-secure information storage system. It handles software licenses, secure notes, credit cards and, of course, passwords. It can generate impossible-to-crack passwords on-the-fly, and then remember them for you. All you have to remember is, that's right, one password. Get it?

Read on for a quick walkthrough of new 1Password features, and a little trick to get your hands on it early ...


Filed under: Software, Internet Tools, TUAW Business, Beta Beat

1Password 3 beta nears, TUAW readers get a chance to participate


Update: The Agile Web Solutions guys have been nice enough to extend beta invites to another 100 TUAW readers. Those that don't make it into the first round, don't worry, the guys said they will be putting you on a waiting list and accessing that over the next couple of months, so with any luck, everyone can get in on the fun! Check out http://switchersblog.com for details in the coming weeks. Once again, send an e-mail with the subject "I want my 1P3 beta!" to 1P3Promo [at] agile [dot] ws!

I am a huge fan of Agile Web Solutions's 1Password. It's always one of the first applications I install on a freshly formatted Mac, and I use it countless times a day to manage my logins to various web sites, forums, shopping sites and more. I used to be really, really bad about using the same few passwords for every login, but the strong password generator coupled with support across browsers (and on the iPhone and iPod touch) makes it easy for me to have distinct and secure logins all over the web.

Last night, the Agile Web Solutions team released the 2.9.19 beta (with support for Safari 4), and if you subscribe to the 1Password newsletter, you know that 1Password 3.0 is gearing up for testing before being released later this year.

We've got some juicy details about what to expect in 1Password 3.0 and a chance for current 1Password fans to get in on the private 1Password 3.0 beta! Read on...


Filed under: Peripherals, Software, Features, How-tos, Odds and ends, Security, MacBook Air, MobileMe

9 things I learned from almost losing my MacBook Air


I swear, getting old is not a lot of fun.

Last night, I taught a class in data security for home and small business users at our local community college. There were a lot of good questions from the community education program students, so the class ended quite late and I was still answering questions as I walked out the door.

This morning, I went to grab my MacBook Air out of my laptop bag and literally grabbed air instead. In my haste to get out of the classroom and head home, I had packed everything but the laptop. Fortunately, the classroom was locked and few classes are scheduled for early morning, so I called the campus police and had them rescue the MBA for me. Problem solved!

After actually losing an iPhone 3G a few months ago, I wrote a post about what to do to prevent data loss and identity theft when you lose your iPhone, and included a few tips on how to hopefully keep yourself from losing the phone in the first place. In this post, I'll talk about the things that I do (or can do) to keep my MacBook Air and my data safe, even when my mind conspires against me to try to lose the computer.


Filed under: Software, iPhone, App Store, iPod touch, First Look

TUAW First Look: 1Password touch 2.0 for iPhone and iPod touch

Agile Web Solutions, developer of the 1Password secure password manager for Mac, has announced the release of 1Password touch 2.0 for iPhone and iPod touch. The app, which is available through Friday, June 5th as a free download, is much improved over the previous versions and includes new functionality as well.

I downloaded and installed 1Password touch 2.0 [App Store] yesterday and was pleased to see that some previous issues have been resolved. The app now launches much faster, and the user interface has been improved for adding logins, passwords, and notes.

One of the biggest improvements is in how 1Password touch handles wallet items. These are things like driver's licenses, bank account numbers, internet account information, or other information that you may need to have at your fingertips, but would like to have secured behind AES-128 encryption on your iPhone. Previously, you couldn't add or edit wallet items on your iPhone; now you can.

WiFi Sync is now available as well (replacing the previous sync functionality, which was branded differently). You need to be running 1Password for Mac version 2.9.16 or later, as well as 1Password touch 2.0 or later. The sync is very fast, and it makes moving password and wallet information between your Mac and iPhone a piece of cake.

If you don't currently have a secure password manager for your iPhone, or if you're not happy with the one currently installed on your device, be sure to download 1Password touch for free during the next few days. Check out the gallery below for some screenshots of the new version.

Filed under: MobileMe

Mobile Me debuts large file sharing with iDisk


Apple yesterday announced a new addition to Mobile Me: The ability to share large files with others via iDisk. One of our readers had noticed an announcement about it way back on New Year's Day.

The service works much like YouSendIt, though rather than uploading a file, you point to an existing file on your iDisk. MobileMe then assigns a URL to that file, and offers to send an email to a recipient with the link. You can also assign an expiration date and password to the link.

MobileMe's sharing functionality is so far available only through the iDisk web application, and not through the Finder. Tools like Dropbox and FileChute -- available on the desktop -- allow you to upload files and assign them a public link, but don't feature expiration dates or passwords (yet).

Apple offers a tutorial on how to use the new feature on its website.

Thanks to everyone who sent this in!

Filed under: Security, Mac 101

Mac 101: 7 tips for Data Privacy Day 2009

Today is Data Privacy Day, a global initiative to highlight information security rights and practices, especially among teens, professionals, corporations, and the government.

As part of the celebration, TUAW (along with our sister blog Download Squad) has seven good ideas for you about how to keep your data safe and away from prying eyes with Mac OS X Leopard. Also, be sure to browse TUAW articles filed under Security for other tips and alerts about keeping your data safe.

1: Turn on your firewall

Leopard, as we all know, comes with a built-in firewall to prevent other computers from connecting to internet-facing ports on your computer. But did you know it's turned off by default?

To turn on your firewall, open System Preferences, and click the Security icon. Then, click the Firewall tab. Make sure either "Allow only essential services" is selected, or you can choose to "set access for specific services and applications" yourself.

You can also use "Stealth Mode": when enabled, computers that send data to blocked ports won't even get acknowledgement that the data was received. To enable Stealth Mode, click the Advanced button on the Firewall tab of the Security preference pane, and click the check box next to "Enable Stealth Mode."

2: Set a screen saver password

A feature popular with Windows users, Mac OS X can also lock your screen when your computer sleeps or when the screen saver comes on. Simply open System Preferences, select Security, and choose the General tab. Click the check box next to "require password to wake this computer from sleep or screen saver," and you're all set.

If you have automatic login enabled and click the "require password" check box, Mac OS X will recommend that you disable automatic login. This means you'll have to enter your password to turn your computer on, too; nefarious nogoodniks won't be able to restart your Mac while the screen saver is on to circumvent the need for a password. Good thinking.


Filed under: Mac 101

Mac 101: Retrieve your Keychain passwords


Have you forgotten the password to a website, email account, or something else? If you use Mac OS X's Keychain, chances are that your password can be easily retrieved.

First off, open Keychain Access.app (located in /Applications/Utilities/). Once there, scroll through the list of keys until you find the one that you're looking for. Double click on it and check the box that says, "Show Password." Once you authenticate with your user credentials, your forgotten password will be displayed in the text box.


Want more tips and tricks like this? Visit TUAW's Mac 101 section.

Filed under: Apple Corporate, Security, Developer

iPhone dev: Apple gave out my password

Marko Karppinen, an ADC Premier member, iPhone developer, and user like the rest of us, had his personal information released by Apple to an unknown third party, simply because of this one-line email:

am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com

Apple -- apparently with no additional research -- reset Karppinen's password, and changed the email address on the account to the perp's. As a result of the login change, the perp had access to Karppinen's credit card details, developer software seed key, and the contents of his iDisk.

Karppinen, understandably, was livid, and sent ADC an email about what happened. A team lead from ADC's European support organization contacted Karppinen, apologizing for the mix-up. The rep promised to find out (from Apple's own logs) what information was compromised.

Apple has so far not commented on the incident, outside of what Karppinen says the ADC rep told him. It's unclear what Apple will do in the future to prevent this from happening again.

[Via Daring Fireball and The Consumerist.]

Filed under: Software

1Password 2.6.5 released

Agile Web Solutions has updated their 1Password product with support for 4 new browsers and better support for the newly released Firefox 3. 1Password now works on the following web-browsing applications: Safari 4 (Developer Preview), DEVONagent 2.3.1, latest OmniWeb, and Flock 2 beta.

In addition to updated browser support, 1Password also boasts a higher level of stability while running in Camino on PPC Macs. You can see the full list of updates (all 21 of them) by visiting the Agile Web Solutions website. In addition, you can download the update by going to 1Password > Check for Updates in the 1Password application.

Filed under: OS, Bad Apple

Mac OS X password recoverable from RAM?

In a recent post over at Ars Technica, they say that Mac OS X users could have their login passwords recovered through physically accessing the RAM. This comes after FileVault was proven to be cracked. The article notes that Mac OS X and certain applications store the user's password in memory, leaving it there after you've logged in. While locally-running apps cannot readily retrieve the password, someone could get access to the contents of RAM after the computer has been rebooted or shut down.

This could be accomplished by physical means and might require the hacker to remove the RAM cover on your Mac and chill the RAM, as suggested by Edward Felten's research team at Princeton. This freezing allows the information to stay on the RAM for longer than the normal 2.5 to 35 seconds -- allowing someone to place it in another computer and read the contents.

In a separate approach to the password-in-RAM vulnerability, CNET witnessed an EFF demo of an attack using a custom NetBoot "EFI memory scraper" to record the RAM contents on reboot and save the data as a file on another machine over the network -- the attackers were able to clearly find the login password in the file. Again, this attack requires physical access to the machine (in order to force the NetBoot via holding down the N key on restart) within a minute or two of shutdown. However, an attacker could conceivably target a machine that was locked or sleeping (with RAM contents 'live'), power it off and back on, and use the NetBoot attack immediately.

While Apple has been made aware of the attack (notified on February 5), no fixes for these issues were reported in the 2/11 security update. According to CNET, an Apple spokesperson said they were aware of the issues and were "working to fix it in an upcoming software update." Until this update comes out, you may want to set a firmware password for your Mac, or wait longer to leave your unattended Mac after a shut down. Alternatively, we have lovely TUAW-branded tin foil hats available for purchase.

[via Ars Technica]

1Password brings form-filling to the iPhone


Back at Macworld we saw a sneak-peek from 1Password creator Dave Teare of the (then forthcoming) iPhone form-filling, username-storing 1Password bookmarklet for iPhone (pictured above at Moscone). Today sees a new build of 1Password pushed out for beta-loving users who want to take advantage of it.

Of course, one main qualm people may have with this is "just how secure is my data?" The 1Password data is saved in the bookmarklet itself using "448-bit blowfish encryption". Users set up a password to use with the bookmarklet, and 1Password outputs all your data in an encrypted format to sync via iTunes' 'Sync Safari Bookmarks' option. Once on the iPhone, you navigate to a page such as Pownce, choose the bookmarklet, enter your previously-set password and choose the login you wish to use. All the form filling, and form submission, is handled by the JavaScript.

I've been long-in-need of something like this for the iPhone -- the typical 'too many usernames, too many unique passwords' scenario -- and using it this evening, it's been mighty handy. If you're wanting to get your hands on it, simply set your copy of 1Password to check for beta releases (all the usual beta disclaimers apply) and download the most recent release!

Filed under: Software, Beta Beat, iPhone

1Passwd 2.5b adds iPhone export

The browser password manager 1Passwd has just been updated to version 2.5b and adds an interesting new feature: iPhone export. You're now able to export your secure passwords and notes to the iPhone from your Mac. The clever thing is that they accomplish this without hacking the iPhone in any way.

Basically what it does is create a special secured Safari bookmarklet from your 1Passwd data "using 448 bit Blowfish encryption." This special bookmarklet is then synced to the iPhone in the normal way through iTunes. When you access the bookmarklet in mobile Safari on the iPhone it prompts you for your password and then gives you access to your passwords, secure notes, etc. Since it's just a bookmarklet in mobile Safari this should not be affected by any future firmware changes, etc.

The latest 1Passwd beta can be downloaded from the Agile Web Solutions Forum.

Filed under: Peripherals, Security

Secure your Mac: Eikon biometric security

TUAW has lately been trying to help you Secure Your Mac, and while a few options have been available, biometric security is one area in which the Mac has seemed to lag behind the Windows side. Now UPEK has released a preview of the Mac version of their Eikon Digital Privacy Manager. The software allows you to use the Eikon scanner to log in to your account, control your Keychain, switch users, or lock down your Mac.

The Eikon scanner is a USB device which costs about $40 and only comes with Windows software. Once you have the scanner, however, you can download the Mac Protector Suite Preview for free from UPEK. If security is a serious concern and passwords are getting tedious, then a biometric solution like this one looks increasingly cost effective.

[via OhGizmo]

Filed under: Software, Internet Tools, Podcasts

TUAW Podcast #22: 1Passwd



This week's podcast covers 1Passwd, the password manager and autofill tool that brings some really unique features and multi-browser support for the Keychain to the table. For just under 8 minutes I demonstrate some of the killer features of this app that go above and beyond the norm, and the whole thing weighs in at a mere 28MB. Snag it from our iTunes Store Podcast directory, this direct link or our own podcast rss feed. Enjoy!
