For the last few days, some jailbroken iPhone users have found their home screen background a little different than they remembered. A hacker, going by the name "ikee," created a worm that changes the home screen background on jailbroken iPhones whose owners failed to change the default password after installing SSH. Simply jailbreaking your iPhone will not make you vulnerable to this sort of hack. The iPhone OS, in general, is also immune to this hack. Still confused? Let's back up a bit.

On jailbroken iPhones, SSH is installable with a package from Cydia that allows you to connect to your phone and make changes to the filesystem. It does this by logging into the root user with the password "alpine." After installing SSH, it is always recommended that you change "alpine" to the password of your choosing. This hack can only affect people who chose not to change that password -- no one else.

This hack originated in Australia, the home country of ikee, and has possibly spread to other iPhones in other countries, but we've been unable to verify that. A gentleman by the name of JD held an interview with the hacker over IRC and posted it to his blog. In ikee's own words, here's how the worm has spread:

...The code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra's IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT'd) then a random 20 IP ranges. I'm guessing a few phones hit a range that another vulnerable phone was on.

Basically, once your phone is infected, the worm starts looking for other iPhones on the cellular network that use the root:alpine combination. Once it finds another vulnerable iPhone, it installs itself and begins the process again... and again... and again.

Luckily for the jailbreakers in the audience who may have been affected, there's really no harm done -- at least not with this version of the worm. According to the hacker, this was more of an experiment than anything else. The worm changes your background and then disables inbound SSH, which is a good thing. If SSH was left turned on, a similar worm could follow along but conceivably do much more damage. For instructions on how to delete this worm, read JD's interview with ikee. I would recommend reading the interview just for the information it presents; I found it pretty interesting. If you've got a jailbroken iPhone or iPod touch and you've never changed the default device password, now's the time. Here's how, if you are using terminal:

Type: ssh root@(iPhone IP address)
When prompted for the password type: alpine
Now you're connected the phone...
type: passwd
It should then prompt your for a new password -- type one that you'll remember. There's no easy way to reset it if you forget it.

That's it. Please remember to be responsibly secure with your devices. Hackers like ikee are troublesome, but this could have been much worse. While I don't personally condone his actions, he's prevented a lot of people from being vulnerable to more malicious attacks later down the road.

Thanks, James!

I'm not sure if you've been following the story of "Infosec Sellout" (it's a tough one to follow), but apparently the anonymous Mac hacker has given up blogging about OS X security-- his blog has been deleted and renamed on Blogspot. Just recently, he made headlines by claiming that he'd developed a worm for OS X called "Rape.osx," that hit a known vulnerability in the OS X mDNSResponder, an open source Internet protocol used by Apple. But apparently Infosec Sellout didn't think Apple responded appropriately to his warning (and/or his site was hacked itself), and he's gone quiet.

Robert McMillian of the IDG news service has has contact with Infosec Sellout in the past, and heard from the hacker in an email that "it was a great experiment to see how the industry could handle some honesty, which they can't. They are quick to attack the credibility of others in order to hide their own flaws." From that comment, it sounds like Infosec thinks Apple is somehow claiming to be impenetrable, but as other security analysts say, that's far from true. Still another story is that Infosec's identity was close to being found out, and he quit because of that. Apparently Infosec says that the identity discovery was a factor, but not because he didn't want to be found out, just because he didn't want his employer to be approached by "crybabies."

Strange story indeed. Unfortunately Infosec still hasn't revealed the hack, and says he won't reveal it to Apple until testing is completed.

The whole QuickTime/MySpace security hole that was discussed this week on TUAW has given rise to a general concern about QuickTime's vulnerabilities. The QuickTime bug apparently allowed a worm to infect MySpace user profiles and redirected traffic to a phishing site, where passwords were harvested.

An Information Week article suggests the security flaw could extend well beyond Myspace to both Mac and Windows users. The problem seems to stem from QuickTime's JavaScript support and a bug that allows malicious JavaScript code to affect browsers. The article states that although Apple has provided an Internet Explorer patch, it has yet to issue a general QuickTime fix across all platforms.

One of the long-standing major appeals of the Mac OS has been its relatively small and low-impact ratio of serious security vulnerabilities and virus attacks. Users wear it like a badge on their shoulder, and even Apple has jumped in by flat-out bragging about Mac OS X's security with their latest Get a Mac ad campaign.

While the debate surrounding exactly why the Mac has earned this reputation has raged at least since the term 'trolling' was coined, I'm a bit more interested in bending the space-time continuum and asking you, dear readers, a hypothetical: what would happen if a truly malicious Mac OS X virus were to break out in large scale? I'm talking about something along the lines of the Sasser worm, which grounded some Delta Airline flights, brought many other companies to their knees, and is estimated to have caused billions in damage.

I know Apple's machines aren't quite as integral to the various operations of our society and businesses like Windows and Linux are, but it would be hard to argue that a good portion of of the Mac user base doesn't care about the security of their chosen OS. With this in mind, I wonder: would you keep your Mac in a day and age when 3rd party virus and security tools become a basic necessity of Mac OS X? Would you bite the bullet and buy Norton Virus Mega Security Bundle Premium 2007 beta 5? Do you think all those switchers - reeled in by Apple's "We don't have any viruses" Get a Mac commercials - would become crippled in disillusion?

What say you, TUAW readers. How large of a hole in Apple's security record would be 'too large'?

A malicious QuickTime movie made the rounds across MySpace profiles last weekend, altering user profiles and changing links on their pages to redirect to phishing websites crafted to look like MySpace logins. The movie, CNET reports, actually capitalized on a MySpace flaw and QuickTime's legitimate support for JavaScript to craft what has been dubbed the Quickspace attack. It is also worth noting that while this movie could infect users who simply viewed a compromised page, the attack (as far as we know) only works on IE and Firefox in Windows (in other words: if you're on a Mac, you can resume your regularly scheduled MySpace obsession).

Yesterday, MySpace's chief security officer Hemanshu Nigam contacted Apple to request a fix to plug the hole, even though it was a flaw of MySpace in combination with a legit feature of QuickTime that caused all the damage. Apple is reportedly working on a fix, but for now the two companies have ironed out some workarounds, such as blocking all the phishing URLs and scrubbing their network for compromised profiles.

On a side note: what exactly does one gain from harvesting MySpace account logins? Wouldn't oh, say, credit card numbers be a little more productive? I know there's a lot of kids out there who bank on whether they're in some people's top 8 spaces, but I'm still having a hard time seeing how or why phishers would deal in the same currency.

Thanks Daniel

This week's podcast involves Dan Pourhadi and the C4 developer shindig he attended, those exclusive Leopard screenshots we nabbed, iPod viruses and the corporate blame game, and we round off with Apple's preliminary 4th quarter earnings results. Dan and I kept things short this time around, as the podcast rounds off at just over 20 minutes and 18.6MB.

As usual, you can grab the podcast via a direct link, our podcast RSS feed or in the iTunes Store podcast directory. Enjoy the show.

Update: It seems there's a bug in our iTS feed preventing from getting this latest episode, though our other links for accessing the podcast are working just fine. We'll keep you posted.

Well, here's something you don't see very often. Symantec has issued an update that offers protection agains OSX.Leap.A, the Mac Trojan Horse that we wrote about earlier. They classify it as a "level 1" on a scale of 1 to 5, so there's no need to slip into panic  mode. It seems to be PPC only, so you lucky Mactel owners have nothing to worry about. Carry on.