
Filed under: Security

Filed under: Cool tools, Security, Snow Leopard

1Password 3 Beta brings a sweet new interface and Snow Leopard support

Most of us have really crappy, insecure passwords. Sure, we tack a couple of numbers or punctuation characters at the end of our cat's name, but that's a far cry from secure -- especially since we also have the equally nasty habit of using the same password on every single site/service/machine/device with which we have regular contact. We're not just asking for trouble, we're offering it a delectable stolen identity sandwich.

As most of us Mac folks know, a solution exists and it's called 1Password. If you've owned your Mac for more than an hour or so, chances are pretty good that you've been admonished to acquire this lovely app (maybe even by more than one person). Several of us at TUAW are big fans of 1Password, and today our pointy party hats are standing taller than ever thanks to the opening of the public beta for 1Password 3.

This new version brings with it a massive list of changes, improvements and new features -- a couple of which have helped me to realize the dream of being able to utilize 1Password data on OSes other than OS X. You see, like many other Mac enthusiasts, I use Windows at work. Obviously, this precludes me from fully embracing Mac-only software like 1Password, but thanks to a brand new feature called 1Password Anywhere, my pain is dulled.

1Password Anywhere allows you to take your 1Password data and open it using any modern web browser. I've tested this with Chrome, Firefox and IE under Windows XP and they all work wonderfully. Your data is still absolutely secure and stored behind the same master password that protects the data in 1Password proper. They didn't spare any detail, either -- 1Password Anywhere looks and feels remarkably similar to the native OS X application. The data is read-only in your browser, but being able to easily look up the strong passwords and paste them is worth the admission price. The truly enlightened will see the application of a service like Dropbox here -- just move your keychain file into your Dropbox and your passwords are now with you wherever you go.


Filed under: Odds and ends, Security, MobileMe

Add Apple's free Backup.app to your backup toolbox

When most people think about Apple and backups they probably think about Time Machine or perhaps even Time Capsule. But Apple has a lesser-known application which you might consider using.

The app, simply named Backup, was originally available only to .Mac users, but is now openly available on Apple's website. It lists "MobileMe account" as one of its requirements. If you do not have a MobileMe account, each backup is limited to 100 MB. The good news is that for what I am suggesting, 100 MB will be completely sufficient for most people. Follow along as I use Backup to create a complete and scheduled backup of personal data and settings on my Mac.

First, install and launch the application. Choose Plan > New Plan from the menu.

If you have a MobileMe account, choose the "Personal Data & Settings" option (second from the top), click the "Choose Plan" button, and then skip the next paragraph.


Filed under: Bad Apple, Security, .Mac, MobileMe

MobileMe mixup: Address book snafu exposes personal data to strangers?

Face it: your address book and your contacts, they're personal. They reveal a lot about you: your friends, your business partners, your cake buying proclivities, and more. The address book you see at the top of this post appears to be for someone in the Denver area. I know that because of the REI Denver listing and Le Bakery Sensual on 6th, which I drive by whenever I head East from Broadway.

These contacts, along with their notes, their phone numbers, dates of birth, and other information say a lot about the person whose address book this is, and also about the people who appear in that contact list, with all their personal and professional info.

There's one big problem. The screen shot you see wasn't made by the person who owns this me.com account. Under certain very specific conditions, Apple is inadvertently sharing data from other people's accounts. Ouch.

A TUAW reader sent us a video made as he renewed his me.com account from the UK. The address book data he accessed during that time included this Denver-based set shown here, as well as data from an Ireland-based user of Polish descent (all his contacts were back in Poland although his business was based in Ireland).

This all went down during the period when his MobileMe account was renewing. Each time he logged off and back on, he was presented with yet another set of contacts--none of them his. He writes, "Each time I logged off and on I got a different address book. All the other options were disabled (because my renewal was being processed) but clicking the Contacts icon showed me *an* address book," just not his address book.

With a little Internet-fu, he checked out some of the numbers and found that they were valid and operational. This leads him to believe that this is real data. My inspection of the local Denver data from his screen shots convinces me of the same. Further inspection of work addresses and personal family names makes us believe we know whose Denver-based address book this is. We've attempted to contact this person but as yet have not heard back.

The address book glitch ended once the registration process finished, leaving our TUAW reader with a series of screen shots and videos and a deep concern about Apple's ability to safeguard personal data. He's already contacted Apple about the bug. "I contacted them by two means: their web-chat thing, where they told me that they 'had no reports of such an issue'. They suggested closing and reopening Safari (helpful, eh?), and a generic autoresponse saying they'd reply within 5 days when I sent an email." He adds, "I don't think the people manning the help desk appreciated the seriousness of the situation."

TUAW has sent a heads-up to Apple and will keep monitoring the situation to see how it develops.

Filed under: Software Update, Security

Apple fixes security issues with Security Update 2009-005 for Leopard and Tiger

Appearing alongside the Mac OS X 10.6.1 update, Apple released another update today: Security Update 2009-005 is out for users of Leopard and Tiger. This update patches several vulnerabilities, including the security issue with Flash that was also part of Mac OS X 10.6.1.

It's available now through Software Update and is applicable for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Filed under: OS, Bugs/Recalls, Bad Apple, Security, Found Footage, Snow Leopard

Snow Leopard: Apple ships old, security-compromised Flash plugin with new OS

It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.

Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.

It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.

[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]

Thanks to everyone who sent this in.

Filed under: Security, Snow Leopard

Malware detection coming in Snow Leopard?

We usually look at news updates and blog posts from antivirus vendor Intego with a bit of a gimlet eye, since the company has been known to spread a little bit of that good old FUD when it comes to the everyday risk of malware faced by most Mac users (that is to say, pretty much none). Today, however, the Intego blog pointed out an unheralded feature of the forthcoming Mac OS X 10.6 Snow Leopard update: some basic malware checking built into the operating system, reported by users of the beta version.

As the post notes (and sites such as The Register and ZDnet corroborate), when a problematic DMG is downloaded or mounted -- containing one of two known malware components -- the Finder throws the alert pictured above, warning the user not to install the software in question and to throw away the disk image. While this is a nice touch for the two security risks in question, The Register notes that the filter appears to only catch files downloaded through some of the more common apps (Mail.app, Entourage, Safari, Firefox and iChat among them) but not files copied over from removable media. It doesn't cover the wider gamut of threats out there, nor would it detect or block Windows malware that a Mac user could unwittingly transmit; for all of those scenarios, a true AV app (paid or free) is what the doctor ordered.

You can keep up with all the latest Snow Leopard news via our category page.

Filed under: Software Update, Security

Apple releases Security Update 2009-004

Amidst the Safari and AirPort updates yesterday, Apple has released yet another update today, Security Update 2009-004. This update patches a single vulnerability affecting the BIND DNS server. It's available now through Software Update or Apple's support downloads page, and is available to download for Mac OS X Leopard, Tiger (PPC and Intel) and Tiger Server (PPC and Universal).

Filed under: Hacks, Bugs/Recalls, Software Update, Security, iPhone

Did we say Saturday? iPhone OS 3.0.1 out now to block SMS exploit

Maybe it's already Saturday in the UK, or close to it: Apple has released iPhone OS 3.0.1 for iPhone, iPhone 3G & 3GS, an update that patches the phone to prevent bad actors from taking it over or taking it down with the just-demoed SMS exploit.

The update weighs in at close to 300 MB [corrected from: about 230 MB] (like all iPhone updates, it's a full image of the OS), and as far as we can tell there are no other fixes or tweaks; just the privilege of continuing to use your iPhone in peace and security.

Update with care, and let us know in the comments how the update works for you!

14:30 ET: Apple's security mailing list just delivered the notes for 3.0.1, they are reproduced in the 2nd half of this post. Also worth noting that the SMS exploit is not endemic to the iPhone alone; both Android and Windows Mobile platforms can be attacked with similar techniques, although Google tells BW that the issue on Android phones is now fixed (presumably through carrier action on T-Mobile's side, not confirmed though).


Filed under: Apple, Security, iPhone

O2: SMS security flaw on iPhone to be patched Saturday

Yesterday's news from the Black Hat Technical Security Conference in Las Vegas about the SMS security flaw affecting iPhone, Android, and Windows Mobile smartphones was a bit unnerving. Through skillful manipulation of SMS messages, an attacker could gain control of a smartphone.

BBC News reports that UK mobile provider O2 has received word from Apple about a patch for the security flaw on the iPhone. The patch, in the form of a software update, will be available Saturday, August 1, 2009. As with all updates to the iPhone, the security patch will appear in iTunes.

Considering the potential for mischief on the part of hackers, it is entirely possible that AT&T, O2, and other carriers will notify their customers of the availability of the update. Whether or not that message will come through SMS remains to be seen.

Be sure to keep an eye on TUAW or our Twitter feed (http://twitter.com/tuaw) tomorrow and we'll notify you as soon as the patch makes an appearance.

UPDATE: iPhone OS 3.0.1 is now available for download from iTunes. 297.9 MB in size.

Filed under: Security, iPhone

Security researchers to unveil iPhone SMS vulnerability later today

Two security researchers, Charlie Miller and Collin Mulliner, have discovered a serious security vulnerability affecting SMS messaging on the iPhone that will be unveiled later today at the Black Hat security conference in Las Vegas. This flaw affects all iPhones and can allow an attacker to gain complete control of an iPhone, including the ability to make calls, browse the web and access the camera. The exploit relies on a memory-corruption bug in the iPhone's SMS handling and is triggered by sending a burst of text messages containing an uncommon text character, or by sending a hidden message.

So far, Apple has been rumored to have a fix in the works, but there's been no confirmation yet when it will be available. The researchers also say that there's nothing you can do to protect your iPhone from this vulnerability, other than to turn off the phone. More details on this issue will be discussed later today at Black Hat, hopefully outlining a path to fix this issue.

Meanwhile, the two researchers have already demonstrated this flaw in action to CNET's Elinor Mills, proving its existence and the extent of the threat.

We'll be providing more coverage on this issue once it's unveiled, so stay tuned to TUAW.

Filed under: Apple, Security

Apple Learning Interchange: Security Compromise

Apple is apparently alerting ALI forum members that Learning Interchange account passwords have been compromised. In a message forwarded to us by several TUAW readers, Apple warns that members who commonly use the same credentials on multiple sites may be at risk. If you are an ALI account user, please consider updating any accounts that use identical credentials. Here is the Apple quote that was sent to us.

We recently learned that the security of Apple Learning Interchange (ALI) members' names and passwords may have been compromised. These accounts are limited to accessing the ALI discussion board and do not contain sensitive information such as credit card or social security numbers.

While ALI member names and passwords are not linked to your Apple ID, our records indicate that your ALI member name and Apple ID are the same. For this reason we strongly recommend that you change your Apple ID password as well as any others that might have the same name and password combination.

At the time of posting, the ALI site (also linked to in the Source link) is unavailable. We do not have confirmation from Apple about this situation, although we have contacted them for a statement.

Filed under: Tips and tricks, Internet, Security, TUAW Tips

Staying Safe: securing your wireless connection

Recently, we reported on AT&T's push to make it easier for iPhone & iPod touch users to connect to their Wi-Fi Hot Spots. One of our readers, Jamie Phelps, pointed out on his blog that AT&T's Wi-Fi service is not actually a "secure connection," as is advertised in various places on their website; we had overlooked this, and mistakenly reinforced the company's shaky claim in our post.

This brings to light an important point about wireless networks and security, however. It's really easy (and sadly all too common) to hop on to an available wireless signal in your office, at the hotel, or your favorite coffee spot and not even think twice about logging in to your e-mail or checking your bank balance.

What many users don't realize is even though the server you are connecting to (i.e. your bank's website) may employ several layers of security, the connection between your computer and the wireless access point is very likely to be unsecured. Anyone who is within range of your computer can trivially monitor the traffic being sent between your computer and the access point, allowing them to see what websites you may be visiting or capture details about other services that you may be connected to. This isn't because of some gaping vulnerability or software bug, it's just an inherent part of how wireless networks work.

So, what can you do to protect yourself? Read on for a list of simple steps you can take to ensure that your wireless connection is safe and secure.


Filed under: Accessories, Peripherals, Internet Tools, Security

Pogoplug adds journaled HFS+ support

When I wrote about Pogoplug earlier this month, journaled HFS+ support was missing in action. That was a shame, since it's the most common drive format for Mac users.

Pogoplug is a network drive adapter coupled with a web service that allows you to access a personal drive from anywhere on the Internet without having to worry about firewalls and other security issues. You plug a drive into the Pogoplug, connect the unit to power, and you can securely access that data no matter where you are, from your laptop, another computer, or from an iPhone.

Today, Pogoplug has announced support for journaled HFS+ formatted drives. You can now plug in almost any drive formatted for use on the Mac and it'll work with Pogoplug. That's great, because the last few times I dredged up Disk Utility (from /Applications/Utilities), it was to re-format drives to use with the Pogoplug system. (You can also turn off journaling from the Terminal, if you're so inclined, via the 'diskutil' command.)

What's particularly cool is that Pogoplug is currently working on developing remote backup assistance. They don't support Time Capsule yet, but the Pogoplug developers say they're working on having "the Pogoplug play nice with [Time Capsule and other remote storage devices] and allow our users to back up to their home drives automatically and regularly."

Being able to set up off-site backup drives with just a simple plug-and-go sounds like an awesome business opportunity for anyone with a central router and a whole bunch of USB hubs. But even if you're setting up your off-site backup at your sister-in-law's ("Sure, go ahead and plug in that...um...thing. Can I take it out if I need to vacuum?"), that's a fine way to keep your backups physically remote from your primary computing space. At just $99 plus the cost of a hard drive (the lifetime service is included free), it's a bargain.

Filed under: Security, iPhone

Is voice dialing a security issue?

One of our readers has pointed out that even if you use a password lock on the new iPhone 3G S the voice dialing functions still work.

It's true. With the phone locked down you can still hold down the home key, and voice dial someone in your contacts list. Some will consider this a feature, and others a bug. If I wanted to make a quick call, it seems it would be nice to bypass the log in. If a thief had your iPhone, he'd have to know the name of someone in your contacts to call them, or just try a lot of guesses.

Then there is the matter of why a criminal would want to call someone on your contact list. "Hi Bob, I just stole this iPhone. Pretty neat, huh?"

If this issue does bother you, Apple has thoughtfully given you the ability to turn voice dialing off, and when you try it with the phone locked the computer voice dutifully warns you that voice dialing is non-functional.

You can't, by the way, turn off iPod voice control. So anyone could pick up your locked iPhone and say "play songs by Tiny Tim", wearing down your battery and offending everyone around them.

Thanks to Mike for pointing this out, but I don't think it's a big issue. Have I missed something? Weigh in with your thoughts.

Filed under: Security, iPod touch

3.0 is here, but where's the free security update for iPod touch 2.x?

TUAW reader Jim Carroll is worried: "It is crunch time for your site," he warned ominously in an email yesterday.

Jim is worried that security updates made available via the iPhone OS 3.0 updates last week will only be available to iPod touch users through the obligatory $10 upgrade. "Please use your power as an Apple site to raise the issue." Please, Jim. We're blushing.

"As a long time computer user I am unaware of a similar incident where a company would charge for security updates," he writes. Companies charge money for updates all the time -- operating systems and anti-virus software take time and energy to make, and companies want to get their investment back. Apple has been kind with free updates to Safari, but only because they gain revenue from it via the Search bar.

Apple has always charged iPod touch users for major updates, of course, but security updates have most often come free. 1.0.1, 1.1.2, 1.1.3, 1.1.5, 2.1, and 2.2 all included security fixes, but were free to iPod touch users. (The latter two cases were free for those who bought the 2.0 update.)

1.1.5 is an interesting case. It was released a few days after the 2.0 update, and included security updates that were wrapped into the 2.0 update.

My advice? Have patience. This coming week or next, I have confidence we'll see an update for 2.x (2.2.2 perhaps?) that leaves out the new features, but includes the same security updates found in 3.0 at about $9.95 less.

We're also beginning to hear whispers of a 3.0.1 update for the device to help resolve WiFi issues in the new release; a German iPod user reports being told by an AppleCare representative that an update is expected shortly. Take that with the appropriately sized grain of salt.

Thanks, Jim & Oboewan!
