Posts

After “Mother of All Breaches,” Update Passwords on Compromised Sites

/in /by

January’s big security news was the Mother of All Breaches, the release of a massive database containing 26 billion records built from previous breaches across numerous websites, including Adobe, Dropbox, LinkedIn, and Twitter. It’s unclear how much of the leaked data is new, but it’s a good reminder to update your passwords for accounts on compromised sites, especially those you reused on another site. Cybernews has a leak checker that reports which breached sites include your data. More generally, password managers often have a feature that checks your passwords against the Have I Been Pwned database of breaches and helps you change compromised passwords—1Password’s is called Watchtower, shown below. You can also search Have I Been Pwned directly. Don’t panic if your email address appears in numerous breaches because some of the theoretically compromised accounts may be defunct sites, trivial sites you used once 10 years ago, or duplicate password manager entries for a site whose password you already updated.

(Featured image by iStock.com/Prae_Studio)

Social Media: Worried about the “Mother of All Breaches” that has been making the rounds in security news? We share a leak checker that can tell you if your email address was involved and recommend that you update any compromised passwords.

Use iOS 17.3’s Stolen Device Protection to Reduce Harm from iPhone Passcode Thefts

/in /by

Last year, a series of articles by Wall Street Journal reporters Joanna Stern and Nicole Nguyen highlighted a troubling form of crime targeting iPhone users. A thief would discover the victim’s iPhone passcode, swipe the iPhone, and run. With just the passcode, the thief could quickly change the victim’s Apple ID password, lock them out of their iCloud account, and use apps and data on the iPhone to steal money, buy things, and wreak digital havoc.

In essence, Apple allowed the passcode, which could be determined by shoulder surfing, surreptitious filming, or social engineering, to be too powerful, and criminals took advantage of the vulnerability. It’s best to use Face ID or Touch ID, especially in public, but some people continue to rely solely on the passcode.

Apple has now addressed the problem for iPhone users with the new Stolen Device Protection feature in iOS 17.3. It protects critical security and financial actions by requiring biometric authentication—Face ID or Touch ID—when you’re not in a familiar location like home or work. The most critical actions also trigger an hour-long security delay before a second biometric authentication. We recommend everyone who uses Face ID and Touch ID turn on Stolen Device Protection. The feature is not available for the iPad or Mac, but neither is as likely to be used in places like the crowded bars where many iPhones have been snatched.

How Stolen Device Protection Works

The location aspect of Stolen Device Protection is key. When you’re in a “significant location,” a place your iPhone has determined you frequent, you can do everything related to security and financial details just as you have been able to in the past, including using the passcode as an alternative or fallback.

However, when you’re in an unfamiliar location, as you would likely be if you were out in public where someone might steal your iPhone, Stolen Device Protection requires biometric authentication to:

  • Use passwords or passkeys saved in Keychain
  • Use payment methods saved in Safari (autofill)
  • Turn off Lost Mode
  • Erase all content and settings
  • Apply for a new Apple Card
  • View an Apple Card virtual card number
  • Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
  • Use your iPhone to set up a new device (for example, Quick Start)

Some actions have even more serious consequences, so for them, Stolen Device Protection requires biometric authentication, an hour security delay—shown with a countdown timer—and then a second biometric authentication. The delay reduces the chances of an attacker forcing you to authenticate with the threat of violence. You’ll need to go through the double authentication plus delay when you want to:

  • Change your Apple ID password (Apple notes this may prevent the location of your devices from appearing on iCloud.com for a while)
  • Sign out of your Apple ID
  • Update Apple ID account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
  • Add or remove Face ID or Touch ID
  • Change your iPhone passcode
  • Reset All Settings
  • Turn off Find My
  • Turn off Stolen Device Protection

There are a few caveats to keep in mind:

  • The iPhone passcode still works for purchases made with Apple Pay, so a thief could steal your passcode and iPhone and buy things.
  • Although Apple says it’s required, you can turn off Significant Locations to require the extra biometric authentication and security delay everywhere. That would eliminate the worry about a thief using Significant Locations to go to your most recent familiar spot in an attempt to sidestep the extra authentication.
  • If you plan to sell, give away, or trade in your iPhone, make sure to turn off Stolen Device Protection first. Once it’s out of your physical control, no one else will be able to reset it.

Turn On Stolen Device Protection

Before you get started, note that Apple says you must be using two-factor authentication for your Apple ID (everyone should be anyway), have a passcode set up for your iPhone (ditto), turn on Face ID or Touch ID, enable Find My, and turn on Significant Locations (Settings > Privacy & Security > Location Services > System Services > Significant Locations), although this last one doesn’t actually seem to be required.

Then, go to Settings > Face ID/Touch ID & Passcode, enter your passcode, and tap Turn On Protection. (If it’s enabled, tap Turn Off Protection to remove its additional safeguards.)

Once Stolen Device Protection is on and you’re in an unfamiliar location, the actions listed above will require either biometric authentication or two biometric authentications separated by the hour-long security delay.

There is one group of people who should not turn on Stolen Device Protection: those for whom Face ID or Touch ID don’t work. Most people have no trouble with Apple’s biometric technologies, but some people have worn off their fingerprints or have other physical features that confuse Touch ID or, less commonly, Face ID.

If that’s you, stick with our general recommendation for discouraging possible iPhone thefts: Never enter your iPhone passcode in public where it could be observed.

(Featured image by iStock.com/AntonioGuillem)

Social Media: In iOS 17.3, Apple has introduced Stolen Device Protection to discourage iPhone thefts enabled by a revealed passcode. It requires additional biometric authentication, and we recommend that everyone who uses Face ID or Touch ID enable it.

Forget Your Just-Changed Passcode? iOS 17’s Passcode Reset Has Your Back

/in /by

The hardest time to remember your iPhone or iPad passcode is right after you’ve changed it. Generally speaking, there’s no reason to change your passcode, but if you inadvertently or intentionally shared it with someone with whom you wouldn’t trust your bank account information, changing it to something new is a good idea. We could also imagine a child who knows your passcode changing it on you as a prank. For whatever reason, if you can’t enter your new passcode, a new iOS 17 feature called Passcode Reset lets you use your old one for 72 hours. Once you’ve tried the wrong passcode five times, tap Forgot Passcode , enter your old passcode , and create a new one . If you’re certain you know the new one, you can expire the old one sooner in Settings > Face ID/Touch ID & Passcode.

(Featured image by iStock.com/NazariyKarkhut)

Social Media: If you change your passcode and can’t remember it (or it was changed for you by a prankster), iOS 17 lets you use your old passcode for 72 hours. It’s a helpful backstop for the results of a memory lapse or mischievous child.

Faster Copying of Two-Factor Authentication Codes from Messages

/in /by

One welcome feature of Safari is its automatic detection and auto-filling of SMS-based two-factor authentication codes you receive in Messages. It allows you to complete your login quickly, without having to retrieve the code from Messages. But what if you use a different Web browser, like Google Chrome, Firefox, Brave, or Arc? Apple doesn’t allow other developers access to those codes in Messages, but Messages itself recognizes the verification code, marking it with an underline. Rather than transcribing the code manually like an animal, you can Control-click the underlined numbers and choose Copy Code. Then, switch to your Web browser and press Command-V to paste it. Not all websites accept pasted codes, but most will, even if they present a custom interface.

(Featured image by iStock.com/Galeanu Mihai)

Social Media: Need to enter SMS-initiated two-factor authentication codes manually in Web browsers other than Safari? Try this hidden trick for quickly copying and pasting them instead of retyping all those numbers.

Stay Alert! Voice Phishing Used in Recent Ransomware Attacks

/in /by

All it took for MGM Resorts International to be compromised with ransomware was a quick phone call, which some now call “voice phishing” or “vishing.” An attacker using LinkedIn information to pose as an employee asked MGM’s help desk for a password change, after which they were able to install ransomware. MGM is now up to $52 million in lost revenues and counting. Two takeaways. First, if you call support for a manual password reset, expect to be asked for a lot of verification, such as a video call where you show your driver’s license. Second, if you receive a call at work from an unknown person asking you to do anything involving money or account credentials, hang up, verify their identity and authorization, and proceed accordingly only if they check out.

(Images by iStock.com/1550539 and HT Ganzo)

Social Media: Phishing isn’t limited to email and texts anymore—“voice phishing” or “vishing” was used recently in a major ransomware attack on MGM Resorts. The rise in such attacks means that requests over the phone will need much more verification.

Beware Executive Imposter Scams Aimed at New Employees

/in /by

We’re hearing about new hires who receive an email or text from someone claiming to be the CEO of their new company, asking the employee to carry out some small task like sharing personal information, purchasing a gift card for a client, or wiring funds to another business. The new employee, eager to make a good impression and lacking the context of what’s reasonable, is tempted to do as asked. (The scammers seemingly gather the necessary information by scraping LinkedIn for job changes and corporate titles, then cross-referencing with email addresses and phone numbers stolen in data breaches.) To reduce the chances of such a scam succeeding, train new employees during onboarding not to trust unsolicited messages from unfamiliar addresses or numbers, be wary of unusual requests, and check with a trusted source within the company before replying in any way.

(Featured image by iStock.com/Ton Photograph)

Social Media: We’re seeing an uptick in scam emails and texts to new hires purporting to be from corporate executives. The best defense is awareness, so we recommend adding security training to your onboarding process.

Pay Attention to Unsolicited Facebook Password Reset Messages

/in /by

We’ve seen an uptick in attacks on Facebook accounts that generate email messages like the one below. It’s saying someone is attempting to reset your Facebook password in order to access your account. If you didn’t ask to reset your Facebook password within the past 5 minutes, do not enter the provided code! In fact, do nothing with a message like this, since you can’t easily tell if it’s a legitimate message from Facebook or a phishing attack. As long as your email account hasn’t been compromised, you have nothing to worry about, but consider any such messages as encouragement to have strong, unique passwords for your email account and any social media services. Also, we highly recommend turning on two-factor authentication for these accounts. Of course, if you get a second message saying that your password was reset, immediately secure your account.

(Featured image by iStock.com/Nicholas77)

Social Media: If you receive unexpected password reset email messages from Facebook, don’t worry—but don’t click anything! Use them as encouragement to ensure your email and social media passwords are strong, unique, and protected with two-factor authentication.

Apple Starts Releasing Rapid Security Responses for the iPhone, iPad, and Mac

/in /by

By now, you’ve probably seen a new form of update for iOS, iPadOS, and macOS: the Rapid Security Response. Early in May, Apple released the first instances of these updates, which the company had promised for iOS 16, iPadOS 16, and macOS 13 Ventura when those operating systems were first announced. Let’s answer some of the questions we’ve been hearing.

What are Rapid Security Responses?

Rapid Security Responses are security updates that Apple wants to distribute as quickly and broadly as possible. Users often delay installing standard operating system updates because they’re huge downloads, interrupt work for a long time while installing, and occasionally cause new problems.

To address these concerns, Rapid Security Responses are much smaller, install far more quickly (sometimes without a restart), and can easily be removed if they cause problems.

What security vulnerabilities do Rapid Security Responses address?

Apple released no security notes for its first set of Rapid Security Responses, and we don’t anticipate that changing for future releases. The point of a Rapid Security Response is to block a serious vulnerability that’s likely being exploited in the wild, and Apple doesn’t describe such fixes until it has patched vulnerable operating systems, including older versions, tvOS, and watchOS, none of which can take advantage of Rapid Security Responses. If this last set of updates is any indication, Apple will identify the Rapid Security Response fixes in security notes for the next full operating system update, which will also include the same fixes.

How do I install a Rapid Security Response?

Rapid Security Responses use the same software update mechanism as Apple’s other operating system updates. You can and generally should let Rapid Security Responses install automatically. That’s the default, but check to make sure.

  • iOS/iPadOS: Go to Settings > General > Software Update > Automatic Updates, and look at “Security Responses & System Files.”
  • macOS: Go to System Settings > General > Software Update, and click the ⓘ next to Automatic Updates. Then look at “Install Security Responses and system files.”

On recent iPhones and Macs, the installation time was quick, with the device being ready to use again within 2–4 minutes, including a restart. Older devices took longer, and future Rapid Security Responses may take more or less time.

How can I revert if a Rapid Security Response causes a problem?

Apple makes this easy in both iOS/iPadOS and macOS, with the amount of time being roughly similar to how long the Rapid Security Response took to install:

  • iOS/iPadOS: Go to Settings > General > About > iOS/iPadOS Version, tap Remove Security Response, and confirm the action.
  • macOS: Go to System Settings > General > About, click the ⓘ next to the macOS version, click Remove & Restart, and confirm the action.

How can I tell if I’m running a Rapid Security Response?

With this first Rapid Security Response, iOS and iPadOS both posted a notification informing the user of the update; macOS did not.

More generally, devices updated with a Rapid Security Response will have a letter after their version number, such as 16.4.1 (a), and the letter will disappear with the next full update, such as iOS 16.5. To determine what version your devices are running:

  • iOS/iPadOS: Go to Settings > General > About, and look at the iOS/iPadOS Version line.
  • macOS: Choose About This Mac from the Apple menu, and look at the macOS line.

Given what we know now, we recommend that everyone install Rapid Security Responses as soon as they’re available. If you notice a problem afterward, you can remove it. The only caveat is that if your employer manages your device, they may prefer to delay the Rapid Security Response installation until they’re comfortable with the changes.

(Featured image by iStock.com/champpixs)

Social Media: In an effort to protect users from security vulnerabilities that are being actively exploited, Apple has introduced Rapid Security Responses, which are security updates that are quick to download, quick to install, and easily removed if necessary.

Make Sure to Back Up iPhone Photos on Your Mac

/in /by

If your iPhone were to be stolen or suffer an unfortunate accident, would you lose all your precious photos? Those using iCloud Photos are probably shaking their heads smugly, thinking that all those baby and vacation photos are backed up securely in iCloud. iCloud Photos does indeed store a copy of all your photos, but you shouldn’t assume that everything in it is completely protected. Although it’s extremely unlikely that Apple’s systems would fail so that you’d lose anything, the contents of your iCloud account aren’t as safe as would be ideal.

An Aside to Explain Why iCloud Isn’t Perfectly Secure

Recently, Wall Street Journal reporters Joanna Stern and Nicole Nguyen covered a troubling form of crime aimed at iPhone users in an article (paywalled) and accompanying video. Thieves hang out in bars, looking for users who tap in their passcodes instead of using Face ID or Touch ID. Once they’ve learned someone’s passcode with surreptitious shoulder surfing, they grab the iPhone and run. As soon as they’re clear, they use the passcode to change the user’s Apple ID password and enable or reset a recovery key, which prevents the user from employing Find My to locate and lock the iPhone. Worse, with the passcode, they can make purchases with Apple Pay, access all passwords in iCloud Keychain, and use other information on the iPhone to facilitate identity theft. It’s a disaster.

But it gets worse, as the reporters detail in a new Wall Street Journal article (paywalled) and video. By enabling a recovery key, the thief disables Apple’s normal account recovery process for resetting the Apple ID password. In other words, if this were to happen to you, along with all the financial losses and headaches, you would lose access to your iCloud account, possibly forever, and with it, all your photos in iCloud. With luck, Apple will block this attack soon.

For now, follow this commonsense advice to reduce the chances of being victimized:

  • Pay attention to your iPhone’s physical security in public.
  • Always use Face ID or Touch ID in public.
  • If you must enter your passcode in public, conceal it from anyone nearby.
  • Never share your passcode beyond highly trusted family members.

Backing Up Your iPhone Photos

As with so many other modern ills, good backups go a long way toward minimizing the pain of problems. They won’t prevent someone from stealing your iPhone or locking you out of your account, but if that were to happen, at least you won’t lose all your photos!

There are two possible backup scenarios. Using iCloud Photos and downloading originals to your Mac is easiest but requires that you pay Apple for more storage if you have more than a handful of photos. If you don’t use iCloud Photos, you can just back up your iPhone to your Mac or, better yet, import images into Photos on the Mac and then sync them back. It’s more work and fussier, but doesn’t cost anything.

  • iCloud Photos: When using iCloud Photos, the trick to protecting your pictures is to sync the originals with your Mac. In Photos > Settings/Preferences > iCloud, select Download Originals to this Mac. The only downside of this approach is that you need enough disk space on your Mac to hold them all; if that’s not the case, you may need to move your system Photos Library to an external hard drive.
  • iPhone-only photos: If you aren’t using iCloud Photos, the best approach is to connect your iPhone to your Mac using a USB-to-Lightning cable or Wi-Fi and then import new snapshots into Photos on your Mac manually (select the iPhone in the Photos sidebar). It’s helpful to remove the original photos from the iPhone with the Delete Items checkbox after importing so you can manage them solely on the Mac.

    Then you can sync all the photos (or just desired ones, if your iPhone is low on space) back to your iPhone using the Finder. First, select the iPhone in a Finder window’s sidebar. Then click Photos in the button bar at the top, and select “Sync photos to your device from Photos” along with “All photos and albums” and “Include videos” in the options below. Finally, click Apply or Sync.

    Technically speaking, backing up your iPhone to your Mac without syncing to Photos also backs up your photos, but the only way to get them back is to restore a backup onto an iPhone. It’s much better to have all the photos accessible in Photos too.

Either way, once the photos are on your Mac, you should back up all your data using Time Machine, an Internet service like Backblaze, or a third-party app like Carbon Copy Cloner or SuperDuper. If you’re concerned about the quality of your backups for preserving photos, contact us for advice.

(Featured image by iStock.com/metamorworks)

Social Media: With new reports of iPhone theft victims being locked out of their iCloud accounts, it’s all the more important that you copy your iPhone photos to a Mac and then back up that Mac.

Is Your Wi-Fi Network a Security Risk?

/in /by

With Wi-Fi security, it’s easy to fall into the “out of sight, out of mind” trap. Your Wi-Fi router probably lives in a corner or closet, and of course, Wi-Fi’s radio waves are invisible. But the ease of connecting your devices to your Wi-Fi network means it’s equally as easy for a hacker to connect to your network and eavesdrop on your traffic. Or rather, it’s easy unless you take advantage of the security options available in every Wi-Fi router.

Before looking at those options, let’s discuss the importance of securing your wireless network. The fact is, we all send sensitive data over Wi-Fi and onto the Internet. That data includes passwords, financial information, and personal details, all of which could be used for identity or outright theft. For those who work at home, it may also include important corporate credentials and information. In addition, if your Wi-Fi network is open for everyone and has a bandwidth cap, you could be throttled or incur additional charges due to extra usage from someone using your network without your knowledge. Worse, someone could engage in illegal activity from your network, potentially putting you at legal risk.

Here are six ways you should secure your Wi-Fi network, plus another that’s usually not worth the effort. Exactly how you go about these tasks varies depending on your Wi-Fi router, but they should all be easy to accomplish.

1. Change Your Wi-Fi Router’s Default Password

Every Wi-Fi router has an app- or Web-based administrative interface where you can adjust settings, including security options. The first thing you should do when setting up a new Wi-Fi router is change the password for accessing that admin interface. (And if you didn’t do that when you set up your current Wi-Fi router, go do it now. Immediately. We’ll wait.) The default passwords are well known to hackers, who can use them to take over routers and turn off all the other security settings.

2. Change the Default Network Name (SSID)

Every Wi-Fi network has a name—technically an SSID, or Service Set Identifier. There’s no security benefit in changing it to anything in particular, but you should change it from the default name. That’s because default names often identify the router’s manufacturer, such as “Netgear” or “Linksys,” and some routers have known vulnerabilities or password styles that make it easier to break in. Of course, the main advantage of changing the network name is that it makes it easier to pick out from any other nearby networks.

3. Update Your Wi-Fi Router’s Firmware

Wi-Fi router manufacturers frequently fix security vulnerabilities and release new firmware versions. Check to make sure your Wi-Fi router has the latest firmware available, and if there’s an option for it to update its firmware automatically, turn that on.

4. Disable WPS (Wi-Fi Protected Setup) If Possible

When you connect a new device to your Wi-Fi network, you need to enter your Wi-Fi password. That’s entirely reasonable, and Apple devices automatically offer to share that password with your other Apple devices and other people in your Contacts. More generally, a technology called Wi-Fi Protected Setup (WPS) was designed to enable connecting without typing the Wi-Fi password, either by entering an 8-digit PIN or pressing a button on the router. The button is fine—no one can connect without physical access to the router. But the PIN is horribly insecure and can be brute forced with readily available cracking software. If your router supports WPS—not all do, happily—turn it off entirely.

5. Create a Guest Network

You’ll probably want to give visitors access to your Wi-Fi network so they can get to the Internet. The best way to do that is to create a guest network—a feature in nearly all Wi-Fi routers—separate from your main Wi-Fi network. It has a different name and password, and its traffic is isolated from yours, ensuring that even if a hacker were to access it, they wouldn’t be able to eavesdrop on your communications. It can have a simpler password since all it’s protecting is your bandwidth. One additional tip—put “Internet of Things” devices like smart appliances, video game consoles, and the like on your guest network to ensure they don’t provide access to your main network’s traffic if they’re hacked. You probably won’t want to do that with HomeKit devices, which will work better on the same network as your Apple devices.

6. Use Strong WPA2 or WPA3 Encryption

After changing the default admin password, this is the second-most important piece of Wi-Fi security advice. All traffic on a Wi-Fi network can (and should) be encrypted so hackers can’t eavesdrop with impunity. The first wireless security protocol was WEP (Wired Equivalent Privacy), which was commonly used from the late 1990s through 2004. Unfortunately, WEP is so easily broken today that it’s no longer considered secure. If you still use WEP, immediately switch to WPA2 (Wi-Fi Protected Access). There’s also WPA3, which is even more secure but is available only in hardware sold in the last few years.

Don’t Bother Hiding Your SSID

Finally, you may see suggestions that you should hide your Wi-Fi SSID, which prevents nearby devices from displaying it when they list available networks. That might seem like it would improve security, but all it does is prevent the sort of people who aren’t a threat anyway from seeing it. Anyone with the necessary software and skills to break into an unprotected or weakly protected Wi-Fi network can still detect and access a hidden network. They might even be more interested in what’s there, given that the network owner took the trouble to hide it. As long as you follow all the other advice in this article, there’s no benefit in hiding the SSID as well.

Bonus Advice: Use a VPN When on Public Wi-Fi Networks

Ensuring the security of your Wi-Fi network is essential, but what about public Wi-Fi networks in coffee shops, hotels, and airports? Because they’re open to anyone within range, they’re insecure by definition, and anyone on the network could theoretically see any other user’s traffic. Don’t panic. Most Web connections now use HTTPS, which encrypts traffic between you and the destination site (look for https at the start of URLs or a lock icon in the address bar of your Web browser). To ensure that all traffic is protected from prying eyes, use a VPN (Virtual Private Network), which creates an encrypted pipe from your computer to a VPN server elsewhere. Many organizations provide or even require VPN use so that traveling or remote employees can’t inadvertently use unencrypted connections. If your organization doesn’t have a VPN now but would like to set one up, contact us.

(Featured image by iStock.com/CASEZY)

Social Media: As more personal and work information passes through Wi-Fi networks, it becomes increasingly important that you follow this advice to secure your network.