
About That Worrying Message Saying Your Password Has Been Breached…

In iOS 14, Apple added a feature that warns you when one of your website passwords stored in iCloud Keychain has appeared in a data breach. We’ve fielded some questions of late from people worrying if the message is legitimate, and if so, what they should do. What has happened is that online criminals have stolen username and password data from a company, and your credentials were included in that data breach. You should indeed change your password immediately, and it’s fine to let the iPhone suggest a strong password for you. Or, if it makes you feel more comfortable, you can usually change the password in Safari on your Mac instead. Either way, make sure it’s unique—never reuse passwords across multiple sites!

(Featured image by iStock.com/LumineImages)

Frequently Asked Questions Surrounding Apple’s Expanded Protections for Children

Apple’s recent announcement that it would soon be releasing two new technologies aimed at protecting children has generated a firestorm of media coverage and questions from customers. Unfortunately, much of the media coverage has been based on misconceptions about how the technology works, abetted by uncharacteristically bungled communications from Apple. It’s not inconceivable that Apple will modify or even drop these technologies in the official release of iOS 15, iPadOS 15, and macOS 12 Monterey, but in the meantime, we can provide answers to the common questions we’ve been hearing.

What exactly did Apple announce?

Two unrelated technologies:

  • Messages will gain features that warn children and their parents when sexually explicit photos are received or sent. Such content will be blurred, the child will be warned and given the option to avoid viewing the image, and parents may be alerted (depending on the age of the child and settings).
  • Photos uploaded by US users to iCloud Photos will be matched—using a complex, privacy-protecting method that Apple has developed—against known illegal photos considered Child Sexual Abuse Material, or CSAM. If a sufficient number of images match, they’re verified by a human reviewer at Apple to be CSAM and then reported to the National Center for Missing and Exploited Children (NCMEC), which works with law enforcement in the US.

Does this mean Apple is scanning all my iPhone photos?

Yes and no. Messages will use machine learning to identify sexually explicit content in received and sent images. That scanning takes place entirely on the iPhone—Apple knows nothing about it, and no data is ever transmitted to or from Apple as a result. It’s much like the kind of scanning that Photos does to identify images that contain cats so you can find them with a search. So scanning is taking place with this Messages feature, but Apple isn’t doing it.

The CSAM detection feature operates only on images uploaded to iCloud Photos. (People who don’t use iCloud Photos aren’t affected by the system at all.) On the device, an algorithm called NeuralHash creates a hash and matches it against an on-device database of hashes for known illegal CSAM. (A hash is a one-way numeric representation that identifies an image—it’s much like how a person’s fingerprint identifies them but can’t be used to re-create that person.) NeuralHash knows nothing about the content of any image—it’s just trying to match one hash against another. In this case, it’s matching against existing image hashes, not scanning for a type of content, and Apple is notified only after enough image hashes match.

It’s also important to note that this is different from how companies like Facebook, Google, and Microsoft scan your photos now. They use machine learning to scan all uploaded photos for CSAM, and if they detect it, they’re legally required to report it to the NCMEC’s CyberTipline, which received 21.7 million CSAM reports from tech companies in 2020, over 20 million from Facebook alone. Because Apple does not scan iCloud Photos in the US like other companies scan their photo services, it made only 265 reports in 2020.

What happens if the CSAM detection feature makes a mistake?

This is called a false positive, and while vanishingly improbable, it’s not mathematically impossible. Apple tested 100,000,000 images against NeuralHash and its CSAM hash database and found 3 false positives. In another test using 500,000 adult pornography images, NeuralHash found no false positives.

Even if NeuralHash does match an image hash with one in the known CSAM hash database, nothing happens. And nothing continues to happen until NeuralHash has matched 30 images. Apple says that the chances of there being 30 false positives for the same account are 1 in 1 trillion.
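The threshold argument above can be checked numerically. The following Python is an added illustration, not code from the article or from Apple's own analysis: it takes the test figures quoted above (3 false matches in 100,000,000 images) as a per-image false-positive rate, assumes a constructed account holding 100,000 photos, and computes how likely it is that 30 or more of them would falsely match. It also generalizes the idea by finding the smallest threshold that pushes an account's false-positive probability below a chosen target; the 1-in-a-trillion figure cited above is Apple's own and comes from Apple's model, which this calculation does not reproduce.

```python
import math

# Figures taken from the article: 3 false positives in 100,000,000 test images,
# and a threshold of 30 matching images before Apple can review anything.
PER_IMAGE_FP_RATE = 3 / 100_000_000
MATCH_THRESHOLD = 30

# Constructed assumption for the illustration: the size of one user's library.
ACCOUNT_PHOTOS = 100_000


def log_binom_pmf(k: int, n: int, p: float) -> float:
    """log P(X = k) for X ~ Binomial(n, p), computed with lgamma so that
    huge binomial coefficients and tiny probabilities do not overflow."""
    return (math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
            + k * math.log(p) + (n - k) * math.log1p(-p))


def prob_at_least(k_min: int, n: int, p: float) -> float:
    """P(X >= k_min) for X ~ Binomial(n, p): the chance that an account with
    n images produces at least k_min false matches. Summed in log space so
    results far below 1e-100 survive in double precision."""
    if k_min <= 0:
        return 1.0
    if k_min > n:
        return 0.0
    # Beyond the mean, successive terms shrink by at least a constant factor,
    # so a window reaching mean + 40 standard deviations + 100 terms holds
    # everything that is representable as a double.
    mean = n * p
    sd = math.sqrt(n * p * (1 - p))
    k_max = min(n, max(k_min, int(mean + 40 * sd)) + 100)
    logs = [log_binom_pmf(k, n, p) for k in range(k_min, k_max + 1)]
    peak = max(logs)
    return math.exp(peak) * sum(math.exp(x - peak) for x in logs)


def min_threshold(n: int, p: float, target: float) -> int:
    """Smallest match threshold whose account-level false-positive
    probability is at most `target` for an account holding n images."""
    k = 1
    while prob_at_least(k, n, p) > target:
        k += 1
    return k


if __name__ == "__main__":
    p, n = PER_IMAGE_FP_RATE, ACCOUNT_PHOTOS
    print(f"P(at least 1 false match in {n:,} photos)  = {prob_at_least(1, n, p):.3e}")
    print(f"P(at least {MATCH_THRESHOLD} false matches)          = "
          f"{prob_at_least(MATCH_THRESHOLD, n, p):.3e}")
    # How many matches would this account need before the false-positive
    # probability drops below one in a trillion under these assumptions?
    print(f"Threshold for <= 1e-12 at this rate       = {min_threshold(n, p, 1e-12)}")
```

Under these assumptions a single false match per account is roughly a 0.3% event, while 30 of them is so improbable that the threshold of 30 leaves a very large safety margin over the measured rate.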

I have terrible luck. What if that happens with my account?

Once at least 30 images have matched, the system enables Apple to decrypt the low-resolution previews of those images so a human can review them to see if they are CSAM. Assuming they are all false positives—remember that possession of CSAM is illegal in the US—the reviewer sends them to Apple engineers to improve the NeuralHash algorithm.

Could non-CSAM images end up in Apple’s CSAM hash database?

It’s extremely unlikely. Apple is constructing its database with NCMEC and other child-safety organizations in other countries. Apple’s database contains image hashes (not the actual images; it’s illegal for Apple to possess them) for known illegal CSAM images that exist both in the NCMEC database and at least one other similar database. So multiple international organizations would have to be subverted for such image hashes to end up in Apple’s database. Each source database will have its own hash, and Apple said it would provide ways for users and independent auditors to verify that Apple’s database wasn’t tampered with after creation.

Plus, even if a non-CSAM image hash were somehow added to Apple’s database and matched by NeuralHash, nothing would happen until there were 30 such images from the same account. And if those images weren’t CSAM, Apple’s human reviewers would do nothing other than pass the images to engineering for evaluation, which would likely enable Apple to determine how the database was tampered with.

Couldn’t a government require Apple to modify the system to spy on users?

This is where much of the criticism of Apple’s CSAM detection system originates, even though Apple says the system will be active only in the US. On the one hand, Apple has said it would resist any such requests from governments, as it did when the FBI asked Apple to create a version of iOS that would enable it to break into the San Bernardino shooter’s iPhone. On the other hand, Apple has to obey local laws wherever it does business. In China, that already means that iCloud is run by a Chinese company that presumably has the right to scan iCloud Photos uploaded by Chinese users.

It’s conceivable that some country could legally require Apple to add non-CSAM images to a database, instruct its human reviewers to look for images the country finds objectionable, and report them to law enforcement in that country. But if a country could successfully require that of Apple, it could presumably force Apple to do much more, which hasn’t happened so far. Plus, the CSAM detection system identifies only known images—it’s not useful for identifying unknown images.

Is Apple heading down a slippery slope?

There’s no way to know. Apple believes this CSAM detection system protects the privacy of its users more than scanning iCloud Photos in the cloud would, as other companies do. But it’s highly unusual for a technology that runs on consumer-level devices to have the capacity to detect criminal activity.

(Featured image by iStock.com/metamorworks)


Social Media: Apple’s recently announced expanded protections for child safety have generated a firestorm of criticism and confusion. We attempt to answer some of the most common questions we’ve received.

Disable Unused Sharing Options on Your Mac If You’re Not Using Them

Many security breaches—even high-profile ones—stem from simple oversight. There’s one spot in macOS that has long been particularly susceptible to such lapses: the Sharing pane of System Preferences. In it, you can enable a wide variety of sharing services, some of which could allow another user to access your Mac remotely. They all let you limit access to particular users, but passwords can be stolen, accounts can be compromised, and server software can have bugs. For safety’s sake, if you’re not actively using a sharing service, turn it off. The most important ones to disable when not in use are Screen Sharing, File Sharing, Remote Login, Remote Management, and Remote Apple Events. We also caution against leaving Printer Sharing and Internet Sharing on unnecessarily.

(Featured image by Morgane Perraud on Unsplash)

Intuit Has Stopped Updating the QuickBooks Online Mac App; Switch to a Web Browser

If you’re using QuickBooks Online with the service’s Mac app to manage your business’s accounting, you may have seen a message like the one below announcing that Intuit has stopped updating the QuickBooks Online app. This doesn’t affect your QuickBooks Online account, which you can and should use via a Web browser at qbo.intuit.com now. Even if the QuickBooks Online Mac app continues to work, which it likely will for some time, we recommend that you delete it and switch entirely to a Web browser. It’s not safe to use an unsupported app for financial records because Intuit won’t be fixing any security vulnerabilities going forward.

(Featured image based on an original by RODNAE Productions from Pexels)

Don’t Store Confidential Files in Online File Sharing Services

Given their integration into the Mac’s Finder, it can be easy to forget that online file sharing services like Dropbox, Google Drive, iCloud Drive, and Microsoft OneDrive can be accessed using a Web browser by anyone with your username and password. Obviously, you should always have strong, unique passwords, but to be safe, it’s best not to use services designed for public file sharing to store unencrypted files containing sensitive information like credit card numbers, Social Security numbers, passport scans, privileged legal documents, financial data, and so on. Keep such data secure on your Mac—outside of any synced folders—where accessing it requires physical access to the machine.

(Featured image based on an original by Kenaz Nepomuceno from Pexels)

When Asking about Phishing Email, Make Sure to Write Separately Too

Sadly, email is not an entirely reliable communications medium, thanks to spam filters, addressing errors, and server failures. With certain types of email, it’s worth double-checking that a message was seen. One example we see regularly involves reports of phishing email, which miscreants use to try to trick you into revealing passwords, credit card info, or other sensitive information. Phishing messages can be tricky to identify—that’s their goal. If you’re forwarding a possible phishing email to us or another trusted technical contact for evaluation, remember that spam filters often catch such messages, so they may go unseen. To work around this awkwardness, send a separate message saying you’ve forwarded what you think might be a phishing message so the recipient knows to check their Junk mailbox if need be. It’s helpful if you can include the Subject line of the suspect message.

(Featured image by Mikhail Nilov from Pexels)

What Are Those Orange and Green Dots in Your iPhone’s Status Bar?

In iOS 14 and iPadOS 14, Apple added two new status indicators to the right side of the status bar at the top of the screen. They’re designed to give you feedback about what an app is doing. An orange dot indicates that an app is using the microphone, and a green dot means that an app is using the camera (and possibly the microphone as well). They’re subtle and shouldn’t be distracting, but if you ever notice them when you don’t think the camera or microphone should be in use, look for apps that might be using them in the background.

(Featured image by Bruno Massao from Pexels)

5 New Year’s Resolutions That Will Improve Your Digital Security

Happy New Year! For many of us, the start of a new year is an opportunity to reflect on fresh habits we’d like to adopt. Although we certainly support any resolutions you may have made to get enough sleep, eat healthy, and exercise, could we suggest a few more that will improve your digital security?

Keep Your Devices Updated

One of the most important things you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 20–40 vulnerabilities that Apple or outside researchers have identified.

It’s usually a good idea to wait a week or so after an update appears before installing it, on the off chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ve been banging this drum for years. If you’re still typing passwords in by hand, or copying and pasting from a list you keep in a file, please switch to a password manager like 1Password or LastPass. Even Apple’s built-in iCloud Keychain is better than nothing. A password manager has five huge benefits:

  • It generates strong passwords for you. Password1234 can be hacked in seconds.
  • It stores your passwords securely. An Excel file on your Desktop is a recipe for disaster.
  • It enters passwords for you. Wouldn’t that be easier than typing them in manually?
  • It audits existing accounts. How many of your accounts use the same password?
  • It lets you access passwords on all your devices. Finally, easy login on your iPhone!

A bonus benefit for families is password sharing. It allows, for example, a married couple to share essential passwords or for parents and teens to share certain passwords.

In short, using a password manager is more secure, faster, easier, and just all-around better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses alike frequently suffer from security lapses caused by phishing, forged email that fools someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters can catch many phishing attempts, it’s up to you to be on your guard at all times. Here’s what to watch for:

  • Any email that tries to get you to reveal information, follow a link, or sign a document
  • Messages from people you don’t know, asking you to take an unusual action
  • Direct email from a large company for whom you’re an anonymous customer
  • Forged email from a trusted source asking for sensitive information
  • All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender in some other way to see if the message is legit.

Avoid Sketchy Websites

We won’t belabor this one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. The more you can avoid sites that provide pirated software, “adult” content, gambling opportunities, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware too, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or DetectX Swift and scan for malware manually.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers have also taken to using phone calls and texts. Thanks to weaknesses in the telephone system, such calls and texts can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering happening, fake text messages pretending to help you track packages are becoming more common.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere, and talk with someone at that number rather than one provided by the voicemail.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, navigate manually to the company’s site by entering its URL yourself, then log in.

Let’s raise a glass to staying safe online in 2021!

(Featured image based on originals from Tim Mossholder and Jude Beck on Unsplash)


Social Media: Have a safer 2021 with New Year’s resolutions that will help you secure your devices, avoid email and text scams, and stay safe from malware, as well as benefit from the security and ease-of-use of password managers, which can even fill in passwords for iPhone apps.

Flash Is Dead—Uninstall Flash Player to Keep Your Mac Secure

In July 2017, Adobe announced that it would stop distributing and updating Flash Player on December 31st, 2020. Web standards like HTML5 provide a viable alternative to Flash content, and organizations that relied on Flash have had three years to replace it. Because Adobe will no longer be addressing security vulnerabilities in Flash with updates, Flash Player now prompts users to uninstall. We strongly recommend doing so—just click the Uninstall button if you get this alert. If you don’t see that alert, the Flash Player Install Manager app in your Utilities folder should be able to remove Flash Player as well. Adobe also provides instructions to uninstall manually.

(Featured image based on an original by Gary Meulemans on Unsplash)

Preparing Your Organization for a Possible COVID-19 Quarantine

As of this writing, the respiratory disease COVID-19 has caused nearly 3000 deaths and infected over 80,000 people worldwide. There are relatively few cases in North America currently, but that could increase significantly. For high-quality information about COVID-19, turn to the World Health Organization and the US Centers for Disease Control and Prevention.

For now, the Centers for Disease Control are recommending sensible precautions. They include regular hand washing or using alcohol-based hand sanitizer, covering coughs and sneezes (with your elbow), and staying home and avoiding public spaces if you’re feeling unwell. (These are smart things to do during flu season anyway, given that 10,000 people in the US have died of influenza already this season.)

What if local health officials were to declare a quarantine? Without lapsing into doomsday scenarios, it is always reasonable to make sure that you are personally ready for a natural disaster or other emergency. The Prepared has a detailed guide to help you prepare for a COVID-19 scare or quarantine.

We want to focus on how organizations—either those you run or work for—might prepare for a public health scare or possible quarantine, particularly in the context of your technology use. Here are our thoughts, and contact us if you want help with your preparedness plans.

Infection Prevention

If your organization has numerous employees or serves the public, put some thought into how you can reduce the chance of infection. That might include providing hand sanitizer dispensers, wiping down frequently touched surfaces with household cleaners, and a more frequent cleaning schedule for restrooms.

For an Apple-specific tip, try using or encouraging the use of Apple Pay to reduce the need to touch credit card terminals!

Also, it’s best to avoid shaking hands with customers and colleagues. Perhaps the Japanese custom of bowing will gain traction elsewhere in the world.

Internal Communications

In the event that public health officials discourage people from gathering, think about how your company will communicate internally with people working from home. Many organizations allow such flexibility now anyway, so it’s likely that yours has at least informal communication channels via phone and email, and chat systems like Slack.

Consider formalizing those channels if need be, and if your directory service doesn’t already contain this information, publish a list of phone numbers and email addresses so everyone can contact co-workers easily. If your organization relies on IP telephony, make sure everyone understands how to use softphones or can configure an office phone at home. If you have a switchboard, investigate how it can be operated remotely.

If your organization’s email system is usually available only from computers owned by the organization, make sure webmail access is enabled and that everyone understands how to access it. Similarly, it’s worth making sure everyone has email access from their phones.

Chat systems like Slack or Microsoft Teams can be effective ways for far-flung groups to communicate because they provide real-time communication segregated into topic- or group-specific channels. If you’re not already using such a system and would like to investigate adding it to your communications strategy, contact us for advice.

Remote Access to Organizational Services

For connectivity to office-based file servers and other systems, make sure everyone has access to your VPN and knows how to use it. (Don’t have a VPN, or virtual private network? Again, call us—a VPN is an essential way to provide remote access while ensuring security.)

Are there any specialized servers or services, such as an accounting system, that have security safeguards related to specific access points? Think about what additional access may need to be provided for an employee working from home.

Physical Environment

If most or all employees are working from home, what does that mean for your office? Do physical security systems or climate settings need to be adjusted? Do you want to set up video cameras or other remote monitoring hardware? Who’s going to water the plants? On a more serious note, if you have on-premises servers, make sure they can be administered entirely remotely, including power cycling.

It’s also worth determining who will have responsibility for the office in the event of problems, which could still occur even if no one is there. What if a water pipe in the building breaks, or there’s a burglary? Make sure it’s clear who will respond.

Business Functions

Think about the regularly scheduled aspects of running the business, with an eye toward those that might assume the presence of certain people. Can they run payroll, accounts receivable, and accounts payable remotely? Make sure that every key position has at least one backup, so if one person falls ill, the organization’s ability to function won’t be compromised.

If international travel is a significant part of your organization’s mission, you’re already figuring out how to compensate through videoconferencing and similar technologies. But if you regularly travel only within the country or your area, think about which trips are essential and which can be replaced using online conferencing tools.

Finally, consider how your clients and customers will react to the situation. It’s unfortunately likely that there will be less work taking place, so you may see decreased revenues, but certain organizations may see an increased workload. For instance, if the number of patients in hospitals skyrockets, those who support healthcare systems may struggle under the load alongside the doctors and nurses.

We certainly hope that all these preparations prove unnecessary, but they’re worthwhile regardless. Too many businesses have failed after a fire, hurricane, or earthquake renders an office uninhabitable, and such natural disasters are all too common. As the Boy Scout motto says, “Be prepared.”

(Featured image based on an original by Gerd Altmann from Pixabay)


Social Media: How would your organization react to a COVID-19 scare or quarantine? Here’s how you can use technology to respond to such an event.