
security - page 4

How to check (and block) apps that track you on iPhone and iPad

Protect your iOS privacy and data with a firewall app.
Photo: Capturing the Human Heart/Unsplash

Safari’s content blockers effectively block trackers and other Bad Stuff on the web, but that only works in Apple’s browser. Any other app you install on your iPhone or iPad can send all kinds of personal information to anyone, without you ever knowing. Your location, the details of your menstrual cycle, how long you spend asleep — pretty much anything.

So how do you stop this? Well, iOS 13 itself can help limit some abuses. But what you really need is an iOS firewall app that can detect and shut down any unauthorized connections.

iOS 13 flaw exposes all your contacts data

Keep your iPhone close by.
Photo: Ed Hardy/Cult of Mac

A newly-discovered flaw in iOS 13 lets anyone access your contacts without your passcode.

It takes just a few simple steps to bypass your iPhone’s lockscreen and see every phone number, email address, and physical address you have saved. But a fix is already on the way.

Security researchers are flooding the market with iOS exploits

Here's how much you can make selling certain exploit chains.
Photo: Zerodium

One of the biggest buyers of iOS zero-day exploits says the market is flooded with new iPhone bugs due to weakened security components in Safari and iMessage.

Zerodium, which pays $2 million for iOS exploits, recently announced it’s increasing its payout for Android exploits to $2.5 million. iOS used to be the most locked-down mobile operating system, but the company says Android’s security has improved with every new OS release while iOS has been slacking, leading to a glut of new exploits.

iPhone security exploit allegedly used to target Uyghur Muslims

Security flaw made it possible to infect iPhones using malicious code.
Photo: Jim Merithew/Cult of Mac

An iPhone exploit which used malicious websites to hack iPhones was used to target Uyghur Muslims in China.

The security exploit was recently disclosed by Google researchers. It involved infecting users with malicious code, allowing an attacker to gain access to their phone. Apple fixed the vulnerability earlier this year, before the news was publicly shared.

Secure-erasing your Mac’s disks is no longer secure, Apple says

Encrypting your disk is way safer than trying to 'secure' erase it.
Photo: Charlie Sorrel/Cult of Mac

In the olden days, when you wanted to replace your hard drive with a bigger one, you’d run a “secure erase” on it to completely remove any personal data. This would write zeros to the entire disk, overwriting anything already there.

But now, thanks to advances in storage tech, this no longer does the trick. (Not that you can change your own Mac SSDs now anyway.) The new secure-erase, says Apple, is to just encrypt your disk.

Apple might give hackers special iPhones to plug security problems

This is what a real hacker looks like. Dry ice is not optional.
Photo: Brian Klug/Flickr CC

Apple has historically not been a company in favor of people jailbreaking its devices. So why would Cupertino give hackers special iPhones to help them find weaknesses in iOS? To patch those problems, of course!

According to a new report, Apple will announce plans this week at the Black Hat security conference in Las Vegas to hand out such devices to security researchers. Apple also will introduce a new Mac bug bounty program to reward anyone who finds security problems in macOS.

AirDrop flaw makes it possible to gather strangers’ phone numbers

That's not a great look for AirDrop!
Image: Hexway

A Bluetooth LE security flaw could let malicious actors discover people’s iPhone numbers using Apple’s file-sharing AirDrop feature.

An attacker would need to create a phone number database for a specific region. Using a special script, they then could collect information on users who tried to AirDrop a file.

How to stop Siri logging and sharing recordings

Siri is always listening (depending on your settings).
Photo: Charlie Sorrel/Cult of Mac

Apple shares recordings made by Siri with third-party contractors, according to a recent report. The goal is to improve Siri’s responses, but the fact is, you probably didn’t know that this was happening — and almost certainly want it to stop.

Today, I will show you how to prevent these diagnostic recordings from going to Apple. The good news? You can do it using only Apple’s tools. The bad news is that you’ll have to get your hands dirty in the process.

Lockdown brings open source firewall to iOS

Lockdown secures your iPhone with a firewall.
Photo: Charlie Sorrel/Cult of Mac

Lockdown Apps is a new firewall app for iOS. Like Guardian Firewall, which we covered last month, Lockdown uses iOS’ VPN framework to intercept all incoming and outgoing network traffic, and allows you to block connections to any address.

Unlike Guardian Firewall, Lockdown operates entirely on your device. It is also open source.

How to ditch Google and switch to DuckDuckGo

The door mat at DuckDuckGo HQ.
Photo: DuckDuckGo

DuckDuckGo is a private search engine. Unlike Google, it doesn’t track your internet use, save your searches, or track your location. DuckDuckGo’s reason for existing is to protect your privacy on the internet, but it’s also a great search engine. And when it doesn’t find the results you want, it’s easy to run that search in Google.

Today we’ll see how to switch all your searches to DuckDuckGo, and how to add a one-tap Google backup search.

The good news is that you don’t have to do anything weird or difficult to switch to DuckDuckGo. Both iOS and macOS offer it as a default option in their settings. On the Mac, this setting is in Safari. On the iPhone and iPad, you’ll find it under Safari in the Settings app.

How to stop your Mac from installing Apple’s silent updates

Switching off Apple's silent updates is probably a bad idea, but here's how to do it if you must.
Photo: Charlie Sorrel/Cult of Mac

Thanks to the Zoom fiasco, which left a secret webcam-sharing server running on the Macs of anyone who previously installed the videoconferencing app, Apple issued two silent updates in the past week or so.

These silent updates are security patches that Apple can apply to your Mac automatically, without asking you first. They’re relatively rare, and are a great way for Apple to patch security holes almost instantly. They prove especially helpful for the kind of user that never, ever bothers to run software updates.

But what if you are a Mac nerd? Maybe you want to have a say over this kind of thing. Or perhaps you run IT for a company, and don’t want anything being installed on the business Macs without you checking it first. Can you switch off Apple’s silent updates? Yes, you can. Here’s how.

Beta users can now sign into iCloud using Face ID or Touch ID

The latest Apple betas offer the option of signing in with Face ID or Touch ID.
Screenshot: Charlie Sorrel

Users running the latest iOS 13, iPadOS 13 or macOS Catalina betas can now sign into iCloud using either Face ID or Touch ID.

If you’re using these beta versions, visiting iCloud in Safari will present a pop-up asking if you want to log in using biometrics.

‘CrescentCore’ malware attacks your Mac, evades antivirus tools

Don’t install Flash Player. Not even the real one.
Photo: Intego

Security researchers have discovered new malware that targets macOS users and evades popular antivirus tools.

“CrescentCore” is distributed as a DMG package that’s disguised as Adobe Flash Player. It can now be found on multiple websites — one of which is “a high-ranking Google search result,” according to Intego.

Apple security chief will talk iOS 13, macOS Catalina at Black Hat

Ivan Krstic last appeared at Black Hat in 2016.
Photo: Black Hat

Apple security chief Ivan Krstic will be returning to the Black Hat security conference this summer to discuss iOS 13 and macOS Catalina — as well as the security protections in Apple’s new Find My service.

The 50-minute talk, titled “Behind the Scenes of iOS and Mac Security,” will take place on August 8. Krstic describes it as the “first public discussion of several key technologies new to iOS 13 and the Mac.”

How to ask Google to auto-wipe your activity data on iOS

It takes care of itself.
Photo: Killian Bell/Cult of Mac

You can now ask the Google app on iOS to automatically wipe your location and activity history.

The new feature, which was showcased during Google I/O in late May, takes the hassle out of covering your tracks. You only have to set it up once and it will take care of itself going forward. Here’s how to get started.

If you’re using an AirPort, you should upgrade it ASAP

Anyone with an AirPort Express like this one should install the latest security update.
Photo: Apple/Cult of Mac

Apple discontinued the AirPort line of wireless routers last year but continues to support them, including efforts to keep out hackers. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) released a statement urging users of networking equipment to install a new firmware patch to block attacks.

How (and why) to make your own power-only USB cable

Assemble your tools for a fun hack attack
Photo: Charlie Sorrel/Cult of Mac

USB is dirty. Just like you’d never stick your body parts into a mysterious public hole, neither should you plug your iPhone into a public charging station. iOS is pretty good at rejecting unknown connections from USB, but why take the risk?

There are a few ways to make public iPhone charging safe. One is to plug into a power outlet using your own plug and cable. But what about on a plane or train, or other public spot where only USB outlets are available? Or a friend’s computer, one that might be riddled with malware? Then you need a custom USB cable, one that only passes power, and not data. The good news is that, if you have an old Lightning USB cable lying around, you can easily fashion your own, just by yanking out two pins from inside the USB plug. Alternatively, a charging keychain can be a great portable solution to ensure safe and convenient charging wherever you go.

Here’s how.

Be very careful about buying used Nest security cams [Update]

Who’s watching you through your Nest?
Photo: Nest

UPDATE: See the statement received from Google at the bottom of this story.

You might want to think twice about buying used Nest security cameras.

A new report reveals that secondhand models can allow previous owners to spy on new users — even if they correctly follow Nest’s instructions on resetting the device. There’s currently no fix for the security flaw.

Guardian Firewall is the first true privacy-protecting firewall for iOS

A partial visual pun for a firewall.
Photo: Charlie Sorrel/Cult of Mac

Guardian Firewall claims to be the first proper firewall app for iOS. It works by routing all the network connections from your iPhone or iPad through a VPN, and then filtering out privacy-invading trackers on Guardian’s own servers.

The idea is that all the heavy lifting is done on those servers, so you don’t have to worry about battery drain, or about the iOS security features that prevent an app from futzing with your internet connection.

Sounds good, but should you trust Guardian Firewall?

How to stop apps using background refresh to snoop your data

What could be more refreshing than a rhubarb and soda drink, with something in the background?
Photo: Charlie Sorrel/Cult of Mac

Background refresh is what lets your iPhone and iPad download your email while the device is sleeping, update your weather app while you are sleeping, and grab all kinds of data so that it’s ready before you need it — news feeds, notes-app syncing, and pretty much anything else.

However, as revealed this week by the Washington Post, plenty of bad apps are abusing the background refresh mechanism. They are using it to send your private data — your location, your email address, your phone number, and much, much more.

It’s likely that this is happening to you, because background refresh is enabled by default for newly-installed apps. Fortunately, it’s an easy problem to fix. Today we’ll see how.

Is your iPhone passcode on this list of pathetic PINs?

Don’t use generic passcodes.
Photo: Ed Hardy/Cult of Mac

Over 25% of phones can be cracked just by using one of the top 20 most-used four-digit PINs.

Cyber security expert Tarah Wheeler shared a list of the most popular PINs based on the findings of the folks at the SANS Institute, which is one of the largest cyber security organizations in the world. Some of the passcodes on the list aren’t surprising, but there are a couple of combinations that we didn’t expect to see.

Make sure your PIN didn’t make the list:

How to block ads and malware on iOS

This is the web without content blockers.
Photo: Charlie Sorrel/Cult of Mac

Way back in iOS 9 days, Apple added “content blocking” to the iPhone and iPad. More commonly known as “ad-blockers,” this tech lets you use third-party apps to block ads, malware, trackers, comments, and more, in Mobile Safari. Apple itself doesn’t do any more than make blocking possible. To actually decide what to block, you need a third-party app.

Enabling ad-blocking is easy, once you know how, and you can set-and-forget it once done. Or you can keep on top of things, adding custom rules, and white-listing trusted websites. Here’s how.

Apple says parental control apps were removed for privacy and security reasons

Apple introduced its own Screen Time tools with iOS 12.
Photo: Ed Hardy/Cult of Mac

Apple has responded to a New York Times report claiming that it has removed various parental control apps from the App Store. Apple allegedly removed apps which offered similar features to its own Screen Time tool.

In response, Apple confirms that it did remove “several” such apps — but says that this was done due to privacy and security risks.

Apple will soon require all macOS apps to be notarized

Apple wants to make macOS as safe as possible.
Photo: Apple

Apple has confirmed that all macOS apps will need to be notarized to be accepted by Gatekeeper after its Mojave 10.14.5 update.

The requirement applies to new and updated apps and all software from developers who are new to distributing with Developer ID. In a future version of macOS, notarization will be required by default.