security - page 4

AirDrop flaw makes it possible to gather strangers’ phone numbers

That's not a great look for AirDrop!
Image: Hexway

A Bluetooth LE security flaw could let malicious actors discover people’s iPhone numbers using Apple’s file-sharing AirDrop feature.

An attacker would need to create a phone number database for a specific region. Using a special script, they then could collect information on users who tried to AirDrop a file.

How to stop Siri logging and sharing recordings

Siri is always listening (depending on your settings).
Photo: Charlie Sorrel/Cult of Mac

Apple shares recordings made by Siri with third-party contractors, according to a recent report. The goal is to improve Siri’s responses, but the fact is, you probably didn’t know that this was happening — and almost certainly want it to stop.

Today, I will show you how to prevent these diagnostic recordings from going to Apple. The good news? You can do it using only Apple’s tools. The bad news is that you’ll have to get your hands dirty in the process.

Lockdown brings open source firewall to iOS

Lockdown secures your iPhone with a firewall.
Photo: Charlie Sorrel/Cult of Mac

Lockdown Apps is a new firewall app for iOS. Like Guardian Firewall, which we covered last month, Lockdown uses iOS’ VPN framework to intercept all incoming and outgoing network traffic, and allows you to block connections to any address.

Unlike Guardian Firewall, Lockdown operates entirely on your device. It is also open source.

How to ditch Google and switch to DuckDuckGo

The door mat at DuckDuckGo HQ.
Photo: DuckDuckGo

DuckDuckGo is a private search engine. Unlike Google, it doesn’t track your internet use, save your searches, or track your location. DuckDuckGo’s reason for existing is to protect your privacy on the internet, but it’s also a great search engine. And when it doesn’t find the results you want, it’s easy to run that search in Google.

Today we’ll see how to switch all your searches to DuckDuckGo, and how to add a one-tap Google backup search.

The good news is that you don’t have to do anything weird or difficult to switch to DuckDuckGo. Both iOS and macOS offer it as a default option in their settings. On the Mac, this setting is in Safari. On the iPhone and iPad, you’ll find it under Safari in the Settings app.

How to stop your Mac from installing Apple’s silent updates

Switching off Apple's silent updates is probably a bad idea, but here's how to do it if you must.
Photo: Charlie Sorrel/Cult of Mac

Thanks to the Zoom fiasco, which left a secret webcam-sharing server running on the Macs of anyone who previously installed the videoconferencing app, Apple issued two silent updates in the past week or so.

These silent updates are security patches that Apple can apply to your Mac automatically, without asking you first. They’re relatively rare, and are a great way for Apple to patch security holes almost instantly. They prove especially helpful for the kind of user that never, ever bothers to run software updates.

But what if you are a Mac nerd? Maybe you want to have a say over this kind of thing. Or perhaps you run IT for a company, and don’t want anything being installed on the business Macs without you checking it first. Can you switch off Apple’s silent updates? Yes, you can. Here’s how.

Beta users can now sign into iCloud using Face ID or Touch ID

The latest Apple betas offer the option of signing in with Face ID or Touch ID.
Screenshot: Charlie Sorrel

Users running the latest iOS 13, iPadOS 13 or macOS Catalina betas can now sign into iCloud using either Face ID or Touch ID.

If you’re using these beta versions, visiting iCloud in Safari will present a pop-up asking if you want to log in using biometrics.

‘CrescentCore’ malware attacks your Mac, evades antivirus tools

Don’t install Flash Player. Not even the real one.
Photo: Intego

Security researchers have discovered new malware that targets macOS users and evades popular antivirus tools.

“CrescentCore” is distributed as a DMG package that’s disguised as Adobe Flash Player. It can now be found on multiple websites — one of which is “a high-ranking Google search result,” according to Intego.

Apple security chief will talk iOS 13, macOS Catalina at Black Hat

Ivan Krstic last appeared at Black Hat in 2016.
Photo: Black Hat

Apple security chief Ivan Krstic will be returning to the Black Hat security conference this summer to discuss iOS 13 and macOS Catalina — as well as the security protections in Apple’s new Find My service.

The 50-minute talk, titled “Behind the scene of iOS and Mac Security,” will take place on August 8. Krstic describes it as the “first public discussion of several key technologies new to iOS 13 and the Mac.”

How to ask Google to auto-wipe your activity data on iOS

It takes care of itself.
Photo: Killian Bell/Cult of Mac

You can now ask the Google app on iOS to automatically wipe your location and activity history.

The new feature, which was showcased during Google I/O in late May, takes the hassle out of covering your tracks. You only have to set it up once and it will take care of itself going forward. Here’s how to get started.

If you’re using an AirPort, you should upgrade it ASAP

Anyone with an AirPort Express like this one should install the latest security update.
Photo: Apple/Cult of Mac

Apple discontinued the AirPort line of wireless routers last year but continues to support them, including efforts to keep out hackers. The US government’s Cybersecurity and Infrastructure Security Agency (CISA) released a statement urging users of networking equipment to install a new firmware patch to block attacks.

How (and why) to make your own power-only USB cable

Assemble your tools for a fun hack attack
Photo: Charlie Sorrel/Cult of Mac

USB is dirty. Just like you’d never stick your body parts into a mysterious public hole, neither should you plug your iPhone into a public charging station. iOS is pretty good at rejecting unknown connections from USB, but why take the risk?

There are a few ways to make public iPhone charging safe. One is to plug into a power outlet using your own plug and cable. But what about on a plane or train, or other public spot where only USB outlets are available? Or a friend’s computer, one that might be riddled with malware? Then you need a custom USB cable, one that only passes power, and not data. The good news is that, if you have an old Lightning USB cable lying around, you can easily fashion your own, just by yanking out two pins from inside the USB plug.

Here’s how.

Be very careful about buying used Nest security cams [Update]

Who’s watching you through your Nest?
Photo: Nest

UPDATE: See the statement received from Google at the bottom of this story.

You might want to think twice about buying used Nest security cameras.

A new report reveals that secondhand models can allow previous owners to spy on new users — even if they correctly follow Nest’s instructions on resetting the device. There’s currently no fix for the security flaw.

Guardian Firewall is the first true privacy-protecting firewall for iOS

A partial visual pun for a firewall.
Photo: Charlie Sorrel/Cult of Mac

Guardian Firewall claims to be the first proper firewall app for iOS. It works by routing all the network connections from your iPhone or iPad through a VPN, and then filtering out privacy-invading trackers on Guardian’s own servers.

The idea is that all the heavy lifting is done on those servers, so you don’t have to worry about battery drain, or about the iOS security features that prevent an app from futzing with your internet connection.

Sounds good, but should you trust Guardian Firewall?

How to stop apps using background refresh to snoop your data

What could be more refreshing than a rhubarb and soda drink, with something in the background?
Photo: Charlie Sorrel/Cult of Mac

Background refresh is what lets your iPhone and iPad download your email while the device is sleeping, update your weather app while you are sleeping, and grab all kinds of data so that it’s ready before you need it — news feeds, notes-app syncing, and pretty much anything else.

However, as revealed this week by the Washington Post, plenty of bad apps are abusing the background refresh mechanism. They are using it to send your private data — your location, your email address, your phone number, and much, much more.

It’s likely that this is happening to you, because background refresh is enabled by default for newly-installed apps. Fortunately, it’s an easy problem to fix. Today we’ll see how.

Is your iPhone passcode on this list of pathetic PINs?

Don’t use generic passcodes.
Photo: Ed Hardy/Cult of Mac

Over 25% of phones can be cracked just by using one of the top 20 most-used four-digit PINs.

Cyber security expert Tarah Wheeler shared a list of the most popular PINs based on the findings of the folks at the SANS Institute, which is one of the largest cyber security organizations in the world. Some of the passcodes on the list aren’t surprising, but there are a couple of combinations that we didn’t expect to see.

Make sure your PIN didn’t make the list:

How to block ads and malware on iOS

This is the web without content blockers.
Photo: Charlie Sorrel/Cult of Mac

Way back in iOS 9 days, Apple added “content blocking” to the iPhone and iPad. More commonly known as “ad-blockers,” this tech lets you use third-party apps to block ads, malware, trackers, comments, and more, in Mobile Safari. Apple itself doesn’t do any more than make blocking possible. To actually decide what to block, you need a third-party app.

Enabling ad-blocking is easy, once you know how, and you can set-and-forget it once done. Or you can keep on top of things, adding custom rules, and white-listing trusted websites. Here’s how.

Apple says parental control apps were removed for privacy and security reasons

Apple introduced its own Screen Time tools with iOS 12.
Photo: Ed Hardy/Cult of Mac

Apple has responded to a New York Times report claiming that it has removed various parental control apps from the App Store. Apple allegedly removed apps which offered similar features to its own Screen Time tool.

In response, Apple confirms that it did remove “several” such apps — but says that this was done due to privacy and security risks.

Apple will soon require all macOS apps to be notarized

Apple wants to make macOS as safe as possible.
Photo: Apple

Apple has confirmed that all macOS apps will need to be notarized to be accepted by Gatekeeper after its Mojave 10.14.5 update.

The requirement applies to new and updated apps and all software from developers who are new to distributing with Developer ID. In a future version of macOS, notarization will be required by default.

Apple takes on Lighthouse team after acquiring security patents

Is Apple planning to make cameras of its own?
Photo: Lighthouse

Around 20 members of the Lighthouse team are now working at Apple, according to a new report.

The hires, which include two company co-founders, come after Apple acquired a bunch of Lighthouse’s home security patents earlier this month. An email sent to customers this week requested permission to transfer security camera data to Apple.

Facebook admits hundreds of millions of passwords were exposed

The issues keep piling up for Facebook.
Photo: Ste Smith/Cult of Mac

It’s time to change your Facebook and Instagram passwords again.

Facebook revealed today that it unknowingly stored hundreds of millions of passwords in a readable format on its internal storage systems. There’s no information yet that the passwords were accessed by any nefarious people, but you should probably update yours, just in case.

Secret Apple data spilled through public Box links

Are you exposing sensitive data in the cloud?
Photo: Charlie Sorrel/Cult of Mac

Apple is one of a large number of big companies that have been inadvertently leaking sensitive data through Box, the cloud storage service.

Security researchers found that staff were exposing data by sharing public links to files and documents that can be easily discovered. It’s thought more than 90 companies, including Box itself, are affected.

Google’s Project Zero discovers ‘high severity’ flaw in macOS kernel

Apple is said to be working on a fix.
Photo: Apple

Google’s Project Zero team has discovered a “high severity” flaw in the macOS kernel.

The issue, which potentially allows attackers to perform malicious actions on a mounted filesystem, was reported to Apple more than 90 days ago. No fix has been made available yet, but Apple has acknowledged the issue and is working with Project Zero on a patch.

Researcher provides Apple with details (and fix) for Keychain flaw

Apple still won't cough up a reward.
Photo: Killian Bell/Cult of Mac

A security researcher has decided to provide Apple with details — and a patch — for a serious Keychain flaw in macOS Mojave that allows anyone to access your saved usernames and passwords.

Linus Henze previously withheld the information in protest of Apple’s decision not to offer a macOS bug bounty program. He now believes the problem is too serious for the company to ignore.

Why Dashlane is the first app you should install on a new iPhone [Video]

The Dashlane password manager app on iOS is good-looking and easy to use.
Photo: Stephen Smith/Cult of Mac

What’s the very first app you should download onto a brand new iPhone?

The first app you get should be Dashlane, a rock-solid, easy-to-use password manager that is Cult of Mac’s official security app.

When you start from scratch, you face a big problem — passwords! Dashlane solves that.