Monthly Archives: March 2017

How to protect your Apple iCloud account

Maybe the London-based hacker group — which goes by the name “Turkish Crime Family” — doesn’t have access to 250-million Apple iCloud account names and passwords. But they do have access to some indeterminate number of accounts, and that’s more than enough reason to exercise caution: Protect your iCloud password and data today or risk losing it tomorrow.

 

Back up vulnerable data

First, you need to back up your iCloud data. Yes, I know Apple’s idea was you could use iCloud to back up your Apple device data, and that’s fine, but it’s iCloud itself we’re worried about today.

For your iPhone, iPad, or iPod, the easiest way to do this is to back up your device’s files to your Mac or PC with an iTunes backup.

  • Plug your device into your Mac or PC with iTunes on.
  • In iTunes’ top left-hand corner, under the play controls, there’s a tiny phone icon. Click here and it will take you to your device’s menu.
  • Click on Summary in the left-hand column.
  • You will be presented with three boxes. Choose Select Backups.
  • Choose to automatically or manually back up your device. If you choose automatic, every time you plug your gadget in, iTunes will start to back it up.

Backing up your Apple device locally, and not just to iCloud, is a good idea.

The only problem here is that iTunes doesn’t back everything up. For example, it won’t back up your Apple Pay information and settings, photos already on iCloud, or purchased iTunes and App Stores content.

So, to be safe, you really must change and secure your password.

Change your passwords

Apple could help here — and not just by paying off the Turkish Crime Family. Other major sites — like Amazon, Netflix, and LinkedIn — buy cracked password lists, and use one-way hashing matches to check for existing passwords. They then reset vulnerable passwords and ask users to switch passwords. Apple hasn’t done that, but it should consider doing it, given just how large the threat appears to be.
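The check described above, sketched as an added example (not code from Apple or any of the sites named): each leaked login and password pair is re-hashed with that user's own salt and compared with the stored hash, and a match forces a reset. The account names, the leaked list, and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password with a per-user salt (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    """Build what the service stores: salt and hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "force_reset": False}


def flag_exposed_accounts(user_db: dict, leaked_pairs: list) -> list:
    """Mark accounts whose current password appears in a leaked list."""
    flagged = []
    for login, leaked_password in leaked_pairs:
        key = login.strip().lower()
        record = user_db.get(key)
        if record is None:
            continue  # the leak names an account this service does not have
        candidate = hash_password(leaked_password, record["salt"])
        # constant-time comparison of the recomputed and stored hashes
        if hmac.compare_digest(candidate, record["hash"]) and not record["force_reset"]:
            record["force_reset"] = True
            flagged.append(key)
    return flagged


# Constructed sample data: three accounts and a constructed "leak".
USER_DB = {
    "alice@example.com": make_record("qwerty"),
    "bob@example.com": make_record("Plump/Trotting Pups:"),
    "carol@example.com": make_record("password"),
}
LEAKED_PAIRS = [
    ("Alice@example.com", "qwerty"),    # still in use, so reset
    ("bob@example.com", "hunter2"),     # not the current password, no match
    ("carol@example.com", "password"),  # still in use, so reset
    ("dave@example.com", "abcdefgh"),   # not a customer
    ("carol@example.com", "password"),  # duplicate line in the dump
]

if __name__ == "__main__":
    print(flag_exposed_accounts(USER_DB, LEAKED_PAIRS))
```

The service never needs the plaintext of its own users' passwords for this; it only learns that a leaked password still works for an account.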

Since Apple isn’t doing this, it’s up to you.

 

One thing that has always annoyed me is that Apple talks as if your Apple ID and iCloud ID are different. They’re not. They’re the same, and they use the same password.

To change your Apple ID password, sign in to your Apple ID account page with any web browser and follow the instructions to reset your password. I changed mine using Google Chrome from a Mint Linux system.

Your new Apple ID password must contain at least eight characters, a number, an uppercase letter, and a lowercase letter. You also can’t use spaces, the same character three times in a row, your Apple ID, or a password you’ve used in the last year.

Whatever you do, do NOT use dumb passwords such as “abcdefgh,” “qwerty,” or “password.” The easiest way to create a secure password that won’t try your memory is to use passphrases instead of passwords.

Instead of working your nerves into a frenzy trying to memorize what the cat wrote when he jumped on the keyboard (e.g. “sdf9usdf”), use an easy-to-remember but nonsensical phrase instead. For example, “Plump/Trotting Pups:” or “UNC?Win!Duke?Lose!” or “AC!DC!Tesla!Edison?” These are easy to recall and hard for crackers to break.

Once you’ve changed your password, you’ll need to change it on all your Apple devices.

Then, you’re going to want to add another layer of protection: Two-factor authentication (2FA).

2FA

Apple’s 2FA is clunky, but it still does a great job of protecting your account.


For additional protection, turn on Apple’s two-factor authentication.

When you activate 2FA, you can access your account only from trusted devices such as your iPhone, iPad, or Mac. When you want to sign in to a new device for the first time, you’ll need to provide two pieces of information. These are your Apple ID password and the six-digit verification code that’s automatically displayed on your trusted devices.

To use Apple 2FA, you’ll also need a trusted phone number so you can receive verification codes. To add a trusted phone number, take the following steps:

  1. Go to your Apple ID account page
  2. Sign in with your Apple ID
  3. Go to the Security section and click Edit
  4. Click Add a Trusted Phone Number and enter the phone number

Now, you’re ready for 2FA. For a trusted device, you need an iPhone, iPad, or iPod touch with iOS 9 and later, or you need a Mac running OS X El Capitan or later that you’ve already signed into with 2FA.

To turn on Apple 2FA, take the following steps.

On your iPhone, iPad, or iPod touch with iOS 9 or later:

  1. Go to Settings > iCloud > tap your Apple ID
  2. Tap Password & Security
  3. Tap Turn on Two-Factor Authentication

On your Mac with OS X El Capitan or later:

  1. Go to Apple menu > System Preferences > iCloud > Account Details
  2. Click Security
  3. Click Turn on Two-Factor Authentication

Yes, this can be a lot of work. On the other hand, how much work would it take you to replace your important photos, music, books, or documents if your Apple iCloud account goes up in smoke? Take the time, do it now. You’ll be glad you did.

How to lock up your digital life

Taking individual responsibility for your own privacy and safety in a world full of data breaches, vulnerabilities, and hacking is becoming paramount.

Hardly a week goes by when you don’t hear of yet another company admitting to a data breach, and the consequences of being compromised can be extreme. In 2016, organizations from Linux Mint to Swift, and from the Trump Towers to strings of hotel chains, all lost customer account information, which paved the way for potential identity theft and fraudulent transactions.

 

As we rely on different online services to do everything from check our bank statements to purchase our groceries, it can sometimes be difficult to keep on top of the security of our accounts, but now, we have to consider our digital assets, accounts, and services as important to protect as our physical bank card and IDs.

However, you don’t need to spend hours upon hours to improve your personal security practices on the Internet and tighten up controls for both your accounts and information as a whole — if you know where to begin.

To get started, follow the steps below, which should take you little more than an hour or so — a worthwhile investment when you consider how much frustration can be caused by compromised accounts, fraudulent transactions, and identity theft.

A Database of 1.4 Billion Records Leaked From Biggest Spam Network

A database of 1.4 billion email addresses combined with real names, IP addresses, and often physical addresses has been exposed in what appears to be one of the largest data breaches of this year.

What’s worrisome? There are high chances that you, or at least someone you know, is affected by this latest data breach.

The database contains sensitive information about the company’s operations, including nearly 1.4 billion user records, and it was left completely exposed to anyone, with no username or password required.

According to MacKeeper security researcher Vickery, RCM, which claims to be a legitimate marketing firm, is responsible for sending around a billion unwanted messages per day.

Besides exposing more than a billion email addresses, real names, IP addresses and, in some cases, physical addresses, the leak exposed many documents that revealed the inner workings of RCM’s spam operation.

“The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address,” Vickery said. “Chances are that you, or at least someone you know, is affected.”

Vickery wasn’t able to fully verify the leak but said he discovered addresses he knew were accurate in the database.

Illegal Hacking Techniques Used by RCM

The company employed many illegal hacking techniques to target as many users as possible. One of the primary methods described by the researchers is the Slowloris attack, a technique normally designed to cripple a web server rather than subvert it in this manner.

“[Slowloris is] a technique in which the spammer seeks to open as many connections as possible between themselves and a Gmail server,” Vickery writes in a blog post published today.

“This is done by purposefully configuring your own machine to send response packets extremely slowly, and in a fragmented manner, while constantly requesting more connections.”
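On the receiving side, the behaviour described in that quote shows up as many long-lived, incomplete connections from one source that deliver data very slowly. The following added example (not from Vickery's post or any vendor) flags such sources in a connection table; the thresholds, field names, and sample connections are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed thresholds for this example; tune against real traffic.
DEADLINE_S = 10.0        # a request should be complete within this time
MIN_BYTES_PER_S = 50.0   # below this rate, an incomplete request is "trickling"
MAX_STALLED_PER_IP = 20  # stalled connections tolerated from one source


@dataclass
class Conn:
    src_ip: str
    opened_at: float        # seconds on the server's clock
    bytes_received: int
    request_complete: bool  # True once the whole request has arrived


def is_stalled(conn: Conn, now: float) -> bool:
    """Past the deadline, still incomplete, and delivering data too slowly."""
    age = now - conn.opened_at
    if conn.request_complete or age <= DEADLINE_S:
        return False
    return conn.bytes_received / age < MIN_BYTES_PER_S


def find_slow_sources(conns, now: float) -> dict:
    """Return {src_ip: stalled_count} for sources over the per-IP limit."""
    stalled = defaultdict(int)
    for conn in conns:
        if is_stalled(conn, now):
            stalled[conn.src_ip] += 1
    return {ip: n for ip, n in stalled.items() if n > MAX_STALLED_PER_IP}


def sample_table() -> list:
    """Constructed connection table, observed at now=100 (RFC 5737 addresses)."""
    conns = []
    for t in range(30, 90):   # 60 old connections, each trickling 2 bytes/s
        conns.append(Conn("203.0.113.7", t, 2 * (100 - t), False))
    for t in range(95, 100):  # 5 fresh ones, still inside the deadline
        conns.append(Conn("203.0.113.7", t, 2, False))
    conns.append(Conn("198.51.100.20", 85, 300, False))    # one slow client
    conns.append(Conn("192.0.2.9", 70, 3_000_000, False))  # large, fast upload
    conns += [Conn("192.0.2.5", 50 + i, 400, True) for i in range(30)]  # finished
    return conns


if __name__ == "__main__":
    print(find_slow_sources(sample_table(), now=100.0))
```

Combining a completion deadline with a per-source limit keeps a single slow client or a large upload from being flagged while still catching the many-slow-connections pattern.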

The researchers have reported that details of RCM’s operations and its abusive scripts and techniques have been sent to Microsoft, Apple, Salted Hash, Spamhaus, and other affected parties.

Meanwhile, the researchers have also notified law enforcement agencies, which, they say, have expressed keen interest in the matter.

FCC blocks rules that stop internet providers from secretly selling your data

Federal officials have moved to block rules set out by the Obama administration requiring internet providers to protect customer data — a day before they were expected to come into effect.

The rules would have prevented internet providers, such as AT&T, Comcast, and Verizon, from selling customer data without their consent.

Advertisers are increasingly pushing to gather more information on consumers, such as gender and race, as well as browsing history and the websites they visit, to better target advertising.

The rules, set out in October 2016, would impose stronger restrictions on internet providers who wish to provide customer information and data to advertisers. The rules also carve out data security requirements and compel internet providers to inform customers of data breaches. The rules say that customers have to explicitly opt-in to allow sharing of web browsing data, geolocation data, and health and financial information.

But FCC chairman, Ajit Pai, a Republican who previously served as a top Verizon lawyer, moved to prevent those rules from coming into effect.

In a brief statement last month, Pai said that one of the previous administration’s privacy rules “is not consistent” with the Federal Trade Commission’s privacy standards.

His argument was that the rules gave websites the ability to collect more customer data than internet providers, giving websites the edge in advertising.

Last year, when he voted against the rules under former Obama-appointed FCC chairman Tom Wheeler, Pai said in his dissenting opinion that consumers “should not have to be network engineers to understand who is collecting their data and they should not have to be lawyers to determine if their information is protected.”

Pai got his way when the FCC voted on Friday in favor of staying the rules.

The FCC said that the decision “will maintain a status quo that has been in place for nearly two years with respect to ISPs and nearly a decade with respect to other telecommunications carriers.”

While consumer advocates were in favor of the rules, internet providers and telcos pushed back.

Telegram And Other Messaging Apps Are Helping Scammers

“If spammer signs up for the Telegram and if he already had your phone number in his contact list, it will also notify him that you also have Telegram,” the post reads. “So, in addition to connecting you with your friends and contacts, this app will also connect scammers to you. Similarly, if you happen to have scammers’ numbers in your contact list for some random reason, then you will get push notifications when they join Telegram.”

This looks like a rising problem as the security company noticed that more and more scammers are signing up for their service. Even worse is that there’s no way to prevent other people from knowing that you use Telegram.

The risk grows even further when you take the uses of this particular feature for third parties into account. For example, intelligence agencies consider this type of app a “risk factor.” Basically, if you want to have your privacy, they will think you have something to hide. The same assumption could be made by border control officers, and we have all seen what is happening in the American airports.

White House wants spy law renewed. Congress has other ideas

The clock is ticking for a controversial surveillance provision, which is set to expire at midnight at the end of the year.

But the Trump administration has signaled that it will support its clean reauthorization. Passing a clean version of the Foreign Intelligence Surveillance Act, or FISA, is “necessary to protect the security of the nation,” according to a White House official speaking to Reuters.

Already, bipartisan lawmakers in Congress are gearing up for a fight — ready to oppose the law’s reauthorization of the provision without some level of significant reform.

FISA, initially signed in 1978 and amended in 2008 following a vast expansion of domestic surveillance under the Bush administration, was back in the spotlight in 2013 after details of National Security Agency surveillance programs it authorized were leaked by Edward Snowden.

One particular element of the law, dubbed Section 702, has faced intense criticism from privacy advocates and lawmakers alike.

The provision permitted surveillance operations such as the PRISM program, which collected private data from customers of Apple, Google, Facebook, Microsoft and others. The provision also permitted “upstream” collection from the backbone fiber connections of the internet.

And though FISA is designed to target foreign nationals, an unknown amount of Americans’ data is also collected in the process.

That’s one of the main reasons why numerous Democratic and Republican legislators have argued reforms to Section 702 are necessary to ensure that Americans’ constitutionally-guaranteed privacy rights are not violated.

But a key question remains unanswered: exactly how many Americans were caught up in the NSA’s surveillance dragnet as a result of surveillance authorized under Section 702?

Since the Snowden disclosures during Obama’s second term, nobody has been willing to put a number on it.

This week, Dan Coats, the administration’s pick for director of national intelligence, who called the provision the “crown jewels” of the intelligence agency’s surveillance programs, said that the program is “designed to go after foreign bad guys.”

Ghost apps live on to torment Android users

As many as half a million Android users could be at risk from hacking, phishing and other threats because they are still using apps they’ve downloaded from Google Play which have since been removed from the store.

With more than two million apps available to download from Android’s official store, sometimes malicious apps find their way through the initial screening process and are only identified as dangerous after they’ve been downloaded by users.

Recent examples include the data-stealing Charger ransomware, which disguised itself as a battery saver app, and the Dresscode spy malware which hid in plain sight within the Google Play store as games, skins, themes, and phone optimization boosters.

In both of these cases – and more – the malicious apps were identified by cybersecurity researchers then removed from the official app store.

However, while Google might eventually remove these threats from Play, users who have mistakenly installed malicious apps from the official Android store aren’t told about the risk. Security company Intel Security said 4,000 apps have been removed from Google Play during the last year without users being notified. Some were malicious, others were abandoned by their developers.

“Dead apps need recall notices like other defective products,” said Intel Security.

According to telemetry data collected by McAfee Mobile Threat Research, more than 500,000 Android devices still have these ghost apps installed, meaning that these users – and the organisations they work for – are still potentially exposed to malware and data breaches.

One such threat is a trojan designed for stealing passwords, disguised as an app which offered to help users gain Instagram followers. Once downloaded from Google Play, the malicious app directed the user to a fake Instagram login site which stole their login credentials.

The fake Instagram app steals user credentials.

Image: Intel Security

Another threat is a trojanized photo app called ‘I Love Filter’ which purports to have been downloaded over a million times. Once downloaded and installed, the app requests that users ‘upgrade to VIP’, which triggers the continuous sending of text messages to premium rate numbers, as well as providing the malicious software with the ability to carry out additional attacks.

Despite being malicious, the app is rated 3.5 out of 5.0 on Google Play, something which Intel Security researchers say demonstrates “that the rating system is not enough to go on when it comes to evaluating apps and threats” – and that Google should inform users that they’re still using a malicious app.

“It’s time for app store curators to notify those users impacted to help keep them secure and protect their privacy,” the report recommends.

But until this happens, users need to remain vigilant about what they’re downloading, even if it comes from an official source.

Labor calls out government for breaching privacy laws amid Centrelink fiasco

Labor has accused the Australian government of breaching privacy laws by leaking confidential information about Centrelink customers.

The accusation stems from Centrelink’s new automated debt recovery system that has seen some letters demanding money repayment sent in error to welfare recipients.

Opposition human services spokeswoman Linda Burney moved a motion in the lower house on Tuesday, arguing that the government had conducted a vindictive campaign to gag those who complain about the Centrelink scandal by leaking their details to the media.