When is an “a” not necessarily the “a” you think it is? When a browser shows it as part of the URL in the location or smart-search field. Because non-Roman characters entered domain names so late, the backwards-compatible method of representing them aids phishing.
Unicode allows the representation of nearly all the glyphs—characters, symbols, ideograms, script elements, and more—that form the basis of language and other written subjects, like math and games, in use around the world. While the Unicode Consortium started its work decades ago, it’s only in the last few years that it’s finally permeated operating systems, browsers, and apps to the point where you can rely on it working almost everywhere.
But the Domain Name System (DNS) that operating systems use to turn human-readable location and resource names into the numeric and other data needed to make a connection dates back even before Unicode. And because of its ubiquity, making any change could break compatibility for hundreds of millions of people and devices—maybe more. This is why some sensible improvements, like having a cryptographic component to a domain name that prevents its being spoofed by a party that doesn’t own the domain, have still not been rolled out.
Read more »
If you use iCloud for email, calendar events, or contacts with any apps other than those made by Apple, and you haven’t upgraded the security on your account to use two-factor authentication (2FA), syncing and other interaction will fail starting June 15. That’s when Apple imposes a new security requirement mandating unique passwords for all third-party software that works with iCloud accounts. That includes apps like BusyContacts, Fantastical, and Thunderbird, to name a few of hundreds, as well as online services that sync with iCloud or retrieve email.
That sounds a lot more secure, but there’s less there than meets the eye. Apple’s method of allowing third-party access has significant flaws in containing abuse if one of these unique passwords gets discovered. There’s a better way with its own set of problems, but Apple doesn’t appear to be moving in that direction. (Here’s our how-to guide on setting up iCloud/Apple ID 2FA.)
Blocking easy account hijacking
Read more »
A friend of mine who advocates against a form of health stigma has been targeted for many months by those who prefer to keep the stigma active. (Yes, there is pro-shame harassment in the world. Go figure.) The intensity of this opposition spills over from nasty email and social-media messages into account hacking.
While my friend has secured all their accounts as tightly as possible, using an email address that’s protected by two-factor authentication (2FA) and enabling 2FA everywhere that supports it, their problem is that they receive a continuous stream of email about login attempts. Because of strong passwords and other choices, their accounts aren’t being hijacked.
But they wondered: Is there a way to remain protected while not receiving a well-meaning onslaught of such emails? The short answer is no. Facebook, Google Mail, WordPress, and many other services remain naively predicated on the idea that no user will see that many unauthorized attempts to gain access to their account through a “forgot your password” link or similar.
Read more »
Uber reportedly tagged iPhones with persistent IDs that allowed it to identify devices uniquely after a phone had been wiped and configured from scratch. The company said it was about fraud detection, but its history makes many people dubious, whether that’s true or not.
Bigger issues were raised, however. It was Apple that discovered the violation of its terms, and news of it never appeared until last week. Is Apple acting in our best interests as proprietary and quiet stewards of our identities? This tagging also raises the spectre of a silent ban by app makers, in which consumers could buy a second-hand phone previously employed for fraud that can never again be used with many services.
Let’s start with what happened two years ago, and which would have destroyed Uber’s business.
Read more »
Updated with new information about XProtect from Apple.
Check Point, a security analysis firm, posted an alarming blog entry on Thursday about a new malicious macOS Trojan horse that appeared able to bypass Apple’s protections and could hijack and sniff all the traffic entering and leaving a Mac without a user’s knowledge. This would include SSL/TLS encrypted connections, because the malware installs a local digital certificate that overrides normal man-in-the-middle warnings and protections.
The malware, called OSX/Dok by Check Point, spreads via a phishing attack that Check Point says mostly targets European users. One message shown is in German and the signature portion says it’s from the Swiss tax office. The email contains a ZIP file attachment which has to be saved, opened, and an item within it launched. It’s unclear from the description whether a user has to enter an administrative password, although based on the steps, this would seem likely. On execution, the malware performs various nefarious deeds, such as copying itself and running shell commands, as well as installing a startup item so it will launch at each reboot.
Read more »
When security researcher Jonathan Zdziarski took a job at Apple a few weeks ago, I heard from many people concerned about the future of his macOS app, Little Flocker, a tool that restricts apps’ and system processes’ access to files without permission. He was unable to talk details, but recently F-Secure, a leading security developer and analysis company, announced its purchase of Little Flocker, which it has rebranded as Xfence.
I spoke to Sean Sullivan, security advisor at F-Secure, about the changeover and the general current set of risks to Mac users. He said Xfence, which was in release form as Little Flocker, will shift into a free beta mode for the foreseeable future. (Those who paid for a Little Flocker license will get some currently unspecified benefit as future pricing for Xfence and its inclusion in other products isn’t yet set. “Their license will carry through when there’s a paid product,” Sullivan said.)
The littleflocker.com domain remains up, showing a maintenance page, and the Check for Updates link, which queries that domain, currently doesn’t work. That should change when the new beta is released with Xfence branding.
Read more »
LastPass has been in the news a number of times in the last few years, and not in a good way. The firm makes password-management software for multiple platforms, synced through its central servers. In mid-2015, thieves copied its main password database, but because of good password storage design, the likelihood is that no users had any data extracted. In January 2016, a researcher found a user-interface spoofing bug, since fixed. In mid-2016, another researcher figured out how to fool LastPass with an autofill operation (fixed) and another reported a phishing vulnerability (also fixed). Then a few weeks ago, another found browser-extension vulnerabilities (also fixed, except for one older client, which is being retired).
This sounds bad, right? But only in the first of those issues, the database theft, did information leak, and good design effectively mitigated it. All the rest of the vulnerabilities came from researchers reporting to LastPass, and there’s no evidence of those flaws being used in the wild, despite LastPass’s apparently large user base.
Likewise, you might think that 1Password, made by AgileBits, must be substantially stronger, because no similar research has surfaced in the last few years. But that’s not the case, either. LastPass and AgileBits have taken similar paths for products with quite different interfaces, interactions, and pricing for securing any data they host. (A problem with content-distribution network Cloudflare last month seemingly leaked some 1Password.com data, but only incidentally, and it was wrapped in additional layers of protection, as discussed in my article on the leakage.)
Read more »