Antivirus software won't save your Mac from future malware

A long-running debate between Mac owners and those folks who use other platforms is whether or not malware exists for macOS. It does! Mac owners tend to be very defensive (and, sadly, sometimes offensive) about macOS, because of years of slights when Windows was in the ascendance and virus ridden.

These days, most malware that attacks computers and mobile systems in the wild comes from visiting a website, receiving and opening an attachment via email or a text message, or following a link in an email that misleads you into thinking you’re at a legitimate site, into which you mistakenly enter legitimate credentials.

And most of that malware is old. On the desktop, most attacks focus on older versions of Windows, some using variants of malware that are several years old, according to a recent update from the analysis firm Check Point. On the mobile side, 60 percent of attacks come a single 15-month old attack called Hummingbad, which is often delivered as a Trojan horse—malware hidden inside what appears to be a legitimate app.

Read more »

0

Security check: Which apps have permission to access your online accounts?

Recently, hundreds of accounts—from Forbes to Amnesty International to Starbucks Argentina—started spewing swastikas and slogans in Turkish labeling the Netherlands “Nazi Holland.” The propaganda arises from a dispute in advance of a Turkish referendum to grant its president more power, and the Dutch refusal to allow Turkish officials to speak at rallies of Turkish people living in the Netherlands.

Political issues aside, the accounts were hijacked through a weakness many people forget exists until it strikes: third-party app permissions in social networks and other platforms. These integrations are part of the power of many services, which pitch themselves as platforms. Developers can create software that talks to the service’s API and reads information from a user who authorizes it. But more critically, these third-party apps can often post on behalf of a user, delete messages, or engage in other behavior.

In this case, Twitter Counter was responsible. Its servers were hacked, and credentials stolen.

Read more »

0

How to use Find My iPhone and Find My Mac, the best part of iCloud

Knock skeuomorphic wood, but I’ve never had a computer or mobile device stolen. (I feel footsteps on my digital grave as I write those words.) But I have forgotten where I’ve left one of my pieces of electronics.

Apple started building its location-based device-finding system years ago into iOS, then macOS, then watchOS, and even AirPods as of iOS 10.3 (still in beta at press time). For this article, I’m going to call the feature Find My iPhone just for consistency, even though Apple labels it differently on every kind of device.

You just have to remember it’s on and have your iCloud account associated with your devices handy to use it, whether you think a device has taken off on its own or it’s fallen down between the couch cushions.

Read more »

0

Don’t shy from secure end-to-end messaging apps in light of recent news

Talking recently with a colleague in the security research side of things, they noted, “Funny—we’ve come full circle moving from phone numbers to social media handles now back to phone numbers. Wait a little longer and you’ll be mailing me letters.” (Quoted with their permission.)

That’s not as mordant as it sounds. The seemingly accurate revelations by WikiLeaks recently of a CIA cache containing descriptions and analyses of an enormous number of exploited and potential vectors to insinuate into people’s hardware and data leaves me once again examining what it means to have privacy—whether from those you know, criminals, or governments (with or without legal authority to snoop).

My colleague was referencing in particular the Signal app, which relies on phone numbers as initial identifiers to connect with others, at which point you engage additional out-of-band methods to affirm the person with possession of a given device connected to that phone number is the person you expect it to be.

Read more »

0

How to cope with the recent flood of security failures

Cassandra’s curse was to know the future truly, but when she spoke, no one would believe her. Those of us who write about security and privacy know the feeling. Worse than those who ignored Cassandra are those who believed her and were swept away by the tides of fate. These last few weeks have had aspects of both being heard and being brushed off.

On February 17, Germany’s Federal Network Agency banned My Friend Cayla, a doll with voice-recognition technology, by declaring it an espionage device, because the manufacturer didn’t meet the country’s requirements for disclose and security for recording conversations. “Dangers arise directly from toys being used as espionage devices: with the awareness of parents, childrens’ speech and that of other people can be recorded and forwarded,” the agency wrote.

On February 23, SHA-1, one of the fundamental building blocks of the Internet’s ability to avoid forgery, was broken. This is both more and less serious than it sounds, as it was anticipated, but it has a large impact for the future of outdated and impossible-to-update devices and software.

Read more »

0

iOS

Lock the lock screen out of revealing secrets and listening to Siri

A Twitter user recounted a familiar story of a lost iPhone that resonated with a lot of people just a few days ago. The person behind @afronomics_ said she found another woman’s phone in the bathroom. She noted,

I asked Siri what’s my name. It pulled up her info. Cool. I asked Siri who do I call most. Pulled up her recent calls. Cool.

The whole thread is good reading. (The account owner uses colorful language and may be inappropriate to peruse at a workplace.)

Read more »

0

Chrome and Firefox increase their password warnings, but Safari lags behind

Software designers have to strike a careful balance between letting users do what they want and alerting them to mistakes while avoiding pestering them so often that the warnings go ignored. Worst of all, an app could prevent someone from carrying out an action they want to take, leading them to abandon the app in frustration.

Nowhere is this more fraught than in Web browsers, especially considering that every major operating system ships with an in-house version, even as competition remains in place. People can switch easily, and browser makers know this. If your browser cautions, blocks, or nags you too much, you can just find one that’s less harsh—and I think this philosophy has led companies to allow more security issues to slip past.

Starting around 2015, Google’s Chrome and Mozilla Foundation’s Firefox have changed their approach a lot because of security issues relating to outdated cryptographic standards used in web server digital certificates. It’s spread to many less technical areas. Apple’s Safari, however, has mostly erred on the side of quietly deterring and deflecting without alerting, and there are good reasons it should change.

Read more »

0