Elcomsoft’s Phone Breaker can now help access iCloud data protected with 2-step verification

By Christian Zibreg on Dec 18, 2014

Moscow-based Elcomsoft, which produces a mobile forensic tool used by law enforcement around the world to gain access to a suspect’s iOS devices, has updated its Phone Breaker application which now makes it easier to bypass Apple’s two-step verification for Apple ID accounts in order to access underlying iCloud data, Engadget reported Thursday.

Not only does this include iWork documents stored in iCloud, but also data in third-party apps such as WhatsApp communications, 1Password password databases — even user dictionaries that may contain secret words and phrases — provided a user has enabled the app in question to sync data with iCloud.

Although hackers still need both your Apple ID username/password and a two-factor code sent to your trusted device (or a digital token stolen from your computer), once they do gain access to your account Phone Breaker can then create a digital token granting them permanent access to iCloud data, no two-step verification code needed — until you change your Apple ID password, that is. Read More

 

Poll: is your Apple ID protected with two-step verification?

By Christian Zibreg on Dec 9, 2014

Two-step verification protects your Apple ID from unauthorized access when accessing iCloud.com and the Apple ID web interface or when when making an App Store or iTunes purchase from a new device. It’s an additional layer of security which combines something you know (your Apple ID password) with something you have (an iOS device).

Once enabled, it requires that you enter a four-digit code after providing your Apple ID credentials, with the code being pushed to a trusted iOS device.

You will also get a 14-character Recovery Key to regain control of your account should you ever lose access to your trusted devices or forget your password.

So, is your Apple ID protected with two-factor verification or do you still trust your digital life with the good ol’ password in conjunction with security questions? Read More

 

How losing your Apple ID Recovery Key could permanently lock you out of your account

By Christian Zibreg on Dec 9, 2014

With two-step verification enabled for your Apple ID, you don’t need to create or remember any security questions because your identity is exclusively verified using your password, verification codes sent to your trusted devices and your Recovery Key.

The added layer of security is a tremendous convenience, but with great power comes great responsibility and I can’t stress enough how crucial it is to ensure you never forget where you stored your Recovery Key. As Owen Williams of The Next Web learned the hard way, they’re calling it “Key” for a good reason.

Losing your Recovery Key puts you at risk of being locked out of your Apple ID if Apple’s temporarily disabled it as a security precaution because someone’s tried to hack it.

Apple cannot grant you access back into your Apple ID. This is by design: the system’s been engineered in such a way so that only you can regain access to it. And in order to do that, you absolutely need a Recovery Key.

Here’s what to know about securing your Apple ID with two-step verification. Read More

 

With new Password Changer feature, Dashlane can change all your passwords at once

By Sébastien Page on Dec 9, 2014

Password manager Dashlane introduced today Password Changer, a new feature that allows you to change all your passwords at once, including accounts secured by two-factor authentication. Powered by Dashlane’s recent acquisition of startup PassOmatic came up with the core technology, the feature, that is just entering beta, currently works with about 70 different websites, including Apple, Amazon, Twitter, Facebook, but will open up to more sites in the future. Read More

 

Twitter unveils better reporting and blocking tools

By Christian Zibreg on Dec 2, 2014

Twitter isn’t exactly a great example of what you’d call a privacy-minded online service with a wide-ranging set of comprehensive tools to prevent harassment and block poor souls who spew abuse at others.

And who could blame them? At its core, Twitter is about sharing quick thoughts with the web at large. Of course, Twitter over the years did roll out a bare minimum of reporting features.

Now Twitter’s privacy capabilities have gotten a tad better. Announced Tuesday, a sweeping update to Twitter’s existing reporting and blocking tools calls for simplified forms that mobile users can fill out with easy when reporting abuse, a change to blocking policy, a better web interface to manage blocked users and more.

Read More

 

Department of Justice compelling smartphone makers to bypass encryption

By Christian Zibreg on Dec 2, 2014

The United States Department of Justice is reportedly pursuing an unusual legal strategy to compel cellphone makers to assist investigations by removing device encryption on iPhones and other mobile devices, according to findings by technology website Ars Technica.

Tapping the All Writs Act, feds want Apple’s help to defeat encrypted phones, as revealed by newly discovered court documents from two federal criminal cases in New York and California. Read More

 

WhatsApp starts encrypting instant messages on Android, iOS and other platforms coming soon

By Christian Zibreg on Nov 19, 2014

WhatsApp, the most popular instant-messaging platform with more than 600 million users which Facebook snapped up for $16 billions earlier this year, has started to protect data with end-to-end encryption, The Wall Street Journal reports.

For the time being, text messages exchanged between Android users of WhatsApp are being encrypted by default.

It shouldn’t be too long until the company adds encryption to the iOS app and other mobile platforms. Encryption protects users’ communications from governments and hackers alike by making the data unreadable as it travels between servers. Read More

 

Apple credits Pangu team for discovering vulnerabilities patched in iOS 8.1.1

By Cody Lee on Nov 18, 2014

Apple has posted a support page on the security content of the just-released iOS 8.1.1, reaffirming previous reports that the firmware breaks the Pangu jailbreak tool. In the page, the company credits the Pangu team for discovering three vulnerabilities patched in 8.1.1.

Among those vulnerabilities was a state management issue in the dyld directory, which has to do with app launches. There was also a validation issue in the handling of metadata fields with the kernel, and a sandbox profile bug that allowed apps to launch arbitrary binaries. Read More

 

Chinese authorities shut down WireLurker site, suspects arrested

By Cody Lee on Nov 17, 2014

Chinese authorities arrested three individuals last Friday that are believed to have developed the “WireLurker” malware, according to a police post on Sina Weibo. The authorities were tipped off by Chinese security company Qihoo 360 technology. Additionally, the post says that authorities have also identified and shut down the website that was hosting and distributing the malware. Read More

 

Apple issues statement on Masque Attack, says it’s not aware of any affected users

By Cody Lee on Nov 13, 2014

Apple tonight broke its silence regarding Masque Attack, a recently discovered vulnerability in iOS. In a statement to iMore, the company says it encourages customers to only download apps from trusted sources and that it’s not currently aware of any users affected by the exploit.

Research security FireEye announced its discovery of Masque Attack on Monday. The malware installs itself through a phishing link disguised as a new app or game, and then masquerades as a legitimate app. Once installed, it can access login credentials, credit card info and more. Read More

 

US government warns iOS users about new ‘Masque Attack’ threat

By Cody Lee on Nov 13, 2014

The United States government issued a warning for iPhone and iPad users today regarding the recently-discovered ‘Masque Attack’ vulnerability, reports Reuters. The security flaw, which began circulating the web earlier this week, allows malicious third-party apps to be installed to a device using enterprise provision profiles.

Today’s bulletin was issued by the National Cybersecurity and Communications Integration Center, and it warns users of how Masque Attack can spread and what it’s capable of doing. The malware installs itself through a phishing link disguised as a new app or game, and then it can masquerade as a well-known app like Gmail. Read More

 

iOS security flaw could lure unsuspecting users into installing dangerous malware

By Christian Zibreg on Nov 10, 2014

A new security exploit discovered in Apple’s mobile operating system allows attackers to fool unsuspecting users into installing malicious iPhone and iPad apps disguised as new versions of popular apps and games such as Gmail, Angry Birds and more.

Instances of malicious apps with such deceiving names as “New Angry Bird”, “New Flappy Bird” and others were mentioned Monday in a report by mobile security research firm FireEye. Read More

 

Apple now blocking apps infected with WireLurker malware

By Cody Lee on Nov 6, 2014

Apple released a statement today saying that it is aware of the newly discovered WireLurker malware that targets Macs and iOS devices, and it has taken action. “We’ve blocked the identified apps to prevent them from launching,” a spokesman for the company told the Wall Street Journal.

Yesterday security researchers at Palo Alto Networks published a report saying they had discovered a new malware targeting Macs and iOS that is the “biggest in scale” it has ever seen. They named the malware “WireLurker” for its ability to jump from infected Macs to iOS devices over USB. Read More

 

New malware ‘WireLurker’ found infecting Macs and iOS devices in China

By Cody Lee on Nov 5, 2014

Security researchers at Palo Alto Networks say they’ve uncovered a new malware campaign targeting Macs and iOS that is the “biggest in scale” it has ever seen. Dubbed WireLurker, the malware has infected more than 400 apps in the Maiyadi App Store, a third-party Mac app store in China.

In the last six months, researchers say 467 infected applications have been downloaded 356,104 times, and “may have impacted hundreds of thousands of users.” The scary part is, the malware can be transmitted to a connected iOS device via USB, regardless of whether or not it’s jailbroken. Read More

 

The EFF ranks iMessage and FaceTime as most secure mass-market messaging options

By Cody Lee on Nov 5, 2014

The Electronic Frontier Foundation (or EFF) has posted a new Secure Messaging Scorecard, which ranks popular messaging offerings based on their security measures. The Scorecard uses a variety of metrics, such as methods of encryption and user privacy, and Apple’s messaging options faired rather well.

While dedicated secure messaging apps like ChatSecure and CryptoCat scored the highest, the EFF found Apple’s iMessage and FaceTime systems to be “the best of the mass-market options.” The two services were found more secure than several high profile apps, including BlackBerry Messenger and Skype. Read More

 

U.S. Court says phone passcodes are protected under the law

By Christian Zibreg on Oct 31, 2014

Criminals should protect their iPhones with a passcode, not Touch ID, as a Virginia District Court has determined that passcodes are protected under the Fifth Amendment of the United States Constitution while fingerprints are not, according to a report Friday by Hampton Roads.

The Fifth Amendment protects citizens from self-incrimination so a phone is protected under the law because otherwise it would require a defendant to divulge knowledge. Put simply, a Circuit Court judge has ruled that a criminal defendant can be compelled to reveal their fingerprint but not the passcode, so that police could search their mobile phone. Read More

 

How to use a passcode with the iOS 8.x jailbreak

By Jeff Benjamin on Oct 29, 2014

At this point in time, running Cydia on a jailbroken iPhone can still be a bit confusing for users who aren’t always knee-deep in this stuff. One of the biggest issues encountered when running Cydia on a jailbroken iOS 8 device at the moment involves using the passcode and Touch ID.

After installing Cydia on a jailbroken iOS 8 device, many are reporting that establishing a passcode sends them into a bootloop. I verified that I encountered the same issue.

Let me just preface this by saying that the problems encountered here are no fault of the Pangu team or of Saurik. This jailbreak is a work in progress, and we’ve been advised that the jailbreak is only for developers at the moment. That said, many of you are adventurous and want to take the plunge as soon as possible; as do I.

In this video, I share an unsanctioned workaround to the boot loop issue. I show you how to establish a passcode on a device with Cydia and Cydia Substrate installed. I’ve tested this out, and have recorded the entire Cydia installation process for your convenience. Have a look inside for the full tutorial. Read More

 

How to stop OS X Yosemite from asking for a password after waking your Mac

By Sébastien Page on Oct 28, 2014

I just got my all new iMac with Retina 5K display last week and I’m still going through all the settings to have it behave the way I want. One thing I noticed is that every time it goes to sleep or the screen saver kicks in, my Mac will require me to enter my user password when I wake it up.

What is a great security feature if you work in an office is somewhat of an annoyance to me, simply because I work from home and no one except my wife ever gets to touch my computer, making this password an extra step that I don’t need.

In this post, I’ll show you how to stop OS X Yosemite from requiring a password after waking up your Mac. Read More

 

SleekCode: improve the look of the Lock screen passcode interface

By Jeff Benjamin on Oct 24, 2014

SleekCode is a brand new jailbreak tweak that just recently touched down on Cydia’s BigBoss repo. SleekCode allows you to change up the look of the passcode screen. You can alter the background of the blur, alpha, and passcode rings, along with hiding the emergency dial button and slide to unlock chevron.

I was fairly impressed with the look of the passcode screen after configuring SleekCode. Have a look at our video walkthrough for more information. Read More

 

Tim Cook flies to China in response to iCloud phishing allegations

By Christian Zibreg on Oct 22, 2014

Apple’s boss Tim Cook went to China to meet with a top Chinese government official in Beijing amid allegations of government-backed phishing attempts on users’ iCloud accounts, according to a report by the state-run Xinhua news agency, relayed by Reuters Wednesday.

The meeting coincides with reports by GreatFire.org, a Chinese web monitoring group, alleging that the Chinese government sponsored man-in-the-middle attacks that redirected local users to a fake iCloud.com login page in an effort to harvest Apple ID user names and passwords. Read More

 
Page 112345...