Security

It’s easy to create a fingerprint from smartphone photos of someone’s finger

Admittedly, Touch ID has popularized and mainstreamed biometric security on mobile devices, using as the credential the impression made on a surface by the inner part of the top joint of a finger, in other words a fingerprint.

Having debuted on the iPhone 5s, Apple's in-house sensor built into the Home button is based on a sophisticated technology by Israeli smart sensor maker AuthenTec, which the Cupertino firm snapped up in July of 2012 for a reported $356 million.

However, existing fingerprint-based security solutions could be easily bypassed by generating a fingerprint image from a series of photos of someone's finger, no physical print necessary whatsoever, according to claims by Chaos Computer Club, Europe’s largest association of hackers.

As relayed by VentureBeat, the hackers have now successfully demonstrated a proof-of-concept by copying the thumbprint of German Defense Minister Ursula von der Leyen.

They used a close-up photograph of von der Leyen’s thumb, obtained during a news conference in October, along with photographs taken from different angles, said Jan Krissler aka “Starbug” at the 31st annual Chaos Computer Club convention in Hamburg, Germany.

Elcomsoft’s Phone Breaker can now help access iCloud data protected with 2-step verification

Moscow-based Elcomsoft, which produces a mobile forensic tool used by law enforcement around the world to gain access to a suspect's iOS devices, has updated its Phone Breaker application which now makes it easier to bypass Apple's two-step verification for Apple ID accounts in order to access underlying iCloud data, Engadget reported Thursday.

Not only does this include iWork documents stored in iCloud, but also data in third-party apps such as WhatsApp communications, 1Password password databases — even user dictionaries that may contain secret words and phrases — provided a user has enabled the app in question to sync data with iCloud.

Although hackers still need both your Apple ID username/password and a two-factor code sent to your trusted device (or a digital token stolen from your computer), once they do gain access to your account Phone Breaker can then create a digital token granting them permanent access to iCloud data, no two-step verification code needed — until you change your Apple ID password, that is.

Poll: is your Apple ID protected with two-step verification?

Two-step verification protects your Apple ID from unauthorized access when accessing iCloud.com and the Apple ID web interface or when making an App Store or iTunes purchase from a new device. It's an additional layer of security which combines something you know (your Apple ID password) with something you have (an iOS device).

Once enabled, it requires that you enter a four-digit code after providing your Apple ID credentials, with the code being pushed to a trusted iOS device.

You will also get a 14-character Recovery Key to regain control of your account should you ever lose access to your trusted devices or forget your password.

So, is your Apple ID protected with two-step verification, or do you still entrust your digital life to the good ol' password in conjunction with security questions?

How losing your Apple ID Recovery Key could permanently lock you out of your account

With two-step verification enabled for your Apple ID, you don't need to create or remember any security questions because your identity is exclusively verified using your password, verification codes sent to your trusted devices and your Recovery Key.

The added layer of security is a tremendous convenience, but with great power comes great responsibility and I can't stress enough how crucial it is to ensure you never forget where you stored your Recovery Key. As Owen Williams of The Next Web learned the hard way, they're calling it "Key" for a good reason.

Losing your Recovery Key puts you at risk of being locked out of your Apple ID if Apple's temporarily disabled it as a security precaution because someone's tried to hack it.

Apple cannot grant you access back into your Apple ID. This is by design: the system's been engineered in such a way so that only you can regain access to it. And in order to do that, you absolutely need a Recovery Key.

Here's what to know about securing your Apple ID with two-step verification.

With new Password Changer feature, Dashlane can change all your passwords at once

Password manager Dashlane introduced today Password Changer, a new feature that allows you to change all your passwords at once, including accounts secured by two-factor authentication. The core technology comes from Dashlane's recent acquisition of startup PassOmatic. The feature, which is just entering beta, currently works with about 70 different websites, including Apple, Amazon, Twitter and Facebook, but will open up to more sites in the future.

Twitter unveils better reporting and blocking tools

Twitter isn't exactly a great example of what you'd call a privacy-minded online service with a wide-ranging set of comprehensive tools to prevent harassment and block poor souls who spew abuse at others.

And who could blame them? At its core, Twitter is about sharing quick thoughts with the web at large. Of course, Twitter over the years did roll out a bare minimum of reporting features.

Now Twitter's privacy capabilities have gotten a tad better. Announced Tuesday, a sweeping update to Twitter's existing reporting and blocking tools calls for simplified forms that mobile users can fill out with ease when reporting abuse, a change to blocking policy, a better web interface to manage blocked users and more.

Department of Justice compelling smartphone makers to bypass encryption

The United States Department of Justice is reportedly pursuing an unusual legal strategy to compel cellphone makers to assist investigations by removing device encryption on iPhones and other mobile devices, according to findings by technology website Ars Technica.

Tapping the All Writs Act, feds want Apple’s help to defeat encrypted phones, as revealed by newly discovered court documents from two federal criminal cases in New York and California.

WhatsApp starts encrypting instant messages on Android, iOS and other platforms coming soon

WhatsApp, the most popular instant-messaging platform with more than 600 million users, which Facebook snapped up for $16 billion earlier this year, has started to protect data with end-to-end encryption, The Wall Street Journal reports.

For the time being, text messages exchanged between Android users of WhatsApp are being encrypted by default.

It shouldn't be too long until the company adds encryption to the iOS app and other mobile platforms. Encryption protects users' communications from governments and hackers alike by making the data unreadable as it travels between servers.

Apple credits Pangu team for discovering vulnerabilities patched in iOS 8.1.1

Apple has posted a support page on the security content of the just-released iOS 8.1.1, reaffirming previous reports that the firmware breaks the Pangu jailbreak tool. In the page, the company credits the Pangu team for discovering three vulnerabilities patched in 8.1.1.

Among those vulnerabilities was a state management issue in the dyld directory, which has to do with app launches. There was also a validation issue in the handling of metadata fields with the kernel, and a sandbox profile bug that allowed apps to launch arbitrary binaries.

Chinese authorities shut down WireLurker site, suspects arrested

Chinese authorities arrested three individuals last Friday who are believed to have developed the "WireLurker" malware, according to a police post on Sina Weibo. The authorities were tipped off by Chinese security company Qihoo 360 Technology. Additionally, the post says that authorities have also identified and shut down the website that was hosting and distributing the malware.

Apple issues statement on Masque Attack, says it’s not aware of any affected users

Apple tonight broke its silence regarding Masque Attack, a recently discovered vulnerability in iOS. In a statement to iMore, the company says it encourages customers to only download apps from trusted sources and that it's not currently aware of any users affected by the exploit.

Security research firm FireEye announced its discovery of Masque Attack on Monday. The malware installs itself through a phishing link disguised as a new app or game, and then masquerades as a legitimate app. Once installed, it can access login credentials, credit card info and more.

US government warns iOS users about new ‘Masque Attack’ threat

The United States government issued a warning for iPhone and iPad users today regarding the recently discovered 'Masque Attack' vulnerability, reports Reuters. The security flaw, which began circulating on the web earlier this week, allows malicious third-party apps to be installed on a device using enterprise provisioning profiles.

Today's bulletin was issued by the National Cybersecurity and Communications Integration Center, and it warns users of how Masque Attack can spread and what it's capable of doing. The malware installs itself through a phishing link disguised as a new app or game, and then it can masquerade as a well-known app like Gmail.