Archive for Apple

Turkish Crime Family iCloud Data Provided To ZDNet Proven To Be Valid

Posted in Commentary with tags on March 24, 2017 by itnerd

It may be a bit too early to blow of the so called Turkish Crime Family and their threat to cause digital harm to millions of iCloud users. I say that because ZDNet posted a story saying that it had received a set of 54 account credentials from the hacker group for “verification” and subsequently reported that all of the accounts were valid, based on a check using Apple’s online password reset function. What’s interesting is that ZDNet also contact each account holder via iMessage to confirm their password, and found that many of the accounts are no longer registered with Apple’s messaging platform. However, of those that could be contacted, 10 people who were all based in the U.K. confirmed that the passwords were accurate, and they have changed them as a result.

Now these passwords could have been acquired in a number of ways. For example, Yahoo gets hacked and because people tend to use the same password for everything, the rest of their digital lives is under threat. It doesn’t prove that the so called Turkish Crime Family have pwned Apple at all. Which would be consistent with what Apple said yesterday. Also, it is entirely possible that this is all that they have. I say that because of this:

A person representing the group, who is allegedly no longer a member, told me that the data is “handled in groups”, but would not explain how or why. The hackers refused to hand over a US-based sample of accounts

My $0.02 worth? There is a strong likelihood that this is bogus. If someone had some sort of epic exploit on a company like Apple, they’d be asking for way more than $75,000 and they would have provided far more proof that Apple had been pwned. That isn’t the case here. But it doesn’t mean that you shouldn’t take precautions. You should look at your iCloud account in terms of how secure it is. Consider using a strong password that is distinct from other passwords that you have and enabling two factor authentication to ensure that you are as secure as possible. After all, you should do everything possible to avoid getting pwned by this group or any other group of hackers.

Advertisements

Apple Comments On Latest Wikileaks Info Dump

Posted in Commentary with tags on March 24, 2017 by itnerd

Yesterday, Wikileaks did a second info dump which centered around exploits used by the CIA to get into OS X and the fact that the CIA got into the supply chain of iPhone shipments to slip their software onto them. Apple has since come out with a statement that is kind of interesting:

We have preliminarily assessed the Wikileaks disclosures from this morning. Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released. Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013.

We have not negotiated with Wikileaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms. Thus far, we have not received any information from them that isn’t in the public domain. We are tireless defenders of our users’ security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users.

Well….what is in this statement is what I was I was expecting Apple to say as when I read the documents in the dump, it seemed like this was stuff that Apple had already fixed. But one thing to keep in mind is that based on the way the statement is written, they are still looking at this. Thus you can expect that anything that they haven’t already addressed will be fixed very quickly. Another thing to point out is that Apple took the opportunity to take a shot at Wikileaks about their disclosure of the exploits themselves. That’s interesting. I will be interested to see how Wikileaks responds to that.

Apple To Planet Earth: Hackers Are Full Of It

Posted in Commentary with tags on March 23, 2017 by itnerd

In response to a hacker group who wanted to get paid or iCloud users would get hit hard by them, Apple has decided to come out and say something about this threat. They told Fortune there have been no breaches of its systems:

There have not been any breaches in any of Apple’s systems including iCloud and Apple ID,” the spokesperson said. “The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services.

The Apple spokesperson went on to say this:

The Apple spokesperson said that Apple is ” actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved. To protect against these type of attacks, we always recommend that users always use strong passwords, not use those same passwords across sites and turn on two-factor authentication.”

That’s good advice that I suggested yesterday which you should still follow. In the meantime, I hope the so called Turkish Crime Family liked its 15 minutes of fame. Because with this statement by Apple, it’s over.

You May Want To Reset Your iCloud Password… Just In Case What I’m About To Tell You Is True

Posted in Commentary with tags on March 22, 2017 by itnerd

Now, I will say up front that I wonder about the veracity of their claims, but I will put this out there just in case there’s something to them. Motherboard is reporting that a group calling itself the Turkish Crime Family is threatening to reset iCloud accounts and remote wipe iPhones if Apple doesn’t pay them by April 7th. What’s got the attention of many is that the group claims to have access to 300 million accounts:

The hackers, who identified themselves as ‘Turkish Crime Family’, demanded $75,000 in Bitcoin or Ethereum, another increasingly popular crypto-currency, or $100,000 worth of iTunes gift cards in exchange for deleting the alleged cache of data.

“I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing,” one of the hackers told Motherboard.

The hackers provided screenshots of alleged emails between the group and members of Apple’s security team. One also gave Motherboard access to an email account allegedly used to communicate with Apple.

Now, Apple has put it out there that they aren’t going to reward this group. That means that one of two things is going to happen:

A) Nothing. Because this group is bluffing.

B) A lot of Apple users are going to be really upset on April 7th.

My advice? This is a good time to look at your iCloud account in terms of how secure it is. Consider using a strong password that is distinct from other passwords that you have and enabling two factor authentication to ensure that you will not end up being pwned by this group. Assuming that their claims are true of course. We’ll find out if it is true on April 7th.

Apple Releases New And Updated iPads And iPhones

Posted in Commentary with tags on March 21, 2017 by itnerd

This morning Apple released a bunch of new and updated products to the world. Here’s the highlights:

  • Apple announced a new iPhone 7 and iPhone 7 Plus (PRODUCT)RED Special Edition. It will be available in 128GB and 256GB capacities and will be available starting on Friday.
  • Apple is launching a new 9.7-inch iPad equipped with an A9 chip and a brighter Retina display to replace the iPad Air 2, which has been discontinued. It also has a 9.7-inch screen with 2,048‑by‑1,536 resolution and 264 PPI, 8-megapixel rear-facing iSight camera, 1.2-megapixel front-facing FaceTime camera, two speakers, Lightning connector, 3.5mm headphone jack, Touch ID with Apple Pay, Wi-Fi 802.11ac, and Bluetooth 4.2 and an option for celluar. It will come in 32GB and 128GB capacities and will be available this Friday for purchase.
  • Apple announced that the iPad mini 4 which offers 128GB for the price of the 32GB model with Wi-Fi, which has been discontinued.
  • The iPhone SE is now available in 32GB and 128GB capacities.
  • Accessories also got released today. There are new iPhone silicone cases, new Apple Watch bands including Nike+ bands being available separately for the first time.

Is there a product on this list that you can’t wait to get your hands on? If so, please leave a comment and share your thoughts.

Security Expert Exposes Phishing Gang That Targets Victims of iPhone Theft

Posted in Commentary with tags on March 16, 2017 by itnerd

Brian Krebs is one of the foremost experts in computer security having broken a number of stories that cover topics such as Spam, ATM skimming and the like. Now he’s do it again by showing you a phishing gang that is targeting victims of iPhone theft. You see, with the Find My iPhone feature and Activation Lock, any stolen iPhone can be remotely erased and bricked making them worthless. Thus criminals are now resorting to Phishing to bypass Apple’s security. Krebs in turn has exposed one gang who is renting out their services to iPhone thieves everywhere. I encourage you to read the article as it is very eye opening.

In the meantime, if you lose your iPhone or it is stolen, Find my iPhone is a great way to make that stolen iPhone a high tech paperweight. Here’s a link to everything that you need to know about Find My iPhone. More importantly, if you get an e-mail or a text message from someone claiming to be Apple saying that your phone has been found, do not click any links inside the text message. Apple will never send a message like this and all you will do is give the bad guys the means to sell your iPhone.

 

#PSA: How To Lock Down Your iPhone

Posted in Tips with tags on February 28, 2017 by itnerd

These days, you cannot take security for granted. And that includes locking down your iPhone from people who would want to get some of your personal information. If you want an example of how easy it is to get personal information from a locked iPhone, try these Siri commands with a random iPhone that is locked:

  • Siri, who am I
  • Siri, navigate me to home
  • Siri, show me my recent calls

What you’ll see is that the contact card belonging to the owner of the phone will appear. Plus Siri will route you to the address of the owner of the iPhone. Finally, you’ll see the last call that was made from the phone. And you get all of this while the phone is locked. That’s not good. What’s worse is that this is how the iPhone is set up by default which is a bit of a #fail from a company that values privacy. I’ll also add that the Today View, Apple Wallet, notifications as well as control center are also exposed for anyone to see by default on the iPhone. Any of those could expose personal information, and having the control center available could be leveraged to disable the phone’s ability to connect to cellular networks if it is stolen. Which means that you won’t be able to find it or remote erase it using iCloud. For those reasons, I suggest that you take the time to lock down your iPhone. I will admit that by doing so you take away some convenience, but you will make your phone a lot more secure. Here’s what I would suggest that everyone disable:

  1. Go to Settings
  2. Go to Touch ID & Passcode
  3. Enter your passcode
  4. Disable the following:
    1. Today View
    2. Siri
    3. Reply With Message
    4. Home Control
    5. Wallet
  5. Now go back one level and go to Control Center
  6. Disable “Access On Lock Screen”

By doing all of that, it will take away most of the ways that your personal information can leak out. For bonus points, you may want to consider disabling Notifications View under Touch ID & Passcode. I didn’t do that as I find that it is handy for me to have notifications from my various apps pop up on the screen. But if there’s info from those notifications that you don’t want a third party to see, it is worth considering whether you should disable it or not.

The next thing that I suggest that you do is not only improve your passcode, but set your phone to self destruct. I’ll start with the former. Most people use 4 digit passcodes which means that there are 9999 possible combinations. That sounds like a lot, but it really isn’t. Someone with a lot of time on their hands, like a border agent for example, will take the time to crack the passcode. Thus try using a 6 digit passcode or better yet an alphanumeric code for improved security. Now to the part about self destructing the phone. No, you cannot set the phone to self destruct in 5 seconds like they do in Mission Impossible. But iPhones do have a feature that erases the data on the phone after 10 failed passcode attempts. You can enable it  like this:

  1. Go to Settings
  2. Go to Touch ID & Passcode
  3. Enter your passcode
  4. Enable “Erase Data”

Now, you don’t want to enable this unless you back up your iPhone on a regular basis using iTunes. But in my case, I use iCloud Backup which automatically backs up my phone is plugged in, locked, and connected to WiFi. That means that I always have a backup that I can fall back on should the need arise and I can get my phone back to a working state anywhere. Not to mention set up a new phone with the same settings if I have to. Here’s how you set it up (This is assuming that you have set up iCloud before hand. If not, you should create an iCloud account as it is free to do so and it gives you 5GB of storage):

  1. Go to settings
  2. Go to iCloud
  3. Go to Backup
  4. Enable iCloud Backup

One thing to note is that it will only backup your health data, accounts, and phone configuration info. It does not backup music, apps or pictures. But music and apps are easy to restore from your computer using iTunes on your Mac or PC. Ditto for photos if you’re not using something like iCloud Photo Library which keeps your photos in the cloud.

Full disclosure: I use a 4 digit non-obvious passcode (in other words, one that isn’t easily guessed or is tied to anything else in my life) and I have the iPhone set to erase data. My logic is that this configuration will keep my data away from prying eyes because the phone will erase itself after 10 failed passcode attempts. This is on top of the fact that I use Touch ID to unlock the phone which means I am not entering the passcode most of the time. But you have to decide how paranoid you want to be on this front and what steps you’re willing to take to protect yourself.

Now, all of this sounds like a fair amount of work. But I ran through this and it took me 20 minutes to set all of this up. In my mind, that’s a good investment of time to make sure that your phone is locked down and doesn’t reveal personal information about you should it fall into the wrong hands. Thus it is something that every iPhone user should do.