Web Finds for December 11, 2017

Web Finds are from my web surfing travels. You’ll find some unique, informative, and some of the coolest websites and apps that you may have never known existed. Enjoy!

How to Use Do Not Disturb While Driving on iPhone
Do Not Disturb While Driving is an iPhone specific safety feature. When Do Not Disturb While Driving is activated on iPhone, no calls, messages, notifications, or alerts will come through to the iPhone. I have my iPhone set to automatically go to do not disturb as soon as my car starts moving.

How to Lock Your Mac Screen and Protect It from Prying Eyes
Whether you’re at home or at work, you might not want other people snooping on your Mac when you step away. Leaving your Mac unlocked and unattended allows others nearby to read your emails, text messages, browser history, and all your files. You don’t need to shut down your Mac, you don’t even need to log out. You can just lock it.

How to restore deleted files from iCloud Drive
I use Dropbox more often than iCloud Drive. One of Dropbox’s features is the ability to recover deleted files. I didn’t know I could also recover deleted files in iCloud Drive.

Phishers Are Upping Their Game. So Should You. — Krebs on Security
This read is worth your time. Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Previous Web Finds are here.

Equifax breach caused by failure to patch two-month-old bug

Negligence! If they had patched their server(s) the day the patch was released, this would never have happened.

This is inexcusable! Heads should roll. Maybe it’s time some people go to jail for this kind of sh^t.

Dan Goodin, writing for Ars Technica 9/13/2017, 8:12 PM

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.

The Equifax Breach: What You Should Know

I’m sure you’re pissed about the Equifax breach just like I am. And I’m sure you’re as concerned about how this affects you as I am.

Brian Krebs of KrebsOnSecurity, an expert in the area of data breaches, has written an excellent article about what we need to know to protect ourselves in light of the “Equifax Breach”.

Please, please take the time to read his article.

Brian Krebs, writing for KrebsonSecurity

Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

iOS 11 has a way to quickly disable Touch ID and require a passcode

As reported last week by The Verge, iOS 11 has a way to quickly and discreetly disable Touch ID.

According to The Verge:

Apple is adding an easy way to quickly disable Touch ID in iOS 11. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn’t automatically dial the emergency services by default, but it brings up the option to and also temporarily disables Touch ID until you enter a passcode. Twitter users discovered the new option in the iOS 11 public beta, and The Verge has verified it works as intended.

This is a handy feature because it allows Touch ID to be disabled in circumstances where someone might be able to force a phone to be unlocked with a fingerprint. With Touch ID disabled in this way, there is no way to physically unlock an iPhone with Touch ID without the device’s passcode.

As a side note, last week Mashable reported that, according to a Virginia judge, a cop can force you to unlock your phone with Touch ID but not with a passcode.

As pointed out by John Gruber:

Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.

TunnelBear completes industry’s first public security audit

TunnelBear has been my VPN service of choice for just over a year. I was excited to read that TunnelBear has undergone a public security audit by Germany-based penetration testing company Cure53. This gives confidence I’ve chosen the right VPN provider and that TunnelBear isn’t scraping and selling my browsing data.

TunnelBear Blog, 07 August 2017

Consumers and experts alike have good reason to question the security claims of the VPN industry. Over the last few years, many less reputable VPN companies have abused users’ trust by selling their bandwidth, their browsing data, offering poor security or even embedding malware.

Being within the industry, it’s been hard to watch. We knew TunnelBear was doing the right things. We were diligent about security. We deeply respected our users’ privacy. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.

Today, we’d like to announce TunnelBear has completed the Consumer VPN industry’s first 3rd party, public security audit. Our auditor, Cure53, has published their findings on their website and we’re content with the results.

However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.

You can read the full report on Cure53’s website.

1Password responds about local vaults

This is a follow-up to my article of July 12, 2017. Dave Teare, in an agilebits blog post, has clarified that for now local vaults will continue to be supported.

blog.agilebits.com · by Dave Teare · July 13, 2017:

Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

For those who purchased 1Password 6 for Mac already, you’re perfectly fine the way you are and can continue rocking 1Password the way you have been. There’s no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we’re still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options).

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today.

We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults.

There’s a message in Dave’s closing statement:

But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over whenever I can.

1Password takes it on the chin over subscriptions and cloud vaults

There was a lot of buzz over the weekend about the future of 1Password when it emerged that the service’s new subscription-based model will push users to adopt a cloud-based password storage system over locally stored password vaults.

Lorenzo Franceschi-Bicchierai writing at Motherboard:

In the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives… Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

I moved from LastPass to 1Password in Oct 2015. Why? The main reason was local vault versus having my vault on the web.

I have to say, I wouldn’t be happy if I were being forced to move to a 1Password cloud subscription plan. If I were, I’d be pissed off enough to move back to LastPass. At this point, I’m not. From reading the forums and comments by Dave Teare, we tech-savvy users, who want control over our vault, will be able to continue using our local vault version of 1Password for the foreseeable future.

For new users, it’s going to be difficult to buy a license for the local vault version. I searched the 1Password website and saw no option to buy the standalone version. From reading the forums, it sounds like the only way to do this is to write to 1Password and request it.

Cyberscoop:

Yet even with the statements provided to the public, the messaging has been mixed at best. On the product’s support forums, customers are regularly complaining that it’s become a huge challenge to buy and use the local vault version of 1Password while employees say such a request is now “complicated” and that they “want all new customers to use 1Password.com subscriptions as it is simpler to use by default.”

Dave Teare says, March 1, 2017 at 9:01 pm:

You asked “why not?” have both 1Password memberships and standalone licenses at the same time. Certainly you’re right that I don’t want to do anything to piss off our long time customers. And that’s exactly why we’re rolling out 1Password memberships exactly the way we are. You can purchase a standalone license today just like you could last week.

In defense of 1Password, I would agree that the cloud subscription model is far easier for the average non-techie user to set up and use.

Apple releases security updates for iPhone and Mac. Update now and be safe online.

On Monday Apple released security updates for iOS 10.3.2 (for iPhone and iPad users), macOS, and OS X. They also released updates for watchOS 3.2.2, iTunes, Safari, tvOS and iCloud for Windows 6.2.1.

Looking at the list of fixes it is clear that scores of security vulnerabilities have been addressed for iPhones, iPads and Macs.

US-CERT encourages users and administrators to apply the necessary updates.