Watch out for Apple Phone Phishing Scams

Security researcher Brian Krebs on his Krebs on Security blog recently outlined one of the latest phishing scams he’s seen, where an incoming phone call appears to be from a legitimate Apple support line. I’m writing about this to make you aware so that you don’t fall for the scam. Please take the time to read the blog post so that you know how the scam works.

Brian Krebs, writing for Krebs on Security in Apple Phone Phishing Scams Getting Better:

A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that displays Apple’s logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Apple’s legitimate customer support Web page, the fake call gets indexed in the iPhone’s “recent calls” list as a previous call from the legitimate Apple Support line.

Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didn’t answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.

Apple Support also offers a document on this topic: Avoid phishing emails, fake ‘virus’ alerts, phony support calls, and other scams.

Web Finds for October 2, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

Apple, Firefox tools aim to thwart Facebook, Google tracking
New protections in Apple’s Safari and Mozilla’s Firefox browsers aim to prevent companies from turning “cookie” data files used to store sign-in details and preferences into broader trackers that take note of what you read, watch and research on other sites.
Via AP News

National Cybersecurity Awareness Month: Cybersecurity at Home | US-CERT
October is National Cybersecurity Awareness Month (NCSAM), an annual campaign to raise awareness about cybersecurity. The National Cyber Security Alliance (NCSA) has published general tips to help you increase your cybersecurity awareness—including whom to contact if you are the victim of cyber crime—and protect your online activities.

NCCIC encourages users and administrators to review NCSA’s guidance for online safety basics and the NCCIC Tip on Avoiding Social Engineering and Phishing Attacks for additional information.
Via US-CERT

How to Delete Your Facebook Account: A Checklist
Here’s a guide on how to delete your Facebook account.
Via lifehacker

Previous Web Finds are here.

Facebook gets hacked again. 50 million users’ personal information put at risk.

I’m sure you’ve already read or heard about the latest Facebook hack involving the personal information of at least 50 million users. The hack was revealed in a Facebook blog post yesterday. If you haven’t, here are the details.

Mike Isaac and Sheera Frenkel, writing for the New York Times:

Facebook, already facing scrutiny over how it handles the private information of its users, said on Friday that an attack on its computer network had exposed the personal information of nearly 50 million users.

According to TechCrunch, Instagram and other third-party sites that use Facebook Login may not be out of the woods either.

In a follow-up call on Friday’s revelation that Facebook has suffered a security breach affecting at least 50 million accounts, the company clarified that Instagram users were not out of the woods — nor were any other third-party services that utilized Facebook Login. Facebook Login is the tool that allows users to sign in with a Facebook account instead of traditional login credentials and many users choose it as a convenient way to sign into a variety of apps and services.

As I’ve written before, now is a good time to delete your Facebook account. Between getting hacked and selling your personal data for advertising purposes, Zuckerberg and his gang just can’t be trusted.

Facebook is using your 2FA phone number to target you with ads

Facebook has stooped to the lowest possible level. TechCrunch has exposed the fact that Facebook is using 2FA phone numbers to target users with ads. Zuckerberg and his gang are taking the number users are using to additionally secure their accounts and using it for ad targeting.

Some months ago Facebook said that users being spammed with Facebook notifications at the number they had provided for 2FA was a bug. “The last thing we want is for people to avoid helpful security features because they fear they will receive unrelated notifications,” Facebook then-CSO Alex Stamos wrote in a blog post at the time.

I guess the bug wasn’t a bug after all. Just another Facebook lie.

Facebook has confirmed it does in fact use phone numbers that users provided it for security purposes to also target them with ads.

Specifically a phone number handed over for two factor authentication (2FA) — a security technique that adds a second layer of authentication to help keep accounts secure.

Here’s the statement, attributed to a Facebook spokesperson: “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.”

If you haven’t deleted your Facebook account yet now would be a good time to do so.

iOS Safari content blockers

Ben Brooks has published his test results for Safari content blockers. Since I’ve been thinking about a different blocker, I found his testing to be helpful. Up until today, I’ve been using the original 1Blocker, which has been called Legacy since 1Blocker X was introduced several months ago. By the way, 1Blocker X is Ben’s overall number one pick.

My concern has been whether the developer will continue to update the Legacy app.

So after reading Ben’s evaluation I’m switching over to BlockBear, his second choice overall but his first choice for those who don’t want to tinker with the settings, and that’s me. As a side note, I also use TunnelBear VPN by the same developer.

Safari Content Blocker Evaluations – 9/26/18 Edition

I ran another round of content blocker testing for Mobile Safari in order to take a look at which ones are the ‘best’ right now. To be fair: it’s really hard to find these content blockers on the App Store now, so I grabbed the ones which looked the most popular to me (top lists, and top search results) and then did the testing to see which was the best.

BLOCKBEAR

My overall rating on this was: quick, not perfect. If I needed to tell a non-technical friend or family member which content blocker to use, this would be the content blocker I would tell them to use. The setup is “cute” and dead simple. The entire app is dead simple actually, and it worked pretty well overall. No customization, but it does have whitelisting if that family member keeps having trouble with a site.

And it is fast, as it is tied for the fastest of the group. It’s not what I recommend for most people who regularly read this site, as I suspect you’ll want the features of 1Blocker X. That said, I can understand why you would use this. It’s simple and easy. And that you can whitelist from the share sheet in Safari only makes it an even better pick for those who want ease of use.

Web Finds for September 13, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

Credit Freezes Will Soon Be Free
With the one-year anniversary of the Equifax breach just behind us, here’s a reminder that you will be able to freeze your credit reports and sign up for year-long fraud alerts for free starting Sept. 21 thanks to a federal law passed earlier this year.
Via Lifehacker

IPHONE XS AND XS MAX: HANDS-ON WITH APPLE’S GIANT NEW PHONE
Apple just announced the iPhone XS and XS Max. They’re iterations on last year’s iPhone X, but the XS Max at least stands out in one very notable way: it’s so much larger. The Max has a 6.5-inch screen, making it a bigger phone than even the latest model in Samsung’s famously large Galaxy Note line.
Via The Verge

Apple iPhone XR hands-on: the new default iPhone
The new iPhone XR feels like it will be the default iPhone for many people this season. Not only does it have a very similar design to the more expensive iPhone XS model, it has many of the same features for a considerably lower price.
Via The Verge

Hello eSIM: Apple moves the iPhone away from physical SIMs
On Wednesday, Apple announced that its new iPhone XS and iPhone XS Max will use an eSIM—a purely electronic SIM that allows users to maintain a secondary phone line in a single device. That line could be a secondary domestic line (say you’re a journalist and don’t want to have separate personal and work iPhones), or the phone could have an American and Canadian number (if you travel across the border frequently).
Via Ars Technica

Previous Web Finds are here.

Web Finds for June 11, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

17 Basic macOS Terms Every Mac User Needs to Know and Master
Whether a newbie or veteran, you have a whole lot of Apple-specific glossary to pick up and master. But don’t worry, it’s not all that difficult.
Via Makeuseof

10 Strikes and You’re Out — the iOS Feature You’re Probably Not Using But Should
For many years now, iOS has offered an option in the Passcode section of the Settings app: “Erase all data on this iPhone after 10 failed passcode attempts.”
Via Daring Fireball

How to Request a Copy of Your Apple ID Account Data
Apple now allows its customers to download a copy of their personally identifiable data from Apple apps and services. This can include purchase or app usage history, Apple Music and Game Center statistics, marketing history, AppleCare support history, and any data stored on Apple servers, including the likes of calendars, photos, and documents.
Via MacRumors

4 Ways to Generate a List of Apps Installed on Your Mac
I ran across this the other day. It’s not something that I would use often but in the right situation it could be very helpful.
Via Makeuseof

Previous Web Finds are here.

iCloud data is stored on Google servers

I always thought my iCloud data was stored in an Apple-owned data center. I’m not sure why I thought that. I guess I just assumed. Turns out it’s not. It’s being stored on Google and Amazon S3 servers.

I’m not sure how I feel about that. I started avoiding Google services several years ago. I left Gmail for Fastmail. I moved my calendars and contacts from Google to Apple Calendar and Contacts. Now I find out that Apple is storing my data on Google servers.

I guess we have to trust that Apple is properly securing our data on Google and Amazon’s servers. They say they are.

iCloud stores a user’s contacts, calendars, photos, documents, and more and keeps the information up to date across all of their devices, automatically. iCloud can also be used by third-party apps to store and sync documents as well as key values for app data as defined by the developer. Users set up iCloud by signing in with an Apple ID and choosing which services they would like to use. iCloud features, including My Photo Stream, iCloud Drive, and iCloud Backup, can be disabled by IT administrators via MDM configuration profiles. The service is agnostic about what is being stored and handles all file content the same way, as a collection of bytes.

Each file is broken into chunks and encrypted by iCloud using AES-128 and a key derived from each chunk’s contents that utilizes SHA-256. The keys and the file’s metadata are stored by Apple in the user’s iCloud account. The encrypted chunks of the file are stored, without any user-identifying information, using third-party storage services, such as S3 and Google Cloud Platform.
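To make the chunk scheme in the quoted passage concrete, here is an added Go example (mine, not Apple’s code or anything from the iOS Security Guide) that splits a constructed sample into chunks, derives each AES-128 key from the SHA-256 of the chunk’s own content, and keeps keys and metadata on the account side while the store receives only anonymous blobs. The cipher mode (AES-GCM), the nonce derivation and the tiny chunk size are assumptions; the passage does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Small constructed chunk size so the sample splits into several chunks.
const chunkSize = 32

// ChunkRecord is the per-chunk metadata kept with the user's account ("the keys
// and the file's metadata"); only BlobID ever reaches the third-party store.
type ChunkRecord struct {
	BlobID string   // hex SHA-256 of the ciphertext; carries no user identity
	Key    [16]byte // AES-128 key derived from the chunk's own plaintext
	Nonce  [12]byte // GCM nonce (assumption: taken from the same digest)
}

// deriveKeyNonce is the content-derived key the quoted text describes:
// key = SHA-256(chunk)[0:16]. Taking the nonce from the same digest is a demo
// assumption; it is safe only because this key is bound to this exact plaintext.
func deriveKeyNonce(chunk []byte) (key [16]byte, nonce [12]byte) {
	d := sha256.Sum256(chunk)
	copy(key[:], d[:16])
	copy(nonce[:], d[16:28])
	return key, nonce
}

func gcmFor(key [16]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreFile splits data into chunks and returns the account-side records plus
// the blobs for the third-party store (a map standing in for S3 or Google Cloud
// Platform). Identical chunks produce identical keys and BlobIDs.
func StoreFile(data []byte) ([]ChunkRecord, map[string][]byte, error) {
	var records []ChunkRecord
	store := make(map[string][]byte)
	for off := 0; off < len(data); off += chunkSize {
		end := off + chunkSize
		if end > len(data) {
			end = len(data)
		}
		key, nonce := deriveKeyNonce(data[off:end])
		gcm, err := gcmFor(key)
		if err != nil {
			return nil, nil, err
		}
		ct := gcm.Seal(nil, nonce[:], data[off:end], nil)
		id := sha256.Sum256(ct)
		rec := ChunkRecord{BlobID: hex.EncodeToString(id[:]), Key: key, Nonce: nonce}
		records = append(records, rec)
		store[rec.BlobID] = ct
	}
	return records, store, nil
}

// RestoreFile fetches each blob by ID, verifies the GCM tag and reassembles the
// file; a missing or tampered blob fails closed instead of yielding garbage.
func RestoreFile(records []ChunkRecord, store map[string][]byte) ([]byte, error) {
	var out bytes.Buffer
	for _, rec := range records {
		ct, ok := store[rec.BlobID]
		if !ok {
			return nil, fmt.Errorf("missing blob %s", rec.BlobID)
		}
		gcm, err := gcmFor(rec.Key)
		if err != nil {
			return nil, err
		}
		pt, err := gcm.Open(nil, rec.Nonce[:], ct, nil)
		if err != nil {
			return nil, fmt.Errorf("blob %s failed authentication: %w", rec.BlobID, err)
		}
		out.Write(pt)
	}
	return out.Bytes(), nil
}

func main() {
	doc := bytes.Repeat([]byte("constructed sample document text"), 3) // three identical 32-byte chunks
	recs, store, _ := StoreFile(doc)
	back, err := RestoreFile(recs, store)
	fmt.Println(len(recs), len(store), bytes.Equal(back, doc), err) // 3 1 true <nil>
}
```

Because the key comes from the content, identical chunks from any file map to the same blob, which is what lets the storage side deduplicate without learning whose data it holds. The same property means anyone who already has a plaintext chunk can compute its key, so the scheme protects against the storage provider reading data, not against guessing predictable content.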

CNBC first reported on this.

Don’t use Facebook’s data tracking Onavo VPN: It’s spying on you!

Facebook is always looking for new ways to violate user privacy. They’ve instituted a new one.

In the Facebook iOS mobile app, they recently added a new button under the Settings menu called “Protect”. When you click on “Protect” it takes you to an app in the App Store called “Onavo Protect – VPN Security”. Don’t install it.

This may seem like a good option for a free security app, but it’s not.

This is indeed a VPN. But, it routes all your web browsing and app usage data to a Facebook server. Think I’m kidding? I’m not. They even tell you they are.

From the Onavo description in the App Store:

To provide this layer of protection, Onavo uses a VPN to establish a secure connection to direct all of your network communications through Onavo’s servers. As part of this process, Onavo collects your mobile data traffic. This helps us improve and operate the Onavo service by analyzing your use of websites, apps and data. Because we’re part of Facebook, we also use this info to improve Facebook products and services, gain insights into the products and services people value, and build better experiences.

This is nothing more than Facebook spyware. If you’re looking for a VPN I can recommend TunnelBear. It’s what I use. It’s not free though. But remember, if it’s free, you’re the product.

Web Finds for January 12, 2018

Web Finds are from my web surfing travels. You’ll find some unique and informative news, apps and websites that you may have never known existed. Enjoy!

Apple planning new, “robust” parental controls to help protect children, teens
In a report by The Wall Street Journal, Apple states it has plans to create new software features that will make its current parental controls on iPhone and other devices “even more robust.”
Via Ars Technica

Apple Shares Updated iOS Security Guide With Info on Face ID, Apple Pay Cash and More
Apple this afternoon published an updated version of its iOS Security white paper for iOS 11 [PDF], with information that covers features introduced in iOS 11.1 and iOS 11.2, like Face ID and Apple Pay Cash.
Via MacRumors

How-To Disable macOS High Sierra Upgrade Notifications
Is it just me or are those daily upgrade notifications for upgrading to macOS High Sierra annoying the bleep out of you? Every time I turn on my MacBook (2017), it immediately starts up with that exasperating High Sierra notice to upgrade to High Sierra so I can “enjoy the latest technologies and refinements.” And it’s even popping up on my iMac (2015 with Fusion Drive), that Apple itself recommends NOT updating to High Sierra. And I really DON’T want to upgrade to macOS High Sierra right now on any of my Macs!
Via AppleToolBox

How-To Fix an iPad Keyboard That’s Split in Half or Two
One of the most frequent questions we get from our iPad friends and readers is problems with their iPad keyboards. Specifically, what should you do when your iPad keyboard is split down the middle with half of it on the left side and the other part on the right side of your iPad’s screen. Just how do you get it back together like it should be? For many iFolks, this is a very annoying problem that they just can’t figure out how to fix!
Via AppleToolBox

The iPad Gestures You Should Master
Your Dock will follow you wherever you go, in any iPad app. Just swipe up about an inch from the bottom of the screen to bring up your Dock and its list of applications, along with the three most recent apps used. You can add up to 13 apps to your Dock so you have the most important ones at your fingertips, apps you can drag and drop to use for multitasking.
Via lifehacker

Previous Web Finds are here.

Worst passwords of 2017 still include “123456” and “password”

SplashData has published its annual list of the worst passwords of the year. The data was pulled from over five million passwords that were leaked by hackers in 2017.

Despite many well-publicized data leaks in 2017, it looks like many people are continuing to use weak passwords like “123456” and “password” that are easily guessed by hackers.

If you’re still using weak passwords please, please do yourself a favor and stop. Get a password manager. I use 1Password. With 1Password I’m able to have a unique, strong password for every website that requires a password, and the best part is I don’t have to remember them because 1Password does it for me.

1Password has an app for Mac and iOS. LastPass is another option.

Web Finds for December 11, 2017

Web Finds are from my web surfing travels. You’ll find some unique, informative, and some of the coolest websites and apps that you may have never known existed. Enjoy!

How to Use Do Not Disturb While Driving on iPhone
Do Not Disturb While Driving is an iPhone specific safety feature. When Do Not Disturb While Driving is activated on iPhone, no calls, messages, notifications, or alerts will come through to the iPhone. I have my iPhone set to automatically go to do not disturb as soon as my car starts moving.

How to Lock Your Mac Screen and Protect It from Prying Eyes
Whether you’re at home or at work, you might not want other people snooping on your Mac when you step away. Leaving your Mac unlocked and unattended allows others nearby to read your emails, text messages, browser history, and all your files. You don’t need to shut down your Mac, you don’t even need to log out. You can just lock it.

How to restore deleted files from iCloud Drive
I use Dropbox more often than iCloud Drive. One of Dropbox’s features is the ability to recover deleted files. I didn’t know I could also recover deleted files in iCloud Drive.

Phishers Are Upping Their Game. So Should You. — Krebs on Security
This read is worth your time. Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.

Previous Web Finds are here.

Equifax breach caused by failure to patch two-month-old bug

Negligence! If they had patched their server(s) the day the patch was released, this would never have happened.

This is inexcusable! Heads should roll. Maybe it’s time some people go to jail for this kind of sh^t.

Dan Goodin, writing for Ars Technica, 9/13/2017, 8:12 PM:

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.

The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack by hackers who were exploiting the flaw to install rogue applications on web servers. Five days after that, the exploits showed few signs of letting up. Equifax has said the breach on its site occurred in mid-May, more than two months after the flaw came to light and a patch was available.

Up to now, Equifax has said only that criminals exploited an unspecified application vulnerability on its US site to gain access to certain files. Now, we know that the flaw was in Apache Struts and had been fixed months before the breach occurred.

The Equifax Breach: What You Should Know

I’m sure you’re pissed about the Equifax breach just like I am. And I’m sure you’re as concerned about how this affects you as I am.

Brian Krebs of KrebsOnSecurity, an expert in the area of data breaches, has written an excellent article about what we need to know to protect ourselves in light of the “Equifax Breach”.

Please, please take the time to read his article.

Brian Krebs, writing for KrebsOnSecurity:

Here’s what you need to know and what you should do in response to this unprecedented breach.

Some of the Q&As below were originally published in a 2015 story, How I Learned to Stop Worrying and Embrace the Security Freeze. It has been updated to include new information specific to the Equifax intrusion.

https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

iOS 11 has a way to quickly disable Touch ID and require a passcode

As reported last week by The Verge, iOS 11 has a way to quickly and discreetly disable Touch ID.

According to The Verge:

Apple is adding an easy way to quickly disable Touch ID in iOS 11. A new setting, designed to automate emergency services calls, lets iPhone users tap the power button quickly five times to call 911. This doesn’t automatically dial the emergency services by default, but it brings up the option to and also temporarily disables Touch ID until you enter a passcode. Twitter users discovered the new option in the iOS 11 public beta, and The Verge has verified it works as intended.

This is a handy feature because it allows Touch ID to be disabled in circumstances where someone might be able to force a phone to be unlocked with a fingerprint. With Touch ID disabled in this way, there is no way to physically unlock an iPhone with Touch ID without the device’s passcode.

As a side note, last week Mashable reported that, according to a Virginia judge, a cop can force you to unlock your phone with Touch ID but not with a passcode.

As pointed out by John Gruber:

Until iOS 11 ships, it’s worth remembering that you’ve always been able to require your iPhone’s passcode to unlock it by powering it off. A freshly powered-on iPhone always requires the passcode to unlock.

TunnelBear completes industry’s first public security audit

TunnelBear has been my VPN service of choice for just over a year. I was excited to read that TunnelBear has undergone a public security audit by Germany-based penetration testing company Cure53. This gives confidence I’ve chosen the right VPN provider and that TunnelBear isn’t scraping and selling my browsing data.

TunnelBear Blog, 07 August 2017:

Consumers and experts alike have good reason to question the security claims of the VPN industry. Over the last few years, many less reputable VPN companies have abused users’ trust by selling their bandwidth, their browsing data, offering poor security or even embedding malware.

Being within the industry, it’s been hard to watch. We knew TunnelBear was doing the right things. We were diligent about security. We deeply respected our users’ privacy. While we can’t restore trust in the industry, we realized we could go further in demonstrating to our customers why they can, and should, have trust in TunnelBear.

Today, we’d like to announce TunnelBear has completed the Consumer VPN industry’s first 3rd party, public security audit. Our auditor, Cure53, has published their findings on their website and we’re content with the results.

However, the recent crisis of trust in the VPN industry showed us we needed to break the silence and share Cure53’s findings publicly. Today we’re sharing a complete public audit which contains both the results from last year and the results from the current audit.

You can read the full report on Cure53’s website.

1Password responds about local vaults

This is a follow-up to my article of July 12, 2017. Dave Teare, in an AgileBits blog post, has clarified that for now local vaults will continue to be supported.

blog.agilebits.com · by Dave Teare · July 13, 2017:

Many Mac users worry that the same fate awaits 1Password 6 for Mac, and that we will remove support for local vaults and force them to pay again.

This isn’t going to happen. First, it would be evil to take away something you’ve already paid for. And evil doesn’t make for a Happy 1Password Customer, which is the cornerstone for a Happy 1Password Maker. It’s simply not who we are.

For those who purchased 1Password 6 for Mac already, you’re perfectly fine the way you are and can continue rocking 1Password the way you have been. There’s no requirement to change anything as we will not be removing features or forcing you to subscribe. In fact we’re still selling licenses of 1Password 6 for Mac for those that really need them (you can find them today on the setup screen under More Options).

And you need not worry about 1Password 7 for Mac, either, as it will continue to support standalone vaults just like version 6 does today.

We know that not everyone is ready to make the jump yet, and as such, we will continue to support customers who are managing their own standalone vaults. 1Password 6 and even 1Password 7 will continue to support standalone vaults.

There’s a message in Dave’s closing statement:

But 1Password memberships are indeed awesome and are the best way to use 1Password, and as such, I am going to continue to nudge you over whenever I can.

1Password takes it on the chin over subscriptions and cloud vaults

There was a lot of buzz over the weekend about the future of 1Password when it emerged that the service’s new subscription-based model will push users to adopt a cloud-based password storage system over locally stored password vaults.

Lorenzo Franceschi-Bicchierai writing at Motherboard:

In the last few years, 1Password has become a favorite for hackers and security researchers who often recommend it above all other alternatives… Last weekend, though, several security researchers tweeted that 1Password was moving away from allowing people to pay for a one-time license and have local password vaults, in favor of its cloud-based alternative that requires a monthly subscription.

I moved from LastPass to 1Password in Oct 2015. Why? The main reason was having a local vault versus having my vault on the web.

I have to say, I wouldn’t be happy if I were being forced to move to a 1Password cloud subscription plan. If I were, I’d be pissed off enough to move back to LastPass. At this point, I’m not. From reading the forums and comments by Dave Teare, we tech-savvy users, who want control over our vaults, will be able to continue using the local vault version of 1Password for the foreseeable future.

For new users, it’s going to be difficult to buy a license for the local vault version. I searched the 1Password website and saw no option to buy the standalone version. From reading the forums it sounds like the only way to do this is to write to 1Password and request it.

Cyberscoop:

Yet even with the statements provided to the public, the messaging has been mixed at best. On the product’s support forums, customers are regularly complaining that it’s become a huge challenge to buy and use the local vault version of 1Password while employees say such a request is now “complicated” and that they “want all new customers to use 1Password.com subscriptions as it is simpler to use by default.”

Dave Teare says, March 1, 2017 at 9:01 pm:

You asked “why not?” have both 1Password memberships and standalone licenses at the same time. Certainly you’re right that I don’t want to do anything to piss off our long time customers. And that’s exactly why we’re rolling out 1Password memberships exactly the way we are. You can purchase a standalone license today just like you could last week.

In defense of 1Password, I would agree that the cloud subscription model is far easier for the average non-techie user to set up and use.

Apple releases security updates for iPhone and Mac. Update now and be safe online.

On Monday Apple released security updates: iOS 10.3.2 (for iPhone and iPad users), macOS, and OS X. They also released updates for watchOS 3.2.2, iTunes, Safari, tvOS and iCloud for Windows 6.2.1.

Looking at the list of fixes it is clear that scores of security vulnerabilities have been addressed for iPhones, iPads and Macs.

US-CERT encourages users and administrators to apply the necessary updates.

Apple Says It Has Patched The Vulnerabilities Mentioned In The Wikileaks Dump Of CIA Cyber Tools

Yesterday Wikileaks leaked documents named Vault 7. Vault 7 details the government’s efforts to hack popular devices like iPhones, Android phones, and Samsung smart TVs. According to a Wikileaks Vault 7 press release the CIA has a special branch dedicated to attacks against the iPhone.

Despite iPhone’s minority share (14.5%) of the global smart phone market in 2016, a specialized unit in the CIA’s Mobile Development Branch produces malware to infest, control and exfiltrate data from iPhones and other Apple products running iOS, such as iPads. CIA’s arsenal includes numerous local and remote “zero days” developed by CIA or obtained from GCHQ, NSA, FBI or purchased from cyber arms contractors such as Baitshop. The disproportionate focus on iOS may be explained by the popularity of the iPhone among social, political, diplomatic and business elites.

Yesterday, Apple said in a statement provided to TechCrunch that most of the vulnerabilities detailed in the leaks have been patched.

“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

I think this tweet puts the whole thing in perspective.