security

Instagram Password SNAFU Affects “Millions" of Users

A while back, Facebook disclosed that thousands of Instagram users’ usernames and passwords were stored in plain text on Facebook servers and exposed to thousands of employees. Last week, coincidentally the same day as the release of the Mueller Report, Facebook updated the post and admitted the problem was more significant than they initially thought. (Kudos to TechCrunch for catching the update.) With this latest update, Facebook states the security lapse affected “millions” of users.

I know these posts are starting to sound like a broken record, but I cannot emphasize enough how important it is that you manage your own passwords. You have to be extra vigilant because the people you trust on those websites are not necessarily worthy of that trust.

Get yourself a good password manager. (My favorite continues to be Mac Power Users’ sponsor 1Password.) Change your most important passwords frequently. Be careful out there.

Email Breach


Wired recently published an article about the discovery of a database containing 809 million total records exposed online. The MongoDB (freely available to hackers for some time now) contains 150 gigabytes of plain-text marketing data, including 763 unique email addresses.

These days it seems I get nearly as much phishing email as regular email. Setting aside the discussion of email being unproductive, at what point does the medium fail just because we stop believing any email we receive is legitimate? I'm already getting that way with nearly all of my vendors.

Rubbish Passwords

Every year, Splash Data reveals its list of the year's most commonly used passwords. This year the usual suspects, like "123456" and "password", are, again at the top of the list. I had to grin that "starwars" has made its way to the list this year at #16. Funny. I would have that guessed that #diejarjardie would rate higher.

If you're reading this blog, I'm guessing you already have a good password system and are not using any of these rubish passwords. Your family and friends, however, are most likely using lots of them. If you are spending time with some of the damned over the holidays, send them the Splash Data list and try to get through to them just how dangerous these common passwords are. I've been using 1Password since it launched and that's a good recommendation (use this link for 20% off) but regardless of what system you put them on, put them on something. 

Time for an iCloud Security Tuneup

Depending on who you believe, hackers have either compromised 600 million iCloud accounts or they have just a few and are trying shake Apple down for $150,000. Sometimes, humans are the worst. 

Either way, either today (or this weekend) would be a great time to:

  1. Reset your iCloud password. You can do that at appleid.apple.com.
  2. Turn on Apple’s two-factor authentication. 
  3. Have a cookie. You’ve earned it.

All of this will take you 10 minutes and make you a lot less vulnerable to terrible people.

Wikileaks and CIA iOS Exploits

Yesterday Wikileaks barfed up another pile of alleged confidential data, this time from the CIA. Setting aside the separate conversation about exactly who Wikileaks works for these days, I do believe the CIA, NSA, and intelligence agencies of every other country in the world has an interest in hacking iOS devices. Both hackers and governments have significant motivations to read private data. The question is what our hardware and software vendors are doing to protect us.

Apple released a statement on this point yesterday:

Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.
— Apple on alleged CIA iOS hacks

The battle to retain our privacy will never end. Apple will continue to build walls and governments and hackers will continue to batter them. I do believe Apple is committed to this fight but the continued protection of our private data is by no means a certainty at this point.

Yahoo Hacked Again for Another 1,000,000,000 Accounts

I'm a little late with this story but thought it worth sharing anyway. Yahoo announced last week that they had another security breach (in addition to the 500 million hacked accounts earlier this year). This newly disclosed breach, which happened in 2013, involved 1 Billion Yahoo accounts. As seen in the title, that's a lot of zeros.

It appears Yahoo's user data has been compromised multiple times in recent years. If you've used Yahoo in the past and cancelled your account, please make sure you didn't use the password you had at Yahoo anywhere else. If you have a Yahoo account, why are you still reading this? Go cancel it .... now.

Knocking and Unlocking

In a recent episode of the Mac Power Users I made an offhand remark how I thought it would be clever to use the Apple Watch to unlock my Mac. I received multiple emails from listeners telling me that this functionality effectively exists already with the application called Knock. I’ve been using Knock (iTunes) (website) now for a few weeks and am happy to report that those listeners were correct.

Knock is an iPhone application. It costs four dollars and once you install it, your iPhone becomes aware of when it gets near your Mac, even when it is locked. (You also need to download and install a utility app on your Mac found on their website.) Once you’ve got the system in place, when you get near your Mac, you will see a message on the lock screen that invites you to unlock by knocking twice on your phone. You can do this right in your pocket. For added fun, do this while pointing a toy sonic screwdriver at your Mac. The developer has a clever video that shows off this feature on their website.

After two weeks I’m convinced that this is more than a cute demo. I love unlocking my Mac simply by walking up to it and knocking on my pocket. I still think the Apple Watch could make this even easier but for now, you should check out Knock.

Weekend Project: Heartbleed Recovery Kit

There has been plenty of news about the Heartbleed bug this week. TidBITS did a great job summing it up. It appears something we all took for granted as really secure (Open SSL) really wasn't. As users that means we've potentially been compromised at a lot of websites. I say "potentially" because there is really no way to log incursions due to the nature of this bug. That's a little terrifying. So what should you be doing this weekend?

First take a look at this handy list from Mashable. If any of your vendors and online accounts show up as compromised AND fixed (that second part is important), log in and reset your password. If the site is compromised but not fixed yet, don't log in. In that case, don't touch it until it is fixed.

You all know how I'll be updating my passwords, with 1Password, which was not compromised. As an aside, someone at Macworld/iWorld asked me why I always change my major passwords (banking, iTunes, Amazon, Dropbox, Paypal) twice a year. Things like this are why (although in fairness this bug is so bad that wouldn't have saved me either).

Secure a Network for Some Turkey

If you are going to be on the road this Thanksgiving visiting your muggle relatives, that would be an excellent time to do them a favor and enable OpenDNS. It is ridiculously easy and I’d bet your hosts will be really thankful if you can ban porn from their homes, especially if there are kids. We talked about OpenDNS on the Mac Power Users ages ago but it is all still relevant. Also, my pal Katie Floyd made this handy screencast. 

Hacking The Onion

I found this article about the Syrian Electronic Army hacking The Onion fascinating. They pulled it off with phishing. In particular, they embedded malicious links in friendly sounding email. Once they got a few people to bite, they used those compromised email accounts to double down and phish more employees using their friends' emails. This really makes me question the use of embedded links in email. They are so convenient but also so easy to abuse.

There are some tools in Apple mail to expose a link before opening it. Regardless, be careful out there. (Link found via John Gruber).

Screen Shot 2013-05-14 at 11.47.45 AM.png

Going on Offense with OpenDNS

My 8-year-old niece slept over our house over the weekend. As I was watching her sit behind the family iMac, I saw her search for "My Little Pony". Her first hit was an OpenDNS blocked porn site. You see, searching "My Little Pony" does not always return the results you would expect. However, instead of being exposed to something that 8 year olds should never see, she got the OpenDNS block screen and moved on. I have to admit I was shocked (though I probably shouldn't have been). My niece didn't even realize what had happened. In a few minutes, she had found the site she was looking for and was very pleased with Pinky Pie. My takeaway is that now, more than ever, perfectly innocent kids can find all sorts of things they shouldn't see without trying. In short, I believe in OpenDNS now more than ever.

If you're not familiar with it, OpenDNS is a free service that offers to replace your local Internet service provider's domain name server (DNS). (DNS is, essentially, the address book of the Internet connecting words like "macsparky.com" with the ones and zeroes behind the Internet.) A lot of ISP's have pretty crummy DNS services and OpenDNS is usually faster at getting you between where you are and where you want to go.

OpenDNS does more than just DNS service though. It also does tracking and, if you please, filtering. I've got the "moderate" filter turned on preventing any computer, iPad, iPhone or other iThingy in my house from connecting to porn sites or other red-flagged security threats. It is really easy to set this up. My pal Katie Floyd even made a video showing you how (below). They also have video tutorials and walkthoughs for every major brand of router. This isn't rocket science.

The only downside that I've ever heard is that some people report streaming content through iTunes (like movies) is sometimes slower when using OpenDNS than when using your local ISP. One clever friend explained this is because Apple will pick the streaming server based on your location and OpenDNS doesn't give them that. I've not noticed a difference between OpenDNS and my local cable company for streaming iTunes so it is not an issue for me.

Not only do I think anyone that has kids on their network should enable OpenDNS, I also think us alpha nerds should be pushing this out to our family, friends, and loved ones. I've decided I'm going on offense with this and am going to start setting it up for friends and family on their home routers. Kids should be able to search "My Little Pony" without finding something that would give me nightmares.

Secure Data in Your Pocket?

The not-so-surprising news this week is that if someone gets physical possession of your stuff, there is a really good chance they’ll get the electronic bits too. Remember to get a separate secured database on those mobile devices (like 1Password secure notes) so there is a second layer. Keyboard lock the phone (not every thief is a hacker) and back up your phone often so you have no hesitation to pull the trigger on a remote wipe if it does go missing. That is all, for now.

MacSparky.com is sponsored by Bee Docs Timeline 3D. Make a timeline presentation with your Mac.

PGP for Snow Leopard Shipping

 

PGP 10.0 is now out of beta and shipping for Snow Leopard. The new version includes several nice upgrades including support for Boot Camp, Windows 7 (32 & 64 bit), and Linux support. I've been running the beta a few months and had no troubles. Encryption and decryption are faster and PGP reports there are additional safeguards against boot disk corruption. If you have sensitive data on your Mac, I've found no better solution than PGP.