Several MacSparky Labs members have asked about my thoughts on Apple devices and the risks of shoulder surfing, where someone looks over your shoulder and steals your passcode. I do, indeed, have thoughts. Here you go…
This is a post for MacSparky Labs Members only. Care to join? Or perhaps do you need to sign in?
Malicious email is not comically dumb any more. One malicious strain, called Emotet, appears to come from a known contact and looks as if it is replying to an existing thread. If you click on the links or attachments, you are done for. Dan Goodin at Ars Technica breaks it down.
For me, if it has an embedded link or an attachment, I assume it is malicious until proven otherwise. This is particularly true from financial institution-related or account-related email. I’ve managed to avoid trouble because of constant vigilance. I wonder how many people out there have been compromised and don’t even realize it.
1Password announced on their blog that they’ll be incorporating passkeys into their app by summer. Passkey is a great technology and will help many folks be more secure on the Internet. I love that 1Password is early to the game. My question is about the app name. If you start using it, will you call it “NoPassword” instead of “1Password”?
Here’s a short video breaking down how this morning I dealt with a Phishing attempt combined with an iCloud outage. That’s exactly the kind of combination that can get people in trouble.
Here’s my short video explainer. I made this a public link so you can share it with friends and family that may not have known better.
Today Apple announced some nice updates to the iCloud security features. The following features now have end-to-end encryption on iCloud:
End-to-end encryption means your data can’t be viewed on the server in these categories (if you opt in). Put simply, Apple will no longer be able to see the above categories of data. If Apple gets hacked in the future, the bad guys can’t see your data either.
Apple has very publicly stated an interest in protecting user privacy. I believe them. What is impressive about this is how they’ve added the encryption at Apple’s user-base scale. That can’t be easy.
At this point, it’s opt-in. You must go into the iCloud settings and click on Advance Data Protection. I will be opting in. Advanced Data Protection is in the latest iOS 16.2 beta. It will be available to all U.S. customers by the end of the year and rolling out to the world in early 2023.
One note of caution, however, is that this means if you ever lose passwords, the data is gone. Apple can’t help you. So get your password security sorted out before you push the button.
Craig Federighi did an interview with Joanna Stern on these updates. She did a great job explaining end-to-end encryption in the process.
With Apple’s latest round of updates, we’ve got a new password feature that lets your computer manage passwords for you in the background. There are a lot of advantages to this new “Passkey” system. (Here’s Apple’s explainer.) It isn’t dependent on user-generated passwords. It’ll guarantee people use different passwords for different sites. It will also help you avoid phishing attacks because it won’t work on spoofed websites. This comes at the cost of some loss of control, but third parties are already working on that (like 1Password in this video).
I’m curious, however, as to when Passkey websites will start showing up. So far, I’ve seen none. For this to work, websites must adopt some new backend technologies, and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above. I’ve been asking about it for MacSparky.com with some of my platform providers, and I’m told to cool my jets. I sure hope this all gets sorted out. It will help web security for a lot of people once it gets rolling.
Hackers managed to grab names, account details, and telephone numbers from 553 million Facebook users, and now they’ve published all that data on the web. Yikes. I’m shocked at the scope but not the source.
If you have a Facebook account, now is the time to be on alert for scammy phone calls from people who will try and social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need “immediate payment to avoid criminal prosecution”. I’m sure they’ll come up with even more dreadful ways to abuse this treasure trove of data.
I continue to dig my Eufy security cameras. However, one issue I have is the camera that looks down at my driveway and the front of my house. It’s a battery camera, and I have to get out a ladder to pull it down and charge every so often.
It was getting just tedious enough for me to consider running a dedicated electric line through the garage when I saw that Eufy now makes a solar charger for their cameras. I ordered one, and it has been running for six weeks. The camera is now always fully charged, and my ladder has not moved.
We’re getting closer to the release of iOS 14.5, and it’s adding a feature that Apple Watch owners are going to dig. Specifically, if you are wearing a face mask and an Apple Watch, you’ll still be able to unlock your iPhone without using a passcode.
Once you turn the feature on, the iPhone has some new unlock logic:
Is the user wearing a face mask?
No – Go to the usual Face ID unlock.
Yes – Go to step 2.
Does the user have a connected, unlocked Apple Watch very close to the phone?
Yes – Unlock.
No – Go to the passcode unlock.
So, if you are wearing a face mask and you have an unlocked Apple Watch in very close proximity (less than 1 meter) to your phone, you get an unlock. In that event, you also get a prompt on your wrist letting you lock the phone back up. Interestingly, that step 1 looks for any person with a face mask. It doesn’t try to figure out if it is specifically you wearing a face mask. John Gruber did all the research on the beta build and reports in further detail.
I plan on turning this feature on once the update ships. I am so tired of tapping in my passcode when using my phone while masked.
I still bump into people that think their Macs are somehow immune from Malware. That just isn’t the case. Mac users are just as able to download malicious code as Windows users are. Historically, however, we’ve had some advantages on the Mac:
A Smaller Target
There just are not as many Macs in the world as there are Windows computers. Moreover, often the targets of malware (business and financial institutions) don’t run Macs.
Apple’s Increasing Emphasis on Security
Apple has been putting the screws down on macOS for years now. They’ve steered users toward the App Store, where they have more control over the apps you install on your Mac. They’ve rebuilt the plugin systems for Apple Mail and Safari so they are much more secure. They’ve implemented a notarization system for apps and they’ve even created a way to disable binaries from Apple Servers.
These two factors have combined to give Mac users a false sense of security. All that said, if you install an app from an untrusted source (or if one of your trusted sources that was unknowingly compromised, which happens), users are fully capable of installing malware on their systems.
That happened over the past few months with a malicious payload known as Silver Sparrow. (Red Canary did an excellent job documenting it.). It looks like this one was caught before it did any real damage (and Apple has now disabled the binary), but the advantage of catching this unexploded bomb was that it gave security researchers an opportunity to study it in detail. Silver Sparrow was designed to launch additional software that would do who knows what. It was also designed to cover its own tracks. It was very sophisticated software designed to run on both Intel and Apple Silicon Macs. Malware is increasingly targeting the Mac at a time when malware is getting increasingly advanced.
You shouldn’t be paranoid, but you also shouldn’t assume you are safe just because you are on a Mac. Don’t install software from unknown developers. Be careful around unknown download links and email attachments. In short, keep your head screwed on.
Whenever this question comes up, I get asked if I’m running virus software on my Mac. Currently, I am not. In my experience, virus software too often comes with its own set of headaches. However, reading about Silver Sparrow has me considering it again.