Wikileaks and CIA iOS Exploits

Yesterday Wikileaks barfed up another pile of alleged confidential data, this time from the CIA. Setting aside the separate conversation about exactly who Wikileaks works for these days, I do believe the CIA, NSA, and intelligence agencies of every other country in the world has an interest in hacking iOS devices. Both hackers and governments have significant motivations to read private data. The question is what our hardware and software vendors are doing to protect us.

Apple released a statement on this point yesterday:

data-animation-override>
“Apple is deeply committed to safeguarding our customers’ privacy and security. The technology built into today’s iPhone represents the best data security available to consumers, and we’re constantly working to keep it that way. Our products and software are designed to quickly get security updates into the hands of our customers, with nearly 80 percent of users running the latest version of our operating system. While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities. We always urge customers to download the latest iOS to make sure they have the most recent security updates.”

— Apple on alleged CIA iOS hacks

The battle to retain our privacy will never end. Apple will continue to build walls and governments and hackers will continue to batter them. I do believe Apple is committed to this fight but the continued protection of our private data is by no means a certainty at this point.

Yahoo Hacked Again for Another 1,000,000,000 Accounts

I’m a little late with this story but thought it worth sharing anyway. Yahoo announced last week that they had another security breach (in addition to the 500 million hacked accounts earlier this year). This newly disclosed breach, which happened in 2013, involved 1 Billion Yahoo accounts. As seen in the title, that’s a lot of zeros.

It appears Yahoo’s user data has been compromised multiple times in recent years. If you’ve used Yahoo in the past and cancelled your account, please make sure you didn’t use the password you had at Yahoo anywhere else. If you have a Yahoo account, why are you still reading this? Go cancel it …. now.

Knocking and Unlocking

In a recent episode of the Mac Power Users I made an offhand remark how I thought it would be clever to use the Apple Watch to unlock my Mac. I received multiple emails from listeners telling me that this functionality effectively exists already with the application called Knock. I’ve been using Knock (iTunes) (website) now for a few weeks and am happy to report that those listeners were correct.

Knock is an iPhone application. It costs four dollars and once you install it, your iPhone becomes aware of when it gets near your Mac, even when it is locked. (You also need to download and install a utility app on your Mac found on their website.) Once you’ve got the system in place, when you get near your Mac, you will see a message on the lock screen that invites you to unlock by knocking twice on your phone. You can do this right in your pocket. For added fun, do this while pointing a toy sonic screwdriver at your Mac. The developer has a clever video that shows off this feature on their website.

After two weeks I’m convinced that this is more than a cute demo. I love unlocking my Mac simply by walking up to it and knocking on my pocket. I still think the Apple Watch could make this even easier but for now, you should check out Knock.

Weekend Project: Heartbleed Recovery Kit

There has been plenty of news about the Heartbleed bug this week. TidBITS did a great job summing it up. It appears something we all took for granted as really secure (Open SSL) really wasn’t. As users that means we’ve potentially been compromised at a lot of websites. I say “potentially” because there is really no way to log incursions due to the nature of this bug. That’s a little terrifying. So what should you be doing this weekend?

First take a look at this handy list from Mashable. If any of your vendors and online accounts show up as compromised AND fixed (that second part is important), log in and reset your password. If the site is compromised but not fixed yet, don’t log in. In that case, don’t touch it until it is fixed.

You all know how I’ll be updating my passwords, with 1Password, which was not compromised. As an aside, someone at Macworld/iWorld asked me why I always change my major passwords (banking, iTunes, Amazon, Dropbox, Paypal) twice a year. Things like this are why (although in fairness this bug is so bad that wouldn’t have saved me either).

Secure a Network for Some Turkey

If you are going to be on the road this Thanksgiving visiting your muggle relatives, that would be an excellent time to do them a favor and enable OpenDNS. It is ridiculously easy and I’d bet your hosts will be really thankful if you can ban porn from their homes, especially if there are kids. We talked about OpenDNS on the Mac Power Users ages ago but it is all still relevant. Also, my pal Katie Floyd made this handy screencast.

2.9 Million Adobe Accounts Compromised

It looks like they got customer names and encrypted passwords. I feel for Adobe. With a big database like that, how can you truly keep it safe with hackers always probing for another way in. It takes just one chink in the armor.

Did I mention there is a 1Password update out today? Be careful out there.

∞

Hacking The Onion

I found this article about the Syrian Electronic Army hacking The Onion fascinating. They pulled it off with phishing. In particular, they embedded malicious links in friendly sounding email. Once they got a few people to bite, they used those compromised email accounts to double down and phish more employees using their friends’ emails. This really makes me question the use of embedded links in email. They are so convenient but also so easy to abuse.

There are some tools in Apple mail to expose a link before opening it. Regardless, be careful out there. (Link found via John Gruber).

∞

Screen Shot 2013-05-14 at 11.47.45 AM.png

Going on Offense with OpenDNS

My 8-year-old niece slept over our house over the weekend. As I was watching her sit behind the family iMac, I saw her search for “My Little Pony”. Her first hit was an OpenDNS blocked porn site. You see, searching “My Little Pony” does not always return the results you would expect. However, instead of being exposed to something that 8 year olds should never see, she got the OpenDNS block screen and moved on. I have to admit I was shocked (though I probably shouldn’t have been). My niece didn’t even realize what had happened. In a few minutes, she had found the site she was looking for and was very pleased with Pinky Pie. My takeaway is that now, more than ever, perfectly innocent kids can find all sorts of things they shouldn’t see without trying. In short, I believe in OpenDNS now more than ever.

If you’re not familiar with it, OpenDNS is a free service that offers to replace your local Internet service provider’s domain name server (DNS). (DNS is, essentially, the address book of the Internet connecting words like “macsparky.com” with the ones and zeroes behind the Internet.) A lot of ISP’s have pretty crummy DNS services and OpenDNS is usually faster at getting you between where you are and where you want to go.

OpenDNS does more than just DNS service though. It also does tracking and, if you please, filtering. I’ve got the “moderate” filter turned on preventing any computer, iPad, iPhone or other iThingy in my house from connecting to porn sites or other red-flagged security threats. It is really easy to set this up. My pal Katie Floyd even made a video showing you how (below). They also have video tutorials and walkthoughs for every major brand of router. This isn’t rocket science.

The only downside that I’ve ever heard is that some people report streaming content through iTunes (like movies) is sometimes slower when using OpenDNS than when using your local ISP. One clever friend explained this is because Apple will pick the streaming server based on your location and OpenDNS doesn’t give them that. I’ve not noticed a difference between OpenDNS and my local cable company for streaming iTunes so it is not an issue for me.

Not only do I think anyone that has kids on their network should enable OpenDNS, I also think us alpha nerds should be pushing this out to our family, friends, and loved ones. I’ve decided I’m going on offense with this and am going to start setting it up for friends and family on their home routers. Kids should be able to search “My Little Pony” without finding something that would give me nightmares.

Configuring OpenDNS from Mac Power Users on Vimeo.

Disabling Java on Your Mac

Given the latest stories about Java vulnerabilities, this is probably a good idea. Uncheck “Enable Java” in the Security pane of Safari’s preferences.

Secure Data in Your Pocket?

The not-so-surprising news this week is that if someone gets physical possession of your stuff, there is a really good chance they’ll get the electronic bits too. Remember to get a separate secured database on those mobile devices (like 1Password secure notes) so there is a second layer. Keyboard lock the phone (not every thief is a hacker) and back up your phone often so you have no hesitation to pull the trigger on a remote wipe if it does go missing. That is all, for now.

MacSparky.com is sponsored by Bee Docs Timeline 3D. Make a timeline presentation with your Mac.