How To Turn On Apple’s Two-Step Authentication

You’ve heard the stories about iCloud accounts getting hacked; the ones that make the news are celebrities’ accounts, but there may be people wanting to get into yours too. In addition to your Apple ID–the email address you use to identify your account–your password is the key that lets you into that account.

But anyone can pretend to be you, and attempt to get into your account, saying they’ve forgotten the password, and then attempting to answer the security questions that you chose when setting up the Apple ID. If they get through them, because they know the name of your first pet, your favorite sports team, and whatever else, they can access your account. Unless you add an additional layer of security.

Read the article on the Intego Mac Security blog.

Beware Tech Support Scams

The phone rang the other day. It was “Philip” from Microsoft calling because there was “a problem with my computer.” I told him “No there isn’t.” He said, “What?” I said “There’s no problem with my computer.” He hung up.

This is an increasingly common scam where phishers try and convince you that they’re going to fix some problem with your computer. They ask for remote access, then do some stuff that makes it look like they’re fixing something, but they also copy files, trying to get information about your identity to then access your bank accounts.

This is, of course, mostly targeted at Windows users, but similar scams, on infected websites, are also targeting Mac users. On the Malwarebytes blog, Jérôme Segura has an excellent article on this threat to Mac users. He shows examples of alerts that web pages may display, even on an iPhone.

Iphone 576x1024

Some of these give you a toll-free number to call, where someone will probably ask for your iCloud login credentials or other information to access some of your accounts.

Obviously, you need to steer clear of these things. But the Malwarebytes article is good to read, because it points out that you may not be able to dismiss the alerts, and may need to force quit apps that display them.

As the article concludes:

“The fight against tech support scammers continues more than ever. They are getting more and more aggressive and using techniques that slowly but surely resemble those used by malware authors.

This is a serious development that should make all of us aware of how dangerous it is to deal with unsolicited calls or calls initiated after seeing such scare pages.”

Sony Pictures Employees Now Working in Air-Gapped Offices

the-interview-poster-preview-101292.jpg

There is so much to say about the Sony hack, whether it has been perpetrated by the North Koreans or not, but everyone else is saying it, so I’ll just let them go ahead. I found one thing interesting about the situation: according to TechCrunch article, Sony Pictures employees are now working in air-gapped offices; offices with no internet connection.

“That is what a major corporate security breach sounds like: the squeal of a fax machine and the low murmur of co-workers now required to talk to each other instead of depending on email or instant messages.”

I can understand that they’re worried about more intrusions, but they would do better to hire some computer security experts and get on with things. I did note this interesting tidbit:

“”… A couple of people had their computers removed but people using Macs were fine,” she said. She said most work is done on iPads and iPhones.”

Help a Good Samaritan Return Your Lost iPhone, iPad or Mac

You know it could happen some day: you might lose your iPhone, iPad or laptop. If you’ve activated Find My iPhone (or the similarly named feature for other devices), you’ll get an approximate location for the device, but if it’s in an apartment building or office building, or if there’s no Wi-Fi or cellular access, you might not be able to track it down precisely.

If someone finds your device, it would be good to make it easy for them to get in touch and return the device to you. There are plenty of Good Samaritans out there, and it’s worth preparing your device so if one does find it, they can contact you.

Essentially, you want to add contact information to your device, in a way that anyone who turns it on can find your name, email address and phone number (obviously not your iPhone’s number), and get in touch. An easy way would be to paste a sticker on your device, but that might be ugly and it could wear out. Why not add contact information to the lock screens of your Macs and iOS devices? It’s easy.

Read the rest of the article on Macworld.

How To: Set a Long Passcode on an iOS Device

On the most recent episode of The Committed Podcast, we were discussing security and iPhones, and one of my co-hosts, Ian Schray, mentioned not using a four-digit passcode, that it’s too insecure to use such a simple passcode. I realized after the recording that a lot of people may not know how to set up a longer passcode. Hence, this how-to.

First, why would you want to use a long passcode? If you have a device that offers Touch ID, you’ll use your fingerprint most of the time, and only need to type a passcode when you restart the device, or when Touch ID doesn’t work. The latter only happens when my hands are sweaty; Touch ID has always been very reliable for me, though I know many people who have problems with it.

Your four-digit passcode isn’t very strong, and someone could try a bunch of combinations, unless you have activated a setting (in Settings > Passcode Lock) to erase the device after ten failed passcode attempts. So you might want something more robust.

To set a long passcode, open the Settings app, tap Touch ID & Passcode, and then enter your passcode. Scroll down to where you see a toggle for Simple Passcode, and turn this off.

2014-12-11 14.21.29.png

Enter your passcode to approve this change, then you’ll see a screen allowing you to enter a passcode. Unlike the standard screen, which only displays numbers, this one shows a full keyboard, and you can choose a passcode with letters, numbers, and even symbols and punctuation.

2014-12-11 14.21.59.png

Type the new passcode, and then tap Next; type it again to confirm, and you’ll have a long passcode. Now, whenever you access your device with a passcode, you won’t be limited to just a number pad; you’ll have a full keyboard, and can enter your passcode.

2014-12-11 14.24.19.png

You can still use Touch ID, but whenever you do need to enter a passcode, it will be more secure.

Why Apple’s Two-Step Authentication Can Be Dangerous

Apple offers two-step authentication for iCloud accounts, but their version of this process is quite rigid, and is downlight dangerous. Owen Williams writes about this in an article for The Next Web, showing how he was nearly locked out of his account.

His account was locked for “security reasons;” in other words, someone tried to get into his account, and presumably made too many login attempts, and the account was automatically locked. No problem; just use the recovery key that he got when setting up two-step authentication… But, as Williams says, “How could I be foolish enough to misplace my Apple ID recovery key?”

And there’s the big problem with the way Apple implements two-step authentication.

Two-step authentication combines the need for a password and a code that is sent to you on a device you own. So, when logging into your account from a new device (you don’t do this every time you log in), you’ll get an SMS sent to your phone with a code. You need to have more than one device, in case you lose one of them. For example, if you lose your phone, you need to be able to log in on a computer, and add a new phone as a trusted device. (Hmmm, what does happen if you lose both your computer and phone…?)

HT5570_01-icloud-2stepfaq-001-en.png

In Apple’s case, there is a recovery key, which you can use if you no longer have any trusted devices; this code is also needed if your account gets locked for any reason.

So the real problem is ensuring that you save the recovery key. Apple recommends that you print it out, and keep it in “a safe place,” and that you do not save it on your computer. (Though saving it in an app such as 1Password would be fine.) If you do this, you’ll have no problems. But if you don’t, then you could get locked out of your account; Apple makes this very clear.

So, Apple’s two-step authentication is dangerous, but if you follow the instructions to the letter, you won’t have anything to worry about. As far as I’m concerned, I’ve never set it up, because while the risk of losing access to the account is minimal, it exists. If my house were to burn down, and I lost both physical and digital access to the recovery key, then I’d lose access to a lot of my stuff. If you use this two-step authentication, make sure to have a copy of that key somewhere safe, and make sure to remember, say ten years from now, where you put it, in case you need it then.

I Almost Fell for This Apple ID Phishing Email

I almost fell for this; until I read the subject line. iPhone 3; seriously? These guys need to update their stuff.*


phishing.png

  • Apparently some readers think I was being serious above. I’ve added this footnote for those who didn’t spot the sarcasm, which, perhaps, is not as obvious as I thought.

Apple Now Emails You When You Sign into iCloud on the Web

There is always a fine balance between security and usability. Apple was strongly criticized because of the iCloud selfie breach, and Tim Cook announced that the company would be implementing new security procedures.

As of today, one of them is live: if you sign into iCloud on the web, you’ll get an email:

Mail001.png

This is interesting, but is it useful? First, if you get one of these every time you sign into iCloud on the web, it’ll just be a bother. Sure, if you didn’t sign into iCloud, you can reset your password, but too much security hampers usability. People will, over time, get tired of these messages and just delete them.

And, what if I just accessed iCloud around the same time someone broke into my account? Will I get two emails? Or will I just assume that the email I get is for my access?

In any case, by the time you get the email, it might be too late.

As my friend and editor Michael Cohen pointed out:

“Of course, if someone DID sign into your iCloud account via a Web browser, that person would see the email, too… and could reset your password, locking you out! Unless you use 2-factor authentication; then it might be harder to do the last.”

iCloud or not iCloud: What Really Happened in the Nude Selfie Breach?

You’ve seen it on the internet, even on TV news shows: a number of A-list celebrities had nude selfies swiped from their phones, or their iCloud accounts. Initial thoughts pointed to iCloud, since an exploit was released a couple of days before the photos leaked which targeted Find My iPhone, part of iCloud. This exploit found that Find My iPhone wasn’t rate limited; that it didn’t block users after a certain number of failed password attempts. So the exploit used a list of the 500 most commonly used passwords, and tried them against any Apple ID. If your password was weak, well, you’d get owned. Apple patched iCloud to fix this issue two days later.

But Apple came out with a public statement, saying, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”

So, who to believe? Some stars jumped the gun, relying on sketchy media reports suggesting that Apple was to blame, and cast aspersion – well, pizza turd – on the company:

Safari001.png

But evidence suggests that if iCloud was to blame for some of these breaches, it was not the case for all of them. Some of the stars claim the photos are fakes, while others point out that they don’t use iPhones. According to Apple, their iCloud security questions – the ones you answer to reset a forgotten password – were too easy to figure out. (Though I haven’t seen any suggestions that any of these stars found themselves locked out of their accounts, which would have happened if their passwords were reset.)

There’s lots of speculation, and one of the more interesting theories comes from Boris Gorin of FireLayers. As PC World reports, Gorin said, “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan–making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.”

The PC World article goes on to say:

“Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That’s not a security flaw with iCloud and having a strong or complex password wouldn’t offer protection against transmitting that password in clear text on a public Wi-Fi network.”

So we’re stuck in a he-said-she-said loop. In this corner, Apple is saying that these people were targeted by password-reset hacks, which depended on weak security questions. Yet none of the celebrities have said that they found anything amiss when trying to log into anything with their phones or computers. (Of course, they may not want to admit that.) And in that corner, security researchers are looking at old-school man-in-the-middle hacks on public wifi networks.

What seems likely is that, as Gorin says, these were images that were slowly leaked, and that one person decided to dump all at once, to suggest that they all come from the same exploit or hack. And if so, why? Should one speculate that there is a link between this photo dump and Apple’s new product event next week? That, perhaps, a competitor contracted with some black-hat hackers to try and get Apple to have some egg on their face; or some pizza turd?

Put your tinfoil hat on, dear reader. We will probably never know the answer to this one.

One suggestion to the celebrities reading this article (there might be one or two): you have people who tell you what to say and what to wear; find someone to tell you how to keep your personal data secure. It’s not that complicated.

Update: We now know much more about this breach. There was no one single incident grabbing all the photos, a number of techniques were used, from simple figuring out the answers to security questions to forensic software, which anyone can buy for $400 (or simply torrent). Part of the fault is Apple’s, for those accounts that were accessed using the brute-force script, but not all of the accounts whose photos have been leaked were accessed in that manner.