Using Two-Factor Authentication on Old Apple Devices

· · Link

Glenn Fleishman has a good tip on how to use Apple’s two-factor authentication on older devices that don’t support it.

But 2FA and outdated versions of Apple TV, iOS, and macOS don’t mix. You try to log in on those devices with your Apple ID and popups with codes may appear on other devices, but there’s no way to enter it on the piece of equipment from which you’re trying to log in. Fortunately, there’s a simple workaround.

I always forget about the manual method.

News+: Don't Give Money to Ransomware Scammers

· · Link

In the latest issue of PCMag, Max Eddy writes that you shouldn’t give money to ransomware attackers when they ask.

First, most cyberattacks—including ransomware—don’t last long. The command and control servers that issue the unlock commands and receive payment can be found and taken offline…In either case, anyone who has been infected and not paid the ransom can no longer get their system unlocked, even if they pay.

This is why keeping several backups is important, one online, one offline. And keep your operating system up to date with the latest security patches and improvements.

This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.

Online Payment Integrations Can Introduce Vulnerabilities

· · Link

At Black Hat 2019, researcher Joshua Maddux found that security vulnerabilities can arise when websites add online payment integrations like Apple Pay. To be clear, he says it’s not an issue with Apple Pay itself, but rather how websites add it. And other third-party integrations can be similarly affected.

The flaws fit into a well-known type of vulnerability called “server side request forgery,” which allow attackers to bypass protections like firewalls to directly send commands to web applications. These vulnerabilities pose a real threat, and are regularly exploited in the wild. Most recently, they played a role in last month’s massive Capital One breach. Similarly, flexibility in how a website integrates Apple Pay potentially exposes its own backend infrastructure to unauthorized access.

Researchers Spoof Face ID Using Tape and Glasses

· · Link

During the Black Hat 2019 conference, researchers demonstrated a way to spoof Face ID using nothing more than glasses and tape.

To launch the attack, researchers with Tencent tapped into a feature behind biometrics called “liveness” detection, which is part of the biometric authentication process that sifts through “real” versus “fake” features on people. It works by detecting background noise, response distortion or focus blur. One such biometrics tool that utilizes liveness detection is FaceID, which is designed and utilized by Apple for the iPhone and iPad Pro.

Microsoft Launches Azure Security Lab and Doubles Bug Bounty

· · Link

Announced at Black Hat 2019 today, Microsoft launched the Azure Security Lab, as well as doubling its top Azure bug bounty to US$40,000.

The Azure Security Lab takes the idea to the next level. It’s essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.

The Azure Security Lab isn’t open to the public — you have to apply. Microsoft is promising quarterly campaigns for targeted scenarios with added incentives, including exclusive swag. Security researchers will also be able to engage directly with Azure security experts.

Jamf Gets Native Mac Security With Digita Security

· · Link

Enterprise Mac company Jamf has acquired Digita Security, bringing native Mac security to its platform.

Digita, a two-year old startup, was founded by a team of security experts led by Patrick Wardle, whose background includes a decade as a Mac security researcher, seeking out vulnerabilities on the Mac, and time at the NSA where he honed his security research skills.

Patrick makes a lot of great Mac tools with Objective See that I recommend.

Google's Project Zero Finds 6 iOS 'Interactionless' Bugs

· · Link

Google’s security team Project Zero recently found six “interactionless” iOS bugs. If sold on the black market they would be worth over US$5 million.

According to the researcher, four of the six security bugs can lead to the execution of malicious code on a remote iOS device, with no user interaction needed. All an attacker needs to do is to send a malformed message to a victim’s phone, and the malicious code will execute once the user opens and views the received item.

The fifth and sixth bugs, CVE-2019-8624 and CVE-2019-8646, can allow an attacker to leak data from a device’s memory and read files off a remote device –also with no user interaction.

Capital One Hack Affects Credit Card Customers

· · Link

On July 19 Capital One found it had gotten hacked. The FBI arrested the hacker but 100 million U.S. customers are affected.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

What angers me the most about this is the fact that I had to read the news to learn what happened. As a Capital One customer I feel I should’ve been notified by email. Customers affected by this will get an email but I want a notification email as well. Maybe I’ll get five bucks like those affected by Equifax.

William Barr Wants You to Accept Encryption Backdoor Security Risks

· · News

U.S. Attorney General William Barr suggested that Americans should just accept encryption backdoor security risks (via TechCrunch). Encryption Backdoor Risks In a speech today, William Barr called on tech companies to help the federal government to access devices with a lawful order. In other words, ignore the security risks and put a backdoor into their…

NSO Group Tool Harvests Targeted iCloud Data

· · Link

Israel-based NSO Group claims it can harvest iCloud data in targeted attacks. It’s said to be a version of the Pegasus spyware.

Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target’s location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn’t specifically deny that it had developed the capability described in the documents.