We have a deal on the SANNCE Home Security IP Wireless Camera With Night Vision. This device records in HD, has motion detection and night vision, and it can record 24 hours. It will also pan 355 degrees, and it’s $44.99 through our deal.
Security
New Macs, New Security Flaws – TMO Daily Observations 2019-07-09
Andrew Orr and Dave Hamilton join host Kelly Guimont to talk about the new Mac laptop updates and the latest security flaw courtesy of Zoom.
Open ID Foundation Publishes Letter about Sign in With Apple
The Open ID foundation published an open letter to Craig Federighi regarding Sign in With Apple. Although the foundation praised Apple for the initiative, it worries that it strays too far from Open ID and opens users to security and privacy risks.
The current set of differences between OpenID Connect and Sign In with Apple reduces the places where users can use Sign In with Apple and exposes them to greater security and privacy risks. It also places an unnecessary burden on developers of both OpenID Connect and Sign In with Apple. By closing the current gaps, Apple would be interoperable with widely-available OpenID Connect Relying Party software.
DNS Over HTTPS, New iCloud Login Method – TMO Daily Observations 2019-07-08
Andrew Orr and Bryan Chaffin join host Kelly Guimont to talk new DNS security from Mozilla, and Apple’s new login system coming to iCloud.
News+: How to Stay Safe and Secure Online
In the latest issue of Mac Format magazine, Adam Banks writes a guide on how to stay safe online. This is a PDF version and on page 66.
Using a Mac makes you safer than average when going online. That’s partly because of Apple’s efforts to secure the operating system; partly because the Mac App Store gives you somewhere to get most of your third-party software safely. It’s also partly because bad actors – in the security industry sense, not the Hollyoaks sense – tend to be less interested in targeting macOS. But that doesn’t mean either you or your Mac can’t get fooled. Know your way around the common risks and basic protections to keep yourself out of harm’s way.
This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.
Apple Security Chief Ivan Krstic Will Talk at Black Hat 2019
This year the Black Hat 2019 security conference will include a session with Ivan Krstic, head of Apple Security Engineering and Architecture.
Catalina System Volume, ISP Lobbying Budgets – TMO Daily Observations 2019-06-26
John Martellaro and Andrew Orr join host Kelly Guimont to discuss the new macOS read-only volume and ISP budgets for lobbying lawmakers.
OSX/Linker Malware Exploits macOS Gatekeeper
Security researchers have discovered a piece of Mac malware called OSX/Linker that can exploit a zero-day vulnerability in macOS Gatekeeper.
Try Salting Passwords if You Don’t Trust Password Managers
Andrew recently stumbled upon this sweet password trick from Password Bits, and he’s geeking out over the sheer genius of it.
Openly Operated Wants to Improve Privacy Policies
Openly Operated is a certification for apps and services. The certification process ensures that they live up to their privacy and security claims with an audit.
An OO-certified app or site must meet three criteria. First, it needs to demonstrate “a basic level of transparency” by making its code and infrastructure — among other things — public and fully documented. Second, it needs to lay out its policy in the form of “claims with proof,” establishing what user data is collected, who can access it, and how it’s being protected. Third, those claims must be evaluated by an OO-certified auditor who then makes the audit results public.
I’ve complained about privacy policies before, and this sounds like a great idea. I hope it gets traction.
Security 101: What is a Threat Model, and How Do I Create One?
If you hang around privacy or security forums long enough, you’ll eventually come across the term “threat model.” Here’s what it means.
Security Tool YubiKeys Recalled Over Firmware Flaw
Yubico is recalling its line of YubiKeys, tools used for two-factor authentication that generate one-time passcodes.
Google Builds HTTPS Directly Into Top Level Domains
More websites have encrypted their traffic than ever, but there is a loophole: some serve a mixture of HTTPS and insecure, unencrypted HTTP. Google is closing this by building HTTPS protection directly into certain top level domains.
Which means that today, when you register a site through Google that uses “.app,” “.dev,” or “.page,” that page and any others you build off it are automatically added to a list that all mainstream browsers, including Chrome, Safari, Edge, Firefox, and Opera, check when they’re setting up encrypted web connections. It’s called the HTTPS Strict Transport Security preload list, or HSTS, and browsers use it to know which sites should only load as encrypted HTTPS automatically, rather than falling back to unencrypted HTTP in some circumstances. In short, it fully automates what can otherwise be a tricky scheme to set up.
Sign in with Apple, Telegram Attacked – TMO Daily Observations 2019-06-13
Charlotte Henry and Andrew Orr join host Kelly Guimont to discuss Google approving of Sign in with Apple, and China’s attack on Telegram.
Governments Are Terrible at Securing Data
It absolutely infuriates me when agencies like the FBI, and governments like Australia, the U.S., Germany, and more want us to break encryption or circumvent it with a back door. As Mathew Gault writes, they are completely inept at securing data. Even the NSA, which likes to think it’s the “world leader in cryptology” got hacked.
Regular phone and internet users remain vulnerable, forced to take individual protective measures, like a poor wage-worker without health insurance who’s told to secure her nest egg by cutting out morning lattes.
News+: Bad Behavior in the VPN Industry
Max Eddy reviews VPNs for PCMag. Although he believes most vendors have good intentions, he highlights several examples of bad behavior in the VPN industry.
From my experience working with VPNs, I can say with certainty there is a culture of sabotage and paranoia among some vendors. Anonymous dumps of damning information about one VPN vendor get blamed on another VPN vendor. Tips come in suggesting that corporate ownership is tied to the Russian mafia or some other criminal operation. Commentators hold up one VPN review site as an example of rectitude; others say the same site is secretly run by a VPN vendor with an agenda. When there is this much disinformation and counter-disinformation (which may also be disinformation), it’s impossible to tell who is telling the truth.
Before I came to The Mac Observer, one of my freelancing gigs was writing for a VPN company. I saw some of the same things as Mr. Eddy. In both privacy and security circles, there is a tint of paranoia and conspiracy thinking, at least with some people.
This is part of Andrew’s News+ series, where he shares a magazine every Friday to help people discover good content in Apple News+.
iOS: How to Manually Configure iCloud Keychain
Unlike a traditional password manager, we don’t have a lot of control over iOS password generation. But there is a manual workaround that lets us configure iCloud Keychain a bit.
Apple Deprecates SHA-1 in iOS 13 and macOS Catalina
Apple is deprecating SHA-1, an aging cryptographic hash standard, in iOS 13 and macOS Catalina. This is good news, since we now have the more secure SHA-2 and SHA-3 families.
Two Thirds of iOS Apps Disable App Transport Security
Security firm Wandera scanned over 30,000 iOS apps and found that 67.7% of them disable App Transport Security on purpose.
Apple Thwarts Sensor Fingerprinting With iOS 12.2
A study called “SensorID: Sensor Calibration Fingerprinting for Smartphones” examined sensor fingerprinting techniques against smartphones. It found that Micro Electro Mechanical Systems (MEMS) sensors are inaccurate in small, device-specific ways that make them unique. But Apple thwarted this technique in iOS 12.2 and used the researchers’ suggestions to add random noise to the analog-to-digital converter output and to remove default access to motion sensors in Safari.
We demonstrate that our approach is very likely to produce globally unique fingerprints for iOS devices, with an estimated 67 bits of entropy in the fingerprint for iPhone 6S devices. In addition, we find that the accelerometer of Google Pixel 2 and Pixel 3 devices can also be fingerprinted by our approach.
Bypassing macOS Security With Synthetic Clicks
Security researcher Patrick Wardle found he can bypass macOS security by using synthetic clicks built with AppleScript.
Typically apps are signed with a digital certificate to prove that the app is genuine and hasn’t been tampered with. If the app has been modified to include malware, the certificate usually flags an error and the operating system won’t run the app. But a bug in Apple’s code meant that macOS was only checking if a certificate exists and wasn’t properly verifying the authenticity of the whitelisted app.
Mr. Wardle refers to this as a “second stage” attack, because the hacker or malware needs access to your Mac to exploit this bug.
Here Are The Top 20 Most Common iPhone Passcodes
Security expert Tarah Wheeler recently tweeted a list of the top 20 most common iPhone passcodes. These are all four-digit passcodes.
AirPort Updates, WWDC Plans – TMO Daily Observations 2019-05-31
Dave Hamilton and Andrew Orr join host Kelly Guimont to discuss AirPort Base Station updates, and look ahead to WWDC plans and coverage.
AirPort Base Stations Get 7.9.1 Firmware Update
Although Apple discontinued its line of AirPort base stations (routers), it recently released a firmware update, version 7.9.1. It fixes several security issues, one of which seems especially bad.
Impact: A base station factory reset may not delete all user information
Description: The issue was addressed with improved data deletion.
CVE-2019-8575: joshua stein