How to use Dashlane, 1Password and LastPass with iOS 12

The useful thing about third-party password management apps is that they work cross platform

Apple announced plans to make it much easier to use popular third-party password management tools Dashlane and 1Password at WWDC 2018, and kept its promise with the release of iOS 12. How does this system work and how do you enable it?

What is going on?

Apple has opened up a little with the introduction of a Password Manager API that developers can use to access passwords and logins for Safari websites, apps and more. Developers can use this API to securely connect their apps to the passwords you keep stashed in your Keychain.

How does Security Code Autofill work on iOS?

Security Code Autofill also works between Macs and iOS devices, thanks to Continuity

This new iOS 12 feature makes it a lot easier to use two-factor authentication (2FA) on iPhones and iPads. It’s called Security Code Autofill, and new iOS 12 users may need a little insight into how the feature works.

How Apple describes Security Code Autofill: “SMS one-time passcodes will appear automatically as AutoFill suggestions, so you never have to worry about quickly memorizing them or typing them again.”

What is two-factor authentication (2FA)?

Typically, when you try to access an online account or service you’ll be asked to enter your passcode, identify yourself (by account name or email), and (perhaps) provide additional memorable information.

If your account or service uses 2FA, you’ll also be required to enter a passcode that will be sent to you in an SMS

New modification of the old cold boot attack leaves most systems vulnerable

Footprints in the snow. (credit: rabiem22 / Flickr)

Cold boot attacks, used to extract sensitive data such as encryption keys and passwords from system memory, have been given new blood by researchers from F-Secure. First documented in 2008, cold boot attacks depend on the ability of RAM to remember values even across system reboots. In response, systems were modified to wipe their memory early during the boot process—but F-Secure found that, in many PCs, tampering with the firmware settings can force the memory wipe to be skipped, once again making the cold boot attacks possible.

The RAM in any commodity PC is more specifically called Dynamic RAM (DRAM). The “dynamic” here is in contrast to the other kind of RAM (used for caches in the processor), static RAM (SRAM). SRAM retains its stored values for as long as the chip is powered on; once the value is stored, it remains that way

Security flaw left Safari and Edge users vulnerable to fake websites

A security researcher uncovered a flaw in both Safari and Microsoft’s Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch’s report.

Via: 9to5Mac

Source: Rafay Baloch

Georgia says switching back to all-paper voting is logistically impossible

A stack of voter access cards sits on a table at a polling location during the Georgia primary runoff elections in Atlanta, Georgia, on Tuesday, July 24, 2018. (credit: Elijah Nouvelage/Bloomberg via Getty Images)

A group of activists in Georgia has gone to court with a simple request to election officials: in the name of election security, do away with electronic voting entirely and let the more than 6.1 million voters in the upcoming November 2018 election cast ballots entirely on paper. Georgia is just one of five American states that use purely digital voting without any paper record.

As part of this ongoing federal lawsuit, known as Curling v. Kemp, Georgia Secretary of State Brian Kemp’s office says that such a change would be “reckless” with the election less than 60 days away. Plus, modifying the voting process would be too expensive, too

How to stop Mac and iOS apps stealing your data

Be careful what you install an app for, c/o Flickr

Popular Mac App Store apps have been secretly gathering sensitive user data and uploading it to servers in China and elsewhere, building vast troves of data in places that may not provide the same level of protection as we expect. This is a Very Bad Thing.

What are they doing with this data?

We don’t know what is happening with this data once it is collected. It’s conceivable that this information could be analysed alongside other collections of data to provide insights into a person’s identity, online activity, or even political beliefs. Cambridge Analytica and other dodgy behavioural modification companies taught us this.

The fact is we don’t know what is happening to the data that is being exfiltrated in this way. And in most cases we are not even aware this is taking place.

The only reason we know

Apple is creating an online portal for law enforcement data requests

Apple and law enforcement have had a contentious relationship, frequently butting heads over what level of access Apple should provide officials when approached. The issue came into a rather public spotlight in 2016 when the FBI took Apple to court over its refusal to unlock an iPhone belonging to the San Bernardino shooter. But, in an effort to work with officials, Apple has provided training for law enforcement officers on what sorts of data are available from Apple and the legal processes for obtaining it. Now, it’s expanding that program and developing an online portal through which officials can submit requests for data.

Source: CNET, Apple

Top-grossing Mac App Store app steals users’ browser histories

Adware Doctor is a top app in Apple’s Mac App Store, sitting at number five in the list of top paid apps and leading the list of top utilities apps, as of writing. It says it’s meant to prevent “malware and malicious files from infecting your Mac” and claims to be one of the best apps to do so, but unbeknownst to its users, it’s also stealing their browser history and downloading it to servers in China.

Via: TechCrunch

Source: Objective-See

Windows 10 support extended again: September releases now get 30 months

Licensing is not really the easiest topic to illustrate. (credit: Peter Bright)

In its continued efforts to encourage corporate customers to make the switch to Windows 10, Microsoft is shaking up its support and life cycle plans again. Support for some Windows 10 releases is being extended, and the company is offering new services to help detect and address compatibility issues should they arise.

The new policy builds on and extends the commitments made in February this year. Microsoft has settled on two annual feature updates (the “Semi-Annual Channel,” SAC) to Windows 10, one finalized in March (and delivered in April) and the other finalized in September (and delivered in October). Initially, the company promised 18 months of support for each feature update, a policy that would allow customers to defer deployment of feature updates or even skip some updates entirely. Going forward, the September releases are going

Google wants to get rid of URLs but doesn’t know what to use instead

This is how Chrome 57 displays https://www.xn--80ak6aa92e.com/. Note the https://www.apple.com in the address bar.

Uniform Resource Locators (URLs), the online addresses that make up such an important part of the Web and browsers we use, are problematic things. Their complex structure is routinely exploited by bad actors who create phishing sites that superficially appear to be legitimate but are in fact malicious. Sometimes the tricks are as simple as creating a long domain name that’s too wide to be shown in a mobile browser; other times, such as in the above picture, more nefarious techniques are used.

It’s for this reason that a number of Chrome developers want to come up with something new. But what that new thing should be is harder to say.

Browsers are already taking a number of steps to try to tame URLs and make them less prone

Security Researcher Shows How Remote macOS Exploit Hoodwinks Safari Users With Custom URL Schemes

A security researcher has demonstrated how macOS users are vulnerable to remote infection through a malicious exploit involving the “Do you want to allow…” popup that can be encountered when visiting websites in Safari.

In a lengthy breakdown, Patrick Wardle explains how the exploit utilizes document handlers, which request permission to open a link or a file in another app – like a PDF in Preview, for example – and URL handlers, which work similarly in the way they notify macOS that they can accept certain file formats.

The exploit occurs when a user visits a malicious website and a ZIP file is downloaded and automatically unzipped by Safari, whereby the custom URL scheme is initially registered on the user’s filesystem.

Once the target visits our malicious website, we trigger the download of an archive (.zip) file that contains our malicious application. If the Mac user is using

Who controls your data?

The average American, one study tells us, touches their phone 2,600 times per day. By the end of a given year, that’s nearly a million touches, rising to two million if you’re a power user.

Each one of those taps, swipes and pulls is a potential proxy for our most intimate behaviors. Our phones are not only tools that help us organize our day but also sophisticated monitoring devices that we voluntarily feed with interactions we think are private. The questions we ask Google, for instance, can be more honest than the ones we ask our loved ones — a “digital truth serum,” as ex-Googler and author Seth Stephens-Davidowitz writes in Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are.

Hoover up these data points and combine them with all of our other devices — smart TVs, fitness trackers, cookies that

All the Labor Day long weekend news highlights you need in one place

Apple’s new Kyoto store: Customers queue down Shijō Dori, the street that has served as the city’s main shopping corridor since the 1600s.

We’ve had quite a time of it since Apple snuck news of the limited iPhone 8 repair program out late Friday afternoon before the weekend began. Highlights: an always-on Apple Watch, new iPad mock-ups, an iPhone XS concept video, AR Maps, the end of mobile security and more. Here are all the claims in one place for quick and easy reading:

#1: Always on Apple Watch

That thing where you need to raise your watch to your face to check the time (or slowly twist the Digital Crown button)? It’s so over, if a leaked patent for an always-on watch face holds any truth at all. The patent basically suggests using clever brightness enhancement tricks and only using part of the screen to show the time to

Microsoft obliquely acknowledges Windows 0-day bug published on Twitter

A privilege escalation flaw in Windows 10 was disclosed earlier this week on Twitter. The flaw allows anyone with the ability to run code on a system to elevate their privileges to “SYSTEM” level, the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser. This kind of privilege escalation flaw enables attackers to break out of sandboxes and unprivileged user accounts so they can more thoroughly compromise the operating system.

Microsoft has not exactly acknowledged the flaw exists; instead it offered a vague and generic statement: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices

The adventures of lab ED011—“Nobody would be able to duplicate what happened there”

The University Politehnica building that hosts the Automatic Control and Computer Science (ACCS) program. (credit: Adi Dabu)

BUCHAREST, Romania—At the edge of Europe, Romania’s University Politehnica of Bucharest has long been the most prestigious engineering school in the region. Here, a terracotta-tiled building looms large over the campus, hosting the faculty of the Automatic Control and Computer Science (ACCS) program. On the ground floor, close to the entrance, is a humble computer lab. The label reads ED011.

Back in the early 1990s, after Romania escaped the grip of communism, this room was one of the few places offering an Internet connection free of charge. So every night, when no one was watching, students descended upon the lab to connect to the rest of the world. Eager to learn about life in Western Europe and the US, these students already had the look of their counterparts there—long hair, blue

T-Mobile, AT&T customer account PINs were exposed by website flaws

As if news of a recent breach leaking T-Mobile customer data to attackers weren’t bad enough, Buzzfeed News highlights a pair of issues that could’ve revealed PIN numbers for customers of T-Mobile and AT&T. The security flaws were uncovered by two security researchers, Ryan aka “Phobia” and Nicholas “Convict” Ceraolo.

The T-Mobile issue occurred via its link to Apple’s online store, where the researchers found that a page in the middle of the iPhone purchasing flow would allow an interested party unlimited attempts at guessing an account PIN or the last four digits of the account holder’s social security number. Unlimited tries at a security code that is probably four digits long, with no rate limiting, lets attackers run through all the possibilities quickly.

Source: Buzzfeed News

Chrome 69 will take the next step to killing Flash, roll out new design

Chrome 69, due to be released on September 4, is going to take the next step toward phasing out support for Adobe’s Flash plugin.

Chrome started deprecating Flash in 2016, defaulting to HTML5 features and requiring Flash to be enabled on a per-site basis. Currently, that setting is sticky: if Flash is enabled for a site, it will continue to be enabled across sessions and restarts of the browser.

That changes in Chrome 69—Flash will have to be enabled for a site every time the browser is started. This means that Flash content will always need positive, explicit user permission to run, making the use of the plugin much more visible—and much more annoying.

Australian teen pleads guilty to hacking Apple

An Australian teenager pleaded guilty today to charges over repeatedly hacking into Apple’s computer systems, The Age reports. He reportedly was able to access authorized keys, view customer accounts and download 90GB of secure files before being caught. Once alerted to the repeated intrusions, Apple blocked the teen and notified the FBI of the breaches. The agency in turn contacted the Australian Federal Police who raided the teenager’s home last year, seizing two Apple laptops, a mobile phone and a hard drive.

Via: Apple Insider

Source: The Age

Intel’s SGX blown wide open by, you guessed it, a speculative execution attack

Foreshadow explained in a video.

Another day, another speculative execution-based attack. Data protected by Intel’s SGX—data that’s meant to be protected even from a malicious or hacked kernel—can be read by an attacker thanks to leaks enabled by speculative execution.

Since publication of the Spectre and Meltdown attacks in January this year, security researchers have been taking a close look at speculative execution and the implications it has for security. All high-speed processors today perform speculative execution: they assume certain things (a register will contain a particular value, a branch will go a particular way) and perform calculations on the basis of those assumptions. It’s an important design feature of these chips that’s essential to their performance, and it has been for 20 years.

But Meltdown and Spectre showed that speculative execution has security implications. Meltdown (on most Intel and some ARM processors) allows user applications to read the contents
