Security Archive

Apple Releases Shellshock Security Fix for OS X

OS X users now have a security patch available to address the Shellshock security flaw that was discovered in recent weeks.  The update, which is available on the Apple Support website, is available for OS X Mavericks, OS X Mountain Lion and OS X Lion.  It is presumed that the issue is already addressed in OS X Yosemite or will be updated in a patch during its current beta cycle.

If you aren’t familiar with what the Shellshock security flaw is exactly, Apple provided the following statement to MacRumors last week on it.

Bash, a UNIX command shell and language included in OS X, has a weakness that could allow unauthorized users to remotely gain control of vulnerable systems. With OS X, systems are safe by default and not exposed to remote exploits of bash unless users configure advanced UNIX services. We are working to quickly provide a software update for our advanced UNIX users.

There are a couple of things to keep in mind on this flaw.  First, you likely aren’t impacted so no need to panic at the disco.  Second, even if you never use Terminal and the shell commands, you should update anyway.  Better to be safe than sorry later.

Lessons Learned From The iCloud Security Breach

Earlier this week you undoubtedly heard of the iCloud security breach that happened to some well-known celebrities.  While Twitter and other places lit up with nudie pics of the likes of Jennifer Lawrence, there were a lot of people at Apple frantically trying to find the source of the problem.  Was it a real breach?  Was there an inherent flaw in iCloud where anyone and everyone could be compromised?

The short answer is no.  This came down to, at the most basic level, a brute force attack against usernames and passwords. It was the latest in what seems to be a weekly announcement of someone having data security compromised by hackers.  The problem of course is that we all have digital data – digital footprints and fingerprints – all over the Internet.  From our Facebook account(s) to Twitter to our Banks.  Even our identification to remotely access our corporate networks.  Nobody is immune but you can protect yourself as best as possible.

Identification security is something we should all be vigilant about, whether it is on our smartphones, our PCs or Macs.  Security breaches happen at the weakest point, so the goal is to make access difficult enough to discourage attackers but not so difficult that you yourself are unable to access your data.  Here then are a few tips that you should consider when it comes to your personal data security.

Use Complex Passwords

The most basic thing you can do in personal data security is use complex passwords.  That is, use passwords with a mixture of:

  • Upper-Case Letters
  • Lower-Case Letters
  • Numbers
  • Special characters such as @£$%!
  • At least 8 characters long

Passwords should also not be associated with any personally identifying information such as:

  • Birthdays (yours, your spouse's, your children's, etc.)
  • Your address
  • Your National Identification/Social Security Number

Complex passwords serve as a strong deterrent for those who would potentially try to gain access to your data.  While any password can be compromised with enough time, complex ones point hackers to easier targets.

Wipe All Traces of Deleted Data with iShredder 2 for iOS

ProtectStar today is pleased to announce ProtectStar iShredder 2 Standard Edition 2.0.7 for iOS, an update to its best-selling utility designed to permanently wipe all traces of files that the user has deleted or put in the trash. Because deleted files remain intact on the iDevice until written over by new files, it is relatively simple to completely recover sensitive, personal data, photos, and videos. The app irretrievably erases files using 11 different, user-selectable algorithms, which have been certified by military/intelligence security experts. Ensuring that deleted files can never be recovered, ProtectStar iShredder 2 Standard Edition is ideal for maintaining privacy on the user’s iDevice, and it is perfect for wiping clean an iDevice before changing its ownership.

Feature Highlights:

Highly Secure Data Erasing on your iOS device with iShredder


* Best-selling, security utility app
* Exceeds international security standards
* Modern and secure erasing methods for flash memory (SSD)
* Standard and advanced deletion algorithms pre-installed
* Advanced secure erasing methods, such as: DoD 5220.22-M E; US Army AR380-19 and HMG InfoSec Enhanced No.5
* Shredded files are completely beyond recovery, even for experts and government agencies
* Friendly technical support by email

Unknown to most iPhone & iPod touch users is the surprising fact that files deleted or trashed are not really deleted. Emails, photos, notes, documents, videos, browser histories, music, messaging logs and reminders all disappear after they are deleted. But they remain intact until new files overwrite them (if ever). Files disappear because the Hierarchical File System in iOS crosses off the file’s name in the Directory that lists every file. According to the HFS, the photo entitled “Me & Jen at the Beach” no longer exists. If necessary, the HFS can use the storage space occupied by the picture to hold some other file. However, until it is actually replaced in memory by new data, the photo can be easily recovered.

File recovery apps can help restore files accidentally deleted. File recovery apps and algorithms can also reinstate thousands of files, large and small, deleted over years of typical iPhone usage. Users expect deleted files to be deleted; ProtectStar iShredder 2 makes good on that expectation. The app offers 5 different, user-selectable choices for securely and permanently erasing deleted files. These algorithms work by repeatedly writing over the remains of deleted files with random characters. Commonly employed by such organizations as DoD 5220.22-M E from the Department of Defence and the U.S. Army AR-380-19, iShredder’s algorithms provide the user with absolute assurance that their deleted data can never be recovered by anyone, even government computer experts.

It takes just three simple steps to overwrite the necessary flash memory using patented security standards, making it impossible to rescue any deleted files:

* 1st, open ProtectStar 2 iShredder
* 2nd, select a secure deletion algorithm
* 3rd, start the deletion process

“An independent IT security provider, ProtectStar, Inc. supplies SMEs, government agencies, and large corporations with comprehensive consulting and individualized solutions in domains such as process management and process optimization,” stated company founder Christopher Bohn. “The ProtectStar Testing Center continuously carries out extensive testing of IT security products from prominent vendors. You can be certain that the ProtectStar app you purchase is backed by our years of experience in data security.”

iShredder 2 Standard is $2.99 in the App Store and available for iPhone.  In-App Purchases to the Pro version are available which brings support to your iPad.


Apple Adds Two-Factor Authentication for Apple ID

Apple has joined the long list of sites and services that are offering two-factor authentication after recent security challenges for the Cupertino company.  Now you have the option to enable this added level of security to your Apple ID, making it more difficult for hackers to access your account and potentially run up a big bill of in-app purchases on iTunes.

The new authentication is available to all Apple ID holders and is outlined in this How To on the Apple support site.  Essentially all you have to do is go to your Apple ID while you have your iPhone or iPad with you, as you will need a trusted device to send a verification code to in the process.  Once the process is complete you will be given a recovery code which you will need should you lose or change your trusted devices (i.e. get a new iPhone).  This prevents someone from gaining access to your Apple ID if they get their hands on your device.

The two-factor authentication is a good thing although it takes some time to set up.  It gives you peace of mind, especially if you are out-and-about with your devices (which is really all of us).  Apple joins companies such as Dropbox who have enabled this added level of security.

As a reminder, if you have multiple Apple IDs you should set up this authentication on all of them to prevent any security holes to your personal data.  As I posted a couple of weeks ago, you should also follow some best practices around passwords by making them complex.

To get started, go to http://appleid.apple.com to enable the two-factor authentication.

Lessons To Learn From The Evernote Security Breach

Over the weekend Evernote posted on their blog that they had detected suspicious behaviour in their network and, as a precaution, were having everyone reset their passwords.  It was the latest in what seems to be a weekly announcement of someone having data security compromised by hackers.  The problem of course is that we all have digital data – digital footprints and fingerprints – all over the Internet.  From our Facebook account(s) to Twitter to our Banks.  Even our identification to remotely access our corporate networks.  Nobody is immune but you can protect yourself as best as possible.

Identification security is something we should all be vigilant about, whether it is on our smartphones, our PCs or Macs.  Security breaches happen at the weakest point, so the goal is to make access difficult enough to discourage attackers but not so difficult that you yourself are unable to access your data.  Here then are a few tips that you should consider when it comes to your personal data security.

Use Complex Passwords

The most basic thing you can do in personal data security is use complex passwords.  That is, use passwords with a mixture of:

  • Upper-Case Letters
  • Lower-Case Letters
  • Numbers
  • Special characters such as @£$%!
  • At least 8 characters long

Passwords should also not be associated with any personally identifying information such as:

  • Birthdays (yours, your spouse's, your children's, etc.)
  • Your address
  • Your National Identification/Social Security Number

Complex passwords serve as a strong deterrent for those who would potentially try to gain access to your data.  While any password can be compromised with enough time, complex ones point hackers to easier targets.
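The checklist above (it appears in both the iCloud and the Evernote posts) can be turned into a small checker. This is an added example, not code from the original posts; the function names, the date formats treated as "birthday-like", the last-four-digits rule and the sample profile are all assumptions made for illustration.

```python
import re
from datetime import date

def class_failures(password):
    """Return the checklist items the password does not meet."""
    checks = {
        "upper-case letter": any(c.isupper() for c in password),
        "lower-case letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        # anything that is not a letter, digit or whitespace counts as special
        "special character": any(not c.isalnum() and not c.isspace() for c in password),
        "at least 8 characters": len(password) >= 8,
    }
    return [name for name, ok in checks.items() if not ok]

def birthday_tokens(d):
    """Common ways a date ends up inside a password (assumed list of formats)."""
    y, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    m, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {y, m + dd, dd + m, m + dd + yy, dd + m + yy, m + dd + y, dd + m + y, y + m + dd}

def personal_tokens(birthdays=(), address="", national_id=""):
    """Build the set of strings that tie a password to its owner."""
    tokens = set()
    for d in birthdays:
        tokens |= birthday_tokens(d)
    # address words and numbers of 3+ characters; shorter ones match by accident
    tokens |= {w.lower() for w in re.findall(r"[A-Za-z0-9]+", address) if len(w) >= 3}
    digits = re.sub(r"\D", "", national_id)
    if digits:
        tokens.add(digits)
        tokens.add(digits[-4:])  # the last four digits are often reused on their own
    return tokens

def check_password(password, **personal):
    """Return a list of problems; an empty list means the checklist is satisfied."""
    problems = [f"missing: {p}" for p in class_failures(password)]
    # normalise so that "04/12" and "Elm" still match "0412" and "elm"
    squashed = re.sub(r"[^a-z0-9]", "", password.lower())
    for tok in sorted(personal_tokens(**personal)):
        if tok in squashed:
            problems.append(f"contains personal information: {tok}")
    return problems

if __name__ == "__main__":
    # Constructed profile and passwords, for demonstration only.
    profile = dict(birthdays=[date(1990, 4, 12)], address="42 Elm Street",
                   national_id="000-12-3456")
    for pw in ["Summer2014", "Elm$treet1990!", "J@zz-04/12-Band", "c0rrect-Horse!7"]:
        print(pw, "->", check_password(pw, **profile) or "ok")
```

The second and third sample passwords pass every character-class rule yet are still rejected, because separators and letter case are stripped before the comparison against personal data.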

Apple Releases Java Update After Yesterday's Hacking Shenanigans

If you missed all the fun yesterday, Apple had several employees hacked yesterday.  The exploit made its way into the Cupertino Macs via, wait for it, Java.  Yes that programming language applet that we all hate but seemingly cannot divorce (as a colleague of mine said, “a bugger you can’t flick”) has become THE gateway for malware into Macs.  It would seem that Apple themselves are not immune.

Not sitting back on this one, Apple has released a Java update today to fix this and other improvements.  Here is the summary from the Apple Support Page:

This release updates the Apple-provided system Java SE 6 to version 1.6.0_41 and is for OS X versions 10.7 or later.


This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a webpage, click on the region labeled “Missing plug-in” to go download the latest version of the Java applet plug-in from Oracle.


This update also removes the Java Preferences application, which is no longer required to configure applet settings.

Mac users are recommended to install this update immediately as it is available now in the Mac App Store under Updates.  Even if you do not normally use Java you should install this update.  This release supersedes any previous updates.

To get the update, open up the App Store on your Mac and go to the Updates tab.

How To Setup Restrictions on Your iPhone or iPad

Time for another AlliOSNews How To!  With many young people receiving iPhones and iPads this Christmas, the question of being able to protect your kids from not-so-great things comes into play.  While we all want our children to use and enjoy technology, we also need to protect them from particular types of media content as well as help guide them on responsibilities with their new iPhone or iPad.

Apple has made this easy for parents with the Restrictions settings in iOS.  With restrictions, parents can restrict the type of content their children can access or use as well as restrict their ability to purchase or delete apps, access to apps like Facebook or FaceTime and even restrict if changes can be made to Contacts.  This How To is not to tell you how to parent:  Rather it is designed to give you information so you can make the right decision for your family.

To start, go to Settings on your iPhone or iPad and then scroll down to find Restrictions settings.  By default these are disabled.  Tap on the Enable Restrictions button and you are prompted to enter a 4-digit PIN.  Think of this as the “Administrator PIN”.  It is for you as a parent to know but not your children.  By having the PIN, it prevents unwanted changes from happening on the iPhone but it also allows you to log in and tweak to make the content levels you want for your children grow with them.  Once you have entered a PIN, all of the various restrictions you can put into effect are enabled.

How to Find Restrictions in General Settings

Remember, this How To is to show you how, not tell you which restrictions to set into place.  To disable the ability for your youngster to, say, delete an app, scroll down to the Deleting App and turn it off.  Now when they tap-and-hold on an app to delete it, the iPhone will go into “wiggle” mode but the small X to delete an app will not appear.

There is also the ability to restrict the content that they can view for films, TV programmes, music and apps, and these are based on your country’s ratings system.  So for example you can restrict music that has been tagged as Explicit from being available to play or you can prevent any films with a rating of 18 from being played for your 12 year old.

How To Select which apps to restrict


You can also restrict what apps have access to what content on the iPhone or iPad.  For example, if you have given the permission to install an app and that app wants access to your child’s Facebook account, you can restrict the iPhone to allow the app to install but not allow it to access their Facebook account.  This could prevent them from installing a rogue app that they don’t know is going to search through their Facebook profile and potentially expose them to unwanted materials.

Finally, like enabling the Restrictions settings, to disable them you must have the PIN.  This will assure that your teen doesn’t “accidentally” turn them off. :-)

Every parent has to make the right decision for their child on what is appropriate for them.  This How To is designed to help you make that right decision without having to dive into the guts of iOS to figure it out.  Apple has made it easy.

Was this How To helpful?  Leave a comment below or let us know on Facebook or Twitter!


How to setup a Lock Screen Message in OS X

Security should always be a priority when it comes to your Mac.  In the past Mac owners have felt naturally safer because there weren’t that many Macs out in the wild and quite frankly, thieves didn’t have much interest in them.  Today is a different game with Macs becoming a mainstream part of the consumer and corporate landscape and thieves specifically targeting Macs, iPhones and iPads.  In this How To I’m going to show you how to make your Mac more secure by requiring a password and displaying a Lock Screen message when your Mac is locked or booted up.

To start, go to System Preferences on your Mac and open up the Security & Privacy.  Once it is open you will see several items which you can adjust to make your Mac more secure.  First is the Require Password.  You can set this up to require a password to access your Mac immediately, after a few seconds or up to 4 hours.  I recommend setting this very low – 5 seconds to 1 minute – to lower the risk of a quick snatch of your Mac and someone gaining access to your data as they literally walk away with it.  Whatever time you have this set up, it will go into effect when your display is turned off (part of the power settings), your screensaver starts, or you boot up/log into your account.

The next thing to do is set up a Lock Message.  Below the Require Password setting you’ll see a Lock Message button – click it to open up the Lock Message editor.  What you put in here is entirely up to you.  You can put something like your name, a contact phone number and whether you will be rewarding anyone for the return of your Mac.  I would discourage you from putting anything derogatory in the Lock Message on the outside chance that you may actually get it returned to you.  Once you have composed the message that you like, it will immediately go into effect based on how long the Required Password timer is set.

Now that you have your Lock Message set and your Required Password timer, your Mac is that much more secure.  While you are on the Security & Privacy settings, you can also Disable automatic logins by checking the box to do so which will require anyone who boots up your Mac to enter a password.  Below that you can set up where apps can be downloaded from on your Mac – from the App Store only or anywhere.  This is part of the Gatekeeper functionality built into Mountain Lion.

From this point forward, when you log in or when your screen is disabled as part of the Power settings you will see your Lock Message.

There is another great use for the Lock Message aside from the security implications I’ve outlined here.  I work in a corporate environment where when I show up at a meeting in a large conference room, a full 75% of the room is usually full of MacBook Pros – the exact same 13″ model as mine.  It is our corporate issued unit so naturally there are a lot of them around.  How do you tell yours from others when you walk out of the room to get lunch for that working lunch meeting?  With Lock Message you can make sure that when you return you actually return to your MacBook.  Oh, and back to security – this also prevents co-workers with prying eyes from getting into your Mac. :-)

Was this How To helpful?  Let me know!  Leave a comment below or send me a Tweet on Twitter.


LinkedIn Calendar Sync gives access to your meeting notes – Privacy issue anyone?

Sometimes the over-reaches and assumptions are simply stunning.

The New York Times posted today in their blog about a potentially serious privacy breach in the new LinkedIn apps for iPhone and iPad and the apparent lack of disclosing what exactly is being synchronized to the LinkedIn servers.  The new apps, which were updated a few weeks ago, provide a service called Calendar Sync.  This allows you to synchronize your calendars with the LinkedIn app so you can check your calendar directly from within it.  It’s a pretty cool feature actually as it also shows you which of your LinkedIn contacts will be in a particular meeting.

Here though is the problem.  Not only are your calendar appointments synchronized – which makes sense given you are wanting this feature – but your meeting notes are synchronized as well.  So what’s the problem with that?  Play pretend for a minute with me.

Let’s say that you work for a publicly traded company (which I do in my “day job”) and your CEO sets up a meeting with the Board of Directors to discuss the last quarter financials.  He puts relevant information in the meeting notes as items to discuss.  Once that is synced up to LinkedIn, they have that information.  This could cause a whole plethora of issues for public companies if the data got into the wrong hands.

The reality is that if you are syncing information with LinkedIn then you likely want those meeting notes with it as well as the calendar appointment itself.  It makes sense if you think about it.  The problem, as is often the case with these types of situations (remember Path?) is that users are not explicitly told this data will be synced with LinkedIn.  They assume that since you are syncing your calendar with them then you should know that everything related to that calendar appointment is synchronized as well.  If LinkedIn had simply put in their EULA, “By the way, we are going to sync your calendar meeting notes as well as the appointment itself”, this would be a non-issue.

LinkedIn, sorry but you over-reached on this one.  Making a blanket assumption about user data is, um, dumb.  If there is anything that is true in this digital age, people are willing to give you information but you have to let them know they are giving it to you.  You need to address this one – quick.

Readers, if you want to disable the Calendar Sync function in the LinkedIn app, you can go to Settings>Show Calendar and disable it by moving the slider to OFF.