All posts in “Cyber Security”

Apple’s going to mandate 2-factor authentication, so you better get used to it now

Apple’s trying its hardest to protect the security of your account — whether you like it or not. 

In an email sent out in the early hours of June 6, the company confirmed that going forward it will mandate the use of 2-factor authentication (2FA) for many of its services. 

“If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID (xxxx@xxxx.com) will be automatically updated to use two-factor authentication,” reads the email. “This is our most advanced, easy-to-use account security, and it’s required to use some of the latest features of iOS, macOS, and iCloud.”

To be clear, this means that it’s not just early adopters downloading public betas of iOS 11 and High Sierra that will be required to use 2FA, but rather everyone that wants access to all the hot new features.   

And what is 2FA, you ask? Two-factor authentication is a basic security measure that requires two separate pieces of evidence before a user can access his or her account. Think of taking cash out of an ATM. You need your physical bank card (“something you have”) and your PIN (“something you know”). Only with both of those can you get your cash. 

That High Sierra goodness.


Image: apple

With email, 2FA frequently manifests as your account password (“something you know”) and a random code sent to you either via SMS or an authenticator app (“something you have”). With these two elements required to gain access to an online account, it is much harder for hackers to gain unauthorized access. 

“Once updated, you’ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience,” the email continues. “Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.”

So, whose Apple IDs will be automatically updated to 2FA? We reached out to Apple to determine if it’s just people downloading the public betas, or if the same requirements will apply to everyone downloading iOS 11 and High Sierra later this year. Unfortunately, we received no response as of press time. 

Either way, with Apple stating that 2FA is required to use “the latest features of iOS, macOS, and iCloud,” it’s clear the company is making a hard push toward better account security. 

So go ahead and update those security settings now — before Apple does it for you. After all, medicine’s always easier to swallow when it’s not being shoved down your throat. 


Hackers just gave you another reason to hate vaping

It turns out vaping may be bad for more than just your look. 

With a few tweaks of the pen, a security researcher has demonstrated that vaporizers can be modified in such a way as to pass code to your computer. 

The problem, as with many things security related, comes down to the USB port. Used for both charging and data transfer, the port is a convenient place to plug in phones or other devices that need a battery boost—devices like vape pens. 

In a video demonstrating his work, the researcher, who goes by FourOctets, plugs an e-cigarette into a computer’s USB and the device immediately lights up as if to charge. A few seconds go by and the computer starts to react. 

“DO U EVEN VAPE BRO!!!!!,” reads a message that pops up on the screen. 

Essentially, the vaporizer issued a custom command to the computer, and the computer was all too happy to oblige. 

Take this as the weirdest example yet that you should never plug random devices into your USB ports.

While FourOctets has no ill intent, it is easy to imagine someone less scrupulous loading a computer with something not quite as funny. Like, say, a keylogger. Or ransomware.

So how did he make this happen? Thankfully for people worried about their e-cigs catching a virus, it required some hands-on work. 

“It started as more of a joke than anything,” FourOctets elaborated over Twitter direct message (he declined to give his real name). “This is done with extra hardware and a little bit of code.”

As to the point of the demonstration, other than the fact that it is legitimately hilarious? 

“Another goal usually when doing dumb stuff like this is that stuff is not always what it seems and that random stuff that can plug into a computer can be dangerous,” he explained. “A lot of folks aren’t aware that something like this is even possible whether it be with firmware or added hardware and a tiny bit of code found online.” 

So should you be worried that your vape pen is delivering malicious code to your laptop? 

“It’s probably pretty unlikely to ever get something like this from the factory that would do this,” FourOctets noted, “but the possibility is there and people need to be mindful of that.”

So, you know, something to maybe consider the next time you’re ripping that sweet cotton. 


Surprise! U.S. Senate email lacks the most basic of security features.

When it comes to United States Senate email accounts, you’d think the powers that be would enact a basic security feature that even Yahoo Mail and AOL have down.

Shocker: You would be wrong. 

As an April 20 open letter from Oregon Senator Ron Wyden makes clear, Senate email accounts lack the option to enable two-factor authentication. Like, senators can’t turn it on even if they want to. 

“As you know, the cybersecurity and foreign intelligence threats directed at Congress are significant,” wrote Wyden in the letter addressed to two Senate colleagues. “However, the Senate is far behind when it comes to implementing basic cybersecurity practices like two-factor authentication.”

What exactly is two-factor authentication (2FA), and why does this matter? Let’s let the experts over at the Electronic Frontier Foundation explain. 

“Login systems that require only a username and password risk being broken when someone else can obtain (or guess) those pieces of information,” notes the organization. “Services that offer two-factor authentication also require you to provide a separate confirmation that you are who you say you are. The second factor could be a one-off secret code, a number generated by a program running on a mobile device, or a device that you carry and that you can use to confirm who you are.”

An easy-to-grasp example of 2FA is your bank ATM card. In order to withdraw cash, you need the PIN (something you know) and the card itself (something you have). Those two factors combine to allow you, and hopefully only you, to access your hard-earned dollars.

Sen. Ron Wyden just can't believe this.


Image: Chip Somodevilla /Getty Images

With 2FA turned on, even if someone obtains your email password (say, through a phishing attack), they still lack the second credential needed to get into your inbox. This seems like something sitting members of the United States Senate and their staff would be interested in, right?

And yet.

“Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and email accounts,” writes Wyden. “The Senate Sergeant at Arms does require two-factor authentication for staff who wish to log in to Senate IT systems from home, using a Virtual Private Network. This is a good first step, but the Senate must go further and embrace two-factor authentication for the workplace, and not just for staff connecting from home.”

Offering 2FA is often viewed as one of several basic security litmus tests for online services. Gmail, Twitter, Facebook, AOL, and even the much-maligned Yahoo Mail make it easy to turn this on — meaning your grandmother’s email account is potentially more secure than your senator’s.

As that depressing little nugget of information sinks in, Wyden hits us with a jaw-dropping follow-up. The executive branch, you see, issues employees Personal Identity Verification (PIV) cards that contain smart chips. The chips serve as the “something you have” factor when employees log into their computers. The Senate also issues PIV cards, Wyden tells us, but these don’t have smart chips.

What do they have instead?

“[In] contrast to the executive branch’s widespread adoption of PIV cards with a smart chip, most senate staff ID cards have a photo of a chip printed on them, rather than a real chip.”

That’s right, a photo of a chip printed on them.

So, to recap: Senate email accounts aren’t protected by 2FA, and most Senate staff ID cards have fake smart chips. 

Next on the agenda, we assume, is the revelation that the password to each and every senator’s personal voicemail account is just “0000.” 


Hackers threaten to wipe out 200 million iCloud accounts

Hackers claim they’ve stolen a ton of iCloud accounts — and they’ve demanded a ransom.

Image: mashable composite/shutterstock; apple

A group of hackers claims it has access to over 300 million Apple email accounts — and they say they’re ready and willing to wipe the user data from hundreds of millions of iCloud accounts if Apple won’t pay up by April 7.

The group, which is calling itself the Turkish Crime Family, demanded a $75,000 ransom in either Bitcoin or Ethereum, another form of online currency, to delete the data, reports Motherboard. The site broke the story Tuesday morning after corresponding with multiple people online claiming to represent the group, which will also settle for $100,000 worth of iTunes gift cards as payment.

Members of Turkish Crime Family provided Motherboard with a video, screenshots of emails and access to an email account allegedly used to correspond with Apple’s security team to prove their claims. Reps from Apple flatly denied the group’s request before threatening to forward the information to authorities, according to the report.     

The video shared in the email, which was uploaded to YouTube, reportedly shows the group scrolling through multiple stolen iCloud accounts. This was the only proof provided to Motherboard of the cache’s existence. 

A Twitter handle claiming to represent the group popped up shortly after Motherboard’s report went live. As of this article’s publication, the account has been used to reiterate the group’s threats and retweet news coverage. 

A Twitter account claiming to represent the group is broadcasting its threats.


Image: screenshot/twitter

The group has since made itself available to the press via a direct email account, which was also shared with the world via tweet. 

Its story isn’t exactly consistent, though: one rep told Motherboard that its cache numbered around 300 million accounts, but another estimated they had access to 559 million emails. Meanwhile, the Turkish Crime Family Twitter handle is capping the number of iCloud accounts that will be affected in an attack at 200 million. 

When reached by Mashable, Apple reps had no comment on the matter.

Cyber attacks on our personal data storage systems are no joke — and iCloud has experienced wide-scale breaches before, most notably in 2014 when multiple celebrity accounts were accessed and personal photos were shared online. In that instance, the security issue stemmed from the weak account security settings of the affected iCloud accounts rather than any flaw in Apple’s system. 

The Turkish Crime Family hasn’t provided any insight into how it claims to have hijacked the accounts, so we’re cautious to accept their claims at face value — especially since the group doesn’t seem to have its story straight. Even though it provided Motherboard some alleged communications with Apple and a video, that doesn’t prove it has the ability to follow through on its threats. 

This may well be little more than an overblown stunt, unless the group comes forward with some more proof.