Possible replacement for Clarify (but maybe we don’t need it), a clean install tip for iOS from Joop Bruggink, a second look at iPhone X after a bit more time, my attempt at Animoji Karaoke, Denise Crown brings us her review of the Hue Motion Sensor. Then we have an installment of Security Bits with Bart Busschots.
- A report from the Norwegian Consumer Council finds that smart watches aimed at kids are a security and privacy train wreck — nakedsecurity.sophos.com/…
- The head of the IRS in the US tells reporters Americans should assume their identity has been stolen and act accordingly — nakedsecurity.sophos.com/…
- IRS freezes its fraud prevention contract with Equifax — engadget.com/…
- Security researchers warn of a new way to abuse the DDE (Dynamic Data Exchange) Microsoft Office feature to get macro-less remote code execution. TL;DR – don’t click on links in emails and be suspicious of office documents you didn’t expect to receive:
- The download server for another Mac software developer, Eltima, has been hacked, and malware was injected into the non-App-Store versions of Elmedia Player (a media player) & Folx (a download manager) — www.intego.com/…
Bart was on the Phileas Club this week to talk about Ireland, and I was on Daily Tech News Show with Sarah Lane. Rick from Baltimore joins us with his first audio submission, where he tells us how he discovered how to reset the People album in Apple Photos. I’ve found a tool called Grammarly that helps me minimize typos, which makes me happy. Bart brings us an out-of-band Security Bits session because of the big vulnerability discovered this week in WiFi. It’s oddly a reassuring session!
Security Medium 1 – WPA WiFi Encryption Develops KRACKs
This week started with a big security news announcement (responsibly disclosed, which is nice). Security researchers at the Belgian university KU Leuven revealed a collection of related attacks against the WPA2 protocol (WiFi Protected Access version 2). The problem at the root of these attacks lay not in any specific implementation of the spec, but in the spec itself, so every manufacturer who implemented the spec correctly would have introduced these vulnerabilities into their WiFi drivers. Because you have to give a bug a fancy name to get any media attention these days, it was given the somewhat strained pseudo-acronym KRACKs, from key reinstallation attacks.
We’re not going to go into the technical minutiae here, but I have included links to some good explanations below. I do want to give a high-level overview of the problem, though.
Barry Porter tells us about another way to address Bluetooth problems by resetting the Bluetooth hardware module. I’ll tell you why I like Setapp and how it helped me find Cloud Outliner Pro from xwavesoft.com/…. In a Tiny Tip I tell you how to solve the problem of your Apple TV remote always being upside down. Then I’ll tell you the process of how I sell my Apple products so I can afford new toys. We’ve got Bart Busschots with Security Bits.
Correction – Apple’s Better Cookies are iOS 11 & macOS High Sierra Only
A few weeks ago we looked at Apple’s new and improved cookie handling algorithm in detail, and we at the very least implied it was a Safari 11 feature. It’s not: it’s an iOS 11 & macOS High Sierra feature. Even though macOS Sierra got a Safari update, it did not get this new feature.
Here is a nice article showing how to control the feature in the two OSes that do support it: www.macobserver.com/….
In this mammoth show, I’ll tell you how I’m an idiot, then I’ll talk about what surprises and delights me in iOS 11 and watchOS 4. Then Bart is back with Security Bits that includes a giant tutorial about cookies, and why third-party cookies are a bad thing.
One of the best things about being retired is having the time to talk to companies on the phone. When I was working, I would simply let things go that were irritating me because there just wasn’t the time.
This week my mission became talking to every bank I deal with about their security model. For reasons that are irrelevant to the discussion, (and highly annoying to me) I’m associated with four different financial institutions, and each of them got some messaging from me this week.
Their current service varied from two of them having no two-factor authentication at all to two having SMS, email and phone call verification. None of them use a software authenticator method like Google Authenticator or the one built into 1Password.
Before I spoke to them, I decided it would sound a bit weak to say, “My friend Bart is real smart on this stuff and HE says…” So I started to do my research. I wanted to make sure I had a crisp explanation of why using SMS is a bad idea for two-factor authentication.
This week I was on the Clockwise Podcast (Clockwise #205: Candy-Coated Vegetables on relay.fm) and on Brett Terpstra’s Systematic podcast (201: Not the Man I Thought He Was with Allison Sheridan on esn.fm). I interview Bart about the security implications of Face ID on the new iPhone X. I give you what I hope is a different view on the Apple announcement. Security Bits is really huge this week with three Security Mediums thanks to companies like AT&T and Equifax.
This week when Apple announced Face ID on the iPhone X I think they raised a lot of questions about the security of this technology. In the Mac Geek Gab Facebook group, someone asked an interesting question. They asked whether Face ID would work if someone had one eye that focused straight ahead and the other eye at a different angle.
That got me to thinking, what about blind people who often keep their eyes closed? I pinged Shelly Brisbin, author of the book iOS Access for All, to see if she knew anything. She sent me a link to a blog post by Jonathan Mosen on his blog called Mosen Consulting: Face ID Accessibility. Apple offers some answers.