The Security Measure iPhone Owners Need To Take

Early Tuesday, a number of Australian iPhone and iPad owners awoke to find their devices locked, with an alert asking for $50 to $100 to give access back. The lesson: It’s easier than you think for someone to get into your Apple products — even if a thief doesn’t have the actual iPhone in his or her hands.

One way to make yourself that much safer? Start using two-step verification for your Apple ID.

When you enable two-step verification, Apple will make you prove you’re actually you whenever you buy anything on iTunes, the App Store or the iBooks Store. It works like this: Apple will text you a code anytime you try to sign into your Apple account to make a purchase. You will then have to input that number to verify your identity. That way, nobody else can access your account unless they have both your password and your device, making it far more difficult to steal your identity and credit card information.

Here’s how you do it:

First, go to the Apple ID site, click “Manage your Apple ID” and sign in. From there, click “Password and Security.”

iphone security

From there, you’ll see “Two-Step Verification.” Under that you should click “Get started…”

iphone security

There you’ll be able to sign up for two-step verification. For security reasons, Apple makes you wait three days after setting up two-step verification for it to take effect. Once you sign up, you’ll get an email telling you exactly when you’ll be able to use it.

Once you have two-step verification, this is how it works when you sign into Apple to make a purchase:

iphone security

You’ll also get a Recovery Key, which is a 14-digit series of numbers and letters that you can use to access your account if you ever lose access to your iPhone and are unable to receive text messages. Apple recommends you print our your Recovery Key and keep it in a safe place.

Many people don’t think about Apple security — even though the devices and accounts can contain a ton of personal information. Half of iPhone users don’t even use their phone’s regular passcode, and some people probably still haven’t updated their iPhones after a major security flaw was discovered in February. Two-step verification is just one extra way you can protect yourself.

EBay’s Massive Security Breach: What It Means for You

eBay HQ

Samantha Murphy at Mashable.

eBay is the latest victim of a cyberattack, and if you are one of the 145 million users with an account, you’re likely affected.

While eBay is urging users to update their passwords immediately (here’s how to do that), many are left wondering what this means for their data and what they can do to keep it safe.

The breach, which was confirmed by investigators this week, happened in early May (not late February and early March, as eBay first said) when hackers snatched up information such as usernames, email addresses, physical addresses, phone numbers and dates of birth. The hackers were even able to access passwords, but they were in encrypted form, so it’s unlikely they were compromised.

eBay said no financial information was taken and that the cyberattackers found their way in through employee login information.

While your credit card information may be safe, experts believe the ramifications of the security breach could be vast.

“The impact of the eBay compromise will likely spread beyond just eBay because people often reuse passwords across multiple sites,” Trey Ford, global security strategist at Rapid7, told Mashable. “It’s hard to predict just how serious that might be, and there may be other compromises that happen as a result that are never directly tied back to this breach. Users really need to change their passwords as soon as possible, and avoid reusing passwords across sites.”

The news comes just a few weeks after an encryption flaw called the Heartbleed bug affected many popular websites and services such as Gmail and Facebook. The bug quietly exposed sensitive account information, such as passwords and credit card numbers, over the past two years and went widely undetected until recently.

Following the Heartbleed bug news, a survey conducted by Software Advice revealed 67% of web users didn’t update their passwords.

With enough time and resources, Ford says, a hacker can fly under the radar for a while; until he is able to steal information, it’s challenging for an organization to defend against or detect it.

“Big companies have incredibly complex environments, with hundreds of thousands of users and systems they need to monitor, which means there are a lot of potential entry points for attackers to target,” Ford said. “And in the case of big companies, they often are targets for attackers because they have a lot of customers and a lot of valuable data. So attackers that are well-resourced will invest real time in casing a large company to find a way in, which frequently involves manipulating the company’s employees or trusted network in some way.”

Similar to other high-profile breaches, hackers move slowly in order to remain stealthy.

“We’re seeing this increasingly being the case in high profile breaches, like with Target — attackers take their time, do some reconnaissance and figure out an entry point that often leverages credentials stolen from a user related to the organization,” Ford said. “This kind of infiltration is really hard to spot, and it looks like a normal user accessing the system.”

While eBay’s breach might even be larger than Target’s large-scale attack, which affected its 40 million card devices at checkout stations across stores nationwide and about 110 million shoppers earlier this year, it depends on how you look at the two cases.

“Payment details were not taken at eBay so the question comes down to the value of the data,” said Raj Samani, VP at McAfee.

Staying safe

While security breaches are becoming increasingly common, it’s a reminder to always keep on top of password management, too. Passwords should also be updated because eBay stores private customer information that can be used against the user in subsequent phishing scams, said Darren Guccione, CEO of password management firm Keeper Security.

“There is always risk of future loss so the key is to practice good password management,” Guccione added. “We encourage consumers to change passwords on their most important and frequently used sites every six months. When creating a password, it’s important to use letters, numbers and symbols which can be accomplished with a password manager.”

Microsoft Fixes Internet Explorer Security Bug

The security glitch that allowed data thieves using a network computer to get around security protections and access personal information has been taken care of

Internet-Explorer-650x412

 

Microsoft has fixed the security glitch in Internet Explorer that caused the Department of Homeland Security to advise users not to use the browser until the problem was resolved, the tech giant announced on Thursday.

Most users will not have to take any action as the fix will be downloaded automatically, but customers who haven’t enabled automatic updates are encouraged to apply the update manually as quickly as possible.

The security glitch, which was announced by Microsoft last weekend, potentially gave data thieves using a networked computer the same level of access to personal information as the legitimate user.

Web users who are still using Windows XP were especially vulnerable.

Microsoft: Windows XP Update An ‘Exception’

InformationWeek, Michael Endler

XP users shouldn’t expect additional support from Microsoft, despite its heroic last-minute security update for Internet Explorer.

Many Windows XP users are no doubt relieved that Microsoft decided to include Windows XP in a security update for a recently-disclosed bug — but they shouldn’t assume support will continue. Microsoft said XP remains an unsupported product, and that it made an exception to include it in this update only because the issue arose so near the operating system’s end-of-life deadline.

Microsoft began deploying the update around 1 p.m. EST on Thursday. Users who have enabled automatic updates shouldn’t need to take any action. Otherwise, users can access the update via the Control Panel’s Windows Update section. Microsoft rarely releases out-of-cycle updates like this one. Most arrive during the company’s monthly Patch Tuesday releases.

After disclosing the bug last weekend, Microsoft suggested a number of workarounds, many of which were inapplicable to XP machines. In a blog post, Microsoft Trustworthy Computing GM Adrienne Hall encouraged XP users to upgrade.

 

Image: Nick Perla (Flickr)

Image: Nick Perla (Flickr)

She wrote that today’s cyberthreats are too sophisticated for an operating system first released over a decade ago. Microsoft officials have repeated this message countless times in recent months, but many users remain unpersuaded; over a quarter of PC users still relied on XP in April, according to web-tracking firm Net Applications.

Attacks against XP are already ongoing, according to FireEye, the security firm that took credit for discovering the vulnerability and gave it its nickname, “Operation Clandestine Fox.”

In a Thursday blog post, the firm said it has detected a “version of the attack that specifically targets out-of-life Windows XP machines running IE 8.” FireEye said earlier attacks involved only IE 9, 10, and 11 on Windows 7 and 8. The bug affects all versions of IE from 6 to 11. The firm warned that the new method that involves XP “means the risk factors of this vulnerability are now even higher.”

FireEye said it initially observed attacks against the defense and financial sectors but has since detected campaigns against government and energy institutions as well.