Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label iCloud. Show all posts

Say Goodbye to Login Struggles with Apple’s New ‘Passwords App’

 


With its much-awaited iOS 18, Apple is now launching an app called Passwords, created to help improve one of the oldest but least-tampered-with needs when it comes to digital security: password management. Now, the 'Passwords' app is downloadable on iPhones, iPads, and Macs. In an effort to make the habits of how users store and protect their digital credentials seem less mysterious, Apple is hoping to bring about better password security to millions of people with this long-standing feature being moved into a dedicated application.


All New Standalone Password Manager

Years ago, Apple's Keychain system stealthily protected its users' passwords, so they never had to remember complex login information for every app and website. But with iOS 18, Keychain is revamped and placed into an app that is not only visible but friendly to users: the new passwords app gathers all login credentials and passkeys in one place, thus making them easier to control. And this finally speaks to the increasing focus of Apple on usability as well as security- the app promises to be easier to use than ever before for consumers who are hardly familiar with password managers.

Apple's new app was warmly welcomed by Talal Haj Bakry and Tommy Mysk from the security firm Mysk because it represented a far easier approach toward password management. According to them, it will also make users realise that password management is quite essential by giving users a secure default tool preinstalled on every Apple device. Interestingly, Passwords makes use of end-to-end encryption, meaning no one, including Apple, knows what is saved in your credentials.


Password Manager Features and Design

In terms of design, the Passwords app presents a minimal interface with six main sections: All, Passkeys, Codes, Wi-Fi, Security, and Deleted. All these can be used to securely store several types of information. It's particularly noteworthy in the Security section, as this would identify weak or compromised passwords so that one can work out improved login credentials.

Apple saves all the login details synchronised through iCloud, hence a user can always access his or her account in whichever device he may be using. However, users who want to maintain their privacy are given the option of turning off the syncing feature for certain devices. With Face ID protection, the app is secured from unauthorised access by others.

All the information previously saved will automatically migrate from Keychain to Passwords, including sign-in details from the Sign In feature from Apple.


Why Improve Your Password Habits?

Part of that effort is Apple's Passwords, introducing passwords with the goal of streamlining and encouraging better password practices among users. According to cybersecurity expert Siamak Shahandashti, making the Passwords app more notable is encouraging users to start embracing stronger passwords and be more meticulous in the digital sphere in general. To Shahandashti, existing authentication systems are too complex for everyday folks, and that's what he sees the Apple app doing- filing in the gap.

The other feature is that the app supports passkeys, which are considered to be the next-generation replacement for passwords. Passkeys provide better security without having you remember such long, convoluted passwords. To promote the passwordless security feature, Apple automatically activated an option available in the security setting that enables existing accounts to be updated to utilise passkeys when possible.


Impact on the Password Management Industry

With its entry into the password management space, Apple holds high potential to seriously disrupt long-standing players in this area, namely third-party apps. As the new Passwords app on Apple is integrated throughout its ecosystem and synced through iCloud, it can easily attract many users searching for an easy included solution instead of seeking third-party apps. Critics instead point out that Apple locks users into the system when it constrains ease of exporting data to other platforms.

Ultimately, with so many options in the market for password management, this new application from Apple can turn out to be the "one stop shop" for millions of users. It simplifies password management and strengthens security, and hence forms a great option for those who haven't adopted a password manager yet or are looking for an integrated solution.

All in all, Apple's Passwords app is a meaningful step forward in digital security, letting people manage their passwords and passkeys in a streamlined and secure way. For many, it may be the perfect solution toward solving log-in issues while also amplifying online security.


Apple ID Shuts Down: Users Panic While Trying to Reset Password

Apple ID Shuts Down: Users Panic While Trying to Reset Password

Apple IDs serve as the gateway to our digital ecosystem. They unlock access to our beloved photos, messages, apps, and more. But what happens when that gateway suddenly slams shut, leaving us confused outside? 

Recently, Apple users have been struggling with this very issue, as widespread reports of forced password resets have surfaced.

Locked out of your Apple ID? Here’s what you need to know

If you've been locked out of your Apple ID in the last day or so without warning, you're not alone

Apple users have been suffering a wave of forced lockouts, with some indicating that they have been forced to reset their passwords to regain access.

The lockouts have resulted in customers losing access to their devices, but there appears to be no root cause or anything in common across incidents, and Apple has yet to comment on the matter. 

The company's System Status website indicates that all services are "operating normally," with Apple ID services particularly listed as "available."

The lockout mystery

If your Apple ID has locked you out, you might panic and try your usual password, but it’s useless. You’re left staring at the blank “Incorrect Password” message. What gives?

The cause behind these lockouts remains hidden in mystery. Experts believe it’s a security measure triggered by suspicious activity, while others suspect a glitch in the matrix. Regardless, the concern is real. Users have taken to social media, sharing their stories of being shut. 

Have you had your password reset?

If your Apple ID has been blocked out and you must change your password, any app-specific passwords you may have created will also need to be reset. That's something you'll have to do whether you utilize apps like Spark Mail, Fantastical, or any number of others.

It could potentially cause significant issues if you use iOS 17.3's Stolen Device Protection. You'll need to use biometrics on your iPhone, such as Face ID or Touch ID, to access your account or use Apple Pay.

Apple’s silence

As the lockout story falls out, Apple has remained silent. No official statements, no explanations. The tech giant continues to operate, but the users are panicking to regain control of their digital lives. Is it a glitch? A security enhancement? At this moment, we can only wait for Apple’s response

What can you do?

1. Reset Your Password: Change the password. But remember the app-specific ones too.

2. Biometrics: If you’ve set up Face ID or Touch ID, use them to reclaim your digital ID.

3. Stay Tuned: Keep an eye on Apple’s official channels. 

iCloud Keychain Data and Passwords are at Risk From MacStealer Malware

 


Uptycs, a cybersecurity company that discovered the information-stealing malware while searching for threats on the dark web, is warning that Mac computers have been the latest targets of updated info-stealing malware. 

The iCloud Keychain can easily access cryptocurrency wallets with the help of MacStealer. This is an innovative malware that steals your credentials from your web browsers, cryptocurrency wallets, and potentially sensitive files stored in your iCloud Keychain. 

The MacStealer malware is distributed as malware-as-a-service (MaaS), whereby the developer sells pre-built builds for $100, allowing customers to run their marketing campaigns and spread the malware to their victims. 

On the dark web, cybercriminals use Mac computers as a breeding ground to launch malware and conduct illegal activities. This makes the dark web a prime place to conduct illegal activities and launch malware. 

Upon discovering the newly discovered macOS malware, the Uptycs threat research team reported that it could run on multiple versions of Mac OS. This included the current Mac OS, Catalina (10.15), and the latest and greatest Apple OS, Ventura (13.2). 

Sellers claim that the malware is still in beta testing and that there are no panels or builders available. In China, Big Sur, Monterey, and Ventura provides rebuilt DMG payloads that infect macOS with malware. 

To charge a low $100 price for a piece of malware without a builder and panel, the threat actor uses this fact. Despite this, he will release more advanced features as soon as possible. 

A new threat named MacStealer is using Telegram as a command and control (C2) platform to exfiltrate data, with the latest example being called PharmBot. There is a problem that affects primarily computers running MacOS Catalina and later with CPUs built on the M1 or M2 architecture. 

According to Uptycs' Shilpesh Trivedi and Pratik Jeware in their latest report on the MacStealer exploit, the tool steals files and cookies from the victim's browser and login information. 

In its first advertising on online hacking forums at the beginning of the month, this project was advertised for $100, but it is still far from being finished. There is an idea among the malware authors of adding features to allow them to access notes in Apple's Notes app and Safari web browser. 

Functioning of Malware

MacStealer is distributed by the threat actors using an unsigned DMG file which is disguised as being something that can be executed on Mac OS if it is tricked into going into the system.

As a result, the victim is presented with a fake password prompt to run the command, which is made to look real. The compromised machine becomes vulnerable to malware that collects passwords from it. 

Once it has collected all the data described in the previous section, the malware then begins to spread. As soon as the stolen data is collected, it is stored in a ZIP file. It is then sent to a remote server for processing and analysis. Later on, the threat actor will be in a position to collect this information as well.

Additionally, MacStealer is also able to send some basic information to a pre-configured Telegram channel, which allows the operator to be notified immediately when updates to the stolen data have been made, which will enable him to download the ZIP file immediately as well.

What can You do to Protect Your Mac?

You can do a few things right now to ensure that you have the latest software update installed on your Mac computer, beginning with opening the Settings app and checking that it is the latest version. 

The first thing you should do is install it as soon as possible if it has not been installed already. You should make sure that all of your Apple devices are up-to-date before you begin using them since Apple is constantly improving its security. 

Your devices will be protected from malware if you use antivirus software, which protects you from potentially malicious links on the internet. By clicking the magnifying glass icon at the top of my webpage, you can find my expert review of the highest-rated antivirus protection for your Windows, Mac, Android, and iOS devices, which includes reviews of which ranked antivirus protection for Windows, Mac, Android, and iOS devices.  

Different forms of malware, such as email attachments, bogus software downloads, and other techniques of social engineering, are utilized to spread stealer malware. 

Keeping up-to-date the operating system and security software of the computer is one of the best ways to mitigate such threats. In addition, they should not download files from unknown sources or click on links they find on the internet. 

"It becomes more important for data stored on Macs to be protected from attackers as Macs become more popular among leadership teams as well as development and design teams within organizations", SentinelOne researcher Phil Stokes said in a statement last week.

What Must You Do Before Uploading Your Sensitive Data to the Cloud?


Cloud storage has emerged as a prominent tool when it comes to managing or storing users’ data. Prior to the establishment of cloud storage technology, more than a decade ago, emailing individual files to yourself or saving them to an external drive and physically moving them from one computer to another were the two most popular methods for backing up documents or transferring them between devices. 

But now data storage has witnessed a massive breakthrough in technology, thanks to cloud storage solutions. Some of the prominent cloud storage services like Google Drive, Microsoft OneDrive, Dropbox, and Apple iCloud Drive made it dead simple to back up, store, and keep our documents synced across devices. 

Although, this convenience came to the users at a cost of privacy. When we use any of the Big 4's major cloud services, we theoretically give them—or anybody who can hack them—access to whatever we keep on their cloud, including our financial and health information, as well as our photos, notes, and diaries. 

One of the major reasons why user privacy is at stake is because all four prominent cloud service providers meagerly encrypt the documents while uploading. Since these documents are not end-to-end encrypted, it indicates that the user is the only one with the ability to decrypt. 

Minimal encryption would mean that the service provider too holds the key to decrypt users’ documents, and is capable of doing so at all times. Moreover, in some severe instances, a hacker may as well get hold of the decryption key. 

Out of the four major cloud services, Apple is the only service provider with Advanced Data Protection for iCloud, launched recently, which enables users to choose to have their documents end-to-end encrypted when stored in iCloud Drive. This makes Apple void of any access to the files, ensuring the user’s privacy. However, this setting is still optional, making the merely encrypted iCloud Drive a default setting. 

Since the remaining three major cloud storage providers are yet to provide users with the choice of end-to-end encryption and taking into consideration the exploded usage of such personal cloud services in recent years, billions of users are currently at risk of getting their sensitive documents exposed to the third party. 

Encrypt First, Then Upload to the Cloud 

It is possible to use the popular cloud storage services while preventing anyone who gains access to your account from seeing the files stored therein by encrypting those files prior to uploading them. The best part? You do not require a computer scientist or a security developer to do so. With the numerous applications, that are available for free, one could encrypt any file on one's own. 

What is Encrypto?

One such well-known encryption program is Encrypto, sponsored by a company called MacPaw. You may drag a file into the program, give it a password, and then encrypt it using industry AES-256 encryption. The software then enables you to save a file with an encrypted version (.crypto file type). 

After encrypting the files, the user can now upload the encrypted version of the file to their preferred cloud storage provider rather than the original file containing sensitive data. If your cloud storage is then compromised, the attacker should be unable to open the Crypto file without knowing the password the user has established for it. 

Encrypto is a cross-platform tool that works on both Macs and Windows PCs, despite the fact that MacPaw is known for producing Mac-specific utility apps. The recipient merely needs to download the free Encrypto app to be able to open sensitive documents that have been sent to them over email and have been encrypted using Encrypto (and you need to let them know the password, of course). 

Another nice feature that the app possesses is that it enables users to set different passwords for each file they create. One can even include a password hint in the encrypted file to remind what password is being used in the file. Users are advised to establish a password that would be difficult to decipher through brute force or something that would be difficult to guess. 

This being said, no matter the choice of app, encrypting the files yourself before uploading them to Google Drive Microsoft OneDrive, Dropbox, or iCloud Drive adds an additional layer of encryption and security to the sensitive data while still maintaining to reap the numerous benefits of cloud storage.  

Apple Improves iCloud Data End-to-End Encryption

Apple took a step further in its continuous effort to offer people even better ways to safeguard private data when it unveiled new cutting-edge security capabilities aimed at defending against attacks on user data in the cloud. 

Advanced Data Protection allows trusted devices of iCloud users sole access to the data encryption for the majority of their data. It is already available in the U.S. for participants in the Apple Beta Software Program and will be available to all U.S. customers by the end of the year.

According to a press release from Apple, the only essential categories excluded from Advanced-Data Protection are iCloud Mail, Contacts, and Calendar due to the necessity to interoperate with the worldwide email, contacts, and calendar systems.

Apple apparently abandoned plans to provide end-to-end encryption to iCloud backups after the FBI objected. Privacy organizations like the Electronic Frontier Foundation have long urged Apple to do this.

These new features join a number of other safeguards that make Apple products the most secure on the market, including the setups directly into our specially made chips with efficient system encryption and data protections and features like Lockdown Mode, which provides an extremely high level of optional security for users like journalists, human rights activists, and diplomats. Apple is committed to enhancing device and cloud security or continuously introducing additional safeguards.

Despite the fact that the great majority of users will never be the target of extremely sophisticated assaults, the functionality adds an essential degree of security for users. If a highly skilled opponent, such as a state-sponsored attacker, were ever to be successful in accessing cloud servers and inserting its personal device to spy on these encrypted communications, conversations between users who have activated iMessage Contact Key Verification receive immediate alerts.

According to an Apple official, the company has been trying to add hardware keys for some time, but most recent version of FIDO standards, it was cautious about implementation and usability. A recent increase in the availability of the keys, the spokesman added, as well as evolving and intensifying threats, were further driving factors for the business.

Apple iCloud Outage Caused Setup Issues and Account Activation Failures


On December 25th, Apple users started facing issues in iCloud sign-in in the early morning. The outage that lasted for around 24 hours prevented users from setting up new Apple gadgets and devices; users experienced problems in the activation of Apple Watch, HomePod, iPhone along with several other devices. Reportedly, the problem was caused by an unspecified problem that occurred in Apple's iCloud backend. However, it was only a matter of a day before Apple resolved the issue by the evening of December 26th. 

The problem surfaced around 5 a.m. on the day of Christmas, making users wait longer than usual to relish the experience of their Apple product for Christmas. On Friday, while replying to a supposedly eager customer, Apple's support team tweeted acknowledging the customer's eagerness and indicating that the iCloud outage that lasted until Saturday was a result of the heightened demand experienced by the company.  

"We know your mom is eager to have everything working and appreciate you helping to set them up. We are experiencing a high capacity at this time which is impacting your ability to set up iCloud, please try back in a couple of hours," the tweet read. 

A lot of users upon noting the unusually long waiting time, some for as long as 32 hours and device activation failures reported the same on Twitter, while others said to have faced complete activation failures.  

Furthermore, certain users facing similar troubles reported their problem at forums.macrumors.com, "I realize it's Christmas morning and Apple's activation servers are probably on overload, but this still seems unnecessarily frustrating," BeatCrazy wrote.  

While explaining the issue in-depth, BeatCrazy further told, " I'm able to start the pairing process using my iPhone, sign into their Apple IDs with their passwords, but I keep getting hung when Apple wants me to enter the passcode of another device. I'm given options like their iPad passcodes, or one of my Macs. After entering any of these, the watch spins for about 2 minutes and I get the error "Verification Failed - There was an error verifying the passcode of your (or insert family member name here) iPhone (or insert iPad/Mac)." Apple gives me a choice to "reset encrypted data", which I take as an offer to destroy all their existing Apple ID passwords and data - not a good option IMO."  

Seemingly, due to the ongoing COVID-19 pandemic, the year's wrap and the holiday season is busier than usual for Apple, which delayed the release of its newest iPhone 12 series by a month.

Hacker Jailed on Charges of Blackmailing Apple


A twenty-two-year-old hacker has agreed that he tried to threaten Apple company by alleging that he had data of accounts of millions of iPhone users and that he would destroy these accounts if not given the ransom. The hacker is known to be Kerem Albayrak, living in North London, who scared to clear more than 300 million Apple users' iCloud accounts, demanding that the company gave him iTunes reward vouchers amounting to £76,000 ($1,00,000), as a ransom. However, while enquiring about the issue, Apple discovered that Kerem's claims were false, and he didn't jeopardize the company's safety system.


Kerem has been charged with the crime of data breach and blackmailing and has been sentenced 2 years of jail imprisonment, and 300 hours of community service (unpaid). Two years back, in March 2017, Kerem e-mailed Apple company's safety unit, declaring to have hacked more than 300 Million iCloud accounts of Apple users. To strengthen his claim, Kerem showed him hacking two iCloud accounts in a video that he uploaded on Youtube. The hacker blackmailed to trade the iCloud accounts' data, drop his data on the internet and restore the iCloud accounts if he was denied by Apple to give his iTunes bonus voucher-request. Kerem also agreed to accept cryptocurrency as a payoff, saying he would accept a return of $75,000, but later raised it to $1,00,000. 2 weeks after the threat was sent, Kerem was caught in his house in north London, by the London police.

The attack is called Credential Stuffing-
Apple examined his allegations but was unable to obtain any solid proof that the users' iCloud accounts were hacked. "The hacker collected passwords and e-mail addresses from different aids, that were exposed recently on charges of the data breach," says UK's National Crime Agency in its inquiry. It further says that the hacker sought his chance, checking whether the user had similar iCloud accounts and passwords. The attack is known as 'Credential Stuffing,' which allows the process to complete faster.

While the investigation was in process, Kerem told the investigators, "You have fame and everyone starts to respect you, once you have power on the internet." Along with the 300 hours of unpaid community service, Kerem has also received an electronic curfew of 6 months. "Kerem thought that he could avoid prosecution when he hacked 2 iCloud accounts and blackmailed Apple, an MNC giant," says Anna Smith, senior investigative officer, NCA.