Posts tagged with "security"

Apple Has Stopped Development of System to Identify Child Sexual-Abuse Material

Joanna Stern of The Wall Street Journal, who interviewed Craig Federighi, Apple’s Senior Vice President of Software Engineering, in connection with the new security features coming to its platforms, reports that Apple has abandoned its effort to identify child sexual-abuse material on its devices. According to Stern:

Last year, Apple proposed software for the iPhone that would identify child sexual-abuse material on the iPhone. Apple now says it has stopped development of the system, following criticism from privacy and security researchers who worried that the software could be misused by governments or hackers to gain access to sensitive information on the phone.

Federighi told Stern:

Child sexual abuse can be headed off before it occurs. That’s where we’re putting our energy going forward.

Apple also told The Wall Street Journal that Advanced Data Protection, which allows users to opt into end-to-end encryption of new categories of personal data stored in iCloud, will launch in the US this year and globally in 2023.

For an explanation of the new security protections announced today, be sure to catch Joanna Stern’s full interview with Craig Federighi.

Apple Announces a Trio of Security Features Coming to Its Platforms

Today, Apple announced three new security features.

First, iMessage Contact Key Verification allows users to verify that they are communicating with the person with whom they think they’re communicating. The feature will alert users who use it if someone has infiltrated cloud services to gain access to the user’s iMessage conversations. For even greater security, users can compare a Contact Verification Code in person, on FaceTime, or through another secure channel.

Second, Security Keys lets users adopt hardware security keys when logging into their iCloud accounts. The new system is an enhancement over two-factor authentication because it prevents someone from obtaining your second factor through a phishing scam.

Third, Advanced Data Protection for iCloud extends end-to-end encryption on the iPhone, iPad, and Mac to a long list of data categories stored in iCloud. According to Apple’s press release:

iCloud already protects 14 sensitive data categories using end-to-end encryption by default, including passwords in iCloud Keychain and Health data. For users who enable Advanced Data Protection, the total number of data categories protected using end-to-end encryption rises to 23, including iCloud Backup, Notes, and Photos. The only major iCloud data categories that are not covered are iCloud Mail, Contacts, and Calendar because of the need to interoperate with the global email, contacts, and calendar systems.

Apple says that iMessage Contact Key Verification will be available globally in 2023, and Security Keys is coming in early 2023. Advanced Data Protection for iCloud is available in the US today for participants in Apple’s beta OS program, and will presumably roll out with the next point release of Apple’s OSes.


Hands On: iCloud Shared Photo Library and Family Checklist

iCloud Shared Photo Library

Over the years, I’ve shared family photos with my wife Jennifer in three ways: iMessage, AirDrop, and Shared Albums. However, of those, iMessage won hands down, not because it’s the best way to share photos, but because Messages is an app we already use every day to communicate. Plus, sharing photos with Messages is easy whether you’re already in the app and using the Photos iMessage app or in the Photos app itself and using the share sheet. From conversations with friends and family, I know I’m not alone in my scattershot approach to sharing photos with my family.

It’s into that chaotic, ad hoc mess and all of its variations that users have improvised over the years that Apple is stepping in with iCloud Shared Photo Library, its marquee new Photos feature for iOS and iPadOS 16 and macOS Ventura. And you know what? It just works.

The feature lets anyone with an iCloud photo library share part or all of their photo library with up to five other people. Once activated, a new library is created that sits alongside your existing one and counts against the iCloud storage of the person who created it.

One critical limitation of iCloud Shared Photo Library is that you can only be a member of one shared library, a restriction that is designed to limit the library to your immediate household. That means I could share photos with my wife and kids because there are fewer than six of us, but I couldn’t set up another library with my siblings or parents for our extended families. Nor could I invite one of my extended family members to use the extra slot I’ve got in my family library unless they were willing to forgo being part of any shared library their own family created.

Unwinding a shared library.

So, what do you do if you’re in a shared library and want to join a different one? There’s a button in the Photos section of Settings to leave a library, so you can do so with one tap, saving all of the photos in the shared library to your personal library or keeping just those you originally contributed to the shared pool. Deleting libraries is possible too, but only by the person who created them, who is given the choice of keeping all images or just the ones they contributed when they do so.


Apple, Google, and Microsoft Announce Their Commitment to Expand Standard-Based Passwordless Sign-Ins

Today, Apple, Google, and Microsoft committed to expand the use of passwordless sign-in technology developed by the FIDO Alliance and the World Wide Web Consortium. The companies say that the standard will ‘offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.’

If this rings a bell, it’s because the passwordless technology announced today was first covered by Apple at WWDC 2021 when the company released a technology preview to developers to start implementing the tech into their apps and websites. The goal of passwordless sign-ins is to make sign-ins more convenient and secure by eliminating password management. Instead of passwords, sign-ins for apps and websites will happen through face, fingerprint, or device PIN authentication and eliminate the need for the use of one-time passcodes over SMS.

Apple, Google, and Microsoft already have FIDO Alliance standards built into their devices, but with the expansion announced today, the system will make authentication easier for users. According to the companies’ joint press release:

  1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to reenroll every account. 
  2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

Kurt Knight, Apple’s Senior Director of Platform Product Marketing, said of the joint effort:

Just as we design our products to be intuitive and capable, we also design them to be private and secure. Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.

With the number of devices in our lives today and the use of multiple platforms by many people, those two changes should go a long way to making passwordless sign-ins easier to use. As good as password management apps and OS-level tools have become, juggling passwords for hundreds of websites and apps is a burden on consumers, which often leads to password reuse and other insecure practices. The FIDO Alliance’s standard promises to change that, and with Apple, Google, and Microsoft on board, the likelihood that we will see a more secure, passwordless future is better than ever.


Apple Publishes AirTag Additions to Its Personal Safety Guide

First spotted by 9to5Mac, Apple has expanded its Personal Safety Guide, which serves as a hub for information about device and data access when your safety is at risk. New details in the guide cover AirTags, which have received a lot of attention as stories have surfaced of their use to stalk people, but the guide is broader than that, covering a wide range of topics. As Apple explains at the beginning of the guide:

This user guide is a personal safety resource for anyone who is concerned about or experiencing technology-enabled abuse, stalking, or harassment. It can help you sever digital ties with those you no longer want to be connected to and outlines the personal safety features that are built into Apple devices.

In addition to accessing the Personal Safety Guide on Apple’s website, it’s available as a downloadable PDF.

Regarding AirTags and other Find My accessories, Apple’s guide explains what the device’s alerts mean, giving users the context they need to decide how to respond. The guide also offers suggestions on what to do if an unknown device is found traveling with you.

It’s good to see Apple’s Personal Safety Guide actively maintained. Apple has built-in safety measures for devices like AirTags, but it’s equally important that users know how to take advantage of those safety features, which the Personal Safety Guide should help with.

Are AirTags Causing Stalking or Making Us More Aware of It?

The problem of AirTags being used to stalk people has been in the news ever since they were released last spring, but a recent story in The New York Times has brought the issue to the forefront again. AirTags are fantastic when used as intended to keep track of your keys, luggage, and other personal items, but stalking is a serious problem that Apple should do everything it can to prevent.

Apple is also in a unique position given the vast size of its Find My network. That puts the company in a different league from competitors like Tile, and with that scale comes greater responsibility.

In a story on Peer Reviewed, Matt VanOrmer puts a finger on something I’ve been wondering for a while: Are AirTags contributing to the problem of stalking or merely making us more aware of it because of the unique stalking countermeasures built into the device? It’s a classic causation/correlation question that is worth reflecting on. As VanOrmer explains:

I think the increase in news stories about AirTag stalking situations are less indicative of AirTags causing more stalking, and more indicative of how frequently stalkings already occur — with AirTags’ anti-stalking features simply bringing more of these horrible situations to light. These stories may be a classic example of the Baader-Meinhof phenomenon (AKA the “Frequency Illusion”) — in which increased awareness of creeps using AirTags to stalk women creates the illusion that it is happening more often, or even that AirTags are responsible for this illusory increase in incidence.

As VanOrmer rightly points out, Apple should do everything it can to prevent AirTags from being used to track people, which includes improving the tools available to Android users for whom Apple has made an app that is generally viewed as insufficient. This is also a topic where some added transparency about what Apple is doing to address concerns about stalking would help observers decide whether it’s enough instead of having only anecdotal news reports to go on. However, given the wide-reaching impact of the Find My network, which affects people who aren’t even Apple customers, I think a third-party audit of how Apple is handling the security and privacy implications of AirTags is warranted.

Apple Updates Its Platform Security User Guide

Yesterday, Apple updated its Platform Security User Guide to cover new hardware and software features on its platforms. The guide is broken down into hardware security, system security, encryption and data protection, app security, services security, network security, development kit security, and secure device management sections that cover every aspect of Apple’s platforms.

Many of the latest updates to the guide hinge on aspects of Apple silicon, as the introduction to the user guide explains:

Apple continues to push the boundaries of what’s possible in security and privacy. This year Apple devices with Apple SoCs across the product lineup from Apple Watch to iPhone and iPad, and now Mac, utilize custom silicon to power not only efficient computation, but also security. Apple silicon forms the foundation for secure boot, Touch ID and Face ID, and Data Protection, as well as system integrity features never before featured on the Mac including Kernel Integrity Protection, Pointer Authentication Codes, and Fast Permission Restrictions. These integrity features help prevent common attack techniques that target memory, manipulate instructions, and use JavaScript on the web. They combine to help make sure that even if attacker code somehow executes, the damage it can do is dramatically reduced.

New material is spread throughout the guide, adding security details about items like the company’s new M1 chips, the boot process of M1 Macs, the new iOS car key feature, and Safari’s password monitoring feature, which lets you know when a password you use has been compromised, among many others. To review a full list of what has been added to and changed in the Platform Security User Guide, consult the guide’s comprehensive revision history. If you’ve ever wondered how the security of an Apple platform feature is implemented, the Platform Security User Guide is an excellent place to start your research.

Apple and Privacy in 2020: Wide-Reaching Updates with Minimal User Intrusion

Privacy has increasingly become a competitive advantage for Apple. The bulk of the company’s revenue comes from hardware sales, in stark contrast to competitors like Google who depend heavily on ad revenue and thus benefit tremendously from collecting user data. Apple calls privacy one of its core values, and the structure of its business makes it easier to hold true to that value. But that doesn’t mean its privacy work is easy or without cost – behind the huge number of privacy enhancements this year was surely significant effort and resources that could have been diverted elsewhere. The company’s privacy discourse isn’t empty marketing speak; it’s product-shaping. Not only that, but thanks to Apple’s enormous influence in tech, it can be industry-shaping too, forcing companies that otherwise may not prioritize user privacy to do business differently.

This year in its WWDC keynote, Apple dedicated an entire section of the presentation to privacy, detailing its latest efforts within the framework of what it calls its four privacy pillars:

  • On-device processing
  • Data minimization
  • Security protections
  • Transparency and control

Evidence of each of these pillars can be seen throughout much of what Apple announced during the rest of the keynote. On-device processing, for example, powers the new Translate app in iOS 14, HomeKit Secure Video’s face recognition feature, and more. New security protections have been implemented to warn you if a Keychain password’s been compromised, and to enable Sign In with Apple for existing in-app accounts, both of which make your accounts more secure. But the majority of this year’s most prominent privacy updates fell under the remaining two core pillars: data minimization and transparency and control.

Here are the privacy-focused changes you’ll see this fall across iOS and iPadOS 14 and macOS Big Sur.


Apple Shares Open Source Resources for Password Manager Apps

Today on Apple’s developer site, the company announced the release of new resources for password manager apps:

Apple has created a new open source project to help developers of password managers collaborate to create strong passwords that are compatible with popular websites. The Password Manager Resources open source project allows you to integrate website-specific requirements used by the iCloud Keychain password manager to generate strong, unique passwords. The project also contains collections of websites known to share a sign-in system, links to websites’ pages where users change passwords, and more.

The open source project can be accessed on GitHub.

Apple has continually deepened its investment in the area of password management with iCloud Keychain upgrades in recent years and new APIs for third-party apps. Today’s announcement takes things a step further down the path of openness and collaboration, enabling apps to share important site-specific information with one another so that users have the best, most secure experience possible no matter their choice of password manager.
