The newest registered user is kumarsharma91910
Our users have posted a total of 33976 messages in 5059 subjects
Just download and install
During a conversation i mentioned that the one(1) thing to remember about Internet Security is "There is no Security". Some blah blah blah was suddenly halted by "I BET YOU". The bet was that Apple / iTunes iCloud Activation Lock is a solid security feature which was the selling point behind all iDevices. A factory reset still had user confront the "iCloud Activation Lock" page. Sooooooo.
This past Monday evening, Mr.A got into Mr.X's Apple account, remotely erased the data on his iPhone, iPad, and MacBook, deleted his Google account and commandeered his Twitter account, and then posted a string of nasty stuff under Mr.X’s name.
Put That In Your Pipe and Smoke It...
Mr.A got into Mr.X's account not by guessing his passwords but by asking for them. On Monday, Mr.A called Apple’s tech support line and, pretending to be Mr.X, claimed he’d been locked out of his Apple account. Apple’s support guy asked the Mr.A to answer the security questions on Mr.X’s account, but Mr.A said that he’d forgotten the answers.
No problem, because the Mr.A knew something most of us don’t: If you can’t answer your security questions, Apple will issue you a new password if you can prove that you’re who you say you are using another form of identification. What identification does Apple ask to reset your password? A billing address and the last four digits of your credit card number.
Billing addresses are easy to find online, and credit card numbers are only slightly more difficult to come by. Mr.A had both bits of data on Mr.X. He’d found the billing address by looking up the registration of Mr.X’s personal website, and he’d gotten the credit card number by calling the support line of another tech behemoth, Amazon. Mr.A asked Amazon to place his—Mr.A's—email address on Mr.X’s account, which Amazon happily did. Then the Mr.A issued a forgotten password request on Amazon’s website—this sent a link to the Mr.A’s email, allowing him to change Mr.X’s password and get full access to his Amazon account, including the ability to see the last four digits of his credit card.
Bingo! Now Mr.A could get into Mr.X’s Apple account, which allowed him to delete everything connected to Mr.X’s iCloud profile (his iPad, iPhone, and Mac). Because Mr.X had set his Apple account as his Google account’s alternate address, Mr.A only had to issue another forgotten-password request for Mr.X’s Gmail to fall, too.
Here are the four things users and companies could do immediately to reduce these kinds of attacks:
1) Everyone should turn on two-factor authentication now.
To get into most online accounts, you only need to dig up a single piece of data—a password. (The username on many services—including email accounts, Twitter, and Facebook—is your public handle, available to everyone.)
There was a time when passwords were enough (and you should follow my advice on how to create very strong, easy to remember passwords). But now we’ve all got so many online accounts protecting so much valuable information that we need something in addition to passwords.
Fortunately, that something exists. Unfortunately, very few people use it. It’s called “two-factor authentication”—a security system that requires two credentials to let you into an account. The first is something you know—your password. The second is something you have with you: a biometric marker (say, your fingerprint), an electronic key tag, or—easiest of all—a cellphone that can generate a unique code.
Last year, Google turned on two-factor authentication for its accounts. The system works pretty well: After you turn it on, install the “authenticator” app on your smartphone. Now, when you log in, you type in your password and the code generated by your phone (it works even if your phone is offline). If you don’t have a smartphone, you can also have the code texted to you. Facebook also added two-factor authentication last year.
The problem with two-factor authentication is that it’s a bit of a hassle. You can set your Google account to only ask you for the code every two weeks on registered devices, but for some lazy people that’s too much trouble. Worse, because some programs that connect to your Gmail account don’t use two-factor authentication—programs like your smartphone’s mail app—you need to jump through some extra hoops to configure them to work with the system. All this requires a little bit of tech savvy, and the whole thing is not quite user-friendly enough for the majority of computer users just yet.
I’d guess that’s why Apple hasn’t added two-factor authentication to its services. But I hope Apple is working on some way to make this level of protection easy enough for the masses. (One option: built-in fingerprint readers in all its devices.) If such a system was in place, the attack on Mr.X’s Apple devices wouldn’t have happened. Mr.A might have gotten his password, but he wouldn’t have had the second factor—fingerprint, code, something—to get into his accounts.
Mr.X also didn’t have two-factor authentication enabled on his Google account. If he had, Mr.A would not have been able to get into his Gmail after compromising his Apple account. Mr.A would have still been able to issue the forgotten password request to Gmail, but he’d have lacked the authentication code generated by Mr.X’s smartphone.
2) Seriously, sign up to a backup service. Do it now. What are you waiting for?
This one is easy: You should be backing everything up. There’s a good chance you’re not. Maybe you think doing so is difficult or expensive. Maybe you think nothing will happen to you. Maybe you’re just putting it off until your next free weekend.
But the perfect time to do it is now. Despite what you’ve heard, backing up is easy and cheap. Years ago, after testing out a few cloud backup services, I recommended that people use Mozy. Since then, I’ve switched to a service called CrashPlan—the cheapest, easiest way to back up all your data.
Here’s how to do it. Go to CrashPlan. Download the software. Choose the stuff on your computer you want to back up—your documents, photos, videos, music, etc. Then, let the program run. Over the next few days, depending on how much data you have and the speed of your broadband line, your data will first be encrypted and then sent over to CrashPlan’s servers, where it will be secured far better than you can secure it.
For all this, CrashPlan’s rates (after your 30-day free trial) are really great: You’ll pay as little as $1.50 a month for storing 10 GB of data from one computer, $3 a month for unlimited data from one computer, and $6 a month for unlimited data from up to 10 computers (in other words, for protecting all the devices in your house).
Whenever I recommend cloud backup services, people chime in with worries about storing stuff in the cloud—what if CrashPlan’s servers get destroyed or hacked? I think these worries are baseless (if CrashPlan gets hacked, your data there is encrypted anyway), but when it comes to backups, you can never be too safe. So if you want to supplement your cloud backup with a local backup on your own external drive, please do so. You can even use CrashPlan’s software to do that.
Does this read like an advertisement for CrashPlan? The company hasn’t paid me a dime to write this, but I’m not kidding when I say that CrashPlan is the most important, valuable add-on service that you can buy for yourself.
Indeed, if I were king of the Internet, I would turn on backups by default. Every device you buy should come with a backup system, and it should store your data online automatically unless you tell it not to. The first company to realize this will make a killing. If Apple really wants to do right by its users, it would buy CrashPlan, build its service into all its devices, and offer unlimited backups to everyone for free. Apple has enough money to do this, and the firm must understand how well built-in backups would work in a marketing campaign: “Never lose anything again.” How’s that for a slogan?
3) Remote wiping is unnecessary. Turn off “Find My Mac.” Instead, encrypt your data.
Being able to find your lost devices sounds great. You paid a lot for that tablet, phone, and laptop. Why wouldn’t you want to locate it if it’s gone? And if someone else has it, wouldn’t you want to delete your stuff remotely so that they can’t monkey with your data?
In theory, sure. But the way that Apple implements its “Find My” system isn’t very secure. If a hacker gets into your iCloud account, he doesn’t need any other credentials to find your devices and delete all your data. That’s what happened to Mr.X, and it could happen to you, too.
Until Apple figures out a better way to protect against others wiping your data (perhaps by requiring a second form of authentication for remote wipes), you should turn off Find My Mac.
But what happens if someone gets your computer—how will you prevent unauthorized access to your data if your computer gets into the wrong hands? It turns out there’s a better security system than remote delete: It’s called whole-disk encryption, and it’s built into the Mac and some versions of Windows. You just have to turn it on. (Here’s how to do so in Mac OS Lion, and here’s how to do so in the Ultimate or Enterprise versions of Windows 7.)
Whole-disk encryption works by scrambling all of the bits on your entire hard drive; the only way to gain access to the data is by entering a password. (Here, too, of course, it would be better if two forms of authentication were required.) Turning encryption on slows down your computer by a tiny bit, but it’s not that big of a deal. And when your computer is gone, you can be sure that your data is safe—unless the hacker knows your password, your data will remain hidden to him.
4) Password recovery is a menace. Make sure your accounts aren’t daisy-chained together.
Lastly, you should examine how your various online accounts are linked through forgotten password request services. In particular, look up your various important email accounts, financial accounts, social networks, and other services. Each of these accounts will ask you for an email address where your password requests should be sent.
If they’re all pointing to one another, a single hack could let an attacker get into everything else. For instance, if Gmail is set to send password resets to your Apple account, and your bank is sending requests to Gmail, then all the hacker needs to do to wreak havoc on your finances is steal your iTunes password (which is probably not very strong, because you hate typing out a tough password on a touchscreen to download apps). With your iTunes password, he can get into Gmail through a password request, and once inside Gmail, another password request will let him into your bank. This is exactly what happened to Honan.
What should you do about this? I would create a single, secret, ultra-secure email address that you designate as the one place to send all password resets. What do I mean by ultra-secure? I mean a new Gmail account—something like firstname.lastname@example.org—with a very strong password and two-factor authentication turned on. Now go to all your other accounts and have them send password requests to this secret address. It’s important that you don’t use this address for anything else—don’t send mail from it, don’t use it to sign up for newsletters, don’t let anyone know that it has anything to do with you. As long as it remains secret, any password resets that are sent its way should be safe.
Nothing online is perfectly secure—determined hackers can get into anything if they really put their minds to it. But the guy who attacked Mr.X wasn’t some mastermind. He was a guy who just wanted to wreak havoc, and he happened to know about a few key vulnerabilities at Apple, Amazon, and in the systems that govern our online lives. But a few simple steps would have made his attack much more difficult. The stuff I’m suggesting isn’t hard to do. You should do it now.
The Ball is in Your Court, This post is for educational purposes ONLY. Not liable for any repercussions from any misuse of this data.
Trust the effort that went into presenting this report will benefit any member of VOTSCC that believes in preventive maintenance of their data.
John - azdewars
» Free VPN to surf anonymously and protect your privacy
» Public Citizen : *tell Congress: protect workers from extreme heat*
» 50 Insanely Cool Gadgets That Are Going to Sell Out This March, Ideally As Gifts
» Public Citizen : *'confront authoritarianism, protect voting rights, ensure election integrity, and defend democracy'*