

Posts tagged with "security"

Apple Answers Two-Factor Authentication Questions Raised by Developers

A week ago, Apple sent an email to developers announcing that it would require two-factor authentication for all developer accounts beginning February 27, 2019. The message linked to an Apple two-factor authentication support page that applies to all Apple IDs. The trouble was, the support page didn’t answer many of the developer-specific questions that were immediately raised.

The concern I’ve heard voiced most often by developers is whether someone who uses one Apple ID to log into their developer account would be able to do so using an Apple device that is logged in using a different Apple ID. Today, Apple published a new support page answering this and many other questions. Specifically with respect to the two-Apple ID scenario, Apple’s FAQ-style support page says:

Will I need a trusted device dedicated to my Apple Developer account if I enable two-factor authentication?

No. You’ll need to use a trusted device to enable two-factor authentication for the first time. However, you can use the same trusted device for multiple Apple IDs that are enabled for two-factor authentication. Additionally, if you do not have access to your trusted device, you can get your verification code via SMS or phone call. When possible, you should use a trusted device to increase security and streamline the process.

The document covers many other situations as well including:

  • How to check if you have two-factor authentication enabled
  • Configuring an iOS device or Mac to accept authentication codes for multiple Apple IDs
  • Enabling multiple trusted phone numbers that can receive authentication codes

The support page concludes with a link to a contact form through which developers can raise with Apple’s developer team any other circumstances that prevent them from enabling two-factor authentication.

Although it would have been better if this level of detail had been published when Apple’s initial email went out to developers last week, the company has clearly heard the concerns raised by the developer community and has put together a thorough explanation that should address most situations. By answering the most common questions, Apple Developer Relations will hopefully be freed up to deal with any outlier issues that aren’t addressed in its support documentation.


How iOS Makes Good Password Practices Easier for Users

We’ve all been there. You’re signing up for a new service or creating an account for a new app, and you’re asked to pick a password. You know you should use a strong, random password, but in a rush to get started, you choose a weak, memorable one instead because it’s the path of least resistance.

Apple has been pushing back against those bad habits with new iOS features designed to combat password reuse by flipping the calculus on its head. In an excellent presentation given at PasswordsCon 2018 in Stockholm, Sweden last week, Apple engineer Ricky Mondello explains the iCloud Keychain features implemented in iOS since iOS 11 and the thinking behind them. He also provides tips and resources for web and app developers who want to integrate better with those features.

What I especially like about Mondello’s talk is the insight into the thought and effort that’s gone into making good passwords easy to create. It’s not something I’ve thought about much before, which I take as a sign that Apple’s Safari and iCloud Keychain engineers are succeeding.

The presentation is also fascinating from a design and user experience standpoint. As Mondello explains, people are ill-suited to create and remember random passwords. It’s a problem that’s right in a computer’s wheelhouse, but one that also requires users’ trust and an understanding of their habits to solve.

I recommend watching Mondello’s talk. There are a lot of interesting implementation details throughout the talk and insights into the thinking behind them, which are approachable whether you have a background in the topics covered or not.


Apple Strongly Refutes Bloomberg Report That Its Servers Were Compromised by Malicious Chips

Earlier today, Bloomberg published a story claiming that Apple and Amazon discovered tiny, malicious chips on Elemental network servers built by Super Micro. According to the story, the chips were the work of Chinese spies and designed to infiltrate the tech companies’ networks. Shortly after publication, Apple responded in an email statement strongly refuting Bloomberg’s account.

Amazon’s chief information security officer similarly disputed the claims, saying in part:

There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.

A short time ago, Apple elaborated on its initial statement to Bloomberg on its Newsroom website:

In response to Bloomberg’s latest version of the narrative, we present the following facts: Siri and Topsy never shared servers; Siri has never been deployed on servers sold to us by Super Micro; and Topsy data was limited to approximately 2,000 Super Micro servers, not 7,000. None of those servers have ever been found to hold malicious chips.

Topsy is a startup that Apple acquired in 2013.

For over 12 months, Apple says it repeatedly told Bloomberg reporters and editors that they and their sources were incorrect.

We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.

Security and privacy are cornerstones of Apple’s business that it uses to differentiate the company’s products from competitors’, so the fact that the company takes this sort of claim seriously isn’t unusual. This also isn’t the first time Apple has taken Bloomberg to task on the veracity of its reporting. However, the forcefulness of the responses from Apple and Amazon, followed by Apple’s press release on its Newsroom site, is unprecedented. It will be interesting to see whether Bloomberg responds.


A Redesigned 1Password 7 for Mac Enhances Watchtower and Adds Flexibility to Vaults, App Login Support, and More

AgileBits has released 1Password 7 for Mac, a significant update that is free to subscribers but also available as a standalone download. I’ve used 1Password since I started using a Mac. The app has always been the best way to store passwords for websites, and for years, that’s primarily how I’ve thought of it.

There’s been more to 1Password than just password storage for a while now though, and what sets this update apart is the depth of those other features and the ease with which they can be incorporated in your everyday computing life. That’s important because it doesn’t take much friction for someone to get lazy about security.

1Password 7 is a comprehensive update that touches every corner of the app. The app will still be familiar to long-time users, but features like Watchtower and Vaults have been extended with new capabilities that are worth exploring if you haven’t in a while. 1Password also works better than ever with app logins. There are dozens of other changes, big and small, that, along with a design refresh, make 1Password 7 an excellent update.



Apple’s Updated Security Guide for iOS 11.1 and iOS 11.2

Apple’s iOS Security guide is one of the most fascinating technical documents I’ve read in recent years. While the topics are intricate, they’re presented clearly in readable English. Earlier this week, the document was updated with new information on the latest additions to the iOS ecosystem – including Face ID, Apple Pay Cash, and Password AutoFill. There are some interesting details I didn’t know in each section.

On Face ID:

Facial matching is performed within the Secure Enclave using neural networks trained specifically for that purpose. We developed the facial matching neural networks using over a billion images, including IR and depth images collected in studies conducted with the participants’ informed consent. Apple worked with participants from around the world to include a representative group of people accounting for gender, age, ethnicity, and other factors. The studies were augmented as needed to provide a high degree of accuracy for a diverse range of users. Face ID is designed to work with hats, scarves, glasses, contact lenses, and many sunglasses. Furthermore, it’s designed to work indoors, outdoors, and even in total darkness. An additional neural network that’s trained to spot and resist spoofing defends against attempts to unlock your iPhone X with photos or masks.

On Apple Pay Cash, which details the new ‘Apple Payments Inc.’ subsidiary:

When you set up Apple Pay Cash, the same information as when you add a credit or debit card may be shared with our partner bank Green Dot Bank and with Apple Payments Inc., a wholly owned subsidiary created to protect your privacy by storing and processing information separately from the rest of Apple and in a way that the rest of Apple doesn’t know. This information is only used for troubleshooting, fraud prevention, and regulatory purposes.

[…]

Apple Payments Inc. will store and may use your transaction data for troubleshooting, fraud prevention, and regulatory purposes once a transaction is completed. The rest of Apple doesn’t know who you sent money to, received money from, or where you made a purchase with your Apple Pay Cash card.

To read more, get the full PDF here and check out the document revision history for January 2018.


Apple Addresses the Meltdown and Spectre Exploits With Additional Mitigations to Come

In a support article, Apple has acknowledged that the recently-disclosed Meltdown and Spectre exploits, which affect virtually every CPU in computers, mobile devices, and other platforms, also impact every Mac and iOS device. Although there are no known exploits of the vulnerabilities, Apple advises that users proceed with caution and download apps from trusted sources only.

Mitigations to defend against Meltdown have already been shipped by Apple in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS is unaffected by Meltdown. Development of mitigations for both exploits is ongoing and new defenses will be released to each Apple OS as they become available.

The support article published by Apple provides a high-level explanation of how each exploit works. If there’s any good news to be found in the widespread concern caused by these exploits it’s that Apple says the recently-released mitigations have no measurable impact on performance:

Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark, or in common Web browsing benchmarks such as Speedometer, JetStream, and ARES-6.

Apple’s support document also reveals that Spectre can be exploited in web browsers, including Safari, using JavaScript. Apple is working to address the problem with an update to Safari that will be released in the coming days. Apple says that:

Our current testing indicates that the upcoming Safari mitigations will have no measurable impact on the Speedometer and ARES-6 tests and an impact of less than 2.5% on the JetStream benchmark.

The gravity of the exploits, which affect virtually all computing platforms, cannot be overstated, but it’s reassuring that the initial mitigations released and those coming in the days ahead should have little or no impact on performance. It’s also worth noting that this is probably not the last we’ll hear about Meltdown and Spectre. As Apple notes:

We continue to develop and test further mitigations within the operating system for the Spectre techniques, and will release them in upcoming updates of iOS, macOS, tvOS, and watchOS. 


Twitter Now Supports Third-Party Apps for Two-Factor Authentication

Earlier today, Twitter announced that you’ll now be able to use a third-party app (such as Google Authenticator, Authy, or 1Password) for two-factor authentication instead of SMS. The company has updated its support document with instructions on how to set it up here.

This is great news as Twitter was the last service with 2FA that only supported sending codes via SMS. Switching from text messages to 1Password (which I use for one-time codes) was easy: in Twitter for iPad, I went to Settings ⇾ Account ⇾ Security, and enabled the ‘Security app’ toggle. I then selected to use another app to generate my codes and opened 1Password on my iPhone, where I hit Edit on my Twitter login item and scrolled to the OTP section. Here, I tapped the QR button, scanned the QR code Twitter was displaying on my iPad with the iPhone’s camera, and that was it.

Unless you specifically want to receive 2FA codes from Twitter via SMS, you should consider switching to a dedicated authentication app: these codes work independently from carriers and location, and they can be generated offline.


Apple Fixes Root Access Bug with Security Update

Yesterday, a serious security flaw in macOS High Sierra was discovered that let someone with access to a Mac running Apple’s latest OS gain root access to its data. Today, Apple released Security Update 2017-001, which fixes the issue. The release notes for the update describe the issue as follows:

Impact: An attacker may be able to bypass administrator authentication without supplying the administrator’s password
Description: A logic error existed in the validation of credentials. This was addressed with improved credential validation.

In a comment to Rene Ritchie of iMore.com, Apple said:

Needless to say, this is an important update that should be installed as soon as possible.


macOS High Sierra’s Root Access Bug

Greg Barbosa, writing for 9to5Mac:

A newly discovered macOS High Sierra flaw is potentially leaving your personal data at risk. Developer Lemi Orhan Ergin publicly contacted Apple Support to ask about the vulnerability he discovered. In the vulnerability he found, someone with physical access to a macOS machine can access and change personal files on the system without needing any admin credentials.

Users who haven’t disabled guest user account access or changed their root passwords (likely most) are currently open to this vulnerability. We’ve included instructions on how to protect yourself in the meantime until an official fix from Apple is released.

Incredibly embarrassing and dangerous screwup for a company as devoted to security as Apple. They’re working on a fix, and in the meantime you should follow these steps to change your root password (thankfully, I had guest user access disabled, so the bug didn’t affect my machine).

See also: Rene Ritchie’s explainer.
