::Trend Micro Threat Resource Center::

26 March 2013

Apple adds two-step verification option to iCloud accounts

Apple has finally introduced a two-step verification feature that allows users to secure their iCloud (Apple ID) accounts, 9to5Mac reports.

The option is currently available only to users in the US, UK, Australia, Ireland, and New Zealand, and is a clear improvement over the previous additional protection mechanism, which relied on security questions.

Users can set up the feature under "Password and Security" in their Apple ID account settings, and will be required to add (if they haven't already) the number of the phone(s) to which Apple will send the verification code.

They will also be given a Recovery Key to use if they lose a trusted device or forget their password, and are advised not to store it on the device or computer, since a compromise of either would expose it.

Apple has also moved to stop its support personnel from falling for social engineering attacks such as those that led to the compromise and wiping of Mat Honan's Twitter, Google and iCloud accounts: once two-step verification is turned on, nobody but the account owner can reset the password, manage trusted devices, or create a new Recovery Key.

"You must be responsible for remembering your password, keeping your trusted devices physically secure, and keeping your Recovery Key in a safe place," the Apple FAQ page additionally warns. "If you lose access to two of these three items at the same time, you could be locked out of your Apple ID account permanently."

24 March 2013

Ten simple things you should do this Data Privacy Day

When was the last time you ran a search on your own name – do you know if someone has been pretending to be you, or if unwanted eyes have easy access to your personal details?

Don’t stand idly by as the trail you leave online gets larger – be vigilant and take steps to protect your own information. In line with Data Privacy Day on January 28, here are ten simple things you can do to better protect the information you share online.

1. Password protect your mobile devices – only 6 in 10 Singaporeans use passwords on their mobile device. Leaving your devices unprotected is equivalent to leaving your home or car unlocked. If you’re lucky, no one will take advantage of the access. If not, you might find yourself at the mercy of cyber risks and fraud.

2. Run a search on yourself – it’s not narcissistic, and is an easy way to stay on top of what’s available about you online. You never know who might be assuming your identity or sharing your private information.

3. Be stingy with your personal details – some websites will prompt you for information such as your email, address or phone number. Be cautious, as this information might end up being used in unexpected ways.

4. Mobile security software can add another layer of protection – yes it exists, and yes it works.

5. Unknown sources are usually bad news – emails and text messages that contain links or ask for information might do you more harm than good. Make sure you know who the sender is before opening these messages.

6. Be in charge of your privacy settings – some social networks and applications can share your personal information and location with strangers. You should only share personal details with those you trust.

7. Download apps from reliable sources – mobile malware is spreading via fake app markets. Be mindful of what apps you’re downloading and where you’re downloading them from.

8. Keep your apps updated – security patches exist for a reason; install them when available.

9. Log off and log out – unless you want others to have easy access to your accounts, you should always log out after use.

10. Stay informed – keep up to date with the latest mobile threats and dangers by visiting websites such as MobileSecurity.com, which has the latest news on all things related to protecting yourself and your mobile devices.

22 March 2013

Researcher points out critical Samsung Android phone vulnerabilities

Tired of waiting for Samsung to fix a string of critical flaws in its Android smartphones, Italian security researcher Roberto Paleari has decided to inform the public about the seriousness of the matter and maybe make the company pick up the pace.

Mindful of the danger the vulnerabilities would pose to users if exploited by malicious individuals, he decided not to share technical details, but only to give a broad overview of what their misuse would allow:

• silent installation of highly privileged applications with no user interaction
• sending SMS messages and changing various phone settings without the app holding the corresponding permissions
• an app performing almost any action on the victim's phone.

"All these issues were caused by Samsung-specific software or customizations," he noted. "All the vulnerabilities I reported can be exploited from an unprivileged local application. In other words, no specific Android privileges are required for the attacks to succeed. This allows attackers to conceal the exploit code inside a low-privileged (and apparently benign) application, distributed through Google Play or the Samsung Apps market."

He admits to being surprised at how long it takes Samsung to patch the vulnerabilities, especially since he believes they are easily fixed. The company told him that "any patches [Samsung] develops must first be approved by the network carriers."

In the meantime, UK blogger Terence Eden has demonstrated another lock screen bypass flaw he found on Samsung Android phones, which allows anyone to disable the lock screen completely and access any app.

The lock screen bypass flaw he discovered earlier this month has still not been patched by Samsung, but Bkav has released a patch that not only fixes the flaw but also takes a photo of anyone trying to exploit it and emails it to the phone's owner.

UPDATE (March 22): Bkav has developed a patch for the Samsung lock screen flaw disclosed by Eden.

21 March 2013

Android, iOS bugs expose phones to voyeurs, data thieves

The first line of defense against smartphone snoops is a handset's lock screen, but the two largest smartphone makers are having trouble keeping them secure.

Bugs were discovered Wednesday in both Android and Apple smartphones.

A bug discovered by Android researcher Terence Eden allows anyone to bypass the security measures in place at a phone's lock screen and gain total access to the contents of a handset.

Eden outlined the method for bypassing the lock screen on his personal blog. The technique abuses the phone's emergency call feature, which allows emergency numbers such as 911 to be dialed whether or not the phone is locked.

The researcher noted that he found his attack to work only on a Samsung version of Android. It does not work on phones running a stock version of Android from Google.

He tested the attack on a Samsung Galaxy Note II, but predicted it would also work on the Samsung Galaxy S III and other Samsung devices.

Samsung did not respond to a request for comment for this story.

Eden explained that he reported the bug to the company in February, and that he expected a bug fix to be issued shortly.

Meanwhile, another lock screen bug was discovered in Apple's iPhone, less than a day after Apple began pushing iOS 6.1.3 to address a lock screen flaw discovered several weeks ago.

The bug was revealed by a reader of the Cult of Mac website. It uses the iPhone's Voice Control feature to bypass the lock screen, but the exploit appears to work only on the iPhone 4.

When a call is voice-dialed, the publication explained, and the SIM card is ejected while the call is being placed, the phone displays its recent call log. From that screen, a snooper can browse and edit contacts and add pictures to the phone.

Both the Android and Apple bugs are similar, according to Diogo Monica, a security engineer with Square, a mobile payments company in San Francisco.

"They both exploit the emergency call system," he said in an interview. "When an emergency call is made, it allows a logic bug to be exploited and let you access the screen without authentication."

Once the lock screen is bypassed, the information on the phone can not only be viewed but also copied: an unlocked phone can be connected to a computer and its contents dumped to that computer, Monica explained.

He estimated that all the important data in a phone can be siphoned into a computer in a couple of minutes. A complete data dump of everything in a phone would take a maximum of 15 minutes.

Faulty lock screens would create serious concerns for corporations, maintained Glenn Chisholm, CSO and vice president of Cylance, a cyber security firm in Reston, Va.

"When you try to access your corporate mail, it usually forces you to enable your lock screen," he explained in an interview. "If the corporation can't trust a lock screen to protect their corporate information ... that's a big problem."

Another big problem for corporations is lost or stolen smartphones, added Giri Sreenivas, vice president and general manager of mobile for Rapid7.

To mitigate those risks, companies require their employees to secure their phones with a PIN. "These vulnerabilities allow those controls to be bypassed," he said in an interview.

A video run-through of the issue:

18 March 2013

Hackers launch DDoS attack on security blogger's site, send SWAT team to his home

Thankfully, award-winning US computer security reporter Brian Krebs is safe.

Nobody was harmed. But they could have been.

Given a DDoSed website, a fake and libelous FBI letter sent to his web host, and a dinner party interrupted by a SWAT team training guns on him and ordering him to "Put your hands in the air!", Krebs last week surely endured the most dramatic retribution ever meted out to a security blogger.

Krebs has a good idea of the specific criminals behind the trio of attacks. Since Thursday's events, he has traced the denial-of-service attack to an operator who apparently launched a similar attack on Ars Technica after it covered Krebs's ordeal.

As described by his fellow security scribe Dan Goodin at Ars Technica, Krebs is known for work that includes:
In short, Krebs has enemies.

Last week, one or more of those enemies targeted him, likely in retaliation for his most recent investigation.

What actually went on? Full report here.

15 March 2013

Doctors used silicone fingers to fool fingerprint scanner

Fingerprint scanners might not work with severed fingers, but artificial ones can still fool them, as shown by the recently uncovered fraud set up by doctors at the Ferraz de Vasconcelos hospital in São Paulo state, Brazil.

The story broke when Globo TV obtained a video showing 29-year-old doctor Thauane Nunes Ferreira clocking in at work by pressing her own finger onto the device, then doing the same for two colleagues using silicone fingers.

In the footage she seems uncomfortable doing it, and she then collects the slips of paper that serve as proof that those colleagues clocked in. After her arrest she admitted she had been doing this for some time, but said she was coerced into it by Jorge Cury, the head of the emergency room, who allegedly organized the whole scheme and threatened anyone who refused to take part with dismissal.

It is also alleged that his own daughter was on the hospital's payroll despite not having set foot in it for over three years.

The scheme, and Cury's involvement in it, has apparently been confirmed by a doctor who resigned two years ago because they refused to break the law.

Five doctors have been suspended while the investigation continues. Acir Fillo, the mayor of Ferraz de Vasconcelos, commented that as many as 300 hospital employees may have been in on the scheme, paying to be clocked in while working somewhere else and collecting two salaries.

Unfortunately, the report does not mention which fingerprint scanners the hospital uses, but the incident shows that a fingerprint reader without liveness (presentation-attack) detection offers little assurance against a cooperative insider holding a mold of an enrolled finger, and that this class of biometric device still has some way to go before it can be trusted as proof of presence.

14 March 2013

Protecting Against APTs: Network Visibility

Worldwide spending on IT security reached approximately $60 billion in 2012 – an 8.4% rise from $55 billion in 2011. Yet Fortune 500 companies continue to make headlines because of data breaches. One can’t help but wonder how these attacks bypass the security controls that are already in place.

John Kindervag of Forrester Research explains why traditional security controls such as intrusion prevention systems (IPS) and firewalls (FW) are inadequate against advanced targeted attacks.


Fake Pope Twitter account proves malicious potential of breaking news

Mere minutes after it became publicly known that Argentine cardinal Jorge Mario Bergoglio had been elected to serve as the new Pope, Internet users around the world began searching for him on social networks.

A Twitter account (@JMBergoglio) using his name and photo was promptly discovered, and since many users took it to be legitimate, it attracted over 100,000 followers in a single day. They were able to read that he was very happy to have been elected Pope, and that kids were going to love him more than Santa Claus.

But the account turned out to be fake, and Twitter promptly suspended it, presumably after the Vatican's PR machine got involved and requested it.

Luckily for the followers, the individual behind the account was not set on promoting malicious links, but this example shows how easily scammers can reach hundreds of thousands of users simply by exploiting the massive interest that some global events attract.

Even the Verified Account option is sometimes not enough to guarantee that the account you follow belongs to the person you are interested in.

All in all, users are advised to never follow links included in tweets, Facebook posts, or emails unless they are absolutely, 100 percent sure they will not take them to malicious sites.

13 March 2013

Tips for removing data from mobile devices

AVG released tips on how consumers can remove their personal data before they recycle or throw away their old smartphones.

In an era of frequent and seamless device upgrades, it’s easy to ditch an old handset and move on to the next. However, chances are the old device has personal information lingering on it, putting consumers at a greater risk of identity theft.

“Think about all the personal data stored on your phone: text messages, emails, even intimate photos of you or your significant other,” said Tony Anscombe, senior security evangelist at AVG. “Consumers are now carrying more and more personal information on their devices, and AVG wants to ensure everyone is well equipped to wipe out that data when the time comes. Your identity is essentially yours to lose, so take every precaution possible to stay safe.”

While the factory reset button seems like the logical place to start, numerous industry and security experts report that personal information often remains on a device even after a reset: on many handsets the reset only discards the filesystem's index of the data, so the underlying flash storage still holds the files until they are overwritten, unless the storage was encrypted beforehand.

The following tips will help ensure private information is erased:
  • Remove the memory and SIM cards. Both store personal data and are best kept safe in your possession or destroyed.
  • Use a data removal application to ensure data really is deleted.
  • Once the data is deleted, then run a factory reset. Instructions can be found on manufacturers’ or carriers’ websites.
  • If you are going to simply throw away your mobile phone, older handsets can contain toxic materials. Consult your local authority or drop it off at a mobile phone retailer, where they will be able to dispose of it correctly. Additionally, there are specialist companies that will take it apart and recycle each component.
  • Of course, recycling or handing it on for use is a good option; there are many charities and organizations that redistribute old phones and will even send you a pre-paid postage box to send it in. Just search on the Internet for the many options!

03 March 2013

The Five Easiest Ways to Get Your Identity Stolen

Identity theft is a huge black market industry, costing US consumers $1.52 billion in 2011 and stealing headlines all last year. Here are five habits that all but guarantee you'll become just another statistic in 2013—and how to break them: