Apple Admits that Governments Can and Do Spy On Citizens Using Push Notifications on iPhone
Governments have been forcing Apple to turn over push notification traffic, revealing details of the user’s habits, apps, and sometimes text from emails or other communications. The contents of an iPhone are encrypted and cannot be read without unlocking the iPhone. However, the little signals that tell an iPhone to pop up a notification, such as when you’ve received an email or when your post on social media has been reshared, must transit Apple's servers, which means Apple (or Google, for Android phones) can see and read any unencrypted info. Only a handful of apps encrypt their push notifications, including iMessage, Signal, and Telegram, but not Mail, most other email apps, or most social media apps. Analyzing this traffic in bulk can reveal details about the user, including where they are and what they're doing.
This was revealed by U.S. Senator Ron Wyden, and his push for more transparency is appreciated. Apple has updated their terms of service to make it clear that your push notifications may be requested by governments and law enforcement.
The Bottom Line: Use encrypted communications services for sensitive information. Encrypted messengers include Signal and Telegram. Consider possibly disabling push notifications for apps that might convey sensitive information such as certain medical, journaling, or health apps. That option is available in the Settings app under Notifications, and can be toggled off on a per-app basis.
Viral Videos Falsely Claim NameDrop Feature Is a Privacy Risk
A series of viral TikTok videos has spread false claims that the iOS 17 feature called NameDrop, which lets you easily share your contact info with another iPhone user, is a privacy risk. As reported by Reece Rogers at Wired, the videos claim that anybody could just bump their phone against yours, perhaps on a crowded subway car, and steal your contact info. The videos recommend that everybody should turn NameDrop off, especially children. These claims are mostly false. Simply using a passcode on your iPhone should completely protect against accidentally sharing your contact info by way of NameDrop.
NameDrop requires you to tap a prompt agreeing to share any information, so somebody bumping against your hip on the subway cannot reliably take your contact information using this feature.
NameDrop will only share your information if:
- Another iPhone is practically touching yours
- Your phone is unlocked
- You tap a prompt agreeing to share the information.
While it is possible you may accidentally put your iPhone in your pocket without locking it, and it’s further possible that your unlocked iPhone in your pocket might accidentally bump the screen to activate random commands, both of those things would need to happen at the same moment that a malicious actor brought their phone near your pocket. There’s no practical way for a malicious actor to exploit the random bumping in your pocket.
The Bottom Line: As long as you have a passcode on your iPhone, and you’ve set your screen to lock after a few minutes, you should not accidentally initiate NameDrop with a stranger.
Hackers Target Hospitals, Health Data
A healthcare data and communications company called Welltok had a cybersecurity breach, and hackers made off with the personal data of 8.5 million people. This is just one example of a swath of recent info-heists in which ransomware crews targeted hospitals and health-related services. The health sector is considered easy pickings for ransomware because so many entities are involved in healthcare—from insurers, to rural hospitals, to private ambulance companies—and all of those companies may be entrusted with very personal healthcare-related data even though they often have not allocated budget for expensive cybersecurity staff to protect their networks. Attacking hospitals should be unconscionable, but it has become increasingly common.
In another incident this month, a healthcare provider called Ardent that operates 30 hospitals in the United States had to deactivate their networks to try to stop a cyber incident, which forced them to divert all incoming emergency patients to other hospitals and shut down provider access to medical databases and tools. It’s still unclear whether Ardent’s attackers gained access to any sensitive data or if Ardent successfully stopped them.
The Bottom Line: As regular tech enthusiasts, we can’t help hospitals protect their networks, nor can we decline to share necessary information with healthcare providers. What we can do is keep on the lookout for scammers who have access to information about us that we would normally expect to exist only in medical databases. For example, a scammer could call pretending to be from a hospital billing department, or a thief could try to open a new line of credit using your private and identifying information gleaned from stolen hospital records. To protect against this kind of trouble, remember to treat any unsolicited call as highly suspect, even if the caller has accurate information about you. Hang up, and call the provider back at their official number. Also, consider credit monitoring services.
Fake Browser Updates on macOS
There’s a campaign underway that’s tricking Mac users into clicking on links to download what looks like an update for their web browser but is actually info-stealing malware. This happens when a hacker has compromised a website and is able to serve some visitors to that site a different page than everyone else sees. They set up this page to look like a little warning claiming that the visitor’s browser is out of date and will need to be updated in order to view the web page, with a button to download the “update.” This is a trap.
The Bottom Line: Keep an eye out for websites with update warnings. You will never need to download a file from some strange website in order to update your browser or your Mac. Modern web browsers (like Firefox, Safari, and Chrome) will automatically download new updates from the official servers whenever they are available. The update is installed when you quit the browser. For this reason, it’s important to occasionally quit your web browser so that it can update.
Auto-updating is important for web browsers because of the pace of cybersecurity innovation, with new bugs and hacks emerging all the time but getting fixed almost as fast. If in doubt, go visit the browser’s official website and check to see if they have a new version.
Cryptocurrency Heists Go Low, and Low-Tech
Cryptocurrency theft, where hackers break into the digital vaults of cryptocurrency exchanges or the private wallets of crypto traders and make off with all the goods, has been a booming industry for hackers. North Korea, in particular, is well known for its remarkable facility at stealing cryptocurrency—that country’s agents have carried off an estimated $3 billion worth of crypto since 2017. But such heists are done remotely, using default passwords, stolen credentials, social manipulation, and an arsenal of computer bugs to get the various digital vaults open and win an ill-gotten payday.
Now crypto traders may have a new threat on the horizon: the old-fashioned kind. Canadian police have warned that they’re seeing what might be a growing trend of home robberies, where the thieves figure out who owns all the crypto, then break into that person’s real home, in real life.
The Bottom Line: As with any traditional asset, keeping large quantities of high-value material in view of the public will increase your risk of unwanted attention. Consider distributing your crypto assets through multiple wallets and accounts.
North Korean Hackers Develop New Malware for macOS
The state-sponsored hacking groups in North Korea have developed two new malware tools to attack macOS computers. Security researchers have named the two new strains RustBucket and KandyKorn. RustBucket is delivered through a maliciously crafted PDF file and simply downloads and installs a more powerful piece of malware in the background when the PDF is opened. KandyKorn works through the chat program Discord, infecting that app on the target computer, then using it to install software that lets the hacker remotely access the computer.
It’s been postulated that North Korean interest in hacking Mac computers (even though they are a much smaller proportion of the market than Windows) may be driven by cryptocurrency traders using Macs. RustBucket was detected in targeted phishing campaigns against individuals who appeared to hold access to crypto.
The Bottom Line: Continue to treat Adobe PDF files attached to emails as highly suspicious. If you use the chat program Discord and also trade cryptocurrency, consider running Discord in a browser tab rather than installing the app.