Nest to Require Two-Factor Authentication for All Accounts From This Month

Google will require compulsory use of two-factor authentication for all Nest accounts starting this month, the company has announced.


In other words, users who haven't already enabled smartphone-based 2FA or migrated to a Google account will have to verify their identity via email-based authentication every time they log in. The change was spotted by Engadget in an updated Nest help page:
Earlier this year, we announced that starting in the Spring, we will now require all Nest account users who have not enrolled in two-factor authentication or migrated to a Google account to take an extra step by verifying their identity via email when logging in to their Nest account.

The time has come, and beginning in May, Nest will be adding this new account security feature. When a new login is initiated, you’ll receive an email from accounts@nest.com with a six digit verification code to be entered in order to successfully sign in. This code is to verify it is you trying to access your account and without this code, you will not be able to log in.
As mentioned, the intention to switch all accounts to 2FA was announced earlier this year, following reports that Nest security cameras across the U.S. were being hacked.

Google responded to those stories by explaining that its systems hadn't in fact suffered critical security breaches. Rather, affected users had failed to use unique passwords, and the compromised accounts were the result of "credential stuffing attacks," in which attackers logged into Nest accounts using login credentials leaked in older, unrelated data breaches.

Google says it will notify users before making the 2FA security change. Until then, it advises Nest owners to ensure they still have access to the email they use for Nest.
This article, "Nest to Require Two-Factor Authentication for All Accounts From This Month" first appeared on MacRumors.com


Over 500,000 Zoom Accounts Sold on the Dark Web and Hacker Forums

Hundreds of thousands of Zoom accounts are being sold or given away for free on the dark web and hacker forums, according to a new report by BleepingComputer.


Zoom has surged in popularity in recent weeks as the number of people working from home has increased, but concerns about the videoconferencing app's security have also made the headlines. However, the availability of Zoom accounts on the dark web does not appear to be a direct consequence of the app's failings.

Rather, the sale of the login details is said to be the result of "credential stuffing attacks," where hackers attempt to log in to Zoom using credentials leaked in older data breaches.

Successful logins are then collated into lists and sold on or offered for free to other hackers, with the intention of using them in zoom-bombing pranks or for malicious reasons.

The accounts are reportedly being shared via text sharing sites as lists of email addresses and password combinations. The accounts can include a victim's email address, password, personal meeting URL, and their HostKey.

Zoom accounts sold on hacker forums

Cybersecurity firm Cyble, which was able to purchase 530,000 Zoom credentials for less than a penny each at $0.0020 per account, said the Zoom accounts began appearing in the hacker community at the beginning of April, with hackers offering the accounts to build reputation.

The finding underscores the importance of using unique passwords for each website where an account is registered. Concerned users are encouraged to check if their email address has been leaked in data breaches using the Have I Been Pwned website or Cyble's AmIBreached data breach notification service, and change their Zoom password if used elsewhere.
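Both this article and the Nest one above describe the same pattern: one source replaying leaked email/password pairs against many different accounts, most of which fail. The following detection heuristic is an added example written for this page (it is not code from Zoom, Nest, Cyble or BleepingComputer) and runs over a constructed authentication log; the log format, IP addresses and account names are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from the article). One attempt per
# line: "<timestamp> <source-ip> <account> <result>".
SAMPLE_LOG = """\
2020-04-13T10:00:01 203.0.113.7 alice@example.com FAIL
2020-04-13T10:00:02 203.0.113.7 bob@example.com FAIL
2020-04-13T10:00:02 203.0.113.7 carol@example.com OK
2020-04-13T10:00:03 203.0.113.7 dave@example.com FAIL
2020-04-13T10:00:03 203.0.113.7 erin@example.com FAIL
2020-04-13T10:00:04 203.0.113.7 frank@example.com FAIL
2020-04-13T10:00:04 203.0.113.7 grace@example.com OK
2020-04-13T10:00:05 203.0.113.7 heidi@example.com FAIL
2020-04-13T10:01:10 198.51.100.9 ivan@example.com FAIL
2020-04-13T10:01:25 198.51.100.9 ivan@example.com OK
2020-04-13T10:02:00 192.0.2.4 judy@example.com FAIL
2020-04-13T10:02:01 192.0.2.4 judy@example.com FAIL
2020-04-13T10:02:02 192.0.2.4 judy@example.com FAIL
2020-04-13T10:02:03 192.0.2.4 judy@example.com FAIL
2020-04-13T10:02:04 192.0.2.4 judy@example.com FAIL
2020-04-13T10:02:05 192.0.2.4 judy@example.com FAIL
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    accounts: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts that logged in OK

def parse_line(line):
    """Split one log line into (source_ip, account, succeeded)."""
    _ts, ip, account, result = line.split()
    return ip, account, result == "OK"

def collect_stats(log_text):
    """Aggregate attempts, failures and distinct accounts per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, account, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.accounts.add(account)
        if ok:
            s.compromised.add(account)
        else:
            s.failures += 1
    return stats

def detect_credential_stuffing(log_text, min_accounts=5, min_fail_ratio=0.5):
    """Return {source_ip: accounts that logged in successfully from it} for
    sources that tried many distinct accounts with a high failure rate. One
    account hit repeatedly (brute force, 192.0.2.4 here) is a different
    pattern with a different response, so it is deliberately not matched."""
    flagged = {}
    for ip, s in collect_stats(log_text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.compromised)
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential-stuffing pattern; successful logins: {hits}")
```

The accounts listed for a flagged source are the ones whose reused passwords worked, which is where a forced password reset and a 2FA prompt should go first.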


Zoom Accused of Misleading Users With ‘End-to-End Encryption’ Claims

Zoom is facing fresh scrutiny today following a report that the videoconferencing app's encryption claims are misleading.


Zoom states on its website and in its security white paper that the app supports end-to-end encryption, a term that refers to a way of protecting user content so that the company has no access to it whatsoever.

However, an investigation by The Intercept reveals that Zoom secures video calls using TLS encryption, the same technology that web servers use to secure HTTPS websites:
This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won't stay private from the company.
As the report makes clear, for a Zoom meeting to be end-to-end encrypted, the call would need to be encrypted in such a way that ensures only the participants in the meeting have the ability to decrypt it through the use of local encryption keys. But that level of security is not what the service offers.
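The difference the report draws can be made concrete by modelling the meeting server as a relay. This is an added example written for this page, not Zoom's code or The Intercept's; it uses a toy HMAC-based stream cipher as a stand-in for TLS and media ciphers (an assumption made so the example runs with the standard library only), and the participant names, keys and frame contents are constructed.

```python
import hashlib
import hmac
import os

def toy_encrypt(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 keystream in counter mode), used only as
    a stand-in for the real transport/media ciphers so the example needs just
    the standard library. Encrypt and decrypt are the same XOR operation."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

toy_decrypt = toy_encrypt

class Relay:
    """The service's media server. Like any TLS endpoint it holds each
    participant's transport key and terminates that layer before forwarding."""
    def __init__(self, transport_keys):
        self.transport_keys = transport_keys
        self.observed = []  # whatever the provider could log or hand over

    def forward(self, sender, recipient, nonce, frame):
        inner = toy_decrypt(self.transport_keys[sender], nonce, frame)
        self.observed.append(inner)
        return toy_encrypt(self.transport_keys[recipient], nonce, inner)

def run_meeting(end_to_end, message=b"confidential board discussion"):
    """Send one media frame from Alice to Bob through the relay.
    Returns (what the relay observed, what Bob recovered)."""
    transport_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    # With end-to-end encryption the participants share a meeting key that the
    # relay never receives; without it there is only the transport layer.
    meeting_key = os.urandom(32) if end_to_end else None
    relay = Relay(transport_keys)
    nonce = b"frame-0001"

    payload = toy_encrypt(meeting_key, nonce, message) if meeting_key else message
    on_wire = toy_encrypt(transport_keys["alice"], nonce, payload)

    delivered = relay.forward("alice", "bob", nonce, on_wire)

    received = toy_decrypt(transport_keys["bob"], nonce, delivered)
    if meeting_key:
        received = toy_decrypt(meeting_key, nonce, received)
    return relay.observed[0], received

if __name__ == "__main__":
    for mode in (False, True):
        seen, got = run_meeting(mode)
        print(f"end_to_end={mode}: relay saw plaintext={seen == got}, bob got {got!r}")
```

Transport-only mode leaves the relay holding the plaintext of every frame; in end-to-end mode it holds only ciphertext, which is what the article means by content staying private "from the company".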

When asked by The Intercept to comment on the finding, a spokesperson for Zoom denied that the company was misleading users:
"When we use the phrase 'End to End' in our other literature, it is in reference to the connection being encrypted from Zoom end point to Zoom end point… The content is not decrypted as it transfers across the Zoom cloud."
Technically, Zoom's in-meeting text chat appears to be the only feature of Zoom that is actually end-to-end encrypted. But in theory, the service could spy on private video meetings and be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests.

Zoom told The Intercept that it only collects user data that it needs to improve its service – this includes IP addresses, OS details, and device details – but it doesn't allow employees to access the content of meetings.

Last week, Zoom's data sharing practices were criticized after it emerged that the service was sending data to Facebook without disclosing the fact to customers. The company subsequently updated the app to remove its Facebook log-in feature and prevent the data access.

Israel Passes Emergency Law to Track and Trace Mobile Users With Suspected COVID-19

Israel has passed emergency measures that will allow security agencies to track the smartphone data of people with suspected COVID-19 and find others they may have come into contact with (via BBC News).


The Israeli government said the new powers will be used to identify people infected with coronavirus and make sure they're following quarantine rules.

On Monday, an Israeli parliamentary subcommittee discussed a government request to authorize the security service to assist in a national campaign to stop the spread of COVID-19, but the group decided to delay voting on the request, arguing that it needed more time to assess it.

The emergency law was passed on Tuesday during an overnight sitting of the cabinet, effectively bypassing parliamentary approval.

The government has yet to explain how the mobile tracking will work, but the BBC reports that it is understood the location data collected through telecommunication companies by Shin Bet, the domestic security agency, will be shared with health officials.

Israeli prime minister Benjamin Netanyahu last week announced his intention to bypass parliamentary oversight in order to push through the emergency regulations. Netanyahu says the new powers will last for 30 days only. Civil liberties campaigners in Israel called the move "a dangerous precedent and a slippery slope."

Israel is still in the relatively early stages of the pandemic. It had 200 confirmed cases of the coronavirus as of Tuesday morning. On Wednesday, the country's health ministry reported that cases had risen to 427.



iPhones Can Now Be Used to Generate 2FA Security Keys for Google Accounts

A new update to Google's Smart Lock iOS app lets users set up their iPhone or iPad as a security key for two-factor authentication when signing into native Google services via the Chrome browser.

Once the feature is set up in the app, attempting to log in to a Google service via Chrome on another device such as a laptop results in a push notification being sent to the user's iOS device.

The user then has to unlock their iPhone or iPad using Face ID or Touch ID and confirm the log-in attempt via the Smart Lock app before it can complete on the other device.

After installing the update, users are asked to select a Google account to set up their phone's built-in security key. According to a Google cryptographer, the feature makes use of Apple's Secure Enclave hardware, which securely stores Touch ID, Face ID, and other cryptographic data on iOS devices.

The Smart Lock app requires that Bluetooth is enabled on both the iPhone/iPad and the other device for two-factor authentication to work, so they have to be in close proximity, but the advantage of the system is that it keeps the approval local to the two devices, so the confirmation can't be phished or replayed over the internet.

The Google Smart Lock app is a free download for iPhone and iPad on the App Store.

(Via 9to5Google.com)



‘Turkish Crime Family’ Hacker Pleads Guilty to Blackmailing Apple

A 22-year-old man who claimed to be the spokesman for a hacker group called the "Turkish Crime Family" has pleaded guilty in London to trying to blackmail Apple, reports Bloomberg.


In March 2017, Kerem Albayrak claimed to have access to several million iCloud accounts and demanded that Apple pay $75,000 in cryptocurrencies, or he would reset a number of the accounts and make the database available online. He later raised his demand to $100,000.

Apple responded to the ransom threat at the time by saying there had been no breaches of its systems. Indeed, according to the U.K.'s National Crime Agency (NCA), the data Albayrak claimed to have was from previously compromised third-party services which were mostly inactive, as Apple originally claimed.

A senior investigative officer at the NCA said in a statement that during the investigation, "it became clear that Albayrak was seeking fame and fortune."
Branded a "fame-hungry cyber-criminal" by the NCA, Albayrak told investigators that "when you have power on the internet it's like fame and everyone respects you, and everyone is chasing that right now."
Albayrak avoided prison time and instead was given a two-year suspended sentence following the NCA investigation. He was also sentenced to a six-month electronic curfew and 300 hours of unpaid work.



Google Pixel 4’s Face Unlock Feature Works With Eyes Closed, Sparking Security Concerns

Google has ignited security concerns over the facial authentication system in its new Pixel 4 smartphone by admitting that it will unlock the device even when the user's eyes are shut.


Google unveiled the Pixel 4 this week to mostly positive reviews, many of which praised the phone for its super-fast new face unlock system, which replaces the fingerprint sensor and works much the same as Apple's Face ID on iPhones, except for one key security feature.

The BBC has discovered that the Pixel 4 can be unlocked with the user's face even if they're sleeping (or pretending to be asleep). That contrasts with Apple's Face ID system, which engages by default an "Attention Aware" feature that requires the user's eyes to be open for the iPhone to be unlocked. Attention Aware can be disabled for convenience, but the Pixel 4 lacks an equivalent security feature entirely.

To its credit though, Google isn't hiding this fact. A Google support page reads: "Your phone can also be unlocked by someone else if it's held up to your face, even if your eyes are closed. Keep your phone in a safe place, like your front pocket or handbag."

To "prepare for unsafe situations," Google recommends holding the power button for a couple of seconds and tapping Lockdown, which turns off notifications and face recognition unlocking.

In early leaks of the Pixel 4, screenshots revealed a "require eyes to be open" setting for face unlock, so it looks as if Google tried to implement a similar feature to Apple's Attention Aware, but couldn't get it working in time for the device's launch.


Speaking before the launch, Pixel product manager Sherry Lin said: "There are actually only two face [authorisation] solutions that meet the bar for being super-secure. So, you know, for payments, that level - it's ours and Apple's."

Cyber-security experts disagree.

"If someone can unlock your phone while you're asleep, it's a big security problem," security blogger Graham Cluley told the BBC. "Someone unauthorized - a child or partner? - could unlock the phone without your permission by putting it in front of your face while you're asleep."

In a statement given to the BBC, Google said it would "continue to improve Face Unlock over time."



How to Use Firefox Private Network to Encrypt Your Web Traffic

Mozilla this week began piloting its own browser-based VPN service, and if you're located in the U.S. you can start testing it for free right away.

Called the Firefox Private Network, the service promises Firefox users a more secure, encrypted path to the web that prevents eavesdroppers from spying on your browsing activity and hides your location from websites and ad trackers.

Because it runs inside the browser rather than at the operating-system level, it won't protect any internet traffic outside of Firefox, but it's a good option if you want an encrypted connection on the fly when you're using Firefox on a public Wi-Fi network, for example.


As a time-limited beta, the Firefox Private Network is currently free to try, although this does suggest it may become a paid service in the future. You also need to be a U.S. resident logged into your Firefox account using the Firefox desktop browser.

If you can fulfill those prerequisites, you can install the private network by navigating to this page, clicking the blue + Add to Firefox button, then granting permission for the network to be added to the browser.


Click the door hanger icon that appears at the top-right corner of the toolbar, and you'll see a switch that you can use to toggle the VPN on and off. A green tick in the icon indicates the secure network is active and your browsing activity is being encrypted.

The Opera browser offers a similar free VPN service that cloaks your web browsing, but with the added benefit that it lets you choose the continent in which you want your connection to reside. So if you're looking to access a location-restricted service (Netflix, say) from abroad, you might have better luck using it instead.



Israeli Security Firm Claims Spyware Tool Can Harvest iCloud Data in Targeted iPhone Attack

An Israeli security firm claims it has developed a smartphone surveillance tool that can harvest not only a user's local data but also all their device's communications with cloud-based services provided by the likes of Apple, Google, Amazon, and Microsoft.


According to a report from the Financial Times [paywalled], the latest Pegasus spyware sold by NSO Group is being marketed to potential clients as a way to target data uploaded to the cloud. The tool is said to work on many of the latest iPhones and Android smartphones, and can continue to harvest data even after the tool is removed from the original mobile device.
The new technique is said to copy the authentication keys of services such as Google Drive, Facebook Messenger and iCloud, among others, from an infected phone, allowing a separate server to then impersonate the phone, including its location.

This grants open-ended access to the cloud data of those apps without "prompting 2-step verification or warning email on target device", according to one sales document.
Attackers using the malware are said to be able to access a wealth of private information, including the full history of a target's location data and archived messages or photos, according to people who shared documents with the Financial Times and described a recent product demonstration.

When questioned by the newspaper, NSO denied promoting hacking or mass-surveillance tools for cloud services, but didn't specifically deny that it had developed the capability described in the documents.

In response to the report, Apple told FT that its operating system was "the safest and most secure computing platform in the world. While some expensive tools may exist to perform targeted attacks on a very small number of devices, we do not believe these are useful for widespread attacks against consumers." The company added that it regularly updates its operating system and security settings.

The news raises concerns that such spyware could be used by repressive regimes and other shady attackers to monitor members of the public. In May, for example, WhatsApp disclosed a vulnerability that allowed hackers to remotely exploit a bug in the app's audio call system to access sensitive information on an iPhone or Android device.

Security researchers said that the spyware that took advantage of the WhatsApp flaw featured characteristics of the Pegasus spyware from NSO Group, which maintains that its software, costing millions of dollars, is only sold to responsible governments to help prevent terrorist attacks and support criminal investigations.

However, the WhatsApp flaw was used to target a London lawyer who has been involved in lawsuits against the NSO Group, and security researchers believe others could have been targeted as well.



Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams

A serious zero-day vulnerability in the Zoom video conferencing app for Mac was publicly disclosed today by security researcher Jonathan Leitschuh.

In a Medium post, Leitschuh demonstrated that simply visiting a webpage allows the site to forcibly initiate a video call on a Mac with the Zoom app installed.


The flaw is said to be partly due to a web server the Zoom app installs on Macs that "accepts requests regular browsers wouldn't," as noted by The Verge, which independently confirmed the vulnerability.

In addition, Leitschuh says that in an older version of Zoom (since patched) the vulnerability allowed any webpage to mount a denial-of-service (DoS) attack on a Mac by repeatedly joining the user to an invalid call. According to Leitschuh, this may still be a hazard because Zoom lacks "sufficient auto-update capabilities," so there are likely to be users still running older versions of the app.

Leitschuh said he disclosed the problem to Zoom in late March, giving the company 90 days to fix the issue, but the security researcher reports that the vulnerability still remains in the app.

While we wait for the Zoom developers to do something about the vulnerability, users can take steps to prevent the vulnerability themselves by disabling the setting that allows Zoom to turn on your Mac's camera when joining a meeting.

Note that simply uninstalling the app won't help, because Zoom installs the localhost web server as a background process that can re-install the Zoom client on a Mac without requiring any user interaction besides visiting a web page.

Helpfully, the bottom of Leitschuh's Medium post includes a series of Terminal commands that will uninstall the web server completely.

Update: In a statement given to ZDNet, Zoom defended its use of a local web server on Macs as a "workaround" to changes that were introduced in Safari 12. The company said that it felt running a local server in the background was a "legitimate solution to a poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator."

