- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Limit which photos you share with apps. The latest privacy controls for iOS allow you to prevent apps from accessing your entire photo library and instead limit their access to specific photos.
- Use a security key to lock your Apple Account. You can use physical keys to lock your Apple Account the same way you lock the front door to your house. These keys serve as a second form of authentication.
- Review your Facebook privacy settings. Meta has never been the best when it comes to privacy, so if you're a regular Facebook or Instagram user, be sure to check your privacy settings and limit the information you share with the apps.
What should you do in the following scenario?
You've made a new friend in an online chat group. They're friendly, funny, and it's charming to have befriended a stranger. How can you be sure that this is not a long-term scam?
- It's probably safe as long as you're never coaxed to reach for your wallet (crypto, gift cards, etc).
- A video call.
- A little light stalking on social media, including Facebook and LinkedIn.
Scroll to the bottom to see how you did!
Know someone with an Android phone? Well, sharing photos and videos with your Android friends will soon be much easier. Android's version of AirDrop, Quick Share, has been upgraded on the new Google Pixel 10 family of phones to be compatible with Apple's AirDrop. That means iPhones can now AirDrop photos and videos to Pixel 10 phones and vice versa. Google insists that Quick Share is secure and has published a more detailed write-up of the technical security details on its blog. While this upgraded version of Quick Share is currently only available on the Pixel 10 family of smartphones, Google says that it looks forward to "expanding it to more Android devices," so hopefully, all Android phones will soon be able to use Quick Share.
The Bottom Line: Being able to quickly share photos and videos between Android and iPhone is great for convenience. However, just as you would with other iPhones, don't accept AirDrops that you weren't expecting. Both AirDrop and Quick Share can be used to share malicious files as well, so only accept AirDrops from people you know and trust.
New Google Chrome Update Fixes Security Flaw
Google has pushed out a patch to fix a zero-day vulnerability in its Chrome web browser. The vulnerability is actively being used by threat actors, and the search giant is keeping details about the bug under wraps to prevent further exploitation. Google is urging Chrome users to update their browsers as soon as possible. Tom's Guide has more details.
The Bottom Line: If you're a Chrome user, update your browser right away. If you're not sure how to do that, the Tom's Guide article linked above has instructions. We generally recommend against using Chrome, since Google does not have the best reputation when it comes to privacy. We recommend using privacy-focused web browsers like Firefox, DuckDuckGo, or Brave.
Why Cloudflare Went Down Last Week
Last week, Cloudflare suffered a major outage that brought down hundreds of websites across the internet. The company has now published a debrief about what went wrong and why. Thankfully, the outage was not the result of a cyberattack or a distributed denial-of-service (DDoS) attack. Instead, the problem originated from Cloudflare's own database. Essentially, a single file was doubled in size when it wasn't supposed to, and then said file was propagated to every device that makes up Cloudflare's network. This, in turn, caused Cloudflare's Bot Management software to fail, bringing down the network. You can find more details from Cloudflare itself.
The Bottom Line: There isn't much practical advice for you or me to take from this, other than maybe double-checking your work before submitting something important. Though, like the Amazon Web Services outage last month, this incident does highlight the danger of the vast majority of the internet relying on a select few companies for infrastructure.
Fighting Back Against Pig Butchering
The pernicious relationship investment scams that have cost US consumers millions of dollars over the past few years are facing concerted international pushback. The scams involve a scammer building a long-term relationship of trust with the intended victim, messaging back and forth for months or years. Then the scammer invites their mark to invest in a cryptocurrency trading scheme, which will ultimately cost them their entire savings and more. The scammers are usually operating in so-called "scam centers" along the border of Thailand and Myanmar, where people are often human trafficked, held against their will, and forced to execute scams. The US has formed a special task force to combat these scam centers. At the same time, the Myanmar military has teamed up with regional militia to demolish scam compounds, as well as liberate and repatriate the people held there. Reports suggest many thousands of imprisoned workers have been freed, at least for now.
The Bottom Line: International action is good, but the problem persists for now. Continue to practice caution whenever contacted by a stranger online. Verify identities by insisting on a video call, and watch out for any reference to too-good-to-be-true investment opportunities.
Congress Wants Meta Investigated Over Fraudulent Ads
Remember that Reuters report from a couple of weeks ago that said Meta makes 10% of its revenue from scam ads? Well, we weren't the only ones to read it. Two US senators, Josh Hawley and Richard Blumenthal, wrote a letter to the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC), urging them to investigate Meta's ad revenue and penalize the company if Reuters' report is accurate. A Meta spokesperson says that the senators' letter is "exaggerated and wrong," and that the company has "reduced user reports of scams by 58%." You can read more at The Guardian.
The Bottom Line: We see no downsides to the FTC and SEC investigating Meta. If the company has really been fully aware of the amount of scam ads running on its platforms, it should be penalized.
Is Google Using Gmail Data to Train AI?
Over the past week, posts on social media have been going viral, alleging that Google will start analyzing user emails to train its Gemini AI. The discussion started based on a Malwarebytes blog post that went over Gmail's Smart features and how to turn them off. However, Google has been quick to deny these allegations and claims that the Malwarebytes blog post is misleading. A spokesperson for the company said, "We do not use your Gmail content for training our Gemini AI model," and clarified that Gmail Smart features have been around for years. You can read more at ZDNet.
The Bottom Line: Whether Google is being honest or not is up for debate. A class action lawsuit has been filed against Google over these claims, so the outcome of that lawsuit could tell us more about how Google uses Gmail data. If you are concerned, the ZDNet article above has instructions on how to disable Gmail's Smart features and opt out of this supposed AI training. However, keep in mind that this will prevent you from using features like Smart Compose. It also means your email will not be automatically sorted into different categories, like Primary, Social, Promotions, and Updates.
Did the FBI Hack Signal? (They Didn't)
According to The Guardian, the FBI was able to infiltrate a Signal group chat for immigrants' rights activists. This has been widely reported as the FBI "hacking" Signal, but that is likely misleading. Signal, as you probably know by now, is the most private instant messaging app with end-to-end encryption, making it nearly impossible for third parties or even Signal itself to access your chats. So how did the FBI spy on a Signal group chat? Well, according to its own report, the FBI had a "sensitive source with excellent access," which likely means someone in the group chat gave the agency access and/or screenshots.
The Bottom Line: Signal is still the most secure messaging app available. The FBI did not hack Signal; it very likely gained access to the group chat through an informant.
Too Many People Are Reusing Passwords
Gen Z has worse password habits than Baby Boomers, according to a report from NordPass. The report says that 72% of Gen Z use the same password across multiple platforms, while only 42% of Baby Boomers reuse login credentials. However, Gen Z is more likely to use more secure login options like passkeys, Face ID, and multi-factor authentication. You can read more at The Independent or check out the report itself at NordPass.
The Bottom Line: If you want to avoid reusing passwords, the best thing you can do is start using a password manager. A password manager can create passwords and remember them for you. You should also use multi-factor authentication and passkeys for any accounts that support them.
Related: How Passkeys Work & How to Use Them on iPhone
FCC Undoes Requirements for Telecom Companies
Back in January, the FCC ruled that telecom companies would be required to secure their networks under the Communications Assistance for Law Enforcement Act. The ruling was made in response to attacks by Salt Typhoon, a hacking group linked to China, which compromised US networks last year. Under the new ruling, carriers and network providers would need to prioritize cybersecurity and protect their networks from foreign interference. This week, the FCC decided to roll back those rules. FCC Chairman Brendan Carr believes the ruling to be too broad, without any "real-world impact." Instead, the FCC will leave it up to the carriers to voluntarily take proper precautions to protect their customers from cyberattacks. TechSpot has more details on the ruling.
The Bottom Line: The FCC's January ruling would have been a benefit to consumers, so it's disappointing to see it rolled back. According to the TechSpot article, the FCC will instead be pursuing "narrower, more targeted rules," such as collaboration between telecom companies to better respond to threats.
Major Banking Vendor Hacked
SitusAMC, a vendor used by hundreds of banks for real estate transactions, was hit by a cyberattack on November 12. The company has since been working to determine what and how much data was stolen. Banks that rely on SitusAMC include JPMorgan Chase, Citi, and Morgan Stanley. While the banks themselves were not hacked, there is a possibility that client data was exposed in the breach. SitusAMC and the affected banks are working with the FBI to determine the extent of the damage. Read more about the incident at The New York Times.
The Bottom Line: It's unclear what this means for customers who bank with the above companies. If this breach affects you, you will likely be notified in the coming weeks. In the meantime, we always recommend freezing your credit to help protect your identity.
The Importance of Keeping Track of Your Passwords
Here at Security Friday, we're big proponents of password managers. A password manager can generate secure passwords that you or I could never think up ourselves, and it remembers every password for us. For this week's fail, we have two great stories about the importance of remembering your passwords.
First up, the International Association of Cryptologic Research (IACR) held an election to determine the organization's leadership. The election votes are encrypted to ensure the privacy of every ballot. To decrypt the election results, there is an election committee of three members who each hold a third of a cryptographic key that is used to decrypt the votes. Except that one member of the committee lost their private key, meaning the votes cannot be counted, and the election results have been canceled (presumably until the organization can hold a second election).
Next, a magician named Zi Teng Wang wanted to wow people with a wave of his hand. Literally. He implanted an RFID chip into his hand with the idea being that people could hold their phones to his palm and be linked to a meme that Zi had created. However, when the link to the meme broke, Zi figured he could simply replace the link with a different one. Except that he had lost the password required to reprogram the RFID chip. Thankfully for Zi, the original link started working again.
The Bottom Line: Use a password manager to store your important passwords. At the very least, if you have something as important as a cryptographic key, write it down on a piece of paper and store it in a safe or a safe deposit box.
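As an added illustration, not code from the newsletter or from the IACR, here is the difference between splitting a key so that all three pieces are required (which is how the committee's arrangement reads above) and a 2-of-3 threshold scheme that still recovers the key when one member's share is lost. The scheme choice, the 127-bit prime field, and the sample secret are this example's own assumptions.

```python
# Added example (not IACR's code): all-shares-required splitting vs. Shamir 2-of-3.
import secrets

PRIME = (1 << 127) - 1  # Mersenne prime; all share arithmetic is mod PRIME


def split_all_required(secret, n):
    """n-of-n split: n-1 random shares, a final share makes them sum to the secret."""
    shares = [secrets.randbelow(PRIME) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % PRIME)
    return shares


def recover_all_required(shares, n):
    """Every share is needed; a single lost share leaves nothing to recover."""
    if len(shares) != n:
        return None
    return sum(shares) % PRIME


def split_threshold(secret, k, n):
    """Shamir k-of-n: secret is f(0) of a random degree k-1 polynomial; share i is (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, j, PRIME) for j, c in enumerate(coeffs)) % PRIME

    return [(i, f(i)) for i in range(1, n + 1)]


def recover_threshold(shares, k):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    if len(shares) < k:
        return None
    pts = shares[:k]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo(secret):
    """Drop one of three shares under each scheme; return which scheme still recovers the secret."""
    plain = split_all_required(secret, 3)[:2]   # one committee member's share is lost
    shamir = split_threshold(secret, 2, 3)[:2]  # the same loss under 2-of-3
    return (recover_all_required(plain, 3) == secret,
            recover_threshold(shamir, 2) == secret)
```

Running `demo(123456789)` returns `(False, True)`: the all-required split is unrecoverable after one loss, while the threshold split is not.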
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.1
- The most recent macOS is 26.1
- The most recent tvOS is 26.1
- The most recent watchOS is 26.1
- The most recent visionOS is 26.1
Read about the latest updates from Apple.
The correct answer is 2: A video call. Live video, such as in a Zoom call or a FaceTime call, is very hard to fake, but it actually can be done with modern technology! So when you do a live video call, make sure to keep an eye out for lip-synching issues. Do not accept pre-recorded video as a substitute.
Option 1, "It's probably fine as long as you never reach for your wallet," is not a very good strategy. Once somebody has become dear to you over months or years, you will want to help them when they are in trouble, and scammers exploit this by forming years-long relationships before actually implementing the scam.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Want to learn more about multi/two-factor authentication? Check out: