- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Lock sensitive apps behind Face ID. You can lock any app with Face ID, and we recommend doing so for important apps like banking or credit card apps.
- Be sure to update any compromised passwords. The Passwords app can show you which of your passwords have been compromised and help you with updating them on their associated websites.
- Keep your network connection private. If you have an iCloud+ subscription, you can enable iCloud Private Relay to prevent websites from collecting your data or tracking you.
What should you do in the following scenario?
You receive a notification that a company you use has had a security breach, and your information may be affected. What should you do?
- A. Change your password with that company. If you use the same password with any other services, change it there, too.
- B. Freeze your credit.
- C. Employ credit monitoring.
- D. Download and back up any of your data that the company was storing.
- E. Consider finding an alternative service provider.
- F. All of the above
Scroll to the bottom to see how you did!
Apple is in the process of rolling out a new global system to support age-verification laws around the world. iPhone owners will be able to privately verify their age with their iPhone, and that information will be securely stored in the device's local memory. Any app that is limited by law to only serve adults, such as social media apps in many jurisdictions, can then ask the iPhone if the user is of age and receive a simple yes/no, without giving the app access to any personal and identifying information, such as the user's government ID, or even birthday.
Governments around the world have been pushing social media bans for children and teens, and the UK has already passed a (controversial) age-verification law. We reported last week on how the chat app Discord has struggled to find a secure way to verify user ages, and Apple's solution neatly solves their problem, should they choose to use it.
The Bottom Line: Apple's age verification system is currently available to app developers, but it will likely reach the general public with continued iOS 26 updates later this year, probably in stages for the various jurisdictions where these laws apply. If you are in a jurisdiction where age verification is required, the system will attempt to verify your age by checking the credit and debit cards in your wallet. If that fails, you may be asked to enter charge card details to verify your age. In some jurisdictions, users may not be able to download apps at all unless they verify their age.
More Breaches: PayPal, Student Admissions Website, Medical Records
The march of companies suffering breaches and exposing customer information goes on. The PayPal Working Capital (PPWC) loan application, a form used by PayPal as part of a loan application process for small businesses, had a security bug that left customer data exposed, including social security numbers. This doesn't affect all PayPal users, only a small subset who should have been notified already.
Separately, TechCrunch found a bug in Ravenna Hub, a service that schools employ to manage student admissions and event registration. The bug exposed the personal information of children, including names, pictures, school details, dates of birth, and home addresses. Ravenna Hub's parent company declined to confirm whether it would be notifying affected parties, and it is unknown whether the bug had been exploited by hackers at the time it was discovered by TechCrunch.
In yet another unrelated incident, a medical facility in Mississippi had to close clinics and cancel outpatient care due to a cyberattack. The full extent of that breach isn't known yet.
The Bottom Line: You can't control which software your school or hospital uses, and opting out of services like PayPal is of limited utility. At the end of the day, these kinds of compromises are going to continue, and we, as regular people, can't stop hackers from exploiting them. What we can do instead is compartmentalize our accounts so that one compromise does not affect every account: use a password manager to make unique, strong passwords for every account, and back up your critical information so that no single failure can destroy all of it. We also recommend freezing your credit in the USA or, in other countries, checking whether your jurisdiction offers a similar program to help protect you from identity theft.
What Happens After a Breach? How Hackers Turn a Compromise into Stolen Identities
We hear a lot about data breaches every week, but what actually happens when hackers steal personal data, and what do the consequences look like? Cybersecurity researchers at Specops analyzed more than 90,000 leaked data sets to illustrate how hackers can link this data to real people and organizations. They do this by looking for reused usernames and passwords, as well as data from social media platforms like LinkedIn, Facebook, YouTube, and other sites where your real name may be visible. Read more about infostealers and their impact at Bleeping Computer.
The Bottom Line: As we mentioned previously, using a password manager is a great way to reduce the impact of data breaches. Since password managers ensure every website has a unique username and password combination, a single breach of one account won't affect all of your other accounts.
Don't Use GenAI to Make Passwords
This one is a pretty good candidate for our security fail of the week, but the one we chose is even funnier (scroll down to see it). GenAI can generate any text or image you ask for. We recommend using completely random passwords or passphrases, where the series of characters or words is generated and saved in a password manager; we're not alone, that's universal security advice. Truly random passwords are much harder for password-cracking programs to guess.
Now, you might think that GenAI would be great at generating a random series of three to five words for a passphrase or characters for a password, but the problem is that GenAI is fundamentally not random: It is a text predictor. It produces a series of characters to look like other examples of the thing you're asking for. So when you ask for a passphrase, it generates something that looks like a passphrase by considering what the prompt and previous text were and therefore what the next character should be. That is not random. It turns out, passwords and passphrases created by GenAI can be guessed by a password-cracking program in just a few minutes, because the patterns are discernible. Read more in The Register.
The Bottom Line: Use a password manager to generate your passwords and passphrases. Don't use GenAI.
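To make the "random versus predictor" point measurable, here is an added example (not code from the newsletter or from any password manager) that draws a passphrase from the OS random number generator the way a password manager does, compares it with a toy "text predictor" that only ever continues familiar phrases, and estimates the entropy of each by sampling. The 16-word vocabulary and the predictor's follow-up table are constructed for the demo; the 7776-word figure is the size of a standard Diceware list.

```python
import math
import secrets
from collections import Counter

# Constructed 16-word vocabulary for the demo; a real Diceware list has 7776 words.
WORDS = ["apple", "brick", "cloud", "delta", "ember", "flint", "grape", "harbor",
         "ivory", "jungle", "kettle", "lemon", "mango", "nickel", "otter", "pepper"]

def random_passphrase(n_words, wordlist=WORDS, sep="-"):
    """What a password manager does: draw each word from the OS CSPRNG,
    uniformly and independently of the words already chosen."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))

# Toy stand-in for a text predictor (constructed, not a real model): it starts
# from one of two favourite words and then keeps completing a familiar phrase.
LIKELY_NEXT = {
    "cloud": ["nine", "cover"], "nine": ["lives", "times"], "cover": ["story", "letter"],
    "apple": ["pie", "tree"], "pie": ["chart", "crust"], "tree": ["house", "line"],
}

def predictor_passphrase(n_words, sep="-"):
    """Looks like a passphrase, but every word comes from a tiny set of
    plausible continuations, so the output space is small and guessable."""
    words = [secrets.choice(["cloud", "apple"])]
    while len(words) < n_words:
        words.append(secrets.choice(LIKELY_NEXT.get(words[-1], ["again", "more"])))
    return sep.join(words)

def empirical_entropy_bits(generator, trials=20000):
    """Shannon entropy of the generator's output, estimated by sampling it."""
    counts = Counter(generator() for _ in range(trials))
    return -sum((c / trials) * math.log2(c / trials) for c in counts.values())

def ideal_entropy_bits(vocab_size, n_words):
    """Entropy of a uniform passphrase: each word adds log2(vocab_size) bits."""
    return n_words * math.log2(vocab_size)

def expected_crack_seconds(bits, guesses_per_second):
    """Average brute-force time: half the keyspace at the given guess rate."""
    return 2 ** bits / 2 / guesses_per_second

if __name__ == "__main__":
    print("CSPRNG   :", random_passphrase(3),
          f"~{empirical_entropy_bits(lambda: random_passphrase(3)):.1f} bits")
    print("predictor:", predictor_passphrase(3),
          f"~{empirical_entropy_bits(lambda: predictor_passphrase(3)):.1f} bits")
    bits = ideal_entropy_bits(7776, 5)  # five Diceware words
    print(f"5 Diceware words: {bits:.1f} bits, "
          f"~{expected_crack_seconds(bits, 1e10) / 3.15e7:.0f} years at 1e10 guesses/s")
```

With the 16-word list, three CSPRNG words give close to 12 bits, while the predictor's three-word phrases never exceed 3 bits (only eight distinct outputs), whatever the words look like.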
The Wired Guide to Organizing Safely in the Digital Surveillance Age
We wanted to share this guide because it's great. Across the world, people engage in community organizing efforts, from soup kitchens, to voting drives, to church groups, to protests, and more. But in some jurisdictions, even peaceful and lawful organizers have to worry about adversarial action: harassment from counter-activists, crackdowns from the government, etc. Activists rightly worry that their personal information leaking on social media or through other surveillance technologies may result in threats to their projects and personal safety. Wired has written a very helpful guide to navigating the digital security and privacy side of community organizing efforts.
The Bottom Line: If you or someone you know is engaged in community activism, have a look at Wired's guide.
The Limits of Security Codes: How Phishing Defeats Modern Defenses
Modern phishing can be highly sophisticated. When scammers send you a phishing email, the link they want you to click has to look benign, the page it leads to has to look real, the whole process has to be extremely seamless, and it has to be customized to you, or else you will notice right away, and the phishing attempt will fail. To create these unique, customized phishing websites for thousands of phishing emails, scammers rely on software called phishing kits: criminal toolkits that are bought and sold on the dark web. Brian Krebs at Krebs on Security has taken a look at one such kit, called Starkiller. His article highlights how Starkiller is able to create a perfect copy of the website the victim intends to visit, while loading the real website in the background, actively entering everything the victim does into the real website. This lets Starkiller bypass multi-factor authentication: The real website sends the user a text with a code, and Starkiller simply captures the numbers when the victim enters them, logs in to the real website, and gains access to the victim's account. Read all about it at Krebs on Security.
The Bottom Line: Multi-factor authentication codes, such as the ones sent to you via text message, will help protect your accounts against crooks guessing your password, or if the password was compromised in a breach, but they will not protect you from modern phishing kits. If you click a phishing link and enter information in the malicious lookalike website, you will compromise that account. To protect yourself, use a password manager to make sure that compromising one account doesn't compromise others as well.
Developer Builds App to Scan for Meta Smart Glasses
Remember that New York Times story last week about Meta adding facial recognition to its smart glasses? An independent developer named Yves Jeanrenaud read that story too and decided to do something about it. They built an app that can scan for nearby smart glasses and alert you if any are detected. The app works by looking for specific Bluetooth signals emitted by smart glasses and then sending a push notification to your phone to warn you. At this time, the app is only available on Android devices, but hopefully an iOS equivalent will pop up soon. Read more at 404 Media.
The Bottom Line: While this app won't stop Meta's facial recognition from scanning your face, it can at least help you avoid the smart glasses in the first place. If you have an Android device and want to know when smart glasses are nearby, the 404 Media article linked above has a Google Play Store link for you.
Head of AI Safety at Meta Lost Her Email to AI
Summer Yue is the Director of Alignment at Meta Superintelligence Labs and one of Meta's lead researchers on AI, tasked specifically with making sure that AI does not go rogue. She accidentally set an agentic GenAI to delete her entire email inbox. Skilled people sometimes make rookie mistakes, and it's fair to laugh when they do. Thanks for the chuckle, Summer! Read more at 404 Media.
The Bottom Line: GenAI sometimes forgets earlier instructions because its space for remembering a set of instructions and materials is limited. If an important guardrail is given early in the process, that needs to be reiterated with each new instruction. Even this doesnāt prevent agentic GenAI from making mistakes and ignoring instructions. Regular safeguards would normally include things like robust review and testing before any new engineering product, such as computer code to sort an inbox, is deployed to make permanent changes.
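The safeguard described above works best when it lives outside the model, so it cannot be forgotten along with an early instruction. The following added example (constructed for this newsletter, not Meta's or any mail provider's code) wraps a simulated inbox-sorting agent in a guard that checks policy on every proposed action: bulk deletion is never executed, single deletions are capped per run and downgraded to a reversible move to trash, and every decision is logged for review. The mailbox and actions are invented sample data.

```python
from dataclasses import dataclass, field

# Constructed sample mailbox: message id -> subject. Not a real mail API.
INBOX = {1: "Invoice March", 2: "Newsletter", 3: "Tax documents",
         4: "Promo: 50% off", 5: "Flight itinerary"}

@dataclass
class GuardedMailbox:
    inbox: dict
    trash: dict = field(default_factory=dict)
    archive: dict = field(default_factory=dict)
    max_deletes: int = 2          # hard per-run cap, enforced in code not in the prompt
    deletes_done: int = 0
    log: list = field(default_factory=list)

    def apply(self, action):
        """Apply one model-proposed action. The policy is re-checked on every
        call, so it holds even if the model has 'forgotten' its instructions."""
        kind, msg_id = action["op"], action.get("id")
        if kind == "delete_all":
            # Bulk destructive operations are never executed, whatever the prompt said.
            return self._refuse(action, "bulk delete is never permitted")
        if msg_id not in self.inbox:
            return self._refuse(action, "unknown message")
        if kind == "archive":
            self.archive[msg_id] = self.inbox.pop(msg_id)
        elif kind == "delete":
            if self.deletes_done >= self.max_deletes:
                return self._refuse(action, "delete cap reached")
            # 'Delete' is downgraded to a reversible move to trash; nothing is purged.
            self.trash[msg_id] = self.inbox.pop(msg_id)
            self.deletes_done += 1
        else:
            return self._refuse(action, "unsupported op")
        self.log.append(("ok", action, None))
        return True

    def _refuse(self, action, reason):
        self.log.append(("refused", action, reason))
        return False

def run_agent(mailbox, proposed_actions):
    """Simulated agent loop: the model proposes, the guard decides, each step is logged."""
    return [mailbox.apply(a) for a in proposed_actions]

if __name__ == "__main__":
    mb = GuardedMailbox(inbox=dict(INBOX))
    plan = [{"op": "archive", "id": 2}, {"op": "delete", "id": 4},
            {"op": "delete_all"}, {"op": "delete", "id": 1}, {"op": "delete", "id": 3}]
    print(run_agent(mb, plan))
    for entry in mb.log:
        print(entry)
```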
Everything you need to know about Appleās latest software updates.
- The most recent iOS and iPadOS is 26.3
- The most recent macOS is 26.3
- The most recent tvOS is 26.3
- The most recent watchOS is 26.3
- The most recent visionOS is 26.3
Read about the latest updates from Apple.
The correct answer is F: All of the above.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Interested in keeping your iPhone secure? Check out: