- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use Sign in with Apple wherever possible. Sign in with Apple is a feature that allows you to create an account and sign in without a password.
- Turn off app tracking. Apps can ask to track your activity when you open them for the first time. You should never allow apps to track you, and you can stop them from asking in the first place.
- Take a few minutes to review which apps and people have access to your data. Safety Check is a feature that lets you quickly review what data you are currently sharing with apps and people in your contacts.
What should you do in the following scenario?
You're setting up a new account and you're prompted to add a second form of authentication. Which option is best? 🤔
- Passkey
- Authenticator app
- SMS verification
- Hardware key
Scroll to the bottom to see how you did!
At Apple's annual Worldwide Developers Conference keynote on Monday, the company unveiled its new Apple Intelligence-powered Siri, which will be available in beta when iOS 27 launches later this year. Siri AI will have its own dedicated app, allowing you to interact the same way you might use ChatGPT or other AI models. You will also still be able to invoke your virtual assistant by saying "Siri" or "Hey Siri." Siri AI promises to be smarter than the original Siri, able to process more complex requests and carry conversation while remaining aware of prior context. Find out more about the new-and-improved Siri.
What we're most curious about is how this more advanced Siri will handle user privacy. Siri AI will require more computing power. While the AI model partially runs on-device, it still requires Private Cloud Compute (PCC) to function. Apple's own data centers alone cannot get the job done, so the company is expanding PCC to third-party data centers, offloading some of the resources onto Google Cloud. Check Apple's security blog post for more details.
The Bottom Line: Apple designed Private Cloud Compute as a way to make artificial intelligence work without compromising the privacy of its users. Anyone using Apple Intelligence could rest easy knowing it was running through Apple servers, on hardware built and maintained by Apple. By expanding PCC to third-party hardware, that will no longer be true.
Whenever we use Apple Intelligence now, our requests are being routed through PCC on Google Cloud. According to Apple, PCC is still completely private and your requests are as confidential as they were before. Apple still has complete control over PCC software and is still publishing all binaries for public inspection. The only difference is the hardware implementation. Now, we don't know for sure how honest Apple is being here. Partnering with Google is not exactly ideal, but the possibility of a truly private AI is exciting. We hope that Apple will remain committed to user privacy and will protect our data from Google or any other third parties.
DuckDuckGo & NordVPN Threaten to Pull Out of Canada
Last month, we reported that Signal was threatening to pull its services from Canada if the new Bill C-22 is allowed to pass. This controversial bill requires tech companies to retain a year's worth of user metadata and allow law enforcement to access it. Now, DuckDuckGo and NordVPN have both announced that they'll be joining Signal and will also pull out of Canada if the bill passes. Read more at TechSpot.
The Bottom Line: This bill is reminiscent of the UK's attempts to force Apple to create a backdoor into the encryption of Advanced Data Protection. If the prospect of this bill passing concerns you, be sure to voice your concerns to your representatives.
ICE's Facial Recognition App to Expand to Local Law Enforcement
Immigration and Customs Enforcement (ICE) has been using facial recognition software to determine people's immigration status—despite the fact that it has mistakenly identified individuals in the past. ICE will now be supplying its facial recognition app to law enforcement agencies across the US. State and local police will be able to use this app when detaining anyone they suspect of being in the country undocumented. Read more at 404 Media.
The Bottom Line: Facial recognition technology cannot provide 100% positive proof of identity, not even the Face ID sensor on your iPhone. It is safe to use Face ID to unlock your iPhone—that information never leaves your device.
Another Reason to Avoid Meta’s AI Smart Glasses
Meta's smart glasses are everywhere, and anyone who uses them has likely installed the glasses' companion app, Meta AI. The app was recently updated and silently installed a facial recognition component, albeit not yet activated. If enabled by Meta, it would allow its smart glasses to scan the faces of anyone they see. Internal documentation from Meta suggests that the company planned to introduce facial recognition as an accessibility feature for the blind. However, critics of facial recognition tech have pointed out how this feature could be abused by stalkers or other malicious actors. After Wired brought attention to this update, Meta was quick to release a second update, which removed all traces of its facial recognition feature. Check out the full story over at Wired.
The Bottom Line: While Meta has put its facial recognition feature on hold for the time being, it doesn't mean it won't be enabled in a future update. We would recommend against using Meta's smart glasses.
WhatsApp Targeted by NSO Group
WhatsApp has identified and disrupted phishing campaigns linked to NSO Group, a spyware developer known for creating the Pegasus spyware. According to Meta, NSO was sending malicious links to users, attempting to trick them into clicking them. The group was also creating test accounts on WhatsApp, which the company quickly took down. This is especially significant since there is a court-ordered injunction in place preventing the NSO Group from targeting WhatsApp. Read Meta's newsroom article for more details.
The Bottom Line: Phishing attacks are one of the most common ways scammers and hackers steal credentials or other personal information. If you receive unsolicited messages containing links, do not open them. Additionally, while WhatsApp offers end-to-end encryption, we still recommend Signal as the go-to messaging platform for the privacy-conscious.
Microsoft Shuts Down GitHub Repositories in Response to Breach
Back in May, Microsoft was targeted by hacking group TeamPCP, who infected the GitHub repository of a tool called durabletask with malicious packages. While Microsoft managed to purge the infected packages, it appears that the company's GitHub repositories have been targeted a second time. The company has temporarily shut down many of its repositories to investigate the breach. 404 Media has the full story.
The Bottom Line: If you work in software development, it is now more important than ever not to rush into installing updates for the applications you use. Hacking groups are targeting software supply chains—that is, the third-party components of code that developers assemble to build software—more and more frequently. Malicious updates pushed by reputable companies unaware that they've been compromised, updates that turn existing software already on your device into malware, are rapidly becoming a serious threat. For regular people who are not working in software development, it's still probably better to keep your devices and apps up to date as much as possible, for now.
License Plate Readers Will Now Be Able to Track Your Phone, AirPods, and Apple Watch Too
Automated License Plate Readers (ALPRs) are spreading rapidly, and now a company called Leonardo wants to equip them with a technology called SignalTrace that can track Bluetooth-enabled devices such as AirTags and AirPods. That means any phones, Bluetooth trackers (like AirTags), wireless earbuds and headphones, smartwatches, etc., would be logged when they pass by an ALPR. This would give law enforcement real-time location data of almost anybody at any given moment—accessible without a warrant. Head over to 404 Media for more information.
The Bottom Line: If this technology is implemented, it would be very bad for anyone who uses a smartphone. If you value your privacy, you should oppose SignalTrace. While there are no known installations of this technology, if you hear about SignalTrace coming to your city, be sure to contact your local representatives to voice your concerns.
The Dangers of Police Access to Flock Databases
In case we needed any more evidence that giving the police unfettered access to Flock cameras is a bad idea, San Diego law enforcement have just given us another reason. After an attempted carjacking, police used San Diego's Flock cameras to track down the suspect. Once they located a car that roughly matched what the witness had described, they moved quickly to arrest who they thought was responsible for the crime. San Diego police jailed Hugo Parra for a month before it was discovered that the same Flock data that had been used to arrest him showed that he was five miles away from the crime when it took place. Parra is now suing the police department. Check out the full story at Ars Technica.
And if that wasn't bad enough, there are numerous reports of police abusing their access to Flock databases to stalk exes or romantic partners. 404 Media recounts how an officer in Florida used his department's access to Flock's database 69 times to track his ex-girlfriend's location. Back in April, we reported that the Institute of Justice had identified 15 cases involving law enforcement stalking romantic partners through Flock. That number has since grown to 18.
The Bottom Line: If your city has installed or is planning to install ALPRs like Flock, be sure to voice your concerns to your local representatives.
Microsoft's Terrible, Horrible, No Good, Very Bad Week
Microsoft has had quite a busy week. In addition to the breach in its GitHub repositories, the company has also been busy addressing the most vulnerabilities it has ever patched in one week. Some of these include a denial of service vulnerability which affects Microsoft's Internet Information Services, and two zero-days (vulnerabilities that were previously undisclosed, giving the developer "zero days" to patch them) that were uncovered by a security researcher going by Nightmare Eclipse. The company also repaired a bug in Visual Studio Code that could steal GitHub credentials. For more details on everything Microsoft fixed this week, head over to Krebs on Security.
The Bottom Line: While hackers and security researchers have kept Microsoft busy this week, the company has done an admirable job patching these vulnerabilities.
- The most recent iOS for the iPhone 17 lineup and iPhone Air is 26.5.1
- The most recent iOS for the iPhone 11 through 16e is 26.5
- The most recent iPadOS is 26.5
- The most recent macOS is 26.5.1
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The correct answer is D. Hardware key. A hardware security key is a physical key that can be used to authenticate any accounts that support it. That means even if someone has your password, they won't be able to log in to your account without physical access to your key. Of course, not every account supports hardware keys just yet, so it's important to consider other options.
After hardware keys, the next best thing is passkeys. A passkey is stored in a password manager and used to log into an account without a password.
After that, authenticator apps come next. They generate six-digit codes every 30 seconds which, as the name suggests, are used to authenticate your login credentials.
Lastly, SMS codes should be avoided at all costs. SMS text messages are not encrypted and can be intercepted by malicious actors. If SMS verification is your only option, it's better than nothing, but we always recommend any of the other options listed above.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Interested in using a password manager? Check out: