- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use a password manager. Your iPhone has a password manager pre-installed, called the Passwords app. It can create and store strong passwords for you.
- Switch your iPhone to an alphanumeric passcode. An alphanumeric passcode allows you to create a passcode using both letters and numbers, and make it as long as you want.
- Use an authenticator app for MFA codes. The Passwords app has an authenticator app built in, so that you can easily generate multi-factor authentication codes.
What should you do in the following scenario?
You're setting up a new account, and the service asks for a password. 🤔 What would set you up for the easiest way to log in, going forward?
- Enter your tried-and-true favorite password that you can always remember.
- Use your password manager to generate a unique password.
- Create a passphrase and save it to a secure storage.
- Look to see if there is a way to use a passkey instead.
Scroll to the bottom to see how you did!
The Federal Communications Commission (FCC) has banned all foreign-made internet routers, due to concerns over national security. The FCC claims that attackers can exploit security flaws in foreign-made routers and steal Americans' data. If you already own a foreign-made router, you can continue using it without issue, though new models will need to seek approval from the FCC before they can be imported or sold in the US. This ban includes companies that are based in the US but manufacture their routers overseas. Unfortunately, the list of US-made routers is very small, but some foreign routers could be exempted from the ban if deemed safe by the Department of Defense or the Department of Homeland Security. As far as we are aware, there is no basis for the claim that foreign-made routers are intrinsically dangerous. Find out more at the BBC.
The Bottom Line: If you were planning on upgrading your router, you may want to consider doing so sooner rather than later, or you may no longer be able to purchase the router you wanted. If you already have a foreign-made router, you should still be able to use it just fine.
FBI Buying US Citizens' Advertising Profiles
In the US, it is illegal for law enforcement and federal agencies to surveil American citizens without a warrant. However, corporate data brokers regularly collect your data through the apps and websites you visit and sell it to the highest bidder, which is typically advertisers. Law enforcement agencies have found a loophole that allows them to obtain personal data without a warrant by purchasing from data brokers. When asked by Congress about the FBI purchasing the location data of American citizens, FBI director Kash Patel said that they "do purchase commercially available information that's consistent with the Constitution and the laws under the Electronic Communications Privacy Act." As a result, privacy and security advocates are urging Congress to close this loophole. Read more at NPR.
The Bottom Line: There are steps you can take to reduce your digital footprint and reduce the amount of information that data brokers have access to. Use privacy-focused web browsers like Firefox, DuckDuckGo, Brave, or Safari. You can also use a VPN to mask your online identity, and register with a data removal service like Incogni or DuckDuckGo Privacy Pro to get as much of your personal information removed from the internet as possible. For a complete list of our recommendations about digital privacy, see our Scam-Proof Your Life online course.
Use a VPN Service? The NSA May Consider That Fair Grounds to Surveil You
Speaking of VPNs, US lawmakers have raised concerns about what using a VPN means for the privacy rights of US residents. Ordinarily, US residents have certain privacy rights that make it illegal for agencies like the National Security Agency (NSA) to surveil them without a warrant. However, the NSA does not need a warrant to monitor communications with foreigners. When an American uses a VPN that connects internationally, such as when they want to make it look like they're in another country, then their internet connection could be perceived as foreign communication. If that's the case, then it's possible that government agencies could bypass VPN users' right to privacy. Lawmakers have been seeking clarification as to whether the NSA spies on VPN services under this logic, and have thus far not gotten a straight answer. You can read more at Wired.
The Bottom Line: So does this mean you should stop using a VPN? Not necessarily. That depends on what concerns you most. If you are worried about the NSA wiretapping your internet communications, using a foreign-based VPN may reduce your security. If, on the other hand, you need to hide your home IP address from advertisers or stalkers, a reputable, safe VPN service can be helpful; for most people, this is probably a more important concern in daily life.
New White House App Tracks Your Location
The White House recently released its own official app to provide users with real-time updates, livestreams, and news directly from the Oval Office. Except that researchers have already found some glaring privacy issues with the app. For example, the app requests excessive permissions, including access to user locations, storage, biometrics, and more. One user found that the app pings the user's location every 4.5 minutes and syncs it to a third-party server. Find out more at the International Business Times.
The Bottom Line: While this invasion of privacy has only been reported for the Android version of the White House app, it is likely that the iOS version makes similar requests. If you have the app installed on your iPhone, be sure to disable location access (though we would recommend against installing the app in the first place). You can find the same information provided by the app on the White House website, which you can always add to your Home Screen instead of the app.
What to Do When Traveling to the US
If you're traveling to the US from another country, you may be required to have your phone or other digital devices searched. Thankfully, there are steps you can take to limit how much access ICE or CBP has to your data. The Intercept has put together a great guide on what you need to do when flying to the US.
The Bottom Line: We definitely recommend checking out the Intercept's guide if you're planning on visiting the US from overseas.
A Clever New Security Feature Added to macOS
About a month ago, we told you about the ClickFix malware campaign, in which fake CAPTCHAs would ask you to prove that you're not a bot by copying and pasting text into your computer's terminal. Apple has been quick to respond to this threat in the latest version of macOS. Now, when pasting a potentially malicious command into your Mac's terminal, a warning will pop up to inform you that the command could install malware and give you a chance to cancel before you paste the text. Head over to Bleeping Computer for more details.
The Bottom Line: Unless you know exactly what you're doing, you should never copy and paste text into a command terminal. Any CAPTCHA that asks you to do this is malicious. On both Macs and PCs, the terminal is an extremely powerful program that can change how your machine operates and is often an easy way for scammers to convince users to install malware. If you're ever pasting a command into your Mac's terminal and it warns you about potential malware, do not paste the text.
FBI Director's Email Hacked
A hacking group associated with Iran has breached the personal Gmail of FBI Director Kash Patel. The attackers stole and published personal photos, documents, and emails from Patel's inbox. In response to this blunder, the FBI announced a $10 million reward for information on the group's members. Most likely, this hack was a simple phishing attack or a result of Kash Patel reusing an old password. Between a password manager and hardware multi-factor authentication, this kind of breach is highly preventable. Read more about the hack at Bleeping Computer.
The Bottom Line: Do not reuse the same password across multiple accounts. Use a password manager to ensure every account is protected by a strong, unique password so that even if your password is phished, only one account is compromised.
Apple has taken the unusual step of releasing a patch for iOS 18 devices to address the DarkSword vulnerabilities. Any device updated to iOS 26 had already been patched, but about a third of iPhone users are still on iOS 18. Apple released iOS 18.7.7 and iPadOS 18.7.7 on April 1st, and if your device is not updated, we would recommend updating. It is purely a security update.
- The most recent iOS and iPadOS is 26.4
- The most recent macOS is 26.4
- The most recent tvOS is 26.4
- The most recent watchOS is 26.4
- The most recent visionOS is 26.4
Read about the latest updates from Apple.
The easiest way to log in is to use a passkey, so D: Look for a way to use a passkey instead. Passkeys will unlock the website using your device's biometrics, so you don't have to memorize anything, and they're fast. Using a passkey is both easier and more secure than even a random password stored in a password manager.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

