LastPass is warning its customers about a recent security breach. This follows another hacking incident that occurred in August, which looks like the two are related.

Earlier this week, LastPass CEO Karim Toubba shared a message to customers notifying them of the breach. It also sent emails to its customers with the same message.

Initially, the company noticed strange activity in its third-party cloud storage service. It immediately began investigating with the help of Mandiant, a leading security firm.

Toubba says the company discovered an ‘unauthorized party’ gained access to certain elements of its customers’ information.

LastPass claims that users’ passwords are safe

The messages confirm that the bad actor accessed this data using information they obtained in the breach back in August. Thankfully, LastPass ensures that users’ passwords are safe, however

“Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” reads the statement to customers.

The company is traditionally transparent about breaches and similar activities that could endanger its customers. It will likely update the message page with more information as soon as more details are added.

LastPass didn’t share exactly what kind of information the hacker accessed. But it did confirm that passwords remain safe.

Additionally, the company recommends following these steps to ensure you use the best practices when setting up LastPass.

Consequently, it’s not a good look for a security-focused company to have multiple breaches as much as LastPass has had in the past few months.

However, the company has been very transparent, and it seems like it’s working hard to overcome and avoid these breaches in the future.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• LastPass says your passwords are totally safe and no one’s account was compromised
• LastPass users: it seems some master passwords are out in the wild and compromised
• How to export your LastPass data and switch to another password manager
• LastPass’ Android app is chock-full of trackers, says a security researcher

The post LastPass reports yet another security breach (updated) appeared first on KnowTechie.

Eufy, an affordable security camera brand from Anker, is under fire for security concerns regarding uploaded footage.

The brand markets itself as a local security system where footage is stored locally, and not uploaded to the cloud. But a recent discovery challenges that entire premise.

Paul Moore is a security consultant. Last week, Moore discovered a significant flaw in how the Eufy Doorbell Dual Camera had been storing data.

Moore shared a video showing how the camera had been uploading and storing images of faces on the cloud. The camera did this despite Moore not signing up for a Eufy Cloud Storage account.

The flaw was later confirmed by other users and recreated by Android Central. The publication reached out to Eufy, and the company explained what exactly was happening that required these uploads.

Eufy says this particular flaw comes from push notifications. If a user opts to have push notifications from the app for motion detection, Eufy temporarily uploads the thumbnail to its servers before sending it out.

Moore had turned on the push notification setting for the Doorbell Dual Camera. Eufy’s default notification settings are text-only, and they don’t require the uploaded thumbnail.

Eufy plans on addressing the wording of its push notification setting to make it clear that it has to temporarily upload thumbnails. It also says it will change its marketing materials to better reflect its use of the cloud.

Eufy has found itself the center of controversy in the past. Users discovered a strange glitch in the cameras in early 2021 that allowed people to see into other users’ homes.

The company quickly addressed that problem, and nothing terrible seemingly came out of it. I would imagine it does the same this time, delivering on the changes it promised.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• GoPro’s new action cameras are perfect for social media videos
• Police in one city are using Ring Doorbells to monitor video livestreams
• Kangaroo’s new weatherproof security camera can go anywhere you need it
• Review: Akaso Brave 8 action camera

The post Eufy cameras secretly uploaded footage to cloud (updated) appeared first on KnowTechie.

Even if you aren’t part of that group, it’s wise to change your DraftKings password. In the data breach notification, DraftKings said that the credentials used in the attack came from other websites.

Once in an account, the attacker did an initial $5 deposit, then changed the password and the phone number used for two-factor authentication. Then they withdrew money from any linked bank accounts.

BleepingComputer says that the compromised accounts cost $10 to $35 each on an online marketplace for hackers. The seller even included step-by-step instructions on how to drain the accounts.

DraftKings has cut off access to the hackers

DraftKings says it has reset the password of all 67,995 accounts it identified as breached in the latest attack. Any customer funds taken in the attack will be replaced.

A credential stuffing attack compromised the accounts in November. That’s when hackers automate bots to try millions of username and password combinations to gain access to online accounts.

The data in these attacks usually comes from other data breaches sold on hacker forums.

How to stay safe online

The best defense against hackers is unique passwords. Use a password manager like the one built into your browser and generate long, individual passwords for every online account.

That keeps your other accounts safe when one is breached.

Use two-factor authentication (2FA) methods wherever possible. The safest is an authenticator app, but even SMS 2FA provides another layer of defense.

Okta, a leading identity and access management provider, says credential-stuffing attacks are rising. The problem is so widespread that they say one in three sign-in attempts on sites they manage is fraudulent.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Android users: remove these apps ASAP, they contain malware
• A viral TikTok trend is spreading malware
• Netflix officially cracking down on password sharing in 2023
• Comcast report proves people still don’t care about cybersecurity

The post DraftKings hack exposes 67,000 users’ personal and financial info appeared first on KnowTechie.

The update includes a new feature called Advanced Data Protection. Users can now encrypt Apple Photos, Notes, iMessage conversations, and iCloud backups kept in the cloud.

If you turn on this feature, most of what you put in iCloud is only accessible to you. And if someone hacks iCloud, your data is safe.

Not even Apple can see your stuff when it’s on their servers, and the cops can’t get to it even with a warrant.

But since Apple won’t have the keys to your stuff anymore, you’ll have to set up another way to get it back if you lose access to your account.

Advanced Data Protection means users are on their own when recovering their data if they lose access. So, no more trips to the Genius Bar and no more easy backups in the case of an emergency.

If you find yourself locked out of your account, Apple says you’ll need your device password, recovery contact, or recovery key to get your iCloud data back.

How to set up Advanced Data Protection on your iPhone

First, update all your Apple products. This includes updating your iPhone, iPad, and Mac to the latest version of their operating systems.

After updating your Apple devices to the latest version of their operating systems, you’re ready to proceed.

There you go. You have now enabled Advanced Data Protection on your iPhone.

A couple of things to remember with Advanced Data Protection

Remember, if you don’t have your recovery key stored safely or a recovery contact set up – you’re screwed. Your data is as good as gone.

Don’t say we didn’t warn you.

A couple of things to note, as pointed out by MacRumors Joe Rossignol: iCloud Mail, Calendar, and Contacts are still not end-to-end encrypted.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• iPhone Crash Detection and Emergency SOS credited in rescue
• When was the iPhone 14 released?
• This simple iPhone trick gives you better volume control
• iPhone 15: News, rumors, leaks, pricing, and release date

The post How to update your iPhone to get end-to-end encryption appeared first on KnowTechie.

The Ad Verification program is part of the invite-only Amazon Shopper Panel program. When users opt-in, it allows Amazon to track which ads the user sees as they use their device.

That is a worrying privacy concern, with Amazon being able to see your browsing data.

The way the feature is enabled is also worrying. Amazon requires users to replace their DNS provider with DNS servers maintained by the company.

That allows for ad tracking and access to information about the user’s browsing habits.

The Ad Verification program is only available in the US and UK. It’s also invite-only, with Amazon not releasing details of how they choose participants.

Is your privacy only worth $2 a month? We don’t think so, and neither should anyone else.

Meta had a similar program, the “Facebook Research” app, that paid teenagers $20 monthly to monitor their mobile phones. The company shut the app down in 2019 amid mounting pressure.

Google also had a similar program that snooped on everything a user did on the internet and paid them in Amazon gift cards. Again, that was shut down in 2019.

The thing is, these companies already know everything about us. Please don’t give them more access to your private data. It’s yours. Don’t let Amazon monitor your mobile phone.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Meta brings Twitter-like Notes feature to Instagram, but will anyone use it?
• TikTok is moving forward with its music streaming plans
• Google hit with record $391 million settlement over shady tracking
• Twitter shutting down Substack-like Revue platform

The post Amazon will pay you $2 a month to monitor your phone appeared first on KnowTechie.

Before you get up in arms about how Comcast knows your browsing history, it’s not that kind of report. It deals with cybersecurity topics like password sharing and two-factor authentication.

Cyber attacks are on the rise, and it’s important to know how to stay safe online. Here’s what Comcast found out and what you can do to avoid being a statistic.

Americans often do unsafe things online

Okay, raise your hand if you’ve reused your password across multiple accounts. You’re not alone, with 56% of those surveyed doing the same.

How about putting off doing updates because you were using the device? 28% of users noted they neglected to install recommended software updates on smart devices.

Another 18% used the default password instead of changing it. That isn’t good, as those can be figured out from the device network address.

Comcast found that 78% of Americans have done at least one of these risky behaviors online. Yikes.

Do you know which devices are targeted most?

It’s no surprise that smartphones and computers are the two most targeted devices, with approximately 300 million threats each. We carry everything from passwords to banking details and emails on these devices.

Most Americans realize these are the most likely devices to let cyber criminals onto their home network. 61% of those surveyed reported “computer” as their top answer, with 53% noting smartphones.

The problem is that our homes are full of internet-connected devices, so security issues don’t stop there.

Generic IoT devices like IP cameras are a favorite target for criminals, with a reported 224 million threats in 2022. Why? Because these usually don’t have a password to access, and the firmware is often outdated.

Storage like NAS units is also popular to attack. They provide a convenient stepping-off point to your other devices. They also store large amounts of personal data.

Even your smart light switches or outlets could be attacked and set up to sniff data from your network.

Tips for staying safe online

With all of those potential threats, it could be hard to know where to start. Comcast put together five main things to do, which also match our usual recommendations.

Use unique passwords

Use strong, unique passwords for every single one of your online accounts. Passkeys are becoming more popular, which is another option for securing your accounts.

You can use a password manager, because remembering passwords leads to using easy-to-remember ones or repeating them across multiple services.

Use multi-factor authentication

Your password secures your account. With how often data breaches occur, it’s a fair bet that your password will get into the hands of criminals at some point.

Using multi-factor authentication (2FA or MFA) adds a second step to the login process. This usually consists of a one-time code sent to your phone or email, or generated from a security app.

Without that code, nobody is getting into your account.

Enable auto-updates

Device updates are an important part of keeping your home secure. Set up auto-updates on everything that supports it, so you don’t have to worry about bugs and exploits ruining your day.

Mixpanel says that only 41 percent of iPhone users are on iOS 16, the latest version. Eight percent are on iOS 14 or earlier.

That’s a lot of missing security updates on those iPhones running out-of-date iOS versions. Set them to auto-update to be better protected.

Know what connected devices you have

Comcast says that the average Xfinity household has 15 connected devices. Power users have 34 on average.

That’s a large number of devices you might not think about daily. Keeping a list of which devices are connected to your home network is an excellent way to improve your cybersecurity efforts.

Reviewing that list regularly will show if you still need to keep those devices connected. It’ll also remind you to run updates for any devices that can’t auto-update.

Learn about phishing

Do you know about phishing? That’s when you get emails, SMS, or other messages that look official. Except — they’re not; they’re fraudulent and try to get your login details.

It’s one of the most common cyberattacks, and many email providers scan for it before email hits your inbox.

For the things that get through, be wary about any email with an attachment or a link that goes to a website URL you don’t recognize.

Google made a quick quiz to test your phishing knowledge. It’s still relevant, even with attackers getting more sophisticated.

Cybersecurity is everyone’s problem

Our lives and homes are becoming increasingly connected. That means we all need to know a little bit about digital security.

Staying safe online can be as simple as reading things twice before clicking. And remember, even seasoned cybersecurity professionals get tricked sometimes.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Apple is making iMessage and iCloud safer for stored data
• Twitter data breach exposes millions of email addresses
• A viral TikTok trend is being used to spread malware
• Android users: remove these apps ASAP, they contain malware

The post Comcast report proves people still don’t care about cybersecurity appeared first on KnowTechie.

And every year, without fail, the most common ones used still consist of ‘password,’ ‘123456,’ ‘qwerty,’ or some other easy-to-hack combination.

Your password is the best defense you have from hackers on your accounts. And in today’s world, think of how many accounts you have.

From social media and banking apps to Amazon, we’re plugged in now more than ever. Each of those accounts can cause you some damage in its own way if they get compromised.

But, typically, passwords protect you from most exploits that could cause damage to you and your accounts.

The most common passwords of 2022

NordPass shared the most common passwords found on the web in 2022. Many of these passwords are so simple that they can be cracked in less than one second.

These are the top 20 most common passwords this year:

As you can see, there’s a bit of a pattern emerging from the most common passwords out there. Unsurprisingly, any sequence of numbers in a particular pattern will be pretty easy to crack.

NordPass also offers a few suggestions for things to consider when creating passwords. For starters, try not to share the same password across different accounts.

Go for long, complex passwords. The harder they are to remember, the harder they will be to hack.

And make sure that you maintain all of your online accounts. Update passwords regularly, deactivate accounts you no longer use, and keep your eye out for suspicious activity.

You can always use a password manager, like NordPass or 1Password, to maintain your complex passwords.

Verified

Staff Pick

NordPass 2-Year Plan
For a limited time, save 43% on a 2-year plan to NordPass. That’s only $1.69 per month. With just a few clicks, NordPass generates strong and unique passwords. No more frustration

Rating

43% off at NordPass

On-Going Offer

We have too much to lose in our online accounts these days. Be sure to maintain strong passwords (and enable 2FA when available) to protect yourself from online threats.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• How to see WiFi passwords in iOS 16
• 2K Games was hacked – change your passwords and enable MFA
• Your browser’s spell checker is reportedly leaking passwords
• Musk unbans Donald Trump but don’t expect him back on Twitter

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

The post Here are the most used passwords in 2022 appeared first on KnowTechie.

Google launched the Pixel 7 and Pixel 7 Pro smartphones yesterday. One new feature will please the security conscious – free access to the Google One VPN.

A VPN or Virtual Private Network shields your internet activity from anyone by encrypting your data as it’s transferred. They are useful for any internet user, especially on always-connected devices like the Pixel 7.

Android phones have had VPN capability from the start, with Android 4.0 introducing the ability to run VPNs via an app. This is the first time we could find that an Android phone came with a VPN that didn’t require any setup.

It’s the same VPN that Google bundles with its 2TB or above Google One plans. This plan normally costs $9.99 a month, with access to the VPN likely a nominal part of that cost.

Google says that “some restrictions apply.” Not all data on your Pixel handset and Pixel Watch will be transmitted via the VPN. The VPN is unavailable in some countries, likely those that restrict or ban VPN usage.

It’s also worth noting that the Google One VPN won’t help you circumvent region locks. It’s there to keep your data private, not to make websites think you are physically in another country.

Still, it’s a nice perk for Pixel 7 owners. Google has always had Pixel-specific benefits since the first handset. One was unlimited, full-resolution photo storage.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• The Pixel Tablet is a welcome return to the space for Google
• Google’s Pixel Watch comes with Fitbit tracking and all-day battery
• Google rolls out iOS 16 lock screen widgets to iPhone users
• What is Matter? Everything to know about the smart home standard

The post Pixel 7 and 7 Pro owners get a free VPN from Google appeared first on KnowTechie.

Like the ancient mythological fish bearing its name, the Bahamut cybercrime group is hidden from sight, swimming deep below the surface of the digital realm.

Further earning the moniker, Bahamut specializes in phishing attacks. It targets corporations and individuals in the Middle East and South Asia. 

After a year of staying off the radar, the advanced persistent threat (APT) group reemerged in 2022 to attack mobile devices, deftly tricking users into thinking they were downloading a VPN.

What is a VPN?

A virtual private network, or VPN, lets you surf the web with a degree of anonymity.

It makes your IP address appear to be coming from a different location, meaning you can bypass laws specific to your area that block certain content.

It often does this by encrypting your internet connection. VPNs also make it harder for cybercriminals to locate your computer.

They help protect private data by only allowing remote user access through encryption and tunneling protocols.

Ironically, the people tricked by Bahamut’s scheme were probably trying to bolster their network security. 

Bahamut enters the scene

In 2016, the cyber-mercenary group began launching espionage campaigns in South Asia and the Middle East. Their victims seemed to have only one thing in common: They were human rights activists.

After a few years of illicit activity, Bahamut disappeared for a while, only to reemerge this year. In 2022, Bahamut began targeting Android users who wanted to download a VPN.

The cybercrime group created a well-designed fake website that offered supposed VPN software. It most likely reaches its audience with the power of targeted messaging, sending them links to the site.

Anyone who tries to download the software from an Android phone is hacked. 

What type of data can they gather?

The hack installs spyware in the form of apps on victims’ phones.

This allows cybercriminals to access sensitive information such as usernames, passwords, SMS messages, and even people’s current locations.

Virtually any information on someone’s phone becomes accessible in this attack. 

Bahamut seems to gather sensitive or embarrassing information about users, which it could use for blackmail purposes. The motives are still unclear. 

None of the infected apps are available on the Google Play store. Users must download them through the malicious website masquerading as a legitimate VPN service.

Still, because the website is so polished, victims’ suspicions are not aroused. 

What is spyware?

“Spyware” is a portmanteau of spying and software. It’s a type of passive cyberattack that lets criminals monitor someone’s activity.

Hackers install software on a victim’s device that allows them to gather personal information.

The hacker can watch the user’s online behavior — such as which websites they visit and keystrokes they use the most — and use this data for profit.

Spyware may take screenshots of someone’s online activity and can gather information such as login credentials, credit card numbers, account PINs, and email addresses.

In the case of the Bahamut VPN scheme, users download the app and enter an activation key. The spyware becomes active when they do this. 

How to avoid Bahamut’s latest scheme

Install antivirus software on your phone if you’re an Android user. Be wary of apps you have to download from a third-party site.

Additionally, never open links from unfamiliar email accounts, as these can lead to malicious sites that install spyware or rope you into a phishing scam.

Even if a site looks legitimate, be aware that it could be a case of website spoofing, as anyone can make a professional-looking site. 

Following these common-sense online safety tips should keep you out of Bahamut’s sinister grasp.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• VPN security: How VPNs help protect your data online
• Pixel 7 and 7 Pro owners get a free VPN from Google
• What is a VPN, and what can you do with it?
• Top VPN scams revealed – here’s what to look out for in 2022

The post ‘Bahamut’ hackers target Android users with phony VPN apps appeared first on KnowTechie.

As reported by BleepingComputer, the four apps are from the same developer and have over a million combined downloads.

So, how do they work? First, the apps stay dormant for a few days to trick the Google Play Store and any on-device protections before introducing malicious code.

That code either shepherds the user to sites that phish for personal information or generate ‘pay-per-click’ cash for the developer via adware. The code refreshes every two hours, even if the screen is locked.

With that said, if you have any of these on your Android device, it’s time to delete them.

Delete these four Android apps immediately

All four apps are still on the Google Play Store. Under no circumstances should you download them. And if you have them installed on your device, you should delete them immediately.

Be on the lookout for these four malicious Android apps:

• Bluetooth Auto Connect – 1,000,000+ installs
• Bluetooth App Sender – 50,000+ installs
• Driver: Bluetooth, Wi-Fi, USB – 10,000+ installs
• Mobile transfer: smart switch – 1,000+ installs

The developer, Mobile apps Group, can somehow still upload apps to the Google Play Store. That’s despite falling foul of Google’s policies around distributing adware twice (via Malwarebytes).

How to stay safe from malicious apps

The first defense against malicious apps happens before you even install them.

The four apps mentioned here all had high download counts, even when the reviews section warned about malicious behavior.

Many users decided to install the app without reading the reviews. If they had read any user feedback, they might have thought twice.

How does one protect themselves from malicious apps? First, enable Google Play Protect to scan your device to identify any threats.

In addition, you can also install an antivirus app, but make sure to choose a reputable one, as malicious actors tend to target antivirus software too.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• These Android apps are riddled with malware – delete them
• Where do Android apps store data?
• Android apps are pretty much useless on Windows 11
• You can now install Android apps from the Windows 11 Store – here’s how

The post Android users: Delete these apps – they’re stealing your data appeared first on KnowTechie.

Ad fraud is essentially a way for developers to game ad systems in order to make more ad revenue. But why do you care about that?

Well, you should care because it means the malicious apps are constantly running. That leads to battery drain on your device.

On top of that, the constant reconnections can also bog down your network bandwidth. So, yeah, you’re going to want to get rid of these apps ASAP.

You can see a quick example of the network bandwidth strain below:

Thankfully, Google has removed the offending apps from the Google Play Store. You’re still going to want to remove them from your device, however.

Which Android apps were removed for ad fraud?

To make sure your Android device is free from bad apps, make sure the following apps have been removed from your device.

If you have any of these Android apps on your phone still, delete them. Google’s removal helps, but you don’t want apps on your phone that were taking advantage of you.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Google’s Pixel 7 Pro is a bad gaming phone
• The Meta Quest Pro will track your eyeballs when it serves ads
• Android users: Delete these apps, they are stuffed with malware
• Does your Mac need antivirus software?

The post Android users: Delete these apps, they’re draining your battery appeared first on KnowTechie.

As the full name indicates, CAPTCHAs present computerized challenges that people can solve but computers can’t. 

Some might take you back to elementary school math class, asking you to answer what’s two plus four. Others make you squint at a string of distorted characters and type what you see.

Some CAPTCHAs show you several low-quality pictures and ask you to choose all the traffic lights or motorcycles.

However, some images are so blurry that it’s hard to differentiate the objects you need to find. 

These puzzles may slow your browsing activity as you try to click through them, but CAPTCHAs serve a relevant purpose by thwarting fraudulent activity online.

Computerized bots can’t solve CAPTCHA equations, so this technology helps weed them out. However, it can also present barriers for people with disabilities. 

The release of iOS 16, Apple’s new mobile operating system, will allow users to bypass CAPTCHA. Here’s a closer look at how the option works. 

Apple utilizes private access tokens

Apple developers pointed out that when people interact with websites for the first time, they’ve typically already done things that are hard for bots to imitate.

For example, they’ve unlocked the device with a password. They probably also used an Apple ID if they were on an Apple device. 

Private access tokens help web servers automatically trust users. Apple’s approach relies on a new HTTP authentication method called PrivateToken.

The tokens use cryptography to issue an unlinkable signature affirming that someone passed a security check.

Due to the unlinkable nature of the signatures, the servers can only verify they got through a check. However, they cannot learn client identities. 

A step-by-step look at the process

When a user’s compatible device attempts to access a server, the server responds with a token using the PrivateToken authentication scheme.

Apple then determines the person’s identity by checking it against certificates in the Secure Enclave. That’s the hardware-based key manager separated from the main processor to provide extra security. 

Apple’s attester can also carry out a process called rate limiting. It examines whether a user’s behavior follows expected patterns or may be associated with fraudulent internet activity, such as click farming. 

The signed token eventually gets to the server through a multi-step process. The server doesn’t know anything about the user or device but trusts the attester enough to validate the process.

All this happens quickly and in the background. The user notices nothing except a friction-free transition to their destination websites. 

Apple’s approach is one of the emerging strategies based on the move away from traditional security models and principles.

For example, there’s the zero-trust model, which has quickly gained traction in cybersecurity circles. It works on the principle that people’s identities must always be verified before they access the content.

They are never automatically trusted, even if they are the most senior person in the organization or someone who has worked there for decades. 

Automatic verification is easy to activate 

Apple’s CAPTCHA-elimination option sounds a bit technical to the average person. However, the company makes it easy to turn the feature on or deactivate it as needed.

First, tap Settings and click on your name in the left-hand panel. Next, go to Passwords & Security. From there, switch Automatic Verification on or off.

You’ll find it under the Advanced heading of that section. You’ll also find it turned on by default in iPhone and iPad versions of iOS 16.

How to enable Automatic Verification

If you’re on the beta of iOS 16 right now, Automatic Verification is on by default. We’re not sure if that will be the case when the public builds come this fall.

1. Open the Settings app

2. Tap on your Apple ID

3. Tap on Password & Security

4. Scroll down and toggle Automatic Verification to ON

The end of pesky CAPTCHAs?

This progress represents a major step forward for Apple. Even when people know how CAPTCHAs work, they typically find them frustrating due to the way they disrupt the internet experience.

For now, this technology only works on Apple devices running iOS 16.

However, if this approach proves viable in the real world, there may soon be similar options for Android devices and other operating systems.

That’s especially likely since Apple makes it easy for people to turn the feature on or off.

Many less tech-savvy users won’t bother with CAPTCHA-free technology if they perceive it will be too cumbersome.

That’s not the case with Apple’s option, and hopefully, other technology companies will follow suit with user-friendliness.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• iOS 16.0.3 is out – here’s what to know about the update
• Google rolls out iOS 16 lock screen widgets to iPhone users
• How to remove the background from images in iOS 16
• How to set up a dynamic weather Lock Screen wallpaper in iOS 16

The post The science behind how iOS 16 can bypass CAPTCHA appeared first on KnowTechie.

Telegram founder Pavel Durov recently took to Telegram to share his thoughts on WhatsApp (h/t, Independent). In his messages, Durov warned WhatsApp users that hackers could have access to their entire phones.

Durov cited a recent security issue that WhatsApp brought to light last month. The security flaw allowed hackers to access a user’s phone with a malicious video.

“Every year we learn about some issue in WhatsApp that puts everything on their users’ devices at risk… It doesn’t matter if you are the richest person on Earth – if you have WhatsApp installed on your phone, all your data from every app on your device is accessible,” Durov said in his messages.

But Durov isn’t convinced that WhatsApp’s flaws are random. He calls the app’s security flaws “planted backdoors” for law enforcement, governments, and anyone who wants to exploit the app and users.

Durov’s Telegram app has exploded in popularity over the last few years. The app is known for its privacy, and it has garnered over 700 million active daily users.

But that’s still a fraction of the popularity of its competition. WhatsApp has a staggering 2 billion-plus users around the world.

However, Durov says this is not an attempt to draw users to Telegram. “You can use any messaging app you like, but do stay away from WhatsApp – it has now been a surveillance tool for 13 years.”

Meta, who owns WhatsApp, told The Independent that Durov’s statements are “complete rubbish.”

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Telegram now lets you hide spoilers and react to messages
• How to make custom WhatsApp Sticker Maker stickers
• How to enable end-to-end encryption on Messenger
• How to unsend iMessages in iOS 16

The post Telegram founder says we should ‘stay away’ from WhatsApp appeared first on KnowTechie.

The report from Atlas VPN organizes the popular web browsers in order of how many vulnerabilities they have had this year. Chrome came out way ahead of the rest of the pack, with 303 total vulnerabilities.

Next on the list is Mozilla Firefox, with a total of 117 vulnerabilities in 2022. Microsoft Edge and Safari follow up with 103 and 26 vulnerabilities, respectively.

Just because developers discover a vulnerability doesn’t mean that a web browser is dangerous. In fact, discovering a vulnerability is a good thing, as it gives the developers a chance to fix the potential problem.

With Google Chrome’s constant updates and changes, vulnerabilities are bound to pop up.

The company already discovered several vulnerabilities in October, but Google patched them in the latest Chrome version 106.0.5249.61.

As a user, the best thing you can do to combat any potential vulnerabilities is to make sure you keep your browser up to date at all times.

Developers are generally pretty quick to patch any vulnerabilities. So keeping your browser updated is the best way to avoid any trouble from potential vulnerabilities that have popped up.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Chrome users: Delete these extensions, they’re stealing data
• Microsoft adds Xbox features to Edge to entice gamers
• How to automatically show the full URL in Safari
• Is Mozilla Firefox not loading pages for you? Here’s the fix

The post Chrome has more vulnerabilities in 2022 than any other browser appeared first on KnowTechie.

Original Story: A U1S technology expert has identified troubling behavior within macOS that could potentially expose the user’s location and IP address to third parties. 

The potential issue relates to how macOS handles QR codes saved locally on the user’s computer. 

According to Matt Hodges, Executive Director of Zinc Labs, MacOS silently interprets QR codes saved on the computer’s local storage. If the QR code contains a URL, macOS will open the link as a background process.

This process occurs without the user’s active consent or knowledge. Yea, not good.

Canaries in the Coal Mine

Hodges, who formerly served as the Director of Engineering for Joe Biden’s 2020 presidential campaign, encountered the behavior while experimenting with QR Canary Tokens. 

Canaries are an essential concept within cybersecurity. Think of them as a laser tripwire. However, they don’t serve a functional purpose within a computer system other than to warn of unauthorized activity. 

QR Canary Tokens work in the same way. You’d place one where a potential intruder might see it. Then, the owner receives a notification if their curiosity gets the better of them. 

In addition to sending alerts, QR canaries can capture information about the user, including their IP address and user-agent string. 

Hodge says he placed a QR canary within his downloads folder. Several days later, he received “a flurry of emails” warning it was triggered. 

“The first thing I noticed was that the source IP was my IP. The second thing I noticed was the User Agent,” he tweeted. 

When you visit a website, your browser transmits a User-Agent String (UA String).

A UA String identifies your browser and operating system to the web server, allowing them to deliver the most consistent experience with your software. 

The UA String captured by Hodge’s Canary revealed the browser was the built-in web scraper used by macOS’ iMessage when rendering previews of web-based content. 

Although this isn’t a smoking gun, it provides compelling evidence that this behavior is innate to MacOS and not merely Hodges accidentally clicking on a link. 

Putting the Issue in Context 

It’s essential to put this potential issue in context. It isn’t a catastrophic security flaw. But it does raise serious concerns. 

When you use the Internet, you expose details about your identity. Your IP address and your UA string are two good examples. 

IP addresses may look like indecipherable lists of numbers, but they can reveal a lot about a person. Most importantly, they correspond (albeit imperfectly) with a person’s location, often down to the city. 

It’s easy to imagine how this behavior could be weaponized. Somebody, for example, could surreptitiously leave a QR code on someone’s computer and receive updates as they move from city to city. 

Hackers could use this behavior as a tool to spread malware

Suppose someone identifies a critical vulnerability within Safari that allows a third party to execute a drive-by-download on someone’s computer. 

If they manage to deploy a QR code on the victim’s computer, macOS would automatically open it, triggering the exploit in the process. 

I don’t want to scare you. This is all theoretical. There’s no evidence — none — that anyone has used this behavior for any nefarious purposes. But it does illustrate an oversight within Apple. 

On a basic level, users should be able to opt out of this automatic QR scanning.

Or, it should restrict to areas that make sense — like images received over iMessage. Not anything stored in the user’s local storage. 

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• New macOS security feature auto-blocks unfamiliar USB-C devices
• Stage Manager for macOS Ventura is a multitasker’s dream
• MacBook battery draining super-fast in sleep mode with macOS 12.2? Bluetooth might be why
• macOS 12.2 beta includes a new-and-improved version of Apple Music

The post macOS silently opens locally-stored QR codes (updated) appeared first on KnowTechie.

By doing this, the company created regional disparities in access to mobile apps at a time when many economies are becoming increasingly dependent on them.

The mobile phone giants have removed over 200 Chinese apps, including widely downloaded apps like TikTok, at the Indian government’s request in recent years.

Similarly, the companies removed LinkedIn, an essential app for professional networking, from Russian app stores at the Russian government’s request.

However, access to apps is just one concern. Developers also regionalize apps, meaning they produce different versions for different countries.

This raises the question of whether these apps differ in their security and privacy capabilities based on region.

In a perfect world, access to apps and app security and privacy capabilities would be consistent everywhere.

Popular mobile apps should be available without increasing the risk that users are spied on or tracked based on what country they’re in.

Especially given that not every country has strong data protection regulations.

My colleagues and I recently studied the availability and privacy policies of thousands of globally popular apps on Google Play, the app store for Android devices, in 26 countries.

We found differences in app availability, security and privacy.

While our study corroborates reports of takedowns due to government requests, we also found many differences introduced by app developers.

We found instances of apps with settings and disclosures that expose users to higher or lower security and privacy risks depending on the country in which they’re downloaded.

Geoblocked apps

The countries and one special administrative region in our study are diverse in location, population and gross domestic product.

They include the U.S., Germany, Hungary, Ukraine, Russia, South Korea, Turkey, Hong Kong and India. We also included countries like Iran, Zimbabwe and Tunisia, where it was difficult to collect data.

We studied 5,684 globally popular apps, each with over 1 million installs, from the top 22 app categories, including Books and Reference, Education, Medical, and News and Magazines.

Our study showed high amounts of geoblocking, with 3,672 of 5,684 globally popular apps blocked in at least one of our 26 countries.

Blocking by developers was significantly higher than takedowns requested by governments in all our countries and app categories.

We found that Iran and Tunisia have the highest blocking rates, with apps like Microsoft Office, Adobe Reader, Flipboard and Google Books all unavailable for download.

We found regional overlap in the apps that are geoblocked. In European countries in our study – Germany, Hungary, Ireland and the U.K. – 479 of the same apps were geoblocked.

Eight of those, including Blued and USA Today News, were blocked only in the European Union, possibly because of the region’s General Data Protection Regulation.

Turkey, Ukraine and Russia also show similar blocking patterns, with high blocking of virtual private network apps in Turkey and Russia, which is consistent with the recent upsurge of surveillance laws.

Of the 61 country-specific takedowns by Google, 36 were unique to South Korea, including 17 gambling and gaming apps taken down in accordance with the national prohibition on online gambling.

While the Indian government’s takedown of Chinese apps happened with full public disclosure, surprisingly most of the takedowns we observed occurred without much public awareness or debate.

Differences in security and privacy

The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities.

One hundred twenty-seven apps varied in what the apps were allowed to access on users’ mobile phones, 49 of which had additional permissions deemed “dangerous” by Google.

Apps in Bahrain, Tunisia and Canada requested the most additional dangerous permissions.

Three VPN apps enable clear text communication in some countries, which allows unauthorized access to users’ communications.

One hundred and eighteen apps varied in the number of ad trackers included in an app in some countries.

Categories include Games, Entertainment and Social, with Iran and Ukraine having the most increases in the number of ad trackers compared to the baseline number common to all countries.

One hundred and three apps have differences based on country in their privacy policies.

Users in countries not covered by data protection regulations, such as GDPR in the EU and the California Consumer Privacy Act in the U.S., are at higher privacy risk.

For instance, 71 apps available from Google Play have clauses to comply with GDPR only in the EU and CCPA only in the U.S.

Twenty-eight apps that use dangerous permissions make no mention of it, despite Google’s policy requiring them to do so.

The role of app stores

App stores allow developers to target their apps to users based on a wide array of factors, including their country and their device’s specific features.

Though Google has taken some steps toward transparency in its app store, our research shows that there are shortcomings in Google’s auditing of the app ecosystem.

Some of which could put users’ security and privacy at risk.

Potentially also as a result of app store policies in some countries, app stores that specialize in specific regions of the world are becoming increasingly popular.

However, these app stores may not have adequate vetting policies, thereby allowing altered versions of apps to reach users.

For example, a national government could pressure a developer to provide a version of an app that includes backdoor access.

There is no straightforward way for users to distinguish an altered app from an unaltered one.

Our research provides several recommendations to app store proprietors to address the issues we found:

• Better moderate their country targeting features
• Provide detailed transparency reports on app takedowns
• Vet apps for differences based on country or region
• Push for transparency from developers on their need for the differences
• Host app privacy policies themselves to ensure their availability when the policies are blocked in certain countries

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• Researchers reveal how they detect deepfake audio – here’s how
• Household robot servants are still a long way off – here’s why
• FTC lawsuit exposes major privacy risk, and it’s your phone’s fault
• Is Twitter putting its users’ security at risk?

The post Apps downloaded from different countries pose higher privacy risks appeared first on KnowTechie.

Researchers found that nearly 100 apps contained adware, with a total of 13 million installs.

When these apps are enabled, the software abuses advertising networks to display out-of-context ads or, in some cases, invisible ads.

In turn, the user has no idea that their device is generating ad revenue for the bad actor posing as a developer.

The team reached out to Google and Apple, and these apps have been removed from their app stores.

That removal doesn’t mean they disappear off your devices, so it’s time to check your installed apps.

The report doesn’t say that these apps were stealing data. With this in mind, you should still delete them if you have them installed.

Delete these adware apps asap

Apple and Google have removed all of these apps from their app stores, but that doesn’t remove them from your devices.

So, time to get deleting if you know you have any of these installed.

NOTE: Any misspellings in this list are intentional, and how the report reads.

iOS

Some adware-containing apps got past the App Store’s usually solid checks.

Delete any of these apps if they’re installed on your device.

Android

Some of the Android apps in the report don’t include the app name, only the package name.

Those have a zero-install count, according to Google Play’s statistics. Check those out in the full report.

As you can see, there is a running theme of lotto scratchers and promises of other incentives for installing the apps.

Just a heads up, you can’t win real money on Apple’s App Store; the company’s policies forbid it.

On the other hand, Google Play has loosened its rules recently, but they are only allowed in specific countries with a valid gambling license.

There also seem to be a lot of puzzle games; presumably, these work as puzzles, and the longer you spend in the app, the longer the criminals have to commit ad fraud.

If you find any of these adware-containing apps on your device, it’s time to delete them.

Then, reboot your phone, clearing any cache and running memory.

Android users, you’ll want to enable Google Play Protect, which can remove apps like these automatically.

Apple doesn’t have any clear guidelines for Apple users looking to remove apps, but deleting them and rebooting your device should clear most malware apps.

We suggest sticking to more established developers when downloading new apps.

Also, just because something is in the charts in any respected App Store doesn’t mean they’re safe – these rankings get manipulated all the time.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• These Android apps are riddled with malware – delete them
• Samsung’s Galaxy Store is hosting malicious apps that distribute malware
• Malware is being hidden in Windows 11 installers – here’s how to avoid it
• The amount of malware on Mac computers is now outpacing PCs

The post Delete these Android and iOS apps: they’re riddled with adware appeared first on KnowTechie.

Previously, Microsoft and Google announced issues – Rogue System Register Read and Speculative Store Bypass – which are technical variants of the Spectre and Meltdown vulnerabilities.

So what does this mean for you? Well, it probably means that you’ll have some updates to deal with for your CPU, likely delivered in the form of a firmware update for your system.

This is conventionally called a BIOS update, though you’re more likely updating your Unified Extensible Firmware Interface, or UEFI, instead.

If this all sounds Greek to you, don’t worry. Even though it’s slightly more involved than a standard operating system update, you don’t need to be afraid to update your BIOS.

Thankfully, it’s a pretty easy process nowadays. Here’s how to do it.

Mac users have it easy

Okay, so if you’re a Mac user concerned about missing security updates that address the hardware issues in the news – don’t worry.

The App Store will automatically download system updates for you if you tell it to, or you could check it regularly if you don’t like the autoroute.

Apple makes this process painless, one of the benefits of having a closed ecosystem.

Windows users, not so much

Make some coffee and sit comfortably, you might be here a while. Updating your system’s firmware isn’t terrible, but it’s not as easy as on a Mac. First things first, check Windows Update.

That won’t update the motherboard BIOS, but it will update all your system files to include any bug fixes or security updates.

If you’re a laptop user, the best way to get any driver or BIOS update files is to go to the manufacturer’s website and look for the support section.

You’ll probably need to know the exact make and model of the laptop you’re using, which will likely be on a sticker on the underside of your machine.

Suppose your laptop is already registered with the manufacturer. In that case, sign into your account on their website and look at the section of your account that talks about registered devices.

Each manufacturer hosts updates in different locations on their sites, so this might require a little searching.

If luck is on your side, your laptop manufacturer will offer some kind of software utility that will help you find out what drivers and updates you need for your machine.

There might also be a BIOS update utility to make updating that easier.

There are a million different laptops, and the process of updating your BIOS could vary even with the same manufacturer.

If your manufacturer doesn’t have their own utility for running all your updates for you, you’ll want to look for the latest BIOS file at a minimum.

Whether that update then gets installed using a special utility or a tool like Rufus to make a bootable USB key and run the BIOS update from MS-DOS, that’s entirely at the whim of how your laptop manufacturer handles these kinds of updates.

If you’re on a desktop PC, you also have a few options for updating. Your system’s manufacturer might offer BIOS updates, especially if you bought a pre-built system.

Editor’s Recommendation

To fix various PC problems, we recommend DriverFix

This software will keep your drivers up and running, thus keeping you safe from common computer errors and hardware failures. Running this application will automatically install all relevant drivers.

Download Now

If so, it’s the same route as for laptop users. You might also have to hunt down your motherboard’s manufacturer to get BIOS updates that way, this is mainly for if you built your system yourself.

If you don’t know which motherboard is in your system – hit the Windows Key + R, type in ‘msinfo32,’ and look for the System Manufacturer and System Model listings.

If this doesn’t show enough specifics, you can use a third-party app such as CPU-Z or HWInfo to help you out.

Once you’ve figured out your manufacturer and model number, search for the corresponding support page on the manufacturer’s website.

Just like with the laptop instructions, you’ll be looking for the driver’s page for your motherboard and then either a utility that will update your drivers and firmware for you, a BIOS file, or a combination BIOS file and flashing utility.

Depending on your file, your process for updating the BIOS will differ.

Mostly you’ll find yourself running either a utility directly out of Windows or copying the file to a USB drive, rebooting your computer, hammering the DEL key (or whatever key your system uses) during POST to enter BIOS and flash the updated BIOS file onto the motherboard.

Sometimes this can be a bit hard to find, on my Gigabyte motherboard, it’s a little popup on the bottom of the screen.

If you’re overclocking on your system, use the BIOS reset selection to put everything to a stock configuration before the update.

Your motherboard manufacturer will have documentation on how best to do this for the specific board.

I recommend looking on their support pages for the right steps, as there might be something I’ve not mentioned here.

Just an FYI – BIOS updates can be a bit scary

Just so you’re aware, BIOS updates are deceptively simple and also something you don’t want to mess around with – if something goes wrong, it’ll go wrong big time.

Before running the BIOS update, make sure you back up your important files, just in case. You could also use Macrium Reflect to make a system image if you have enough space on a secondary drive.

Make sure your laptop is plugged into a power socket, not on battery power, and do not turn off or reboot your desktop or laptop during the updating process unless the update utility tells you that it is safe to do so.

After the update is finished, you might need to boot back into your system’s BIOS – usually by button mashing DEL or F2 as it boots – and reset whatever settings were previously configured.

You’ll also probably have to redo any fan settings you had, and you can go ahead and apply any overclocks that you previously had.

Presuming that your system manufacturer is similar to most, you’ll have to find out about BIOS updates by checking your manufacturer’s support page regularly unless you’re running an auto-update program.

A good way to ensure this is to make a recurring reminder in your favorite calendar, so you don’t miss out on anything critical for your key components.

To fix various PC problems, we recommend DriverFix

This software will keep your drivers up and running, thus keeping you safe from common computer errors and hardware failures. Check all your drivers now in three easy steps:

1. Download DriverFix (verified download file)
2. Click Start Scan to find all problematic driers
3. Click Update Drivers to get new versions and avoid system malfunctioning.

Running these applications will automatically install the relevant drivers, and you can further update them from the same place.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• How to check if your PC meets the requirements for a VR headset
• How to type out emojis on a PC
• How to give new life to an old gaming PC
• How to connect Bluetooth headphones to a PC

Just a heads up, if you buy something through our links, we may get a small share of the sale. It’s one of the ways we keep the lights on here. Click here for more.

The post How to update your PCs BIOS to help protect yourself appeared first on KnowTechie.

Supposedly, a hacker broke into 2K Support through a help desk program. The company says the hacker sent out multiple, legitimate-looking emails from the platform containing malicious links.

“Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers,” wrote 2K Support in a tweet.

“The unauthorized party sent a communication to certain players containing a malicious link. Please do not open any emails or click on any links that you receive from the 2K Games support account.”

With that said, do yourself a favor and don’t open any emails from them or click on any links inside those emails.

How to secure your 2K Games account

If you clicked on anything in a recent email from 2K Support, here’s what to do:

1. Go to accounts.2k.com/forgot-password and reset your password, and update the new one in your password manager
2. Enable multi-factor authentication on all of your internet accounts (not just the 2K one)
3. Install and run an anti-virus program
4. Check and make sure that email forwarding isn’t enabled on the email account you use with 2K

2K is still in control of their Twitter account and posted the news with the mitigation steps above.

2K says the support site will stay down until they finish their internal investigation. So if you’ve got a support ticket with them, unfortunately, all you can do is wait.

“We deeply apologize for any inconvenience and disruption that this matter may cause. We appreciate the ongoing support and understanding from our player communities,” wrote 2K Support.

This is the latest in a series of high-profile hacks. A hacker got into Rockstar Games and released videos of the upcoming title, Grand Theft Auto 6.

That hacker also seemingly hacked Uber. In addition, Blizzard’s upcoming Diablo 4 also had nearly an hour of gameplay leaked online.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• New TikTok hack reportedly exposes source code and user data
• A new exploit lets hackers unlock any Honda made since 2012
• You can now play Xbox One discs offline on your Series X
• PlayStation 5 with detachable disc drive reportedly coming in 2023

The post 2K Games was hacked – change your passwords and enable MFA appeared first on KnowTechie.

Now, this isn’t entirely new. Enhanced spellcheck in Chrome warns you it will send data to Google’s servers. Microsoft Edge says it “connects to a Microsoft online service.”

That doesn’t mean it’s not an issue. For example, it could contain sensitive information depending on which form you’re filling in.

Anything from your Social Security Number (SSNs), banking details, and more is in plain sight. The spellcheck even sends passwords in plaintext in some situations. Via the company’s blog post:

“Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”

Your browser spellchecker is leaking your passwords

The browser-based spellchecker works on almost any website. A way to mitigate sending sensitive information is by adding an HTML attribute to the password field.

Most websites don’t use this, and even popular password managers like LastPass didn’t have the mitigation. However, as has AWS with its Secrets Manager, LastPass has mitigated the issue.

While this is undeniably an issue for everyone using these browser tools, it’s more of a problem for companies.

Think of all the passwords to internal tools that Chrome and Edge have passed across to Google or Microsoft’s servers.

For their part, Google told BleepingComputer that “to further ensure user privacy, we will be working to exclude passwords proactively from spell check.” That might also fix the issue in Edge, as they both use the Chromium core.

To keep your data safe until then, remove or disable the Microsoft Editor extension in Edge.

Chrome users will want to check if Enhanced spell check is disabled. If it’s not, turn it off if you feel at risk. The basic spell check works on any device, so your data is safe.

Have any thoughts on this? Carry the discussion over to our Twitter or Facebook.

Editors’ Recommendations:

• How to view and edit saved passwords in Google Chrome
• How to turn on Google Chrome’s secret Reader Mode
• How to stop Chrome from saving history on Windows and Mac
• Microsoft Edge is testing a free in-browser VPN

The post Your browser’s spell checker is reportedly leaking passwords appeared first on KnowTechie.