6 Digits Are Better Than 4! iOS 9 to Boost Passcode Security | The Mac Security Blog

And although there were plenty of new features announced for the upcoming upgrade to OS X — dubbed El Capitan — perhaps the security news which will impact the most iPhone and iPad users is that Apple will be beefing up security on iDevices running iOS 9, by requiring users to upgrade from a 4-digit passcode to one containing 6 digits.

Two extra digits. Can that really add a whole lot more security?

Well, actually yes.

You see, a six digit passcode has one million possible combinations instead of 10,000.

Graham Cluley, writing on the Mac Security Blog, explains why a six-digit passcode is good, but an alphanumeric passcode is even better.

This is only available on a device with Touch ID. Presumably, not having Touch ID means you’ll be typing your PIN a lot more often, so they didn’t include the feature for older devices.

Source: 6 Digits Are Better Than 4! iOS 9 to Boost Passcode Security | The Mac Security Blog

Apple Explains How to Remove Adware From Your Mac

For a long time, Apple shied away from discussing any types of malware: viruses, trojan horses, even adware. This latter form of malware is also called ad-injection software, and, as Apple says, can “come from third-party download sites.” This can result in annoying ads popping up on your Mac, or being inserted into web pages. Again, quoting Apple:

“If your Mac has ad-injection software installed, you might see pop-up windows, ads, and graphics while surfing the web, even if “Block pop-up windows” is selected in Safari preferences. Ad-injection software might also change your homepage and preferred search engine.”

Apple has created a technical document, Remove unwanted adware that displays pop-up ads and graphics on your Mac, explaining how to get rid of these annoyances. But it’s not that simple. You need to check a lot of system folders for obscure files, such as com.genieo.completer.update.plist, com.VSearch.bulk.installer, or com.genieoinnovation.macextension.client.plist. And some of the file names may vary, so Apple explains how to look for files that may contain any of a number of different words.

This is all quite disturbing, and highlights the risks of installing software from many third-party websites. But it’s not just these sites that install crap like this; Oracle recently added adware to its OS X Java installer.

So what should you do? Most commercial antivirus software will remove adware, but it’s best to have a look in the folders that Apple mentions in its document. I actually check those folders from time to time, because software that I’ve tried out can leave files behind which may launch processes that I don’t need to have running. It’ll take a few minutes, but if you are seeing unwanted ads on your Mac, you should definitely do it.
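The folder check described above can be scripted. This is an added example, not Apple's procedure or code from the original post: the keywords come from the file names quoted in the post, and the three launchd folders are an assumed starting set, since the post does not list the folders Apple names.

```python
from pathlib import Path

# Keywords taken from the file names quoted in the post; extend as needed.
KEYWORDS = ("genieo", "vsearch")

# Assumption: standard launchd folders as a starting set, not Apple's full list.
DEFAULT_DIRS = (
    Path.home() / "Library/LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
)


def find_suspect_files(dirs=DEFAULT_DIRS, keywords=KEYWORDS):
    """Return sorted paths whose file name contains any keyword (case-insensitive)."""
    hits = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():           # folder may not exist on this Mac
            continue
        try:
            entries = list(d.iterdir())
        except PermissionError:      # unreadable folder: skip it, keep scanning
            continue
        for entry in entries:
            name = entry.name.lower()
            if any(k.lower() in name for k in keywords):
                hits.append(entry)
    return sorted(hits)


if __name__ == "__main__":
    for path in find_suspect_files():
        print(path)                  # review each hit by hand before deleting it
```

The script only lists matches; a file whose name varies from the keywords will not appear, so it complements the manual look through the folders and does not replace it.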

OS X’s Keychain Password Request Dialog Does Not Inspire Trust

I use the OS X Keychain, but I have the password for my keychain set to a different one than my login password. As such, when I start up one of my Macs, I see a dialog asking me to enter the password to unlock my keychain.

But I’ve often felt that this dialog is not very clear, and does not inspire trust. It mentions one of a number of different system services, none of which the average user has ever heard of. Here’s the dialog I saw after I booted my MacBook Pro today:

Keychain password request

What is CallHistoryPluginHelper? Even I don’t know. Sometimes I see different services requesting the password, such as accountsd, or some other “d” (for daemon, or background process). I don’t know why today I saw a different process ask for the password.

The problem with this is that the dialog does not inspire trust. How do I know that it is really the system level keychain that is asking for this password? Couldn’t a third-party app toss up a similar dialog, and get me to enter my keychain password?

When it’s the Keychain Access app itself asking for the password, this dialog is different, but not by much:

Keychain app password request

Or if a different app requests access to the keychain, that app’s icon displays in the dialog:

Mail keychain request

But just after I saw the above dialog (I locked my keychain to get Mail to ask for it) I also saw this:

Keychain request

I don’t think that com.apple.internetaccounts.xpc is a very user-friendly name.

Apple should think about changing this dialog to make it more understandable. It’s quite an important dialog: if you do give away your keychain password to some random app, you can give away the keys to all your online accounts.

Beware Dropbox Shared File Phishing Emails

Every now and then, I get a phishing email that’s well enough crafted that it’s worth highlighting. Yesterday, I got one purporting to be from Dropbox, alerting me to a file shared by “David.” Well, I know a few Davids, so I wondered who it could be from. But then I used the standard method of checking these emails: I hovered my cursor over the button in the email to see what the link was behind it.

Dropbox phishing

As you can see above, the link went to a server in Denmark (I’ve blurred the name of the server), but the link also has www.dropbox.com in it, trying to trip up users who look at links.

So heed the warning: be very careful about clicking links in emails. This one probably led to a bogus Dropbox login page (the page had been removed when I clicked the link to check it), which would give up your Dropbox credentials, and potentially provide access to a lot of personal files.
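The hover check above comes down to reading the link's host and ignoring everything else in it. The following is an added example, not part of the original post: the sample links are constructed (the real server name was blurred, and where in the link the Dropbox name appeared is not stated), and `example.dk` is a placeholder.

```python
from urllib.parse import urlsplit


def link_host(url):
    """Return the host the browser would actually connect to (lower-cased)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def belongs_to(url, domain):
    """True only if the link's host is the domain itself or one of its subdomains."""
    host = link_host(url)
    return host == domain or host.endswith("." + domain)


def is_lookalike(url, domain):
    """True when the domain's name appears in the link but is not its real host."""
    return domain in url.lower() and not belongs_to(url, domain)


# Constructed sample links, labelled with the expected verdict.
SAMPLES = [
    ("https://www.dropbox.com/s/abc123/report.pdf", False),        # genuine host
    ("http://files.example.dk/www.dropbox.com/login", True),       # name in the path
    ("https://www.dropbox.com.example.dk/s/abc123", True),         # name as a prefix
    ("https://example.dk/shared/file", False),                     # no brand claim
]


def check_samples(domain="dropbox.com"):
    """Return (url, real_host, flagged) for each constructed sample."""
    return [(u, link_host(u), is_lookalike(u, domain)) for u, _ in SAMPLES]


if __name__ == "__main__":
    for url, host, flagged in check_samples():
        verdict = "LOOKALIKE" if flagged else "ok"
        print(f"{verdict:9} host={host:28} {url}")
```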

How To: Save Multiple iOS Device Backups in iTunes

You probably know that iTunes can back up your iOS device when you sync it. You can choose to have your device backed up to iCloud or to your computer.

iTunes backups

You can also manually back up your device; just click Back Up Now.

iTunes’ preferences show you the backups available for your devices:

iTunes backups prefs

As you can see above, I’ve got two backups for my iPhone, Sugaree: one from this morning, at 8:55 am, and another from yesterday afternoon. iTunes saves one backup from each device – as you can see for the other devices listed in the window – but you can force it to “archive” a backup; when you do this, you’ll see the device name and the date and time of the archive, as in the last backup you see in the above screenshot.

To do this, right-click on a backup and choose Archive. iTunes quickly renames the backup, and saves it. You can do this as often as you wish, with the understanding that these backups do take up a bit of space on your computer, depending on the type of content on your device. (My backups take up from 500 MB to about 1 GB, currently.)

If you have too many backups, you can delete some of them. Just right-click on a backup and choose Delete.

iTunes used to make these archived backups whenever you clicked Back Up Now; that is, whenever you made a manual backup. Now you must choose to archive a backup yourself in the Devices preferences.

If you ever have serious problems on your iOS device, you can restore a backup, by connecting the device, and then clicking the Restore Backup button.

Phishing Dangers in Business and How to Avoid Getting Hooked

Gone are the days when malware simply rendered a computer useless or deleted files. Instead of creating malware to show off, hackers are now in it for the money. Because of this, most malware these days is designed to collect personal information, such as user names and passwords. Cyber-criminals leverage this information to hack accounts, such as email, Twitter and Facebook accounts, to spam your friends.

But the real jackpot is when hackers can trick you into giving up your banking information or credit card numbers. When that happens, they can drain your money, at least until you block the accounts.

The main way online thieves get these credentials is through “phishing,” or sending out emails that look exactly like official emails from your bank, credit card company, PayPal, Amazon or other online companies or services.

Falling for these scams can be detrimental to individuals, but they are even more harmful to businesses. If one of your employees gets fooled by phishing and inadvertently gives up the credentials for your company’s accounts, the results could be disastrous. Here’s how to detect phishing emails and make sure that you don’t get hooked.

Read the rest of the article at The Mac Security Blog.