Sony Pictures Employees Now Working in Air-Gapped Offices

the-interview-poster-preview-101292.jpg

There is so much to say about the Sony hack, whether it has been perpetrated by the North Koreans or not, but everyone else is saying it, so I’ll just let them go ahead. I found one thing interesting about the situation: according to TechCrunch article, Sony Pictures employees are now working in air-gapped offices; offices with no internet connection.

“That is what a major corporate security breach sounds like: the squeal of a fax machine and the low murmur of co-workers now required to talk to each other instead of depending on email or instant messages.”

I can understand that they’re worried about more intrusions, but they would do better to hire some computer security experts and get on with things. I did note this interesting tidbit:

“”… A couple of people had their computers removed but people using Macs were fine,” she said. She said most work is done on iPads and iPhones.”

Help a Good Samaritan Return Your Lost iPhone, iPad or Mac

You know it could happen some day: you might lose your iPhone, iPad or laptop. If you’ve activated Find My iPhone (or the similarly named feature for other devices), you’ll get an approximate location for the device, but if it’s in an apartment building or office building, or if there’s no Wi-Fi or cellular access, you might not be able to track it down precisely.

If someone finds your device, it would be good to make it easy for them to get in touch and return the device to you. There are plenty of Good Samaritans out there, and it’s worth preparing your device so if one does find it, they can contact you.

Essentially, you want to add contact information to your device, in a way that anyone who turns it on can find your name, email address and phone number (obviously not your iPhone’s number), and get in touch. An easy way would be to paste a sticker on your device, but that might be ugly and it could wear out. Why not add contact information to the lock screens of your Macs and iOS devices? It’s easy.

Read the rest of the article on Macworld.

How To: Set a Long Passcode on an iOS Device

On the most recent episode of The Committed Podcast, we were discussing security and iPhones, and one of my co-hosts, Ian Schray, mentioned not using a four-digit passcode, that it’s too insecure to use such a simple passcode. I realized after the recording that a lot of people may not know how to set up a longer passcode. Hence, this how-to.

First, why would you want to use a long passcode? If you have a device that offers Touch ID, you’ll use your fingerprint most of the time, and only need to type a passcode when you restart the device, or when Touch ID doesn’t work. The latter only happens when my hands are sweaty; Touch ID has always been very reliable for me, though I know many people who have problems with it.

Your four-digit passcode isn’t very strong, and someone could try a bunch of combinations, unless you have activated a setting (in Settings > Passcode Lock) to erase the device after ten failed passcode attempts. So you might want something more robust.

To set a long passcode, open the Settings app, tap Touch ID & Passcode, and then enter your passcode. Scroll down to where you see a toggle for Simple Passcode, and turn this off.

2014-12-11 14.21.29.png

Enter your passcode to approve this change, then you’ll see a screen allowing you to enter a passcode. Unlike the standard screen, which only displays numbers, this one shows a full keyboard, and you can choose a passcode with letters, numbers, and even symbols and punctuation.

2014-12-11 14.21.59.png

Type the new passcode, and then tap Next; type it again to confirm, and you’ll have a long passcode. Now, whenever you access your device with a passcode, you won’t be limited to just a number pad; you’ll have a full keyboard, and can enter your passcode.

2014-12-11 14.24.19.png

You can still use Touch ID, but whenever you do need to enter a passcode, it will be more secure.

Why Apple’s Two-Step Authentication Can Be Dangerous

Apple offers two-step authentication for iCloud accounts, but their version of this process is quite rigid, and is downlight dangerous. Owen Williams writes about this in an article for The Next Web, showing how he was nearly locked out of his account.

His account was locked for “security reasons;” in other words, someone tried to get into his account, and presumably made too many login attempts, and the account was automatically locked. No problem; just use the recovery key that he got when setting up two-step authentication… But, as Williams says, “How could I be foolish enough to misplace my Apple ID recovery key?”

And there’s the big problem with the way Apple implements two-step authentication.

Two-step authentication combines the need for a password and a code that is sent to you on a device you own. So, when logging into your account from a new device (you don’t do this every time you log in), you’ll get an SMS sent to your phone with a code. You need to have more than one device, in case you lose one of them. For example, if you lose your phone, you need to be able to log in on a computer, and add a new phone as a trusted device. (Hmmm, what does happen if you lose both your computer and phone…?)

HT5570_01-icloud-2stepfaq-001-en.png

In Apple’s case, there is a recovery key, which you can use if you no longer have any trusted devices; this code is also needed if your account gets locked for any reason.

So the real problem is ensuring that you save the recovery key. Apple recommends that you print it out, and keep it in “a safe place,” and that you do not save it on your computer. (Though saving it in an app such as 1Password would be fine.) If you do this, you’ll have no problems. But if you don’t, then you could get locked out of your account; Apple makes this very clear.

So, Apple’s two-step authentication is dangerous, but if you follow the instructions to the letter, you won’t have anything to worry about. As far as I’m concerned, I’ve never set it up, because while the risk of losing access to the account is minimal, it exists. If my house were to burn down, and I lost both physical and digital access to the recovery key, then I’d lose access to a lot of my stuff. If you use this two-step authentication, make sure to have a copy of that key somewhere safe, and make sure to remember, say ten years from now, where you put it, in case you need it then.

I Almost Fell for This Apple ID Phishing Email

I almost fell for this; until I read the subject line. iPhone 3; seriously? These guys need to update their stuff.*


phishing.png

* Apparently some readers think I was being serious above. I’ve added this footnote for those who didn’t spot the sarcasm, which, perhaps, is not as obvious as I thought.

Apple Now Emails You When You Sign into iCloud on the Web

There is always a fine balance between security and usability. Apple was strongly criticized because of the iCloud selfie breach, and Tim Cook announced that the company would be implementing new security procedures.

As of today, one of them is live: if you sign into iCloud on the web, you’ll get an email:

Mail001.png

This is interesting, but is it useful? First, if you get one of these every time you sign into iCloud on the web, it’ll just be a bother. Sure, if you didn’t sign into iCloud, you can reset your password, but too much security hampers usability. People will, over time, get tired of these messages and just delete them.

And, what if I just accessed iCloud around the same time someone broke into my account? Will I get two emails? Or will I just assume that the email I get is for my access?

In any case, by the time you get the email, it might be too late.

As my friend and editor Michael Cohen pointed out:

“Of course, if someone DID sign into your iCloud account via a Web browser, that person would see the email, too… and could reset your password, locking you out! Unless you use 2-factor authentication; then it might be harder to do the last.”