Eliana Willis

Not a week goes by that I don’t hear from someone who has lost access to their Apple ID. It can be pretty traumatic — you can lose access to a lot of different features and services.And Apple has several ways for users to get themselves out of a jam.

It’s just they’re all a bit of a hassle.A far easier way is to plan in advance and set up an account recovery contact (or contacts!).What is an account recovery contact?If you lose access to your Apple ID, you can follow the steps on your device to share the onscreen instructions with your recovery contact and request a six-digit code that will allow you to reset your Apple ID password.Oh, and don’t worry. Your account contacts don’t get access to any of your data.

On the iPhone or the iPad, you must be running iOS 15 or later:Tap on Settings and then on your name at the top of the screenTap Password & Security, then Account RecoveryTap on Add Recovery Contact (you’ll need to authenticate with Face ID or Touch ID), and then you can choose your contact (those in your Family Sharing group are added automatically, whereas any other contact will need to accept your request first)It’s that simple.You can also do the same on the Mac, but you must be running macOS Monterey or later:Click on the Apple menu, then go to System PreferencesClick on Apple IDClick Password & SecurityNext to Account Recovery, click on ManageClick on + and then Add Recovery Contact (you will need to authenticate with Touch ID or your password), and then you can choose your contact (those in your Family Sharing group are added automatically, whereas any other contact will need to accept your request first)Again, it’s all quite straightforward.Apple has detailed information on how to set this up, along with information for those who are set as account recovery contacts.I recommend you set up a recovery contact today because having one — or several, you can have up to five — set up can save you a lot of grief down the line. More

Smartphones like the

iPhone

 are home to so much information.

Texts, emails, financial, medical. Then on top of that, smartphones can be used to track our movements and what we do online.It’s vital to keep them secured.But what do you do if someone has figured out a way into your iPhone? How do you even know if someone has found a way into your iPhone?Yeah, scary, isn’t it.Over the past few weeks, I’ve been assisting someone in this exact position. Someone that they trusted turned out not to be worthy of that trust and The first reaction of most people is to change their passcode, but that’s not where I’d start.Note: If someone does have access to your iPhone, either because they’ve guessed your passcode, or by another means, remember that making changes to revoke that access will be noticeable to them.

Here’s the process that I follow for securing an iPhone that someone might have gained access to:#1: RebootThere’s a reason we start with a reboot. Bottom line, if someone has compromised an iPhone using a jailbreak or some other exploit, a simple reboot should get rid of it. Instruction on how to reboot your iPhone can be found here. A regular reboot will also help to keep your iPhone running swiftly and smoothly, and it’s something that I do once a week.#2: Change your passcodeIt has to be done. Make it a secure one because this is the key to everything on your phone: birthdays, pet names, names of children, these all such as passcode.Apple has information here on how to change the passcode for versions of iOS ranging from iOS 12 to iOS 15.Also: iOS 15.3.1: A pleasant surprise after the chaos#3: Check for rogue Face ID or fingerprints.You can have more than one face, and set of fingerprints enrolled in your iPhone. To check if someone has added their face to Face ID, tap Settings > Face ID & Passcode and enter your passcode.If you see the option to Set Up an Alternative Appearance, then there’s only one face enrolled, and you’re OK.However, if that option is not visible, there are two faces enrolled (or perhaps you enrolled your face twice). If this is that case, and you’ve not set up your device so someone else can access it, tap on Reset Face ID and go through the enrollment process again (it takes seconds).If your iPhone users the Touch ID fingerprint reader, I recommend deleting all the stored fingerprints and adding them again.Go to Settings > Touch ID & Passcode, then tap on each fingerprint and then tap Delete Fingerprint to remove it.#4: Run an anti-spyware scanIt might be overkill, but it’s better to be on the safe side. My favorite is Certo AntiSpy, and you can get more information about it here. A lower-cost solution that you can run is iVerify. This app is great because it is packed with awesome hints, tips, and tricks on how to secure your iPhone.
#5: Don’t hand your phone to other peopleIt can be hard to set certain boundaries in life, but the one of not passing your unlocked iPhone over to someone else is probably a good one to build. A smartphone is packed with personal information, and it’s OK to want to keep that private. 

More iPhone More

Akamai CEO Tom Leighton touted the company’s expansion this week on the heels of a Q4 earnings report that saw the company bring in a revenue of $905 million for the quarter and $3.5 billion for the full fiscal year. Akamai announced on Tuesday that it is acquiring infrastructure-as-a-service (IaaS) platform provider Linode for about $900 million. Leighton said Linode is a very developer-friendly IaaS provider that makes it very easy to spin up a virtual machine or a container to build and run applications. “By combining that with Akamai, we’re the world’s leaders in content delivery and web security. We make your applications really fast and we protect them from all sorts of attacks. We have the world’s most distributed edge computing platform for applications that need to be scaled up instantly on a global basis to respond to demand and various geographies in a serverless way,” Leighton told ZDNet in an interview. “Putting them together is a very powerful combination because now developers and enterprises will be able to much more easily do the whole thing on Akamai. They can build the apps on Akamai, run them there, deliver them from Akamai and have them be secured as part of Akamai. Akamai becomes the world’s most distributed cloud services provider, all the way from the cloud to the edge, and we’ll make it really easy to build, run and secure your applications online.”He went on to explain that Linode has great customer support and is already in 11 locations, which Akamai is going to “dramatically” expand. Linode does not have much of a sales force today, so Akamai will help them build that out, Leighton said. Akamai will be integrating in more than 250 employees from Linode’s headquarters in Philadelphia, which will bring them to well over 9,000 employees globally. Leighton also noted the September 2021 acquisition of Israel-based Guardicore, a cybersecurity company that offers a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and meet compliance standards.

Leighton said the two acquisitions are the largest they have done in the last 20 years and noted that since closing the Guardicore deal, they have nearly doubled their initial projections of $30 million to $35 million in revenue for the company. “The micro-segmentation that they do is really important for stopping the impact of ransomware. Ransomware is a huge problem today and the visibility it gives our customers into what’s going on in their internal networks is really important,” he explained.  “When you put it all together, Akamai is now positioned as the most distributed cloud services provider, with three market-leading capabilities and pillars to support growth. That’s a pretty exciting place to be.” Akamai saw significant growth throughout 2021 in their security services, which contributed to revenue increases of 25% year over year and growth in their edge application services, which was up 30% year over year. According to Leighton, the company is expecting the cloud compute category — which includes edge applications, its net storage business and Linode — to reach “well over half a billion dollars in 2023.”While the company has seen growth in overall revenue, their earnings per share may grow a bit less than usual due to the acquisitions. But Leighton predicted the EPS would bounce back next year. “We generate a ton of cash so we’re in a position to make acquisitions that would benefit our customers and shareholders. I’m really excited about the future. We have a great history of innovation in the internet, beginning with the invention of content delivery and then bringing high quality streaming online, application acceleration, and of course, web security,” he said. “We were pioneers in edge computing and now we’re taking a big step forward in cloud computing with Linode.”

Tech Earnings More

There’s a lot of FUD about how Linux is being shown recently to be less secure than proprietary systems. That’s nonsense. But, now there are hard facts from Google’s Project Zero, Google’s security research team, showing Linux’s developers do a faster job of fixing security bugs than anyone else, including Google.

Project Zero looked at fixed bugs that had been reported between January 2019 and December 2021. The researchers found that open-source programmers fixed Linux issues in an average of only 25 days. In addition, Linux’s developers have been improving their speed in patching security holes from 32 days in 2019 to just 15 in 2021. Its competition didn’t do nearly as well. For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days. By Project Zero’s count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days. Generally, everyone’s getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple’s web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit’s programmers take an average of over 72 days to fix bugs.Project Zero gives developers 90-days to fix security problems. Besides the average now being well below the 90-day deadline, the team has also seen a dropoff in vendors missing the deadline or the additional 14-day grace period. 

Last year, only a single bug, a Google Android security problem, exceeded its fix deadline, though 14% of bugs required the extra two weeks. Still, everyone’s doing a much better job of fixing security bugs than they’ve been doing in years past. Why? The Project Zero crew suspects it’s because “responsible disclosure policies have become the de-facto standard in the industry, and vendors are more equipped to react rapidly to reports with differing deadlines.” Companies have also been learning best practices from each other with the increase in transparency. I credit much of this to the growth of open-source development methods. People are realizing that it’s to everyone’s advantage to fix bugs together. Related Stories: More

Google has expanded plans to limit data tracking on its Chrome browser by extending that coverage to apps running on Android devices. The Privacy Sandbox project aims to limit the amount of user data that advertisers can gather from browsing and app usage.

But details are scant, and it’s not happening just yet.Google will begin by allowing developers to review initial design proposals and share feedback. Over the year, Google plans to release developer previews, with a beta being available by the end of the year.And it’s clear that Google is worried that by making changes too quickly, it could upend its app ecosystem.”Currently over 90 percent of the apps on Google Play are free,” writes Anthony Chavez, VP of Product Management, Android Security & Privacy at Google, “providing access to valuable content and services to billions of users. Digital advertising plays a key role in making this possible. But in order to ensure a healthy app ecosystem — benefiting users, developers and businesses — the industry must continue to evolve how digital advertising works to improve user privacy.”It seems that right out of the gate, Google is worried that making apps more private could scare off developers from making free apps (although where they might go is unclear).

“We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.” Google also took the opportunity to take a pop at Apple at its App Tracking Transparency feature: “We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers. We believe that — without first providing a privacy-preserving alternative path — such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses.”One of those businesses is Meta (Facebook), which estimates the changes that Apple made will cost it $10 billion this year alone.Problem is, Apple’s path has been effective for the people that matter — the users. And users, when given a choice as to whether they want apps to track them or not, have overwhelmingly chosen to retain their privacy. Apple also paved the way for greater transparency by forcing app developers to outline how data collected by apps would be used.It’s clear that Google feels it needs to make some positive sounds with regards to privacy, but it’s also clear that simply handing the reigns of control to users isn’t what Google wants to do, and instead, the company wants to come up with a solution that’s more within its control.What does this mean for users? It means that if you want privacy on a mobile device, the choice is clear — you should be ditching Android and buying an iPhone.

ZDNet Recommends More

Cybersecurity labels could convey a software product’s or connected gadget’s cybersecurity status. But would these labels be useful, and what is a software product anyway in connected cars and consumer appliances? The idea of cybersecurity labels for Internet of Things (IoT) and consumer software has been kicked around for years, and has recently been looked at more seriously in the EU, Australia, UK and elsewhere. In October, Singapore and Finland agreed to recognize each other’s cybersecurity labels for IoT devices.But labels were required to be seriously considered in the US as part of president President Biden’s May 2021 cybersecurity Executive Order 14028, “Improving the Nation’s Cybersecurity”. Biden signed the EO shortly after the massive SolarWinds software supply chain attack and a spate of ransomware attacks on critical infrastructure. Part of the order required the US National Institute of Standards and Technology (NIST) to consider product labelling for IoT devices and software development practices for consumer software, in order to boost cybersecurity education. NIST only makes guidelines for a US cybersecurity labelling scheme, which would more likely be enforced by the Federal Trade Commission (FTC), given its existing oversight of consumer protection and data privacy laws.NIST released its guidelines for such labels on February 4, and now its two leads for consumer software and IoT have shared their views on the pros and cons of cybersecurity labels.As they point out, there are working examples of labels for food safety, device performance, and the electrical safety of appliances. These help consumers make informed choices and provide incentives to improve product safety and quality. But software is different.

Michael Ogata, NIST Computer Scientist, says that developing the recommended criteria for consumer software labelling was a “nerve-wracking experience”, in part because of the difficulties in defining where software begins and ends today. “What is consumer software? Is the firmware in your car consumer software? What about an online service like an office suite or email client? Certainly, a video game counts as consumer software, but do you measure a mobile game, a console game, and a PC game in the same ways?,” he writes.A definition of consumer software eventually emerged as: “software normally used for personal, family, or household purposes.”One of NIST’s key recommendations for labels, whichever scheme runs it, is that they’re “binary”, in that the product either 1) does meet the criteria at a given time or 2) does not. Additionally, they should not be “bogging down” non-technical consumers with jargon.  Another complication in labelling software can be seen in soda cans that list the number of calories per serve. Is the tool used to measure calories accurate? So there’s an explicit and implicit claim being made on soda cans. NIST recommended software labels should cover both explicit and implicit claims.These include both descriptive claims and security software development claims. Descriptive claims cover whether the labelled software is still receiving security patches and how these are delivered to consumers. Also, what body stands behind the claims, and when the claim was made.On the secure development side, NIST leaned on its own NIST Secure Software Development Framework (SSDF) as the basis for industry best practice. It’s a non-prescriptive document, but it “identifies common practices that are represented in, and mapped to, existing formalized industry guidance.”      “Our recommendations encourage scheme owners to express development requirements by way of the SSDF while also identifying specific elements that signal that industry best practices have been employed,” explains Ogata. Katerina Megas, a program manager for NIST’s Cybersecurity for IoT program, offers a snapshot on how complicated it would be to create cybersecurity labels for IoT devices. After surveying other labelling schemes around the world, Megan says her team was reassured that there seemed to be a developing “general consensus” that IoT products include not just the device but also its supporting software, such as a smartphone app or hardware such as a controller device.Megas says the group took a risk-based view of the question of baseline security with “risk being both contextual (based on specific use) as well as on the unique nature of IoT products being capable of interacting with the physical world by collecting data or effecting changes without human intervention.” NIST guidelines also acknowledged “no-one-size-fits-all when it comes to IoT.” NIST appears to prefer the market leads in creating a baseline rather than having hard rules handed down to manufacturers.  “Allowing for a marketplace of standards, programs, and schemes to evolve would permit the market to drive how best to achieve the desired outcomes and offer the flexibility to suit a variety of stakeholders’ needs. Doing so also would accommodate, and not hinder, a rapidly evolving technology landscape,” writes Megas. More