security


'security' How Tos

How to Use Secure Code AutoFill in iOS 12 and macOS Mojave

Most readers will have at some point received a two-factor authentication code delivered to them by SMS text message. Many apps and websites send the one-time codes to confirm that the person attempting to log in to an account is the legitimate account holder, and not just someone using a stolen password. Depending on how notifications are set up on your iPhone, receiving a code via text message may mean that you have to switch out from the app or website to read the message and memorize or copy the code, and then switch back to paste it or type it into the login screen manually. To make this process less of a hassle, Apple is introducing Security Code AutoFill for iOS 12. The new feature ensures that SMS one-time passcodes that you receive instantly appear as AutoFill suggestions in the QuickType bar above the virtual keyboard, letting you input them in the passcode field with a simple tap. If you've enabled Text Message Forwarding on your iPhone, you can use the Secure Code AutoFill feature in macOS Mojave, too. The code should appear in Safari as an AutoFill option in the relevant field as soon as the SMS is delivered to Messages on your Mac. iOS and macOS use local data detector heuristics to work out whether an incoming message carries a security code, and Apple says the Security Code AutoFill feature does not alter the security of this two-factor authentication method. So as long as developers craft their secure code text messages correctly, Security Code AutoFill should work in all third-party apps updated for iOS 12 and macOS Mojave, which are

How to Secure Your Apple ID Using Two-Factor Authentication

Apple introduced two-factor authentication (2FA) in 2015 to provide an enhanced level of security when accessing Apple ID accounts. With 2FA enabled, you'll be the only person who can access your account, regardless of whether someone learns your password – as the result of a hack or a phishing scam, for example – so it's well worth taking the time to enable the feature. In this article, we'll show you how.

How Two-Factor Authentication Works

2FA offers hardened security during login attempts by requesting that the user provides an extra piece of information only they would know. With 2FA enabled on your Apple ID account, the next time you try to log in you will be automatically sent a six-digit verification code to all the Apple devices you have registered to that Apple ID. If you try to access the account from an unknown device or on the web, 2FA also displays a map on all registered devices with an approximate location of where the Apple ID login attempt occurred. In basic terms, this is an improved version of Apple's older two-step verification method, which prompted users to send a four-digit code to a registered SMS-capable device. Apple automatically upgraded most two-step verification users to 2FA as of iOS 11 and macOS High Sierra, but if you're still on two-step verification for some reason, follow the steps below to manually upgrade to 2FA.

How to Turn Off Two-Step Verification

1. Open a browser and go to appleid.apple.com.
2. Enter your Apple ID and password in the login fields.
3. In the Security section of your account page, click the Edit

'security' Articles

Timehop Service Suffers Data Breach Affecting 21 Million Users [Updated]

The company behind social media app Timehop has revealed its servers suffered a data breach in which the personal details of around 21 million users were stolen. The company, whose service integrates with users' social media accounts to display photos and memories they may have forgotten about, said it became aware of the attack as it was happening in the early hours of July 4. In a statement published on Saturday, the company said it was able to shut down its cloud servers two hours and twenty minutes into the attack, but not before a significant number of users' data was stolen. Hackers made off with the names and emails of 21 million users and the phone numbers of 4.7 million users, but no private/direct messages, financial data, social media, photo content, or Timehop data including streaks were affected, according to the company. However, the keys that enable the service to read and send social media content to users were compromised in the breach. Timehop has deactivated the keys as a security measure, but that means users will need to re-enable the app's permission to access their accounts if they want to continue using the service.

While we investigate, we want to stress two things: First: to date, there has been no evidence of, and no confirmed reports of, any unauthorized access of user data through the use of these access tokens. Second, we want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In

ElcomSoft's Latest Tool Can Allegedly Access iMessages in iCloud, But Only in Extreme Circumstances

Russian company ElcomSoft today claimed that the latest version of its Phone Breaker software can remotely access iMessage conversation histories stored in iCloud, although there are several strings attached. Namely, the person attempting to extract iMessages from an iCloud account would need the following before being able to do so:

- Elcomsoft Phone Breaker version 8.3
- The associated Apple ID email and password for the iCloud account
- The passcode, if an iPhone, iPad, or iPod touch, or system password, if a Mac, of at least one device on the account enrolled in Messages in iCloud, which requires iOS 11.4 and macOS 10.13.5 or later
- Access to a two-factor authentication method, such as a trusted secondary device, which may or may not have the same passcode or system password, or a SIM card for a phone number that has been authorized to receive one-time verification codes via SMS

It's worth noting that if the perpetrator has obtained physical access to at least one of your trusted secondary devices, and its passcode, they would be able to read at least part of your iMessage history regardless by simply opening the Messages app. Apple obviously cares very deeply about the security of its customers, but if a bad actor has gained access to another person's Apple ID credentials, your passcode, and at least one of your Apple devices, or your SIM card, there arguably isn't really much the company can do at that point to protect you. That's why it's so important, as Apple routinely stresses, to set a strong password for your Apple ID, not share that password with others, e

Third-Party macOS Security Tools Vulnerable to Malware Code-Signing Bypasses for Years

Hackers have had an "easy way" to get certain malware past signature checks in third-party security tools since Apple's OS X Leopard operating system in 2007, according to a detailed new report today by Ars Technica. Researchers discovered that hackers could essentially trick the security tools -- designed to sniff out suspiciously signed software -- into thinking the malware was officially signed by Apple while they in fact hid malicious software. The researchers said that the signature bypassing method is so "easy" and "trivial" that pretty much any hacker who discovered it could pass off malicious code as an app that appeared to be signed by Apple. These digital signatures are core security functions that let users know the app in question was signed with the private key of a trusted party, like Apple does with its first-party apps. Joshua Pitts, senior penetration testing engineer for security firm Okta, said he discovered the technique in February and informed Apple and the third-party developers about it soon after. Okta today also published information about the bypass, including a detailed disclosure timeline that began on February 22 with a report submitted to Apple and continues to today's public disclosure. Ars Technica broke down how the method was used and which third-party tools are affected: The technique worked using a binary format, alternatively known as a Fat or Universal file, that contained several files that were written for different CPUs used in Macs over the years, such as i386, x86_64, or PPC. Only the first so-called Mach-O file in

Thousands of Apple ID Passwords Leaked by Teen Phone Monitoring App Server

ZDNet reports that a server used by an app for parents to monitor their teenagers' phone activity has leaked tens of thousands of login credentials, including the Apple IDs of children. The leaked data belonged to customers of TeenSafe, a "secure" monitoring app for iOS and Android that allows parents to view their child's text messages and location, call history, web browsing history, and installed apps. The customer database was reportedly stored on two servers hosted by Amazon Web Services, where it remained unprotected and accessible without a password. The discovery was made by a U.K.-based security researcher specializing in public and exposed data, and the servers were only taken offline after ZDNet alerted the California-based company responsible for the TeenSafe app. "We have taken action to close one of our servers to the public and begun alerting customers that could potentially be impacted," a TeenSafe spokesperson told ZDNet on Sunday. The information in the exposed database included the email addresses of parents who used TeenSafe, the Apple ID email addresses of their children, and children's device name and unique identifier. Plaintext passwords for the children's Apple ID were also among the data set, despite claims on the company's website that it uses encryption to protect customer data. Compounding the lax security is the app's requirement that two-factor authentication is turned off for the child's Apple account so that parents can monitor the phone without consent. This means a malicious actor could potentially access a child's

LocationSmart Bug Provided Easy Access to Real-Time Location Data of Millions of Phones

Robert Xiao, a computer science student at Carnegie Mellon, recently discovered a vulnerability in LocationSmart's website that made the real-time location of millions of phones readily available to anyone with the knowhow. For background, LocationSmart is a company that collects location data of mobile customers from major carriers, including Verizon, AT&T, Sprint, and T-Mobile in the United States, and then sells it to other companies for a range of purposes, including compliance, cybersecurity, and proximity marketing. Up until the vulnerability was discovered, LocationSmart offered a trial webpage that allowed anyone to enter their phone number, confirm the request via SMS or a phone call, and view their approximate real-time location.

[Image: LocationSmart's since-removed trial page, via Krebs on Security]

The problem, as Xiao discovered, was that the webpage had a bug that allowed anyone with the technical skills to bypass the phone number verification process and view the real-time location of any subscriber to most major carriers in the United States, in addition to Bell, Rogers, and Telus in Canada. In a blog post, Xiao said the bug essentially involves requesting the location data in JSON format, instead of the default XML format:

If you make the same request with requesttype=locreq.json, you get the full location data, without receiving consent. This is the heart of the bug. Essentially, this requests the location data in JSON format, instead of the default XML format. For some reason, this also suppresses the consent (“subscription”) check.

Upon discovering

Researchers Discover Vulnerabilities in PGP/GPG Email Encryption Plugins, Users Advised to Avoid for Now

A warning has been issued by European security researchers about critical vulnerabilities discovered in PGP/GPG and S/MIME email encryption software that could reveal the plaintext of encrypted emails, including encrypted messages sent in the past. The alert was put out late on Sunday night by professor of computer security Sebastian Schinzel. A joint research paper, due to be published tomorrow at 07:00 a.m. UTC (3:00 a.m. Eastern Time, 12:00 am Pacific) promises to offer a thorough explanation of the vulnerabilities, for which there are currently no reliable fixes.

There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://t.co/zJh2YHhE5q #efail 2/4 — Sebastian Schinzel (@seecurity) May 14, 2018

Details remain vague about the so-called "Efail" exploit, but it appears to involve an attack vector on the encryption implementation in the client software as it processes HTML, rather than a vulnerability in the encryption method itself. A blog post published late Sunday night by the Electronic Frontier Foundation said:

"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages."

In the meantime, users of PGP/GPG and S/MIME are being advised to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted

Russia Bans Access to Telegram Encrypted Messenger Service [Updated]

A Russian law court has ordered that access to the Telegram encrypted messaging service should be blocked, according to Russian news agencies on Friday (via Reuters). The development follows last week's news that Russia's media regulator had filed legal proceedings to block the app in the country because the company refused to enable state security services to access users' messages. The Telegram platform allows people to communicate with each other using end-to-end encryption, meaning no-one – not even Telegram – has access to messages sent between users. The app has over 200 million users globally. They include Kremlin staff, who use Telegram to coordinate conference calls with Vladimir Putin's spokesman. Many government officials also use the messenger app to communicate with media, according to Reuters.

When Reuters asked a person in the Russian government how they would operate without access to Telegram, the person, who asked not to be identified due to the sensitivity of the issue, replied by sending a screenshot of his mobile phone with an open VPN app.

Telegram becomes the second global network after LinkedIn to be blocked in Russia. In 2016, a court found LinkedIn guilty of violating a law that requires companies holding Russian citizens' data to store it on servers within Russia. Update 04/17: The Russian government has formally requested that Apple remove Telegram from its regional App Store in the country, reports Reuters. Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics,

'ProtonMail Bridge' Brings Encryption to Outlook, Thunderbird, and Apple Mail

Swiss-based encrypted email provider ProtonMail today announced Bridge, an app for premium account holders that aims to bring easy-to-use email encryption to desktop email clients like Outlook, Thunderbird, and Apple Mail.

One of our goals has always been to bring easy-to-use encrypted email to desktop. The problem is formidable. Desktop systems encompass multiple operating systems with dozens of popular email clients with their own adherents, and virtually none of them natively speak PGP, the email encryption standard upon which ProtonMail is built. Around two years ago, we created a small task force to tackle this challenge. Today, we are finally ready to present ProtonMail Bridge.

Basically, the downloadable Bridge app enables ProtonMail users to access their encrypted email accounts using their favorite email client, without compromising on the security provided by the end-to-end encrypted service, and without needing to modify their email application. At the same time, local copies of the emails are stored on the user's computer, allowing them to use the search features of their email client as normal. To achieve this, the Bridge app functions like a local IMAP/SMTP email server capable of communicating with the remote ProtonMail server to encrypt and decrypt incoming/outgoing messages locally. In this way, it translates end-to-end encrypted email data into a language that any email client can understand, thus "bridging" the gap between ProtonMail's end-to-end encryption and a user's standard email client. The Bridge app aims to fit right into email clients

Signal Encrypted Messenger 2.19 Update Finally Available Following App Store Hiccup

Encrypted messaging app Signal pushed out its v2.19 update late on Friday after a post-release 48-hour delay, owing to an App Store issue that Apple has now resolved. The update includes a number of new features and improvements, including full UI display support for iPhone X. After the update is applied, users will no longer see the "Load Earlier Messages" link within chat threads, because additional messages now appear automatically upon scrolling to the top of a conversation. In other improvements, a new simplified interface has been introduced to the Signal mobile app that aims to make sending photos, files, and GIFs easier and quicker. For example, attachment previews are now displayed directly in the message bar instead of on a separate confirmation screen. Adopting a design concept popularized by Facebook Messenger known as "Jumbomoji", emoji characters are now also visibly larger in Signal chat bubbles that don't contain any other text. Elsewhere, messages that fail to send have been made easier to spot and re-send, while a new "Tap for More" option should make navigating extremely long messages a more pleasant experience. The list of supported languages has also been expanded to include Burmese, Hebrew, and Persian, while users with an external keyboard linked to their device can now make use of new key combination shortcuts for sending messages (Shift + Enter, and Command + Enter). Apart from the above changes, Open Whisper Systems has revamped the layout code to improve performance and flexibility, so everything should feel smoother and more

$199 Wink Lookout Home Security Pack Bundles All-Wink Products for the First Time

Connected smart home company Wink on Tuesday announced its first home security bundle featuring all its own-brand products, rather than including compatible products made by other companies. The Wink Lookout set includes two open/close sensors for use on doors and windows, a motion sensor with pet sensitivity for placement anywhere in the home, a siren and chime alarm with built-in flashlight, and the unifying Wink hub. No subscription is required to use the products, which communicate through the hub and can be monitored using an updated Wink iOS app that features sensor-trip alerts, siren control, and an emergency services/trusted contact call option. The new Wink home security bundle costs $199, which is significantly cheaper than the similar Nest Guard at $499. The Wink Lookout set will be available from October 31 at Home Depot and on Amazon. Sensors can be picked up individually for $29, as can the home motion sensor and siren, which cost $39 each. The set includes free shipping in the U.S. backed by a 30-day return policy. (Via Engadget.)

FBI Unable to Retrieve Encrypted Data From 6,900 Devices Over the Last 11 Months

The United States Federal Bureau of Investigation was unable to retrieve data from 6,900 mobile devices that it attempted to access over the course of the last 11 months, reports the Associated Press. FBI Director Christopher Wray shared the number at an annual conference for the International Association of Chiefs of Police on Sunday. During the first 11 months of the current fiscal year, Wray says the 6,900 devices that were inaccessible accounted for half of the total devices the FBI attempted to retrieve data from. Wray called the FBI's inability to get into the devices a "huge, huge problem."

"To put it mildly, this is a huge, huge problem," Wray said. "It impacts investigations across the board -- narcotics, human trafficking, counterterrorism, counterintelligence, gangs, organized crime, child exploitation."

Wray did not specify how many of the 6,900 devices the FBI could not access were iPhones or iPads running a version of Apple's iOS operating system, but encryption has been an issue between Apple and the FBI since last year when the two clashed over the unlocking of an iPhone 5c owned by Syed Farook, one of the shooters in the December 2015 attacks in San Bernardino. The FBI took Apple to court in an attempt to force Apple to create a version of iOS that would disable passcode security features and allow passcodes to be entered electronically, providing the FBI with the tools to hack into the device. Apple refused and fought the court order, claiming the FBI's request could set a "dangerous precedent" with serious implications for the future of

Apple Says 'KRACK' Wi-Fi Vulnerabilities Are Already Patched in iOS, macOS, watchOS, and tvOS Betas

Apple has already patched serious vulnerabilities in the WPA2 Wi-Fi standard that protects many modern Wi-Fi networks, the company told iMore's Rene Ritchie this morning. The exploits have been addressed in the iOS, tvOS, watchOS, and macOS betas that are currently available to developers and will be rolling out to consumers soon.

[Image: A KRACK attack proof-of-concept from security researcher Mathy Vanhoef]

Disclosed just this morning by researcher Mathy Vanhoef, the WPA2 vulnerabilities affect millions of routers, smartphones, PCs, and other devices, including Apple's Macs, iPhones, and iPads. Using a key reinstallation attack, or "KRACK," attackers can exploit weaknesses in the WPA2 protocol to decrypt network traffic to sniff out credit card numbers, usernames, passwords, photos, and other sensitive information. With certain network configurations, attackers can also inject data into the network, remotely installing malware and other malicious software. Because these vulnerabilities affect all devices that use WPA2, this is a serious problem that device manufacturers need to address immediately. Apple is often quick to fix major security exploits, so it is not a surprise that the company has already addressed this particular issue. Websites that use HTTPS offer an extra layer of security, but an improperly configured site can be exploited to drop HTTPS encryption, so Vanhoef warns that this is not a reliable protection. Apple's iOS devices (and Windows machines) are not as vulnerable as Macs or devices running Linux or Android because the vulnerability

Major Wi-Fi Vulnerabilities Uncovered Put Millions of Devices at Risk, Including Macs and iPhones

Mathy Vanhoef, a postdoctoral researcher at Belgian university KU Leuven, has discovered and disclosed major vulnerabilities in the WPA2 protocol that secures all modern protected Wi-Fi networks. Vanhoef said an attacker within range of a victim can exploit these weaknesses using so-called KRACKs, or key reinstallation attacks, which can result in any data or information that the victim transmits being decrypted. Attackers can eavesdrop on network traffic on both private and public networks. As explained by Ars Technica, the primary attack exploits a four-way handshake that is used to establish a key for encrypting traffic. During the third step, the key can be resent multiple times. When it's resent in certain ways, a cryptographic nonce can be reused in a way that completely undermines the encryption. As a result, attackers can potentially intercept sensitive information, such as credit card numbers, passwords, emails, and photos. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites. Note that the attacks do not recover the password of any Wi-Fi network, according to Vanhoef. They also do not recover any parts of the fresh encryption key that is negotiated during the four-way handshake. Websites properly configured with HTTPS have an additional layer of protection, but an improperly configured site can be exploited to drop this encryption, so Vanhoef warned that it is not reliable protection. Since the vulnerabilities exist

Study Finds Significant Number of Macs Running Out-of-Date Firmware Susceptible to Critical Exploits

A new research paper from Duo Security, shared by Ars Technica, reveals that a significant number of Macs are running out-of-date EFI versions, leaving them susceptible to critical pre-boot firmware exploits. The security firm analyzed 73,324 Macs used in production environments and found that, on average, 4.2 percent of the systems were running the incorrect EFI version relative to the model and version of macOS or OS X installed. The percentage of incorrect EFI versions varies greatly depending on the model. The late 2015 21.5" iMac had the highest occurrence of incorrect EFI firmware, with 43 percent of systems running incorrect versions. EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. EFI operates at a lower level than both the operating system and hypervisors, providing attackers with a greater level of control.

Successful attack of a system's UEFI implementation provides an attacker with powerful capabilities in terms of stealth, persistence, and direct access to hardware, all in an OS and VMM independent manner.

Duo Security found that 47 models capable of running OS X Yosemite, OS X El Capitan, or macOS Sierra, for example, did not have an EFI security patch for the Thunderstrike exploit publicly disclosed nearly three years ago. The research paper noted that there seems to be something interfering with the way bundled EFI updates are installed alongside macOS, while some Macs never received EFI updates whatsoever, but it doesn't

Apple's Latest Transparency Report Shows Jump in National Security Requests

Apple this week released its latest transparency report [PDF] outlining government data requests received from January 1, 2017 to June 30, 2017. In the United States, Apple received 4,479 requests for 8,958 devices and provided data 80 percent of the time (in 3,565 cases). Worldwide, Apple received 30,814 requests for data from 233,052 devices and provided data 80 percent of the time (in 23,856 cases). Overall demands for data were slightly down compared to requests during the same time period last year, but Apple disclosed a much higher number of national security requests that include orders received under FISA and National Security Letters. According to Apple, to date, it has not received any orders for bulk data. Apple says it received 13,250 - 13,499 National Security Orders affecting 9,000 to 9,249 accounts. That’s up from 2,750 - 2,999 orders affecting 2,000 to 2,249 accounts received during the first half of 2016. Though Apple attempts to be as transparent as possible in its reports, the government does not allow the company to release specific details when it comes to the number of National Security requests received, instead requiring a number range to be provided to customers. Apple uses the narrowest range permissible by law. Apple lately has been making more of an effort to be clearer about the type of information governments around the world have asked for, and its last two reports, this one included, have been highly detailed. Along with the total number of device requests and National Security Orders, Apple also provides data on a

macOS High Sierra Automatically Performs Security Check on EFI Firmware Each Week

Mac users who upgrade to macOS High Sierra will benefit from a significant new security feature that works in the background. macOS High Sierra automatically checks a Mac's EFI firmware against Apple's database of "known good" data to ensure it hasn't been tampered with, according to a series of tweets from an Apple engineer. The tweets have since been deleted, but a summary remains available on the Mac blog The Eclectic Light Company.

The new utility eficheck, located in /usr/libexec/firmwarecheckers/eficheck, runs automatically once a week. It checks that Mac's firmware against Apple's database of what is known to be good. If it passes, you will see nothing of this, but if there are discrepancies, you will be invited to send a report to Apple.

If the check fails, a prompt will appear with options to "Send to Apple" or "Don't Send." The selection is remembered in subsequent weeks. The "eficheck" tool sends the binary data from the EFI firmware, and preserves user privacy by excluding data which is stored in NVRAM, according to The Eclectic Light Company. Apple will then be able to analyze the data to determine whether it has been altered by malware or anything else. The database's library will be automatically and silently updated so long as security updates are turned on. EFI, which stands for Extensible Firmware Interface, bridges a Mac's hardware, firmware, and operating system together to enable it to go from power-on to booting macOS. macOS High Sierra will be publicly released on the Mac App Store later

Hacker Releases Firmware Decryption Key for Apple's Secure Enclave

A hacker released what he claimed to be a firmware decryption key for Apple's Secure Enclave on Thursday, initially sparking fears that iOS security had been compromised. Apple's Secure Enclave Processor (SEP) handles all cryptographic operations for the Apple Watch Series 2, the A7 processor that powers the iPhone 5s, the iPad Air, the iPad mini 2 and 3, and subsequent A-series chips. The encrypted SEP is completely isolated from the rest of the system and handles Touch ID transactions, password verifications, and other security processes on a separate OS to maintain data protection integrity even if the kernel has been compromised. One of the ways the SEP does this is by generating a Unique ID (UID) for each device for authentication purposes. The UID automatically changes every time a device is rebooted and remains unknown to other parts of the system, further enhancing its security. Beyond that, little is known about how the SEP actually works outside of Apple, but that's by design – the enclave's isolation serves to obfuscate it from the rest of the system, preventing hackers from rifling through its code to make it as secure as possible.

key is fully grown https://t.co/MwN4kb9SQI use https://t.co/I9fLo5Iglh to decrypt and https://t.co/og6tiJHbCu to process — ~ (@xerub) August 16, 2017

The decryption key posted on GitHub yesterday would not enable hackers to access data stored inside the Secure Enclave, but it could allow hackers and security researchers to decrypt the firmware that controls it and potentially spot weaknesses in the code. Speaking to T

'Real People' Don't Need Encrypted Messaging Services, Claims U.K. Home Secretary

The U.K. home secretary Amber Rudd has argued that "real people" do not want secure end-to-end encryption on messaging platforms and are more concerned with usability and features than unbreakable security (via Yahoo News). Rudd made her case in a newspaper article, published ahead of a meeting today with technology companies in San Francisco, where she will warn tech giants that their services are being misused by terrorists. Writing in The Daily Telegraph, Rudd said:

"Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly user-friendly and cheap way of staying in touch with friends and family?

"So this is not about asking the companies to break encryption or create so-called 'back doors'.

"Companies are constantly making trade-offs between security and 'usability', and it is here where our experts believe opportunities may lie.

"Real people often prefer ease of use and a multitude of features to perfect, unbreakable security."

Rudd's comments were immediately criticized by privacy campaigners, with civil liberties organization Big Brother Watch calling her viewpoint "at best naïve, at worst dangerous". "Suggesting that people don't really want security from their online services is frankly insulting," said Renate Samson, chief executive of BBW. "What of those in society who are in dangerous or vulnerable situations, let alone those of us who simply want to protect our communications from breach, hack or cybercrime." "Once again the government are attempting to undermine the security of all in response to the

Encrypted Chat App Telegram to Remove Terrorist Content Following Ban Threat in Indonesia

Telegram is to form a team of moderators to remove terrorist-related content from the encrypted messaging platform in Indonesia, after the country's government threatened to ban the app. Indonesia's Ministry of Communications and Information Technology has already blocked access to the web version of the chat platform, citing concerns that it was being used to spread "radical and terrorist propaganda" in the country, according to Reuters. "This has to be done because there are many channels on this service that are full of radical and terrorist propaganda, hatred, ways to make bombs, how to carry out attacks, disturbing images, which are all in conflict with Indonesian law," the communications ministry said in a statement on its website. Telegram co-founder Pavel Durov said on Sunday that the service had blocked channels reported by the government and that it would take further action to remove the illegal content. "We are forming a dedicated team of moderators with knowledge of Indonesian culture and language to be able to process reports of terrorist-related content more quickly and accurately," Durov said in a Telegram post quoted by Associated Press. Telegram has been criticized by governments before for its use by terrorist groups to spread propaganda and recruit members. Last month Telegram agreed to provide basic information about the company to Russia after authorities threatened to block access to the service. Despite pressure from governments, Telegram's founders have refused to bow to demands for backdoors into the platform for authorities to access

Australia Proposes Law That Would Compel Tech Companies to Decrypt Messages

Australia on Friday proposed new laws that would require companies like Apple to provide law enforcement authorities with access to encrypted communications (via Reuters). Australia's proposed legislation will compel companies to help security agencies intercept and read messages sent by suspects. It appears to take cues from the U.K.'s Investigatory Powers Bill, which includes provisions that require technology companies to bypass encryption where technically feasible. "We need to ensure the internet is not used as a dark place for bad people to hide their criminal activities from the law," Australian Prime Minister Malcolm Turnbull told reporters in Sydney. "The reality is, however, that these encrypted messaging applications and voice applications are being used obviously by all of us, but they're also being used by people who seek to do us harm." The proposal will be introduced when parliament resumes in August and could be adopted within months, according to lawmakers. Other nations have said they will introduce similar laws. Apple, along with Facebook, Google, and other major tech companies, has historically opposed such law changes, which they say threaten online security protocols. For example, Apple claimed the U.K.'s recent bill would "weaken security" for millions of law-abiding customers. "The creation of backdoors and intercept capabilities would weaken the protections built into Apple products and endanger all our customers," Apple stated in December 2015. "A key left under the doormat would not just be there for the good guys. The bad guys