Category: Mobile

Why you should act like your CEO’s password is “qwerty”

A poor password at the highest levels of an organisation can cost a company millions in losses.

Recent findings show that half of IT leaders store passwords in shared documents. On top of that, it seems that folks at executive level are not picking good passwords either. Researchers from NordPass combed through a large list of CEO and business owner breaches. Their findings should renew considerations for additional security measures at executive level.

The findings

The five most common passwords among C-level executives, managers, and business owners were “123456”, “password”, “12345”, “123456789”, and our old friend “qwerty”. Terrifyingly, but perhaps not surprisingly, this looks exactly like every other list of the most frequently used passwords, suggesting no extra precautions are in place (or enforced) at the top.

Executives really love to use the names “Tiffany”, “Charlie”, Michael”, and “Jordan” for their passwords. I was curious to know if these are the names of executives’ name their kids. My entirely unscientific trawl for the names of CEO’s children turned up list of CEOs themselves. Henry, William, Jack, James, and David are all very popular names. This doesn’t match up with our list of password names. However, there is one list which claims that the Michaels of this world are most likely to become CEOs. Are CEOs naming their passwords after themselves? I’d like to think not, but then I probably wouldn’t have expected to be writing about “123456” either.

Animals and mythical creatures are popular choices. When not naming passwords after themselves, dragons and monkeys are both incredibly popular and also incredibly easy to guess.

Breaking and entering

Common ways corporate breaches and basic passwords spill all over the floor are issues we’ve covered at length. We recently highlighted recommendations from the Cybersecurity and Infrastructure Security Agency which deal with most of the causes of CEO password loss.

A combination of weak and reused passwords, and risky password-sharing habits make up the majority of hits on the “these passwords can lead to nothing good” indicator.

What happens when you combine bad password practices with human error and poor security infrastructure? These weak and obvious passwords just help to bring the whole thing crashing down that little bit faster.

There are some very smart attacks and compromises out there. Clever attackers can exfiltrate data from a network for weeks or months before making a more overt move. You’d expect people hijacking CEO data to be made to really work for it at every level. Sadly this research seems to suggest the opposite is happening in a lot of cases.

If nothing else, I’d love to see the actual response on the part of the criminals. What do they think when pulling down a C-Level executive’s data and discovering their email password is “sandwich”? Are they surprised? Is it business as usual? Do they think it can’t possibly be real, and they’re staring down the wrong end of a prank or law enforcement bust?

Is the CEO password sky falling? A word of caution…

There are some caveats here. The research doesn’t go into detail with regard to additional security measures in place. Yes, a CEO may have the worst password you’ve ever seen. That doesn’t mean the business has been popped right open.

Maybe they had two-factor authentication (2FA) set up. The password may be gone, but unless the attacker also has access to the CEO’s authentication app on their phone, it may not be much use. The CEO may use a hardware authentication token plugged into their desktop. Admins may have set up that one machine specifically for use by the CEO, for all CEO-related activity. It may not be usable remotely, and could be tied to a VPN an added precaution.

Having said all of that

Manager? Use a password manager

If we’re talking purely about fixing the short, terrible, obvious passwords, then some additional work is required. 2FA, lockouts, and hardware tokens are great. Ultimately they’re fixing a myriad of additional problems regardless of whether the password is good or bad.

To fix bad password practices, we need to look to tools which can improve them and help keep them a bit more secure at the same time. I am talking about password managers, of course.

A password manager is a software application that gets around the twin evils of poor passwords and password reuse by creating strong, random passwords and then remembering them.

They can function online, so they are accessible via the web and can sync passwords between devices, or they can work entirely offline. Offline password managers are arguably more secure. Online components can add additional risk factors and a way for someone to break in via exploits. The important part is to keep the master password to access your vault secure, and to use 2FA if available for an additional layer of protection. Make your master password long and complex—don’t use “qwerty”.

Password managers with browser extensions can help deter phishing. Your password manager will object to entering a password into the wrong website, no matter how convincing it looks. No more risk of accidental logins!

Some password manager tools allow you to share logins with other users in a secure fashion. They don’t show or display the password to the other users, rather they just grant a form of access managed by the tool or app itself. If your CEO has no option but to share a password with somebody else, this is the only safe way to do it.

There’s never been a better time to wean ourselves away from shared password documents and the name “Michael” as the digital keys to an organisation’s kingdom. It’s perhaps time for CEOs and other executives to lead from the front where security is concerned.

Source :
https://blog.malwarebytes.com/malwarebytes-news/2022/05/why-you-should-act-like-your-ceos-password-is-querty/

General Motors suffers credential stuffing attack

American car manufacturer General Motors (GM) says it experienced a credential stuffing attack last month. During the attack customer information and reward points were stolen.

The subject of the attack was an online platform, run by GM, to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills, services, and redeem rewards points.

Credential stuffing

Credential stuffing is a special type of brute force attack where the attacker uses existing username and password combinations, usually ones that were stolen in a data breach on another service.

The intention of such an attack is not to take over the website or platform, but merely to get as many valid user account credentials and use that access to commit fraud, or sell the valid credentials to other criminals.

To stop a target from just blocking their IP address, an attacker will typically use rotating proxies. A rotating proxy is a proxy server that assigns a new IP address from the proxy pool for every connection.

The attack

GM disclosed that it detected the malicious login activity between April 11 and April 29, 2022, and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

The My GM Rewards program allows members to earn and redeem points toward buying or leasing a new GM vehicle, as well as for parts, accessories, paid Certified Service, and select OnStar and Connected Services plans.

GM says it immediately investigated the issue and notified affected customers of the issues.

Victims

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

GM specifically pointed out that the credentials used in the attack did not come from GM itself.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

Stolen information

Attackers could have accessed the following Personally Identifiable Information (PII) of a compromised user:

  • First and last name
  • Email address
  • Physical address
  • Username and phone number for registered family members tied to the account
  • Last known and saved favorite location information
  • Search and destination information

Other information that was available was car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and currently subscribed OnStar package (if applicable).

GM is offering credit monitoring for a year.

Mitigation

What could GM have done to prevent the attack? It doesn’t currently offer multi-factor authentication (MFA)which would have stopped the attackers from gaining access to the accounts. GM does ask customers to add a PIN for all purchases.

This incident demonstrates how dangerous it is to re-use your passwords for sites, services and platforms. Even if the account doesn’t seem that important to you, the information obtainable by accessing the account could very well be something you wish to keep private.

Always use a different password for every service you use, and consider using a password manager to store them all. You can read some more of our tips on passwords in our blog dedicated to World Password Day.

Stay safe, everyone!

Source :
https://blog.malwarebytes.com/reports/2022/05/general-motors-suffers-credential-stuffing-attack/

Zero trust network access (ZTNA) versus remote access VPN

Remote access VPN has long served us well, but the recent increase in remote working has cast a spotlight on the limitations of this aging technology.Written by Tejas KashyapMAY 20, 2022PRODUCTS & SERVICESZTNA

Remote access VPN has been a staple of most networks for decades, providing a secure method to remotely access systems and resources on the network. However, VPN was developed to mimic the experience of being in the office. Once you’re in, you’ve got broad access to everything.

Zero trust network access (ZTNA), on the other hand, can be summed up in four words: trust nothing, verify everything. It’s based on the principle that any connection to your network should be treated as hostile until it’s been authenticated, authorized, and granted access to resources.

Simply put: with virtual private networking (VPN), you’re providing broad network access. With ZTNA, you’re providing specific application access.

Traditional remote access VPN vs. ZTNA

There are several differences between traditional remote access VPN and ZTNA. Here are some important ones, covering trust, device health, administration, and more.

Trust

With remote access VPN, users are implicitly trusted with broad access to resources, which can create serious security risks.

ZTNA treats each user and device individually so that only the resources that user and device are allowed to access are made available. Instead of granting users complete freedom of movement on the network, individual tunnels are established between the user and the specific gateway for the application they’re authorized to access – and nothing more.

Device health

Remote access VPN has no awareness of the health state of a connecting device. If a compromised device connects via VPN, it could affect the rest of the network.

ZTNA integrates device compliance and health into access policies, giving you the option to exclude non-compliant, infected, or compromised systems from accessing corporate applications and data. This greatly reduces the risk of data theft or leakage.

Remote connections

Remote access VPN provides a single point-of-presence on the network, which means a potentially inefficient backhauling of traffic from multiple locations, datacenters, or applications through the remote access VPN tunnel.

ZTNA functions equally well and securely from any connection point, be it home, hotel, coffee shop, or office. Connection management is secure and transparent regardless of where the user and device are located, making it a seamless experience no matter where the user is working.

ZTNA is also a great way to ensure greater security controls during Remote Desktop Protocol (RDP) sessions. Known challenges with RDP include exposed default ports, no support for multi-factor authentication (MFA), broad network access, and of course security vulnerabilities. RDP server vulnerabilities and mistakenly-open RDP connections can be directly exploited by attackers, who leverage such exploits to identify themselves as trusted RDP users. With ZTNA, such users would be treated as hostile by ZTNA authentication features.

Visibility

Remote access VPN is unaware of the traffic and usage patterns it is facilitating, making visibility into user activity and application usage more challenging.

Since ZTNA access is micro-segmented, it can offer increased visibility into application activity. This makes monitoring application status, capacity planning, and licensing management and auditing much easier.

User experience

Remote access VPN clients are notorious for offering a poor user experience, adding latency or negatively impacting performance, suffering from connectivity issues, and generally being a burden on the helpdesk.

ZTNA provides a frictionless, seamless end-user experience by automatically establishing secure connections on demand. This is all done behind the scenes, so most users won’t even be aware of the ZTNA solution that’s helping protect their data.

Administration

Remote access VPN clients are difficult to set up, deploy, enroll new users, and decommission departing users. VPN is also challenging to administer on the firewall or gateway side, especially with multiple nodes, firewall access rules, IP management, traffic flows, and routing. It quickly becomes a full-time job.

ZTNA solutions are often much leaner, cleaner, and easier to deploy and manage. They’re also more agile in quickly changing environments with users, apps, and devices coming and going – making day-to-day administration quick and painless.

What to look for in a ZTNA solution

Be sure to consider these important capabilities when comparing ZTNA solutions from different vendors:

Cloud-delivered, cloud-managed

Cloud management offers tremendous benefits: being able to get up and running quickly, reduced management infrastructure, easy deployment and enrollment, and instant, secure access from anywhere on any device.

Integration with your other cybersecurity solutions

While most ZTNA solutions can work perfectly fine as standalone products, there are significant benefits from having a solution that is tightly integrated with your other cybersecurity products, such as your firewalls and endpoints. A common, integrated cloud management console can be a force multiplier for reducing training time and day-to-day management overhead.

It can also provide unique insights across your various IT security products, especially if they share telemetry. This can dramatically bolster security and offer real-time response when a compromised device or threat gets on the network.

User and management experience

Make sure the solution you’re considering offers both an excellent end-user experience as well as easy administration and management. With more users working remotely, enrollment and efficient device setup is critical when it comes to getting new users productive as quickly as possible.

Be sure to pay attention to how the ZTNA agent is deployed and how easy it is to add new users to policies. Also ensure the solution you’re investing in offers a smooth, frictionless experience for end users. It should also provide visibility into application activity to help you be proactive in identifying peak load, capacity, license usage, and even application issues.

Sophos ZTNA

Sophos ZTNA has been designed from the start to make zero trust network access easy, integrated, and secure.

It’s cloud-delivered, cloud-managed, and integrated into Sophos Central, the world’s most trusted cybersecurity platform. From Sophos Central, you can not only manage ZTNA, but also your Sophos firewalls, endpoints, server protection, mobile devices, cloud security, email protection, much more.

Sophos ZTNA is also unique in that it integrates tightly with both Sophos Firewall and Sophos Intercept X-protected endpoints to share real-time device health between the firewall, device, ZTNA, and Sophos Central to automatically respond to threats or non-compliant devices. It acts like a round-the-clock administrator, automatically limiting access and isolating compromised systems until they’re cleaned up.

Sophos customers agree that the time saving benefits of a fully integrated Sophos cybersecurity solution are enormous. They say that using the Sophos suite of products together for automatic threat identification and response is like doubling the size of their IT team. Of course, Sophos ZTNA will work with any other vendor’s security products, but it’s unique in working better together with the rest of the Sophos ecosystem to provide tangible real-world benefits to visibility, protection, and response.

Visit Sophos.com/ZTNA to learn more or try it for yourself.

Source :
https://news.sophos.com/en-us/2022/05/20/zero-trust-network-access-ztna-versus-remote-access-vpn/

New in SecureX: Device Insights

Since its release, Cisco SecureX has helped over 10,000 customers gain better visibility into their infrastructure. As the number of devices in many customer environments continues to increase, so does the number of products with information about those devices. Between mobile device managers (MDM), posture agents, and other security products, a wealth of data is being collected but is not necessarily being shared or, more importantly, correlated. With the new device insights feature in Cisco SecureX, now available for all SecureX customers, we’re changing that.

Introducing Device Insights

Device insights, which is now generally available, extends our open, platform approach to SecureX by allowing you to discover, normalize, and consolidate information about the devices in your environment. But this isn’t just another dashboard pulling data from multiple sources. Device insights fetches data from sources you might expect, like your mobile device manager, but also leverages the wealth of data available in your Cisco Secure products such as Cisco Secure Endpoint, Orbital, Duo, and Umbrella. Combining these sources of data allows you to discover devices that may be sneaking through gaps in your normal device management controls and gain a comprehensive view into each device’s security posture and management status. With device insights, you’ll be able to answer these all-important questions:

  • What types of devices are connected in our environment?
  • What users have been accessing those devices?
  • Where are those devices located?
  • What vulnerabilities are associated with each device?
  • Which security agents are installed?
  • Is the security software is up to date?
  • What context do we have from technologies beyond the endpoint?

Supported Data Sources

Now, you might ask: what types of data can I bring into device insights? When we created SecureX, we built a flexible architecture based on modules that anyone can create. Device insights extends this architecture by adding a new capability to our module framework. Here’s a look at what data sources will be supported at launch:

Bringing Everything Together

Once you’ve enabled your data sources, device insights will periodically retrieve data from each source and get to work. Some sources can also publish data in real time to device insights using webhooks. We normalize all of the data and then correlate it between sources so you have one view into each of your devices, not a mess of duplicate information. This results in a single, unified dashboard with easy filtering, a high level view into your environment, and a customizable table of devices (which you can export too!). To see more information about a device, just click on one and you’ll see everything device insights knows, including which source provided which data.

screenshot: SecureX device status dashboard
screenshot: SecureX device detail view

Getting Started

To get started with device insights, simply log into Cisco SecureX and click the new Insights tab! For more information about device insights, check out these resources:

High-Severity Bug Reported in Google’s OAuth Client Library for Java

Google last month addressed a high-severity flaw in its OAuth client library for Java that could be abused by a malicious actor with a compromised token to deploy arbitrary payloads.

Tracked as CVE-2021-22573, the vulnerability is rated 8.7 out of 10 for severity and relates to an authentication bypass in the library that stems from an improper verification of the cryptographic signature.

Credited with discovering and reporting the flaw on March 12 is Tamjid Al Rahat, a fourth-year Ph.D. student of Computer Science at the University of Virginia, who has been awarded $5,000 as part of Google’s bug bounty program.

“The vulnerability is that the IDToken verifier does not verify if the token is properly signed,” an advisory for the flaw reads.

“Signature verification makes sure that the token’s payload comes from a valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side.”

The open-source Java library, built on the Google HTTP Client Library for Java, makes it possible to obtain access tokens to any service on the web that supports the OAuth authorization standard.

Google, in its README file for the project on GitHub, notes that the library is supported in maintenance mode and that it’s only fixing necessary bugs, indicative of the severity of the vulnerability.

Users of the google-oauth-java-client library are recommended to update to version 1.33.3, released on April 13, to mitigate any potential risk.

Source :
https://thehackernews.com/2022/05/high-severity-bug-reported-in-googles.html

Researchers Find Potential Way to Run Malware on iPhone Even When it’s OFF

A first-of-its-kind security analysis of iOS Find My function has identified a novel attack surface that makes it possible to tamper with the firmware and load malware onto a Bluetooth chip that’s executed while an iPhone is “off.”

The mechanism takes advantage of the fact that wireless chips related to Bluetooth, Near-field communication (NFC), and ultra-wideband (UWB) continue to operate while iOS is shut down when entering a “power reserve” Low Power Mode (LPM).

While this is done so as to enable features like Find My and facilitate Express Card transactions, all the three wireless chips have direct access to the secure element, academics from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt said in a paper entitled “Evil Never Sleeps.”

“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.

“Since LPM support is implemented in hardware, it cannot be removed by changing software components. As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model.”

The findings are set to be presented at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022) this week.

The LPM features, newly introduced last year with iOS 15, make it possible to track lost devices using the Find My network even when run out of battery power or have been shut off. Current devices with Ultra-wideband support include iPhone 11, iPhone 12, and iPhone 13.

A message displayed when turning off iPhones reads thus: “iPhone remains findable after power off. Find My helps you locate this iPhone when it is lost or stolen, even when it is in power reserve mode or when powered off.”

Malware

Calling the current LPM implementation “opaque,” the researchers not only sometimes observed failures when initializing Find My advertisements during power off, effectively contradicting the aforementioned message, they also found that the Bluetooth firmware is neither signed nor encrypted.

By taking advantage of this loophole, an adversary with privileged access can create malware that’s capable of being executed on an iPhone Bluetooth chip even when it’s powered off.

However, for such a firmware compromise to happen, the attacker must be able to communicate to the firmware via the operating system, modify the firmware image, or gain code execution on an LPM-enabled chip over-the-air by exploiting flaws such as BrakTooth.

Put differently, the idea is to alter the LPM application thread to embed malware, such as those that could alert the malicious actor of a victim’s Find My Bluetooth broadcasts, enabling the threat actor to keep remote tabs on the target.

“Instead of changing existing functionality, they could also add completely new features,” SEEMOO researchers pointed out, adding they responsibly disclosed all the issues to Apple, but that the tech giant “had no feedback.”

With LPM-related features taking a more stealthier approach to carrying out its intended use cases, SEEMOO called on Apple to include a hardware-based switch to disconnect the battery so as to alleviate any surveillance concerns that could arise out of firmware-level attacks.

“Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates,” the researchers said. “Thus, it has a long-lasting effect on the overall iOS security model.”

“Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation.”

Source :
https://thehackernews.com/2022/05/researchers-find-way-to-run-malware-on.html

Portless iPhones will be the future for most, but USB-C iPhones still make sense

Apple has long been expected to transition to fully portless iPhones at some point, and for most users that makes perfect sense. But we’re seeing growing reports that the iPhone maker is first going to switch from Lightning to USB-C, and that raises a key question.

Is USB-C just a brief interim stage before iPhones go fully wireless, or do USB-C iPhones have a longer future … ?

Recent reports

Two recent reports suggest that Apple plans to switch to a USB-C iPhone port next year. Ming-Chi Kuo made the initial report, before Bloomberg corroborated.

Note that neither report means this is definitely happening. Kuo based his on supply-chain reports, and we noted at the time the uncertainties regarding these.

Apple likes to have multiple suppliers wherever possible, to allow it to negotiate better prices, and to reduce risk. If, for example, a major supplier of Lightning ports were to report Apple was planning to cut orders next year, that could mean nothing more than a rejigging of competing suppliers.

Similarly, USB-C suppliers talking about expecting a major boost in orders next year might again simply be Apple or other companies increasing orders with some suppliers while reducing them with others.

Bloomberg’s report was instead based on internal testing of a USB-C iPhone. I’m sure that report is accurate, but again, it doesn’t amount to proof. There is precisely a 100% chance that there have been USB-C iPhone prototypes within Apple’s labs for years now. Does ‘testing’ mean simply experimenting with these, or something on a more formal and larger scale?

However, both sources seem reasonably confident in their predictions, so let’s assume for now that they are correct. What does this mean for the future of iPhone ports? Here are my brief thoughts.

It would be an overdue move

I’m a big fan of port standardization in general, and of USB-C in particular. My ideal is a day when absolutely all wired connections are USB-C to USB-C, and I can finally ditch five of the six trays of cables I have, not to mention the additional one with assorted adapters.

I was a bit skeptical of Kuo’s report for this reason. While I’d welcome it, my immediate question was ‘why now?’. Apple started the switched to USB-C in the Mac back in 2016, and the iPad in 2018, so why wait another four years before the iPhone belatedly follows suit?

In particular, if Apple is heading toward portless iPhones, why go through the disruption now of a wired port change that would last for perhaps two or three years before a fully wireless iPhone?

If the reports are accurate, this is a very overdue move.

Most will be happy with portless iPhones

One possible explanation for the latter point is simply that the portless reports aren’t true, and Apple plans to stick with a wired charging and data-transfer connection option for the foreseeable future. However, I don’t buy that, for several reasons.

First, a portless iPhone is absolutely in line with Apple’s design direction. Sure, things have changed a little since Jony Ive left, but I do believe that his “single slab of glass” vision is Apple’s ultimate goal.

Second, eliminating a port reduces manufacturing cost and complexity. This, too, is absolutely in line with the company’s ethos – as the removal of the headphone jack demonstrated.

Third, removing the port improves reliability. It takes away the biggest entry point for dust and water, which will likely significantly boost the waterproofing standard. Additionally, it ends the fraying Lightning cable issue!

Finally, most iPhone owners don’t need a port – and even fewer will do so in the future. Few iPhone owners ever do any wired data-transfer, and most people can get their charging needs met through overnight wireless charging. For top-up charges, we’re seeing a growing number of wireless charging pads in cars, coffee shops, hotels, airports, offices … you name it. This trend will only continue. Same for power banks with MagSafe charging capabilities.

But there are still people who need a wired port

Apple cannot have things both ways: argue that the iPhone is a suitable camera for professional video use (albeit mostly as a B-cam or C-cam) while at the same time removing the only practical way to transfer significant amounts of 4K (and later 8K) video footage.

If you’re using an iPhone for pro video shoots, a wired port is a necessity, and USB-C is much better than Lightning.

Similarly, there will be a minority of people for whom wireless charging isn’t practical. If you are a really heavy iPhone user, and need to go significant periods between charges, then the faster speed of wireless charging may be a necessity rather than a luxury.

So there will always be some who need a wired connection (at least until wireless charging and wireless data transfer offer speed much closer to wired connections), even if they are a minority.

What’s my best guess?

I can see one of two things happening, at the point where Apple feels ready to make the change to portless iPhones.

First, the standard iPhone model(s) go portless, while the Pro models retain a wired port. This would make for a worthwhile point of differentiation for more serious iPhone users, while the vast majority of consumers will remain happy with wireless charging and AirDrop.

Or second, have the iPhone Pro Max be the only model to continue to offer a USB-C port. This would again be consistent with certain features being exclusive to the largest and most expensive model – like sensor shift and 2.5x optional zoom being exclusive to the iPhone 12 Pro Max.

I think Apple could probably take the second approach without upsetting too many people. Videographers are likely to appreciate the larger screen of the Pro Max, while anyone needing to push battery usage to the limits will obviously be buying the Pro Max for its longer battery life. So the two groups who most benefit from a wired port are already likely to choose the top-end model.

So that’s my bet. Sometime within the next few years, all but the iPhone Pro Max go portless, while the Pro Max gets or keeps a USB-C port. What’s your view? Please take our poll and share your thoughts in the comments.

Source :
https://9to5mac.com/2022/05/16/portless-iphones-usb-c-iphones/

Apple releases iOS 15.5 with enhancements to Apple Cash and Podcasts app

Apple on Monday released iOS 15.5 and iPadOS 15.5 to the public following the release of the RC build last week. The update doesn’t bring significant changes, but it does improve the Apple Cash and Podcasts app.

iOS 15.5 new features

Apple says that iOS 15.5 makes enhancements to Apple Cash, with support for more easily requesting and sending money from the Apple Cash card in the Wallet app. There’s also a new feature in Apple Podcasts to help preserve your iPhone’s storage space and some bug fixes for HomeKit. 

Here are the full release notes for iOS 15.5 according to Apple: 

iOS 15.5 includes the following improvements and bug fixes:

  • Wallet now enables Apple Cash customers to send and request money from their Apple Cash card
  • Apple Podcasts includes a new setting to limit episodes stored on your iPhone and automatically delete older ones
  • Fixes an issue where home automations, triggered by people arriving or leaving, may fail

Here are some other changes in iOS 15.5 we’ve spotted so far, not mentioned in Apple’s release notes: 

You can update your devices by going to the Settings app, then General > Software Update. Check out Apple’s website for more details about the security patches included with iOS 15.5.

It’s unclear whether this update will be the last before the first iOS 16 beta, which should arrive shortly after WWDC 2022 in June.

Source :
https://9to5mac.com/2022/05/16/apple-releases-ios-15-5-with-enhancements-to-the-apple-cash-and-podcasts-app/

USB-C iPhone 15 in the works, claims Kuo, following supply-chain survey

The only examples of a USB-C iPhone we’ve seen to date have been DIY versions, but Ming-Chi Kuo claims that Apple will make the switch from Lightning to USB-C next year, in the iPhone 15.

The report comes as something of a surprise, as although Apple has adopted USB-C for Mac and iPad, it had seemed the company planned to stick with Lightning until it switches to a completely portless phone …

Background

Apple began its adoption of USB-C for Macs back in 2015, with the 12-inch MacBook. It then went all-in with the 2016 MacBook Pro, before backtracking a little last year by restoring MagSafe, HDMI and SD card slots.

The iPad made the switch from Lightning to USB-C in 2018, with the 11-inch and 12.9-inch iPad Pro models.

That left the iPhone as the sole core Apple product with a Lightning socket. Since the iPhone retained the older connector for years after the Mac and iPad adoption of USB-C, the consensus view appeared to be that it would continue to do so until the first portless model.

USB-C iPhone 15 report

Apple analyst Ming-Chi Kuo tweeted today that Apple will make the switch to USB-C for iPhone in the second half of next year, which is to say the iPhone 15.

My latest survey indicates that 2H23 new iPhone will abandon Lightning port and switch to USB-C port. USB-C could improve iPhone’s transfer and charging speed in hardware designs, but the final spec details still depend on iOS support.

It’s expected to see existing USB-C-related suppliers of Apple’s ecosystem (e.g., IC controller, connector) become the market’s focus in the next 1-2 years, thanks to vast orders from iPhones and accessories’ adoption of USB-C ports.

The reference to USB-C suppliers benefiting for ‘1-2 years’ may indicate that Kuo then anticipates Apple will drop the port altogether.

9to5Mac’s Take

This is a somewhat odd report. Apple made the switch to USB-C iPads in back 2018, so if it planned to do with the iPhone too, we would have expected that to have happened by now.

It should be noted that although Kuo has a decent track record, he has more recently taken to tweeting simply thoughts or opinions about what Apple might do, rather than anything based on evidence. However, this tweet does specifically say that it’s based on his ‘latest survey,’ which means talking to suppliers.

Supply-chain reports can be of varying reliability. Apple likes to have multiple suppliers wherever possible, to allow it to negotiate better prices, and to reduce risk. If, for example, a major supplier of Lightning ports were to report Apple was planning to cut orders next year, that could mean nothing more than a rejigging of competing suppliers.

Similarly, USB-C suppliers talking about expecting a major boost in orders next year might again simply be Apple or other companies increasing orders with some suppliers while reducing them with others.

Kuo does seem confident in his interpretation of what he’s hearing from suppliers. It’s entirely possible that he’s right, but we wouldn’t count on it yet.

Source :
https://9to5mac.com/2022/05/11/usb-c-iphone-15/

Android and Chrome Users Can Soon Generate Virtual Credit Cards to Protect Real Ones

Google on Wednesday took to its annual developer conference to announce a host of privacy and security updates, including support for virtual credit cards on Android and Chrome.

“When you use autofill to enter your payment details at checkout, virtual cards will add an additional layer of security by replacing your actual card number with a distinct, virtual number,” Google’s Jen Fitzpatrick said in a statement.

The goal, the search giant, said to keep payment information safe and secure during online shopping and protect users from skimming attacks wherein threat actors inject malicious JavaScript code to plunder credit card numbers and sell them on the black market.

The feature is expected to roll out in the U.S. for Visa, American Express, Mastercard, and Capital One cards starting this summer.

Interestingly, while Apple offers an option to mask email addresses via Hide My Email, which enables users to create unique, random email addresses to use with apps and websites, it’s yet to offer a similar option for creating virtual credit cards.

The development comes a week after Google, Apple, and Microsoft banded together to accelerate support for a common passwordless sign-in standard that allows “websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.”

Additionally, Google said it’s expanding phishing protections in Google Workspace to Docs, Slides and Sheets, and that it plans to debut a new “My Ad Center” later this year to give users more control over personalized ads on YouTube, Search, and Discover feed.

What’s more, users would be able to request personally identifiable information such as email, phone number, or home address to be removed from search results through a new tool that will be accessible from the Google App.

Also coming is a new Account Safety Status setting that will “feature a simple yellow alert icon on your profile picture that will flag actions you should take to secure your account.”

Other key privacy and security features unveiled at Google I/O 2022 include support for end-to-end encryption for group conversations in the Messages app for Android and the availability of on-device encryption for Google Password Manager.

Source :
https://thehackernews.com/2022/05/blog-post.html

Exit mobile version