How to make your Mac private and secure

MacOS is an inherently secure and private operating system, but that doesn’t mean there’s nothing you can do to ensure that it’s as safe and private as possible. Here’s how to make your Mac private and secure in a few different ways.

Lock down administrator accounts

MacOS allows multiple user accounts to be set up on a single Mac. That’s a real convenience, especially if you share a machine with family members or colleagues.

However, not all user accounts are the same, and there’s one step you should take to limit access to your Mac’s settings: Make sure you only have one administrator account. Administrator accounts, as opposed to regular accounts, can do anything on a Mac. They can manage other user accounts, including changing their passwords. They can install software and change all system settings, including security and privacy settings.

You only need one account with that level of control. In fact, it’s not a bad idea to create a separate account just for administrative purposes. That account should have some name other than “admin” or “administrator” to make it more difficult for a hacker to guess the username, too.

Step 1: To change an account’s security level, open System Preferences > Users & Groups.

Mark Coppock/Digital Trends

Step 2: To make any changes to an account, you will first need to unlock the account. Select Click the lock to make changes and then enter the password for the current account. Note that you’ll need to be using an administrator account to make these changes.

Unlocking the account settings in MacOS.

Step 3: Select the account that you want to enable or disable administrator privileges for. To enable administrator privileges, select Allow user to administer this computer. If the account already has administrator privileges and you want to remove them, then uncheck this setting.

Once you’ve finished, select Click the lock to prevent further changes.

Enable or disable administrator rights in MacOS.

Manage your Mac’s idle time

Leaving your Mac unattended and logged in can present a security problem. That’s why it’s a good idea to make sure that your Mac locks itself after a period of time and requires logging in from sleep or when the screen saver is running.

Note that you can use the MacOS Hot Corners feature to immediately lock your Mac. Check out our guide on how to use MacOS Hot Corners to learn more.

Step 1: To set your Mac to log out after some time, select System Preferences, Security & Privacy, then the General tab. Unlock the page using Click the lock to make changes. Select Advanced… in the lower right corner.

On the following screen, you can select Log out after and specify how many minutes of inactivity to wait before logging out.

Log out MacOS after specified time.

Step 2: Another option to increase security is to require a password after the laptop goes to sleep or after the screen saver runs. You can choose a timeframe from immediately up to eight hours later.

In System Preferences > Security & Privacy > General, you’ll find the option to configure this security setting. You can also set a lock message from the same screen.

Require login after sleep or screen saver in MacOS.

Turn on the MacOS firewall

MacOS has a built-in firewall that can be turned on to block unwanted incoming connections. The firewall is turned off by default.

Step 1: To turn on the firewall, open System Preferences then Security & Privacy. Select the Firewall tab and unlock the settings. Select Turn on Firewall.

Turn on MacOS firewall.

Step 2: Select Firewall Options… to configure the firewall. You can block all incoming connections except those required for basic internet services, automatically allow the built-in software to receive connections, automatically allow downloaded signed software to receive connections, and enable stealth mode so the Mac doesn’t respond to probes from network test applications.

Configure MacOS firewall settings.

Turn on FileVault

MacOS has built-in disk encryption, called FileVault, that makes it nearly impossible for someone to access your data without logging in to your Mac. If it’s not enabled by default, you should turn FileVault on as one of your first tasks when setting up your Mac.

Step 1: To turn FileVault on, open System Preferences and then Security & Privacy and select the FileVault tab. Select Turn on FileVault…

You will be presented with the option to either use your iCloud account to unlock your disk or create a recovery key. Using your iCloud account is more convenient and helps avoid the possibility of losing your recovery key.

Once you’ve set your options, select Continue.

Turn on MacOS FileVault.

Step 2: The disk will be encrypted and the progress reported in the window. Once it’s completed, you’ll receive a notification that a recovery key has been set and that encryption has finished.

MacOS FileVault encryption finished.

Configure access to built-in services

You can allow various applications and services to access the built-in features and services in MacOS or disallow them for added privacy.

To configure your privacy settings, open System Preferences, then Security & Privacy. Select the Privacy tab. Unlock the settings to make changes.

You’ll see a list of services on the left, and then a list of applications and services that can access each one on the right. You can allow or disallow access to each service as required.

Configure MacOS privacy settings.

Control which apps can be installed

You can install apps on your Mac from both the App Store and from third-party developers. MacOS lets you control whether third-party apps can be installed.

To allow or disallow third-party apps, open System Preferences, then Security & Privacy. Unlock the settings to allow changes.

Under Allow apps downloaded from:, select either just the App Store or both the App Store and identified developers.

Allow third-party apps in MacOS.

Automatically update your Mac

MacOS can automatically install various application and system updates, but that’s not enabled by default. Turning on automatic updates, particularly for security updates, helps keep your Mac protected from malicious actors.

Step 1: To turn on automatic updates, open System Preferences, then Software Update. Check Automatically keep my Mac up to date to turn on automatic updates. You will need to authenticate to make the change.

Turn on MacOS automatic updates.

Step 2: You can specify which updates to automatically install by selecting Advanced…. You can configure MacOS to automatically check for updates, download new updates when available so that they’re ready to install, automatically install MacOS updates, automatically update apps installed from the App Store, and automatically install system data files and security updates.

At the very least, you should turn on automatic updates of system data files and security updates. These can arrive at any time and need to be installed as quickly as possible. Letting MacOS install them automatically means that they’ll be installed as soon as Apple makes them available.
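The settings covered in this guide can also be checked from Terminal. The script below is an added example, not part of the original article: it reads the admin group, firewall, FileVault, app-install policy (Gatekeeper) and Software Update state with the built-in dscl, socketfilterfw, fdesetup, spctl and defaults tools, and changes nothing. The function names and the sample output strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only check of the settings described in this guide.
# Each parser takes a tool's output as its argument, so it can be tried on
# constructed samples as well as on a live Mac.

# Non-root members of the local "admin" group.
# $1 = output of: dscl . -read /Groups/admin GroupMembership
admin_accounts() {
    admins=""
    for u in ${1#GroupMembership:}; do
        [ "$u" = "root" ] || admins="${admins:+$admins }$u"
    done
    printf '%s' "$admins"
}

count_words() { echo "$#"; }

# $1 = output of: socketfilterfw --getglobalstate
firewall_on() { case "$1" in *"Firewall is enabled"*) return 0 ;; *) return 1 ;; esac; }

# $1 = output of: fdesetup status
filevault_on() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# $1 = output of: spctl --status (Gatekeeper, the app-install policy)
gatekeeper_on() { case "$1" in *"assessments enabled"*) return 0 ;; *) return 1 ;; esac; }

# $1 = value printed by `defaults read` for a Software Update key.
# An empty value means the key is not set, so the system default applies.
update_pref_state() {
    case "$1" in
        1) echo "on" ;;
        0) echo "off" ;;
        "") echo "unset" ;;
        *) echo "unknown" ;;
    esac
}

report() { printf '%-40s %s\n' "$1" "$2"; }

check() {  # $1 = label, $2 = parser function, $3 = tool output
    if "$2" "$3"; then
        report "$1" "PASS"
    else
        report "$1" "FAIL"
        fails=$((fails + 1))
    fi
}

audit_mac() {
    fails=0
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    su_plist=/Library/Preferences/com.apple.SoftwareUpdate

    admins=$(admin_accounts "$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)")
    if [ "$(count_words $admins)" -eq 1 ]; then
        report "Exactly one admin account" "PASS ($admins)"
    else
        report "Exactly one admin account" "FAIL ($admins)"
        fails=$((fails + 1))
    fi

    check "Firewall enabled" firewall_on "$("$fw" --getglobalstate 2>/dev/null)"
    check "FileVault enabled" filevault_on "$(fdesetup status 2>/dev/null)"
    check "Gatekeeper assessments enabled" gatekeeper_on "$(spctl --status 2>&1)"

    # Check for updates, security updates, and system data files.
    for key in AutomaticCheckEnabled CriticalUpdateInstall ConfigDataInstall; do
        state=$(update_pref_state "$(defaults read "$su_plist" "$key" 2>/dev/null)")
        report "Software Update: $key" "$state"
        if [ "$state" = "off" ]; then fails=$((fails + 1)); fi
    done
    [ "$fails" -eq 0 ]
}

if [ "$(uname -s)" = "Darwin" ]; then
    audit_mac || echo "One or more settings need attention."
else
    # Not a Mac: show the parsers on constructed sample output instead.
    fails=0
    check "Firewall enabled (constructed sample)" firewall_on "Firewall is disabled. (State = 0)"
    check "FileVault enabled (constructed sample)" filevault_on "FileVault is On."
fi
```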

Configure MacOS automatic updates.

Repost: Original Source and Author Link


Researchers say your GPU could expose private info online

In an age of increased online privacy awareness, many of us are conscious of our digital fingerprints and prefer not to be tracked. However, it may not be as simple as it previously seemed.

An international team of researchers has found that users can be tracked down by their graphics cards. This is done through a new technique referred to as “GPU fingerprinting.”

An example of the GPU fingerprinting technique showcasing two identical GPUs that still produce different results.

This new technology, named DrawnApart by the researchers and first reported by Bleeping Computer, relies on the tiny differences between each piece of hardware in order to make a distinction that ties it to a certain user. Through a series of identifiers, researchers find that they are able to track down individual users, as well as their online activity, just by implementing this new technique.

The team spans several countries and universities, including researchers from Israel, France, and Australia, who published their findings online in a paper on They showcased examples of the GPU fingerprinting technique, which relies on the fact that no components are exactly the same — even if they are all part of the same model and were made by the same manufacturer.

There are tiny differences in the performance, power consumption, and processing capabilities of every graphics card. DrawnApart takes advantage of that by using fixed workloads based on the Web Graphics Library (WebGL). This is a cross-platform JavaScript-based application programming interface (API) responsible for rendering graphics within any compatible web browser.

Using WebGL, DrawnApart targets the GPU’s shaders with a special sequence of graphic operations that were made specifically for this task. The drawing operations are ultra-precise and make it easier for the researchers to tell the graphics cards apart, and this includes cards of the same make and model.

Once the task is complete, the technique produces an accurate trace with timing measurements that includes how long it takes the card to handle stall functions, complete vertex renders, and more. As the timing is individual to each GPU, this results in making the unit trackable.

DrawnApart tracking duration diagram.
DrawnApart: Average tracking time by collection period graph.

The research team finds that this technique provides a high degree of accuracy and is an improvement over existing tracking methods. The algorithm was tested on a large sample of more than 2,500 unique devices and 371,000 fingerprints, and the researchers noted a 67% improvement compared to using only current fingerprinting methods without DrawnApart. In its current state, DrawnApart can fingerprint a graphics card in just eight seconds.

Eight seconds is ultrafast as it is, but there is potential for even more accurate and quicker tracking through the use of newer, faster APIs. The team tested using compute shader operations instead and found that the results were now up to 98% accurate and only took 150 milliseconds to achieve.

Although the findings are impressive, it’s impossible to deny that they’re also terrifying. We’ve all grown used to declining cookies on various websites, but DrawnApart proves that may soon not be enough. The research team is also keenly aware of the potential for misuse that the GPU fingerprint poses.

“This is a substantial improvement to stateless tracking, obtained through the use of our new fingerprinting method. […] We believe it raises practical concerns about the privacy of users being subjected to fingerprinting,” said the researchers in their paper.

As the GPU fingerprinting technique may not require additional permissions, users could be subjected to it by simply browsing the internet. Khronos, the organization in charge of the WebGL library, is already exploring ways in which to prevent the technique from being used maliciously.


Missouri governor threatens reporter who discovered state site spilling private info

Missouri Governor Mike Parson is threatening legal action against a reporter and newspaper that found and responsibly disclosed a security vulnerability that left teacher and educational staffs’ social security numbers exposed and easily accessible.

The St. Louis Post-Dispatch reports that it notified the Missouri Department of Elementary and Secondary Education (DESE) that one of its tools was returning HTML pages that contained employee SSNs, potentially putting the information of over 100,000 employees at risk. Despite the fact that the outlet waited until the tool was taken down by the state to publish its story, the reporter has been called a “hacker” by Governor Parson, who says he’ll be getting the county prosecutor and investigators involved.

According to the Post-Dispatch, the tool that contained the vulnerability was designed to let the public see teachers’ credentials. However, it reportedly also included the employee’s SSN in the page it returned — while it apparently didn’t appear as visible text on the screen, KrebsOnSecurity reports that accessing it would be as easy as right-clicking on the page and clicking Inspect Element or View Source.

While the reporter followed standard protocols for disclosing and reporting on the vulnerability, the governor is treating him as if he attacked the site or was trying to access the teachers’ private information for nefarious purposes.

In a press conference, Governor Parson described the reporter’s actions as “decoding the HTML source code,” which makes it seem suspicious and clandestine. He is, however, literally describing how viewing a website works — it’s the server’s job to send an HTML file to your computer so you can view it, and anything included in that file isn’t secret (even if it’s not physically visible on your screen when viewing that webpage). Governor Parson says that nothing on DESE’s website gave users permission to access the SSN data, but it was being freely provided.

The Verge has reached out to Missouri DESE to clarify whether the tool was publicly accessible or required logging in, and in response, the DESE says its only comment (due to the ongoing investigation) is that the data is now protected. Of course, it being accessible at all is an issue, regardless of whether it was behind a login.

Missouri’s response is, to put it lightly, the exact opposite of standard practice. Many organizations have bug or security bounties worth hundreds of thousands of dollars, which they’ll pay to hackers who find and responsibly disclose flaws like these. The reason these exist is that they’ll make your systems safer — yes, people will look for and find vulnerabilities, but there was likely already somebody doing that anyways. With a bug bounty, they’re telling you so you can fix it rather than selling that info on the dark web or using it for personal gain. Obviously, those kinds of sums aren’t reasonable for school districts, which often have underfunded IT departments due to shrinking budgets, but there’re a lot of options between paying out large sums of money and threatening legal action.

Governor Parson says that the incident could cost the state’s taxpayers $50 million. If a malicious hacker had found the treasure trove of SSNs, it likely would’ve been even more expensive: the state still would’ve had to fix the system, and it’d have teachers who would have solid claims against it if they needed identity protection services.

Governor Parson (along with a press release by the Office of Administration) clarifies that the SSNs were only accessible one at a time — a list of all employees’ private info wasn’t included in the HTML files. But as anyone who’s watched the opening scene of The Social Network knows, it can be trivial for hackers to download all the pages from an application and strip specific pieces of information out of them. Just because the reporter didn’t do it (it would’ve arguably been irresponsible if he had) doesn’t mean that it wasn’t possible and doesn’t speak to good security practices.

To be clear: prosecuting the reporter, news outlet, and anyone involved will only serve to put people in Missouri at risk because no one will want to report security flaws they’ve found in public systems if the state’s response will be sending law enforcement after them. Security flaws like this are extremely unfortunate, but they will inevitably happen (the Post-Dispatch reports that the DESE was found to have been storing student SSNs by an audit in 2015). With public entities and companies alike, the real test isn’t whether it happens but how you respond to it. Unfortunately, it seems like Governor Parson is failing that test.

Updated October 14th, 5:52PM ET: Updated to reflect comment from the DESE.


PS5 VR details leak from private developers conference

It’s arguable that Facebook’s Oculus now takes up the majority of the attention in the virtual reality market, but it is hardly the only major player. HTC is still actively working on Vive, and Microsoft’s Windows Mixed Reality also dips into that field. And then there’s PlayStation VR, the only console-based system among the VR giants. With the new PlayStation 5 console, however, the interest in a VR system to match has also grown. Fortunately, Sony does seem to have big plans for what the PS5 VR will offer, both in hardware and content.

The Next-Gen VR or NGVR, the alleged codename for the PS5 VR, will come with a headset that will boast significant upgrades over its predecessor. Considering the PSVR pictured above hasn’t exactly gotten major upgrades since it launched in 2016, that’s not exactly a surprising revelation.

According to the details reported by PSVR Without Parole, the headset will feature a new HDR OLED screen with a combined 4000×2040 resolution and 110-degree field-of-view. Eye-tracking will be used to implement foveated rendering, and a new flexible scaling resolution will supposedly improve performance. The new controllers will also allegedly have capacitive touch sensors for the thumb, index, and middle finger, probably for finger tracking.

An upgraded VR system, however, also needs upgraded VR experiences, and Sony is looking into bringing AAA titles to its VR ecosystem. That might mean requiring new titles to support a hybrid VR version alongside the regular flat screen game. There is no word yet on backward compatibility, though.

This PS5 VR upgrade could take Sony’s VR system to the next level and help it catch up with its peers. Unfortunately, it seems that fans will have to wait until next year for that to happen.


WhatsApp starts a private beta test of multi-device support

Until now, using WhatsApp web on your desktop or any other device has required having a phone that’s powered on and connected, but a new beta test is trying out support for multiple devices without needing a phone in the mix. In a June interview, WhatsApp head Will Cathcart and his boss, Facebook CEO Mark Zuckerberg, commented on the technical challenge of maintaining end-to-end encryption. With a blog post today, Cathcart explains more about what has been done behind the scenes to maintain security.

WhatsApp’s message architecture.
Image: Facebook

As the image comparing the legacy and new systems (above) tries to explain, previously, a user’s phone managed the key determining their identity and ability to encrypt/decrypt messages. The encrypted synchronization also applies to message history, contact names, and other data, with keys maintained on the individual devices.

To start, the beta is going out to a limited group of testers who are already in WhatsApp’s beta program, while the team says it’s working on improving performance and adding more features.

Get Private Internet Access VPN for almost 70% off — and get a $15 credit too

TLDR: Protect your information and all your online activity with a subscription to Private Internet Access, now at nearly 70 percent off.

If you’re worried about being watched while online, it’s because you already are. Internet service providers (ISPs) can log everything you do. Online destinations from retail giants to social media platforms harvest information about you and can sell that data to virtually anyone. And yeah, getting emails or Facebook ads about the book you just did a Google search for is more than a little creepy.

A VPN is your first and best initial line of defense against constant surveillance. As one of the industry leaders, a subscription to Private Internet Access ($39.95 for 1 year, 69 percent off, from TNW Deals) can go a long way to erecting a staunch barrier against becoming an online privacy victim or, even worse, a victim of cybercrime.

With over a decade as a top VPN option, PIA remains one of the most respected names in data security, including a spot among CNET’s Best VPN Services of 2021 and a cumulative 4.6 out of 5 star rating from over 100,000 reviews among Apple App Store and Google Play users.

With one of the biggest service networks in the business, PIA allows users to log into a network of over 34,000 servers in 77 countries worldwide, shielding you and your vital information from online schemes, thieves and prying eyes. With a PIA connection cloaking a user’s location and IP address, they can do all their online business secure in the knowledge their information won’t be stolen or misused.  PIA also uses powerful Blowfish CBC encryption technology to protect all your data, even while ensuring unlimited bandwidth so browsing speeds always remain lightning quick.

And as an industry veteran, PIA is constantly adding new features to further safeguard connections and improve service, including free email breach monitoring, an advanced firewall for blocking unwanted connections, and their MACE feature, which knocks out ads, trackers and malware as you surf the web.

Unlike other services that usually only protect 2, 3 or even 5 devices, PIA allows coverage for up to 10 devices simultaneously, all while also bypassing censored and geographically blocked websites, apps and services you could never otherwise access.

Right now, new members can enjoy a year of Private Internet Access protection for almost 70 percent off its regular price at just $39.99; or get two years of coverage for an even more cost effective $69.95. And with both offers, shoppers will also receive a $15 store credit for their next purchase through TNW Deals. 

Prices are subject to change.


Some Accounts Had Private Messages Stolen in Twitter Hack

Twitter has shared more details about how dozens of high-profile accounts were accessed and used to promote a cryptocurrency scam this week.

Twitter has already revealed that around 130 accounts were targeted in the hack, including accounts of prominent political figures like Barack Obama and Joe Biden as well as cryptocurrency enthusiast Elon Musk and other celebrities like Kanye West.

The company announced that the attack had been made possible due to “a social engineering scheme” in which cybercriminals targeted Twitter employees using “intentional manipulation of people into performing certain actions and divulging confidential information.”

Describing the scheme in more detail, Twitter said that attackers managed to trick or manipulate employees into handing over their credentials. The attackers then used these credentials to get inside Twitter’s systems, getting past the two-factor authentication protections and using an internal management tool for resetting passwords.

Of the 130 targeted accounts, the attackers were able to reset the passwords and log in to 45 accounts. This resulted in the sending of the cryptocurrency scam tweets. But many are worried that the attackers may have done even more damage, as they had full access to these accounts. A particular worry was whether the attackers would have been able to access private content such as direct messages.

It seems that, for at least some of the targets, that fear was well-founded. Twitter announced that, “For up to eight of the Twitter accounts involved, the attackers took the additional step of downloading the account’s information through our ‘Your Twitter Data’ tool. This is a tool that is meant to provide an account owner with a summary of their Twitter account details and activity.”

The Your Twitter Data tool gives a complete list of account activity which, according to The Verge, includes an archive of direct messages. This data may even include deleted direct messages, which is an extra worry. The concern is that these personal messages could be used for blackmail or spread around maliciously.

Twitter did confirm that, of the eight accounts that had their data downloaded, none were verified, and that it has reached out to all eight people to let them know. The company has said it will not be announcing the identity of these accounts publicly.

Twitter is conducting an investigation into what happened and how it can improve the security of its systems. The company acknowledges the huge loss of trust the public has in its services, saying, “We’re embarrassed, we’re disappointed, and more than anything, we’re sorry. We know that we must work to regain your trust, and we will support all efforts to bring the perpetrators to justice.”

Hushed offers a second private phone line for talking or texting for under $20

TLDR: You can organize your life on the phone with a second private number from Hushed that’s a whole lot cheaper than getting a second costly phone service plan.

In 2004, more than 90 percent of American adults lived in a household with a landline. By last year, that number had tumbled to just under 37 percent. Increasingly, users are deciding that the smartphone is the one and only device they need, often with one single phone number as that primary point of contact.

If you’re conducting business by phone, you need that number to be available and accessible for promoting and growing that business. But a phone number is also an easy key for hackers and scammers to uncover your personal data or for spammers to unleash a steady barrage of sales calls and texts that you don’t need.

The answer: one number for the world, another one just for you and your nearest and dearest. With a Hushed Private Phone Line second number ($19.99, 86 percent off, from TNW Deals), you can achieve that separation of church and state so your business line can reach far and wide, while your private line stays protected and available only to those you really trust.

Hushed has quickly become one of the most reliable phone safeguards around, amassing a 4.6 out of 5 star rating from more than 5,600 Apple App Store reviewers.

With a Hushed second phone number, you can keep business and personal separate. You can choose from hundreds of possible area codes, so your new number can look just like any other in your area, but without committing to another expensive phone plan. 

Send all your business calls, Craigslist offers, and more there, making it easy to maintain distance between work time and free time. Or use it to field personal calls like Tinder or Bumble contacts without exposing your business to the world. You can even manage multiple numbers, all from Hushed’s easy to use and navigate app.

Users can make calls or send texts with up to 1,000 call minutes and 6,000 SMS minutes for texting each year. So long as the Hushed number gets used at least once every six months, it’ll remain active and ready forever.

You can streamline all your communications now with a lifetime subscription to a Hushed Private Phone Line, a $150 value now on sale at almost 90 percent off that price, down to only $19.99.

Prices are subject to change.

Make Amazon dropshipping and private labels your ultimate business launch pad with this training

TLDR: The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle can help you launch a new side hustle with Amazon that you can grow into thousands a month.

Kate was a journalist and salesperson who’d never considered starting her own business before. But after learning about dropshipping, Kate launched an anime-themed online storefront – and soon was making $32,000 a month. Meanwhile, Zach went from being an ecommerce newbie to making $23,000 in Amazon sales in just 5 months after launching his own stable of private label products.

No road to riches is easy, but understanding how successful entrepreneurs have turned the concepts of dropshipping and private label brands via Amazon into serious moneymakers should be enough to get the attention of anyone with business aspirations.

With the training in The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle ($34.99, over 90 percent off, from TNW Deals), interested self-starters with the talent and eye for opportunity can follow a path to a quickly self-sustaining business turning reliable profits every month.

This collection covers everything, 11 courses including nearly 100 hours of training in all the steps for launching successful Fulfilled by Amazon (FBA) business operations.

Even if this is your first time starting a business, courses like Amazon FBA Course 2021 and Launch a Successful Amazon FBA Brand paint a realistic picture. Students get schooled in the right processes and procedures for running a digital storefront in the Amazon environment before finding the right products, sourcing suppliers who won’t rip you off or underdeliver, and marketing your new brand into bestseller status.

Meanwhile, further coursework plunges into more detail in several of those key business areas, covering topics like how to find winning products time and time again, how to properly advertise your business online, and how to make sure your account never runs afoul of Amazon’s strict seller code of conduct or intellectual property and copyright laws. There’s even a step-by-step model here for launching your own book reselling business with profits of 100 percent.

While selling other people’s products can certainly make you money, selling your own is even better. That’s why this package also features three courses dedicated to creating your own Amazon private label line, from sourcing and creating products you’d be proud to put your brand name on, to understanding the software to oversee that operation. There are even five reasons your Amazon private label business might fail so you can short circuit any trap doors before they become a problem.

The 2021 Complete Amazon Dropshipping and Private Label Master Class Bundle includes nearly $2,200 worth of intensive training, but right now, you can launch your new Amazon business future for just over $3 per course at $34.99.

Prices are subject to change.

Venmo is finally adding a private friend list feature following Biden report

Venmo, the PayPal-owned financial app that makes it easy to send money to your friends, is rolling out an important update that adds a major new privacy option. Going forward, Venmo users will have the option to hide their friend lists, making it harder for other people to identify their social circle. The change follows the discovery of President Biden’s Venmo account and the people he was linked to through it.

Earlier this month, The New York Times published an article that included a brief mention about Joe Biden’s use of Venmo — and that quickly led to a report from BuzzFeed announcing that it had discovered the president’s account. Though the report didn’t reveal his associates, it did detail the number of people in his social circle the writers were able to find, renewing talk about the financial app and related privacy concerns.

Though Venmo users have had the option of hiding their transactions from public view, the app has never offered a way for users to hide their friend lists. Many have pointed out the potential privacy issues this can cause, including making it possible for someone to stalk an ex, get an idea about a person’s life and routines, and even shed light on whistleblowers.

Only days after the report detailing Biden’s Venmo account, the company has revealed that it will enable users to hide their friend lists — though these lists will be made public by default. As well, users will be able to set their list to ‘friends-only,’ Venmo told BuzzFeed News, offering a compromise between privacy and the app’s social network foundation.

This is a win for privacy advocates who have spent years highlighting the issue public friend lists pose to users. The ability to make transactions private only offered a certain degree of protection, particularly if friends on their public list made their own transactions public. Everyone from scammers to stalkers could leverage this information, and that’s a big concern when it comes to public figures like the president.
