AutoFill in Safari Not Working? Set “My Card” in Contacts

We heard from a client that AutoFill in Safari suddenly stopped entering her name and address in Web forms when she chose Edit > AutoFill Form or pressed Command-Shift-A, forcing her to enter her contact information manually, like an animal. (And yes, the “Using information from my contacts” checkbox was selected in Safari’s AutoFill preferences.) Although we have no idea what caused the problem, the solution turned out to be simple. She went into Contacts, found her personal contact card, and chose Card > Make This My Card. Give this a try if you’re having trouble with AutoFill or haven’t yet started using it in Safari.

(Featured image by Adam Engst)

Protect Your Hidden and Recently Deleted Albums in Photos

Photos has long provided a hidden album you could use to hold images you wanted to keep a little more private. Until this year, however, it was security through obscurity: anyone who knew to reveal the album in Settings > Photos on an iPhone or iPad or by choosing View > Show Hidden Album on the Mac could see its contents. Now you can protect it—and the Recently Deleted album—with Face ID or Touch ID on an iPhone or iPad, or Touch ID or your password on a Mac. You can enable this feature in iOS 16 or iPadOS 16 using Settings > Photos > Use Face ID/Touch ID; in macOS 13 Ventura, choose Photos > Settings > General and select “Use Touch ID or password.” From then on, opening those albums will require authentication.

(Featured image by iStock.com/Kenishirotie)

If Your Holiday Gift Was a Tech Device, It’s Time to Change the Password!

Whatever consumer electronics product you can name, there’s probably a “smart” version that you configure via an app or Internet-connected interface once you’ve connected it to your Wi-Fi network. For ease of setup and to keep costs down, many such devices come pre-configured with not just a default username and password, but the same default username and password as all other units. That’s bad enough, but worse, most people never change those defaults, which is just asking hackers and malicious bots to break in and take over. This risk is real—it has happened to security cameras, baby monitors, light bulbs, DVRs, toasters, refrigerators, and even fish tanks. So, if you received any so-called “Internet of Things” devices for the holidays—or have one or more already installed on your home network—immediately change the usernames (if possible) and passwords to something more secure. Store the new usernames and passwords in your password manager for future reference.

(Featured image by iStock.com/EvgeniyShkolenko)

Copy Gigabytes of Data Between Macs with Target Disk Mode

Apple makes it easy to move data between Macs. You can send files via AirDrop, attach them to an email message, put them in a Messages conversation, turn on and connect via File Sharing, or use a file-sharing service like iCloud Drive, Dropbox, or Google Drive as an intermediary, to name just a few of the more obvious approaches.

But what if you have a lot of data—say tens or even hundreds of gigabytes—to transfer from one Mac to another? The techniques listed above might work, but we wouldn’t bet on it. If you had an external drive with sufficient free space handy, you could copy all the data to it from one Mac and then copy the data from it to another Mac. To cut the copy time in half, try Target Disk Mode instead. You may even be able to use Target Disk Mode on an older Mac to transfer an account with Migration Assistant when setting up a new Mac.

What Is Target Disk Mode?

Target Disk Mode is a special boot mode for Intel-based Macs and an option in macOS Recovery on Macs with Apple silicon that enables one Mac to behave like an external drive for another Mac. Target Disk Mode is nearly universal, easy to set up, and one of the fastest methods of moving files between Macs. Let’s unpack that statement:

  • Nearly universal: Every Mac sold in the last decade supports Target Disk Mode, so you can be sure it will work with any modern Mac. That’s true of both Intel-based Macs and Macs with Apple silicon.
  • Easy setup: Because Apple has baked Target Disk Mode into the Mac firmware, the version of macOS is irrelevant beyond the Thunderbolt cable requirement discussed below. There’s no software to configure nor any permissions to worry about. Putting a Mac into Target Disk Mode is particularly simple on Intel-based Macs, but it’s also easy on Macs with Apple silicon.
  • Speed: Because you’re connecting one Mac directly to another using Thunderbolt, you’ll get the fastest transfer speeds available.

If either Mac has macOS 11 Big Sur or later installed, you’ll need to connect them with a Thunderbolt cable—it’s fine to use Apple’s Thunderbolt 3 to Thunderbolt 2 adapter for connecting newer and older Thunderbolt-capable Macs. If both Macs are running an earlier version of macOS, you can use Thunderbolt, USB, or FireWire, depending on the available ports. (Note that the Apple USB-C Charge Cable that comes with the Apple power adapter doesn’t support Target Disk Mode, so if that’s the cable you were planning to use, sorry, but you’ll need to buy a real Thunderbolt cable.)

Step-by-Step Instructions for Intel-based Macs

To put an Intel-based Mac into Target Disk Mode for copying data, follow these steps:

  1. Connect the source Mac to the destination Mac with an appropriate cable.
  2. On the source Mac, either:
    • Restart the Mac, and once it starts booting, hold down the T key until you see the Target Disk Mode screen with a bouncing Thunderbolt logo.
    • Open System Settings/Preferences > Startup Disk, click Target Disk Mode, and then click Restart.
  3. The source Mac’s data and applications volume appears on the destination Mac’s Desktop like an external drive; if the source Mac is encrypted with FileVault, give it a minute to appear on the destination Mac, after which you’ll need to enter its password.
  4. Transfer the files as you would normally.
  5. When you’re done, unmount the source Mac’s drive by dragging it to the Trash in the Dock. Then press and hold the power button on the source Mac for a few seconds to shut it down.

Step-by-Step Instructions for Macs with Apple Silicon

The process is somewhat more involved for Macs with Apple silicon, where the shared drive or volume appears like a network volume:

  1. Connect the source Mac to the destination Mac with an appropriate cable.
  2. On the Mac with Apple silicon, choose Shut Down from the Apple menu to turn it off.
  3. Press and hold the power button until “Loading startup options” appears.
  4. Click Options, and then click Continue to enter macOS Recovery.
  5. Select a user, click Next, enter the user’s password, and click Continue.
  6. Choose Utilities > Share Disk.
  7. Select the drive or volume you want to share, and click Start Sharing. (If the drive is encrypted using FileVault, click Unlock and enter the FileVault password first.)
  8. On the destination Mac, open a Finder window and click Network (under Locations) at the bottom of the sidebar.
  9. In the Network window, double-click the Mac with the shared drive or volume, click Connect As, select Guest in the Connect As window, and then click Connect. The shared drive or volume becomes available like any other external hard drive.
  10. Transfer the files as you would normally.
  11. When you’re done, unmount the shared drive or volume by dragging it to the Trash, then click Stop Sharing on the source Mac.

Although it’s not something you’ll use every day, Target Disk Mode is one of the unsung innovations that has made Macs easier to use for decades, and it’s well worth keeping in mind whenever you need to move lots of data between machines.

(Featured image by Adam Engst)

LastPass Security Breach: Here’s What to Do

Password management company LastPass has announced that it suffered a security breach in which attackers stole both encrypted customer account data (which is bad) and customer vaults containing encrypted usernames and passwords (which is much, much worse). On the positive side, the data of users who abided by LastPass’s defaults and created master passwords of at least 12 characters in length will likely resist cracking attempts.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup.

The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure—everyone must be mindful of security at all times. It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error—if backups contain sensitive data, they should be equally protected.

What Was Stolen

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.

Because LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach.

The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue.

Potential Problems

By default, LastPass requires master passwords to be at least 12 characters in length. Plus, LastPass applies 100,100 iterations of the PBKDF2 password-strengthening algorithm to make it harder for brute-force attacks to crack passwords. The company says:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500.

LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.
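As an added illustration (not code from the article or from LastPass), the following Python models why the iteration count matters: it derives a vault key with PBKDF2 and estimates the worst-case cost of exhausting a password space at 500, 5,000, and 100,100 iterations. The hash (HMAC-SHA256), the e-mail-as-salt, the sample password, and the 10^12 HMAC/s hardware budget are all assumptions.

```python
import hashlib

# Constructed sample inputs for illustration; not real LastPass account data.
SAMPLE_SALT = "user@example.com"  # assumption: account e-mail used as the PBKDF2 salt
SAMPLE_MASTER_PASSWORD = "correct horse battery staple!"  # well over the 12-char minimum
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_vault_key(master_password: str, salt: str, iterations: int) -> bytes:
    """Derive a 256-bit vault key from the master password.

    Assumption: PBKDF2-HMAC-SHA256. The article names only PBKDF2 and
    256-bit AES, not the underlying hash function.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt.encode("utf-8"), iterations, dklen=32
    )


def relative_guess_cost(old_iterations: int, new_iterations: int) -> float:
    """How many times more work one password guess costs at the new iteration count.

    PBKDF2 cost is linear in the iteration count, so raising 500 to 100,100 makes
    every guess roughly 200x more expensive for whoever holds a stolen vault.
    """
    return new_iterations / old_iterations


def years_to_exhaust(password_length: int, alphabet_size: int,
                     iterations: int, hmacs_per_second: float) -> float:
    """Worst-case years to try every password of the given length and alphabet.

    hmacs_per_second is an assumed attacker hardware budget in HMAC-SHA256
    evaluations per second; each guess consumes `iterations` of them.
    """
    keyspace = alphabet_size ** password_length
    guesses_per_second = hmacs_per_second / iterations
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    key = derive_vault_key(SAMPLE_MASTER_PASSWORD, SAMPLE_SALT, 100_100)
    print("vault key (hex):", key.hex())
    print("cost ratio 500 -> 100,100:", relative_guess_cost(500, 100_100))
    budget = 1e12  # assumed: 10^12 HMAC-SHA256/s of cracking hardware
    for length in (8, 12):  # 8 chars: pre-2018 era; 12 chars: current minimum
        for iters in (500, 5000, 100_100):
            print(f"{length} chars, {iters:>6} iterations: "
                  f"{years_to_exhaust(length, 95, iters, budget):.3g} years")
```

The 95-character alphabet is printable ASCII; the point to take away is that the iteration count multiplies attacker cost linearly, while password length multiplies it exponentially, so a short password is not rescued by a high iteration count.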

By not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. LastPass also downplayed the concern over phishing attacks. That was likely a decision made by PR (and possibly Legal), but the company could have served users better. Should your organization ever be involved in a breach, make sure that someone involved in the transparency discussions represents the users’ best interests alongside those of the organization. And consider requiring multifactor authentication!

Finally, it’s worth noting that other companies significantly increase the security of their systems by mixing passwords with additional device-based keys. Apple does this by entangling device passcodes and passwords with the device’s unique ID, and 1Password strengthens your passwords with a secret key. LastPass has no such additional protection.

What LastPass Users Should Do

There are two types of LastPass users in this situation: those who had long, secure master passwords and 100,100 iterations of PBKDF2, and those who didn’t:

  • Strong master password users: Despite LastPass’s claim that you don’t need to do anything, we recommend enabling multifactor authentication. (For instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.) You could change your master password too, but that won’t affect the data that was already stolen. That horse has already left the barn, whereas enabling multifactor authentication would prevent even a cracked master password from being used in the future.
  • Weak master password users: Sorry, but you have work to do. Immediately change your master password and increase your PBKDF2 iterations to at least 100,100. We also recommend enabling multifactor authentication because LastPass is such an important account. Next, go through all your passwords and change at least those for important websites. Start with the critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data.

Regardless of the strength of your master password, be on high alert for phishing attacks conducted through email and text messages. Because the stolen data included both personal information and URLs to websites where you have accounts, phishing attacks may be personalized to you, making them harder to detect. In short, don’t follow links in email or texts to any website where you have to log in. Instead, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify.

Should you switch from LastPass to another service, like 1Password? It comes down to whether you believe LastPass has both a sufficiently secure architecture despite not entangling the master password with some device-based key and sufficiently robust security practices despite having been breached. It would not be irrational to switch, and we would recommend switching to 1Password. Other password managers like Bitwarden and Dashlane may be fine too. If you have to change numerous passwords and choose to switch, it may be easier to change the passwords after switching—see how the process of updating a password compares between LastPass and 1Password or whatever tool you end up using.

We realize this is an extremely worrying situation for LastPass users, particularly those with weak master passwords or too few PBKDF2 iterations set. Only you can reset your passwords, but if you need assistance switching to another password manager, don’t hesitate to contact us.

(Featured image by LastPass)