Low Volume In Car: Bluetooth or USB audio with iOS 8 on iPhone

If you have noticed that the volume levels have dropped drastically when using your iPhone in your car, requiring you to crank up the volume in the car, leading you to inevitably destroy your eardrums when you accidentally switch back to FM, try this:

  • Go to Settings
  • Go to Music
  • If Sound Check is on, turn it off
Screenshot: the Music settings with Sound Check turned off.

Sound Check is a feature that normalizes the volume levels of your songs so they all play at a similar volume. I’ve noticed recently that it seems to become too aggressive, perhaps if a few offending songs are way too loud in your library, ruining the volume levels for everything else.

Turning it off allowed me to go back to using my car’s system at a normal level.

Posted in Apple, Cars

BSidesLV Talk on iOS URL Schemes

Seeing as “RTFM 0Days” are popular for iOS today, if you are looking for those, I highly recommend watching my BSidesLV presentation. The examples start around 10 minutes in.

Posted in Apple, Security

RTFM 0day in iOS apps – Algorithm.dk

RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – Algorithm.dk.

I’ve been talking and writing about this for about a year, and this is another GREAT set of examples and techniques.
If you want to see examples as well as help on how to find these, I highly recommend that you watch my presentation, which I have just posted as well.

Posted in Apple, Privacy, Security

Trolling as a Service (TaaS)

We live in a world of services. From infrastructure to software, everything is a service. Even pizza.

Today, I officially introduce the concept of TaaS (Trolling as a Service). The goal of TaaS is to allow you to troll a person while leveraging economies of scale.

First of all, you will need the “aaS” part. I used Fancyhands (yes, this is a referral link that gives me some credit with them and half a month off to new TaaS users). The amazing thing about TaaS is that you can prank a person perfectly as the person pranking does not even know that the whole thing is a prank. If you are not telling the truth but you aren’t aware of that fact, you are the best liar in the world.

My first and only attempt (yet) at using TaaS was to prank Andreas Lindh, a world renowned information security researcher. I had seen him endorse other people for “Unicorns” on LinkedIn, obviously as a joke. I got in touch with my TaaS.

Find a way to get in touch on the phone or voicemail with Andreas Lindh at work and ask him if his Unicorn endorsements are for sale, and if so, for how much.

Note that I do not mention that this is a prank. For sure, the person reading this might have guessed so, but does not know for sure. Asking me might’ve been awkward too. What if unicorns were real?

Then, I received two of the greatest emails I ever received:

I would be happy to assist you with this request.
I shall give him a call tomorrow during Sweden’s business hours and find out if these are for sale for you and if so, how much they are priced at. I thank you for your patience.

So professional.

I called them a couple of times and they are not answering. Their message was in Swedish so I was unable to understand what it said. I wanted to ask, are you open to me sending them an email?

Email was obviously out of the picture very fast. I insisted on a phone Troll payload delivery, even if it meant waiting a few more days. I then received this.

I called and was able to reach Andreas. He was wondering why I was calling, because he said that a friend put that in his LinkedIn page and that the Unicorn endorsements are just a joke. He also thought that perhaps I was a person calling for a friend of his to play upon this joke. He was in no way upset about the call and had a good laugh and apologized for any misunderstanding. I thanked him kindly for his time and wished him a wonderful rest of his day. I hope this helps. But, if you should need anything else in regards to this task, please do not hesitate to contact me. Please be well and enjoy your week ahead. Take care.

I was almost dying of laughter when I saw this show up in my Twitter Timeline.

Screenshot: @addelindh’s reaction on Twitter.

Posted in Internet

Using Little Snitch to save your mobile data plan when tethering

OS X has no notion of a metered or “expensive” connection. This gets costly when tethering, especially if you are roaming or if your data plan is relatively small. Until OS X gives applications a way to detect expensive connectivity, a user without third-party tools must simply “be careful”.

In a world of cloud services, cloud backups, automatic updates and automated file synchronization, this can be extremely difficult. Who hasn’t downloaded a bunch of App Store updates by opening iTunes by mistake while tethering?

In your Little Snitch 3 rules, create a profile called Tethering (or anything you want, really). This profile will contain mostly Deny rules.

Make sure the rules that are “Effective in all profiles” cover your basic on-the-road usage. Then, in the Tethering profile, completely block network access for any application or daemon that exists only to fetch updates, and block access to the update servers of the other applications you use. Doing the same for applications such as Dropbox can also be useful.

Some definite must haves:

  • App Store – Deny All
  • bookstoreagent – Deny All
  • Crashplan / Backblaze / other cloud backup services – Deny All (Yeah, I know Crashplan can block itself on certain networks. Better safe than sorry.)
  • Google Software Update – Deny All
  • GoogleSoftwareUpdateDaemon – Deny All
  • GPG Keychain Access – Deny to gpgtools.org only, rather than Deny All, if you still want to be able to look keys up on key servers.
  • HazelHelper – Deny to update.noodlesoft.com
  • helpd – Deny All
  • iTunes – Deny All. You might want to do something more granular here, but you need to ensure no iOS App Store apps get updated, no music gets automatically downloaded, and especially no movies or TV shows. It’s easier and safer to Deny All.
  • Microsoft AU Daemon – Deny All
  • Omnifocus – Deny to www.omnigroup.com
  • softwareupdated – Deny All
  • TextMate – Deny All

This list will of course vary a lot depending on the software you use, but some are almost universal (OS, Browsers, etc).

Edit: As seen in the comments below, it is always better to DENY by default. This is actually what I do. I have 3 profiles: one with the bare minimum functionality I need, which always applies, one for home and one for tethering. The only reason I have these explicit denies in the tethering profile is so I do not get bugged by apps requesting access. That way, anything I have not explicitly granted access to will not destroy my data plan. The Home profile is where I allow bandwidth-intensive or privacy-sensitive/risky applications to run.

Screenshot: the three Little Snitch profiles.

Mail.app tip: Ensure you only allow Mail.app to reach the secured ports (SMTP over TLS, IMAP over SSL, etc.). That way a misconfigured account cannot silently fall back to a plaintext connection and leak a password.

Once your profile is ready, disconnect from your real network and enable tethering on your phone. Do this over Bluetooth, then WiFi, then USB, to ensure Little Snitch associates all three connections with the Tethering profile. On slow or untrustworthy WiFi networks, where you should definitely not be updating software either, you can also tag the network as Tethering.

I’ve been doing this for 2–3 months now, and it has helped me not be stuck without data for a few days before the end of the month!

Posted in Apple

My Quick Analysis and Understanding of the Trustwave Zero Malware Guarantee

Trustwave announced a Zero Malware Guarantee for their Managed Anti-Malware solution.

Like any responsible consumer, I treat such claims as a trigger for my “What’s the catch?” reflex. As the full terms are easily available, I figured I would try to understand what the guarantee really means. If any of my assumptions are wrong, please get in touch with me and let me know why, or why you think so.

Disclaimer: I am not a lawyer. I have not used the product. I am not affiliated with Trustwave.

Definition of malware

If someone promises complete protection against something, that something must be defined. From point 1.a in the terms:

Malware is defined as any client side exploit which is triggered during web browsing, including exploits of vulnerabilities in popular browsers and 3rd party browser plug-ins. This includes the most popular plugins such as Adobe Flash, Adobe Acrobat Reader and Oracle Java. For embedded content such as Java, PDF and Flash, the malware definition includes the page that has embedded the content. Client side exploits don’t include categories such as XSS, CSRF and other server side vulnerabilities.

My understanding is that ordinary malicious code contained in a normal executable file of any type is not covered by this. Only malware that exploits vulnerabilities in the client software used to browse the web is included. To me, this means that a user downloading a malicious EXE, JAR or ZIP and subsequently running the code would not trigger a “Guarantee reimbursement” event.

Some minimum requirements

Points 4 and 5 look to enforce a minimum level of configuration that is expected for the guarantee to be applicable. The list of settings is quite clear, and is provided in the same document. A good example is this one:

HTTPS scanning must be enabled. If disabled, Managed Anti-Malware Service cannot inspect HTTPS traffic (i.e., traffic encrypted with SSL).

Obviously, any exceptions made by the customer resulting in a malware infection are not covered either.

How do you claim?

Let’s assume you get infected by a technique that is covered by their malware definition, and you detect it by some other means.

Not only do you need to provide the URLs, but you also need to provide the sample files, and most of all, the malware must still be available at the previously mentioned URLs.

The original infection URL(s) (up to 10 URLs for each claim), and the date they were browsed. If the URL is no longer malicious at the time of investigation, the claim will be determined to be invalid.

So if you wait until the source is cleaned before filing your claim, you will not get anything. Even if you do not wait, it has to still be there when they perform the investigation.

Performing analysis to obtain the original source URL is one thing, but you also must provide the embedding page, which could be challenging if it has been taken down, or if you are an SMB with low levels of information security skills or maturity. Don’t get infected twice…

In the case of embedded content (Java, PDF, Flash, Silverlight), the embedding page must also be provided.

How much free service will you get?

From Terms and Conditions 6:

You are limited to one (1) warranty claim per calendar quarter.

From Making a Warranty Claim 5:

If your claim is validated and approved, you will receive a new license key for your additional free month of service.

What I understand from this is that you are therefore limited to a rebate of one month per quarter, i.e. 33%, no matter what the amount or frequency of malware detection is.

Bottom Line

This is a splashy way to offer a rebate of up to 33% to companies who will most probably not have the skills or resources to prove that something matching the malware definition got through. And those who do might consider that the time needed to do so, combined with the odds that the source server will be cleaned “too fast”, is not worth spending.

If it helps prevent some clients from disabling security features that are enabled by default, that will be a net gain for security.

Posted in Security

Security OPML Sharing Webring

After a few exchanges with Joseph Sokoly and James Arlen I realized that sharing lists of RSS subscriptions is useful. I try to include useful content while avoiding redundancy.

This OPML includes my security-related RSS subscriptions, as well as some Apple-related ones in a different category.

Feel free to post yours elsewhere and link to it from a comment.
OPML File

My current RSS setup:

  • Feedly as the sync back-end. I don’t like their site, and I don’t like the stuff they pulled on sites by rewriting URLs and so on in the past.
  • Unread by Jared Sinclair on iPhone. It is the cleanest looking RSS reader for iPhone, it’s fast and it supports Feedly
  • Reeder 2 on iPad. It’s great on iPhone too, but I prefer Unread there. On iPad, nothing beats it.
  • Readkit on Mac. It is not great but it’s been pretty stable for a few months now. It works well with Feedly. Reeder 2 for Mac is in beta and will probably replace it.
Posted in Apple, Internet, Security

Panic Blog » Coda 2.5 and the Mac App Store

Panic Blog » Coda 2.5 and the Mac App Store.

One of the best Mac developers around has decided to pull out of the App Store due to concerns related with sandboxing. I would love to know what could not work in their app due to sandboxing requirements.

Because they are pulling out of the App Store, they had to create some workarounds to allow existing users to upgrade and create their own sync service, as iCloud sync is restricted to App Store applications.

While Coda is definitely a power-user application, from a security perspective, I would really like the Mac App Store to succeed. Sandboxing, centrally managed updates and the ability to tell Gatekeeper to only run executables from the App Store are very good first-line protections for a casual Mac user.

But if every good app has to be installed separately and sync with a completely different service, everything falls apart.

Posted in Apple, Security

The Dangers of Automation: Emory Windows 7 incident

Emory LITS: Information Technology | Windows 7 incident.

Facts as we know them:

  • A Windows 7 deployment image was accidentally sent to all Windows machines, including laptops, desktops, and even servers. This image started with a repartition / reformat set of tasks.
  • As soon as the accident was discovered, the SCCM server was powered off – however, by that time, the SCCM server itself had been repartitioned and reformatted.

While it certainly makes for a fun read, I have a few thoughts on this incident.

  • They seem to be communicating the issue to their end-users really well.
  • I am quite certain a majority of enterprises using tools such as SCCM to deploy images could make such a mistake. I highly recommend at least forcing the manual entry of a MAC address before even allowing PXE boot (though I have no idea if the incident involved PXE booting, it’s a good thing to do), and to consider SCCM servers as weapons of mass destruction.
  • You would think SCCM would not terminate itself. Even a T-800 knows not to do that.

I expect to see similar incidents in the future related to large server deployments using a lot of automation.

Posted in Active Directory, Security

[CVE-2014-2584] – 1Password Launching external apps automatically through use of iframe

  • Affected Vendor: agilebits.com
  • Affected Software: 1Password for iOS
  • Affected Version: 4.x prior to 4.5.0
  • Issue Type: Lack of user confirmation leading to execution of external app
  • Release Date: April 23, 2014
  • Discovered by: Guillaume Ross / @gepeto42
  • CVE Identifier: CVE-2014-2584
  • Issue Status: Vendor has published version 4.5 which corrects this issue by prompting the user before executing another application.

Summary

1Password is a password manager for iOS which includes a web browser. The browser has features such as automatic username and password completion. Some apps, such as FaceTime, expose URL Scheme functionality that can reveal the user’s identity. Apple protects some of these built-in applications by prompting the user before launching the app. As this protection is built into Safari and not into FaceTime itself, 3rd party apps that include a browser are often vulnerable to this, or more precisely, enable other vulnerabilities.

Description

The 1Password browser in versions prior to 4.5.0 executed external URL Schemes automatically when they were placed in an inline frame. This could lead to issues identical to CVE-2013-6835. Applications should not rely on the browser to prompt the user before an action is triggered; however, since built-in apps like FaceTime do rely on that prompt, browser vendors should include the same protection. The same iframe code as for CVE-2013-6835 would trigger a FaceTime Audio call automatically, leaking the user’s “caller ID” information (phone number or registered email address).

See CWE-939 – Improper Authorization in Handler for Custom URL Scheme for more information.

Impact

A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The attacker can use this to trigger applications with URL Schemes that perform automatic actions, such as FaceTime, and leverage those actions against the user.

Proof of Concept

<iframe src="facetime-audio:[email protected]" ></iframe>

Response Timeline

  • March 19 2014 – Vendor notified
  • March 20 2014 – Vendor acknowledges vulnerability
  • April 22 2014 – 1Password 4.5 for iOS is released and resolves the issue
  • April 23 2014 – Vulnerability Disclosed

The fix

Here is how 1Password 4.5+ behaves when opening such links.

Screenshot: 1Password now prompts before launching external applications.
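As an added example, not 1Password’s code and not part of this advisory or the RTFM 0day posts above, here is how an iOS app that embeds its own browser can implement the behaviour the fix describes. It assumes a WKWebView-based browser and UIKit; the class and method names are mine. Web schemes load normally. Anything else is cancelled, and only a navigation caused by the user tapping a link in the top-level page gets a prompt, so an `<iframe src="facetime-audio:…">`, a redirect, or a script assigning `window.location` triggers nothing at all.

```swift
import UIKit
import WebKit

/// Added example (not 1Password's code): an in-app browser that refuses to hand
/// a navigation off to another app unless the user explicitly asked for it and
/// then confirmed it.
final class GatedBrowserViewController: UIViewController, WKNavigationDelegate {
    private let webView = WKWebView()

    /// Schemes the embedded browser renders itself. Everything else is a
    /// potential hand-off to another app (facetime-audio:, tel:, sms:, a
    /// third-party app scheme, ...) and goes through the gate below.
    private let webSchemes: Set<String> = ["http", "https", "about", "data", "blob"]

    override func viewDidLoad() {
        super.viewDidLoad()
        webView.navigationDelegate = self
        webView.frame = view.bounds
        webView.autoresizingMask = [.flexibleWidth, .flexibleHeight]
        view.addSubview(webView)
    }

    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        guard let url = navigationAction.request.url,
              let scheme = url.scheme?.lowercased() else {
            decisionHandler(.cancel)
            return
        }

        // Ordinary web navigation: let WebKit load it.
        if webSchemes.contains(scheme) {
            decisionHandler(.allow)
            return
        }

        // Any other scheme would leave the browser. Never let WebKit follow it;
        // we decide ourselves whether to hand it to UIApplication.
        decisionHandler(.cancel)

        // A load started by a subframe (the <iframe src="facetime-audio:..."> case),
        // by a redirect, or by script is not a user action: drop it silently.
        // Only a tap on a link in the top-level page earns a prompt.
        let isMainFrame = navigationAction.targetFrame?.isMainFrame ?? false
        guard isMainFrame, navigationAction.navigationType == .linkActivated else {
            return
        }

        confirmAndOpen(url)
    }

    /// Shows the user exactly which URL is about to leave the app and opens it
    /// only after an explicit "Open".
    private func confirmAndOpen(_ url: URL) {
        let alert = UIAlertController(
            title: "Open in another app?",
            message: "This page wants to open:\n\(url.absoluteString)",
            preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open", style: .default) { _ in
            UIApplication.shared.open(url, options: [:], completionHandler: nil)
        })
        present(alert, animated: true)
    }
}
```

The gate sits in the browser, which is where this advisory puts it, but it is defence in depth only: as the description notes, the app registering the URL scheme (FaceTime here) should not depend on the browser asking first, since any app embedding a web view can skip the prompt.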

Posted in Apple, Privacy, Security
