Low Volume In Car: Bluetooth or USB audio with iOS 8 on iPhone

If you have noticed that the volume levels have dropped drastically when using your iPhone in your car, requiring you to crank up the volume in the car, leading you to inevitably destroy your eardrums when you accidentally switch back to FM, try this:

  • Go to Settings
  • Go to Music
  • If Sound Check is on, turn it off

Sound Check is a feature that normalizes the volume levels of your songs so they all play at a similar volume. I’ve noticed recently that it seems to become too aggressive, perhaps if a few offending songs are way too loud in your library, ruining the volume levels for everything else.

Turning it off allowed me to go back to using my car’s system at a normal level.

Posted in Apple, Cars | Leave a comment

Why Apple’s Two-step Verification would not have kept these celebrity privates private

When a breach occurs, especially when compromised user accounts are suspected or confirmed to be the source of the data being leaked, we information security pros, amateurs and enthusiasts are the first to scream:

TWO FACTOR AUTHENTICATION!!!11

While 2FA (Two-Factor Authentication, also called Multi-Factor Authentication or Two-Step Verification – see Mark Stanislav’s presentation for more details on the atrocious naming “convention”) has multiple advantages over a simple password, in the case of the “iCloud Celebrity Nudes Breach/#TheFappening”, it would only have helped a little bit.

Here is why.

iCloud is not Apple ID and Apple ID is not iCloud

Apple’s Two-Step Verification, as they call it, is an Apple ID feature.
Apple’s knowledge base calls it two-step verification for Apple ID.

Once you enable it, further management of your Apple ID will require you to enter a code that is sent to one of your trusted devices, or as an SMS to a verified phone number.

A recovery key is provided, to help you gain access to your account in the event of a forgotten password and/or lost device.

The main advantages of Two-Step verification are:

  • No more recovery questions. These are usually easy to break when people use them with real data.
  • It makes resetting your password or changing any of your Apple ID authentication settings much harder.
  • Purchases made using your Apple ID will have to be authenticated using Two-Step verification on each device at least once.

That being said, the feature is not called iCloud Two-Step verification, and while the password and usernames are used on both services, Apple’s 2FA is not used on iCloud.

To demonstrate this issue in the context of celebrities being “hacked” in order to steal compromising photos, I performed the following:

Configured a blank iPhone 4 to use my iCloud account

I logged in with my iCloud/Apple ID username and password.

Only a username and password has been entered at this point.

Instantly, most iCloud services were enabled by default. This means that at this point, if my Contacts, Calendar or, worse, Mail were in iCloud, an attacker with a stolen or guessed password would have access to them.

I checked my shared photostreams

I had some shared photostreams in my iCloud account. Sure enough, they were there.

A shared photo of a device some might recognize.

I took a suggestive photo of bananas

Well, I actually Googled for suggestive bananas and saved one of the photos to my camera roll. Do not repeat this Google search.

Do not Google for this.

I backed up the phone

The phone has been backed up.

I wiped the phone

I was asked for my iCloud username and password again, as Find my iPhone/Activation Lock were enabled. I wiped the device.

At this moment, I received a notification saying that Find my iPhone was disabled. This is not a step an attacker would normally proceed with, as the attacker is not in physical possession of a device in this scenario.

I restored the backup on the device

The device has been restored. No Two-Step prompt.

Sure enough, the suggestive bananas were there in the restored camera roll, and shared photo streams were being synced.

B-a-n-a-n-a-s

Notifications

The only notifications I received during this process were related to me enabling/disabling Find my iPhone on my test device.

I did not get a single push notification or email telling me that a new device was linked to my iCloud account. You receive one when iMessage is enabled on a new device, but as long as the attacker doesn’t enable it, this is quite a quiet process.

Caveats

The phone I used to restore is the same phone I used to take the backup. I do not believe it makes a difference, but if someone knows for a fact that restoring from a different phone would trigger Two-Step Verification, let me know.

So what should we do?

  • Never trust a single security measure to protect you.

Having 2FA, 2SV, MFA or whatever they’ll call it next week is never a replacement for a good password.

  • Enable Two-Step Verification.

It might not be perfect, but it will protect you against password recovery based attacks and will make it easier for you to prevent changes made to your Apple ID without your consent. In fact, you should use Two-Factor Authentication almost everywhere, and if security questions are still necessary, make things up or use random strings saved in a password manager.

  • Be very wary of having your email in the same iCloud account as the rest of your stuff, and do not use it as the recovery email for other services.

Once someone has gained access to your main email account, getting into your Dropbox account, Facebook account and more becomes trivial.

  • Be careful when blaming users for using weak passwords.

I know for a fact that very old Apple IDs with very weak passwords were not forced to change it to a more secure one, as the minimum password complexity policy was updated but there is no password maximum age. Educate people, but realize that people do not have to know how injection works to safely drive a car.

  • Be careful when you recommend things to the less technically savvy. In this case, Two-Step Verification would not have been a silver bullet. Is there ever one?

We know about this because there were nude pictures of attractive celebrities. Compromises by the same kind of attack, where the stolen data is of no interest to the general public or the media, are probably extremely common.

What should celebrities do?

Be aware that you are way more at risk than regular users/normal people. Most regular users are at risk of automated attacks, but not targeted attacks.

Follow good password hygiene, store the bare minimum in cloud services, and obtain the services of an information security professional to give you basic training.

What should Apple do?

We’ve seen companies such as Amazon looking actively for leaked credentials on sites like GitHub.

Apple should be more proactive towards weak passwords and failed login attempts, and should especially try to detect passwords that were leaked in other breaches and force a password change on those. Some services like Box even offer to warn you any time you login. Services like Google Apps detect and notify you on suspicious logins, and provide you with more information to see how and from where your data was accessed.
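One way a service could do the leaked-password check suggested here, as an added example (not Apple's implementation): the k-anonymity scheme in which the client sends only the first five hex characters of the password's SHA-1 and compares the returned hash suffixes locally, so the lookup service never sees the full hash or the password. `range_query` stands in for such a service using a small constructed corpus, and the `sign_in_policy` function, including its minimum length, is an assumption about what a service could enforce at sign-in.

```python
import hashlib

# Constructed stand-in for a corpus of passwords exposed in other breaches.
LEAKED = {"password", "123456", "letmein", "qwerty", "iloveyou"}
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in LEAKED}

MIN_LENGTH = 8   # assumed policy value, not Apple's


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, as range-query services expect."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix):
    """Stand-in for a k-anonymity range endpoint.

    Given the first 5 hex characters of a SHA-1, return the suffixes of every
    leaked hash sharing that prefix.  The caller never transmits the full hash,
    so the service learns only that the password falls in a bucket of roughly
    1/16^5 of the hash space."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password):
    """True when the password's hash appears in the corpus; the comparison of
    the 35-character suffix happens on the client side."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def sign_in_policy(password):
    """Decide what happens at sign-in: 'leaked' and 'weak' both mean the
    service should force a password change instead of merely logging."""
    if is_leaked(password):
        return "leaked"
    if len(password) < MIN_LENGTH:
        return "weak"
    return "ok"


if __name__ == "__main__":
    for candidate in ("letmein", "abc", "correct horse battery staple"):
        print(candidate, "->", sign_in_policy(candidate))
```

The check runs at sign-in rather than only at password creation, which is the point made above: accounts created under an older, laxer policy are never revisited otherwise.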

Apple should make it easier to change iCloud / Apple ID passwords without receiving an insane amount of password prompts on every device. It is currently mind boggling. I expect that Touch ID being available on more and more Apple devices soon will help Apple redefine their iCloud / Password management strategy.

Apple should also improve their 2SV to cover iCloud services. It is not an easy thing to fix, especially in cases where the user only has one trusted device, but if someone can pull it off, it would have to be a company that’s very good at user experience and has roughly unlimited money.

Oh, and they should call it something other than Two-Step Verification.

More Reading on the Subject

Mark Stanislav / Duo Security: End User Authentication Security on the Internet

Rich Mogull: iCloud Flaw Not Source of Celebrity Photo Theft

Jonathan Zdziarski: TL;DR: Hacked Celebrity iCloud Accounts

Posted in Apple, Internet, Privacy, Security | 1 Comment

BSidesLV Talk on iOS URL Schemes

Seeing as “RTFM 0Days” are popular for iOS today, if you are looking for those, I highly recommend watching my BSidesLV presentation. Examples start at around 10 minutes in.

Posted in Apple, Security | Leave a comment

RTFM 0day in iOS apps – Algorithm.dk

RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – Algorithm.dk.

I’ve been talking and writing about this for about a year, and this is another GREAT set of examples and techniques.
If you want to see examples as well as help on how to find these, I highly recommend that you watch my presentation, which I have just posted as well.

Posted in Apple, Privacy, Security | Leave a comment

Trolling as a Service (TaaS)

We live in a world of services. From infrastructure to software, everything is a service. Even pizza.

Today, I officially introduce the concept of TaaS (Trolling as a Service). The goal of TaaS is to allow you to troll a person while leveraging economies of scale.

First of all, you will need the “aaS” part. I used Fancyhands (yes, this is a referral link that gives me some credit with them and half a month off to new TaaS users). The amazing thing about TaaS is that you can prank a person perfectly as the person pranking does not even know that the whole thing is a prank. If you are not telling the truth but you aren’t aware of that fact, you are the best liar in the world.

My first and only attempt (yet) at using TaaS was to prank Andreas Lindh, a world renowned information security researcher. I had seen him endorse other people for “Unicorns” on LinkedIn, obviously as a joke. I got in touch with my TaaS.

Find a way to get in touch on the phone or voicemail with Andreas Lindh at work and ask him if his Unicorn endorsements are for sale, and if so, for how much.

Note that I do not mention that this is a prank. For sure, the person reading this might have guessed so, but does not know for sure. Asking me might’ve been awkward too. What if unicorns were real?

Then, I received two of the greatest emails I ever received:

I would be happy to assist you with this request.
I shall give him a call tomorrow during Sweden’s business hours and find out if these are for sale for you and if so, how much they are priced at. I thank you for your patience.

So professional.

I called them a couple of times and they are not answering. Their message was in Swedish so I was unable to understand what it said. I wanted to ask, are you open to me sending them an email?

Email was obviously out of the picture very fast. I insisted on a phone Troll payload delivery, even if it meant waiting a few more days. I then received this.

I called and was able to reach Andreas. He was wondering why I was calling, because he said that a friend put that in his LinkedIn page and that the Unicorn endorsements are just a joke. He also thought that perhaps I was a person calling for a friend of his to play upon this joke. He was in no way upset about the call and had a good laugh and apologized for any misunderstanding. I thanked him kindly for his time and wished him a wonderful rest of his day. I hope this helps. But, if you should need anything else in regards to this task, please do not hesitate to contact me. Please be well and enjoy your week ahead. Take care.

I was almost dying of laughter when I saw this show up in my Twitter Timeline.

Posted in Internet | Leave a comment

Using Little Snitch to save your mobile data plan when tethering

OS X is not really aware of your network situation. This can become expensive when tethering, especially if you are roaming or if your data plan is relatively small. Until OS X has a way for applications to detect usage of “expensive” connectivity, a user without third party applications must simply “be careful”.

In a world of cloud services, cloud backups, automatic updates and automated file synchronization, this can be extremely difficult. Who hasn’t downloaded a bunch of App Store updates by opening iTunes by mistake while tethering?

In your Little Snitch 3 rules, create a profile called Tethering (or anything you want, really). This profile will contain mostly Deny rules.

Ensure rules that are “Effective in all profiles” are sufficient for your basic on the road usage, and then, in the Tethering profile, completely block network access from any application or daemon that is only used for network updates, and block the access to the update server of other applications. Doing this for applications such as Dropbox can also be useful.

Some definite must haves:

  • App Store – Deny All
  • bookstoreagent – Deny All
  • Crashplan / Backblaze / Other Cloud backup services – Deny All (Yeah, I know Crashplan can block itself on certain networks. Better safe than sorry.)
  • Google Software Update – Deny All
  • GoogleSoftwareUpdateDaemon – Deny All
  • GPG Keychain Access – Deny to gpgtools.org (If you want to be able to look keys up on servers).
  • HazelHelper – Deny to update.noodlesoft.com
  • helpd – Deny All
  • iTunes – Deny All. You might want to do something more granular here, but you need to ensure no iOS App Store apps get updated, no music gets automatically downloaded, and especially no movies or TV shows. It’s easier and safer to Deny All.
  • Microsoft AU Daemon – Deny All
  • Omnifocus – Deny to www.omnigroup.com
  • softwareupdated – Deny All
  • TextMate – Deny All

This list will of course vary a lot depending on the software you use, but some are almost universal (OS, Browsers, etc).

Edit: As seen in the comments below, it is always better to DENY by default. This is actually what I do. I have 3 profiles. One with the bare minimum functionality I need, which always applies, one for home and one for tethering. The only reason I have these explicit denies in the tethering profile is so I do not get bugged by apps requesting access. That way, anything I have not explicitly granted access to will not destroy my data plan. The Home profile is where I allow bandwidth intensive or privacy/risky applications to run.

Little Snitch Profiles

Mail.app tip: Ensure you only allow access to the secured protocols (SMTPTLS, IMAPSSL, etc). This will prevent a misconfiguration from resulting in a leaked password.

Once your profile is ready, disconnect from your real network and enable tethering on your phone. Do this over Bluetooth, then WiFi, then USB, to ensure Little Snitch associates all of these with Tethering. When using slow or untrustworthy WiFi networks when you should definitely not be updating software, you can also tag them as Tethering.
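The default-deny model described above, as an added example (not Little Snitch's code or its rule file format): rules effective in all profiles, a Tethering profile carrying some of the explicit denies from the list, a Home profile that allows the bandwidth-hungry services, and an evaluator that reports whether a connection was decided by a rule or fell through to the default, which is the case where Little Snitch would prompt. The precedence (any matching deny, then any matching allow, then deny) and the Home profile contents are assumptions made for this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    process: str
    action: str            # "allow" or "deny"
    host: str = "*"        # "*" matches any destination host
    ports: tuple = ()      # empty tuple matches any port


# "Effective in all profiles": the bare minimum for working on the road (constructed).
ALWAYS = [
    Rule("Safari", "allow"),
    # Mail.app tip from the post: only the SSL/TLS ports, so a misconfigured
    # account cannot send a password in the clear.
    Rule("Mail", "allow", "*", (993, 465, 587)),
]

# Tethering profile: explicit denies taken from the post's list, so that the
# affected apps do not keep asking for access.
TETHERING = [
    Rule("App Store", "deny"),
    Rule("softwareupdated", "deny"),
    Rule("iTunes", "deny"),
    Rule("Google Software Update", "deny"),
    Rule("HazelHelper", "deny", "update.noodlesoft.com"),
    Rule("Omnifocus", "deny", "www.omnigroup.com"),
]

# Home profile: bandwidth-heavy services are allowed only here (constructed).
HOME = [
    Rule("Dropbox", "allow"),
    Rule("App Store", "allow"),
    Rule("softwareupdated", "allow"),
]

PROFILES = {"home": HOME, "tethering": TETHERING}


def decide(process, host, port, profile):
    """Return (action, source) for one outgoing connection.

    source is 'rule' when some rule matched and 'default' when none did; the
    default is deny, and it is the situation in which the user gets prompted.
    Precedence is an assumption of this model: deny beats allow."""
    rules = ALWAYS + PROFILES[profile]
    matched = [
        r for r in rules
        if r.process == process
        and r.host in ("*", host)
        and (not r.ports or port in r.ports)
    ]
    if any(r.action == "deny" for r in matched):
        return ("deny", "rule")
    if any(r.action == "allow" for r in matched):
        return ("allow", "rule")
    return ("deny", "default")


def unprompted(process, host, port, profile):
    """True when a rule settled the connection, i.e. no prompt would appear."""
    return decide(process, host, port, profile)[1] == "rule"


if __name__ == "__main__":
    for conn in [("Mail", "imap.example.com", 143), ("Mail", "imap.example.com", 993),
                 ("App Store", "example.invalid", 443), ("Dropbox", "example.invalid", 443)]:
        print(conn, {p: decide(*conn, p) for p in PROFILES})
```

Note how Dropbox on Tethering is denied without any explicit rule: that is the default-deny stance doing the work, with the explicit denies only there to silence prompts.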

I’ve been doing this for 2–3 months now, and it has helped me not be stuck without data for a few days before the end of the month!

Posted in Apple | 7 Comments

Uninstalling Aviator Browser for Mac

After removing Aviator, I noticed a background process trying to reach the update server.

Obviously, I had not properly uninstalled it. I could not find authoritative information on how to do so on Aviator’s website, so after getting in touch with them, they’ve provided this list. They want to make an application to do that automatically, but it is simple enough to do by hand. I feel like this information should at least be easily Google-able right now, so here is what they sent me:

  1. Quit out from the Aviator process
  2. Delete Aviator.app from /Applications folder (install path).
  3. Delete Aviator folder from /Users//Library/Application Support folder.
  4. Delete Aviator folder from /Users//Library/
  5. Delete Aviator folder from /Users//Library/Caches
  6. Delete com.aviator.agent.plist file from /Users//Library/LaunchAgents.
  7. Restart the machine to remove the in-memory process
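The same removal as a script, added here as an example and not a tool from Aviator's developers: it stops the launch agent and the browser process, removes the listed paths and returns what it removed. The home and Applications directories are parameters so the script can be rehearsed against a scratch directory before it touches a real account; the `Aviator` process name and the absence of any other leftover files are assumptions.

```python
import shutil
import subprocess
from pathlib import Path

AGENT_PLIST = "com.aviator.agent.plist"   # file name from the vendor's list


def aviator_paths(home, apps):
    """The locations named in the vendor's removal list, with the user's home
    directory filled in for the elided user name."""
    home, apps = Path(home), Path(apps)
    return [
        apps / "Aviator.app",
        home / "Library" / "Application Support" / "Aviator",
        home / "Library" / "Aviator",
        home / "Library" / "Caches" / "Aviator",
        home / "Library" / "LaunchAgents" / AGENT_PLIST,
    ]


def uninstall(home=Path.home(), apps=Path("/Applications"), dry_run=False):
    """Remove Aviator's files and return the list of paths removed.

    With dry_run=True nothing is stopped or deleted; the list shows what would
    go.  A reboot (the list's last step) is left to the user."""
    home, apps = Path(home), Path(apps)
    plist = home / "Library" / "LaunchAgents" / AGENT_PLIST
    if not dry_run:
        # Step 1: stop the background agent so it cannot respawn anything,
        # then the browser itself.  Both calls are best-effort.
        if shutil.which("launchctl") and plist.exists():
            subprocess.run(["launchctl", "unload", str(plist)],
                           check=False, capture_output=True)
        if shutil.which("pkill"):
            subprocess.run(["pkill", "-x", "Aviator"], check=False, capture_output=True)
    removed = []
    for p in aviator_paths(home, apps):
        if not (p.is_symlink() or p.exists()):
            continue
        if not dry_run:
            # .app bundles and the support folders are directories; the plist
            # and any symlink are removed as single entries.
            if p.is_dir() and not p.is_symlink():
                shutil.rmtree(p)
            else:
                p.unlink()
        removed.append(p)
    return removed


if __name__ == "__main__":
    for p in uninstall(dry_run=True):
        print("would remove:", p)
```

Running it once with `dry_run=True` shows which of the listed locations actually exist on the machine before anything is deleted.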

And now it seems cleaner.

Posted in Apple, Security | 2 Comments

My Quick Analysis and Understanding of the Trustwave Zero Malware Guarantee

Trustwave announced a Zero Malware Guarantee for their Managed Anti-Malware solution.

As any responsible consumer probably does, such claims typically trigger my “What’s the catch?” behavior. As the full terms are available easily, I figured I would try to understand what it really means. If any of my assumptions are wrong, please get in touch with me and let me know why, or why you think so.

Disclaimer: I am not a lawyer. I have not used the product. I am not affiliated with Trustwave.

Definition of malware

If someone promises complete protection against something, that something must be defined. From point 1.a in the terms:

Malware is defined as any client side exploit which is triggered during web browsing, including exploits of vulnerabilities in popular browsers and 3rd party browser plug-ins. This includes the most popular plugins such as Adobe Flash, Adobe Acrobat Reader and Oracle Java. For embedded content such as Java, PDF and Flash, the malware definition includes the page that has embedded the content. Client side exploits don’t include categories such as XSS, CSRF and other server side vulnerabilities.

My understanding is that regular malicious code contained in a normal executable file of any type is not covered by this. Only malware that exploits vulnerabilities in the client software used to browse the web is included. To me, this means that a user downloading a malicious EXE, Jar or ZIP and subsequently running the code would not trigger a “Guarantee reimbursement” event.

Some minimum requirements

Points 4 and 5 look to enforce a minimum level of configuration that is expected for the guarantee to be applicable. The list of settings is quite clear, and is provided in the same document. A good example is this one:

HTTPS scanning must be enabled. If disabled, Managed Anti-Malware Service cannot inspect HTTPS traffic (i.e., traffic encrypted with SSL).

Obviously, any exceptions made by the customer resulting in a malware infection are not covered either.

How do you claim?

Let’s assume you get infected by a technique that is covered within their malware definition, and you detect it using different methods.

Not only do you need to provide the URLs, but you also need to provide the sample files, and most of all, the malware must still be available at the previously mentioned URLs.

The original infection URL(s) (up to 10 URLs for each claim), and the date they were browsed. If the URL is no longer malicious at the time of investigation, the claim will be determined to be invalid.

So if you wait until the source is cleaned before filing your claim, you will not get anything. Even if you do not wait, it has to still be there when they perform the investigation.

Performing analysis to obtain the original source URL is one thing, but you also must provide the embedding page, which could be challenging if it has been taken down, or if you are an SMB with low levels of information security skills or maturity. Don’t get infected twice…

In the case of embedded content (Java, PDF, Flash, Silverlight), the embedding page must also be provided.

How much free service will you get?

From Terms and Conditions 6:

You are limited to one (1) warranty claim per calendar quarter.

From Making a Warranty Claim 5:

If your claim is validated and approved, you will receive a new license key for your additional free month of service.

What I understand from this is that you are therefore limited to a rebate of 33%, no matter what the amount or frequency of malware detection is.

Bottom Line

This is a splashy way to offer a rebate of up to 33% to companies who will most probably not have the skills or resources to prove that what is defined as malware got through. And those who do might consider that the time needed to do that, combined with the odds that the source server will be cleaned “too fast”, is not worth spending.

If it helps prevent some clients from disabling security features that are enabled by default, that will be a net gain for security.

Posted in Security | Leave a comment

Security OPML Sharing Webring

After a few exchanges with Joseph Sokoly and James Arlen I realized that sharing lists of RSS subscriptions is useful. I try to strike a balance between useful content while avoiding redundancy.

This OPML includes my security related RSS subscriptions, as well as some Apple related ones in a different category.

Feel free to post yours elsewhere and link to it from a comment.
OPML File

My current RSS setup:

  • Feedly as the sync back-end. I don’t like their site, and I don’t like the stuff they pulled on sites by rewriting URLs and so on in the past.
  • Unread by Jared Sinclair on iPhone. It is the cleanest looking RSS reader for iPhone, it’s fast and it supports Feedly
  • Reeder 2 on iPad. It’s great on iPhone too, but I prefer Unread. On iPad, nothing beats it.
  • Readkit on Mac. It is not great but it’s been pretty stable for a few months now. It works well with Feedly. Reeder 2 for Mac is in beta and will probably replace it.

Posted in Apple, Internet, Security | Leave a comment

Panic Blog » Coda 2.5 and the Mac App Store

Panic Blog » Coda 2.5 and the Mac App Store.

One of the best Mac developers around has decided to pull out of the App Store due to concerns related to sandboxing. I would love to know what could not work in their app due to sandboxing requirements.

Because they are pulling out of the App Store, they had to create some workarounds to allow existing users to upgrade and create their own sync service, as iCloud sync is restricted to App Store applications.

While Coda is definitely a power-user application, from a security perspective, I would really like the Mac App Store to succeed. Sandboxing, centrally managed updates and the ability to tell Gatekeeper to only run executables from the App Store are very good first-line protections for a casual Mac user.

But if every good app has to be installed separately and sync with a completely different service, everything falls apart.

Posted in Apple, Security | Leave a comment
