Insights For Success

Strategy, Innovation, Leadership and Security

How to limit software exploits on your iPhone

General | Edward Kiledjian
Security and usability are contradictory forces. Ultimate usability means less security, and ultimate security means less usability. It is a fine balancing act that every user must perform for themselves.

The iPhone is a well-designed and fairly safe device out of the box, but there are some settings you can change to reduce your odds of getting attacked. Each setting you change will make your device a bit more secure but will take away some useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone is configured out of the box to download iOS updates periodically, but you should also check manually every day (Settings > General > Software Update) so you get patches as quickly as possible. While you are there, make sure both toggles under Automatic Updates (download and install) are on, so a patch that lands overnight is applied without you having to remember.

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day exploits bought from exploit brokers to attack activists, journalists and other people of interest. Some of those exploits are zero-click and need no interaction from the victim at all, so the rules below reduce the risk but do not remove it; that is why the patching and reboot advice in this article still matters.

Like on a traditional computer:

  • never open an attachment from an unknown person

  • never open an unexpected attachment from a known contact

  • never click through on a link (SMS, WhatsApp, Telegram, Twitter, Facebook, Instagram, etc.) from an unknown person

  • never click through on a link in an unexpected message from a known contact

Reboot your device

We have seen many sophisticated and advanced attacks against iOS devices that leverage unknown (therefore unpatched) vulnerabilities, but many of the resulting implants are not persistent: they live in memory only, so after a reboot the attacker has to re-compromise your phone if they want control again. Think of the reboot as a cleanse or detox. Keep in mind that it only buys you time; it does not remove an implant that has achieved persistence, and it does nothing to stop the next exploit from landing.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When either is in use, an orange or green dot appears in the status bar next to the battery indicator.

An orange indicator means an app is using the microphone. If you are legitimately using a feature like Siri it is normal for the dot to show, but it should disappear when you are done; if it does not, something is still listening (legitimately or not).

A green indicator means the camera, or the camera and the microphone together, are being used.

If you open Control Center, the top of the panel shows the most recent app that used the microphone or the camera, so you can identify what triggered the dot.

Disable Airdrop

AirDrop is an Apple technology that lets you quickly and easily share content (files, videos, music, links, etc.) between iOS and macOS devices. AirDrop itself could have vulnerabilities that allow an attacker to push a malicious file to your device without your knowledge, or an attacker could use social engineering to trick you into opening a malicious file. If you need AirDrop occasionally, Contacts Only is a middle ground; Receiving Off is the safest setting.

  1. Swipe up from the bottom (on iPhones with a Home button) or down from the top-right corner (on Face ID iPhones) to open Control Center

  2. 3D Touch or long-press the network settings card (upper-left corner), then tap AirDrop

  3. Choose Receiving Off to disable AirDrop

Disable Bluetooth

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple patches vulnerabilities quickly, there may be unknown vulnerabilities being sold by exploit brokers to threat actors or nation-state attackers. Additionally, many organizations (from law enforcement to shopping mall managers) are known to track people by their Bluetooth address.

If you are not actively using Bluetooth (for example, connected to headphones), you should consider disabling it. Disabling it will cut off the connection between your phone and your Apple Watch until you turn it back on.

  1. Open the Settings app

  2. Tap Bluetooth

  3. Turn the Bluetooth toggle off

Note that tapping the Bluetooth icon in Control Center does not turn the radio off: it only disconnects accessories, Bluetooth stays available for Apple Watch, AirDrop, Continuity and similar Apple features, and it re-enables itself automatically later. Use the Settings app if you actually want the radio off.


Disable JavaScript in Safari

JavaScript powers the modern web, but it is also the language most browser exploit chains are written in. Disabling it removes the largest attack surface in Safari and will significantly improve the security of your device, but it will break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissident, etc.), you may want to turn JavaScript off. Otherwise, you may want to skip this change (i.e., leave it on). This setting only applies to the Safari app itself; third-party browsers have their own settings and are not affected.

  1. Open the Settings App

  2. Find Safari

  3. Scroll to the bottom until you see Advanced

  4. Turn off JavaScript by tapping the toggle switch

Disable WIFI Hotspot

Personal Hotspot is normally off. I am listing it here in case you turned it on.

Personal Hotspot allows other Wi-Fi devices to connect to your smartphone and share its cellular connection (3G, 4G or 5G). Those devices need the hotspot password configured on your phone, but iOS could contain a vulnerability not yet known to Apple that lets a threat actor connect to your device and push malware; leaving the hotspot on keeps that Wi-Fi attack surface exposed all the time. If you do need it, turn it on only while you use it and set a long, unique password.

  1. Open the Settings App

  2. Open Personal Hotspot

  3. Turn off Allow Others to Join

OSINT - Disposable contact sites

General | Edward Kiledjian
The purpose of this blog article is to share some useful sites that will allow you to create temporary contact mechanisms for OSINT, SIGINT or other cyber activities.

This is not an exhaustive list and I am simply listing these here to help you. This listing should not be considered a personal endorsement by me. Do your own research ;-)

Disposable email

10 Minute Mail offers a quick way to receive email at an address that disappears after 10 minutes. This free service is useful when a site requires registration with email verification, you do not want to give away your real address, and it is a one-time activity.

(Screenshot of 10 Minute Mail, taken 2021-02-06)

Email forwarding service

There may be times when you want to protect your email address but need to regularly receive email from an untrusted source, or from a service you need to hide from. This is where AnonAddy comes in. They have a free plan for casual use and paid plans if you need a bit more functionality.

If you are technically inclined and require additional security or privacy, the service is built on an open source project, so you can host it yourself as well.

Send faxes anonymously for free

FaxZero is a service that lets you send faxes for free. They require you to click an email confirmation link before they process your fax, which is why I listed the email services above. FaxZero also offers a paid service if you need priority faxing or higher volumes. My best recommendation is to use the free service at times when you expect them to be less busy, so your faxes go out sooner. In my testing (over 3 months), 95% of my faxes sent with the free service went out within 20 minutes.

Send a Free anonymous text message (SMS)

Globfone is a free web-based service that lets you send SMS messages to almost any phone on any network anywhere in the world. It is anonymous and requires no registration. It appends a small ad to the end of your SMS that reads "/try Globfone". Note that "anonymous" here means the recipient does not see your number; the operator still sees your IP address and the message content, so use a VPN or Tor if that matters for your activity.

The other services listed on their site seem much less reliable but the SMS one has worked every time.

Receive SMS messages

There may be times when you need a temporary, disposable inbound SMS number. This is where SMStoMe shines. It is a free service and requires no registration. Remember that the inbound numbers are shared: anything sent to them, including verification codes, is visible to everyone, so never tie an account you care about to one. Numbers are refreshed every 30 days and can receive SMS messages from any network in the world.

Free WIFI cellphone number

There are many free Wi-Fi calling and SMS services out there, but the one I have found to be the most reliable is TextNow. You can buy an ad-free service with number protection for about $40 a year, but the basic service (which should meet your OSINT needs) is free.

My view of the TikTok risk

General | Edward Kiledjian
This is an opinion piece.

TikTok is a Chinese social media network that allows creators to publish short videos. It started with a ton of slapstick comedy and karaoke but has since matured with much more diverse content. It has become one of the most popular social media platforms because of its powerful video pairing algorithm. It has an incredible ability to show you a continuous stream of content you will find interesting, and it is usually correct. 

You can see samples on their trending webpage without needing an account.

TikTok belongs to a large Chinese company called ByteDance. This is problematic for western politicians because (it is suspected) Chinese corporations have been stealing IP from their western counterparts for decades. 

But why is the USA talking about banning TikTok (a rare censorship move by the US government)? 

It is important to remember that China has banned most western social media apps within its borders. Without working around the great firewall of China, a citizen cannot access Facebook, Twitter, Reddit, or any Google property. It banned them to stifle conversation, to censor free speech and to monitor its citizens. 

You can use a website like Blocked In China or Comparitech to check if a site is accessible from China

I have lived in Hong Kong and worked in China for a considerable amount of time. So I hope that I can bring some interesting perspectives about China and this TikTok discussion.

The first thing to remember is that you cannot evaluate this matter through an American lens. 

Every medium-sized company or larger (think larger than 50-75 employees) is beholden to the Chinese government. This means that the Chinese government can seize, capture or use any information held by any Chinese company. Unlike US authorities, they do not need a court order to undertake any of these activities. Even though the Chinese government has allowed companies to operate with a semi-capitalistic model, they theoretically own all Chinese companies operating in China.

A riskier point is (it is said) the fact that the Chinese government incentivizes Chinese companies and citizens to expand internationally and sign partnerships with western organizations in order to steal IP. The goal (it is said) is to use this knowledge to build a Chinese variant. Once perfected, the end goal is to export the Chinese version overseas and take over that market (this works in every vertical, from clothing to aerospace).

Read about their 14th five-year plan here. Think of the five-year plan as a master blueprint for their economy. It lists the industries they want to lead in during that five-year period. The next one (2021-2025) will cover the environment and green tech. During those five years, they want to become industry leaders at any cost (remember the IP theft claim above).

If you watched Silicon Valley on HBO, they alluded to this characteristic when Jìan-Yáng "borrowed" American company ideas to start copies in China (time-code 0:44). 

Sometimes patriotic hackers also attack foreign companies to aid China. The US Department of Justice pinned the Equifax hack on four Chinese military hackers. This hack gave the hackers, and (it is said) the Chinese government, access to the credit records of millions of Americans. They also had access to confidential Equifax business processes.

So what?

Let's summarise

  • every Chinese company is owned by the Chinese government

  • The Chinese government has access to all the data these Chinese companies have

So considering the above, prima facie, Tiktok should be a national security threat. Last year American senators "woke up" and asked their national intelligence agencies for analysis. 

Obviously, Tiktok pushed back by saying that they use American servers running in the USA. TikTok also appointed an American CEO.

Think of all the data these companies collect about you (name, location, social graph, habits, likes, etc.). Used "properly" it can generate a ton of obviously useful and some less obviously useful data points. 

Read my 2014 article about how Target predicted that its customers were pregnant before they knew it, by data-mining their buying habits. Now imagine what could be done with far more information.

Regardless of where the data sits, the company that owns TikTok is ByteDance, a large, fully Chinese organization. Even if the data sits in the USA, ByteDance (it is believed) cannot refuse a request from the Chinese government (regardless of where the data sits). 

Remember that Chinese employees have access to the American servers and data. It is claimed that ByteDance has ties to the communist party back home. All of these simply bring TikTok closer to the Chinese government and make obtaining information that much simpler. 

In addition to concerns about China gaining access to traditional social media users’ data, there is the concern of TikTok being a tool to exercise soft power. 

A popular tool used in cyber offensive activities is Psychological Operations (PsyOps). The goal of a psyops program is to secretly fuel the fire in a foreign country's population to take actions desirable to you. 

We heard about TikTok users coordinating on the platform to troll Trump's Tulsa rally. 

Was this truly a grassroots movement, or was a foreign adversary secretly working in the background to encourage actions aligned with its interests? Remember that a good psyops program is secret and almost impossible to identify. 

Americans see TikTok as a bastion of free speech, but it isn't. Many have claimed Tiktok removes other types of videos that would not normally be considered bad in the west:

  • TikTok Is Reportedly Removing Videos of People with "Abnormal Body Shapes" 

  • TikTok 'tried to filter out videos from ugly, poor or disabled users' 

We have heard other complaints about videos critical of China also were removed. I don't know if this is true, but it would be consistent with how we believe China operates. Don't forget China uses TikTok to flex its soft power by encouraging creators to publish pro Chinese content. 

This goes back to the original point of not evaluating TikTok through your American lens. Whereas the removal rules for videos on YouTube, Facebook or Twitter are relatively well accepted (harmful content, child abuse, exploitation, promoting hate, etc.), Chinese rules for removing content are very different. China has an ambiguous law that aims to "prevent the spread of rumours". What constitutes a rumour is purposefully vague, and this law has been used to shut down dissenting voices. Looking at online complaints about the types of videos actually being taken down, the pattern seems more aligned with enforcing this law to protect Chinese "face".

My assessment is that the Chinese government doesn't care about users discussing American politics. They want to ensure no one criticizes China, the Chinese system or the government's authoritarian rule. This is exemplified by TikTok deleting a video by a makeup channel. She talked about the plight of the Uyghur while doing her makeup and had her video deleted. 

China believes in free speech as long as it doesn't impact them or their narrative of the world. Try searching TikTok for videos discussing Hong Kong independence, Taiwan independence, or anything else criticizing China. 

Here is a shocking trend for you. Teens in the US and Europe that believe they may have been shadowbanned will publish videos with the Chinese national anthem playing in the background, with pictures of Xi Jinping and professing their love for China. Even though this is being done mockingly, doing this enough could have unintended psychological consequences and start creating positive associations in these teens about China.

Conclusion

I am anxious to see if the USA will ban TikTok and on what grounds. Will they conduct a full and impartial review, or will it simply be a decision of political convenience? Don't get me wrong: as a security professional, I don't trust any company based in China that is beholden to the Chinese government. The general public making dance videos may not care:

  • that their data could be used to build a profile of each user

  • that, if the Chinese government wanted, it could use the videos to create a sizeable facial recognition database with a robust social graph

  • that this data, merged with data from other breaches and leaks, could help build a reasonably reliable profile of hundreds of millions of people

  • that the platform could be used to sway younger voters in a political direction more aligned with Chinese interests

I am also curious about how the US would implement a ban. Even if they mandated that the app stores remove the app, Android users could sideload it, or TikTok could build a Progressive Web App (a web page that looks and acts like an app). We simply don't have the same censorship tools as China.

I don't know if the platform IS a risk to national security, but I personally don’t trust it.

If I start seeing more "Chinese contraband" content on TikTok, then I will be inclined to believe they are independent of the Chinese government. I want to see

  • videos about the Muslim minorities being sent to re-education camps

  • videos asking for freedom to be restored in Hong Kong

  • videos talking about Taiwanese independence

  • videos criticizing the communist government

  • videos discussing the persecution (even imprisonment) of Falun Gong members

Until then, I hope users understand what could happen with their data. Particularly parents of younger children. Once something is uploaded to the internet, it can never really be removed.

Want to be a cyber super spy, try the Shin Bet intelligence challenge

General | Edward Kiledjian

Shin Bet (also known as Shabak) is the Israeli Security Agency, and they are looking for technologically savvy intelligence agents. To discover these rough diamonds, they have created a new online challenge website called the "Shabak Challenge."

You can access this challenge website here. Visitors are challenged to identify a group of terrorists known as “White September”. The introduction on the page says

White September (WS) is a group of arch-terrorists. They are connected to the global Jihadist movement, and are funded by Iran and Hezbollah. Several weeks ago, they used the darknet to declare their intentions of carrying out a mega terror attack in Israel. They nicknamed the operation “Israeli September 11th”. These people are highly sophisticated and utterly merciless.

According to Channel 2, 150,000 would-be analysts (from Russia, France, the USA, the UK, Turkey, Iraq, etc.) have already visited the site, but only 2 have successfully completed the challenge. The challenge requires familiarity with advanced hardware and software technologies.

Here is a YouTube ad for the Security Service

Chinese developer charged with espionage

General | Edward Kiledjian

Image by Katy Levinson used under Creative Commons License

American federal authorities have charged a Chinese developer (a former IBM employee) with stealing source code from Big Blue. The defendant, Xu Jiaqiang, was arrested by the FBI in December, and the indictment has since been expanded from the original single count to six: three counts of economic espionage and three counts of theft of trade secrets.

The prosecutor claims the source code, described as "a product of decades of work", was stolen to benefit Chinese authorities. He was caught while trying to sell his stolen assets to two undercover law enforcement agents. The American claim is that he also intended to provide it to the National Health and Family Planning Commission of the People's Republic of China.

If he is found guilty on all charges, he faces up to 75 years in prison.