Insights For Success

Strategy, Innovation, Leadership and Security

OPSEC

How to limit software exploits on your iPhone

GeneralEdward Kiledjian
camera-1842202.jpg

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

  • never open an attachment from an unknown person

  • never open an unexpected attachment from a known contact

  • never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person

  • never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

Untitled.png

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

IMG_2967.jpeg

Disable Airdrop

IMG_2987.jpeg

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. 3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)

  3. Choose Receiving Off to disable AirDrop

Disable Bluetooth

IMG_2988.jpeg

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. Click on the Bluetooth icon to turn it off


Disable JavaScript in Safari

IMG_2989.jpeg

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

  1. Open the Settings App

  2. Find Safari

  3. Scroll to the bottom until you see Advanced

  4. Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

IMG_2990.jpeg

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

  1. Open the Settings App

  2. Open Personal Hotspot

  3. Turn off Allow Others to Join

Operational security tips to safeguard your privacy when crossing a border

GeneralEdward Kiledjian

Every week I read about another traveller that is hassled at the border to turn over his laptop, tablet or smartphone and their associated passwords. Knowing that a stranger has gone through your personal “stuff” feels dirty (similar to being robbed).

A question I get asked often by readers, friends and colleagues is “How do I travel through international borders without worrying that my life will be put on show for some stranger with a badge?”. You don’t believe that this can happen; here are some interesting articles:

Operational Security 101

The work of physical security and digital (cyber) security are merging fast and you cannot have one without the other. So what is a traveler to do?

  1. Identify your sensitive data. Before travelling, conduct an extensive analysis of the data you will be crossing the border with. This doesn’t just include intellectual property or employee information but remember that once authorities have access to your email, without you present, they can figure out what social media accounts you have, they can reset your password for any site, they can build a social graph of all your contacts (using your email, instant messages and contacts), etc.

  2. Prepare a lists of vulnerabilities you are subject to? You should consider everything from device theft to authorities riffling through your personal data with no regard for privacy.

  3. Determine your risk level for each vulnerability. As long as you back up your data and your device is encrypted, then your risk after a theft is limited to the cost of replacing your device or scrambling to buy a new one while in transit. You will realize your risk level quickly rises when you consider the exponentially increasing risk of having your device analyzed at the border.

  4. Design your countermeasure plan. For each vulnerability, design a mitigation or risk minimization plan. This is what the rest of the article will talk about.

Countermeasures

Like a broken record, I will now extol the virtues of the Chromebooks and why many security professionals rely solely on these devices when security is essential. I know many of you will email me to explain why Google is evil and shouldn’t be trusted. I respect everyone’s opinion, and if you believe using Google products and services doesn’t meet your security requirements, then, by all means, choose something else.

A Chromebook is designed to be reinitialized anytime and to restore its state very quickly. Log into a device connected to a respectable network, and within minutes, you are back up and running with your apps, extensions, bookmarks and settings. Your data is stored in the cloud, and local device storage is encrypted.

Theft

If some numskull steals your device, you will have to buy a new one but at least your data is safely stored in the cloud, and there is no unencrypted data locally to expose you. I have had my device stolen on a train in Europe (on my way to speak at a conference). At my destination, I bought a Chromebook, used the store's WIFI to restore my device, and I was up and running within 30 minutes.

Border inspection

Border inspection is a different beast because they have the authority to force you to turn over your passwords. In this case, the only protection strategy is trickery.

For people crossing the border with sensitive information, I recommend that you use a Chromebook and sync everything to the cloud. Before travelling, you Powerwash the Chromebook (aka set it back to factory default) and then log into it with a dummy Google account.

This Google account should have some emails, contacts, favourites, files stored on your Google drive, etc. It should look like it is an authentic and genuine account. When your device is inspected, it will have nothing of interest, and you will not endanger your “real” data.

Once you cross the border, find a WIFI network, Powerwash your device and log in with your “real” account.

What about your smartphone

I trust the Chromebook Powerwash process enough to reuse a Chromebook that was inspected by border security but not a smartphone. Smartphones (iPhone or Android) do not have the excellent backup and recovery properties of the Chromebook. In most cases, I travel with a real fully loaded smartphone and will destroy it if it is ever taken from me. I will immediately change all my passwords and implement honeypot style detection tools to see if they attempt to exploit me.

What are these detection techniques I am talking about? Well one example is to use the Free Canary Tokens to generate different honeypots in your work environment.

As an example, you create an easy to find (weaponized) Word or PDF file (stored in your Google drive) and phone that sends out a beacon when it is opened. Think of these tools as motion sensors warning you that your digital being is at risk and that you need to take extraordinary measures to protect yourself.

Conclusion

An article about traveller airport border crossing security (OPSEC) can be very long, but I wanted to give you a gentle introduction. If you are a journalist, politician or senior executive at risk, hire a good security consultant to guide you. The most expensive advice is free advice.

If you are a journalist with a reputable organization working on high-risk reporting and need security advice, I am always available to provide free guidance. I believe free and open journalism is a pillar of our modern democracy.


OPSEC - Security when making calls

GeneralEdward Kiledjian

RELATED: OPSEC - Introduction to Malware

RELATED: OPSEC - How to securely delete files

If you are making calls using a cellphone or landline phone then you should assume that your conversation can easily be intercepted by the carrier (providing the service or a government agency that has control over that carrier). Security researchers have even proven that with $1,500 in parts, they can build a cell phone call interception device by pretending they are a cell tower.

Regular phone calls on your cell phone (including SMS and MMS messages) are easily intercepted and should be considered insecure.

What about VOIP?

VOIP stands for Voice Over IP and any app that allows you to make voice calls is typically using VOIP (Whatsapp, Skype, DUO, etc). Many carriers have started offering Voice Over WIFI and Voice Over LTE. VOWIFI and VoLTE have the same security (or insecurity) as making a regular call using your carrier's normal cell network.

Some VOIP software offers decent or good end-to-end encryption. These require both parties to have the same software and typically callout that they use encryption in their literature. But be careful, not all encryption is created equal. Telegram Messenger advertises that it is secure but a deep dive into its model shows it uses "bad" (my opinion) encryption and shouldn't be trusted. 

RELATED: Telegram Messenger isn't as secure as you think

So some VOIP services offer good reliable encryption and others don't. Here are the ones you can rely on.

Signal

I have written about the free open-source Signal messaging app for years. Signal is the defacto reference on how to build solid end-to-end encryption. Their model was so good, they helped Whatsapp when it wanted to improve its security. 

RELATED: Whatsapp to become more secure than Apple Messages

Signal is cross-platform (Windows, Mac, ChromeOS, Chrome Browser). Signal offers a simple encrypted text messaging service and secure encrypted calling service. 

Signal uses your existing number and address book to simplify your authentication and connection with other users. Therefore there is no separate username or password to remember.

I have to highlight the fact that a motivated attacker can still collect metadata from signal calls because the central management servers are still owned by Whisper Systems. Whisper Systems does not have a way to listen in on calls or read messages but they do know who you spoke to, when and for how long. Having said this though, they still offer the most secure and best build encrypted messaging app around, and it is all offered for free.

Jitsi for encrypted video chats

If you want a free open-source tool for encrypted video chats (does audio too) then take a look at Jitsi. It also supports group chats. There is no requirement to sign-up for anything and therefore your personal information isn't sitting on some third-party server, 

You visit the site, enter a meeting name (without spaces and difficult to guess) and share that link with the other participants. It's really all there is to it. Safe, Easy and Secure.

What about Skype or Google Hangouts?

Most VOIP solutions offer transport encryption (which means a third-party like your carrier can't eavesdrop) but the data is managed unencrypted once it reaches the provider's network. In most cases, I discourage the use of these services for situations where security is the utmost priority. One caveat is that Skype has announced that it will work with the Signal team to implement end-to-end encryption (like Whatsapp did) but that is still many months away.  

There are dozens of products that use security to differentiate themselves and most have not been independently reviewed. I recommend you stick to the 2 products mentioned above.

Conclusion

Good security requires some planning but is well worth the effort. Hopefully, this article helps

OPSEC - How to securely delete files

GeneralEdward Kiledjian

You should also read my previous article "OPSEC - Introduction to Malware". 

Most computer (or smartphone/tablet) users believe that when you use the delete function in your operating system, you have securely destroyed the file beyond recovery, but that simply isn't the case. In most cases, the entry to the file was removed from the index but unless that disk space is needed by the operating system, the file is most likely still on the disk (just isn't normally accessible anymore).  The only sure way to ensure that the information is permanently deleted is by using a special process or tool that overwrites the drive. 

Let's talk about solid state drives

Note :  Deleting files from flash drives is very hard (Solid State Disks, USB keys, SD Cards, etc) The information in this post applies only to traditional spinning disks (what we call hard drives). 

The best recommendation I can make for these types of media is to use encryption as soon as you unpack the medium. 

What about Windows

The most widely recommended tool to securely delete a file or write over empty space to ensure previously deleted files aren't recoverable is a freeware tool called Eraser. Once installed, you can right-click a file or folder and choose Eraser > Erase from the right-click menu. 

You can also delete all the previously delete data from your computer by overwriting the empty space. 

What about Mac OS?

On MacOS 10.4 running on a computer with a normal hard drive, you can

  • open the Trash folder
  • Go to Finder > Secure Empty Trash

Unfortunately, in the El Capitan update, Apple removed this option because it could no longer guarantee that the new SSD disks in its devices would overwrite the files. Their comment can be found here and reads:

An issue existed in guaranteeing secure deletion of Trash files on some systems, such as those with flash storage. This issue was addressed by removing the “Secure Empty Trash” option.
— Apple blog

Apple's mitigating control is that they encrypt the entire disk using FileVault and thus without your password, the data would look like jibberish anyway. 

What do I do before selling my computer?

Regardless if you use a Windows or Mac machine, or if you use a hard disk or more modern SSD, the key is to remove the storage medium from the machine before you sell it. Then physically destroy the disk. In the commercial space, we use specialized disk shedders but you can drill holes in it then bank the daylights out of it with a hammer. Just remember to be safe.

How do I dispose of CD-ROMs or DVDs?

Most office supply stores sell inexpensive paper shedders that also shred (or in most cases physically destroy the storage medium) of CD-ROMs and DVDs. I recommend you invest in one of those or physically break the disk into hundreds of pieces using pliers.

OPSEC - Introduction to Malware

GeneralEdward Kiledjian

What is malware

Malware is shorthand for Malicious Software and has been around almost from the start of computing. Its main purpose is to harm the computer or the user. Malware has been known to steal login credentials, monitor the user, tamper with information (breaking integrity), steal information or just making the system unusable. 

Malware can be designed by a nefarious teenager in his mother's basement looking to make a name for himself or by a state-sponsored threat actor against activists or journalists.

How can I tell if my computer is infected

The first rule of thumb is to use the Antivirus product that came with your operating system. As an example, all modern Windows systems are shipped with a self-updating antivirus supported by Microsoft. Third party products have been known to cause issues (here, here, etc).

To be transparent, antivirus will detect standard run of the mill type of malware but anything more sophisticated will easily get through. Larger companies with well-funded security teams typically eschew antivirus for more advanced malware detection tools based on a series of technologies like application behaviour monitoring, machine learning, artificial intelligence and system baselining. Unfortunately, these are not yet available for small operations but expect them to eventually make their way there.

So the question of detecting malware on your computer is a difficult one and often requires a highly skilled technician with precise tools that knows what he/she is looking for.  At the very least, use the tools available to you now:

warning I received when someone in Sao Paulo tried to log into my Lastpass account.

  • Sign up for services that offer 2-factor authentication (so malware can't log into your account by simply stealing a password) and that will notify you of unusual behaviour (Google, LastPass, etc). 
  • Notice subtle indicators. Pay attention to your computer and look for subtle inconsistencies. Does your webcam light turn on when you are not using it? Does it look like you sent an email you don't remember sending? Does an online service show a login time you know you weren't working?  Pay attention to subtle cues.

How did I get infected?

The most common technique used by threat actors is to trick the user into installing malware pretending to be something else. It can pretend to be a system update. It can pretend to be a holiday card from a family member. It can pretend to be a work file from your boss. It can be a drive-by download where your system is exploited simply by being vulnerable and you visiting a carefully crafted webpage. 

  • Link to a malware site can be disguised as a link to a popular internet site (Apple, Amazon, Microsoft), shared content (a document, holiday card, music file, etc) or a fake system update (flash update, etc).
  • You may be targetted via email. It is common for highly skilled threat actors to compromise the systems of people you trust and use that trust to trick you into running malware, visiting a malware site or performing an action you otherwise would not. Remeber that these are often highly skilled practitioners that understand human psychology and will exploit it as needed. This includes chat apps, email, messages on forums, web pages, etc.
  • You can get infected by connecting purpose-built attack hardware to your computer. We have devices that look normal (like the USB Rubber Ducky from Hak5) but that can run attack code without your knowledge as soon as they are connected to your computer. 
  • Someone can gain physical access to your computer and plant malware without your knowledge. In security we consider it game over if anyone has access to your equipment, This is why companies spend large sums of money physically protecting their servers in isolated access controlled cages inside heavily guarded and secured datacenters. 

The more valuable you are as a target the less likely you are to notice the attack. 

How can I protect myself from malware?

  • Make sure you are running legally registered versions of all the products you use daily. Using legal versions entitles you to the latest updates and every security person will recommend keeping all of your software and operating systems updates regularly. Threat actors will often exploit vulnerabilities that have been patched (aka if you update you are protected). 
  • Only install the software you absolutely need. Remember that every software is a potential attack vector. Install only what you need and only download it from the manufacturer never from a download site like CNET, Download.com, etc (to prevent supply chain attacks like CCleaner.) Many of these download sites make money by bundling garbage apps that get silently installed and these can also be used to attack you.
  • Remember that anything you open or click on can compromise your security. Call a sender before opening a file. Download and scan it first with something like VirusTotal before opening it. Never click on links in email or instant messaging. Always go to the URL yourself (obfuscating a malicious link to look 'good' is easy). If you use Gmail, open questionable attachments in Google docs or sheets as this will often strip the malicious content.
  • Remember that one second of forgetfulness is all it takes. Be extra vigilant when browsing the web. Never run anything on the web. Always know that the web can be faked. Even known sites can be compromised and used to inject malware.
  • When travelling to high-risk areas, I usually travel with a Google Chromebook. It auto updates itself. There are very few known attacks against it. Chromebooks have a feature called Powerwash that factory resets the device image to "like new" within 2 minutes. Often times I will powerwash my device before performing sensitive tasks. Also, data is stored in the Google cloud. Regardless of how you feel about their privacy policies, they have proven to be excellent at protecting their users from targeted attacks. Make sure you turn on 2-factor authentication.
  • Turn off your computer and unplug it from a physical network when not in use.

What can I do if I am infected?

  • The first rule is that if you are infected or even suspect that you are infected, forget about cleaning your device and have it completely reinstalled from scratch using known clean installation media. 
  • If you are infected, immediately unplug your computer from the internet (ethernet or WIFI) and shut down your computer.
  • Use a known clean computer to log into your web services and change all your passwords immediately.  
  • If one of your devices is compromised, and you are a high target, assume all your other devices could be compromised and reinstall everything from scratch including your smartphone.
  • If you have support from a government agency, reach out to them and ask them for support. If you are a journalist or activist, reach out to one of the public security support organizations like the Toronto Citizen Lab
  • If you know when you were infected, make sure you restore files from a date prior to the infection. It is critically important to use a backup service that provides version control (e.g. blackblaze version control).