Insights For Success

Strategy, Innovation, Leadership and Security

Opsec

How to limit software exploits on your iPhone

GeneralEdward Kiledjian
camera-1842202.jpg

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

  • never open an attachment from an unknown person

  • never open an unexpected attachment from a known contact

  • never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person

  • never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

Untitled.png

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

IMG_2967.jpeg

Disable Airdrop

IMG_2987.jpeg

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. 3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)

  3. Choose Receiving Off to disable AirDrop

Disable Bluetooth

IMG_2988.jpeg

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

  1. Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center

  2. Click on the Bluetooth icon to turn it off


Disable JavaScript in Safari

IMG_2989.jpeg

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

  1. Open the Settings App

  2. Find Safari

  3. Scroll to the bottom until you see Advanced

  4. Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

IMG_2990.jpeg

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

  1. Open the Settings App

  2. Open Personal Hotspot

  3. Turn off Allow Others to Join

OPSEC : What should I include in my bug-out bag

GeneralEdward Kiledjian

Search Google for "Bug-out bag," and you will get 137M results. YouTube has a 144K videos discussing it. A Bug-out bag (also called Go Bag, BOB, 72-hour kit, grab bag, a battle box, personal emergency relocation kit) is a small personal maintenance kit that would allow you to survive 72-hours when faced with an emergency. 

Most emergency agencies reconnect you prepare some kind of emergency kit. Emergency Preparedness Canada has a website dedicated to building basic bug-out kits. The US Department of Homeland security offers similar suggestions on their website

Without going overboard, the purpose of this article is to provide general guidelines for the average Joe interested in being better prepared (not for a survivalist or extreme prepper).

Where should I keep it?

Location, location, location... You Bug-out bag is useless if you cannot quickly grab it during an emergency and quickly leave the risk region. 

Your bug-out bag should be kept close to the main exit for your dwelling so you can grab it and go. 

An operational security expert will typically run several scenarios to evaluate possible calamities and what the best exits would be (it isn't always your front door). Spent some time thinking about this and place your bug-out bag close to the exit you are most likely to use (garage, front door, back door, bedroom windows, etc).

Basic bug-out bag items

In security, you can spend a little or a lot, it really depends on your level of paranoia. Most people don't need a 200lb bug-out bag that contains $500 of survival items. So here are the basic everyone should have in their kit:

Documents

  1. National identification documents (originals or copies). These can include drivers licenses, passports, medical identification cards, etc
  2. Keep a couple hundred dollars of cash money in different denominations (assume the electronic payment networks may be unavailable)
  3. A printed list of emergency contacts (local hospitals, police stations, family members, friends, etc) 

Personal Items

  1. A basic $20 first aid kit (from the pharmacy or Costco)
  2. A couple of litres of drinking water in sealed containers
  3. High calorie easy to eat snacks (that do not require preparation)
  4. Head covering (in case you have to walk in the sun, rain or snow), I keep a buff multiuse scarf
  5. Bug repellent
  6. Sunblock
  7. Prescription medication, glasses and contact lenses

Communication Gear

  1. A mobile phone (if possible an extra pre-paid SIM on a different network)
  2. Hand crank powered emergency radio 
  3. Small notebook, pen and pencil
  4. Printed local maps (street and topographic)
  5. A large (at least 20,000 mAh) external battery to charge your electronic gear. My battery of choice right now is the OmniChage Pro

General Gear

  1. A multipurpose knife (my choice is the Victorinox SwissChamp)
  2. Flashlight (ideally something that can be charged with your external battery via USB).
  3. "Normal" candle and weather resistant matches
  4. 550-lb paracord
  5. Handheld mirror
  6. Phrasebook if travelling abroad

The Pack

Talking about Bug-out bags is like discussing religion. Everyone has strong opinions about that the "best" bag is. My recommendation is to choose a backpack (since these balance the weight better and are easier to carry over long distances). 

My only recommendation is to choose something that is as light as possible while being resistant.

Find phishing and malware with a simple search

GeneralEdward Kiledjian

A very important function of any information security team is threat intelligence. Threat Intel can be a complicated and costly service in some cases but can be as simple a running a simple search in other cases. Here is a trick to get you started with the simple and cheap function.

Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link). 

Go down midway on the results page and voila.

The one I highlighted above takes you to a dropbox phishing site

Some may not be fully formed yet. Some may already be taken down but you can find some interesting opportunities for research. 

Simple "script kiddy" level Threat Intel for you.