Apple’s Safari browser on IOS is a a solid browser but there are others that provide more privacy and tracker blocking. One of those browsers is Firefox focus.

“In IOS15, Apple added support for Safari extensions on IOS. Firefox can now be used as a standalone browser or as a plugin for Safari. ”

What does Firefox Focus in Safari do?

Privacy

It blocks known trackers such as

ads, analytics and social trackers
Other content trackers – this category includes embedded videos, photo slideshows, and news article embeds that could track you.

Speed

Because part of the website is being blocked, pages will load faster and you will consume less bandwidth (especially important when on LTE).

Unobtrusive

Once you enable it, you will forget about it, use Safari as you would normally do and will gain all of the benefit without having to do anything else.

How to enable in Safari

Step 1

Tap on Settings
Scroll to Safari
Tap Content Blockers
Tap the switch to enable Firefox Focus

Step 2

Open Firefox Focus
Click on the cogwheel to open the settings menu
Tap the switch next to Safari to enable it

How to limit software exploits on your iPhone

February 19, 2021GeneralEdward Kiledjian

Security and usability are contradictory forces. Ultimate usability means less security and ultimate security mean less usability. It is a fine balancing act tat every user must perform themselves.

The iPhone is a well designed and fairly safe device out of the box but there are some settings you can change to reduce your odds of getting attacked. Each setting that you change will make your device a bit more secure but will limit a useful functionality.

This article will walk you through some of the settings that will reduce your susceptibility to software exploitation.

Install patches

Your iPhone should be configured (out of the box) to periodically download software and OS patches but you should check manually every day (to ensure you get the patches as quickly as possible)..

Don’t open that attachment or that link

Although the iPhone has a very mature and sophisticated security model (including sandboxing), we have seen advanced threat actors use zero-day attacks sold by vulnerability merchants to attack freedom fighters, journalists and other people of interest.

Like on a traditional computer:

never open an attachment from an unknown person
never open an unexpected attachment from a known contact
never click through on a link (SMS, Whatsapp, Telegram, Twitter, Facebook, Instagram, etc) from an unknown person
never click through on a link from a known contact but an unexpected message

Reboot your device

We have seen many sophisticated and advanced attacks performed against iOS devices that leverage unknown (therefore unpatched) vulnerabilities but many of them are not persistent. This means that the attacker has to re-compromise your phone if they want control, after a reboot. Think of the reboot as a cleanse or detox.

This has become a standard ritual for me and I regularly restart my phone throughout the day.

Pay attention to the dots

Apple has implemented an ingenious feature to quickly show you if an app is using your camera or your microphone. When in use, an orange or green dot will appear on your top menu bar next to the battery indicator.

An orange indicator means the microphone is being used by an app on your iPhone. Remember that if you are legitimately using this for features like Siri, it is normal that this will show up but it should disappear when you are done or it means something is still listening in (legitimate or not).

A green indicator means either the camera or the camera and the microphone are being used

If you swipe Control Center open, on the top, it will show you the last app that triggered the microphone or the camera

Disable Airdrop

Airdrop is an Apple technology that allows you to quickly and easily share content (files, videos, music, links, etc) between IOS and macOS devices. AirDrop itself could have vulnerabilities that could allow an attacker to send a malicious attack file to your device without your knowledge or they can perform social engineering attack to trick you to click on a malicious file.

Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center
3d touch or long-press the network settings card (in the upper left-hand corner, then click on AirDrop)
Choose Receiving Off to disable AirDrop

Disable Bluetooth

Bluetooth has had many easily exploitable vulnerabilities in the past. Although Apple quickly patches vulnerabilities, there may be unknown vulnerabilities being sold by vulnerability merchants to threat actors or nation-state attackers. Additionally many organizations (from law enforcement to shopping mall managers) are known to track users with their Bluetooth ID.

If you are not actively using Bluetooth (aka connected to headphones for example) then you should consider disabling it. Disabling it will cut off the connection between your phone and Apple Watch (until you turn it on again).

Swipe up (on older phones) or down from the right-hand side of the screen (on modern devices) to show the control center
Click on the Bluetooth icon to turn it off

Disable JavaScript in Safari

JavaScript powers the modern web but has been used in a significant number of web attacks. Disabling JavaScript will significantly improve the security of your device but will likely break many modern websites (rendering them unusable).

If you are a higher-risk individual (politician, journalist, dissent, etc, then you may want to turn JavaScript off. Otherwise, you may want to ignore this change (aka leave it on). Changing this setting only applies to JavaScript inside of the Apple Safari web browser.

Open the Settings App
Find Safari
Scroll to the bottom until you see Advanced
Turn of JavaScript by tapping the toggle switch.

Disable WIFI Hotspot

The WIFI Hotspot is a setting that is normally set to off. I am specifying it here in case you turned it on.

WIFI hotspot allows other WIFI devices to connect to your smartphone and share its LTE connection (3G, 4G or 5G). Obviously, those devices need to have the WIFI Hotspot password that is configured on your smartphone, but it is possible iOS contains a vulnerability not yet known by Apple that could be exploited, this allowing a threat actor to connect to your device and push malware.

Open the Settings App
Open Personal Hotspot
Turn off Allow Others to Join

Ed's favourite things - Best Password Manager

June 26, 2020GeneralEdward Kiledjian

There is no shortage of password managers. Anytime you listen to a podcast or read an online blog post, you will probably be bombarded with ads for tools like Lastpass, Dashlane or 1Password. Add to that list the neverending supply of free password managers (Keepass, BitWarden, RoboForm, etc.)

Free isn’t bad

The truth is there are a lot of very good free password managers. These are great options for users that can't or don't want to spend money. I'll mention my favourite free pic later in the article.

Favourite paid password manager

Before jumping to 1Password a couple of years ago, I had been a paid Lastpass customer for about ten years. I started looking for an alternative because of irritants and an issue I experienced when I needed support, and Lastpass was unresponsive. Plus Lastpass is unrefined and a little clunky. After testing 10 of the best rated paid password managers, I chose 1Password.

Here is why I chose it and why it may be a good fit for you. It supports all the platforms I use, such as Windows, Macs, Chromebooks, iOS devices and Android devices. WatchTower is a great feature Lastpass didn't offer that ensures you aren't reusing passwords, that you are using strong passwords and that you aren't using passwords that are part of a site breach (therefore would already be on a list of passwords hackers would use first to break accounts).

Tell me more, please

1PasswordX for easier browser integration

As a ChromeOS user, 1Password was off-limits for many years because it did not have a self-contained browser extension. The original version of 1Password required that you install the full client on Mac and Windows to support their light browser plug-in. This changed with the release of a product called 1Password X. 1PasswordX works in Google Chrome, Microsoft Edge (Chromium version), Firefox and Opera (Chromium version). 1PasswordX offers all of the password management functionality without requiring any client installation so it also works on ChromeOS.

1Password uses multiple Vaults

1Password has implemented a password grouping concept called a Vault. A Vault is a container that stores all of your 1Password information. During installation, you create a default vault and everything is stored there automatically. But if you are also storing business information, you can create a separate Vault for those.

Another interesting use of Vaults is to improve travel security. We live in a world where our personal privacy is constantly under attack. Nowhere is this more true than when crossing an international border. Border agents can order you to unlock your device and your password vaults. Which would give them access to all of your sites and personal information. You can mark certain Vaults as safe for travel and store the less sensitive passwords here. If your device is inspected at a border crossing, only the vaults marked as safe for travel will appear.

Biometric support

All versions of 1Password support biometric authentication (depending on the features available on the platform of use). Since your main unlock password should be painfully long, this is a wonderful feature to enable on smartphones and tablets.

1Password for the security-conscious

Security is a balancing act competing with usability. My default, 1Password encrypted all of your information (on device) using AES256 before the blob is sent to their servers. This means that if their servers are ever compromised, your passwords are safe, as long as you are using a good strong, long password. You can and should read about their security model here.

If you want, you can be extra paranoid and configure 1Password not to sync the vaults to their servers. This means you can manually copy the encrypted vaults to your devices using whatever mechanism you want. For users that want this standalone model, 1Password does sell a standalone license for Windows and MacOS. Know that the standalone license does not include 1PasswordX. Most users should opt for the “normal” subscription model.

1Password for files

1Password (like Lastpass) gives you 1GB of encrypted cloud storage to store sensitive information you may need while out (think scans of passports, credit cards, health cards, tax papers, etc).

Support

1Password is a Canadian company with Canadian support. Believe it or not, getting in touch with a real human is very easy, not buried 32 levels deep like other products. Their online support site is clean, has well-written articles with nice screenshots and video walkthroughs. This one item sets them apart from many of their competitors.

1Password isn’t perfect

Perfection doesn’t exist in nature or the computer world. By default, the Vaults lock after 1o minutes of inactivity to protect your information. I think this is a desirable feature, but some may find it slightly annoying. You can change this setting but.. should you? I say keep it as is.

A little annoyance is acceptable in exchange for better security. Lastpass has a forever free version that meets the requirements of “normal” users. 1Password does not offer a free version (only a 30-day trial). I believe in paying for good products to encourage the developers and ensure the product survives.

What is the best free password manager?

I tested about ten free password managers while investigating what product I should be using daily. And after reading privacy policies, reading the security model documentation, I tested about ten free password managers while investigating what product I should be using on a daily basis. And after reading privacy policies, reading security whitepapers and testing the products, the winner is…. Bitwarden.

There are three features 1Password offers that differentiate it from Bitwarden. If you don’t need these features, then BitWarden may be a better option for you. The three features are:

WatchTower’s password checkup features
physical hardware security key support (e.g. Yubico)
1GB of encrypted storage

BitwarDen has the essential features every password manager should offer, such as the ability to manually synchronize your data on as many devices as you want, the ability to store an unlimited number of passwords. The free version of BitWarden allows you to share select passwords with one other person (e.g. spouse or partner).

Bitwarden supports a wide range of devices such as Windows, macOS and Linux. It supports all major browsers with a plug-in (Chrome, Firefox, Opera, Microsoft Edge, Safari, Brace). On mobile, it supports both IOS and Android. If you are an uber-geek, BitWarden supports Command Line Interface to its vaults (CLI).

BitWarden uses similar vault security as 1Password but… it does not submit itself to independent security auditing as 1Password does.

BitWarden apps and plug-ins aren’t as polished as 1Password but they are highly functional.

Anytime we talk about free products, I am reminded of the saying “If you aren’t paying for the product, you are the product”. I read the BitWarden privacy policy, Nothing glaringly bad popped out. They don’t sell or share your data for commercial purposes. Although they do have the right to share some anonymized data.

You will get ads for their premium version in their free products, which is understandable. Remember that if you decide to pay, take a look at 1Password first.

How to secure a smartphone

December 28, 2019GeneralEdward Kiledjian

Smartphone hacking is a very lucrative business “threat actors”. Vulnerability broker Zerodium is now paying as much as $2,500,000.00 for an Android full chain (Zero-Click) with persistence.

The increased payouts and interest in smartphone hacking isn’t because they are easy targets but because they are valuable. For most users, the smartphone is like a second brain. It contains personal data and insights like nothing ever has in the past. Access into your smartphone is almost like gaining access into your brain, your thoughts, your beliefs and your habits.

There is this misguided belief in the market than an iPhone is more secure than an Android device. That is not the case. An adequately secured Android can be as (or more) secure than a normally configured iPhone. And Android offers more options to heighten your security where you may need it (whereas iPhone is one size fits all).

As you read through this article, I will try to explain some of the differences.

Who is this tutorial for?

As a security professional, my recommendations are designed based on the threat model of the customer I am advising. This article aims to help a general consumer or business user, that is trying to mitigate the most common and general types of risks. This means that their typical attacker will be a low-resource individual using conventional attack techniques such a stalkerware, scams, social engineering and easily accessible hacking tools.

This article is not for an individual that is targeted by a nation-state or well-funded criminal organization. This last category requires custom attention that cannot be addressed via an article.

What is the goal of strong security?

Total, complete and unbreakable security does not exist. The goal of this article is to set up enough roadblocks that the type of adversary you are dealing with will likely give up and move on to another target. The best analogy is to think of this in terms of a door lock. A good door lock will keep out common criminals but won’t deter a determined, skilled and well-funded adversary.

Is Security the same as privacy?

Privacy is becoming more and more talked about because of very public breaches (Marriott, Equifax, etc.) and new regulations like GDPR or CCPA. Security often will support privacy but not always. There are times when you have to choose one of the other. Where such a choice is required in this article, know that I have chosen the secure option.

Encryption

Most modern devices are encrypted during the initial setup but you should double-check just to be sure.

The EFF published an article explaining how to encrypt IOS devices (from version 4-11).

To maximize the protection encryption offers, you should choose a long (but memorable) alphanumeric password or a 6-8 digit passcode.

An example of a long memorable alphanumeric passphrase is: I3at@ppl3sAtMidn1ght
An example of an 8 digit secure passcode is: 72046290

You should also configure your device to erase all contents after a certain number of failed login attempts. This will protect you from a brute force attack.

Device encryption is a tool to secure your data when someone has physical access to your device but does not have the password (loss or theft of your device). It offers no protection from malware, viruses, or other related nasties.

Find my device

The iPhone and Android offer free tools to find a lost or stolen device. More importantly, they offer the option to remotely wipe your device if you are sure it is lost (not misplaced). For this remote feature to work, you have to ensure that the option is enabled on your device.

Here is the Apple article explaining how to enable Find My Phone on IOS devices.
Here is the Google article explaining how to enable Find My Phone on Android devices.

Remember that this option needs to be enabled before you lose your device (it cannot be done afterwards).

Both IOS and Android require that the phone be powered on and connected to the internet for this feature to work. If you want to remotely wipe your device, do it before you report your phone lost to your carrier (they will immediately deactivate your line and remote wiping won’t work).

Enable two-factor authentication

A chain is only as strong as its weakest link. Today’s smartphone is a powerful network-connected computer. Most smartphones connect back to either an Apple or Apple account. Any compromise of these accounts can lead to a compromise of your smartphone.

Two-factor authentication may sound scary but it is very simple to implement with Apple and Google. By doing this you secure your online presence by making your account more difficult to compromise and more resilient to unauthorized access.

Here is a Google article on how to enable two-factor authentication for a Google account.
Here is an Apple article on how to enable two-factor authentication for an Apple ID.

The modern implementation of this system is that your phone will be pinged by the service (when you are logging in from a computer) or another device connected to your account (when logging in from a mobile device).

When setting up, you will be asked to choose a backup authentication mechanism and you should choose a Time Based One Time Password (TOTP) option. Never choose SMS or email (as those are very easy to compromise).

You will be asked to download a TOTP application and scan the barcode they show during the setup of two-factor authentication. This barcode is a one-time thing and will never be shown again. A good cross-platform TOTP app that synchronize your codes across multiple devices is Authy. Authy is a trusted well-designed app and is completely free.

You can download Authy from the Google Play store (for Android) here
You can download Authy from the iTunes store (for IOS) here

Another good app (that is available on both platforms) is the Google Authenticator app. The Google app does not sync TOTP tokens across devices so if you change your smartphone, you have to revisit each site and reset the two-factor authentication process to get a new seed (aka the barcode).

Another good backup option is using a USB security token. The best option right now is the Yubikey product. It does cost money but is solid and unbroken (as I write this). I am not recommending the Google Titan key because many third party sites that allow two-factor authentication (see the list here) do not support the Google Titan but do support the Yubikey products.

Update, Update, Update

I had to write update three times because it is critically important. Make sure you configure your phone to download and install updates automatically for both the operating system AND the applications.

95% of hacks are made possible because people use insecure passwords, don’t enable two-factor authentication and don’t update their applications & operating systems.

Reboot regularly

We have seen a healthy number of non-persistent malware in the wild. This means that the hack used does not persist after a reboot (aka a reboot get’s rid of the hack). This isn’t always the case but nevertheless, it is a good idea to regularly reboot your device.

Application firewalls

Know that hackers that crack software are not benevolent and that cracked app probably contains malware. Unless you know what you are doing, never download applications from third-party app stores or web sites (this is a problem on Android but not on IOS since Apple does not allow users to side-load applications).

Even apps on the app stores can sometimes become malicious when the original developer sells the app and the new owners push a change containing malware. Apple and Google work hard to prevent this but we have seen examples of this in the real world on both platforms.

Application firewalls are an easy way to control which apps can have access to mobile or WIFI data.

On Android, you can use the NetGuard application available on the Google Play store.
On IOS, you can use the Lockdown application available on the Apple AppStore.

There are other apps available but these are the easiest for the general user. Here is a quick tutorial and overview of NetGuard

Take the time to install and configure one of those apps. Remember that attackers love using loose application permissions to steal information from your device.

As you set this up, take the time to review all of your installed apps and uninstall any that you no longer require (we call this reducing your attack vector). If you use an app once a quarter, install it and use it, then uninstall it.

Some apps request a lot of permissions but will still work if you restrict some of the more worrisome ones (think about access to your location, photos, microphone, etc). As an example, read this article documenting the time Uber switched when it collected user location data and started collecting it all the time.

The app update (it’s 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company. - TechCrunch

Android 10 and IOS 13 both allow you to choose when an app can access your location so ensure you make the right choice and don’t just share your location (or other data) all the time when it may not be required).

Public WIFI is evil

Many companies and venues use WIFI and Bluetooth to track you as you walk around their establishments. Many malls use tools from companies like AisleLabs to track you thus enabling them to target you more accurately. Attackers can use WIFI or Bluetooth to compromise your device as well.

The easiest approach is to assume that all public WIFI is evil.

When not absolutely required, turn off WIFI and Bluetooth.

Do not automatically connect to WIFI networks. I won’t get into the details here (because this is a more general article) but hackers can find out what your home network is called and trick your device into connecting to them (thinking it is that trusted home network).

Anytime you connect to a public (aka not your own WIFI) network, use a VPN to protect your traffic.I won’t discuss which VPN to choose here but stay away from free or very cheap VPNs.

If you aren’t paying for the product, you are the product.

Chose a solid well known provider whose policies and practices have somehow been reviewed.

You can run TOR to secure your traffic but that will be too slow and cumbersome for most users.

Secure backup and cloud

August 31, 2014, hackers released tones of celebrity personal photos and videos (many naked and pornographic in nature). This event was called the fapening and this was made possible because the icloud accounts, used to back up those photos from the smartphones, had been compromised. We don’t believe Apple was compromised but the attackers somehow managed to find the usernames and passwords for these users. Another reason you should enable two-factor authentication now.

Beyond 2 FA, most users may not realize that their information is being backed up to the cloud. Remember that cloud backup is an easy way for attackers to steal your data. Once you have two-factor authentication enabled on your accounts, ask yourself what you should be backing up to the cloud and where it should be backed up.

Remember that if you choose to trust the backup of your default provider (Apple or Google), you are not in control of your data. In most cases, we now the data is saved unencrypted on those services.

Apple has given police data backed up from an iPhone to icloud
Google, Dropbox and others routinely scan your content looking for malware or copyrighted material

I recommend choosing a secure end-to-end encrypted cloud backup service (if you want to use one). Although there are a bunch in the market, I recommend looking at Sync.com. They offer an end to end encrypted product (using the Trust No One Model). This means that as long as you use two-factor authentication and a long passphrase, your content should be relatively secure.

Your Browser

So your browser is one of the most dangerous apps on your smartphone because it is designed to run code from a remote server (aka a webpage). In the worst-case scenarios, a browser can load a malicious zero-click compromise that would take over your phone without you having to do anything and without you even realizing it. Most of these are non-persistent which is why I recommended regularly rebooting your device earlier.

On Android, I recommend you take a look at a browser called Bromite. Unfortunately due to app store rules, they do not offer a version on the Google Play store and you have to sideload it if you want it. Bromite supports ad-blocking natively and it uses the Ublock Origin model.

It also supports DNS over HTTPS (DOH). You can also enable HTTPS Everywhere and configure it to block unencrypted traffic. You should also disable Javascript and sparingly re-enable it for some sites that you absolutely need but that break without Javascript.

On IOS, I recommend the Brave browser (which is also available on Android but Bromite is more secure). You can download Brave from the Apple AppStore here.

Stalkerware

Stalkerware is a category of badware installed on your device by a third party to spy on you and often to track you.

The EFF is spearheading an initiative to fight Stalkerware (read this) because it is often used to victimize you. Think of it as commercial spyware that covertly steals your data and sends it to the stalker. In some cases, the stalker can be an ex but remember that many companies use Mobile Device Management software that often can perform the same function (normally if the device is owned or is allowed to access the corporate network.) In the case of companies, it is most often done for security reasons. Otherwise (in the private space), it is used to victimize or control someone.

If you are not using a corporate phone and suspect something may be going on (in most cases you won’t realize it), the only way to secure your device is to perform a factory reset and restart the set up from scratch.

Remember that the threat actor (partner, ex, etc.) has to access your device to install the stalkerware so never leave your device unlocked, never leave it unattended and choose a long and complicated passphrase.

Other settings

On IOS, choose to Limit Ad Tracking, instructions can be found here. Choose to reset your Advertising ID (instructions here) periodically.

On Android, choose Opt-Out of Interest-based Ads, instructions can be found here.

Conclusion

I know this was probably a dry and long article for most of you but I needed to get it out. This is a question I receive regularly and I wanted to write about it rather than respond individually to each of you. If you have questions or want to send me a note, do it on twitter (my handle is @ekiledjian).

Hope you found this article interesting and useful.

Google launches New Tasks App (Mobile & Web)

April 25, 2018GeneralEdward Kiledjian

In a blog post entitled "With new security and intelligent features, the new Gmail means business", David Thacker (Google VP Product Management, G Suite) announced, "We’re also introducing a new way to manage work on the go with Tasks."

The new refreshed Tasks system will be available on the web and have accompanying mobile apps (Android and IOS). The new updated Tasks system will allow you to create tasks & subtasks with due dates and notifications.

The current tasks was an anemic stand-alone product that barely worked. The new one will integrate into the G Suite and allow you to drag & drop emails from GMAIL, files from Google Drive and more.

“Now you can quickly reference, create or edit Calendar invites, capture ideas in Keep or manage to-dos in Tasks all from a side panel in your inbox.”

— David Thacker

The announcement is happening in the G Suite (Enterprise blog), but this update will flow to the free consumer-friendly version as well.

The Google help centre provides additional information about how all of this will work.

Download the new Android version here and the IOS one here