Insights For Success

Strategy, Innovation, Leadership and Security

iphone

Audit the security of your iOS apps

General / Edward Kiledjian

Checkup on your iOS apps

In iOS 15, the security posture of iOS applications became more visible. Apple introduced a powerful tool that you may not be familiar with.

  • Go to Settings > Privacy

  • Click on Record App Activity at the bottom of the page

  • The toggle should be enabled.

It will record a 7-day summary of how often your apps have requested sensitive access (such as microphone, camera, domains they access, etc.).

Once you have enabled it, come back a week later and be amazed. If you are a more technical user, you can export the report as a JSON file.
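As an added example (not part of the original post), here is a short Python script that summarises an exported report per app: which sensitive categories each app accessed and which domains it contacted most. It assumes the export is newline-delimited JSON with `access` and `networkActivity` records and the field names shown; the sample records, bundle IDs and domains are constructed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON object per line, as assumed for the export.
# Bundle IDs, domains and timestamps are made up; the last line is truncated.
SAMPLE = "\n".join([
    '{"type":"access","accessor":{"identifier":"com.example.chat","identifierType":"bundleID"},"category":"microphone","kind":"intervalBegin","identifier":"A1","timeStamp":"2021-10-01T09:00:00-04:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.chat","identifierType":"bundleID"},"category":"microphone","kind":"intervalEnd","identifier":"A1","timeStamp":"2021-10-01T09:00:05-04:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.game","identifierType":"bundleID"},"category":"location","kind":"intervalBegin","identifier":"B7","timeStamp":"2021-10-02T21:14:00-04:00"}',
    '{"type":"access","accessor":{"identifier":"com.example.game","identifierType":"bundleID"},"category":"location","kind":"intervalBegin","identifier":"B8","timeStamp":"2021-10-03T03:02:00-04:00"}',
    '{"type":"networkActivity","bundleID":"com.example.game","domain":"ads.tracker.example","hits":42,"timeStamp":"2021-10-03T03:02:01-04:00"}',
    '{"type":"networkActivity","bundleID":"com.example.game","domain":"api.game.example","hits":7,"timeStamp":"2021-10-03T03:02:02-04:00"}',
    '{"type":"networkActivity","bundleID":"com.example.chat","domain":"api.chat.example","hits":3',
])


def summarize(ndjson_text):
    """Return (access counts per app, domain hits per app, skipped line count)."""
    access, domains, skipped = defaultdict(Counter), defaultdict(Counter), 0
    for line in filter(None, map(str.strip, ndjson_text.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt line: count it and keep going
            continue
        rtype = rec.get("type") if isinstance(rec, dict) else None
        if rtype == "access":
            # Each access is logged as an intervalBegin/intervalEnd pair;
            # count only the begin record so one access is not counted twice.
            if rec.get("kind") == "intervalBegin":
                app = rec.get("accessor", {}).get("identifier", "unknown")
                access[app][rec.get("category", "unknown")] += 1
        elif rtype == "networkActivity":
            app = rec.get("bundleID", "unknown")
            domains[app][rec.get("domain", "unknown")] += int(rec.get("hits", 1))
        else:
            skipped += 1  # record type this script does not understand
    return access, domains, skipped


def top_domains(domains, app, n=3):
    """Most-contacted domains for one app, highest hit count first."""
    return domains[app].most_common(n)


if __name__ == "__main__":
    access, domains, skipped = summarize(SAMPLE)
    for app in sorted(set(access) | set(domains)):
        print(app, dict(access[app]), top_domains(domains, app))
    print("skipped lines:", skipped)
```

To run it on a real export, read the exported file into a string and pass it to `summarize` in place of `SAMPLE`.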

KeepSolid VPN Unlimited Review

General / Edward Kiledjian

VPN Unlimited is one of the most popular VPN services available and for good reason. It is fast, reliable and competitively priced (deal below).

VPN Unlimited is a USA-based provider and offers termination in more than 30 countries (with multiple locations in most countries). VPN Unlimited has good platform support (Windows, Mac, iPhone, iPad, Android) and very well-written clients.

Above is a screenshot of the protection menu option on their iOS client. When set to High security, they (in addition to VPN protection) automatically add anti-malware, tracking blocking and ad blocking. All of this extra security is done at the network layer without the need to configure any additional applications or pay additional fees.

Like most VPN service providers, VPN Unlimited specifically mentions that they do not allow illegal torrenting via their service. They recognise that not all torrents are illegal and allow the use of the BitTorrent protocol on these VPN termination points: US-California 1, Canada-Ontario, Romania, Luxembourg, and France servers.

A question I get asked often is "Does VPN Unlimited support OpenVPN on iOS, iPhone or iPad?" The answer is yes, as shown in the above screenshot. Additionally, they support a protocol they call KeepSolid Wise (similar to the Chameleon protocol on VyprVPN). KeepSolid Wise uses common ports (TCP 443/UDP 33434), which helps bypass firewall restrictions and packet shaping control in most environments. KeepSolid Wise is available on iOS, Android, macOS, Linux and Windows clients.

I set up VPN Unlimited on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via Java or Flash (go here to test)
  • protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and then find the Torrent Address Detection. You download their magnet link into your P2P client of choice, then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • VPN Unlimited is not subject to WebRTC leaks when in VPN mode (go here to test)

VPN Unlimited seems well written and does offer good protection.

Deal

VPN Unlimited is currently running a couple of specials that are worth considering (I bought the unlimited plan):

  • KeepSolid VPN Unlimited lifetime subscription for only $49.99 (for 5 devices)
  • KeepSolid VPN Unlimited 3-year subscription for only $29.99 (for 5 devices)
  • Add their Infinity Plan (aka 5 additional device licenses) for $14.99, but you must own one of the above subscriptions

Conclusion

The best summary I can give you is that VPN Unlimited has a permanent spot on the first page of my iPhone and I use it regularly.

VPN Unlimited has decent privacy policies but isn't the super secret spy-proof identity protection service. If you want to protect your connection while out and about, VPN Unlimited is cheap, fast and reliable. If you want a super secret identity protecting connection then create your own VPN service on AWS or Azure using one of the pre-made scripts.

Questions

Does KeepSolid Wise work in China?

China severely controls encryption and in some cases slows down encrypted connections making them barely usable. A friend recently travelled to mainland China and reported that VPN Unlimited (with KeepSolid Wise UDP) worked flawlessly.

Does KeepSolid VPN Unlimited support video streaming?

Some of the cheaper VPN providers limit the quality of video from streaming sites because these stress the technical infrastructure of the provider. VPN Unlimited supports streaming video on all termination points but also makes available streaming optimized termination points which are specifically designed to work "better" with sites like Youtube, Dailymotion, Vimeo and more.

Does KeepSolid VPN limit connection speed?

There are dozens of factors that contribute to your overall internet speed but VPN Unlimited does not have tiered pricing based on speed and does not limit connection speed in any way. On most clients, they even show the workload on each termination point which means you can choose one with the least amount of current load (which should lead to better performance).

Does VPN Unlimited support Chromebooks?

VPN Unlimited has a Google Chrome plugin (which works on Chromebooks) and allows you to protect your web browsing only. Obviously as a proxy, it is less secure and missing many of the additional features you expect from VPN Unlimited but it is a great way to browse quickly (securely) and a great option on a Chromebook that doesn't require Jedi level knowledge to implement. 

What the CIA Vault7 Wikileak really means for consumers

General / Edward Kiledjian
Wikileaks Unveils ‘Vault 7’: “The Largest Ever Publication Of Confidential CIA Documents”; Another Snowden Emerges
— Zerohedge
It includes software that could allow people to take control of the most popular consumer electronics products used today, claimed WikiLeaks.
— independent.co.uk
Surprise, everyone, the US Central Intelligence Agency (CIA) allegedly has the means to hack everyday electronics.
— techradar.com

Yes, Wikileaks released a very large chunk of CIA information dubbed Vault7 that explains some of the hacking capabilities of the US intelligence service vis-a-vis consumer electronics. Obviously this "isn't good" from a privacy perspective because if the US intelligence community has these capabilities, other nation-states may also have them.

After going through some of the information, I want to dispel some of the FUD (Fear Uncertainty and Doubt).

Are Whatsapp or Signal hacked?

I have written about Whatsapp security and professed my love for Signal. Many readers messaged me in a panic asking if these apps had "weak" security and had been breached by the CIA.

Signal and Whatsapp encryption was not broken. 

The CIA would compromise the smartphone (iPhone or Android) and then install malware that would record audio, text or video before the Whatsapp/Signal encryption is applied.

The Wikileaks statement reads like this:

These techniques permit the CIA to bypass the encryption of WhatsApp, Signal, Telegram, Wiebo, Confide and Cloackman by hacking the ‘smart’ phones that they run on and collecting audio and message traffic before encryption is applied.
— Wikileaks

So the short answer is no, these messaging apps were not compromised and their security is still good. Every security researcher knows you must must must secure the endpoint because it is normally the weakest link in the chain. Here is proof.

The security of Signal protocol was recently reviewed during a security audit and it passed with glowing colors. The EFF also rates Signal as an "all green" messaging app. 

Is the CIA hoarding 0-day vulnerabilities?

We don't know what the CIA is really doing but based on the Vault7 Wikileak, I would say no. Very few 0-day attacks seem to be mentioned in the dump, and any that were are being actively used. Nothing in the leak seems to indicate a hoarding of 0-day vulnerabilities for emergency use.

The attacks mentioned in the leaks may be worrisome to John or Jane Doe but they are nothing new for anyone working in security. They seem to be leveraging "stuff" we already know about in information security circles. Yes, they sometimes buy advanced attacks from brokers or researchers, but most of what I read, I expected them to have.

Nothing I read would indicate that the CIA digital attack toolkit is better than that of the NSA. It is safe to assume the NSA has much stealthier and more powerful tools.

Do I break my Smart TV?

Don't throw away your Smart TV just yet. We learned that the CIA can hack your Smart TV and turn it into an espionage tool by running hacking software via a USB port on the TV. Let me say that again: via a USB port.

Nothing in the document indicates that they can do this remotely via the internet. In security, we always assume that it is impossible to protect an asset if a bad actor can gain physical access to it. Nothing new here. 

Attribution

There are 2 pieces of malware in the wild that were thought to have come from China and Russia but can now likely be attributed to the CIA. These leaks provide enough information for security companies to make educated assumptions about the source of malware they already know about and are trying to identify.

A colleague working for a US security company said that they can now attribute to the CIA 2 pieces of malware previously thought to have come from China or Russia. He said his company will now use the info in these leaks to build signatures to detect and remediate some of the vulnerabilities mentioned here.

Does this hurt the CIA? I would say no. There are enough vulnerability brokers in the dark market and the CIA has enough money to quickly rebuild a new toolkit.

Are these advanced hacking techniques?

No. They may seem advanced for the average Joe but there wasn't anything monumental or earth shattering for a security researcher. Funny enough, I've been chatting with one of my employees about a new tool from Hak5 called Bash Bunny. The Bash Bunny seems to be more advanced than many of the techniques revealed in this document. 

Is my tech safe?

The BBC published a good article documenting the reaction from major consumer tech manufacturers. 

As expected, Apple provided a lengthy response and committed to working with its security team to plug as many of the holes as quickly as possible.

While our initial analysis indicates that many of the issues leaked today were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities
— Apple PR

Samsung provided this response

We are aware of the report in question and are urgently looking into the matter.
— Samsung PR
We are aware of the report and are looking into it
— Microsoft PR

Notably absent (at least while I write this) is a response from Google about the vulnerabilities in Android that were actively exploited. As we know, not all Android phones receive timely updates and even those that do have some worrisome vulnerabilities. 

For the general consumer who is not being targeted by a nation-state intelligence agency, as long as you adhere to good security practices, a Google-branded Android phone will be just as safe as an Apple iPhone. I cannot recommend buying an Android phone from any other manufacturer as updates may be slow or non-existent.

If you are in a job where security is critical, I would still contend that the iPhone is likely more secure because of the way Apple locks everything down.

Conclusion

I won't lose any sleep over the CIA leak. Yes it confirms that the US intelligence apparatus is actively targeting consumer hardware but we all assumed they were doing this anyway. Nothing in this leak revealed anything new and I would assume the NSA Signals Intelligence team is still the king of the hill. Sure the CIA seems to have a couple pocket knives but the NSA still has that 10" Rambo knife strapped to its belt.

Also assume anything the US is doing can be easily replicated by other nation state actors. Do you really want foreign governments to have these abilities and your own (Canada, US, UK, Australia, etc) not to?

The best lightning cable for your iOS products

General / Edward Kiledjian

Like it or hate it, one thing we can all agree on is that Apple's in-package lightning cables are horrible. They are weak and usually become frayed and unusable within months. 

First, stay away from the cheap Chinese knockoff cables. Every MFI (Made For iPhone) certified cable comes with a special (in-cable) authentication chip. Chipworks has a good write-up about this secret chip. This is why many of the cheaper lightning accessories and cables you buy on Amazon, eBay and AliExpress turn out to be useless junk.

Over the years, I have found that certain higher quality cables (micro USB style) are able to transfer data more reliably or support faster charging. Not so with lightning. It turns out that all MFI certified cables I have tested have been about the same as it relates to data transfer speed and charging speed.

So the real deciding factor is the durability of the cable. So over the last several months, I have been real world testing dozens of lightning cables from name brand companies. I wanted to see how they would hold up to the rigours of rough use:

  • threw them in my work bag
  • used them to charge via battery while in the pocket of my winter jacket
  • used them to charge while in the car
  • swung them with the phone attached
  • crunched them and tightly packed them in jeans pockets
  • etc

You get the idea.

The one cable that came out on top was the Anker PowerLine lightning cable. It is competitively priced, MFI certified, can charge all iOS devices at full speed (except the iPad Pro) and is super durable.

The tips are encased in a solid plastic housing and there is a nice rubberized joint between the cable and the connectors.

Anker claims the cable is reinforced with Kevlar fibers, which is impossible to prove, but the cables do feel solid and very sturdy (compared particularly to the Apple, Monoprice and Amazon basics ones). Now before anyone emails me, there are other more durable cables but these typically cost so much that they are not even considered by the average consumer. Remember that this is a review for a consumer and not one for a product used in an industrial setting where $50-75 is considered acceptable.

The Anker PowerLine lightning cables fit comfortably through the opening of various cases including the original Apple ones, LifeProof, Rhinoshield and any other one I threw at it. This is an important consideration and a major win for Anker.

As a sanity check, I read reviews on major online retail sites and comments were overwhelmingly positive. 

You can find these lightning cables almost everywhere so grab a couple. You'll be glad you did.


You should download the latest iOS upgrade now

General / Edward Kiledjian

There is no such thing as bulletproof security. If a well funded, technically competent and determined adversary is targeting you, they will get in. Your job is to make their life as difficult as possible by using passwords that are complex (difficult to guess) and by keeping your software up to date.

Apple has been a good steward of iOS security and regularly releases patches to protect its user base. Today we were gifted iOS 10.2.1, which is an out of plan upgrade I recommend you download asap.

iOS 10.2.1 includes some important security protection that you definitely want to get. These security fixes touch WebKit (the rendering engine for Safari) and protect against arbitrary code execution with kernel privileges (aka an exploit using this flaw could take complete control of your device).

This complete control thing is why you need to download it now. A skilled threat actor could use this to install/delete apps, copy files and spy on you. The WebKit flaws also allow an attacker to run arbitrary code.

Looks like many of the vulnerabilities were discovered by Google's Project Zero security research team. Obviously finding these required extremely skilled professionals but these high grade specialists work on both sides of the fence (some are white hats and others black hats). Due to the nature and complexity of the vulnerabilities, anyone exploiting them would be a nation state actor but an ounce of protection is worth a pound of cure.

To upgrade iOS, open the Settings applet and choose General > Software Update.