Dome9 just introduced the ability to set a time-to-live (TTL) option for blacklisted IPs, something I may have bugged them for about once or twice! This is nice as it allows items on your blacklist to expire after a pre-determined amount of time instead of living on in perpetuity. It’s particularly beneficial when you run something like my Honeyport that can end up blacklisting over 400 unique IPs in about two months — it saves having to go in and manually remove blacklisted IPs periodically.
I’ve updated my Honeyport script to include the option to set a TTL on blacklisted IPs when using Dome9. Note this doesn’t yet work when using IPtables as it doesn’t have an easy TTL-style option for rules. This functionality for IPtables is on my TODO list.
Check out honeyport-0.2.sh here!
After securing systems by hiding them completely from the network/internet using Single Packet Authorization, I’ve recently been interested in doing more so-called ‘active’ defense, by implementing solutions to delay, confuse, or thwart attackers. Completely hiding one’s system is not always feasible (ie. in the case of an internet-facing server), and monitoring, apart from being purely reactive, is not always easy and requires the involvement of a human. An alternative to these is to do some automated active defense. One simple tool in the bag of active defense tricks is the honeyport. Read more
A new version of iOS, a new lockscreen/passcode bypass! Luckily this one was caught early in the first Beta of iOS 7 released to developers at WWDC 2013. Although this lockscreen bypass is simpler than some of the previous ones that required some tricky steps to pull off, it’s probably worth pointing out that it will only allow access to the phone’s photos, and the ability to delete, email, tweet or upload the stored image files. It does not allow access to any other apps.
I should point out that I played with iOS 7 for a day, and it was so buggy that I had to downgrade back to iOS 6. Luckily Apple has plenty of time to fix all these issues come the release date this fall.
To bypass the lockscreen simply follow these easy steps:
- Pull up the Control Center
- Tap the Calculator icon to open it
- Pull up the Control Center again
- Tap the Camera icon to open it
- Tap the photos icon in the bottom-left corner to get full access to the photos
Check out the video below to see it in action.
Those of you who have been diligent in securing your iOS devices with passcodes, wiping and Find My iPhone, just to have a thief restore your device and keep on going – well – your prayers have been answered. Coming in iOS 7 is a great feature called ‘Activation Lock’.
With Activation Lock enabled, even if your iPhone or iPad is restored to its factory settings, the user will need to activate the device using the Apple ID of the previous user. Also, if the device was put into Lost Mode in Find My iPhone, the lock screen will continue to display the fact that it is lost until the device is activated.
This is a hugely useful feature that, if used properly, will make iPhones and iPads a significantly less attractive target to thieves, as the stolen devices would be rendered useless to them. It was nice to see Apple address one of the main concerns that users have been expressing about the bypass-ability of Find My iPhone. Check out Protecting and Recovering Your iPhone and iPad from Loss and Theft (will be updated soon with this new feature).
The first thing people think when you tell them you’re a Penetration Tester:
What people think when you tell them you’re a Pen Tester:
Protip: Go with the first one.
In a vulnerability that’s quite similar to one in iOS 4.1 a couple years ago, another lockscreen bypass has been discovered in iOS 6.1 which allows someone with physical access to your iPhone to make calls, view and modify your contacts, send an email to your contacts, listen to your voicemail, and access your photos (by attempting to add one of these to a contact).
The method for this bypass is fairly simple (see the video below for it in action):
- Swipe to unlock and then tap Emergency Call
- Make an emergency call (eg. 112/911) and immediately cancel it (please don’t unnecessarily call the emergency services ;)
- Press the power button twice
- Slide to unlock
- Hold down the power button for a couple seconds and then tap Emergency Call again.
I should point out that this doesn’t seem to work on my iPhone 4 for some reason. Something does happen, but I just get a black screen until I press something whereupon I’m booted back to the lock screen.
There’s a piece of Mac malware, known as ‘Flashback’, that’s going around and takes advantage of a Java vulnerability in order to compromise and infect Macs online. Although the vulnerability isn’t Mac-specific, and was patched back in February, Apple has yet to distribute that update to everyone via Software Update, leaving everyone vulnerable.
Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).
If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java‘.
Keep an eye out for an upcoming Java update from Apple.
[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.
There have been reports (and here) of iOS 5.1 containing a camera bypass tied to the new camera shortcut on the lock screen. The people who have reported this are sadly confused about the security timeout enforced by iOS’s Require Passcode setting (Settings > General > Passcode Lock > Require Passcode). If your Require Passcode setting is set to anything other than Immediately, then your device (and the camera roll from the camera shortcut) will be accessible for the entire duration of time specified (ie. 1 minute or 5 minutes).
As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.
Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.
TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.
Security researcher Charlie Miller (@0xcharlie) has discovered a significant flaw in iOS which may allow a malicious app on the App Store to download and execute arbitrary unsigned code. What this means for iPhone, iPad and iPod Touch users is that installing a malicious app may allow an attacker to obtain shell access to your device, and download contacts or images.
Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.
Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.
[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.