What people think when you tell them you’re a Pen Tester:

Protip: Go with the first one.

The method for this bypass is fairly simple (see the video below for it in action):

1. Swipe to unlock and then tap Emergency Call
2. Make an emergency call (eg. 112/911) and immediately cancel it (please don’t unnecessarily call the emergency services ;)
3. Press the power button twice
4. Slide to unlock
5. Hold down the power button for a couple seconds and then tap Emergency Call again.
6. …
7. Profit!

I should point out that this doesn’t seem to work on my iPhone 4 for some reason. Something does happen, but I just get a black screen until I press something whereupon I’m booted back to the lock screen.

http://www.youtube.com/watch?v=MP-w436CfvQ

To perform the jailbreak, simply download the software for your OS, plug in your device, launch the evasi0n app and click Jailbreak. It’s pretty much as simple as that! Cult of Mac has a good summary of this process.

Quick warning: I know that many people are eager to jailbreak their devices – sometimes I also get annoyed at the restrictions Apple places on their devices – but remember that when you jailbreak you’re not only running exploit code and trusting a third party not to do anything malicious, but you also make your device less secure in the process!

With that in mind, check out the latest jailbreak at evasi0n.com.

I know I’ve been pretty bad with posting recently, but I’m hoping to rectify that soon. It’s been a hectic year, and haven’t had as much time to blog as before. Got a couple reviews and articles in the pipeline, and will soon be updating my guide on Security Mac OS X for Mountain Lion.

Watch this space! :)

The new user interface is largely similar to the old one, with a couple of minor improvements to the device box which is now in the top right corner. I’ve circled two of the new elements in red, the first one on the left is used for status information (in this case stating that this is an old location), and on the right side showing the charge/battery level of the device. At the bottom of the box are the same Play Sound and Erase iPhone (Remote Wipe), and the new Lost Most which replaces the Remote Lock and “Play Sound or Send Message” buttons from the previous Find My iPhone.

Clicking on the Lost Mode button brings up the first step (above) which allows you to enter an optional phone number where you can be reached. This number will be displayed on your device’s screen, and can be called. Clicking next brings up the following step (below), where you can enter a message that will be shown on the screen of your device (together with the phone number if you entered one).

 Once you click Done, if your phone is online it will be put into Lost Mode (see below). This will automatically lock the device (using the current passcode), and display your message and phone number. You will receive an email to inform you that your device has been put into Lost Mode, and if your device is located, you will see it in Find My iPhone and receive an email. 

The screenshot below is what your iPhone’s screen would look like in Lost Mode.

If you click on Lost Mode again, you have the option of changing the phone number and the message, as well as choosing whether to receive email updates. If you find your phone, you can stop Lost Mode here too (or just enter the passcode on your phone).

In Lost Mode, the dropped pins that indicate the phone’s location are persistent, meaning that every time the phone’s location is refreshed, a new pin appears (instead of moving the old one). This allows you to track where your lost (or stolen) device is going throughout the day.

All in all this feels like a decent improvement to Find My iPhone, as it definitely simplifies the process of tracking and recovering a lost device. For those of you hoping to play around with the new iCloud updates before iOS 6 is released, check out beta.icloud.com. You can also read my Frequently Asked Questions About Find My iPhone (and iPad).

So I came up with the idea of being able to use a USB stick to carry a command ‘payload’ that would get automatically executed upon being plugged into the Pwn Plug. Now I can run commands such as ifconfig, kick off an nmap scan, whatever I need; and all the results are output back onto the USB stick.

Note that I chose to do this on my Pwn Plug, but it should work equally well on other embedded devices such as the MiniPwner with a bit of tweaking.

How it works

1. This hack uses autofs to perform auto-mounting of the USB drive, and udev to launch an execution script when the USB drive is plugged in.

2. Configure udev to run my auto-execution script.

2. Format a USB drive which contains three files (one optional):

• command.sh: This file is a simple bash script containing all the commands to be run on the Pwn Plug.
• secret (optional): This file contains a secret value (password) that must match the one configured on the Pwn Plug for command.sh to be executed.
• log.txt: This file will be automatically created, and will contain the output of all the commands executed in command.sh. The log file is appended each time, delimited by a timestamped line.

3. Plug your prepared USB drive into your Pwn Plug, wait at least 10 seconds (plus however long you expect your commands to run), and unplug it. If you want to see the output of the commands, you can plug the USB drive into your computer to read log.txt.

4. ????

5. Profit!

Setting up the Pwn Plug

Format your USB stick using the ext3 filesystem. Note, format the entire device (sda, sdb) and not just a partition (sda1, sdb1):

1

mkfs.ext3 /dev/sda (change this to your correct device)

mkfs.ext3 /dev/sda (change this to your correct device)

Run apt-get update and install udev and autofs:

1

apt-get update && apt-get install udev autofs

apt-get update && apt-get install udev autofs

Edit /etc/auto.master and append the following line:

1

/var/autofs/removable /etc/auto.removable --timeout=2

/var/autofs/removable /etc/auto.removable --timeout=2

Create /etc/auto.removable and copy in the following line:

1

cmdusb -fstype=ext3 :/dev/cmdusb

cmdusb -fstype=ext3 :/dev/cmdusb

Create /etc/udev/rules.d/custom.rules and add the following line:

1

KERNEL=="sd?", SUBYSTEM=="usb", ATTRS{model}=="*", SYMLINK+="cmdusb%n", RUN+="/bin/sh /usr/local/bin/cmdusb.sh"

KERNEL=="sd?", SUBYSTEM=="usb", ATTRS{model}=="*", SYMLINK+="cmdusb%n", RUN+="/bin/sh /usr/local/bin/cmdusb.sh"

Side note: If you want to only allow one specific USB drive to be used to run commands, enter your USB device’s model into the ATTRS{model} value above (instead of the wildcard). You can obtain your USB stick’s ID by running the following command, make sure your correct device is used (sda or sdb):

udevadm info -a -p /sys/block/sda | grep model 

It’ll look something like: ATTRS{model}==”Flash Disk “

Create /usr/local/bin/cmdusb.sh, copy in the code below and set a custom secret value (if required). Setting a secret will require that secret value to be present in a file called ‘secret’ in the root of the USB drive, otherwise commands will not be executed.

1
2
3
4
5
6
7
8
9
10
11
1213
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

#!/bin/sh
# This script executes commands on a USB stick and outputs the results to a logfile.
# --------------------------------------------------------------------------
# Copyright (c) 2011 Security Generation <http://www.securitygeneration.com>
# This script is licensed under GNU GPL version 2.0
# --------------------------------------------------------------------------
# Visit http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks
# for more information.
# --------------------------------------------------------------------------
 
# Enter a secret or leave blank (ie. "").
secret="changeme"; 
# first wait for drive to be automounted
/bin/sleep 3;
 
# add separator to log
/bin/echo "--------- $(date) ---------" >> /var/autofs/removable/cmdusb/log.txt; 
 
# is a secret required?
if [ "$secret" != "" ]; then
        # check secret file exists on drive
        if [ -f /var/autofs/removable/cmdusb/secret ]; then
                # check secret in file matches secret above
                if [ "$secret" = $(/usr/bin/head -n 1 /var/autofs/removable/cmdusb/secret) ]; then
                        /bin/sh /var/autofs/removable/cmdusb/command.sh >> /var/autofs/removable/cmdusb/log.txt;
                else
                        /bin/echo "Incorrect secret!" >> /var/autofs/removable/cmdusb/log.txt;
                fi
        else
                /bin/echo "Missing secret file!" >> /var/autofs/removable/cmdusb/log.txt;
        fi
else
 
# no secret
/bin/sh /var/autofs/removable/cmdusb/command.sh >> /var/autofs/removable/cmdusb/log.txt;
 
fi

#!/bin/sh
# This script executes commands on a USB stick and outputs the results to a logfile.
# --------------------------------------------------------------------------
# Copyright (c) 2011 Security Generation <http://www.securitygeneration.com>
# This script is licensed under GNU GPL version 2.0
# --------------------------------------------------------------------------
# Visit http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks
# for more information.
# --------------------------------------------------------------------------

# Enter a secret or leave blank (ie. "").
secret="changeme";

# first wait for drive to be automounted
/bin/sleep 3;

# add separator to log
/bin/echo "--------- $(date) ---------" >> /var/autofs/removable/cmdusb/log.txt; 

# is a secret required?
if [ "$secret" != "" ]; then
        # check secret file exists on drive
        if [ -f /var/autofs/removable/cmdusb/secret ]; then
                # check secret in file matches secret above
                if [ "$secret" = $(/usr/bin/head -n 1 /var/autofs/removable/cmdusb/secret) ]; then
                        /bin/sh /var/autofs/removable/cmdusb/command.sh >> /var/autofs/removable/cmdusb/log.txt;
                else
                        /bin/echo "Incorrect secret!" >> /var/autofs/removable/cmdusb/log.txt;
                fi
        else
                /bin/echo "Missing secret file!" >> /var/autofs/removable/cmdusb/log.txt;
        fi
else

# no secret
/bin/sh /var/autofs/removable/cmdusb/command.sh >> /var/autofs/removable/cmdusb/log.txt;

fi

Remember to set the correct permissions on cmdusb.sh:

1

chmod a+x /usr/local/bin/cmdusb.sh

chmod a+x /usr/local/bin/cmdusb.sh

And finally restart autofs and udev:

1

/etc/init.d/autofs restart && /etc/init.d/udev restart

/etc/init.d/autofs restart && /etc/init.d/udev restart

Important note: the path to your USB drive will always be /var/autofs/removable/usbcmd.

Setting up the USB stick

Commands to be executed must be placed in a bash file called ‘command.sh’ in the root of the USB drive. Make sure that command.sh begins with “#!/bin/sh”, and then place one command on each line (also best to end each line with a semicolon). You must use the full path to executables and files in command.sh, so for ifconfig you would have to enter /sbin/ifconfig. If you don’t know the full path for a particular command you can type which <command> to find it. You may need to ‘chmod a+x command.sh’ as well.

If you set a secret in cmdusb.sh above (“changeme” by default), then you will need to place the same value in a file called ‘secret’ in the root of the USB drive.

Once you’re all set, just plug the USB stick in, wait 10 seconds or so (plus however long you expect your commands to take), then unplug it. Any output from the command(s) will be piped into a file called ‘log.txt’, which you can read by plugging it into your computer. Note your computer will need to be able to read the ext3 filesystem to mount the USB drive, so use Linux or install OSXFuse and fuse-ext2 on Mac OS X as described here.

Appendix

I should point out at this point that this was only tested on version 1.1 and 1.1.1 of the Pwn Plug software. udev can be quite finicky, but I’ve tested these instructions on two Pwn Plugs and it works great. The following link may come in handy if you get stuck:

http://www.reactivated.net/writing_udev_rules.html

Please post any questions, feedback, ideas or improvements in the comments if you have any!

Apparently the team behind this malware is quite efficient at updating it, and so they have been successful in spreading it around. Lion doesn’t come with Java by default, so unless you’ve manually installed it, you’re safe. If you have installed Java on Lion however, I don’t know yet whether Lion’s built-in anti-malware is being updated quickly enough to keep up with the new malware variants (although I highly doubt it).

If you are running Snow Leopard (or earlier), or Lion with a manually-installed Java, then the best thing to do is disable it. The majority of web users do not need Java on a regular basis. I recommend disabling Java system-wide by going to Applications > Utilities > Java Preferences and then unchecking all the checkboxes in the General tab. If you use Safari to browse, you can disable Java by going to Safari > Preferences > Security and unchecking ‘Enable Java‘.

Keep an eye out for an upcoming Java update from Apple.

[Updated] Seems all the talk about this has nudged Apple to act! They’ve released Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7. F-Secure have released a free Flashback remover tool, and Apple have announced they are also working on software to detect and remove Flashback malware.

Source: F-Secure

As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.

Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.

TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.

If you’re only interested in my recommended security apps, they’re at the bottom! Feel free to post in the comments if you have any you think are worth mentioning.

Last updated: 27/10/2012

Communications

Adium   This is by far the best instant messaging app out there, on any platform. It supports all of the different IM networks (as well as other stuff like IRC), and is extremely customisable with a variety of plugins and themes.

Colloquy  Out of the IRC apps I’ve tested, Colloquy is definitely the better one. It’s not as versatile as some others out there, but it’s stable and works well.

Multimedia

 VLC  Again, this is the best media player on any platform. Plays a wide variety of audio and video formats, and has a large number of great features. Must have.

 Perian (and Flip4Mac)  Perian is a great plugin that gives QuickTime the ability to natively read a whole bunch of additional audio and video formats. If you really need to read Windows Media format (who does these days?), then Flip4Mac brings that functionality. You probably don’t need this if you use VLC.

 HandBrake  Need to rip a DVD (legally of course ;)? Then this is your tool. Simple interface, with options to export for iPhone, iPad etc.

 ScreenFlow ($99): Although Lion’s built-in QuickTime Player can do audio and screen recording, if you want to make proper little screencast videos with transitions and zooming, nothing beats ScreenFlow. So easy to use too.

Text Editors

TextWrangler  While OS X’s built-in TextEdit is decent, it’s not great when you’re editing code. The best free solution that I’ve found is TextWrangler (essentially the free version of BBEdit). It’ll do syntax colouring for a variety of languages, and has quite a few powerful features. That said, I’ve personally found one of the two paid-for apps below to be slightly better.

TextMate ($53): Just a powerful lightweight code editor. Usually my favourite. Pretty expensive though.

SubEthaEdit ($38): Powerful code editor with collaborative capabilities and live rendering of HTML. Better priced than TextMate.

Network File Transfer

Cyberduck  This free app will meet most of your file transfer needs with its support for FTP/SFTP, WebDAV, Amazon S3, Google Cloud Storage, Google Docs, Windows Azure, and Rackspace Cloud Files. You can directly edit remote files, and have them automatically re-uploaded when the file is saved.

Transmit ($34): Although Transmit doesn’t offer that much more functionality over Cyberduck, the guys over at Panic have spent a lot of time thinking about a few key features and UI design that make Transmit a more comfortable client to use. The interface is cleaner and more intuitive, and one nice feature is the ability to mount any of your remote file stores as an actual local disk.

Transmission  A clean and easy-to-use BitTorrent client. It’s got a remote web interface that you can connect to in order to manage your torrents.

News/Social Media

 NetNewsWire  Clean user interface, and the ability to manage your subscriptions into folders. You can also sync all of your RSS feeds with Google Reader for easy reading on the go. There’s also an iPhone and iPad client.

 Twitter  Nowhere near as polished as TweetBot (below), but Twitter’s own OS X client is a good all-rounder.

TweetBot ($ 20): Although ridiculously overpriced due to recent limitations set by Twitter, TweetBot is still the best desktop Twitter client on any platform. Its features and user interface are by far the most usable I’ve come across. I also recommend their iOS app.

Security

Firewalls

Although the Mac’s built-in firewall does a pretty good job for the majority of users, it doesn’t allow granular control of inbound traffic, and doesn’t do any outbound connection filtering. This is one area where a free app isn’t quite as good as the paid-for alternatives.

 Little Snitch ($29.95): Since Little Snitch came out several years ago, it’s been a must-have for anyone who wants to be able to control outbound connections from their Mac. Whenever an app tried to make a connection to a non-whitelisted destination, you’ll get a warning where you can allow/deny.

 Hands Off! ($24.95): This is a fairly recent competitor to Little Snitch, but it seems like they’ve done a pretty good job. It offers the same outbound connection filtering capabilities as Little Snitch, but it also does disk access filtering, which allows you to control which apps can write to disk. Hands Off is also cheaper!

NetBarrier (VirusBarrier) ($49.95): Intego are a great supplier of Mac security software. Out of all their apps, their NetBarrier firewall is by far my favourite. Although its UI is a bit over-done, it offers a great granular firewall and has a very basic built-in Intrusion Detection System that can detect some network-based attacks. Note that NetBarrier has been integrated into VirusBarrier, so you now get a dual package of anti-virus and firewall!

TCPBlock  The only free app in this category, TCPBlock offers basic outbound filtering capabilities. Although not as advanced as Little Snitch or Hands Off, it allows you to whitelist/blacklist which apps are allowed to access the internet.

Encryption

 GPGTools  If you are interested in sending or receiving encrypted  or digitally-signed email, then the great GPGTools suite is for you. It can also do file encryption using public/private keys.

 TrueCrypt  Although OS X’s built-in AES-encrypted disk images are good, they only work on OS X. The cross-platform TrueCrypt allows you to create encrypted disk images that will work on any computer.

Passwords

 KeePassX  If you have a lot of passwords and really want a place to store them securely, then a password manager like KeePassX is the way to go.

 1Password ($49.99): Out of all the password managers, 1Password is definitely the best, although I do find it a bit pricey. Its sleek UI and unique touches make it a great app to have. It has clients for Mac, Windows, iPhone, iPad and Android, so you can take your password with you everywhere!

Utilities

 Carbon Copy Cloner  This is a great tool for creating copies of your disks for backup purposes. You can either mirror one disk onto another, or just clone a disk into a disk image. I’ve relied on CCC many times throughout the years.

 MenuMeters  A neat little utility that allows you to add some useful graphs to your OS X menu bar, to display bandwidth, disk usage, CPU usage, etc.

 iStat Menus ($16): Similar to MenuMeters, but with a nicer interface, and more options. If you want a nice system monitor tool, and are willing to pay

Vine VNC Server  This VNC server is in some ways better than OSX’s built in one, as it allows VNC clients to select lower image quality, making VNC connections over the internet a lot snappier. This now works with Mountain Lion.

 Lion DiskMaker  This free tool is great if you need to create a bootable USB or DVD of your Mac OS X install.

Update 2 (5 July 2012): ACTA rejected by EU :)

Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.

Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.

If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.

This is my favorite anti-SOPA song so far:

http://www.youtube.com/watch?v=hi4kfTah7yI

This one is also good.