Dome9 just introduced the ability to set a time-to-live (TTL) option for blacklisted IPs, something I may have bugged them for about once or twice! This is nice as it allows items on your blacklist to expire after a pre-determined amount of time instead of living on in perpetuity. It’s particularly beneficial when you run something like my Honeyport that can end up blacklisting over 400 unique IPs in about two months — it saves having to go in and manually remove blacklisted IPs periodically.
I’ve updated my Honeyport script to include the option to set a TTL on blacklisted IPs when using Dome9. Note this doesn’t yet work when using IPtables as it doesn’t have an easy TTL-style option for rules. This functionality for IPtables is on my TODO list.
Check out honeyport-0.2.sh here!
There have been reports (and here) of iOS 5.1 containing a camera bypass tied to the new camera shortcut on the lock screen. The people who have reported this are sadly confused about the security timeout enforced by iOS’s Require Passcode setting (Settings > General > Passcode Lock > Require Passcode). If your Require Passcode setting is set to anything other than Immediately, then your device (and the camera roll from the camera shortcut) will be accessible for the entire duration of time specified (ie. 1 minute or 5 minutes).
As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.
Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.
TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.
I wasn’t going to post about last week’s fairly significant iTunes update, but then Apple went and patched a whole bunch of vulnerabilities across the board. Some of these are fairly significant so I thought I would provide a short breakdown of the changes. Either way, you should definitely be patching all of your Apple devices and software tonight.
Hit the jump for a summary of the key vulnerabilities patched in Apple’s security updates.
Before making the switch from MobileMe to iCloud last week, I was looking around for posts about iCloud’s new webmail and didn’t find any. As I’d just installed the iOS 5 GM on my iPhone, I was eager to get iCloud going as well to get a head start, but wanted to investigate the iCloud services first. I didn’t find any useful posts, but made the switch anyway. Seeing as iCloud will be free to all users now, I thought I’d give you a heads up into what you can expect!
The Defence in Depth blog has a post about a flaw in Lion’s redesigned authentication mechanisms and Directory Services. In short, it is possible to change the password of the currently logged in user by simply running the following command in the terminal, and it won’t ask you for the user’s current password:
$ dscl localhost -passwd /Search/Users/<username>
In Lion it is also easy to dump a user’s SHA-512 password hash using the following command:
$ dscl localhost -read /Search/Users/<username>
Then look for the dsAttrTypeNative:ShadowHashData chunk in the output (sample below). The hex string in red is the salt, and the green is the hash.
62706c69 73743030 d101025d 53414c54 45442d53 48413531 324f1044 74911f72 3bd2f66a 3255e0af 4b85c639 776d510b 63f0b939 c432ab6e 082286c4 7586f19b 4e2f3aab 74229ae1 24ccb11e 916a7a1c 9b29c64b d6b0fd6c bd22e7b1 f0ba1673 080b1900 00000000 00010100 00000000 00000300 00000000 00000000 00000000 000060
Cracking password hashes can be done using his custom Python script, or John the Ripper (with the Jumbo patch). Note that even if someone manages to obtain your password hash, if you’re using a strong password it will be extremely difficult for them to recover it. Seems like both of these are important but fairly low-risk flaws introduced into Lion. Hopefully Apple will look into these for the next update.
[Update 1] While waiting for an Apple-supplied security update, it is possible to protect yourself from this vulnerability by adjusting the permissions on dscl:
sudo chmod go-x /usr/bin/dscl
This makes it so that only root can execute dscl. To revert this simply run:
sudo chmod go+x /usr/bin/dscl
[Update 2] This vulnerability was patched in Mac OS X 10.7.2.
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2’ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
What iOS 5 feature are you most looking forward to?
- iMessage (31%)
- Notification Center (23%)
- iCloud Integration (21%)
- Wifi Sync and Backup (19%)
- Twitter Integration (4%)
- Location-based Reminders (2%)
If your preferred option isn’t available, I’d be interested to hear what it is in the comments!
Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:
- When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
- Ability to remove an offline device from the list using the app.
Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]
For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.