Update To The iPhone Security Tip

Chris Pepper, Master Editor, pointed out something I missed. If you memorize an encrypted network, your iPhone won’t connect to an unencrypted one with the same name, or to one with a different password. Thus, unless the bad guy knows your WPA passphrase (you’re not dumb enough to use WEP, are you?), you can memorize your home network and not worry about accidentally connecting while wandering around, even if it’s still called “tsunami”.

iPhone Security Tip: Never Memorize Wireless Networks

Update: See Update To The iPhone Security Tip. Encrypted networks are safe to remember.

The other day I was wandering around San Francisco on a work trip, and I freaked out when I noticed the WiFi indicator on my iPhone was showing an active connection to some random network. I never have my phone set to connect to unknown networks, so I quickly jumped into the settings to see what the heck was going on.

Turns out I was connected to “tsunami”, which is a common default name on Cisco wireless gear. Like the Cisco gear in our community center, which I had been playing with just a week or so before. And that got me thinking.

Many of you probably connect to wireless networks with common names, like Linksys, 2WIRExx, tsunami, or whatever. In other words, either default networks, or names (like those used at conferences and airports) that are in common use or easy to find. But when you remember those on your iPhone (or computer, for that matter), it only remembers the network ID (SSID), not the actual network!

Your iPhone doesn’t know the difference between “tsunami” in your community center, “tsunami” in an office building, and “tsunami” running on some bad guy’s laptop to see what naive fools will connect to it. When you trust a network you’re just trusting a name anyone can use, not something really unique to that network. Your iPhone will then connect to any network using that name.
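To make the point concrete, here is a small model of the join decision, written for this post as an added example (it is not Apple’s code, and the iPhone’s real logic is not public). It contrasts a policy that trusts the SSID alone with one that binds a remembered profile to its security type and passphrase, which is the behaviour the update above describes, and it adds an audit that flags remembered open networks with common default names. The profile and beacon records, the list of default SSIDs, and the equality check standing in for the WPA handshake are all constructed simplifications.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of common default/public SSIDs (the post names
# Linksys, 2WIRExx and tsunami; the rest are assumptions).
COMMON_DEFAULT_SSIDS = {"tsunami", "linksys", "2wire", "default", "netgear", "dlink"}


@dataclass(frozen=True)
class Profile:
    """A network the phone has 'memorized'."""
    ssid: str
    security: str                     # "open" or "wpa"
    passphrase: Optional[str] = None  # only meaningful for "wpa"


@dataclass(frozen=True)
class Beacon:
    """What a nearby access point advertises (plus its secret, for simulation)."""
    ssid: str
    security: str
    psk: Optional[str] = None         # the AP's real passphrase; never sent over the air


def ssid_only_policy(profiles: List[Profile], beacon: Beacon) -> bool:
    """Naive policy: auto-join anything whose name matches a remembered network."""
    return any(p.ssid == beacon.ssid for p in profiles)


def bound_profile_policy(profiles: List[Profile], beacon: Beacon) -> bool:
    """Profile-bound policy: the name, the security type and (for WPA) the
    passphrase must all match before the phone joins."""
    for p in profiles:
        if p.ssid != beacon.ssid or p.security != beacon.security:
            continue
        if p.security == "open":
            return True
        # Simplification: a WPA association succeeds only if both sides hold
        # the same passphrase, which is what the 4-way handshake enforces.
        return p.passphrase == beacon.psk
    return False


def audit_profiles(profiles: List[Profile]) -> List[str]:
    """Flag remembered networks that make the SSID-only failure mode likely."""
    findings = []
    for p in profiles:
        if p.security == "open":
            findings.append(f"{p.ssid}: open network remembered; forget it when done")
        base = re.sub(r"\d+$", "", p.ssid.lower())   # 2WIRE123 -> 2wire
        if base in COMMON_DEFAULT_SSIDS:
            findings.append(f"{p.ssid}: common default name; anyone can broadcast it")
    return findings


if __name__ == "__main__":
    remembered = [
        Profile("tsunami", "open"),
        Profile("q7x-home-4821", "wpa", "correct horse battery"),
    ]
    nearby = [
        Beacon("tsunami", "open"),                             # rogue copy of a default name
        Beacon("q7x-home-4821", "open"),                       # rogue copy of the home SSID
        Beacon("q7x-home-4821", "wpa", "wrong passphrase"),    # rogue WPA copy
        Beacon("q7x-home-4821", "wpa", "correct horse battery"),  # the real home AP
    ]
    for b in nearby:
        print(f"{b.ssid:14} {b.security:4} ssid-only={ssid_only_policy(remembered, b)!s:5} "
              f"bound={bound_profile_policy(remembered, b)}")
    for line in audit_profiles(remembered):
        print("audit:", line)
```

Under the SSID-only policy every beacon above is joined, including all three rogue copies; under the profile-bound policy only the real home access point is, and the remembered open “tsunami” is still joined, which is exactly why the audit flags it.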

Why is that bad? Go read this article I wrote at Dark Reading. An attacker can set up his or her laptop to broadcast that name, then perform a man-in-the-middle attack against anyone who connects. They can sniff and modify any traffic going to your iPhone. Why is this more serious on an iPhone than on your laptop? Because you walk around with your phone all the time, often checking things like email in the background.

Another problem with the iPhone is that its VPN doesn’t automatically reconnect if the connection drops. Thus, even if you connect via a secure VPN, you might find your connection got dropped and your phone happily continues, sending all your traffic unencrypted.

Here are my best practices for iPhone wireless security:

  1. Turn on “Ask to join networks”.
  2. If you have a home wireless network, use an obscure name with some random numbers in it. This reduces the odds you’ll ever hit another one with the same name unless someone specifically targets you.
  3. On your home network, don’t broadcast the SSID (sure, easy to figure out, but we’re just trying to reduce our risks).
  4. If you need to connect to a public wireless network, use a VPN to protect your traffic. In the VPN settings, after you configure your connection, turn on the “Send all traffic” option.
  5. When you’re done with the network, click on the “Forget this network” button in your WiFi settings.

On my phone I only have it set to connect at home (a weird name), and I use AT&T EDGE when I’m out of my house. I have a VPN server set up at home for those rare occasions I connect from a conference network.

The good news is that your iPhone doesn’t send out “probes” for known networks. That would be an easy way for a bad guy to learn even those obscure SSIDs you use at home. Good move on Apple’s part; now I just want them to make the VPN connections persistent.

Do Mac Users Need Antivirus?

I just published an article on TidBITS on this very issue.

Basically, I don’t think the average Mac user needs it yet. AV comes at a performance cost that isn’t justified by the risks it addresses. It isn’t that Macs are more secure than Windows; it’s that they aren’t as big a target yet, and I’m not convinced that desktop antivirus will help much once Mac malware really starts proliferating.

If you are a lone Mac in a Windows environment you might need to install it to protect your Windows brethren (don’t be the vector that infects them — sending viruses you don’t even notice is not nice), and if you go to a lot of risky places you should consider it.

For the record, I don’t use AV on Mac or Vista, but I do use it on XP.

And if Apple is smart, they can finish off the Leopard security features and harden the platform enough that it won’t be as easy a target even as market share rises.

(I was amused reading the Slashdot comments, which I usually ignore. I don’t mind the criticism, but at least read the fricking article, guys).


Ask Securosis: Is Safari Less Secure?

This week, our question is courtesy of Allen:

… As a long time Mac user and an inspiring security professional (I am in the process of completing my CISSP certification), I found this article on Macworld’s web site to be very fascinating. If you could please comment on this on your web site and/or on your podcast, I would be very grateful.

The article in question, located here, is a very odd interview with Michael Barrett, PayPal’s chief information security officer.

Michael argues that the main reason Safari is less secure is its lack of anti-phishing features or support for Extended Validation SSL certificates. For you non-geeks, those are extra, higher cost, digital certificates that highly trusted websites can buy to prove they are who they say they are. A few snippets:

“Apple, unfortunately, is lagging behind what they need to do, to protect their customers,” Barrett said in an interview. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out, or Firefox 2 or Firefox 3, or indeed Opera.”

Unlike its competitors, Safari has no built-in phishing filter to warn users when they are visiting suspicious Web sites, Barrett said. Another problem is Safari’s lack of support for another anti-phishing technology, called Extended Validation (EV) certificates. This is a secure Web browsing technology that turns the address bar green when the browser is visiting a legitimate Web site.

When it comes to fighting phishing, “Safari has got nothing in terms of security support, only SSL (Secure Sockets Layer encryption), that’s it,” he said.

Still, Barrett says data compiled on PayPal’s Web site show that the EV certificates are having an effect. He says IE 7 users are more likely to sign on to PayPal’s Web site than users who don’t have EV certificate technology, presumably because they’re confident that they’re visiting a legitimate site.

Over the past few months, IE 7 users have been less likely to drop out and abandon the process of signing on to PayPal, he said. “It’s a several percentage-point drop in abandonment rates,” he said. “That number is… measurably lower for IE 7 users.”

This is complete and utter bunk. I’d like to reference an article at Dark Reading, on anti-phishing, and this one about a Harvard/MIT study:

APRIL 13, 2007 | The lock-and-key icon was broken. The site-authentication image was not there. A security message popped up, warning that the site was not properly certified.

And still, more than half of them entered a password and tried to log in.

That’s the bottom-line finding of a new study from researchers at Harvard University and MIT, who conducted a live test of banking users to measure the effectiveness of browser-based authentication and anti-phishing features earlier this year. The research is scheduled to be presented at the IEEE Symposium on Security and Privacy next month.

PayPal is completely off base; I highly doubt the lack of anti-phishing features correlates in any material way with Safari users dropping out of the sign-in process. The level of assumptions in those statements is ridiculous.

Now, let’s look at Safari. The truth is, based on talking with security researchers, that IE7 on Vista is more fundamentally secure than Safari. I’m not sure about Firefox, but suspect it is also probably more fundamentally secure. But that almost doesn’t matter; the real-world risk, today, of using Safari is extremely low. That could change instantly, at any given time, and probably will, but until then I feel comfortable using it for most of my browsing needs.

A bigger hole with Mac (or PC) browsing is QuickTime, which is in the midst of some rough times from a security perspective. But QuickTime runs in any browser, not just Safari.

My overall take? Most users don’t understand or care about anti-phishing notifications built into their browsers. Safari does lack security features available in competitors, and has had a few vulnerabilities this year, but real-world risk is low for now. Support for extended validation certificates is a nice-to-have feature, but probably won’t improve Safari security for the average user in any material way.

Not that we shouldn’t keep the pressure on Apple to keep strengthening the OS and browser, but I’d prefer they put more effort into sandboxing and other anti-exploitation defenses than little green borders when I visit someone willing to cough up an insane amount of cash to Verisign.


Three Applications That Will Cause Us Security Headaches For At Least Three Years

  1. Internet Explorer/ActiveX
  2. QuickTime
  3. Adobe Acrobat Reader

Each of these applications has a plugin architecture and an inadequate security model. Actually, IE 7 + Vista is a good model, but it will take 3 years for it to reach wide enough deployment.


On My Curious Relationship With Apple And Security

Security professionals seem to have a strained relationship with Apple these days. Any trip to a security conference shows that more and more security professionals are using Macs on a regular basis. A not-insignificant percentage of the high-end industry types I know use Macs and iPhones, at home if not at work, often against corporate policy.

Yet Apple’s view on security is very… 2001. They do not follow a security development lifecycle. Marketing seems to play too strong a role in security decisions, especially when dealing with researchers. They never finished most of the security features of Leopard, and some products (especially QuickTime) are running at very high vulnerability rates.

The first thing we need to get out of the way is that Macs are currently safer to use than Windows XP, even if they aren’t as secure. There just aren’t as many exploits out there in the wild. Vista is more secure, but I find it unusable. This can, and will, change over time as Macs continue to rise in popularity and become a bigger target.

Thus, as a security professional I have mixed feelings about Apple. I feel somewhat hypocritical about supporting a company that doesn’t prioritize my bread and butter, but I’m not overly pleased with Windows’ UI failings or Linux’s peculiarities. I’ve made the decision to pick the OS that best fits my work and productivity needs, then do what I can to improve the security of the platform.

Which gives me three options:

  1. Work for Apple. They haven’t called and I’m not waiting.
  2. Discover and report vulnerabilities, hoping they’ll get patched. I suck at this, so not the best option.
  3. Criticize and constantly pressure them in public, hoping to embarrass them into change. They’ll call me a raving loon, then ignore and marginalize me.
  4. Actively engage with the Apple community, give Apple credit for what they get right, and point out where they get things wrong while educating Mac users. This hopefully gains me enough credibility that they can’t simply dismiss me as anti-Apple and I can help the Mac community pressure Apple for needed change.

Apple is far from perfect and their security needs a ton of work, but I’m taking a reasoned approach and hoping that by engaging and educating their customers (and thus Apple, indirectly), we can spur change.

On that note, I’m off to the Macworld Expo show floor to meet with various vendors (including security vendors) and to play with my new iPhone (yes, I’m weak).


Excel Sort-of-0day Affects Mac And Windows

Remember the good old days when vulnerabilities would just affect one platform? Back when there was NO WAY my Commodore 64 could be infected by your TRS-80?

It looks like there is a targeted attack going on (where a virus is created and only sent to specific targets so the antivirus companies don’t notice it). It takes advantage of a flaw in older versions of Microsoft Excel. Microsoft’s advisory is here.

It’s not the kind of thing most of you will have to worry about unless you become the target, but I’m always interested in 0day attacks and cross-platform vulnerabilities.

More from Brian Krebs and the Microsoft Advisory:

According to Microsoft’s security advisory, this vulnerability affects Microsoft Excel 2003 Service Pack 2, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2002, Microsoft Office Excel 2000, and Microsoft Excel 2004 for Mac. People who are using Microsoft Office Excel 2007, Microsoft Excel 2008 for Mac or have installed Microsoft Office Excel 2003 Service Pack 3 are not affected.


Macworld Keynote Impressions

Just finished up attending the Steve Jobs keynote for the first time. From a security perspective, as expected there wasn’t anything worth noting. Being a product-launch event we really weren’t planning on seeing any discussion of security, and the other updates don’t seem to have many obvious security ramifications.

One potential area of interest is the new location-based service, which appears to be a combination of Google’s location service (which I use on my BlackBerry) and a WiFi-based service by Skyhook Wireless that’s been around for a few years. Google’s location based on cell towers is only accurate to about 800 meters, so it will be interesting to see what Skyhook provides in urban areas. Being WiFi-based, I’m looking forward to getting my hands on it and doing a little WiFi sniffing. It will be interesting to see if it leaks too much information about you.

The other iPhone updates are interesting enough that I might make the leap. I was waiting for the 3G version but that’s probably still 6 months away. I’d really like a better web browser for mobile blogging, and even the Opera browser on the BlackBerry isn’t cutting it. We’ll see what I end up flying home with after I take some time outside the Reality Distortion Field of Jobs.

As for the other product announcements, my impression is they’re solid, but overall a little disappointing. The MacBook Air looks absolutely amazing, with excellent performance for the size. Hopefully some of the power-friendly technologies like the LED-backlit display and SSD drive will make their way into the rest of the product line.

iTunes movie and TV rentals were surprising only for the studio support: every single major studio. Pricing is in line with Unbox and other services, but you get better quality. A lot better if you pay $1 more for the HD version, which might be worth it since you don’t have to buy a Blu-ray or HD DVD player to watch them.

I was mostly looking forward to attending the keynote to watch Jobs present, and that’s one area where I wasn’t disappointed. I love his use of simple slides, basic animations, and smooth style. It’s not something that will necessarily translate into the more information-laden presentations we industry pundits tend to have to give, but his overall quality is far better than anyone else’s in the industry I’ve seen.

Most of my Macworld coverage will be over at TidBITS, but I’ll post my less formal impressions here as the week goes on.

My First MacWorld Article Is Up!

I have to admit, although Apple’s handling of security issues is often a train wreck, I’m still a big fan of Macs and other Apple products.

I covered a lot of the firewall issues on this blog and over at TidBITS, but I was still excited when MacWorld asked me to write an article on using the Leopard Firewall.

I really try to walk the middle ground when discussing Mac issues, which can tend to get a little emotional for some people. Some of my security friends accuse me of selling out when I write an article like this, while Mac zealots cry havoc at any criticism of their favorite platform. As with everything, the truth is somewhere in the middle. Apple has a long way to go with security, but we do see them taking some baby steps in the right direction. Trying to beat Apple over the head clearly doesn’t work, so I try and take a reasoned approach to criticism; giving them credit for the work they’ve done while offering specific suggestions for improvements where they fail. The truth is, even with all their faults and the critical vulnerabilities (including 0days) we’ve seen, the average Mac user is safer than the average Windows XP user as they go through their computing days.

But we also need to recognize that this won’t hold true as the popularity of the platform continues to grow. We’re seeing the early signs that the bad guys are gaining interest in Macs, and there are flaws in the platform they can eventually use to cause some damage. I suspect that once this starts occurring on a large enough scale, Apple will have to respond and start adopting some of the development processes and security features we see at Microsoft.

If only Microsoft would learn a little about usability from Apple… then we’d have a serious fight.

Anyway, you can check it out here.

Permanent Link For ipfw Rules

Looks like the ipfw rules project that Chris is leading is pretty popular. We’ve set up a permanent link that we’ll redirect to the latest version as we keep refining this thing.

You can find it here.

Thanks again to everyone who has helped on this project:

windexh8er: http://www.slash32.com/
Rob
Lee: http://thnetos.wordpress.com/
Josh
Chris Pepper: http://www.extrapepperoni.com/