
Iphone

Tuesday, June 09, 2009

iPhone Security Updates

By Adrian Lane

Like many potential iPhone buyers, I have been checking the news releases from the Apple WWDC every hour or so. Faster speed, better camera, better OS, new apps. What's not to like? From a security standpoint, the two features that were intriguing for me and (probably) many IT organizations are the data encryption and automatic remote data wipe options. From MacWorld:

For IT, Apple has added on-device encryption for data (backups are encrypted as well), plus a remote wipe-and-kill feature for Exchange 2007 users. Non-Exchange users can get remote wipe-and-kill if they subscribe to Apple's consumer-oriented MobileMe service. In either case, the wiped information and settings can be restored if you find the missing iPhone.

Much in line with what I was thinking in the Friday Post, it appears that Apple developers are way ahead of me. This clears a couple major security hurdles for corporate adoption of the iPhone, and helps the iPhone to continue its viral penetration of corporate IT environments. Very smart moves on their part to fill these gaps. The "Find my iPhone" feature is a neat bit of gimmickry, and helpful for distinguishing whether your iPhone went missing or was stolen. I have trouble believing it would be very effective for recovery, but it is enough information to decide whether or not to remotely wipe the device. And with the ability to recover wiped data through MobileMe, there is little penalty for being safe.

Then, leave it to AT&T to kill my happy iPhone buzz. Tethering? Nope. Any product vendor will tell you that if a customer asks you when they get some cool new feature, you talk about what a wonderful advancement it will be and then set realistic expectations about when it will be available. Your response is not "Well, that will cost you more". No wonder AT&T was booed on stage. It looks like by the time tethering is available, AT&T will no longer have its US exclusive arrangement with Apple, and no one will care that they don't seem to care about customers. Or timely feature enhancements. Or that they are denying loyal Apple/AT&T customers a discount to buy a new phone and give the old phone to someone else who will need to use AT&T. You see the logic in that, right?

–Adrian Lane

Thursday, May 07, 2009

Get the iPhone or Not?

By Adrian Lane

It's kind of Apple Day here. Rich has been stuck in a 'Genius Bar' time warp all morning with a handful of dead Mac minis (probably died from processor envy when the new Mac Pro arrived). Despite the recession, if you lose your appointment slot, you are going to be waiting a long time, as the AZ Apple stores are always packed. I would gladly have switched places with him, as I have spent all morning trying to decipher alien runes (AT&T iPhone pricing plans). My cell phone provider, Qwest, is dropping all its cellular services and I now need two new phones. I thought this would be an easy decision as everyone I know seems to have an iPhone. Most people I know in the security profession have had their iPhones for a year or more and they love them. They really like to show off their eye-candy apps and what a powerful mobile computer the iPhone really is. But if 95% of your use is going to be phone calls, is it worth it?

As bad as the AT&T pricing is, the real issue is service. AT&T coverage and clarity sucks, or SUCKS, depending upon where in the country you live. I get phone calls from friends and associates, usually someone I know who has some comment about how my recent blog post demonstrated a complete lack of knowledge, and I should really have done my homework prior to posting. And that person is really smart and is probably making really compelling arguments, but it comes across as a small child making motorboat noises while facing away from the phone. I can't help myself and laugh out loud. My laughter and saying "Dude!" really pisses them off, but it is really hard to hear! And this is just the Securosis side of things. My wife and I drive lots of places where a clear connection is critical, and might have a life-threatening need to reach out and speak to someone who can help. In cases like this, a cool gadget loses every time to a reliable call.

I love all the Apple products I have purchased and will seriously consider the iPhone. But AT&T is not Apple, and when it comes down to it, service is the bulk of what I am paying for. I was really hoping the rumored Verizon branded iPhone Nano would happen as I could get the Apple product and have good coverage. I have been cruising Mac Rumors every day to see what's new. We'll see. There is a rumor that AT&T is dropping prices, which is nice, but Verizon is running a 2 for 1 sale on Blackberrys, which is even more compelling. I have another month or two of service before I have to make a decision, by which time the new iPhones should be out, and then I will make the decision.

–Adrian Lane

Wednesday, July 09, 2008

Dark Reading Column: Attack Of The Consumers (And Those Pesky iPhones)

By Rich

I have a sneaking suspicion my hosting provider secretly hates me after getting Slashdotted twice this week. But I don't care, because in less than 48 hours it's iPhone Day!!!

Okay, so I already have one and all the new one adds is a little more speed, and a GPS that probably isn't good enough for what I need. But I use the friggen thing so darn much I can definitely use that speed.

It's been up for a few days, but with everything else going on I'm just now getting back to my latest Dark Reading column. This month I take a look at what may be one of the most disruptive trends in enterprise technology- the consumerization of IT. Here's an excerpt:

That's the essence of the consumerization of IT. Be it laptops, cellphones, or Web services, we're watching the walls crumble between business and consumer technology. IT expands from the workplace and permeates our entire lives. From home broadband and remote access, to cellphones, connected cars, TiVos, and game consoles with Web browsers. Employees are starting to adapt technology to their own individual work styles to increase personal productivity. The more valued the knowledge worker, the more likely they are to personalize their technology — work provided or not. Some companies are already reporting difficulties in getting highly qualified knowledge workers and locking them into strict IT environments. No, it's not like the call center will be running off their own laptops, but they'll probably be browsing the Web, sending IMs, and updating their blogs off their phones as they sit in front of their terminals. This is far from the end of the world. While we need to change some of our approaches, we're gaining technology tools and experience in running looser environments without increasing our risk. There are strategies we can adopt to loosen the environment, without increasing risks:

–Rich

Tuesday, May 20, 2008

Formatting An iPhone To Wipe Data

By Rich

It appears people are recovering data off old iPhones. Whoops- looks like you can pull data out of memory using forensics tools, just like any other platform. While your Mac includes the ability to overwrite old data when formatting your hard drive to prevent recovery (very cool that this is included in a consumer operating system), there is no equivalent mechanism to clear off that "ancient" original iPhone when you trade up to the 3G version next month.

For those of you who aren't just convincing your spouses to take your "old" iPhone off your hands to justify that new toy, Securosis presents a simple process to minimize the chances of recovery. It's not perfect, but it's easy and should offer enough protection for those of you forced to eBay your once-precious-but-now-obsolete device:

  1. Restore the iPhone from within iTunes.
  2. On the "Info" tab, un-check all options so you don't synchronize calendars, email, bookmarks, and contacts.
  3. On the Photos, Podcasts, and Video tabs, uncheck "Sync ...".
  4. Create 3 big playlists as large as the storage capacity of your iPhone.
  5. On the Music tab, select the first of your 3 playlists to sync. Make sure the storage bar at the bottom looks full after syncing.
  6. Sync your iPhone, change to the next playlist, sync again, and repeat one last time.

This will hopefully overwrite any of the free space on your phone, helping prevent recovery of any of those love letters and bad jokes lingering from old emails. I won't have a chance to test this anytime soon, and odds are high some fragments will survive depending on how the iPhone allocates at the file system level, but this should be more than sufficient to prevent casual recovery of sensitive stuff if you'd like to hock your "old" phone.

–Rich

Wednesday, April 30, 2008

Update To The iPhone Security Tip

By Rich

Chris Pepper, Master Editor, pointed out something I missed. If you memorize an encrypted network, your iPhone won't connect to an unencrypted one with the same name, or one with a different password. Thus unless the bad guy knows your WPA passphrase (you're not dumb enough to use WEP, are you?), you can memorize your home network and not worry about accidentally connecting while wandering around, even if it's still called "tsunami".

–Rich

Monday, April 28, 2008

iPhone Security Tip: Never Memorize Wireless Networks

By Rich

Update: See Update To The iPhone Security Tip. Encrypted networks are safe to remember.

The other day I was wandering around San Francisco on a work trip, and I freaked out when I noticed the WiFi indicator on my iPhone was showing an active connection to some random network. I never have my phone set to connect to unknown networks, so I quickly jumped into the settings to see what the heck was going on.

Turns out I was connected to "tsunami" which is a common default name on Cisco wireless gear. Like the Cisco gear in our community center, which just a week or so before I was playing with. And that got me thinking.

Many of you probably connect to wireless networks with common names- like Linksys, 2WIRExx, tsunami, or whatever. In other words, either default networks, or names (like those used at conferences and airports) that are in common use or easy to find. But when you remember those on your iPhone (or computer, for that matter), it only remembers the network ID (SSID), not the actual network!

Your iPhone doesn't know the difference between "tsunami" in your community center, "tsunami" in an office building, and "tsunami" running on some bad guy's laptop to see what naive fools will connect to it. When you trust a network you're just trusting a name anyone can use, not something really unique to that network. Your iPhone will then connect to any network using that name.

Why is that bad? Go read this article I wrote at Dark Reading. An attacker can set up his or her laptop to broadcast that name, then perform a man-in-the-middle attack against anyone who connects. They can sniff and modify any traffic going to your iPhone. Why is this more serious on an iPhone than your laptop? Because you walk around with your phone all the time, often checking things like email in the background.

Another problem with the iPhone is that its VPN doesn't automatically reconnect if the connection drops. Thus, even if you connect via a secure VPN, you might find your connection got dropped and your phone happily continues, sending all your traffic unencrypted.

Here are my best practices for iPhone wireless security:

  1. Turn on "Ask to join networks".
  2. If you have a home wireless network, use an obscure name with some random numbers in it. This reduces the odds you'll ever hit another one with the same name unless someone specifically targets you.
  3. On your home network, don't broadcast the SSID (sure, easy to figure out, but we're just trying to reduce our risks).
  4. If you need to connect to a public wireless network, use a VPN to protect your traffic. In the VPN settings, after you configure your connection, turn on the "Send all traffic" option.
  5. When you're done with the network, click on the "Forget this network" button in your WiFi settings.

On my phone I only have it set to connect at home (a weird name), and I use AT&T EDGE when I'm out of my house. I have a VPN server set up at home for those rare occasions I connect from a conference network.

The good news is that your iPhone doesn't send out "probes" for known networks. This would be an easy way for a bad guy to know even those obscure SSIDs you use at home. Good move on Apple's part- now I just want them to make the VPN connections persistent.

–Rich
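
The name-only trust described in the tip above, and the encrypted-network exception from the update, as an added example that is not part of the original posts. It is a simplified model of auto-join, not Apple's implementation; the `Network` type, function names, and sample profiles are constructed for illustration, and a passphrase comparison stands in for the WPA handshake.

```python
from dataclasses import dataclass
from typing import Optional

# Common default names mentioned in the post; "2WIRE" is matched as a prefix.
COMMON_SSIDS = {"linksys", "tsunami"}
COMMON_PREFIXES = ("2wire",)

@dataclass(frozen=True)
class Network:
    ssid: str
    security: str                      # "open", "wep" or "wpa"
    passphrase: Optional[str] = None   # key held by the AP or the saved profile

def would_auto_join(saved: list, advertised: Network) -> bool:
    """True if any remembered profile lets the client join `advertised`."""
    for profile in saved:
        if profile.ssid != advertised.ssid:
            continue
        if profile.security != advertised.security:
            continue  # a remembered encrypted profile never falls back to open
        if profile.security == "open":
            return True  # the name is the only thing being trusted
        if profile.passphrase == advertised.passphrase:
            return True  # stand-in for a handshake both sides can complete
    return False

def audit_saved(saved: list) -> list:
    """Return (ssid, reason) findings for remembered profiles worth forgetting."""
    findings = []
    for p in saved:
        name = p.ssid.lower()
        common = name in COMMON_SSIDS or name.startswith(COMMON_PREFIXES)
        if p.security == "open":
            reason = "open: any access point using this name will be joined"
            if common:
                reason += " (common default name)"
            findings.append((p.ssid, reason))
        elif p.security == "wep":
            findings.append((p.ssid, "WEP: weak encryption, treat as open"))
    return findings

# Constructed sample profiles: one remembered open network, one WPA home network.
SAVED = [
    Network("tsunami", "open"),
    Network("home-48213", "wpa", "constructed-example-passphrase"),
]
```

Running `audit_saved(SAVED)` flags only the open "tsunami" profile, which is the one to remove with "Forget this network".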