Attacking the Phishing Epidemic

As long as people can be tricked, there will always be phishing (or social engineering) on some level or another, but there’s a lot more that we can do with technology to reduce the effectiveness of phishing, and the number of people falling victim to common theft. Making phishing less effective ultimately increases the cost to the criminal, and reduces the total payoff. Few will argue that our existing authentication technologies are stuck in a time warp, with some websites still using standards that date back to the 1990s. Browser design hasn’t changed very much since the Netscape days either, so it’s no wonder many people are so easily fooled by website counterfeits.

You may have heard of a term called the line of death. This is used to describe the separation between the trusted components of a web browser (such as the address bar and toolbars) and the untrusted components of a browser, namely the browser window. Phishing is easy because this is a farce. We allow untrusted elements in the trusted windows (such as a favicon, which can display a fake lock icon), tolerate financial institutions that teach users to accept any variation of their domain, and use a tiny monochrome font that can make URLs easily mistakable, even if users were paying attention to them. Worse even, it’s the untrusted space that we’re telling users to conduct the trusted operations of authentication and credit card transactions – the untrusted website portion of the web browser!.

Our browsers are so awful today that the very best advice we can offer everyday people is to try and memorize all the domains their bank uses, and get a pair of glasses to look at the address bar. We’re teaching users to perform trusted transactions in a piece of software that has no clear demarcation of trust.

The authentication systems we use these days were designed to be able to conduct secure transactions with anyone online, not knowing who they are, but most users today know exactly who they’re doing business with; they do business with the same organizations over and over; yet to the average user, a URL or an SSL certificate with a slightly different name or fingerprint means nothing. The average user relies on the one thing we have no control over: What the content looks like.

I propose we flip this on its head.

Continue reading “Attacking the Phishing Epidemic”

Confide: A Quick Look

My inbox has been lighting up with questions about Confide, after it was allegedly found to have been used by staffers at the White House. I wish I had all of the free time that reporters think I have (I’d be so happy, living life as a broke beach bum). I did spend a little bit of time, however reverse engineering the binary and doing a simple forensic examination of it. Here’s my “literature in a rush” version.

Note: When I first wrote this blog post, I apparently had run into some corruption or some other strangeness going on with the framework; I suspect one of the tools I normally use might have decrypted it for me, and done a shoddy job without even telling me, so I have decrypted it by hand dumping memory from a debugger, and have updated my findings accordingly.

Continue reading “Confide: A Quick Look”

Protecting Your Data at a Border Crossing

With the current US administration pondering the possibility of forcing foreign travelers to give up their social media passwords at the border, a lot of recent and justifiable concern has been raised about data privacy. The first mistake you could make is presuming that such a policy won’t affect US citizens.  For decades, JTTFs (Joint Terrorism Task Forces) have engaged in intelligence sharing around the world, allowing foreign governments to spy on you on behalf of your home country, passing that information along through various databases. What few protections citizens have in their home countries end at the border, and when an ally spies on you, that data is usually fair game to share back to your home country. Think of it as a backdoor built into your constitutional rights. To underscore the significance of this, consider that the president signed an executive order just today stepping up efforts at fighting international crime, which will likely result in the strengthening of resources to a JTTFs to expand this practice of “spying on my brother’s brother for him”. With this, the president also counted the most common crimes – drugs, gangs, racketeering, etc – as matters of “national security”.

Once policies that require surrendering passwords (I’ll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to leverage receiving better intelligence about their own citizens traveling abroad. It’s likely the US will inspire many countries, including oppressive nations, to institute the same password policies at the border. This will ultimately be used to skirt search and seizure laws by opening up your data to forensic collection. In other words, you don’t need Microsoft to service a warrant, nor will the soil your data sits on matter, because it will be a border agent connecting directly your account with special software throug the front door.

I am not a lawyer, and I can’t provide you with legal advice about your rights, or what you can do at a border crossing to protect yourself legally, but I can explain the technical implications of this, as well as provide some steps you can take to protect your data regardless of what country you’re entering. Disclaimer: You accept full responsibility and liability for taking any of this information and using it.

Continue reading “Protecting Your Data at a Border Crossing”

Slides: Crafting macOS Root Kits

Here are the slides from my talk at Dartmouth College this week; this was a basic introduction / overview of the macOS kernel and how root kits often have fun with the kernel. There’s not much new here, but the deck might be a good introduction for anyone looking to get into develop security tools or conduct security research in macOS. Note: Root kits aren’t exploits; there’s no exploit code in this deck. Sorry!

Crafting macOS Root Kits

Resolving Kernel Symbols in a Post-ASLR macOS World

There are some 21,000 symbols in the macOS kernel, but all but around 3,500 are opaque even to kernel developers. The reasoning behind this was likely twofold: first, Apple is continually making changes and improvements in the kernel, and they probably don’t want kernel developers mucking around with unstable portions of the code. Secondly, kernel dev used to be the wild wild west, especially before you needed a special code signing cert to load a kext, and there were a lot of bad devs who wrote awful code making macOS completely unstable. Customers running such software probably blamed Apple for it, instead of the developer. Apple now has tighter control over who can write kernel code, but it doesn’t mean developers have gotten any better at it. Looking at some commercial products out there, there’s unsurprisingly still terrible code to do things in the kernel that should never be done.

So most of the kernel is opaque to kernel developers for good reason, and this has reduced the amount of rope they have to hang themselves with. For some doing really advanced work though (especially in security), the kernel can sometimes feel like a Fisher Price steering wheel because of this, and so many have found ways around privatized functions by resolving these symbols and using them anyway. After all, if you’re going to combat root kits, you have to act like a root kit in many ways, and if you’re going to combat ransomware, you have to dig your claws into many of the routines that ransomware would use – some of which are privatized.

Today, there are many awful implementations of both malware and anti-malware code out there that resolve these private kernel symbols. Many of them do idiotic things like open and read the kernel from a file, scan memory looking for magic headers, and other very non-portable techniques that risk destabilizing macOS even more. So I thought I’d take a look at one of the good examples that particularly stood out to me. Some years back, Nemo and Snare wrote some good in-memory symbol resolving code that walked the LC_SYMTAB without having to read the kernel from disk, scan memory, or do any other disgusting things, and did it in a portable way that worked on whatever new versions of macOS came out. 

Continue reading “Resolving Kernel Symbols in a Post-ASLR macOS World”

Open Letter to the Law Enforcement Community

To my friends in law enforcement, and many whom I don’t know serving our country:

First, thank you. You do an incredibly difficult job that often goes unseen, and you put your life at risk to make this great country safer. For that, I am deeply grateful.

Many of you have suddenly found yourselves on the wrong side of history. Our country has what, by many appearances, seems to be an illegitimate president who may be the product of the Russian intelligence community, and possibly even the head of the FBI, both of whom played a role in defrauding or manipulating our election system. Within one week of taking office, Trump has shown himself a madman who uses racism and personal prejudice to fill in the gaps that his incompetence affords. Seemingly overnight, our country has been transformed from what many had considered a free country struggling to overcome their indifferences, now into a place of fear for basic human rights. Racist extremist minority groups, deeply rooted in our country, have suddenly become empowered to hate, igniting hostility against anyone who is different from the majority in skin tone, religion, or sexual orientation.

With the stroke of a pen, livelihoods and families have been discarded by the government, as many who have lived legally in our country for years now have had to fight against illegal deportation orders, or have been banned from re-entering the country they call home. These men, women, and children are considered among enemies of the state not for committing a crime, but for merely existing. Meanwhile, science, technology, and even the arts are being harmed through this disgraceful practice, as many of these human beings are scientists, engineers, movie directors, and other productive human beings working for large technology innovators, defense contractors, or even in Hollywood. All of them went through several layers of vetting far beyond what the president has ever been subject to, just to be in this country and get the jobs they have. We’re in very troubling times – times that frighten everyone, except those in power.

Continue reading “Open Letter to the Law Enforcement Community”

Technical Analysis: Meitu is Junkware, but not Malicious

Last week, I live tweeted some reverse engineering of the Meitu iOS app, after it got a lot of attention on Android for some awful things, like scraping the IMEI of the phone. To summarize my own findings, the iOS version of Meitu is, in my opinion, one of thousands of types of crapware that you’ll find on any mobile platform, but does not appear to be malicious. In this context, I looked for exfiltration or destruction of personal data to be a key indicator of malicious behavior, as well as performing any kind of unauthorized code execution on the device or performing nefarious tasks… but Meitu does not appear to go beyond basic advertiser tracking. The application comes with several ad trackers and data mining packages compiled into it – which appear to be primarily responsible for the app’s suspicious behavior. While it’s unusually overloaded with tracking software, it also doesn’t seem to be performing any kind of exfiltration of personal data, with some possible exceptions to location tracking. One of the reasons the iOS app is likely less disgusting than the Android app is because it can’t get away with most of that kind of behavior on the iOS platform.

Continue reading “Technical Analysis: Meitu is Junkware, but not Malicious”

Configuring the Touch Bar for System Lockdown

The new Touch Bar is often marketed as a gimmick, but one powerful capability it has is to function as a lockdown mechanism for your machine in the event of a physical breach. By changing a few power management settings and customizing the Touch Bar, you can add a button that will instantly lock the machine’s screen and then begin a countdown (that’s configurable, e.g. 5 minutes) to lock down the entire system, which will disable the fingerprint reader, remove power to the RAM, and discard your FileVault keys, effectively locking the encryption, protecting you from cold boot attacks, and prevent the system from being unlocked by a fingerprint.

One of the reasons you may want to do this is to allow the system to remain live while you step away, answer the door, or run to the bathroom, but in the event that you don’t come back within a few minutes, lock things down. It can be ideal for the office, hotels, or anywhere you feel that you feel your system may become physically compromised. This technique offers the convenience of being able to unlock the system with your fingerprint if you come back quickly, but the safety of having the system secure itself if you don’t.

Continue reading “Configuring the Touch Bar for System Lockdown”

Backdoor: A Technical Definition

Original Date: April, 2016

A clear technical definition of the term backdoor has never reached wide consensus in the computing community. In this paper, I present a three-prong test to determine if a mechanism is a backdoor: “intent”, “consent”, and “access”; all three tests must be satisfied in order for a mechanism to meet the definition of a backdoor. This three-prong test may be applied to software, firmware, and even hardware mechanisms in any computing environment that establish a security boundary, either explicitly or implicitly. These tests, as I will explain, take more complex issues such as disclosure and authorization into account.

The technical definition I present is rigid enough to identify the taxonomy that backdoors share in common, but is also flexible enough to allow for valid arguments and discussion.

Continue reading “Backdoor: A Technical Definition”

On Christianity

I’ve often been asked why an intellectual type guy such as myself would believe in God – a figure most Americans equate to a good bedtime story, or a religious symbol for people who need that sort of thing. Quite the contrary, what I’ve discovered in my years of being a Christian is that it is highly intellectually stimulating to strive to understand God, and that my faith has been a thought-provoking and captivating journey.  I wasn’t raised in a Christian home, nor did I have any real preconceived notions about concepts such as church or the Bible. Like most, I didn’t really understand Christianity with anything other than an outside perception for the first part of my life – all I had surmised was that he was a religious symbol for religious people.

Today’s perception of Christianity is that of a hate-filled, bigoted group of racists, a title that many so-called Christians have rightfully earned for themselves. This doesn’t represent Christianity any more than the other stereotypes do, and even atheists know enough about the Bible to know that such a position is hypocritical. Since 1993, I’ve been walking in the conviction that God is more than just a story, that he’s nothing like the stereotypes, and that it takes looking outside of typical American culture to really get an idea of what God is about. In this country, I’ve seen all of the different notions of what a church should be; I think most people already know in their heart who God is, and that’s why they’re so averse to the church.

Continue reading “On Christianity”

On NCCIC/FBI Joint Report JAR-16-20296

Social media is ripe with analysis of an FBI joint report on Russian malicious cyber activity, and whether or not it provides sufficient evidence to tie Russia to election hacking. What most people are missing is that the JAR was not intended as a presentation of evidence, but rather a statement about the Russian compromises, followed by a detailed scavenger hunt for administrators to identify the possibility of a compromise on their systems. The data included indicators of compromise, not the evidentiary artifacts that tie Russia to the DNC hack.

One thing that’s been made clear by recent statements by James Clapper and Admiral Rogers is that they don’t know how deep inside American computing infrastructure Russia has been able to get a foothold. Rogers cited his biggest fear as the possibility of Russian interference by injection of false data into existing computer systems. Imagine the financial systems that drive the stock market, criminal databases, driver’s license databases, and other infrastructure being subject to malicious records injection (or deletion) by a nation state. The FBI is clearly scared that Russia has penetrated more systems than we know about, and has put out pages of information to help admins go on the equivalent of a bug bounty.

Continue reading “On NCCIC/FBI Joint Report JAR-16-20296”

Three Recommendations to Harden iOS Against Jailbreaks and Malware

Apple has been fighting for a secure iPhone since 2007, when the first jailbreaks came out about two weeks after the phone was released. Since then, they’ve gotten quite good at keeping the jailbreak community on the defensive side of this cat and mouse game, and hardened their OS to an impressive degree. Nonetheless, as we see every release, there are still vulnerabilities and tomhackery to be had. Among the most notable recent exploits, iOS 9 was patched for a WebKit memory corruption vulnerability that was used to deploy the Trident / Pegasus surveillance kit on selected nation state targets, and Google Project Zero recently announced plans to release a jailbreak for iOS 10.1 after submitting an impressive number of critical vulnerabilities to Apple (props to Ian Beer, who should be promoted to wizard).

I’ve been thinking about ways to harden iOS against jailbreaks, and came up with three recommendations that would up the game considerably for attackers. Two of them involve leveraging the Secure Enclave, and one is an OS hardening technique.

Security is about increasing the cost and time it takes to penetrate a target. These recommendations are designed to do just that: They’d greatly frustrate and upset current ongoing jailbreak and malware efforts.

Continue reading “Three Recommendations to Harden iOS Against Jailbreaks and Malware”

Putting the 16GB “Pro” Myth to Rest

Apple’s latest MacBook Pro line is limited to 16GB due to energy (and likely heat) constraints, and that’s gotten a lot of people complaining that it simply isn’t enough for “real pros”. Ironically, many of the people saying that don’t quite fall into what many others would consider a “real pro” themselves; at least based on the target demographic of Apple’s “pro” line, which has traditionally been geared toward working professionals such as photographers, producers, engineers, and the like (not managers and bloggers). But even so, let’s take a look at what it takes to really pin your MacBook Pro’s memory, from a “professional’s” perspective.

I fired up a bunch of apps and projects (more than I’d ever work on at one time) in every app I could possibly think of on my MacBook Pro. These included apps you’d find professional photographers, designers, software engineers, penetration testers, reverse engineers, and other types running – and I ran them all at once, and switched between them, making “professionally-type-stuff” happen as I go.

Here’s a list of everything I ran at once:

Continue reading “Putting the 16GB “Pro” Myth to Rest”

San Bernardino: Behind the Scenes

I wasn’t originally going to dig into some of the ugly details about San Bernardino, but with FBI Director Comey’s latest actions to publicly embarrass Hillary Clinton (who I don’t support), or to possibly tip the election towards Donald Trump (who I also don’t support), I am getting to learn more about James Comey and from what I’ve learned, a pattern of pushing a private agenda seems to be emerging. This is relevant because the San Bernardino iPhone matter saw numerous accusations of pushing a private agenda by Comey as well; that it was a power grab for the bureau and an attempt to get a court precedent to force private business to backdoor encryption, while lying to the public and possibly misleading the courts under the guise of terrorism.

Continue reading “San Bernardino: Behind the Scenes”

On the State of Open Source

screen-shot-2016-10-03-at-11-40-10-amI was just a teenager when I got involved in the open source community. I remember talking with an old bearded guy once about how this new organization, GNU, is going to change everything. Over the years, I mucked around with a number of different OSS tools and operating systems, got excited when symmetric multiprocessing came to BSD, screwed around with Linux boot and root disks, and had become both engaged and enthralled with the new community that had developed around Unix over the years. That same spirit was simultaneously shared outside of the Unix world, too. Apple user groups met frequently to share new programs we were working on with our ][c’s, and later our ][gs’s and Macs, exchange new shareware (which we actually paid for, because the authors deserved it), and to buy stacks of floppies of the latest fonts or system disks. We often demoed our new inventions, shared and exchanged the source code to our BBS systems, games, or anything else we were working on, and made the agendas of our user groups community efforts to teach and understand the awful protocols, APIs, and compilers we had at the time. This was my first experience with open source. Maybe it was not yours, although I hope yours was just as positive.

It wasn’t open source that people were excited about, and we didn’t really even call it open source at first. It was computer science in general. Computer science was a brand new world of discovery for many of us, and open source was merely the bi-product of natural curiosity and the desire to share knowledge and collaborate. You could call it hacking, but at the time we didn’t know what the hell we were doing, or what to call it. The environment, at the time, was positive, open, and supportive; words that, unfortunately, you probably wouldn’t associate with open source today. You could split hairs and call this the “computing” or “hacking” community, but at the time all of these things were intertwined, and you couldn’t tease them apart without destroying them all: perhaps that’s what went wrong, eventually we did.

Continue reading “On the State of Open Source”

WhatsApp Forensic Artifacts: Chats Aren’t Being Deleted

Sorry, folks, while experts are saying the encryption checks out in WhatsApp, it looks like the latest version of the app tested leaves forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them… even if you “Clear All Chats”. In fact, the only way to get rid of them appears to be to delete the app entirely.

To test, I installed the app and started a few different threads. I then archived some, cleared, some, and deleted some threads. I made a second backup after running the “Clear All Chats” function in WhatsApp. None of these deletion or archival options made any difference in how deleted records were preserved. In all cases, the deleted SQLite records remained intact in the database.

Just to be clear, WhatsApp is deleting the record (they don’t appear to be trying to intentionally preserve data), however the record itself is not being purged or erased from the database, leaving a forensic artifact that can be recovered and reconstructed back into its original form.

Continue reading “WhatsApp Forensic Artifacts: Chats Aren’t Being Deleted”

Moving Semi-Auto Rifles Into the National Firearms Act

I’m a long time responsible gun owner and enthusiast who, like many, would like to see more controls on semi-automatic weapons; particularly, what many refer to as “assault rifles”. Indeed, I’m well aware of all the Kool-Aid on both sides surrounding assault weapons, and I think both sides have some ridiculous notions about them. The extreme left seems to have developed an irrational fear and hatred of all guns and the right believes the only solution to guns are more guns. I used to drink the gun rights Kool-Aid. I’ve shot and smithed guns for over 15 years now, gotten the NRA certifications to supervise ranges and to carry concealed weapons, and have been an avid long range shooter. Up until a few years ago, when I sold the rights to it, I produced the #1 ballistics computer in the App Store, and made a very comfortable revenue off of the gun community with just a few hours a month of coding.

I’ve spent over 15 years in the gun community, listened to all of the political arguments surrounding “assault weapons”, and have met some intelligent people. I’ve met more wildly ignorant people, who don’t even know how their AR-15s work let alone have any sense of the world. The political dogma surrounding assault weapons is downright embarrassing on the gun rights side. If we really believe that guns are keeping the government in check, then they’ve quite failed at that task. If guns supposedly make for a more peaceful society, then why is our country’s gun violence worse than most third world countries, and why are virtually all other first world countries statistically safer on a high order of magnitude? Perhaps if more gun owners traveled and saw how other societies lived – many without the distrust and predisposition to violence that we hold even towards our own neighbors – they might see how sorely mistaken their mindset has been all this time. Instead, many choose to live ignorantly believing that the rest of the world is as vicious and violent as many are in the US. It’s simply not true.

Continue reading “Moving Semi-Auto Rifles Into the National Firearms Act”

General Motors 2015-2016 Safety Issue w/Cruise Control [Ignored by Chevrolet]

I’ve filed the following safety issue with the NHTSA, after spending considerable time attempting to explain this safety issue to Chevrolet only to get incoherent answers by people who don’t appear competent enough to understand the problem. If you’ve been in an accident caused by GM’s speed control, it’s possible that this may potentially have come into play. I’ve been able to reproduce this glitch in 2015-2016 Silverado models, however it’s likely to affect any vehicles with the same speed control. It most likely affects the GMC Sierra, as well as other trucks and vehicles using the same speed control system (possibly Yukon, Suburban, Escalade, and Tahoe).

In the case below, speed control acts directly contrary to the way it is stated in the user manual, and how the driver expects it to behave. Chevrolet doesn’t appear to either understand or has dismissed the safety implications below. If you’ve been affected by this, I recommend you contact your attorney.

The final response I received from Chevrolet is to hold the “set” button in rather than press it multiple times – in spite of the fact that their own owner’s manual specifically states that pressing it briefly multiple times will lower the speed:

“To slow down in small increments, briefly press the SET– button. For each press, the vehicle goes about 1.6 km/h (1 mph) slower”

So Chevrolet’s “solution” is, rather than fix cruise control so that it behaves the way it’s documented in the manual, instead to have me change my driving habits to use cruise control in a way that is counter-intuitive and not standard to other vehicles, including other Chevrolet models. It is sad that software bugs like this are among the easiest to fix and issue a recall for, yet also appear to often be the most likely types of problems to be dismissed or rationalized by Chevrolet. In the event this costs someone their life, I wanted this to be documented publicly since Chevrolet has expressed no interest in correcting the problem or issuing a recall.

A CONDITION EXISTS WHERE, AFTER THE DRIVER HAS USED THE GAS PEDAL TO ACCELERATE, THEN HAS REMOVED THEIR FOOT FROM THE PEDAL, THEN PRESSES THE CRUISE “SET” BUTTON IMMEDIATELY OR A BRIEF MOMENT LATER, AND THEN IMMEDIATELY ATTEMPTS TO DECELERATE BY REPEATEDLY PRESSING MINUS “-” ON THE CRUISE CONTROL, THAT THE SPEED CONTROL BECOMES CONFUSED AND DISPLAYS MULTIPLE DIFFERENT SPEEDS, WHILE MAINTAINING THE ORIGINAL SPEED, EVEN THOUGH THE DRIVER BELIEVES THEY ARE DECELERATING. THIS CAN BE REPRODUCED ON ANY 2015-2016 SILVERADO MODEL BY FOLLOWING THESE STEPS: THROTTLE UP AND ACCELERATE (TO PASS, FOR EXAMPLE), REMOVE FOOT FROM ACCELERATOR, THEN IMMEDIATELY PRESS THE “SET” BUTTON, FOLLOWED BY 5-10 PRESSES ON THE DECELERATE “-” BUTTON; THE SPEED WILL SET AT 65, FOR EXAMPLE, THEN FLIP BETWEEN 64, 65, 63, 65, 62, 65, 61, 65, 60, 65, AND SO ON, MAINTAINING SPEED AT 65 EVEN THOUGH THE DRIVER IS INSTRUCTING THE VEHICLE TO DECELERATE AND THE REDUCED SPEED IS TEMPORARILY DISPLAYED. IT MAY TAKE 5-10 SECONDS FOR THE SPEED CONTROL TO CLEAR ALLOWING THE DRIVER TO MAKE CHANGES, HOWEVER THEY WILL STILL BE CRUISING AT 65. DURING THIS PERIOD, THE DRIVER DOES NOT REALIZE THAT THEY WERE NOT DECELERATING AT WHICH POINT THEY MAY TAP THE BRAKES TO DISENGAGE CRUISE, BUT HAVE LOST 5-10 SECONDS OF REFLEX TIME. THIS HAS PRESENTED A DANGEROUS CONDITION WHERE THE DRIVER BELIEVES THEY’RE DECELERATING WHEN TOO QUICKLY APPROACHING ANOTHER VEHICLE, RISKING COLLISION.

WSJ Describes Reckless Behavior by FBI in Terrorism Case

The Wall Street Journal published an article today citing a source at the FBI is planning to tell the White House that “it knows so little about the hacking tool that was used to open terrorist’s iPhone that it doesn’t make sense to launch an internal government review”. If true, this should be taken as an act of recklessness by the FBI with regards to the Syed Farook case: The FBI apparently allowed an undocumented tool to run on a piece of high profile, terrorism-related evidence without having adequate knowledge of the specific function or the forensic soundness of the tool.

Best practices in forensic science would dictate that any type of forensics instrument needs to be tested and validated. It must be accepted as forensically sound before it can be put to live evidence. Such a tool must yield predictable, repeatable results and an examiner must be able to explain its process in a court of law. Our court system expects this, and allows for tools (and examiners) to face numerous challenges based on the credibility of the tool, which can only be determined by a rigorous analysis. The FBI’s admission that they have such little knowledge about how the tool works is an admission of failure to evaluate the science behind the tool; it’s core functionality to have been evaluated in any meaningful way. Knowing how the tool managed to get into the device should be the bare minimum I would expect anyone to know before shelling out over a million dollars for a solution, especially one that was going to be used on high-profile evidence.

A tool should not make changes to a device, and any changes should be documented and repeatable. There are several other variables to consider in such an effort, especially when imaging an iOS device. Apart from changes made directly by the tool (such as overwriting unallocated space, or portions of the file system journal), simply unlocking the device can cause the operating system to make a number of changes, start background tasks which could lead to destruction of data, or cause other changes unintentionally. Without knowing how the tool works, or what portions of the operating system it affects, what vulnerabilities are exploited, what the payload looks like, where the payload is written, what parts of the operating system are disabled by the tool, or a host of other important things – there is no way to effectively measure whether or not the tool is forensically sound. Simply running it against a dozen other devices to “see if it works” is not sufficient to evaluate a forensics tool – especially one that originated from a grey hat hacking group, potentially with very little actual in-house forensics expertise.

Continue reading “WSJ Describes Reckless Behavior by FBI in Terrorism Case”

Hardware-Entangled APIs and Sessions in iOS

Apple has long enjoyed a security architecture whose security, in part, rests on the entanglement of their encryption to a device’s physical hardware. This pairing has demonstrated to be highly effective at thwarting a number of different types of attacks, allowing for mobile payments processing, secure encryption, and a host of other secure services running on an iPhone. One security feature that iOS lacks for third party developers is the ability to validate the hardware a user is on, preventing third party applications from taking advantage of such a great mechanism. APIs can be easily spoofed, as a result, and sessions and services are often susceptible to a number of different forms of abuse. Hardware validation can be particularly important when dealing with crowd-sourced data and APIs, as was the case a couple years ago when a group of students hacked Waze’s traffic intelligence. These types of Sybil attacks allow for thousands of phantom users to be created off of one single instance of an application, or even spoof an API altogether without a connection to the hardware. Other types of MiTM attacks are also a threat to applications running under iOS, for example by stealing session keys or OAuth tokens to access a user’s account from a different device or API. What can Apple do to thwart these types of attacks? Hardware entanglement through the Secure Enclave.

Continue reading “Hardware-Entangled APIs and Sessions in iOS”