Working From Home Security Checklist

If you’re like me then you’ve probably spent most (all) of the last year working from home. The UK Government stance went from “Work from home if you can” to “go back to the office” then back to the original advice. I think most people however just stayed WFH.

Working from home can be a very positive experience – no more commuting, no more interruptions when you’re trying to get work done, wearing your onesie all day. Your work’s IT department however has a bit of a nightmare on their hands as they can’t exactly control all of your internet traffic like they can when you’re behind the work firewall.

If you’re not provided with a work laptop then you’re going to have to use your personal computer and you’ll be responsible for its security. So here’s some general security advice which you should be applying when stuck in your home office:

Be wary of phishing campaigns

You need to know how to identify if an e-mail or a text message has come from a legitimate source. E-mails and SMS are the two most common avenues that hackers will look to exploit to ‘phish’ you.

Phishing involves an element of social engineering, tricking you into revealing login credentials, personal information, or payment details.

If you’re unsure about the sender of an e-mail – perhaps you got an e-mail that looks like it came from your employer but you’re not quite convinced – then always check with the supposed person. Don’t click on any links in the e-mail. Get them on the phone or get them on a Teams/Zoom/FaceTime/other call, and ask them “Did you send me this e-mail?” – it could just save you your job, your savings, and your privacy.

You need to check the ‘From’ address and make sure you know the domain that the e-mail was sent from. This is a high-level tip, many more detailed guides exist online.

If you don’t recognise the phone number of a text message, or worse, it contains a link too, never tap on any links.

Verify, verify, verify.
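The "check the From address and know the domain" tip above can be turned into a mechanical check. The following is an added example of my own (not code from the original post): it parses a raw message with Python's standard email module, extracts the sender domain, compares it against an allowlist of domains you know, and flags two common tricks: an e-mail address planted in the display name that differs from the real address, and a Reply-To pointing somewhere else. The two messages and the domain example-employer.co.uk are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your employer really sends from. Constructed for this example.
TRUSTED_DOMAINS = {"example-employer.co.uk"}

# Constructed sample messages (not real mail).
LEGIT_MESSAGE = (
    "From: IT Support <it-support@example-employer.co.uk>\n"
    "Subject: Password expiry reminder\n"
    "\n"
    "Your password expires in 7 days.\n"
)

SPOOFED_MESSAGE = (
    'From: "it-support@example-employer.co.uk" <alerts@example-employer-login.com>\n'
    "Reply-To: helpdesk@mailbox.example\n"
    "Subject: Urgent: verify your account\n"
    "\n"
    "Click the link to keep your account.\n"
)


def sender_domain(address):
    """Lowercase domain part of an e-mail address, or '' if there is none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def check_from_header(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of warnings; an empty list means the headers looked consistent."""
    msg = message_from_string(raw_message)
    warnings = []

    # parseaddr splits 'Display Name <user@domain>' into its two parts.
    display_name, address = parseaddr(msg.get("From", ""))
    domain = sender_domain(address)
    if not domain:
        warnings.append("From header has no usable address")
        return warnings

    # 1. Is the real sending domain one we actually know?
    if domain not in trusted_domains:
        warnings.append(f"sender domain '{domain}' is not a known domain")

    # 2. Display-name spoofing: an address shown in the name part that is not the real one.
    planted = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if planted and planted.group(1).lower() != domain:
        warnings.append(
            f"display name shows '{planted.group(0)}' but the real address is '{address}'"
        )

    # 3. Replies silently redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and sender_domain(reply_to) != domain:
        warnings.append(f"Reply-To '{reply_to}' goes to a different domain than the sender")

    return warnings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, check_from_header(raw) or ["no warnings"])
```

The allowlist is the important part: a mail client shows the display name prominently, so "it-support@example-employer.co.uk" in the name field looks convincing until the real address in angle brackets is compared against domains you know.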

Windows/macOS Updates

Ensure that your operating system has all of the latest updates installed. The vendors (Microsoft, Apple, etc.) regularly release security patches for OS vulnerabilities, and Microsoft uses Windows Update to download the latest virus/malware definition files for Microsoft Defender.

Antivirus

Windows has a decent firewall and antivirus installed by the name of Microsoft Defender (formerly Windows Defender).

Make sure these settings are all enabled

These Microsoft Defender settings should be enabled by default. If they’re not, turn them on. If you can’t turn them on, you may have an issue. Contact your company’s IT Support team.

macOS is not immune to viruses and other malware, but it is a much smaller target. macOS has a built-in system called XProtect which works silently in the background to protect the system. Make sure you keep macOS up-to-date. If you would like to install a third-party antivirus for peace of mind then I recommend BitDefender.

Browser Updates

There were some recent major vulnerabilities found in browsers like Google Chrome. Google were relatively quick to release an update and patch those problems.

Most people use Chrome (63% as of November 2020) so it’s a big deal when vulnerabilities are found. However, Chrome is great at notifying you when the browser is out of date. You’ll get a prompt at the top right of the browser window when you need to install an update. If you want to check the browser version then click the ‘three dots’ icon, point to Help, and click About.

Version 87 and below have major vulnerabilities

You should also install updates for Microsoft Edge, Mozilla Firefox etc. as soon as they become available.

If you want to ask some general security questions about your home office setup I have created a little community on Facebook where you’ll be welcomed.

Stay safe,

James.

Recent iOS 14 Vulnerabilities

UPDATE YOUR APPLE DEVICES TO iOS 14.4 (or higher) NOW!

Luckily, most people who will be interested in reading this will be fully aware of the importance of patching/updating software. But if you’re new here: you need to keep all of your devices up-to-date, because the vendors release these very important things called SECURITY PATCHES. iOS 14.4 has patches for three major vulnerabilities which have already affected users. This means that those users may have had money stolen from their bank accounts, may have had someone or some organisation spying on them, may have had their photos stolen, etc… so UPDATE NOW!

Apple recently released a new security alert about iOS 14 vulnerabilities. In the security support document, Apple details a kernel vulnerability and two WebKit vulnerabilities that can allow attackers to execute arbitrary code on all iPhones and iPads running iOS/iPadOS 14. Apple says it is aware of a report that the issues may have been actively exploited.

CVE-2021-1782, credited to an anonymous researcher, describes how a malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited.
Affected devices: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)

CVE-2021-1871 and CVE-2021-1870, both credited to an anonymous researcher (or researchers), describe how a remote attacker can cause arbitrary code execution by sending a user a URL or other link which will load malicious code.

Affected devices: iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation)

Stay safe,

James.

Online Doctor App is Leaking Videos of Patient Consultations

A security researcher named Rory Glover tweeted today that he is able to access video recordings of medical consultations of other patients through the Online Doctor app, Babylon Health.

Rory claims that over 50 video recordings of private consultations are being leaked publicly.

If this claim is valid then Babylon Health may be liable for GDPR violations and massive fines.

Rory spoke to the BBC and said:

On Tuesday morning, when he went to check a prescription, he noticed he had about 50 videos in the Consultation Replays section of the app that did not belong to him.

Clicking on one revealed that the file contained footage of another person’s appointment.

“I was shocked,” he told the BBC.

“You don’t expect to see anything like that when you’re using a trusted app. It’s shocking to see such a monumental error has been made.”

Mr Glover said he alerted a work colleague to the fact, who used to work for Babylon. He in turn flagged the issue to the company’s compliance department.

Babylon, which has its headquarters in London, has since confirmed the breach.

“On the afternoon of Tuesday 9 June we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient’s consultation recording,” it said in a statement.

“Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients’ consultations through a subsection of the user’s profile within the Babylon app.”

Babylon told the BBC it had already been in touch with everyone involved to inform them and apologise.

Apple Macs Transitioning to ARM in 2021

According to Bloomberg, Apple are going to announce at the upcoming Worldwide Developer Conference (WWDC20) a transition to ARM-based processors for all Macs. It will be interesting to see how Apple maintains compatibility for all of the x86 compiled apps which have been on macOS forever. This may also be another sign that we’re going to see a cross-platform play between Mac and iPad. Who knows but it’s going to be interesting!

Take a look at what Bloomberg said today:

Apple Inc. is planning to start selling Mac computers with its own main processors by next year, relying on designs that helped popularize the iPhone and iPad, according to people familiar with the matter.

The Cupertino, California-based technology giant is working on three of its own Mac processors, known as systems-on-a-chip, based on the A14 processor in the next iPhone. The first of these will be much faster than the processors in the iPhone and iPad, the people said.

Apple is preparing to release at least one Mac with its own chip next year, according to the people. But the initiative to develop multiple chips, codenamed Kalamata, suggests the company will transition more of its Mac lineup away from current supplier Intel Corp.

Taiwan Semiconductor Manufacturing Co., Apple’s partner for iPhone and iPad processors, will build the new Mac chips, said the people, who asked not to be identified discussing private product plans. The components will be based on a 5-nanometer production technique, the same size Apple will use in the next iPhones and iPad Pros, one of the people said. An Apple spokesman declined to comment, as did Intel and TSMC.

Apple is designing more of its own chips to gain greater control over the performance of its devices and differentiate them from rivals. Getting Macs, iPhones and iPads running the same underlying technology should make it easier for Apple to unify its apps ecosystem and update its computers more often. The move would also reduce reliance on Intel, which has struggled to maintain the annual increases in performance it once offered.

“This news has negative longer-term implications for Intel, in-line with our concerns around Intel’s future market share,” Brad Gastwirth, chief technology strategist at Wedbush Securities, wrote in a note to investors. Shares of the chipmaker fell as much as 2.2% on Thursday while the rest of the market rose.

Current mobile device chips from Apple have multiple processing units, or cores, that handle different types of tasks. The latest iPad Pro has four cores for performance-intensive workloads and another four to handle low-power tasks to preserve battery life.

The first Mac processors will have eight high-performance cores, codenamed Firestorm, and at least four energy-efficient cores, known internally as Icestorm. Apple is exploring Mac processors with more than 12 cores for further in the future, the people said.

In some Macs, Apple’s designs will double or quadruple the number of cores that Intel provides. The current entry-level MacBook Air has two cores, for example.

Like Qualcomm Inc. and the rest of the mobile semiconductor industry, Apple designs its smartphone chips with technology from Arm Inc., owned by SoftBank Group Corp. These components often use less energy than Intel’s offerings. But in recent years, Arm customers have tried to make processors that are also more powerful.

The transition to in-house Apple processor designs would likely begin with a new laptop because the company’s first custom Mac chips won’t be able to rival the performance Intel provides for high-end MacBook Pros, iMacs and the Mac Pro desktop computer.

The switch away from Intel is complex, requiring close collaboration between Apple’s software, hardware and component-sourcing teams. Given work-from-home orders and disruptions in the company’s Asia-based supply chain, the shift could be delayed, the people said.

Like with the iPhone, Apple’s Mac processors will include several components, including the main processor, known as a Central Processing Unit or CPU, and the GPU, the graphics chip. Apple’s lower-end computers currently use Intel for graphics, while it has partnered with Advanced Micro Devices Inc. for the graphics cards in its professional-focused offerings.

The Kalamata project has been going for several years. In 2018, Apple developed a Mac chip based on the iPad Pro’s A12X processor for internal testing. That gave the company’s engineers confidence they could begin replacing Intel in Macs as early as 2020, Bloomberg News reported.

Apple has already started designing a second generation of Mac processors that follows the architecture of chips planned for the 2021 iPhone. That indicates Apple wants to put its Macs, iPhones and iPads on the same processor development cycle.

Despite a unified chip design, Macs will still run the macOS operating system, rather than the iOS software of the iPhone and iPad. Apple is exploring tools that will ensure apps developed for older Intel-based Macs still work on the new machines. The company also has technology called Catalyst that lets software developers build an iPad app and run it on Mac computers.

Moving macOS from Intel’s chip architecture to an Arm-based design will be a technical challenge. Microsoft Corp. stumbled with a similar effort.

The changes will be a blow to Intel’s prestige. Apple Co-founder Steve Jobs and the late Intel Chief Executive Officer Paul Otellini stood on stage in 2005 to announce the first Macs with Intel processors. The decision was praised for several years, resulting in capable computers such as the original Mac Pro in 2006, the second-generation MacBook Air in 2010 and the thinner MacBook Pro in 2012.

But in recent years, the pace of Mac upgrades has declined, partly due to a slowdown in Intel’s chip advancements. That sometimes left years between Mac refreshes, upsetting some customers. Intel has also faced manufacturing challenges that Apple has blamed for some recent declines in Mac sales.

Kalamata is Apple’s most ambitious computer chip initiative to date. It currently offers specific chips for Mac features, such as security and power management, that work alongside the main Intel processors.

Apple also aims to stop using Intel cellular modems — chips that connect smartphones to the internet and support calls — after using them for only four years. The company plans to use 5G modems from Qualcomm in as many as four new iPhone models later this year. Apple last year acquired Intel’s modem business after striking the short-term supply deal with Qualcomm.

https://www.bloomberg.com/news/articles/2020-04-23/apple-aims-to-sell-macs-with-its-own-chips-starting-in-2021

FitBit Users Can’t Turn off Friend Requests

A UK-based web application security researcher today noticed that his FitBit account is subject to ‘Friend Requests’ from other FitBit owners.

The researcher, known only as -Redacted-, today tweeted about a friend request he received. He says that he bought a FitBit for his own personal use and to track his exercise goals.

Friends on FitBit profiles can track each other’s exercise progress and message each other, and they also have a leaderboard which tracks who has made the most progress that week.

-Redacted- does not want to share his exercise data with other users so he investigated how to turn off friend requests and make his profile completely private. -Redacted- was shocked to find out about FitBit’s stance on this subject.

FitBit said: “You can make your profile private by setting the privacy of your data… but it’s not possible to make yourself entirely invisible. You can choose not to receive Notifications from friend requests but they will always reach you.”

FitBit was bought by Google in November 2019.

Romanian Cash Machine Skimming Gang Stole $1.2 Billion From Tourists in Mexico

The cash machine company “Intacash” installed sophisticated debit and credit card skimming devices on at least 100 machines, and distributed them throughout Mexico, including in many tourist spots.


Intacash is owned by Florian ‘The Shark’ Tudor, who is allegedly also the leader of Romanian mafia gang ‘Riviera Maya’.

It is alleged that the skimming operation stole card details from an average of 1,000 cards per cash machine every month and siphoned an average of $200 from every card. This allowed the gang to steal approximately $20 million per month.

A three-part web series published in 2015 by Brian Krebs of KrebsOnSecurity.com detailed the discovery of around two dozen Intacash machines with Bluetooth-enabled skimming devices.


One of the Bluetooth-enabled PIN pads pulled from a compromised ATM in Mexico. Copyright KrebsOnSecurity.com

These devices are much more difficult to identify than the typical devices fitted on the exterior of a cash machine.

A report published yesterday by the Organized Crime and Corruption Reporting Project (OCCRP) fills out the whole picture. The OCCRP alleges that police investigators now believe “Intacash installed the same or similar skimming devices in its own ATMs prior to deploying them – despite advertising them as equipped with the latest security features and fraudulent device inhibitors.”


Watch the 2015 investigation on https://krebsonsecurity.com and read the OCCRP’s report at https://www.occrp.org/en

Penetration Testing and App Security Services

We are a growing information security startup in Scotland. James is our lead consultant and we have a small army of contractors. Our services include:

  • Complete application security reports, tailored as requested (black-box/white-box, threat modelling/full risk assessment, etc.)
  • Cloud, mobile, and web application penetration tests
  • Reviews and reports for US-compliance requirements, including
    • FIPS 140-2 – US Security Standard for Cryptographic Modules
    • FDA 510(k), Premarket Submissions for Medical Devices

Send an e-mail now to discuss your requirements.

The Only Way to Bypass SSL Pinning on iOS 13

Use Frida and Objection!

By now you should know how to install Burp Suite and set it up to proxy your iOS device. If this is all you do, then any app that pins its certificate will reject Burp’s certificate and you will come up against TLS errors.

You have to use Frida and Objection to inject an SSL bypass into the app you’re interested in. Only then will you be able to proxy all network traffic from that app.
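To see why the proxy fails before the bypass is applied, here is an added example of my own (not code from the original post, Objection or Frida) of the check a pinning app performs: it hashes the SubjectPublicKeyInfo of each certificate in the presented chain and accepts the connection only if one of them is in the hard-coded pin set. The SPKI byte strings, the host api.example and the pin set are constructed stand-ins; real pins are computed over the DER bytes of the certificate’s public key, but the logic is the same.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. They exist only
# so the example runs offline; real pins are computed over actual certificate key bytes.
API_LEAF_SPKI = b"constructed-spki: api.example leaf key"
API_BACKUP_SPKI = b"constructed-spki: api.example backup key (held offline)"
PROXY_LEAF_SPKI = b"constructed-spki: leaf key minted by an intercepting proxy"
PROXY_CA_SPKI = b"constructed-spki: proxy CA key installed as trusted on the device"


def spki_pin(spki_der):
    """Pin string in the 'sha256/<base64>' form used by HPKP and OkHttp's CertificatePinner."""
    digest = hashlib.sha256(spki_der).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


# What the app ships with: the live key plus a backup, so the key can be rotated
# without locking out installed apps (shipping a single pin is the classic mistake).
PINNED_FOR_API = {spki_pin(API_LEAF_SPKI), spki_pin(API_BACKUP_SPKI)}


def verify_pinned_chain(chain_spkis, pins):
    """Pinning rule: the chain passes if ANY certificate's SPKI hash is in the pin set.

    This runs after, and in addition to, the normal chain-of-trust check, which is why
    installing the proxy's CA certificate on the device is not enough on its own.
    Returns (ok, matched_pin_or_None).
    """
    for spki in chain_spkis:
        pin = spki_pin(spki)
        if pin in pins:
            return True, pin
    return False, None


def connect(chain_spkis, pins=PINNED_FOR_API):
    """Toy stand-in for the app's TLS verify callback; returns a short verdict string."""
    ok, _matched = verify_pinned_chain(chain_spkis, pins)
    return "connected" if ok else "TLS error: certificate does not match pin set"


if __name__ == "__main__":
    # Talking to the real server: the leaf key is pinned, so the handshake completes.
    print("direct :", connect([API_LEAF_SPKI]))
    # Through a proxy: the device may trust the proxy CA, but no key in its chain is pinned.
    print("proxied:", connect([PROXY_LEAF_SPKI, PROXY_CA_SPKI]))
```

The objection command described in this post works by hooking the verify callback so that this comparison never rejects the chain; for your own apps, the takeaway is that pinning is only as good as the code path that enforces it, and it should be paired with a backup pin and a rotation plan.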

On a jailbroken device, install and start frida-server, and install the Frida client tools on your laptop. There is no need to patch applications to embed the Frida gadget, as Frida can simply inject into a target process.

With everything installed, run frida-ps -Uia to list all of the processes on the device.

$ frida-ps -Uia
PID  Name              Identifier
---  ----------------  ---------------------------
  -  App Store         com.apple.AppStore
  -  Calendar          com.apple.mobilecal
  -  Camera            com.apple.camera

Great. That is all the information you need. Each of those identifiers is what objection refers to as a gadget. So, to “connect” to one of those apps, specify the identifier with the --gadget flag after you have launched the app on the device.

~ » objection --gadget "com.apple.AppStore" explore

     _     _         _   _
 ___| |_  |_|___ ___| |_|_|___ ___
| . | . | | | -_|  _|  _| | . |   |
|___|___|_| |___|___|_| |_|___|_|_|
        |___|(object)inject(ion)

     Runtime Mobile Exploration
        by: @leonjza from @sensepost

[tab] for command suggestions
com.apple.AppStore on (iPad: 8.1) [usb] # ios sslpinning disable

After injecting into the process, run ios sslpinning disable.

Objection should start reporting messages such as calling SSL_CTX_set_custom_verify(), setting custom callback, etc. At this point, just go back to the Proxy tab in Burp and view all of that previously secure communication 🙂

As always, stay safe. James xx

p.s. I’m led to believe you can build SSL Kill Switch 2 with a modification that has been sitting in the repo’s pull requests for two months and it will then work. Just use my guide, it’s much simpler!

p.p.s. Thanks for reading! Please Share this post with your friends and if you need cyber security advice and services for your business then talk to us now.

Most of the instructions above are from the Objection repo and written by Leon Jacobs.

How to Manipulate Riddle Votes

DISCLAIMER: Don’t do this!

Lots of websites like the BBC use riddle.com to poll their readers’ opinions. It doesn’t seem like Riddle creates a nonce or token for any new vote so it’s simple AF to game it. All you need is Chrome Dev Tools and a Bash terminal.

From today’s research I noticed a BBC page with a poll. The user could cast their opinion on a scale of -3 to 3 of whether they agree or not. So I opened Dev Tools and went to the Network tab. When I clicked on 3 I saw the two POST requests that the page made.

The body of the message we care about contains the riddleId which is the particular poll on the site, and the data which is the riddleId.sentiment.6 (6 is +3, or strongly agree).

I right-clicked the request and copied as cURL (bash):

I went to my Windows Terminal (which is awesome btw) and from my favourite DO droplet, in bash I started writing the for loop:

for i in {1..666}; do { *curl command here* ; } done

I’m not saying I pressed the return key but this WILL cast the vote 666 times, or however often you want.
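The root cause the post identifies is that nothing ties a vote to the form that was rendered, so the same request can simply be replayed. As an added example from the defender’s side (my own illustrative code, not Riddle’s), here is a minimal poll back-end that issues a single-use token when the widget loads and spends it on the first vote, so a replayed request is rejected, plus a per-client vote cap and a token lifetime. The poll id, client ids and timestamps are constructed; the sentiment index range 0–6 follows the page’s note that 6 means +3.

```python
import secrets
import time


class PollServer:
    """In-memory model of a poll back-end that binds every vote to a one-time token."""

    # Sentiment is sent as an index 0..6, where 6 is +3 (strongly agree).
    SENTIMENT_INDEXES = range(0, 7)

    def __init__(self, max_votes_per_client=1, token_ttl_seconds=600):
        self._tokens = {}           # token -> (riddle_id, client_id, issued_at)
        self._votes_by_client = {}  # (riddle_id, client_id) -> votes accepted so far
        self.tally = {}             # riddle_id -> {sentiment_index: count}
        self.max_votes_per_client = max_votes_per_client
        self.token_ttl = token_ttl_seconds

    def render_poll(self, riddle_id, client_id, now=None):
        """Called when the poll widget loads: returns a fresh token bound to this poll and client."""
        token = secrets.token_urlsafe(32)  # unguessable, so it cannot be forged offline
        issued_at = time.time() if now is None else now
        self._tokens[token] = (riddle_id, client_id, issued_at)
        return token

    def cast_vote(self, riddle_id, client_id, sentiment_index, token, now=None):
        """Handle one vote request. Returns (accepted, reason)."""
        now = time.time() if now is None else now

        # pop() spends the token: a second request carrying it finds nothing.
        record = self._tokens.pop(token, None)
        if record is None:
            return False, "unknown or already-used token"
        token_riddle, token_client, issued_at = record

        if token_riddle != riddle_id or token_client != client_id:
            return False, "token was not issued for this poll/client"
        if now - issued_at > self.token_ttl:
            return False, "token expired"
        if sentiment_index not in self.SENTIMENT_INDEXES:
            return False, "sentiment index out of range"

        key = (riddle_id, client_id)
        if self._votes_by_client.get(key, 0) >= self.max_votes_per_client:
            return False, "vote limit reached for this client"

        self._votes_by_client[key] = self._votes_by_client.get(key, 0) + 1
        counts = self.tally.setdefault(riddle_id, {})
        counts[sentiment_index] = counts.get(sentiment_index, 0) + 1
        return True, "accepted"


if __name__ == "__main__":
    server = PollServer()
    token = server.render_poll("poll-1", "client-a", now=1000)
    print(server.cast_vote("poll-1", "client-a", 6, token, now=1001))
    # The same request sent again (what a replay loop does) is rejected.
    print(server.cast_vote("poll-1", "client-a", 6, token, now=1001))
    print(server.tally)
```

The token alone only stops blind replay of a captured request; the per-client cap is what stops a script that re-renders the widget to fetch a fresh token each time, and in a real deployment the client identity would come from a session, not from a value the client chooses.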

As usual, stay home and stay safe. James xx

Digital Medical Device Security Assessments

Lately I’ve been heavily involved in assessments on a couple of different medical devices. I can’t lay down specifics on the types of device or the companies at the moment, but you can use your imagination. The devices are of the ‘smart’ genre and the end-user is a patient with health concerns.

These assessments have been really interesting. When we get down to the nitty-gritty, studying the docs with a fine-toothed comb, applying the knowledge we’ve gained from years of mobile app development and hardware curiosity, it’s really satisfying. We’ve done threat modelling exercises and full risk assessments of these devices, discovering issues with things like the proprietary software design approaches and with lack of tamper detection.

One of the most important parts of my work on the initial assessments has been the literature review, especially when FDA regulations are involved. I’ve found the details of exactly what is required to get the products through the FDA approval process.

Of course the initial assessments are succeeded by the BEST part, the penetration test! Pentesting smart medical devices in my experience involves attempts at dumping firmware – usually from Android hardware, sniffing traffic, dumping memory, and lots more exciting stuff. In the future I hope I can do a write-up and a conference talk on something juicy.

If you are developing an IoT device (it doesn’t have to be a medical device), you need a cybersecurity assessment: threat modelling, full risk assessment, regulatory compliance, and a pentest. Drop me an e-mail and let’s talk!

Stay safe during this pandemic. James xx