Search Security

Disable Carrier IQ on iPhone, iPad, & iPod touch

Dec 1, 2011 - 3 Comments

If you’ve been following the Carrier IQ brouhaha and ensuing fallout, you might be interested to know that it’s very easy to disable the Carrier IQ service, logging, and reporting on iPhone or any other iOS device:

  • Tap on “Settings”
  • Go to “General” and tap on “About”
  • Tap on “Diagnostics and Usage”
  • Tap on “Don’t Send”

If this was already disabled for battery saving purposes or whatever other reason, you should have nothing to worry about. If not, this should prevent Carrier IQ from sending any data over to Apple.

For some background here, Carrier IQ is network diagnostic software that some cellular carriers have been installing on smartphones and tablets. Going beyond just gathering network diagnostics, Carrier IQ was found on some Android phones to be gathering personal and private information, including phone call logs, text message content, and even encrypted web searches. Put simply, it’s a substantial invasion of personal privacy. Later, renowned iOS hacker chpwn found references to Carrier IQ in some versions of iOS, but it isn’t nearly as nefarious as what was discovered on Android, doesn’t track nearly as much personal information, and thankfully, it’s much easier to disable.

Keep in mind that Apple also told WSJ’s AllThingsD that they stopped supporting the feature in iOS 5 for most of their products, saying the following:

“We stopped supporting CarrierIQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.”

We should expect an update to iOS in the near future to address this on any remaining devices.

Secure Keyboard Entry Brings More Security to the Terminal in Mac OS X

Dec 1, 2011 - 2 Comments

If you are using a public Mac or are just concerned about things like keyloggers and other potentially unauthorized access to your keystrokes, you can enable a feature in the Mac OS X Terminal app that secures keyboard entry and input into the terminal. According to Apple, this feature “prevents other applications on your computer or the network from detecting and recording what is typed in into Terminal”, making it a good additional security measure when such precautions are needed. Enabling it is extremely easy:

  • Pull down the “Terminal” menu and select “Secure Keyboard Entry”

Using a personal Mac likely makes this an unnecessary precaution since the risk is very low, but it’s a helpful tip if you’re using another untrusted computer or in a situation where you’d be concerned about another application capturing keystrokes.

Be warned that enabling “Secure Keyboard Entry” will interfere with most password managers and anything else that attempts to automatically type and interact with the Terminal for you.

Monitor Network Connections in Mac OS X for Free with Private Eye

Oct 28, 2011 - 6 Comments

Private Eye is a free real-time network monitor app for Mac OS X 10.7+ that is extremely easy to use. Launching the app, you’ll start to see all open network connections, and you can then filter connections by app, monitor all open connections, or watch only incoming or outgoing transfer.

Connections are reported by application, the time of the connection, and arguably the most useful, the IP address that is being connected to by the app. If you have any interest in networking, security, or you just want to keep an eye on what apps are connecting to the internet and to where, you should download this app.

This is a simple yet powerful tool without the complexity or the learning curves related to compiling and using the command line tools lsof, watch, open_ports, or wireshark. Highly recommended.

Bypass the iPad 2’s Passcode & Lock Screen with a Magnet or Smart Cover

Oct 20, 2011 - 5 Comments

Well here’s a security flaw in iOS 5 that will quickly get patched: anyone with a magnet (or a Smart Cover) can bypass the iPad 2’s locked passcode screen and access whatever app was previously left open. The passcode bypass was discovered by 9to5mac, who recorded a video demonstrating the security breach (embedded below).

From a locked iPad 2:

  • Hold down the power button until the slider appears across the top
  • Close the iPad 2’s Smart Cover or swing a magnet over the magnetic points around the screen rim, then remove the Smart Cover or magnet
  • Click “Cancel” at the bottom of the lock screen

You’re now at the iOS 5 springboard, but the biggest security threat is when users have left an app open with sensitive data, since the lockscreen is bypassed directly to it. This could mean

Protection Against the iPad 2 Lock Screen Bypass:
For the time being, iPad 2 users are encouraged to disable the “Smart Cover unlocking” feature found in Settings > General.

Here’s the video showing the password bypass:

Quick Fix to Prevent dscl Unauthorized Password Changes in OS X Lion

Sep 21, 2011 - 11 Comments

We recently wrote about the dscl utility and how it allows a Mac OS X Lion user to change a password without knowing the existing password. The lack of required admin authentication has since been widely reported as a bug, and a small Security Update will likely be issued by Apple sometime in the near future. Nonetheless, if you’re paranoid about someone getting ahold of your Mac and changing the user password without authorization, you can manually change the permissions of the dscl utility yourself, forcing it to require administrative privileges in order to be run.

  • Launch Terminal (located at /Applications/Utilities/)
  • Type the following command and hit return:

    sudo chmod 100 /usr/bin/dscl

  • You will be asked for the current administrative password to confirm the permissions change; enter it and hit return

This is a simple permissions fix that likely mimics what an official security update will do. Running sudo chmod 100 sets the mode so that only the owner (root) is able to execute the dscl command, which effectively prevents other non-admin users from accessing the directory services utility without using the sudo command, and thus the administrator password.

There may be some unintended consequences of changing those permissions, but it’s unlikely to affect most users. If you do encounter some problems you can always change the permissions back, which look to be set as 755 by default.

A big thanks to “Tjb” who left this tip in the comments!

Update: Jim T left the following recommendation in the comments, suggesting another chmod command to change the permissions:

Instead, do this:

sudo chmod go-x /usr/bin/dscl

That will -only- remove the execute permission on group and other, leaving the other permissions (read & write, and root’s full permissions) completely as was before the change. To reverse, do:

sudo chmod go+x /usr/bin/dscl

Only touch the stuff you need to touch!

His reasoning is that chmod 100 is too restrictive in that it changes the command to execute only, whereas before the root user could read, write, and execute.
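
The difference between the two chmod forms above, as an added example that is not part of the original post: each is applied to a scratch file starting at the 755 mode the article reports, so /usr/bin/dscl itself is never touched. The helper names (mode_of, mode_after, group_other_can_exec) are hypothetical.

```shell
#!/bin/sh
# Added example: runs on scratch files only, never on /usr/bin/dscl.

# Print a file's octal permission bits (GNU stat first, BSD/macOS stat second).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a scratch file at START_MODE, apply CHMOD_SPEC, print the result.
mode_after() {   # usage: mode_after START_MODE CHMOD_SPEC
    f=$(mktemp) || return 1
    chmod "$1" "$f" && chmod "$2" "$f" && mode_of "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# Succeed (0) if group or other still hold an execute bit on FILE.
group_other_can_exec() {
    m=$(mode_of "$1") || return 2
    # Octal 011 masks the group-execute and other-execute bits.
    [ $(( 0$m & 011 )) -ne 0 ]
}

# 755 is the default mode the article reports for dscl.
echo "chmod 100  on 755 -> $(mode_after 755 100)"
echo "chmod go-x on 755 -> $(mode_after 755 go-x)"
echo "chmod go+x on 744 -> $(mode_after 744 go+x)"
```

After either fix has been applied, group_other_can_exec /usr/bin/dscl should fail, which makes it a quick check that the change is still in place after a system update.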

How Are Jailbreaks Found and How Do They Work? iOS Kernel Exploitation Presentation Gives the Technical Details

Sep 14, 2011 - 7 Comments

Renowned jailbreaker i0n1c, aka Stefan Esser, has put together a rather extensive presentation titled “iOS Kernel Exploitation” that explains exactly how jailbreaks work, ranging from how the exploits are found, how new code is injected into the iOS devices, how untethers work, and so much more. It was presented live at last month’s Black Hat security conference, but now the slides are freely available on the web for all to see.

The 97-slide presentation includes the following main topics and dives into very specific details:

  • Introduction
  • Kernel Debugging
  • Kernel Exploitation
  • Stack Buffer Overflows
  • Heap Buffer Overflows
  • Kernel patches from Jailbreaks

This is a fairly technical read with plenty of code samples, making it an extremely interesting look into the world of jailbreaking and iOS security. It’s pretty much a must read for anyone interested in security, development, iOS, Mac OS X, or just jailbreaking in general.

    Download the presentation slides in PDF format here (.pdf) or check out the embed below:

    FileVault 2 Benchmarks Show Full Disk Encryption is Faster Than Ever in OS X Lion

    Aug 10, 2011 - 8 Comments

    FileVault 2 is the all new disk encryption method that comes with Lion, and it’s more secure than ever, using XTS-AES 128 encryption on your entire disk, as opposed to just the user directory as in past versions. The other huge change that came with FileVault 2 is the significant performance boost, where using full disk encryption barely makes a dent on system performance.

    Just how fast is FileVault 2? See for yourself with these benchmark charts on a variety of SSD and traditional hard drive configurations.

    The 10 Most Common iPhone Passwords

    Jun 13, 2011 - 11 Comments

    Think you have a secure iPhone password? Check this list: you might be using one of the freakishly common passcodes out there, and if so, it’s time to change it. These were compiled by an iOS developer who anonymously captured the passwords through his app:

    • 1234
    • 0000
    • 2580
    • 1111
    • 5555
    • 5683
    • 0852
    • 2222
    • 1212
    • 1998

    If you find yours on this list, you should do yourself a favor and change it. Make your code unique enough that it’s more secure, just don’t make it so confusing that you forget it and have to reset the passcode – resetting means you’ll lose all the data on your iPhone.

    Another good security idea: set your iPhone to erase all data on 10 failed password attempts. What are the odds you’re going to enter your incorrect password 10 times in a row? Slim, even if you’re extremely inebriated.

    The common password list comes from an iOS developer who anonymously captured 204,508 passwords through the app called BigBrother Camera Security. The developer describes the problem of using one of the 4 digit codes from the above list:

    Formulaic passwords are never a good idea, yet 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000). The implication? A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock–even more if the intruder knows the users’ years of birth, relationship status, etc.

    Are you one of the 1/7 iPhones? I’ll admit, I used 0000 for a long time as my password. Not because I thought it was secure, but because it was a small barrier to prevent random gazers from creeping around my iPhone, yet easy enough that I could quickly bypass it.

    Disable Automatic Downloading of Malware Definitions List in Mac OS X

    Jun 1, 2011 - 3 Comments

    A recent anti-malware Mac OS X security update was released that defaults to automatically downloading and maintaining an active definitions list of known Mac OS X malware threats. This list comes from Apple and is likely a very small file that is transmitted to your Mac, imposing minimal bandwidth usage.

    For 99.99% of users, you should keep this option enabled and get the definition list automatically, since it helps secure your Mac.

    How to Opt-Out of the Updated Malware Definitions List in Mac OS X

    This is not recommended and could expose your Mac to security vulnerabilities. If for whatever reason you do not want to automatically download the daily updated Mac malware definitions list from Apple, it’s very easy to disable. After the Security Update is installed, do the following:

    • Launch System Preferences and click on the “Security” panel
    • Under the “General” tab deselect the checkbox next to “Automatically update safe downloads list” – note this may leave you vulnerable to future variations of malware

    Some of you are probably wondering why anyone would want to opt out of receiving the definition list. Maybe it’s to test the effects of malware on a crash box, maybe you have limited bandwidth or connectivity options and don’t want to use any unnecessary data, maybe you don’t like automatic communications with the outside world, maybe you don’t care about malware at all because it’s really not that big of a problem, who knows.

    Again, this is not recommended to opt out of unless you know what you’re doing, but it’s nice to know you have the option to if necessary.

    Mac OS X Security Update Removes MacDefender Malware & Maintains Anti-Malware Definitions List

    May 31, 2011 - 4 Comments

    Apple has released a Mac OS X software update labeled “Security Update 2011-003” for Mac OS X 10.6.7 that includes a native malware removal tool.

    The focus of the update is on the MacDefender malware scam and its variants, now referred to as “OSX.MacDefender.A”. Once the update is installed your Mac will be scanned for instances of the malware, which will then be removed and prevented from running. Thereafter, a list of variants will be updated daily by Apple automatically, and if you encounter MacDefender or a variation of it, you will get a dialog warning you to move the afflicted file to the Trash.

    Download Anti-Malware Security Update 2011-003

    You have two options to get the anti-MacDefender update:

    Apple recommends all Snow Leopard users install the security update, and it does not require a restart to install unless an infection is found. An abbreviated description of the update is as follows:

    Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files.

    Even without this software update MacDefender is easy to remove and avoid completely. Furthermore, release notes in the latest Mac OS X 10.6.8 developer build indicate that the malware protection will also be baked into the upcoming 10.6.8 update.

    You can read more about this update on Apple’s Support page.