princeton macintosh users groupsecure your iphone touchid - set up ... - photos via icloud library...

iOS Security

Princeton Macintosh Users Group June 13, 2017

Mike Inskeep Gentle Computer Helpers

https://www.gentlehelpers.com mike<at>gentlehelpers<dot>com

610 742 3927

Gentle Computer Helpers6/13/2017

Secure Your iPhone

About Mike

• Certified Support Pro

• Supported all things Apple for 25 years - Director of Microcomputer Support,

U Penn’s School of Arts & Sciences - Technology Teacher and Coordinator,

Friends School Haverford - Gentle Computer Helpers since 1999


Secure Your iPhone

This Is A *Brief Introduction*

• Quick and easy things you can do to make your iDevice more secure

• Principles of securing your iDevice

• For more, see Apple’s iOS Security Guide:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf




Secure Your iPhone

Principles of Digital Security

• Establish layers of security

• Minimize your attack surface

• Use strong authentication

• Limit permissions

• Robust, redundant data storage

• Pay for what you use


Secure Your iPhone

Layers (Walls) of Security

• Cellular, Wi-Fi and Bluetooth

• Hardware

• iOS

• Apps

• Apple ID


Secure Your iPhone

Minimize Attack Surface (Doors)

• Enable only what you need or want.

• Disable (don’t install) what you don’t.

• Keep hardware, software up-to-date.


Secure Your iPhone

Strong Authentication (Lock Doors)

• Passcodes, Passwords

• Information used to verify your identity (security questions, birthday)

• Trust token (device, app)

• Trusted communication channel to reset


Secure Your iPhone

Basic Approach to Security

Identify threats -> how to prevent

• Change set up: hardware, apps, settings

• Change standard operating procedures

• Slow down, attend in risky situations

• Plan for worst-case scenarios


Secure Your iPhone

Wireless Communications

• Cellular service

• Wi-Fi networks

• Bluetooth


Secure Your iPhone

Your Phone Number Could Be Hijacked

• To make scam telephone calls

• To impersonate you when calling financial institutions, government agencies or stores

• To break 2-factor authentication

• To impersonate you and take over your online accounts or steal your identity


Secure Your iPhone

Phone Numbers Work on Other Devices

https://newsroom.t-mobile.com/news-and-blogs/digits-launch.htm

T-Mobile COO Mike Sievert




Secure Your iPhone

Protect Your Cellular Number

• Set a unique PIN for customer service

• Create a strong, unique password for access to your online cellular account

• Lock your phone number to your iDevice SIM card


Secure Your iPhone

Public Wi-Fi Is Not Secure

https://wifipineapple.com

https://wifipineapple.com


Secure Your iPhone

Impersonates Wi-Fi Networks

http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html




Secure Your iPhone

How The Wifi Pineapple Snoops





Secure Your iPhone

Public WiFi Remedies

Three alternatives:

• Turn off WiFi when leave trusted location

• Use WiFi for only non-private activities

• Use a virtual private network (VPN)

• Use cellular service instead


Secure Your iPhone

Turn Off Wi-Fi

• Put a note with your keys

• Set a location-based reminder

Gentle Computer Helpers Secure Your Mac 2017

Relatively Safe Use of Public Wi-Fi

• Compose or edit content

• View media (written, audio, video)

• Surf websites to read or view

-> Check SSID (network) you connect to


Unless VPN Is On, Do NOT

• Check email (unless SSL on)

• View sensitive or private cloud data

• Sign into accounts

• Make purchases


Secure Your iPhone

VPN Protects You

Virtual Private Network: • Encrypts your communications. • Verifies the identity of your host. • Cloaks your location.


Subscribe to VPN

• Protects against Man-in-the Middle attack - Rogue WiFi access points - ISP monitoring

• For reviews of VPN services, see:

- https://thatoneprivacysite.net

- https://www.pcmag.com/article2/0,2817,2403388,00.asp

• Expect to pay $40-80/year

https://thatoneprivacysite.net

https://www.pcmag.com/article2/0,2817,2403388,00.asp

https://www.pcmag.com/article2/0,2817,2403388,00.asp


Secure Your iPhone

Bluetooth

• When it’s on, it’s a door into your iDevice.

• Turn it off when you’re not using it.


Secure Your iPhone

Wireless Communications

• Secure your telephone number

• Use a VPN on public Wi-Fi networks (if not all the time!) or use cellular

• Turn off Bluetooth when not using it


Secure Your iPhone

Hardware

• Keep it up-to-date.

• Get a case for it.

• Keep it in your possession.

• Set a strong passcode.

• Lockdown the Lockscreen.

• Be prepared if it’s lost or stolen.


Secure Your iPhone

Use iDevices Apple Supports

• Include improved security components - Touch ID sensor, “secure enclave” - NFC antenna, “secure element” for

Apple Pay

• Can install the latest version of iOS - patches security vulnerabilities - includes features that improve security,

e.g. native encryption of APFS


Secure Your iPhone

Security Content of iOS 10.3.2

“Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation”

• Can’t install iOS 10.3.2 on earlier iDevices

• 55 vulnerabilities patched in iOS 10.3.2

https://support.apple.com/en-us/HT207798



Secure Your iPhone

Can’t Secure Vintage iDevices

It is not possible to protect iDevices which can’t install the current version of iOS from known attacks.


Secure Your iPhone

Hardware Threats

• Physical damage

• Stolen or lost


Secure Your iPhone

Protect Hardware

• Get a good case

• Strong passcode (and Touch ID)

• Lockdown the lock screen

• Loss/theft plan


Secure Your iPhone

Get A Protective Case

• Dramatically reduces the risk of physical damage.

• Highly protective cases aren’t more unattractive, bulky or expensive.

• For comprehensive, unbiased reviews and comparisons, see:

https://www.mobilereviews-eh.ca

https://www.mobilereviews-eh.ca


Secure Your iPhone

iOS Passcode

• Essential protection whenever iDevice not in your possession.

• Encrypts data so can’t be read.

• Write it down, store in password manager.

• Give it to executor.


Secure Your iPhone

Poor Passcodes

• Many pick a poor passcode:

http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes

Don’t use: • Sequence of numbers (0000, 123456) • Dates (1948, 011998) • Numbers corresponding to words (5368 =

LOVE) • A geometric pattern (1397, 147852) • Only four digits




iPhone Security

Generate a Random Passcode

• Go to: https://www.random.org/integers

https://www.random.org/integers


Secure Your iPhone

TouchID - Pros & Cons

• Must still remember the passcode!

• More convenient, faster.

• Harder to steal (peeking or surveillance cameras don’t work).

• Easier to compel entry (physically and legally).


Secure Your iPhone

Other Touch ID Uses

• Approve purchases from iTunes, App Store, iBooks (instead of your Apple ID password)

• Apple Pay

• Authenticate apps, e.g. 1Password


Secure Your iPhone

TouchID - Set Up

• Use 3rd or 4th finger of the hand you don’t usually use to tap icons

• To increase reliability, create several fingerprints of that single finger in slightly different positions


Secure Your iPhone

Lockdown the Lock Screen

Settings > Touch ID & Passcode

• Disable (nearly) all access when locked

• Enable Erase Data to automatically wipe it after 10 failed passcode attempts

Settings > General > Auto-Lock > 1 Minute


Secure Your iPhone

Prepare for Lost or Stolen iDevice

• Record model, serial #, IMEI #

• Enable Find My iPhone

• Enable erase data after 10 passcode fails

• Keep a list of accounts using the iDevice for 2-Factor Authentication, with rescue codes

• Practice finding using Find My iPhone app and icloud.com

http://icloud.com


Secure Your iPhone

Find my iPhone

Protects you if your iDevice is misplaced, lost or stolen:

• Locate it on a map.

• Play a sound from your iDevice.

• Display a message on the lock screen.

• Remotely lock it and erase your data.

You’ll need your Apple ID and password to unlock and restore your apps, data.


Secure Your iPhone

Lost or Stolen Procedure

1. Try locating using icloud.com.

2. If nearby, play sound to help locate.

3. Turn on lost mode. Lock it with a passcode that you write down. IF ERASED, IT’S NO LONGER TRACKABLE.

4. Report to police, AppleCare 800-275-2273, cellular provider.

5. Change device for 2-Factor Authentication.

http://iCloud.com


Secure Your iPhone

If Stolen, Beware of Phishing

• Criminals attempt to steal your Apple ID credentials to recover device’s functionality.

• If you receive a text or email claiming to be from Apple, DO NOT RESPOND!

• Call AppleCare 800-275-2273

https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/





Secure Your iPhone

Threats to Your Data

• Hardware damage, failure, or loss

• Switching to another device

• Update fails

• Software corruption


Secure Your iPhone

Robust, Redundant Data Storage

• Backup to iCloud or computer via iTunes.

• Sync data to iCloud, other services.


Secure Your iPhone

Backup To Computer Via iTunes

• Apple cannot access • Enable Encrypt backup to copy all data • Use same password as your Apple ID

password to make it easy to remember)

For more info and directions go to: https://support.apple.com/en-us/HT203977



iPhone Security

Backup Via WiFi to iCloud

• To set up: - iTunes >

• To Initiate Daily Backup - Plug in to power - Connect to Wi-Fi - Lock the screen

For more info and directions go to: https://support.apple.com/en-us/HT203977



iCloud Sync

• Files/folders between Mac(s) and iCloud disk - Desktop and Documents - Files for iCloud enabled applications - Photos via iCloud Library or Photo Stream - Music via Apple Music

• Contacts, Calendars, Reminders, Notes, Safari Bookmarks

• Keychain secrets


iCloud Sync Characteristics

• Like backup, duplicates data

• But sync goes both ways

• Accessible via icloud.com

• Syncs between Macs, iPhones, iPads

• No versioning

http://icloud.com


Secure Your iPhone

Wipe iPhone Before Return, Repair, Resale

1. Back up. (To ensure you don’t lose data…)

2. Remove as a trusted device - Apple ID - Accounts using 2-Step Authentication

3. Then wipe: Settings > General > Reset > Erase all content and settings

• Erases cryptographic keys, making all user data on the device inaccessible.


Secure Your iPhone

Keep iOS Up-To-Date

Why?

• Fixes bugs (things that don’t work due to programming errors)

• Addresses security vulnerabilities

Let’s look at some security vulnerabilities iOS 10.3.2 fixed…


Secure Your iPhone

The Security Content of iOS 10.3.2

Apple maintains a list of recent security updates with links to their content here:


The security content of iOS 10.3.2 is here:


• Each entry lists the CVE ID = the Common Vulnerabilities and Exposures ID




Secure Your iPhone

Cross Site Scripting

• WebKit

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.

CVE-2017-2504 : lokihardt of Google Project Zero


Secure Your iPhone

CVE-2-17-2404 Listing

National Institute of Standard & Technology Computer Security Resource Center National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2017-2404

“iOS before 10.3 is affected. The issue involves the ‘Quick Look’ component. It allows remote attackers to trigger telephone call to arbitrary numbers via a tel:URL in a PDF document as exploited in the wild in October 2016.”

https://nvd.nist.gov/vuln/detail/CVE-2017-2404


Secure Your iPhone

Vulnerabilities Addressed by iOS 10.3.2

Web content may execute arbitrary code 22Web content may lead to cross site scripting 4Application may execute arbitrary code 10App may execute code with root/kernel privileges 3Application may gain kernel privileges 8Application may cause denial of service 2Others 6 Total 55


Secure Your iPhone

Why Update Quickly?

• Some vulnerabilities may already be exploited

• Once Apple issues an update, the vulnerabilities are public.

• Malicious individuals or organizations can determine what Apple fixed.

• They can develop exploits to attack devices which are not yet updated.


Secure Your iPhone

How Soon is Quickly?

• Install incremental updates (e.g. 10.3.x) immediately — at least within 2 days

• For major releases (iOS 10 -> iOS 11), I still recommend you upgrade immediately

• If you want to be cautious, wait several days, then search for others’ experience

-> Backup before upgrading!


Secure Your iPhone

Make Update Alerts Visible

• Place Settings, App Store icons on Home Screen.

• Red circles with numbers on icons indicate available updates.


iPhone Security

Install Only Apps You Need/Want

• Each app is a door into your iPhone

• You must trust the developer

- Does only what they claim

- Well-written code

• Vet before installing

• Pay for good apps


Secure Your iPhone

Read App Reviews Before You Buy

Search the Internet: • “app name” or “type of app” iOS review • Look for reviews in MacWorld, Mac|Life,

CNet, Lifehacker, PC Magazine, etc.

iTunes reviews • Read bad and good


Secure Your iPhone

Check App Privacy, Settings

• If a new app asks to access contacts or other data, decline if you don’t need it.

• Once new app installed, check settings: Settings > Privacy > Location Services Settings > Privacy > Each built-in app Settings > [new app name]


Secure Your iPhone

Maintain Apps

Keep apps up-to-date • Fixes bugs, plugs security vulnerabilities • Place App Store icon on home screen

Delete unused apps • Each installed app makes you more

vulnerable


iPhone Security

No Anti-Virus Apps for iDevices!

• iOS is locked down so they wouldn’t work.

• Waste of money or worse!

• Most iOS “security” apps merely duplicate Find My iPhone functionality.


Secure Your iPhone

An iPad User


Secure Your iPhone

Her Password Manger


Secure Your iPhone

Her Credentials

• User Names similar to: m1ddleage

• Passwords similar to: s1LlibR0unee

• Security Questions similar to: First Car? a blue unaSSembledVW sedan


Secure Your iPhone

What’s Good

• Unique passwords for each site.

• Passwords not words with numbers and/or special characters before or after.

• Password of moderate length (~12 chars)

• Security question answer long (26 chars)


Secure Your iPhone

What Could Be Better

Passwords • Longer • Random characters • More special characters • Easier to enter

Security question answers • Unrelated to the question • Or even better -> random characters

Could be lost or stolen • Easily read by others • No back up


Secure Your iPhone

Password Manager

• Can generate truly random passwords, user names, answers, etc.

• Can save passwords of any length.

• Built-in web browser.

• Can copy and paste in passwords.

• Automatically backs up and syncs with other devices.

• Can’t be read or used without master password.


Secure Your iPhone

Why Not iCloud Keychain?

• Once you open iDevice, it’s active; not password or Touch ID protected.

• Stores only user names, passwords, credit card info (except CCV).

• Easy - automatically fills in


Secure Your iPhone

1Password

• Beautiful, clear, easy-to-use interface.

• Data encrypted on devices and in iCloud.

• Apps for iPhone, iPad, Mac, Windows.

• Can unlock with Touch ID!

• Good security track record.

-> Buy from App Store so syncs via iCloud.


Secure Your iPhone

Safer Web Browsing

• Safari

• Onion Browser (more privacy, but slower)

• 1Password (more security)

• Do NOT install a browser to view Flash (Flash is a security disaster!)

• Do install an ad blocker.


Secure Your iPhone

Use 1Blocker with Safari

• Blocks malware, malicious content delivered via ads.

• Privacy from tracking scripts.

• Will reduce data downloaded so pages load faster, battery lasts longer.

• Do NOT use Ad Block.

http://1blocker.com

http://1blocker.com


Secure Your iPhone

Use 1Password for Secure Browsing

• Any site where you need to sign in.

• Has its own built-in browser.

• Stores site addresses, user names, passwords, etc.


Secure Your iPhone

Monitor URL Bar

• Make sure the address shown matches your intended destination.

• Padlock indicates a secure connection. Only sign in, make purchases when displayed:


Surge of Phishing Emails

• With attachments: fake installers, Word documents, PDFs

• With links to malicious webpages

• With malicious JavaScript


Review Email Deliberately

-> Slow down, pay attention

• Tap on sender’s name to confirm email address


Secure Your iPhone

Links in Email

Confirm link address matches text by tapping and holding lightly on the link:


Secure Your iPhone

Be Skeptical of Email Attachments

• Not requested? Not expecting it?

-> Forward the message to the sender asking if they sent it. Do not use reply.

• Be especially leery of files ending in .zip, .doc, .docx, .xls, .xlsx, .ppt, .pptx


Secure Your iPhone

iOS makes you MORE secure!

1. Enter credit card in Wallet app.

2. Check for Wireless Pay or Pay.

3. Hold iPhone near terminal.

4. Place finger for Touch ID.

Apple Pay


Secure Your iPhone

Pay Terminal


Secure Your iPhone

iPhone Pay Screen


Secure Your iPhone

iCloud Account Compromised


Secure Your iPhone

Apple ID Account Vulnerabilities

“certain celebrity accounts were compro-mised by a very targeted attack on user names, passwords and security questions”

- Apple Media Advisory, Sept. 2, 2014

https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html




Secure Your iPhone

Apple ID Account

How your account is identified and verified: • Apple ID • Password • Birthday • Security questions • Rescue email • Trusted device (2-step authentication)

We need strategies to protect them.


Secure Your iPhone

Online Diceware Generator

• Go to this site to generate a diceware password (3-4 unrelated words):

https://entima.net/diceware/

• Add a capital letter or two in the middle of a word

• Add a special character or two in the middle of a word

https://entima.net/diceware/


Secure Your iPhone

Birthday, Security Questions

• Give wrong answers!

• For answers to security questions, use random unrelated words.

• Store in password manager.


Secure Your iPhone

2-Step Authentication

• Links a trusted device (iPhone, iPad, Mac) to your Apple ID.

• When you sign in for the first time from a new device, you must enter password and 6-digit code sent to the trusted device.

• Even if someone gets your password, they can’t take over your Apple ID.

• Replaces security questions.


Secure Your iPhone

2-Step Authentication in Action


Secure Your iPhone

More on 2-Step Authentication

Get more info and instructions from Apple:




Secure Your iPhone

No Phone While Driving

• Can’t control the vehicle while fiddling with your device.

• Hands-free “cell-phone drivers exhibited greater impairment than intoxicated drivers.”

http://psych.utah.edu/lab/appliedcognition/

http://psych.utah.edu/lab/appliedcognition/


Secure Your iPhone

Pedestrians, Too!

• Distracted pedestrians get injured.

• Stop in a safe location to talk on your cell phone.


Secure Your iPhone

Apple’s iOS Security Guide

• Authoritative reference for iOS 10

• Updated in March 2017

• Available at:


