iOS Security
Princeton Macintosh Users Group June 13, 2017
Mike Inskeep Gentle Computer Helpers
https://www.gentlehelpers.com mike<at>gentlehelpers<dot>com
610 742 3927
Gentle Computer Helpers6/13/2017
Secure Your iPhone
About Mike
• Certified Support Pro
• Supported all things Apple for 25 years
- Director of Microcomputer Support, U Penn’s School of Arts & Sciences
- Technology Teacher and Coordinator, Friends School Haverford
- Gentle Computer Helpers since 1999
This Is A *Brief Introduction*
• Quick and easy things you can do to make your iDevice more secure
• Principles of securing your iDevice
• For more, see Apple’s iOS Security Guide:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf
Principles of Digital Security
• Establish layers of security
• Minimize your attack surface
• Use strong authentication
• Limit permissions
• Robust, redundant data storage
• Pay for what you use
Layers (Walls) of Security
• Cellular, Wi-Fi and Bluetooth
• Hardware
• iOS
• Apps
• Apple ID
Minimize Attack Surface (Doors)
• Enable only what you need or want.
• Disable (don’t install) what you don’t.
• Keep hardware, software up-to-date.
Strong Authentication (Lock Doors)
• Passcodes, Passwords
• Information used to verify your identity (security questions, birthday)
• Trust token (device, app)
• Trusted communication channel to reset
Basic Approach to Security
Identify threats -> how to prevent
• Change set up: hardware, apps, settings
• Change standard operating procedures
• Slow down, attend in risky situations
• Plan for worst-case scenarios
Wireless Communications
• Cellular service
• Wi-Fi networks
• Bluetooth
Your Phone Number Could Be Hijacked
• To make scam telephone calls
• To impersonate you when calling financial institutions, government agencies or stores
• To break 2-factor authentication
• To impersonate you and take over your online accounts or steal your identity
Phone Numbers Work on Other Devices
https://newsroom.t-mobile.com/news-and-blogs/digits-launch.htm
T-Mobile COO Mike Sievert
Protect Your Cellular Number
• Set a unique PIN for customer service
• Create a strong, unique password for access to your online cellular account
• Lock your phone number to your iDevice SIM card
Public Wi-Fi Is Not Secure
https://wifipineapple.com
Impersonates Wi-Fi Networks
http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html
How The Wifi Pineapple Snoops
http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html
Public WiFi Remedies
Three alternatives:
• Turn off WiFi when you leave a trusted location
• Use WiFi for only non-private activities
• Use a virtual private network (VPN)
• Use cellular service instead
Turn Off Wi-Fi
• Put a note with your keys
• Set a location-based reminder
Relatively Safe Use of Public Wi-Fi
• Compose or edit content
• View media (written, audio, video)
• Surf websites to read or view
-> Check SSID (network) you connect to
Unless VPN Is On, Do NOT
• Check email (unless SSL on)
• View sensitive or private cloud data
• Sign into accounts
• Make purchases
VPN Protects You
Virtual Private Network:
• Encrypts your communications.
• Verifies the identity of your host.
• Cloaks your location.
Subscribe to VPN
• Protects against Man-in-the-Middle attack
- Rogue WiFi access points
- ISP monitoring
• For reviews of VPN services, see:
- https://thatoneprivacysite.net
- https://www.pcmag.com/article2/0,2817,2403388,00.asp
• Expect to pay $40-80/year
Bluetooth
• When it’s on, it’s a door into your iDevice.
• Turn it off when you’re not using it.
Wireless Communications
• Secure your telephone number
• Use a VPN on public Wi-Fi networks (if not all the time!) or use cellular
• Turn off Bluetooth when not using it
Hardware
• Keep it up-to-date.
• Get a case for it.
• Keep it in your possession.
• Set a strong passcode.
• Lockdown the Lockscreen.
• Be prepared if it’s lost or stolen.
Use iDevices Apple Supports
• Include improved security components
- Touch ID sensor, “secure enclave”
- NFC antenna, “secure element” for Apple Pay
• Can install the latest version of iOS
- patches security vulnerabilities
- includes features that improve security, e.g. native encryption of APFS
Security Content of iOS 10.3.2
“Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation”
• Can’t install iOS 10.3.2 on earlier iDevices
• 55 vulnerabilities patched in iOS 10.3.2
https://support.apple.com/en-us/HT207798
Can’t Secure Vintage iDevices
It is not possible to protect iDevices which can’t install the current version of iOS from known attacks.
Hardware Threats
• Physical damage
• Stolen or lost
Protect Hardware
• Get a good case
• Strong passcode (and Touch ID)
• Lockdown the lock screen
• Loss/theft plan
Get A Protective Case
• Dramatically reduces the risk of physical damage.
• Highly protective cases aren’t more unattractive, bulky or expensive.
• For comprehensive, unbiased reviews and comparisons, see:
https://www.mobilereviews-eh.ca
iOS Passcode
• Essential protection whenever your iDevice is not in your possession.
• Encrypts data so it can’t be read.
• Write it down and store it in a password manager.
• Give it to your executor.
Poor Passcodes
• Many pick a poor passcode:
http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes
Don’t use:
• Sequence of numbers (0000, 123456)
• Dates (1948, 011998)
• Numbers corresponding to words (5368 = LOVE)
• A geometric pattern (1397, 147852)
• Only four digits
Generate a Random Passcode
• Go to: https://www.random.org/integers
TouchID - Pros & Cons
• Must still remember the passcode!
• More convenient, faster.
• Harder to steal (peeking or surveillance cameras don’t work).
• Easier to compel entry (physically and legally).
Other Touch ID Uses
• Approve purchases from iTunes, App Store, iBooks (instead of your Apple ID password)
• Apple Pay
• Authenticate apps, e.g. 1Password
TouchID - Set Up
• Use 3rd or 4th finger of the hand you don’t usually use to tap icons
• To increase reliability, create several fingerprints of that single finger in slightly different positions
Lockdown the Lock Screen
Settings > Touch ID & Passcode
• Disable (nearly) all access when locked
• Enable Erase Data to automatically wipe it after 10 failed passcode attempts
Settings > General > Auto-Lock > 1 Minute
Prepare for Lost or Stolen iDevice
• Record model, serial #, IMEI #
• Enable Find My iPhone
• Enable erase data after 10 passcode fails
• Keep a list of accounts using the iDevice for 2-Factor Authentication, with rescue codes
• Practice finding using Find My iPhone app and icloud.com
Find my iPhone
Protects you if your iDevice is misplaced, lost or stolen:
• Locate it on a map.
• Play a sound from your iDevice.
• Display a message on the lock screen.
• Remotely lock it and erase your data.
You’ll need your Apple ID and password to unlock and restore your apps, data.
Lost or Stolen Procedure
1. Try locating using icloud.com.
2. If nearby, play sound to help locate.
3. Turn on lost mode. Lock it with a passcode that you write down. IF ERASED, IT’S NO LONGER TRACKABLE.
4. Report to police, AppleCare 800-275-2273, cellular provider.
5. Change device for 2-Factor Authentication.
If Stolen, Beware of Phishing
• Criminals attempt to steal your Apple ID credentials to recover device’s functionality.
• If you receive a text or email claiming to be from Apple, DO NOT RESPOND!
• Call AppleCare 800-275-2273
https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/
Threats to Your Data
• Hardware damage, failure, or loss
• Switching to another device
• Update fails
• Software corruption
Robust, Redundant Data Storage
• Backup to iCloud or computer via iTunes.
• Sync data to iCloud, other services.
Backup To Computer Via iTunes
• Apple cannot access
• Enable Encrypt backup to copy all data
• Use same password as your Apple ID password (to make it easy to remember)
For more info and directions go to: https://support.apple.com/en-us/HT203977
Backup Via WiFi to iCloud
• To set up: - iTunes >
• To initiate daily backup
- Plug in to power
- Connect to Wi-Fi
- Lock the screen
For more info and directions go to: https://support.apple.com/en-us/HT203977
iCloud Sync
• Files/folders between Mac(s) and iCloud disk
- Desktop and Documents
- Files for iCloud enabled applications
- Photos via iCloud Library or Photo Stream
- Music via Apple Music
• Contacts, Calendars, Reminders, Notes, Safari Bookmarks
• Keychain secrets
iCloud Sync Characteristics
• Like backup, duplicates data
• But sync goes both ways
• Accessible via icloud.com
• Syncs between Macs, iPhones, iPads
• No versioning
Wipe iPhone Before Return, Repair, Resale
1. Back up. (To ensure you don’t lose data…)
2. Remove as a trusted device
- Apple ID
- Accounts using 2-Step Authentication
3. Then wipe: Settings > General > Reset > Erase all content and settings
• Erases cryptographic keys, making all user data on the device inaccessible.
Keep iOS Up-To-Date
Why?
• Fixes bugs (things that don’t work due to programming errors)
• Addresses security vulnerabilities
Let’s look at some security vulnerabilities iOS 10.3.2 fixed…
The Security Content of iOS 10.3.2
Apple maintains a list of recent security updates with links to their content here:
https://support.apple.com/en-us/HT201222
The security content of iOS 10.3.2 is here:
https://support.apple.com/en-us/HT207798
• Each entry lists the CVE ID = the Common Vulnerabilities and Exposures ID
Cross Site Scripting
• WebKit
Impact: Processing maliciously crafted web content may lead to universal cross site scripting
Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.
CVE-2017-2504 : lokihardt of Google Project Zero
CVE-2017-2404 Listing
National Institute of Standards & Technology, Computer Security Resource Center, National Vulnerability Database
https://nvd.nist.gov/vuln/detail/CVE-2017-2404
“iOS before 10.3 is affected. The issue involves the ‘Quick Look’ component. It allows remote attackers to trigger telephone call to arbitrary numbers via a tel:URL in a PDF document as exploited in the wild in October 2016.”
Vulnerabilities Addressed by iOS 10.3.2
Web content may execute arbitrary code: 22
Web content may lead to cross site scripting: 4
Application may execute arbitrary code: 10
App may execute code with root/kernel privileges: 3
Application may gain kernel privileges: 8
Application may cause denial of service: 2
Others: 6
Total: 55
Why Update Quickly?
• Some vulnerabilities may already be exploited
• Once Apple issues an update, the vulnerabilities are public.
• Malicious individuals or organizations can determine what Apple fixed.
• They can develop exploits to attack devices which are not yet updated.
How Soon is Quickly?
• Install incremental updates (e.g. 10.3.x) immediately — at least within 2 days
• For major releases (iOS 10 -> iOS 11), I still recommend you upgrade immediately
• If you want to be cautious, wait several days, then search for others’ experience
-> Backup before upgrading!
Make Update Alerts Visible
• Place Settings, App Store icons on Home Screen.
• Red circles with numbers on icons indicate available updates.
Install Only Apps You Need/Want
• Each app is a door into your iPhone
• You must trust the developer
- Does only what they claim
- Well-written code
• Vet before installing
• Pay for good apps
Read App Reviews Before You Buy
Search the Internet:
• “app name” or “type of app” iOS review
• Look for reviews in MacWorld, Mac|Life, CNet, Lifehacker, PC Magazine, etc.
iTunes reviews:
• Read bad and good
Check App Privacy, Settings
• If a new app asks to access contacts or other data, decline if you don’t need it.
• Once a new app is installed, check its settings:
Settings > Privacy > Location Services
Settings > Privacy > [each built-in app]
Settings > [new app name]
Maintain Apps
Keep apps up-to-date
• Fixes bugs, plugs security vulnerabilities
• Place App Store icon on home screen
Delete unused apps
• Each installed app makes you more vulnerable
No Anti-Virus Apps for iDevices!
• iOS is locked down so they wouldn’t work.
• Waste of money or worse!
• Most iOS “security” apps merely duplicate Find My iPhone functionality.
An iPad User
Her Password Manager
Her Credentials
• User Names similar to: m1ddleage
• Passwords similar to: s1LlibR0unee
• Security Questions similar to: First Car? a blue unaSSembledVW sedan
What’s Good
• Unique passwords for each site.
• Passwords not words with numbers and/or special characters before or after.
• Password of moderate length (~12 chars)
• Security question answer long (26 chars)
What Could Be Better
Passwords
• Longer
• Random characters
• More special characters
• Easier to enter
Security question answers
• Unrelated to the question
• Or even better -> random characters
Could be lost or stolen
• Easily read by others
• No back up
Password Manager
• Can generate truly random passwords, user names, answers, etc.
• Can save passwords of any length.
• Built-in web browser.
• Can copy and paste in passwords.
• Automatically backs up and syncs with other devices.
• Can’t be read or used without master password.
Why Not iCloud Keychain?
• Once you unlock the iDevice, it’s active; not password or Touch ID protected.
• Stores only user names, passwords, credit card info (except CCV).
• Easy - automatically fills in
1Password
• Beautiful, clear, easy-to-use interface.
• Data encrypted on devices and in iCloud.
• Apps for iPhone, iPad, Mac, Windows.
• Can unlock with Touch ID!
• Good security track record.
-> Buy from App Store so syncs via iCloud.
Safer Web Browsing
• Safari
• Onion Browser (more privacy, but slower)
• 1Password (more security)
• Do NOT install a browser to view Flash (Flash is a security disaster!)
• Do install an ad blocker.
Use 1Blocker with Safari
• Blocks malware, malicious content delivered via ads.
• Privacy from tracking scripts.
• Will reduce data downloaded so pages load faster, battery lasts longer.
• Do NOT use Ad Block.
http://1blocker.com
Use 1Password for Secure Browsing
• Any site where you need to sign in.
• Has its own built-in browser.
• Stores site addresses, user names, passwords, etc.
Monitor URL Bar
• Make sure the address shown matches your intended destination.
• Padlock indicates a secure connection. Only sign in, make purchases when displayed:
Surge of Phishing Emails
• With attachments: fake installers, Word documents, PDFs
• With links to malicious webpages
• With malicious JavaScript
Review Email Deliberately
-> Slow down, pay attention
• Tap on sender’s name to confirm email address
Links in Email
Confirm link address matches text by tapping and holding lightly on the link:
Be Skeptical of Email Attachments
• Not requested? Not expecting it?
-> Forward the message to the sender asking if they sent it. Do not use reply.
• Be especially leery of files ending in .zip, .doc, .docx, .xls, .xlsx, .ppt, .pptx
iOS makes you MORE secure!
1. Enter credit card in Wallet app.
2. Check for Wireless Pay or Pay.
3. Hold iPhone near terminal.
4. Place finger for Touch ID.
Apple Pay
Pay Terminal
iPhone Pay Screen
iCloud Account Compromised
Apple ID Account Vulnerabilities
“certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions”
- Apple Media Advisory, Sept. 2, 2014
https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
Apple ID Account
How your account is identified and verified:
• Apple ID
• Password
• Birthday
• Security questions
• Rescue email
• Trusted device (2-step authentication)
We need strategies to protect them.
Online Diceware Generator
• Go to this site to generate a diceware password (3-4 unrelated words):
https://entima.net/diceware/
• Add a capital letter or two in the middle of a word
• Add a special character or two in the middle of a word
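As an added example (not the presentation’s or entima.net’s code), the following Python builds a Diceware-style passphrase and then applies the two tweaks above: a capital letter and a special character inserted inside a word. The 36-word list keyed by two dice is a constructed stand-in for the real 7776-word list keyed by five dice; the hyphen separator and the rule of never altering a word’s first or last letter are assumptions.

```python
# Added example: Diceware-style passphrase with the slide's two tweaks.  The 36-word
# list and two-dice key are a constructed stand-in for the real five-dice, 7776-word
# list; the hyphen separator is an assumption, not Diceware's rule.
import math
import secrets
import string

DICE = 2                      # real Diceware rolls five dice per word
WORDLIST = [
    "abacus", "baker", "cabin", "dagger", "eagle", "fabric",
    "gadget", "hammer", "idiom", "jacket", "kayak", "ladder",
    "magnet", "napkin", "oasis", "pencil", "quartz", "rabbit",
    "saddle", "tablet", "ultra", "valve", "wagon", "xenon",
    "yacht", "zebra", "anchor", "bubble", "camel", "donut",
    "ember", "falcon", "garlic", "helmet", "igloo", "jungle",
]
assert len(WORDLIST) == 6 ** DICE   # one entry for every possible dice key


def roll_key(rng=secrets.randbelow):
    """Roll DICE dice -> a key such as '41'; each die contributes a digit 1-6."""
    return "".join(str(rng(6) + 1) for _ in range(DICE))


def key_to_index(key):
    """Read the dice key as a base-6 number: '11' -> 0, '16' -> 5, '66' -> 35."""
    return sum((int(d) - 1) * 6 ** k for k, d in enumerate(reversed(key)))


def pick_words(n, rng=secrets.randbelow):
    """Look up n words by dice roll; repeats are allowed, exactly as in Diceware."""
    return [WORDLIST[key_to_index(roll_key(rng))] for _ in range(n)]


def entropy_bits(n_words, list_size=len(WORDLIST)):
    """Entropy of the bare passphrase before any tweaks: n * log2(list size)."""
    return n_words * math.log2(list_size)


def strengthen(words, rng=secrets.randbelow):
    """Upper-case one inner letter and insert one punctuation mark inside a word."""
    words = list(words)
    i = rng(len(words))
    w = words[i]
    pos = 1 + rng(len(w) - 2)                     # an inner letter, never first or last
    words[i] = w[:pos] + w[pos].upper() + w[pos + 1:]
    j = rng(len(words))
    w = words[j]
    pos = 1 + rng(len(w) - 1)                     # between two letters
    words[j] = w[:pos] + string.punctuation[rng(len(string.punctuation))] + w[pos:]
    return "-".join(words)


def diceware_passphrase(n_words=4, rng=secrets.randbelow):
    """The flow the slide describes: roll 3-4 words, then add a capital and a symbol."""
    assert 3 <= n_words <= 4
    return strengthen(pick_words(n_words, rng), rng)
```

With the real list, four words give about 51.7 bits before the tweaks (`entropy_bits(4, 7776)`); the 36-word demo list gives only 20.7, which is why the list size matters more than the tweaks.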
Birthday, Security Questions
• Give wrong answers!
• For answers to security questions, use random unrelated words.
• Store in password manager.
2-Step Authentication
• Links a trusted device (iPhone, iPad, Mac) to your Apple ID.
• When you sign in for the first time from a new device, you must enter password and 6-digit code sent to the trusted device.
• Even if someone gets your password, they can’t take over your Apple ID.
• Replaces security questions.
2-Step Authentication in Action
More on 2-Step Authentication
Get more info and instructions from Apple:
https://support.apple.com/en-us/HT204915
No Phone While Driving
• Can’t control the vehicle while fiddling with your device.
• Hands-free “cell-phone drivers exhibited greater impairment than intoxicated drivers.”
http://psych.utah.edu/lab/appliedcognition/
Pedestrians, Too!
• Distracted pedestrians get injured.
• Stop in a safe location to talk on your cell phone.
Apple’s iOS Security Guide
• Authoritative reference for iOS 10
• Updated in March 2017
• Available at:
https://www.apple.com/business/docs/iOS_Security_Guide.pdf