iOS Security

Princeton Macintosh Users Group June 13, 2017

Mike Inskeep Gentle Computer Helpers

https://www.gentlehelpers.com mike<at>gentlehelpers<dot>com

610 742 3927

Gentle Computer Helpers 6/13/2017

Secure Your iPhone

About Mike

• Certified Support Pro

• Supported all things Apple for 25 years

- Director of Microcomputer Support, U Penn’s School of Arts & Sciences

- Technology Teacher and Coordinator, Friends School Haverford

- Gentle Computer Helpers since 1999

This Is A *Brief Introduction*

• Quick and easy things you can do to make your iDevice more secure

• Principles of securing your iDevice

• For more, see Apple’s iOS Security Guide:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Principles of Digital Security

• Establish layers of security

• Minimize your attack surface

• Use strong authentication

• Limit permissions

• Robust, redundant data storage

• Pay for what you use

Layers (Walls) of Security

• Cellular, Wi-Fi and Bluetooth

• Hardware

• iOS

• Apps

• Apple ID

Minimize Attack Surface (Doors)

• Enable only what you need or want.

• Disable (don’t install) what you don’t.

• Keep hardware, software up-to-date.

Strong Authentication (Lock Doors)

• Passcodes, Passwords

• Information used to verify your identity (security questions, birthday)

• Trust token (device, app)

• Trusted communication channel to reset

Basic Approach to Security

Identify threats -> how to prevent

• Change set up: hardware, apps, settings

• Change standard operating procedures

• Slow down, attend in risky situations

• Plan for worst-case scenarios

Wireless Communications

• Cellular service

• Wi-Fi networks

• Bluetooth

Your Phone Number Could Be Hijacked

• To make scam telephone calls

• To impersonate you when calling financial institutions, government agencies or stores

• To break 2-factor authentication

• To impersonate you and take over your online accounts or steal your identity

Phone Numbers Work on Other Devices

https://newsroom.t-mobile.com/news-and-blogs/digits-launch.htm

T-Mobile COO Mike Sievert

Protect Your Cellular Number

• Set a unique PIN for customer service

• Create a strong, unique password for access to your online cellular account

• Lock your phone number to your iDevice SIM card

Public Wi-Fi Is Not Secure

https://wifipineapple.com

Impersonates Wi-Fi Networks

http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

How The Wifi Pineapple Snoops

http://www.troyhunt.com/2013/04/the-beginners-guide-to-breaking-website.html

Public WiFi Remedies

Three alternatives:

• Turn off WiFi when you leave a trusted location

• Use WiFi only for non-private activities

• Use a virtual private network (VPN)

• Use cellular service instead

Turn Off Wi-Fi

• Put a note with your keys

• Set a location-based reminder

Gentle Computer Helpers Secure Your Mac 2017

Relatively Safe Use of Public Wi-Fi

• Compose or edit content

• View media (written, audio, video)

• Surf websites to read or view

-> Check SSID (network) you connect to

Unless VPN Is On, Do NOT

• Check email (unless SSL on)

• View sensitive or private cloud data

• Sign into accounts

• Make purchases

VPN Protects You

Virtual Private Network:

• Encrypts your communications.

• Verifies the identity of your host.

• Cloaks your location.

Subscribe to VPN

• Protects against Man-in-the-Middle attack

- Rogue WiFi access points

- ISP monitoring

• For reviews of VPN services, see:

- https://thatoneprivacysite.net

- https://www.pcmag.com/article2/0,2817,2403388,00.asp

• Expect to pay $40-80/year

Bluetooth

• When it’s on, it’s a door into your iDevice.

• Turn it off when you’re not using it.

Wireless Communications

• Secure your telephone number

• Use a VPN on public Wi-Fi networks (if not all the time!) or use cellular

• Turn off Bluetooth when not using it

Hardware

• Keep it up-to-date.

• Get a case for it.

• Keep it in your possession.

• Set a strong passcode.

• Lockdown the Lockscreen.

• Be prepared if it’s lost or stolen.

Use iDevices Apple Supports

• Include improved security components

- Touch ID sensor, “secure enclave”

- NFC antenna, “secure element” for Apple Pay

• Can install the latest version of iOS

- patches security vulnerabilities

- includes features that improve security, e.g. native encryption of APFS

Security Content of iOS 10.3.2

“Available for: iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation”

• Can’t install iOS 10.3.2 on earlier iDevices

• 55 vulnerabilities patched in iOS 10.3.2

https://support.apple.com/en-us/HT207798

Can’t Secure Vintage iDevices

It is not possible to protect iDevices which can’t install the current version of iOS from known attacks.

Hardware Threats

• Physical damage

• Stolen or lost

Protect Hardware

• Get a good case

• Strong passcode (and Touch ID)

• Lockdown the lock screen

• Loss/theft plan

Get A Protective Case

• Dramatically reduces the risk of physical damage.

• Highly protective cases aren’t more unattractive, bulky or expensive.

• For comprehensive, unbiased reviews and comparisons, see:

https://www.mobilereviews-eh.ca

iOS Passcode

• Essential protection whenever iDevice not in your possession.

• Encrypts data so can’t be read.

• Write it down, store in password manager.

• Give it to executor.

Poor Passcodes

• Many pick a poor passcode:

http://danielamitay.com/blog/2011/6/13/most-common-iphone-passcodes

Don’t use:

• Sequence of numbers (0000, 123456)

• Dates (1948, 011998)

• Numbers corresponding to words (5368 = LOVE)

• A geometric pattern (1397, 147852)

• Only four digits

Gentle Computer Helpers 1/12/2017

iPhone Security

Generate a Random Passcode

• Go to: https://www.random.org/integers
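
The weak-passcode categories from the Poor Passcodes slide can be checked mechanically, and a random passcode can be drawn locally instead of from a website. The following is an added example, not part of the original slides; the word list is a constructed sample, and the "same distance between keys" test for geometric patterns is an assumed heuristic.

```python
import secrets

# Keypad geometry (row, column), used to spot codes that trace a shape.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
          "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}
# Letters printed on each key, used to spot codes that spell a word.
LETTERS = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
           "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
TO_DIGIT = {ch: d for d, chars in LETTERS.items() for ch in chars}
# Constructed sample list; a real check would use a full dictionary.
WORDS = ["love", "baby", "home", "angel"]
WORD_CODES = {"".join(TO_DIGIT[c] for c in w) for w in WORDS}


def is_sequence(code):
    """Constant step between digits (mod 10): 0000, 123456, 9876, 2468."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return len(steps) == 1


def is_date(code):
    """Plausible year or month/day/year layouts for 4, 6 and 8 digits."""
    if len(code) not in (4, 6, 8):
        return False
    def month(s): return 1 <= int(s) <= 12
    def day(s): return 1 <= int(s) <= 31
    def year(s): return 1900 <= int(s) <= 2099
    a, b = code[:2], code[2:4]
    md = (month(a) and day(b)) or (day(a) and month(b))   # MMDD or DDMM
    if len(code) == 4:                                    # YYYY, MMDD, DDMM
        return year(code) or md
    if len(code) == 6:                                    # MMYYYY, MMDDYY, DDMMYY
        return (month(a) and year(code[2:])) or md
    return (md and year(code[4:])) or (                   # ..YYYY or YYYYMMDD
        year(code[:4]) and month(code[4:6]) and day(code[6:]))


def is_keypad_pattern(code):
    """Every move between keys covers the same distance: 1397, 147852."""
    dists = set()
    for a, b in zip(code, code[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        dists.add(max(abs(r1 - r2), abs(c1 - c2)))
    return len(dists) == 1 and 0 not in dists


def weaknesses(code):
    """Return the weak-passcode categories that apply to a digit string."""
    if not code.isdigit():
        raise ValueError("passcode must contain digits only")
    checks = [("too_short", len(code) <= 4), ("sequence", is_sequence(code)),
              ("date", is_date(code)), ("keypad_word", code in WORD_CODES),
              ("keypad_pattern", is_keypad_pattern(code))]
    return [name for name, hit in checks if hit]


def generate_passcode(length=8):
    """Draw digits from the OS CSPRNG, redrawing if a weak pattern appears."""
    while True:
        code = "".join(str(secrets.randbelow(10)) for _ in range(length))
        if not weaknesses(code):
            return code


if __name__ == "__main__":
    for sample in ["0000", "123456", "1948", "011998", "1397", "147852"]:
        print(sample, weaknesses(sample))
    print("generated:", generate_passcode())
```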

TouchID - Pros & Cons

• Must still remember the passcode!

• More convenient, faster.

• Harder to steal (peeking or surveillance cameras don’t work).

• Easier to compel entry (physically and legally).

Other Touch ID Uses

• Approve purchases from iTunes, App Store, iBooks (instead of your Apple ID password)

• Apple Pay

• Authenticate apps, e.g. 1Password

TouchID - Set Up

• Use 3rd or 4th finger of the hand you don’t usually use to tap icons

• To increase reliability, create several fingerprints of that single finger in slightly different positions

Lockdown the Lock Screen

Settings > Touch ID & Passcode

• Disable (nearly) all access when locked

• Enable Erase Data to automatically wipe it after 10 failed passcode attempts

Settings > General > Auto-Lock > 1 Minute

Prepare for Lost or Stolen iDevice

• Record model, serial #, IMEI #

• Enable Find My iPhone

• Enable erase data after 10 passcode fails

• Keep a list of accounts using the iDevice for 2-Factor Authentication, with rescue codes

• Practice finding using Find My iPhone app and icloud.com

Find my iPhone

Protects you if your iDevice is misplaced, lost or stolen:

• Locate it on a map.

• Play a sound from your iDevice.

• Display a message on the lock screen.

• Remotely lock it and erase your data.

You’ll need your Apple ID and password to unlock and restore your apps, data.

Lost or Stolen Procedure

1. Try locating using icloud.com.

2. If nearby, play sound to help locate.

3. Turn on lost mode. Lock it with a passcode that you write down. IF ERASED, IT’S NO LONGER TRACKABLE.

4. Report to police, AppleCare 800-275-2273, cellular provider.

5. Change device for 2-Factor Authentication.

If Stolen, Beware of Phishing

• Criminals attempt to steal your Apple ID credentials to recover device’s functionality.

• If you receive a text or email claiming to be from Apple, DO NOT RESPOND!

• Call AppleCare 800-275-2273

https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/

Threats to Your Data

• Hardware damage, failure, or loss

• Switching to another device

• Update fails

• Software corruption

Robust, Redundant Data Storage

• Backup to iCloud or computer via iTunes.

• Sync data to iCloud, other services.

Backup To Computer Via iTunes

• Apple cannot access

• Enable Encrypt backup to copy all data

• (Use same password as your Apple ID password to make it easy to remember)

For more info and directions go to: https://support.apple.com/en-us/HT203977

Backup Via WiFi to iCloud

• To set up: - iTunes >

• To Initiate Daily Backup

- Plug in to power

- Connect to Wi-Fi

- Lock the screen

For more info and directions go to: https://support.apple.com/en-us/HT203977

iCloud Sync

• Files/folders between Mac(s) and iCloud disk

- Desktop and Documents

- Files for iCloud enabled applications

- Photos via iCloud Library or Photo Stream

- Music via Apple Music

• Contacts, Calendars, Reminders, Notes, Safari Bookmarks

• Keychain secrets

iCloud Sync Characteristics

• Like backup, duplicates data

• But sync goes both ways

• Accessible via icloud.com

• Syncs between Macs, iPhones, iPads

• No versioning

Wipe iPhone Before Return, Repair, Resale

1. Back up. (To ensure you don’t lose data…)

2. Remove as a trusted device

- Apple ID

- Accounts using 2-Step Authentication

3. Then wipe: Settings > General > Reset > Erase all content and settings

• Erases cryptographic keys, making all user data on the device inaccessible.

Keep iOS Up-To-Date

Why?

• Fixes bugs (things that don’t work due to programming errors)

• Addresses security vulnerabilities

Let’s look at some security vulnerabilities iOS 10.3.2 fixed…

The Security Content of iOS 10.3.2

Apple maintains a list of recent security updates with links to their content here:

https://support.apple.com/en-us/HT201222

The security content of iOS 10.3.2 is here:

https://support.apple.com/en-us/HT207798

• Each entry lists the CVE ID = the Common Vulnerabilities and Exposures ID

Cross Site Scripting

• WebKit

Impact: Processing maliciously crafted web content may lead to universal cross site scripting

Description: A logic issue existed in the handling of WebKit Editor commands. This issue was addressed with improved state management.

CVE-2017-2504 : lokihardt of Google Project Zero

CVE-2017-2404 Listing

National Institute of Standards & Technology Computer Security Resource Center National Vulnerability Database

https://nvd.nist.gov/vuln/detail/CVE-2017-2404

“iOS before 10.3 is affected. The issue involves the ‘Quick Look’ component. It allows remote attackers to trigger telephone calls to arbitrary numbers via a tel: URL in a PDF document, as exploited in the wild in October 2016.”

Vulnerabilities Addressed by iOS 10.3.2

• Web content may execute arbitrary code: 22

• Web content may lead to cross site scripting: 4

• Application may execute arbitrary code: 10

• App may execute code with root/kernel privileges: 3

• Application may gain kernel privileges: 8

• Application may cause denial of service: 2

• Others: 6

Total: 55

Why Update Quickly?

• Some vulnerabilities may already be exploited

• Once Apple issues an update, the vulnerabilities are public.

• Malicious individuals or organizations can determine what Apple fixed.

• They can develop exploits to attack devices which are not yet updated.

How Soon is Quickly?

• Install incremental updates (e.g. 10.3.x) immediately — at least within 2 days

• For major releases (iOS 10 -> iOS 11), I still recommend you upgrade immediately

• If you want to be cautious, wait several days, then search for others’ experience

-> Backup before upgrading!

Make Update Alerts Visible

• Place Settings, App Store icons on Home Screen.

• Red circles with numbers on icons indicate available updates.

Install Only Apps You Need/Want

• Each app is a door into your iPhone

• You must trust the developer

- Does only what they claim

- Well-written code

• Vet before installing

• Pay for good apps

Read App Reviews Before You Buy

Search the Internet:

• “app name” or “type of app” iOS review

• Look for reviews in MacWorld, Mac|Life, CNet, Lifehacker, PC Magazine, etc.

iTunes reviews

• Read bad and good

Check App Privacy, Settings

• If a new app asks to access contacts or other data, decline if you don’t need it.

• Once new app installed, check settings:

- Settings > Privacy > Location Services

- Settings > Privacy > Each built-in app

- Settings > [new app name]

Maintain Apps

Keep apps up-to-date

• Fixes bugs, plugs security vulnerabilities

• Place App Store icon on home screen

Delete unused apps

• Each installed app makes you more vulnerable

No Anti-Virus Apps for iDevices!

• iOS is locked down so they wouldn’t work.

• Waste of money or worse!

• Most iOS “security” apps merely duplicate Find My iPhone functionality.

An iPad User

Her Password Manager

Her Credentials

• User Names similar to: m1ddleage

• Passwords similar to: s1LlibR0unee

• Security Questions similar to: First Car? a blue unaSSembledVW sedan

What’s Good

• Unique passwords for each site.

• Passwords not words with numbers and/or special characters before or after.

• Password of moderate length (~12 chars)

• Security question answer long (26 chars)

What Could Be Better

Passwords

• Longer

• Random characters

• More special characters

• Easier to enter

Security question answers

• Unrelated to the question

• Or even better -> random characters

Could be lost or stolen

• Easily read by others

• No back up

Password Manager

• Can generate truly random passwords, user names, answers, etc.

• Can save passwords of any length.

• Built-in web browser.

• Can copy and paste in passwords.

• Automatically backs up and syncs with other devices.

• Can’t be read or used without master password.

Why Not iCloud Keychain?

• Once you open iDevice, it’s active; not password or Touch ID protected.

• Stores only user names, passwords, credit card info (except CCV).

• Easy - automatically fills in

1Password

• Beautiful, clear, easy-to-use interface.

• Data encrypted on devices and in iCloud.

• Apps for iPhone, iPad, Mac, Windows.

• Can unlock with Touch ID!

• Good security track record.

-> Buy from App Store so syncs via iCloud.

Safer Web Browsing

• Safari

• Onion Browser (more privacy, but slower)

• 1Password (more security)

• Do NOT install a browser to view Flash (Flash is a security disaster!)

• Do install an ad blocker.

Use 1Blocker with Safari

• Blocks malware, malicious content delivered via ads.

• Privacy from tracking scripts.

• Will reduce data downloaded so pages load faster, battery lasts longer.

• Do NOT use Ad Block.

http://1blocker.com

Use 1Password for Secure Browsing

• Any site where you need to sign in.

• Has its own built-in browser.

• Stores site addresses, user names, passwords, etc.

Monitor URL Bar

• Make sure the address shown matches your intended destination.

• Padlock indicates a secure connection. Only sign in, make purchases when displayed:

Surge of Phishing Emails

• With attachments: fake installers, Word documents, PDFs

• With links to malicious webpages

• With malicious JavaScript

Review Email Deliberately

-> Slow down, pay attention

• Tap on sender’s name to confirm email address

Links in Email

Confirm link address matches text by tapping and holding lightly on the link:

Be Skeptical of Email Attachments

• Not requested? Not expecting it?

-> Forward the message to the sender asking if they sent it. Do not use reply.

• Be especially leery of files ending in .zip, .doc, .docx, .xls, .xlsx, .ppt, .pptx

iOS makes you MORE secure!

1. Enter credit card in Wallet app.

2. Check for Wireless Pay or Pay.

3. Hold iPhone near terminal.

4. Place finger for Touch ID.

Apple Pay

Pay Terminal

iPhone Pay Screen

iCloud Account Compromised

Apple ID Account Vulnerabilities

“certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions”

- Apple Media Advisory, Sept. 2, 2014

https://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

Apple ID Account

How your account is identified and verified:

• Apple ID

• Password

• Birthday

• Security questions

• Rescue email

• Trusted device (2-step authentication)

We need strategies to protect them.

Online Diceware Generator

• Go to this site to generate a diceware password (3-4 unrelated words):

https://entima.net/diceware/

• Add a capital letter or two in the middle of a word

• Add a special character or two in the middle of a word

Birthday, Security Questions

• Give wrong answers!

• For answers to security questions, use random unrelated words.

• Store in password manager.

2-Step Authentication

• Links a trusted device (iPhone, iPad, Mac) to your Apple ID.

• When you sign in for the first time from a new device, you must enter password and 6-digit code sent to the trusted device.

• Even if someone gets your password, they can’t take over your Apple ID.

• Replaces security questions.

2-Step Authentication in Action

More on 2-Step Authentication

Get more info and instructions from Apple:

https://support.apple.com/en-us/HT204915

No Phone While Driving

• Can’t control the vehicle while fiddling with your device.

• Hands-free “cell-phone drivers exhibited greater impairment than intoxicated drivers.”

http://psych.utah.edu/lab/appliedcognition/

Pedestrians, Too!

• Distracted pedestrians get injured.

• Stop in a safe location to talk on your cell phone.

Apple’s iOS Security Guide

• Authoritative reference for iOS 10

• Updated in March 2017

• Available at:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf
