Data loss incident news and data protection advice.

iOS 8.1.2 Update Results

The latest iOS release from Cupertino alerted me via my iPhone 5, on the evening of December 21st, 2014. I find that a bit odd, especially since it’s been out since December 9th, 2014. Possibly it’s a staggered release? For pure curiosity reasons, if you were alerted sooner, post in the comments when you were notified and your device type.

Whenever there is a new release or update I always feel compelled to checkout what’s new at KBA HT1222. There was nothing new regarding iOS security, not even a publicly documented anti-malware update. This is a small update so I decided to have a little fun comparing the duration it takes to get patched between an iPhone 5 Model MD636LL/A and iPad Air Model MD785LL/A.

The Update

This update is focused on restoring lost ringtones purchased from iTunes Store. Fortunately for me I don’t buy ringtones so I’m unaffected. If you or someone you know needs to restore their lost ringtones, they can do so by navigating to this link from the device itself. For the folks out there who like to use technology the way you want to, attempting to open that link from a non-iOS device will result in iTunes being requested to launch. At a minimum, you will be promoted for iTunes to be launched and you can cancel. Your experience may vary depending upon how you are configured. Click for yourself below.

Choosing to go further into the unknown, the locally installed iTunes app will launch revealing the image below.

restore tones imageFor fun, I surfed to the iTunes Restore Tones link from a Samsung Tab 3 I use for testing. The page redirected to the “Download iTunes Free” download page. Not surprisingly, there is no option to install iTunes on Android. Kind of a fruitless exercise, but it didn’t take long to enter into a mobile browser to see the behavior.

Update results

I used Online-Stopwatch from the Samsung Tab 3 to get an estimated duration to apply the patch untethered. The start point was from accepting the EULA bound to pressing “Download and Install”. The patch for an iPhone running 8.1.1 is 28.2MB in size, which is not very large. I began the update prior to catching the size of the total update to iOS 8.1.2 for this phone. I believe this iPhone 5 was at iOS 8.1. The total upgrade time took roughly 11 minutes and 30 seconds over a 802.11b/g/n wireless encrypted 2.4GHz WiFi network. Traffic encryption is configured for WPA2-PSK (AES). There were 2 restarts prior to the device returning to a usable state in sleep mode. Pressing the Home button woke the iPhone 5 up but the passcode entry response time was very sluggish. Resulting in an error during entry due to the slow confirmation of the masked characters. Clearly there won’t be any noticeable UX changes for me because I don’t purchase ringtones.

Performing the same 8.1.2 update on a test iPad Air, using the same network and method as described above, took 19 minutesiOS8.1.2Update-iPad and 33 seconds to complete past the “Preparing Update…” status. This would feel reasonable for a patch that’s 364MB in size. The restart to update the firmware (the Apple logo on a black background) took 25 minutes and 48 seconds, according to Online-Stopwatch. The iPad Air was usable after a total of  26 minutes and 51 seconds. Passcode entry was not sluggish. Again, no UX behavior changes.


While there still are many iOS users waiting for WiFi and battery drainage issues to be resolved, at least some of you got your ringtones back. Nonetheless, applying updates to any device you own/manage is one very important part of staying secure. Call it a best practice of risk reduction. While 8.1.2 doesn’t have any publicly documented security updates, if you have the time, always lean to the side of best practices. If you don’t have the time, find a gap and work patching into your holistic device security posture maintenance routine. I don’t consider the performance results described in this article to be the best results or even to be used as a benchmark, simply the results I experienced. Your mileage my vary, especially if you are not updating from iOS 8.1.1. Please share any variances you find within the comments below. TIA!

For a different review, I suggest reading GottaBe Mobile Adam Mill’s articles “iOS 8.1.2 Review: Is It Worth Installing?” and “iPad iOS 8.1.2 Update: What You Need to Know“.

No security, no privacy. Know security, know privacy.

Categories: Mobility, Support Tags: , , , , ,

Kippo Honeypot BotNet Takedown

February 16, 2014 1 comment

Kippo Honeypot BotNet Takedown

I wanted to post this over here as well for some folks who may have missed the Kippo Honeypot BotNet Takedown article released this past Friday at Barracuda Labs. This article has a lot of technical details for anyone looking to get down and dirty. You can also click the link to download the technical transcript I received from an unnamed source I called “Bob” for the article.

Please leave comments here or at the Barracuda Labs blog site.

Thanks again for stopping by.

My reaction to the Twitter white and gray color scheme. Looks too much like Apple.

twitter trolling

This was the surprise I got when I logged into Twitter today. Not the smut, the white and gray color scheme. Too much like the brand in the image above.

New twitter colors

Mobiwol: No-root Firewall for Android

December 16, 2013 2 comments

The question has generally come to every Android user as to whether or not to root their device. (See reasons for rooting and against.)

For our purposes in security, we would want to root our devices, right? What if, though, you have a phone you are not allowed to root? Company phone policies sometimes will restrict rooting. How do you exert control over the traffic your apps may generate?

Mobiwol Home Screen

Mobiwol Home Screen

Enter Mobiwol. A great thanks to David Schwartzberg (@DSchwartzberg), my esteemed host, for suggesting this app to me. My goal was simple: I wanted an app that could control traffic to and from my phone over the WiFi or 4G radios, but *NOT* root the phone. Not because I’m scared of voiding the warranty. I know I could easily fix that with a firmware flash.

I didn’t want to root my production phone.  I was merely seeking a way to monitor and further tighten it.

It’s not really a fair thing to call it a true firewall. When I think of a firewall, I think of NFTables or CheckPoint or some other firewall technology that gives you the ability to handcraft rules for incoming, outgoing, and forwarding in many ways such as ports, IP subnets, and traffic patterns, even. That would require root access, for sure.

Many apps have the ability to run in the background without your knowledge. Sometimes, though, it may be not so good especially if the app is doing things you don’t want it to do or that you know it shouldn’t do. Mobiwol controls when an app is allowed to use the radio interfaces of your device. HOW does it do this with out root? Glad you asked.



When Mobiwol starts up, it creates a VPN connection using the Vpnservice.builder packages in Android. That may seem odd to you, at first, but it’s quite genius.

When third party apps create VPN connections, they create a tunnel interface (tun0) that becomes the gateway for all network traffic on the phone. The gateway, essentially, connects to the app (Mobiwol, in this case) and then sends your traffic out to the connected VPN server out in the internet, but Mobiwol doesn’t go that far. It only creates the tun0. It then decides whether to forward the traffic on its merry way, or not.

When you have an app that transmits in the background, but you don’t think it should have\don’t want it to have that kind of capability, you tell Mobiwol that the app should only generate traffic in the foreground. You can even choose what radios apps are allowed to use. If you want a network intensive app to use the WiFi, but NOT the 4G radio, you just tell Mobiwol that that app only uses the WiFi radio.

Remember as well, that there are apps that have no purpose using the network or Internet. Flashlight apps, standalone games, or standalone apps that have advertisements, they can all be blocked from using the network with no issues, generally.

Some companies, beware, have started programming advertising dependency into their apps. This means if their ads don’t load on the app, because you are blocking it from pulling them from the InterWebs, then the app closes or refuses to load or function.

Mobiwol Rules

Mobiwol Rules

The other great thing about Mobiwol is logging and reporting. Mobiwol maintains a log of all activity or attempted activity. Not only this, but it also informs you in your information bar as to when an app was blocked or allowed.

If you are on Facebook messaging with someone, you will see the initial connection from the Facebook app is ACCEPTED. It won’t bug you anymore about the traffic because it’s still in the foreground. However, if you are still messaging, and you go to another app, thus leaving Facebook in the background, and you have Facebook background blocked, you will see a notification pop-up in the info bar telling you that Facebook was BLOCKED.

Also along the lines of reporting, it doubles as a data usage monitor\limiter\blocker all based on what apps you use. You can set billing period limits on all of your apps so that you can put budget your data plan.

Sounds Good… BUT….
So far, it seems like I have been a total fanboy\tool for Mobiwol, but I’m not. It has its drawbacks and issues.

I found my phone suffering performance reduction when using Facebook, Email, YouTube, and even Google Search. I blocked these apps from running in the background. For some reason, they were not being indicated as being blocked, but all that I received was loading wheels and hanging processes. Turning Mobiwol off and on again usually fixed this.

If you are looking for Mobiwol to act as your alternative solution to rooting your smart device for enhanced security, you might not be too terribly impressed. It’s an app traffic firewall, on a very basic level.

It allows or blocks apps to send traffic through the radios based on a few parameters such as: Is it background? Is it foreground? Is it trying to go over the WiFi? Is it trying to go over the 4G? Have you reached your data limit for the app? I think the best thing about the app is getting a really good picture as to what your device is doing when you aren’t watching, and how much your apps really communicate in the background.

We like to think our phones and devices are out of sight and mind until we need them, but they many times need to communicate when they are out of sight and mind. Whether it’s good or bad that those apps are doing that is something you will have to decide for yourself. Visit the Google Play store to download Mobiwol for your Android Device to try it.

Reboot Router

September 21, 2013 Leave a comment

I have been giving a talk on “ZeuS Command & Control for Tech Support” that whimsically uses a Trojan horse type of malware to solve commonly reported computer issues. The concept arose from regularly being asked to help friends, family and others fix their computers because I enjoy it.

There may have been a point much earlier in my career when that was true.

Time permitting, not that there is much time to spare, I still do get a warm and fuzzy feeling inside helping out friends. Family is a more complex matter, because it’s you. They know your flaws, secrets, and don’t give a fuck. “Just fix the thing!” “You’re not very patient!” “Why are you so rude!” And several other exclamatory explicatives would be apart of the typical “customer service” engagement.

I decided to share this in a blog because while on a business trip and dealing with delayed flights, resulting in missed connections, adding in a city not on the original itinerary and hours of delays due to “lovely” Chicago weather; my wonderful wife asked me to help her reboot the at&t gateway for U-verse to get back online.

Having noticed earlier in the day that the SSL VPN I run from my home, the gateway to SchwartzNet Labs, was down. I sent her a couple unanswered text messages to confirm that the unresponsive SSL VPN and Minecraft server were not on fire. Children were crying.

She eventually replied to the email I sent her on the same topic confirming…

the tubz were downz.

She called at&t where they confirmed that there was a network outage in the area due to harsh weather. She needed to reboot the router for everything to come back online. OK, simple enough.

Please keep in mind that my wife is self-admittedly “low tech.” I love her dearly and that this isn’t an insult to her, but rather a comedic tale of how even ZeuS Command & Control for Tech Support couldn’t have helped. She edited this article to her approval prior to publishing.

On this night of SchwartzNet Labs doomsday, she had to get online by midnight and of course…watch her DVR’ed shows. While I waited inside the Los Angeles airport for the air vessel to be ready to receive it’s new human cargo, this was the SMS exchange we had to reboot the router.

reboot router

After the final SMS in this exchange, I decided to call her and go old school using a smartphone to talk her through the process. By the time she answered her smartphone, the router was already powering up. Everything worked perfectly!

I hope you enjoyed this comedic glimpse into my personal life and how us “techies” can learn to be a bit more patient with our customers.

Especially when the customers are our loved ones.

No security, no privacy. Know security, know privacy.

Categories: Support Tags: , , , , ,

BSides Joint Task Force CTF – Detroit Office – Challenge 64 “Flipping Out”

This was an awesome challenge! One my favorite because it had the right amount of clues, pushed my ability to think through a problem and interpersonal collaboration with fellow InfoSec pros in the Midwest community. This is my first CTF so I don’t have any prior experience with this format and am looking at these challenges with “new eyes”.

The challenge was to find the secrets hidden in a JPEG image file by a rogue agent of the BSides Joint Task Force (BSJTS). The JPEG was named ‘hackers.jpg’ which is from the 1995 movie Hackers.

Flipping Out image

Flipping Out image

Based on past challenges from the BSJTF, I knew I needed to do a little recon about the movie. I heard of the movie “Hackers“, and can guess what it’s about, but I never saw it. That being the case, unless they seeded it with false data, Wikipedia is my friend.

In the challenge description there were vague references to the movie characters names, “Acid Burn”, “The Phantom Phreak”, “Cereal Killer”, and “Lord Nikon”. I kept this information in the back of my mind as possible clues for later on to use as passwords, assuming the file contained concealed writing in the form of steganography.

I ran the file through photo forensic tests, inverted the colors with GIMP, as well as a couple other tests. Where I got the best clue of what to do next was with Hex Fiend. With hex editors I look at the beginning and end of files to check for changes. The beginning of the ‘hackers.jpg’ file looked kosher because it contained the proper file header ‘JFIF’ on the first line which indicates it’s a JPEG file format.

The end of the file had more clues as you can see from the image below.

Hex Fiend

First clue found in Hex Fiend

As you can see from the screenshot, I was searching in the text strings of the file for the word ‘flag’, but I also searched for ‘key’, ‘hacker’, ‘hint’, ‘txt, ‘jpg’ and ‘==’ at different periods during the challenge. ‘jpg’ came up as a search result four times.

The bottom of the ‘hackers.jpg’ file has a reference to the file named ‘image1.jpg’ which usually (but not always) means another file was embedded inside the ‘hackers.jpg’ file. I opened ‘hackers.jpg, with Ez7z (7zip app for Mac OS X) and saw the following:


Sweet progress! Opening ‘image1.jpg’ revealed this:

embedded file image1.jpg

Embedded file removed using 7zip

Nothing better than a slap in the face when you think you done good. Opening ‘image1.jpg’ in Ez7z and Hex Fiend didn’t result in any discoveries. It looked like stego was the way to go. All tests were a bunch of dead ends. This is where I can say being nice to people and getting to know your fellow community members is important. You never know when you might need a helping hand.

Honorary mention: I met @DrBearSec at BSidesChicago 2013 for the first time. We’ve seen each others tweets on Twitter but that was about it. Since BSidesChicago, we have both been participating in the BSJTF CTF and as a result, we’ve tweeted to each other more frequently. While working on this challenge it was great to bounce ideas off of each other. @DrBearSec has never given me a flag and has acted more like a mentor providing hints. Because of his willingness to be a mentor, I have learned more and never gave up. During this challenge he gave me a hint about the ‘image1.jpg’ file being a red herring and indeed it was. Thank you Bear!

Turning focus back onto the ‘hackers.jpg’ file I ran it through all of the same tests as the ‘image1.jpg’ file. The description for this challenge used the word ‘flip’ twice, plus it’s in the title. Considering the possibility that the bits of the file were flipped, I turned back to Hex Fiend and saw that the last two characters are ‘KP’. ‘PK’ is the file header identifier for the ZIP file format. Now the search was one to flip the bits and open the ZIP file.

I’m not a developer and pretty weak at scripting so I had to turn to the web for help. I found a Python script that reads a file and flips the last line to the beginning of the file. The results were less than optimal. Hex Fiend showed the file header as

00 01 89 ED 00 01 7B F9 04 2F FA E2 42 B0 56 DB 00 08 00 00 00 14 04 03 4B 50     âÌ {˘ /˙‚B∞V€ KP

The letters ‘PK’ are not at the beginning of the file but further inward. It was Memorial Day weekend and I wanted to play with my kids. I got back to the file on Monday night after 11pm central time. The challenge was ending Tuesday morning at 8am central time and there was less than 9 hours left to finish, assuming no sleep. Pressure was on.

Hunting through search results I came across a tool that reverses the bytes of a file. Surprisingly it’s called ‘reverse.exe’. If you aren’t a coder and you like CTFs, you may want to find this tool. ;0)

Using a Mac, this means it’s time to fire up a Windows VM to flip the file around. The resulting file I opened with Ez7z and saw this:


Pay dirt! I like how the name of the image file was also flipped so it wasn’t obviously found when looking at the hex data. When this file was extracted it resulted in this goofy image.

CTF Flag

CTF Flag

Thank you BSJTF for such a fun and solvable challenge!!

Categories: CTF, Events

Cloud storage data risks and encryption

On March 8th, 2012 I submitted a blog titled “Cloud storage data risks and encryption” at Naked Security pointing out the risks associated with using cloud storage providers such as Dropbox. To be clear, I’m not suggesting to move away from such services, but to augment them with a layer of encryption which you can control. That is exactly how I use them.

For example using SafeGuard PrivateCrypto for standalone free file based encryption use or SafeGuard Encryption for Cloud Storage if you are looking for enterprise class software such as SafeGuard Enterprise.

I’m excited for mid-2012 when the smartphone encrypted file readers will be available. Definitely a sweet integration point there.

I hope you enjoy the blog article and please comment either here at DSPN or Naked Security. If you make a reasonable comment which invokes the need for me to reply, I will make every attempt to engage you in a conversation.

Until next time, keep it safe and secure online.

%d bloggers like this: