Tuesday, August 11, 2015

iOS Security Tools - OpenVPN Connect

OpenVPN Connect - Normally $2.99 but free at time of this article

Developer: OpenVPN Technologies

Whether you're connecting to the internet over WiFi at a hotel, airport, coffee shop etc., unless the app you're using encrypts its own traffic or you're browsing websites over HTTPS (HyperText Transfer Protocol Secure), your data is wide open for someone on that same network to see. If you're googling for fuzzy kitten pictures, then it probably doesn't matter, but if you're transferring work files or logging into a website without encryption then you run the risk of a bad guy intercepting that data. You might even think that only highly skilled hackers can do this, but nothing is further from the truth. It could be the soccer mom sitting four tables away from you running Wireshark on her laptop, passively collecting packets until her filter for the text "password" flags a plaintext login, and then she's got you.

But for a moment, let's get away from the hacker scenario. Who else could be monitoring your traffic? The provider of the wireless access point you're connected to? The ISP (Internet Service Provider) connecting you to the internet? The coffee shop? If you answered yes to all of these, then you are correct. It might be relatively benign, most likely they're monitoring which websites you go to and injecting ads they believe are relevant. Or they're just building on your profile of browsing habits because they can monetize that.

That's where a VPN (Virtual Private Network) comes in. Basically a VPN creates an encrypted tunnel between your device and a server out on the internet. This tunnel encrypts all your data, making it unreadable to anyone except the server on the other end, which decrypts the tunnel and passes your requests on to wherever you were trying to go. Let's say you are connected to your local cafe's free wireless on your iPad using a VPN and you launch the Chrome web browser to go to this blog at http://blog.saltedbrain.org. Your iPad is connected to a VPN server on the internet over an encrypted tunnel. The hacker soccer mom can see your packet data, but it's all securely encrypted and unreadable to her. Same for the cafe owner's wireless access point, the ISP and the interconnecting hops all the way to your VPN server. The VPN server decrypts the traffic and passes your web browser request for this blog to my server on your behalf. My blog server responds and sends everything back to the VPN server, which then encrypts everything again over the VPN tunnel and sends it back to your iPad. Note what the tunnel does not cover: between the VPN server and my blog server the request is ordinary plaintext HTTP, so a VPN moves the point where your traffic is exposed rather than replacing HTTPS.

Now, the more tech savvy among you might have realized that if everything is decrypted at the VPN server, then they could potentially capture all that data right there. You are correct. That's why it's very important to do your research in finding a reputable VPN provider. Or, you can place your trust in me and my research and follow along below to get set up. But bear with me for another minute here so I can explain what you're looking for in a good reputable VPN provider.

  • They should support current strong encryption such as AES-256.
  • They should state in very plain text and loudly that they do not store or read your internet traffic. You still have to take that on a leap of faith I suppose.
  • They should make mention of their speeds. In a world where you usually get what you pay for, free or cheap VPN providers typically have slow connections. The one I will be telling you about is an exception.
  • Look for bandwidth limits. Will they give you fast connectivity until you hit 1GB and then rate limit your connection (slow you down)? Will they cut you off after you hit 1GB of traffic?
  • Do they limit what sort of sites you can visit? Most will block P2P (torrents), but will they block gaming sites?

I've found a VPN provider who gives you unlimited bandwidth, doesn't block anything but P2P, doesn't store your internet traffic aside from your IP address and what time you connected (which they only keep for a week), supports strong cryptography and they're FREE. You can find them at http://www.vpnbook.com.

Let's get into how to get set up.

  • Download the OpenVPN Connect app from the Apple App Store.
  • Download the Zip Viewer app from the Apple App Store. We need this to download and extract the OpenVPN profile from VPNBook. If you have another app that will let you download ZIP files, such as iDownloader already, then use that.
  • Go to http://www.vpnbook.com/freevpn in Safari and tap the link for US1 OpenVPN Certificate Bundle as shown in the screenshot. Take note of the username and password just below the various bundles. You'll need this later. One caveat: that page and the bundle come down over plain HTTP, and the bundle contains the CA certificate your client will trust, so fetch it on a network you already trust (at home, for instance) rather than on the hotspot you're trying to protect yourself from.
  • Choose Open In and scroll over till you find Open In Zip Viewer
  • When Zip Viewer opens, tap on VPNBook.com-OpenVPN-US1 on the left to open the ZIP file and then tap on vpnbook-us1-tcp80.ovpn on the right.
  • Next tap on the Send To icon at top right and choose Open in OpenVPN

  • When OpenVPN launches you'll see the profile listed under the New Profiles Are Available section. Tap the green plus sign and it will open the profile below, like the screenshot (I had already added it when I took the screenshot).
  • The username and password are listed on the VPNBook page where you downloaded the OpenVPN Certificate Bundle. At the time of writing this article, it was vpnbook:y6gaTRuv. Tap the save switch so you don't have to enter them again later. Now tap the Connection switch.

    And that's it. You can switch to another app and start browsing. You should see a VPN box next to your carrier and WiFi info at the very top. This lets you know you are using a VPN connection. When you're all done, just launch OpenVPN again and tap the Connection switch to turn it off. You can even run OpenVPN over your cell data connection. It's not limited to just WiFi.
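Since the whole setup hinges on what's inside that .ovpn profile, here is an added example (my own code, not OpenVPN's or VPNBook's) that parses a profile and flags missing or weak security directives: the AES-256 point from the checklist above, plus whether the server certificate is actually verified as a server certificate and whether the TLS control channel is HMAC-protected. The embedded profile is a constructed stand-in with a placeholder host and certificate; it is not the real vpnbook-us1-tcp80.ovpn.

```python
"""Audit an OpenVPN client profile (.ovpn) for missing or weak security directives.

Added example for this post; it is not OpenVPN's or VPNBook's code, and the
profile below is a constructed stand-in, not the real vpnbook-us1-tcp80.ovpn.
"""
import re

# Constructed sample profile. It mirrors the shape of a typical "tcp80" bundle
# (TCP on port 80 so it passes through captive portals) but the host name and
# certificate are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto tcp
remote vpn.example.net 80
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-256-CBC
auth SHA256
comp-lzo
verb 3
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed sample)
-----END CERTIFICATE-----
</ca>
"""

# Ciphers no modern profile should offer: 64-bit block ciphers (SWEET32) or none.
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_AUTH = {"none", "md5"}


def parse_profile(text):
    """Return ({directive: [args, ...]}, {inline block names}) for an .ovpn file."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                      # inside a <ca>...</ca> style inline block
            if line == "</%s>" % block:
                block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            block = m.group(1)
            inline.add(block)
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, inline


def audit(text):
    """Return a list of (severity, message) findings for the profile text."""
    d, inline = parse_profile(text)
    present = lambda *names: any(n in d or n in inline for n in names)
    findings = []
    if not present("ca"):
        findings.append(("HIGH", "no CA certificate: the server's certificate cannot be verified"))
    if not present("remote-cert-tls", "ns-cert-type"):
        findings.append(("HIGH", "no 'remote-cert-tls server': any certificate the CA issued, "
                                 "including another client's, would be accepted as the server"))
    if not present("tls-auth", "tls-crypt", "tls-crypt-v2"):
        findings.append(("MEDIUM", "no tls-auth/tls-crypt: TLS control channel is not HMAC-protected"))
    if "data-ciphers" in d:            # OpenVPN 2.5+ negotiation list, colon-separated
        ciphers = [c.lower() for args in d["data-ciphers"] for c in args[0].split(":")]
    else:
        ciphers = [args[0].lower() for args in d.get("cipher", []) if args]
    if not ciphers:
        findings.append(("MEDIUM", "no cipher specified: older clients fall back to BF-CBC"))
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(("HIGH", "weak cipher %s" % c))
    for args in d.get("auth", []):
        if args and args[0].lower() in WEAK_AUTH:
            findings.append(("HIGH", "weak HMAC digest %s" % args[0]))
    # comp-lzo (unless "comp-lzo no") or compress with a real algorithm means data is
    # compressed before encryption, which enables VORACLE-style plaintext recovery.
    compressing = any(args[:1] != ["no"] for args in d.get("comp-lzo", [])) or \
        any(args[:1] in (["lzo"], ["lz4"], ["lz4-v2"]) for args in d.get("compress", []))
    if compressing:
        findings.append(("LOW", "compression enabled: compressing data before encryption is risky; prefer none"))
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append(("LOW", "auth-user-pass without auth-nocache: password kept in process memory"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_PROFILE):
        print(severity, message)
```

Run it against a downloaded profile by reading the file into `audit()`. The `remote-cert-tls server` check is the one most worth knowing about: without it the client only checks that the server's certificate chains to the bundled CA, and a provider that issues client certificates from the same CA has handed every customer a certificate that would pass.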

Sunday, March 1, 2015

iOS Security Tools - Fing

Fing - FREE

Developer: Overlook Soft

Fing is a highly configurable network scanner which can be leveraged for private networks, but can also be used to scan external hosts. One of Fing's best features is that it will remember networks you've already scanned and retain the names and additional information you've put in for discovered hosts. Fing has a built-in MAC vendor database to help identify targets of interest among the discovered hosts. When you first launch Fing, it will detect the network you're on and show a scan button in the upper right corner. Depending upon the size of the network, the scan can be fairly quick for a /24 subnet, or fairly long for, say, an airport running a /16 network.

In the above, I cancelled the scan after a minute or two because it was a /16 network and I really didn't need a full scan. One limitation of Fing is that you have to wait till a scan is completed, or cancel it, to be able to do more detailed scans on discovered hosts. Once you have your list of discovered hosts, you can perform additional scans to determine which services are running on them. For this article, I'm going to choose the HP printer listed at the top as my target for a deeper dive.

After tapping on the host, you have a few options such as Scan Services, Ping Device, Delete from the List, Show Log and Wake on LAN. I'm going to Scan Services and show you that next.

You can see from the results above that there are a number of interesting services running on the host. Fing allows you to tap on the service and attempt to connect with an appropriate app. For http and https, that's your default browser for instance. If the host is a computer, you might see things like FTP or NETBIOS which will leverage your FTP app or file browser app. Let's check out port 8080 to see if we can get a live webpage.

Ouch, it looks like our printer is an HP LaserJet M1536dnf MFP and it doesn't have an admin password set. If I were a mean co-worker, I could change a few settings here and have a nice MFP all to myself. If you remember, at the beginning of this article I said Fing remembers networks you've scanned and additional information you put in about a discovered host. Let's go ahead and put in some info about this host.
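To show what "Scan Services" is doing under the hood, here is an added example of my own (not Fing's code): a plain TCP connect scan, which needs no raw sockets or root, that grabs a banner from each open port and, for web ports, sends a GET so the status line reveals whether the admin interface demands credentials (401) or is wide open (200), the finding above. The demo function stands up a constructed fake admin page on 127.0.0.1 so it runs offline; the port list and service names are my assumptions about what a Fing-style scan probes.

```python
"""TCP service scan of the kind Fing's "Scan Services" performs, as an added example.

Not Fing's code. A plain TCP connect scan needs no raw sockets or root; for web
ports it also sends a GET so the status line shows whether the admin interface
asks for credentials (401) or is wide open (200), which is the finding in the post.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Ports a Fing-style scan typically probes (an assumption), named as Fing shows them.
COMMON_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http", 139: "netbios-ssn",
                443: "https", 445: "microsoft-ds", 515: "printer", 631: "ipp",
                8080: "http-alt", 9100: "jetdirect"}
HTTP_PORTS = {80, 8080, 8000}   # plaintext HTTP probe only; no TLS handshake here


def probe(host, port, timeout=1.0, http=False):
    """Return (is_open, banner). With http=True send a GET and return the status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if http:
                s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            try:
                banner = s.recv(512).decode("ascii", "replace").split("\r\n", 1)[0].strip()
            except (socket.timeout, OSError):
                banner = ""                # open but silent (a service waiting for input)
            return True, banner
    except (socket.timeout, OSError):      # refused, filtered or unreachable
        return False, ""


def scan_services(host, ports, timeout=1.0, http_ports=HTTP_PORTS, workers=32):
    """Scan ports concurrently; return {port: banner} for the open ones only."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p, timeout, p in http_ports)), ports))
    return {port: banner for port, (is_open, banner) in results if is_open}


def web_admin_status(status_line):
    """Classify an HTTP status line: does the web interface demand credentials?"""
    code = status_line.split(" ")[1] if status_line.startswith("HTTP/") and " " in status_line else ""
    return {"200": "open, no authentication", "401": "authentication required",
            "403": "forbidden"}.get(code, "unknown (%s)" % (status_line or "no banner"))


def _fake_web_admin(listener):
    """Constructed stand-in for an unauthenticated printer admin page: 200 to any request."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(1024)
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Device Status</html>")


def demo_local_scan():
    """Self-contained demo: scan one fake open web port and one closed port on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    threading.Thread(target=_fake_web_admin, args=(listener,), daemon=True).start()
    tmp = socket.socket()                 # grab and release a port so it is closed
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    found = scan_services("127.0.0.1", [open_port, closed_port], http_ports={open_port})
    listener.close()
    return open_port, closed_port, found


if __name__ == "__main__":
    open_port, closed_port, found = demo_local_scan()
    for port, banner in sorted(found.items()):
        print(port, banner, "->", web_admin_status(banner))
```

Against a real host you would call `scan_services(ip, COMMON_PORTS)`. Keep the timeout short: a host behind a firewall that silently drops packets makes every closed port cost the full timeout, which is exactly why a /16 scan drags on.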

Now we've got a more descriptive name than NPI23xxxx and I've annotated that the web interface on port 8080 is wide open and physically where the printer is located. One benny is that the information you type in is searchable from the main screen when you tap the search button on the bottom left. Below you can see the search result from the comment I put in about port 8080 being wide open.

If you'd like to scan an external host, you can do that from the main screen by tapping the pen and paper icon on the bottom row.

The ubiquitous iOS send-to icon lets you send the information to other apps or via email, including any additional info you put in about the host.

In the settings, you can modify things like what services to scan for and even add your own. You can also spoof your MAC address if need be.

Fing is a nicely put together network scanner to help locate potentially insecure devices on your network, and the ability to remember previously scanned networks and any additional information you put in really sets this app apart from others. One last note: you can sign up for a free FingBox account which will sync and back up your customizations.


Friday, February 20, 2015

iOS Security Tools - RBL Status

RBL Status - $1.99

Developer: Pavel Ahafonau

One of the other hats I wear is as a web application developer, predominantly in the PHP / MySQL realm, and I generally build, harden and deploy the web servers that run those applications. Sometimes those servers also include a Mail Transfer Agent (MTA) / mail server depending upon the business need.

Whether you're troubleshooting an email issue or you're wanting to verify your mailform code is secure or that your mail server is properly hardened and not configured as an open-relay, Real-time Blackhole Lists (RBLs) can help you determine whether your server is listed as being a source of spam.

The efficacy of RBLs, also referred to as DNS blacklists or DNSRBLs, is debatable for a couple of reasons. One of the biggest problems is the collateral damage that ensues when a single domain on a shared host is exploited to send spam. Because RBLs are IP based, an insecure mailform on a website sharing the same IP as yours could get that IP blacklisted. This is an extremely frustrating situation to be in because until they fix the problem you'll be punished right alongside them.

A similar situation can occur if you're running a server on a dynamic IP and you happen to one day pick up an IP that has been blacklisted.

To further complicate the matter, there are a number of RBL services and to effectively troubleshoot, you have to track down which one is being used by the mailserver denying your emails. Getting your IP delisted can sometimes be difficult and each RBL service has varying policies for automated or manual delisting.

If you'd like to learn more, take a look at Wikipedia's Comparison of DNS blacklists.

The RBL Status app is an easy and quick tool to determine whether your IP address has been blacklisted. Currently it supports thirteen of the most popular RBLs, with seven selected by default for checking when you install the app. Based on your needs, you can select or deselect the RBLs that are most appropriate for you.
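The lookup itself is simple enough to script, so here is an added example of my own (not RBL Status's code) that does what the app does: reverse the IP's octets, prepend them to each DNSBL zone, resolve the name and read the answer. The zone list and the Spamhaus return-code table are my additions from public documentation, and the resolver is injectable so the logic can be exercised offline with constructed answers. It also handles the trap a naive checker falls into: a resolver that answers NXDOMAIN with a search-page address looks like a listing unless you insist on a 127.0.0.0/8 answer.

```python
"""DNSBL (RBL) lookup of the kind RBL Status performs, as an added example.

Not the app's code. It builds the reversed-octet query name, resolves it with the
standard library, and interprets the answer. The resolver is injectable so the
logic can be exercised offline with constructed answers.
"""
import ipaddress
import socket

# A few widely used IPv4 DNSBL zones (the app ships thirteen; these are examples).
DEFAULT_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "dnsbl.sorbs.net")

# Spamhaus ZEN return codes (per Spamhaus documentation); other zones use their own.
SPAMHAUS_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.4": "XBL",
                  "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
                  "127.0.0.9": "SBL DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL"}


def dnsbl_name(ip, zone):
    """192.0.2.1 checked against zen.spamhaus.org becomes 1.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)           # rejects garbage and IPv6 (nibble format differs)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Default resolver: first A record, or None for NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(zone, answer):
    """Turn a raw A-record answer (or None) into a verdict string."""
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if zone.endswith("spamhaus.org") and a in ipaddress.IPv4Network("127.255.255.0/24"):
        # Spamhaus error range, e.g. .254 = query came via a public/open resolver,
        # .255 = query volume exceeded. Says nothing about the IP being checked.
        return "error, answer %s (query rejected; use a non-public resolver)" % answer
    if a in ipaddress.IPv4Network("127.0.0.0/8"):
        detail = SPAMHAUS_CODES.get(answer) if zone.endswith("spamhaus.org") else None
        return "LISTED %s%s" % (answer, " (%s)" % detail if detail else "")
    # Anything outside 127/8 is not a listing. Typical cause: an ISP resolver that
    # answers NXDOMAIN with a search-page IP, which naive checkers misread as listed.
    return "unexpected answer %s (resolver may be hijacking NXDOMAIN)" % answer


def check_ip(ip, zones=DEFAULT_ZONES, resolve=resolve_a):
    """Query every zone; return {zone: verdict}."""
    return {zone: interpret(zone, resolve(dnsbl_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the conventional test address that DNSBLs list on purpose (RFC 5782).
    for zone, verdict in check_ip(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.2").items():
        print("%-20s %s" % (zone, verdict))
```

Run it with your server's public IP as the argument. Do it from the server itself or from a resolver you control: Spamhaus in particular refuses queries that arrive through large public resolvers, and that refusal is what the error branch above reports.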

As an example, I took the IP for one of the top spam senders according to McAfee's Threat Intelligence site. In the below screenshot you can see that the IP is listed in two RBLs.

There are two downsides to the RBL Status app that I see. The first is that aside from the information it displays, you can not drill down to get more information. Based on the previous issue, the second is that the links it provides for further information where an IP is listed are not clickable and so you'll have to resort to typing the URLs in manually, or choosing the arrow button to the left of the Check button to send the info via email where you can then copy and paste the URL into a browser.

Visiting the URL listed for SORBS in the above screenshot will bring you to the below page where you can determine how fresh the listing is etc.

One nice benny RBL Status has is that you can perform a whois lookup on the domain, the IP, and the reverse hostname.

So, that's it in a nutshell. Hopefully you won't be on the wrong side of an RBL listing and have to deal with the headache of delisting.

Tuesday, February 10, 2015

iOS Security Tools - Netstat

Netstat - FREE with IAPs
Developer: James Devenish

Netstat, which you may already know from Linux and Windows, gives you live information such as the service (http, https, imaps), remote address, connection duration, idle time, round-trip time (rtt) and bytes received, grouped by interface such as WiFi, VPN or cellular.

Netstat on an iOS device is a useful tool for being able to see where an app is connecting to and over what protocols without having to packet sniff your device traffic. It's also handy for finding apps that might be sending your information across the internet using insecure protocols or to watch how other security tools on your device are communicating.

The paid version, available as an IAP, comes in two flavors. The first is a $0.99 Connection Details IAP which allows you to tap on a connection to see additional information. The second is a $3.99 IAP which includes Connection Details but also adds audio alerts, delta mode for new activity, sorting connections by various criteria, host connectivity testing, whois lookup and port info.

The free version allows export to CSV, which will give you basically the same thing as the $0.99 Connection Details IAP with just a couple of extra steps.

One potentially fatal limitation is the lack of IPv6 support. If IPv4 is all you need though, then this will do the trick.

- Leif Gregory, Security Professional