Friday, February 20, 2015

iOS Security Tools - RBL Status

RBL Status - $1.99

Developer: Pavel Ahafonau

One of the other hats I wear is as a web application developer, predominately in the PHP / MySQL realm, and I generally build, harden and deploy the web servers to run those applications on. Sometimes those servers also include a Mail Transfer Agent (MTA) / mail server, depending upon the business need.

Whether you're troubleshooting an email issue, or you want to verify that your mailform code is secure or that your mail server is properly hardened and not configured as an open relay, Real-time Blackhole Lists (RBLs) can help you determine whether your server is listed as being a source of spam.

The efficacy of RBLs, also referred to as DNS blacklists or DNSRBLs, is debatable for a couple of reasons. One of the biggest problems they present is the collateral damage that ensues when a single domain on a shared host is exploited to send spam. Because RBLs are IP-based, an insecure mailform on a website sharing the same IP as you could cause the IP to be blacklisted. This is an extremely frustrating situation to be in because until they fix the problem you'll be punished right alongside them.

A similar situation can occur if you're running a server on a dynamic IP and you happen to one day pick up an IP that has been blacklisted.

To further complicate the matter, there are a number of RBL services, and to troubleshoot effectively you have to track down which one is being used by the mail server denying your emails. Getting your IP delisted can sometimes be difficult, and each RBL service has varying policies for automated or manual delisting.

If you'd like to learn more, take a look at Wikipedia's Comparison of DNS blacklists.

The RBL Status app is an easy and quick tool to determine whether your IP address has been blacklisted. Currently it supports thirteen of the most popular RBLs, with seven selected by default for checking when you install the app. Based on your needs, you can select or deselect the RBLs that are most appropriate for you.
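The same kind of check can be scripted, since a DNS blacklist is queried with an ordinary DNS lookup: the address labels are reversed and prepended to the list's zone, and an answer in 127.0.0.0/8 means the address is listed. The sketch below is an added example, not code from the app or its developer; the zone names, the sample address and the fake resolver are constructed placeholders, and it goes slightly beyond the post by also building IPv6 query names.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL return codes live here

def query_name(ip, zone):
    """Reversed address labels + zone, e.g. 25.2.0.192.<zone> for 192.0.2.25."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # ...in-addr.arpa / ...ip6.arpa
    return rev.rsplit(".", 2)[0] + "." + zone

def system_resolver(name):
    """A records for name; [] when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # timeouts and server failures must not be read as "clear"

def check(ip, zones, resolve=system_resolver):
    """Map each zone to (status, detail): listed, clear, invalid or error."""
    results = {}
    for zone in zones:
        try:
            answers = resolve(query_name(ip, zone))
        except OSError as exc:
            results[zone] = ("error", [str(exc)])
            continue
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
        if codes:
            results[zone] = ("listed", codes)
        else:  # any other answer, e.g. a resolver rewriting NXDOMAIN, is not a listing
            results[zone] = ("invalid", answers) if answers else ("clear", [])
    return results

# Constructed sample data: placeholder zones and a documentation-range address.
ZONES = ["dnsbl.example.org", "bl.example.net", "rewritten.example.com", "down.example.net"]
FAKE_DNS = {"25.2.0.192.dnsbl.example.org": ["127.0.0.2"],
            "25.2.0.192.rewritten.example.com": ["203.0.113.80"]}

def fake_resolver(name):
    if name.endswith(".down.example.net"):
        raise TimeoutError("resolver timed out")
    return FAKE_DNS.get(name, [])

if __name__ == "__main__":
    for zone, (status, detail) in check("192.0.2.25", ZONES, fake_resolver).items():
        print(f"{zone:24} {status:8} {detail}")
```

To run it against real lists, replace `ZONES` with the zones your receiving mail servers actually consult and drop the `fake_resolver` argument so that `system_resolver` is used.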

As an example, I took the IP for one of the top spam senders according to McAfee's Threat Intelligence site. In the below screenshot you can see that the IP is listed in two RBLs.

There are two downsides to the RBL Status app that I see. The first is that aside from the information it displays, you cannot drill down to get more information. The second, related to the first, is that the links it provides for further information where an IP is listed are not clickable, so you'll have to resort to typing the URLs in manually, or choosing the arrow button to the left of the Check button to send the info via email, where you can then copy and paste the URL into a browser.

Visiting the URL listed for SORBS in the above screenshot will bring you to the below page, where you can determine how fresh the listing is, etc.

One nice benny RBL Status has is that you can perform a whois lookup on the domain, the IP, and the reverse hostname.

So, that's it in a nutshell. Hopefully you won't be on the wrong side of an RBL listing and have to deal with the headache of delisting.

Tuesday, February 10, 2015

iOS Security Tools - Netstat

Netstat - FREE with IAPs
Developer: James Devenish

Netstat, which you may already be familiar with from Linux and Windows, gives you live information such as protocol (http, https, imaps), remote address, connection duration, idle time, round-trip time (rtt) and bytes received, grouped by interface such as wifi, VPN or cellular.

Netstat on an iOS device is a useful tool for being able to see where an app is connecting to and over what protocols without having to packet sniff your device traffic. It's also handy for finding apps that might be sending your information across the internet using insecure protocols or to watch how other security tools on your device are communicating.

The paid version, which is available as an IAP, comes in two flavors. The first is a $.99 Connection Details IAP, which allows you to tap on a connection to see additional information. The second is a $3.99 IAP which includes Connection Details, but also adds audio alerts, delta mode for new activity, sorting connections by various criteria, host connectivity testing, whois lookup and port info.

The free version allows export to CSV, which will give you basically the same thing as the $.99 IAP for Connection Details with just a couple of extra steps.

One potentially fatal limitation is the lack of IPv6 support. If IPv4 is all you need though, then this will do the trick.

- Leif Gregory, Security Professional