Nov 09

iPhone Security

I like opening with that subject – because it’s two words that Apple seems to never want to see next to each other.

On Slashdot today, an article covered my friends from F-Secure discussing the barriers that are precluding the antivirus industry from making inroads in protecting iPhones from malware.

Indeed, they are correct, you cannot build A/V into the iPhone platform – the API is explicitly designed to forbid that. However, I have to counterpoint. I mentioned in a tweet several days ago:

The constraints keeping security s/w from diving deeper into the iPhone platform are the same ones precluding any need for them.

Yes, you read that right. I’m saying that the iPhone doesn’t need antivirus. Instead, Apple’s bigger problem is the lack of a mature platform management solution for the iPhone. Let me show you why.

When I went to Winternals, we rapidly discovered a giant chasm in security as Mark and I discussed how UAC (LUA at the time) would fall far short of creating a security boundary for Windows Vista (and continues to do so for Windows 7). The chasm is the latency between these steps:

  1. Exploit is identified
  2. Malware is authored and released
  3. Malware spreads
  4. Malware is identified
  5. Malware can be contained

You see, the flaw is that step 4 has to exist at all.

The fundamental flaw is blacklisting. Instead of fighting the good (but intractable) fight trying to identify all of the bad code, whitelisting relies on the premise that only known good, known trusted, code can start at all.

At Winternals, we created Protection Manager to respond to this hole in the security market. The key goals of the product were to only let known trusted code run, and to optionally run it with least privilege. In 2006, Microsoft acquired Winternals and, regrettably, discontinued the Protection Manager product. While Windows 7 features AppLocker, which theoretically applies whitelisting to Software Restriction Policies, I believe AppLocker has some fundamental shortcomings that I’ll discuss in a future post. Some aspects of Protection Manager, most notably the premise that a Digital Signature (code signing) is the best way of authenticating that code is:

  1. From a trusted source and
  2. Not been tampered with since publication

After Winternals, I worked on whitelisting again at CoreTrace, where the Bouncer product evolved to also recognize the importance of Digital Signatures, as one of the sources of Trusted Change. Only known trusted code is allowed to execute first off, and only code with specific properties is allowed to enable new code to be added to the whitelist.

Today, you hear mention all over the Internet of the rickrolling iPhone worm. Many have mimicked the code created on a whim by Ashley Towns, the worm’s creator. But the fundamental issue here isn’t the iPhone’s susceptibility to malware. Nope. Not at all.

You see, all existing worms that have compromised the iPhone rely on the fact that the iPhone must be both jailbroken and it must then have SSH installed, with an unmodified root password. Both qualify as best of breed “worst practices” from a security perspective.

In fact, those of us who haven’t jailbroken our iPhones (not arguing the ethics of that – that’s a separate conversation for another time) were not, and are not, susceptible at all. Why? Because the iPhone infrastructure as defined by Apple utilizes whitelisting. Only applications signed by software vendors that Apple has authorized (and that have signed the code) are ever countersigned by Apple and pushed through the App Store to be downloaded for purchase. Similar, but not as restrictive, constraints exist for Apple’s Enterprise program for application publishing.

To date, I have not seen any published malware that runs on an iPhone that has not been jailbroken or otherwise forced to run unsigned code (see Law #1 in the 10 Immutable Laws of Security. Any hack that does ever do so will rely on somehow compromising the signature infrastructure used for application publishing on the iPhone by Apple.

You may recall my original point – that the problem was the lack of enterprise management software of the iPhone itself. At CoreTrace, we were approached by an organization we were already working with that was realizing the growing number of Macs – and of even more concerning, the number of “rogue” iPhones (phones brought in by employees, and connected to the local wireless network and/or Exchange Server without IT ownership at any level).

The more we dug into it and researched, including the limited analysis necessary of the iPhone API and two fun, but largely circular conversations with Apple in Cupertino, the more we realized that they weren’t asking for, nor could we deliver (at least on non-jailbroken hardware) any form of “Bouncer for iPhone”.

Instead of security, the problem posed to an enterprise admin by the iPhone is that as an organization, you don’t need to control what is running on your iPhones from a “bad code” perspective, rather that the iPhone needs hardcore, Apple provided (and secured) management¬†in order to control how “renegade” the devices themselves are. That means the ability to:

  1. Prevent connectivity of jailbroken hardware to an organization (Exchange, wireless, Bluetooth, or other)
  2. Prevent jailbreaking of connected hardware (or sever connectivity at a hardware level when it occurs)
  3. Explicitly control which Apple or Enterprise published applications can be downloaded or run on connected iPhones (don’t allow games, allow only these 10 applications, etc)
  4. Explicitly control the iPhone’s software image, configuration, and settings (much as Group Policy can do with Microsoft Windows systems) – NOT trying to reverse engineer how images get pushed out in a decentralized way via iTunes itself
  5. Explicitly control how applications can access any PII on the device or in documents (GPS location, email addresses, address book or call history info, etc)
  6. Explicitly control document DRM on the platform as IRM/RMS can do for Microsoft Office and Windows

Today (even following those conversations with Apple), KACE is the only vendor I’m aware of that performs any aspect of this kind of work, besides Apple’s weak Configuration Utility. KACE’s is very comprehensive – but both approaches suffer from the fact that they are after the fact management solutions, not built into the hardware and software of the iPhone itself.

From the time that I was at Microsoft, I kept hearing more and more “security experts” talk about how the impending doomsday was coming for handhelds. It still hasn’t really come. I believe that through their native use of whitelisting, Apple has fended this threat off for the foreseeable future for the iPhone platform. Instead, I believe that the biggest problem facing the iPhone isn’t “potential attackers” – there will be plenty of those – but their chance of success is very low.

Instead, it is the iPhone’s impending success eating into the enterprise market from the bottom up that is the problem.¬†The lack of an enterprise management solution that is built into the deepest aspects of the system will not preclude the iPhone’s success at building up a rogue enterprise following. But it will both leave a bad taste in the mouth of the IT admins fighting the good fight to try and keep their organizations secure, and potentially introduce some bad compliance-related headaches in organizations already struggling to keep/retain compliance, due to the lack of DRM and platform control over the device itself and any information on it.

Apple itself needs to come to terms that the iPhone (and the Mac platform itself, frankly) need proper security and policy management at the lowest levels, or de-emphasize their viability as an enterprise platform on both counts.

Sorry for the length of this post – but this topic has been burning in me for a bit – I needed to get it all down for the record.

Dec 08

Preying on ignorance

I’ve been spending a bit of time looking into something that has bothered me for awhile. I refer to it as “Predatory Utility Software”, or “PUS”.

On Christmas day, I received two pieces of spam. These were admirable because they were able to defeat SpamSieve (my favorite software purchase of 2008). They were frustrating because they offered a piece of… software called “Error Nuker”.

For years, I’ve been telling people that so-called “registry cleaners” don’t do anything, and in fact can be the single most destructive tool you can run in Windows. One bad edit, and you can kill Windows.

I’m not even going to delve into the method that many tools like this use to spread themselves. While not “malware” in the truest sense of the word, spamming novice users, and confusing them to the point that they download tools like this should be illegal.

Windows gets “cruft” in the registry and occasionally in the filesystem over time with the installation, uninstallation, and updating of applications and Windows itself. The thing is, though this cruft in the registry causes your registry hive files to grow in size, it is benign. Tools such as this that lie to users and tell them that “errors” will occur are frankly more malignant than the actual problem they feign to solve.

I ran “Error Nuker” on a test Windows VM. It took quite a bit of time to “scan” my system, telling me each of the locations it was scanning. But you know what? In the end, all it did was point out locations in the registry that referenced files on the disk that were no longer there.

Now, it’s important to note that dead links from the registry are usually the result of uninstalling the application that put them there*. Meaning that, the only thing that cares that the link is dead is the application or application(s) that are no longer there! Meaning it does nothing!

*This tool also calls out files in Most Recently Used (MRU) menu locations in Windows – which if you are like me, you edit, send, and delete documents like crazy. But these MRU links being dead is hardly what I’d call an error condition.

“Error Nuker” is something like $20-$49 (depends on which spammer you get solicited by, I guess). Frankly, it isn’t worth free. It literally does nothing, and although it has a safe delete option, the fact that it is just a glorified registry cleaner means it’s effectively useless. An analogy? Do you think washing your car will make it go faster? Me either.

I’ve seen worse “PUS” – specifically the kind that is truly malware. But it’s really a shame that we’ve gotten to this point, where Windows users will fall prey to junk software pimping itself as fixing Windows’ problems.