Sunday, April 23, 2017

Punycode

Wordfence is a security service for WordPress sites. I heard Leo Laporte talk about a recent Wordfence post demonstrating a potential phishing technique.

To demonstrate this, Wordfence created a web site using a technique known as Punycode to encode the URL.

Here is a link to their demonstration site. Look closely at the address bar when you get there.

     https://www.еріс.com/

Here is a link to the real site. Look closely at the address bar when you get there.

     https://www.epic.com

Can you tell the difference?

So you think you're a real geek and you always right click on a link and select "Copy link address" and then paste it into Notepad to see what the link REALLY links to. Knock yourself out. Try it.

Now is a good time to start worrying.

The only way to discern the difference in the URL is to actually browse to the demonstration site. Then highlight the URL and copy it. Now paste it into Notepad.

     https://www.xn--e1awd7f.com

That "xn--" is the Punycode.
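As an added example (not from the Wordfence post or this blog), here is Python that decodes the demonstration hostname above and applies the kind of check a browser or mail gateway can use to catch it: flag a label whose every letter is a Cyrillic look-alike for a Latin one. The confusable table is a small hand-picked subset, an assumption here, not the full Unicode confusables list.

```python
import unicodedata

# Cyrillic letters whose glyphs are near-identical to Latin ones.
# Assumption: a hand-picked subset, enough for the demo domain; a real
# checker would load Unicode's confusables.txt instead.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u0501": "d", "\u051b": "q",
}

def decode_host(ascii_host):
    """Turn an IDNA hostname with xn-- labels back into Unicode."""
    return ascii_host.encode("ascii").decode("idna")

def encode_host(unicode_host):
    """The reverse direction: Unicode hostname to its xn-- (Punycode) form."""
    return unicode_host.encode("idna").decode("ascii")

def script_of(ch):
    """Rough script detection from the Unicode character name (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def analyse_label(label):
    """Return (scripts, latin_skeleton, verdict) for one hostname label."""
    scripts = {script_of(c) for c in label if c.isalpha()}
    # Replace each confusable with the Latin letter it resembles.
    skeleton = "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label)
    if label.isascii():
        verdict = "ascii"
    elif len(scripts) > 1:
        verdict = "mixed-script"          # e.g. Latin word with one Cyrillic letter
    elif skeleton.isascii():
        verdict = "whole-script confusable"  # every letter mimics Latin
    else:
        verdict = "non-latin"             # ordinary IDN, nothing suspicious here
    return scripts, skeleton, verdict

def analyse_host(ascii_host):
    """Decode a hostname and analyse each label; returns (unicode_host, {label: result})."""
    unicode_host = decode_host(ascii_host)
    return unicode_host, {lab: analyse_label(lab) for lab in unicode_host.split(".")}

if __name__ == "__main__":
    host, report = analyse_host("www.xn--e1awd7f.com")   # the demo site from the post
    print("decoded:", host)
    for label, (scripts, skeleton, verdict) in report.items():
        print(f"  {label!r}: scripts={sorted(scripts)} looks like {skeleton!r} -> {verdict}")
```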

I hope you noticed that the demonstration site also showed the padlock in the address bar. You can thank Let's Encrypt for that.

There's a workaround in Wordfence's post for Firefox and reportedly a fix in version 59 of Chrome.

In the meantime, do you think this would fool your mother?



Sunday, April 16, 2017

Shadow Brokers

There have been several leaks of supposed NSA hacks recently. Generally they have been older vulnerabilities with minimal impact.

Microsoft responded with a blog post.
Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.
However, there's something of a back story.

You'll remember that Microsoft mysteriously pulled their February updates with no explanation.

Then, in March, Microsoft fixed several flaws with no attribution. You have to back into this discovery by matching this with this.

This Engadget article speculates on how/why this happened. There's more speculation from Quartz here.

Whatever happened, the result is that Microsoft did a good job of protecting their current platforms from the 0-day vulnerabilities. The same can't be said for the NSA.

Sunday, April 09, 2017

iOS 10.3.Whatever

tl;dr Install iOS 10.3.1 now

On March 27, 2017 Apple released iOS 10.3 with little fanfare. Here are their release notes:
iOS 10.3
iOS 10.3 introduces new features including the ability to locate AirPods using Find my iPhone and more ways to use Siri with payment, ride booking and automaker apps.

Find My iPhone
  • View the current or last known location of your AirPods
  • Play a sound on one or both AirPods to help you find them

Siri
  • Support for paying and checking status of bills with payment apps
  • Support for scheduling with ride booking apps
  • Support for checking car fuel level, lock status, turning on lights and activating horn with automaker apps
  • Cricket sports scores and statistics for Indian Premier League and International Cricket Council

CarPlay
  • Shortcuts in the status bar for easy access to last used apps
  • Apple Music Now Playing screen gives access to Up Next and the currently playing song’s album
  • Daily curated playlists and new music categories in Apple Music

Other improvements and fixes
  • Rent once and watch your iTunes movies across your devices
  • New Settings unified view for your Apple ID account information, settings and devices
  • Hourly weather in Maps using 3D Touch on the displayed current temperature
  • Support for searching “parked car” in Maps
  • Calendar adds the ability to delete an unwanted invite and report it as junk
  • Home app support to trigger scenes using accessories with switches and buttons
  • Home app support for accessory battery level status
  • Podcasts support for 3D Touch and Today widget to access recently updated shows
  • Podcast shows or episodes are shareable to Messages with full playback support
  • Fixes an issue that could prevent Maps from displaying your current location after resetting Location & Privacy
  • VoiceOver stability improvements for Phone, Safari and Mail

Weren't we all waiting for improvements in "Cricket sports scores?"

Well, there were a few more things in iOS 10.3. Good things. Things worth talking about. Things worth shouting from the rooftops about. But Apple didn't mention them in the release notice.

MacRumors noted:
iOS 10.3 introduces a new Apple File System (APFS), which is installed when an iOS device is updated. APFS is optimized for flash/SSD storage and includes improved support for encryption. Other features include snapshots for freezing the state of a file system (better for backups), space sharing, and better space efficiency, all of which should result in a more stable platform. Customers updating to iOS 10.3 should first make a backup given that the update installs a new file system.
More on the storage savings from APFS later...

In a separate document from the release notice, Apple casually mentioned a few security updates. Specifically, it documents 89 CVEs (Common Vulnerabilities and Exposures).

You'd think Apple would tout that.

Maybe there was a reason they didn't though.

On April 3, 2017 Apple released iOS 10.3.1 with ONE security fix.
Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero
Read that again. Especially this part:
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
This is NASTY. The Register has a good summary. This is a problem in Broadcom's Wi-Fi stack, which is used in iPhones after the iPhone 4, in newer iPods and iPads, and in some Android phones, including Google's Nexus 5, 6 and 6P and most Samsung flagship devices.

The good news is that Apple's ecosystem is able to respond very quickly to vulnerabilities such as this. The bad news is that Android can't.

On a related topic, the new Apple File System (APFS) that comes with the installation of iOS 10.3.Whatever yields significant savings in storage.

On my 16GB iPad Air, my available storage increased more than 1GB. It took about half an hour to install.




Sunday, April 02, 2017

Setting TuneIn Favorites on Amazon Echo

I bought an Amazon Dot on Black Friday and have been playing with it. One capability I really like is to play radio stations on it. However, it doesn't always choose the right radio station. Here's how to set TuneIn Favorites for your preferred radio stations.
You can add them as favorites within the TuneIn section of the Echo App or within the iHeart Radio section.  Both work the same way--so where it says "TuneIn" below, read "iHeart Radio" if that's the one you're working with. 
To do that, select TuneIn from the sidebar menu within the app.  Search for the station (I just searched for German radio and found Antenne Bayern, as well as a bunch of others.) It should switch to that and start playing. :D   You'll see the "play bar" at the bottom of the screen, below the list of search results.  Tap on the TuneIn or Station icon.  (Some stations have their own icon.) 
Now the station play bar will fill the right side of the app.  On the right side, you'll see "Queue" and "History" and the name of the current song underneath.
To the right of the song that's playing will be a little gray down arrow that is hard to see. Tap on that.  When you do, you should see the option "Favorite Station" in gray.  Tap on that.  It should turn red. 
*** 
Now, go to the Home Screen and tap on TuneIn again.  Scroll the right side of the app where it says Browse, Local radio, Trending, etc, to see the bottom of the list. 
Under Favorites, you should see your station and you can play them from there.  In the future, you'll only have to do the parts under the *** to play favorites.
https://www.kboards.com/index.php?topic=206521.0
While this is talking about a smart device app, I found that the web interface worked just the same.