Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Last Daily Podcast (Fri, Oct 21st):#NanoCore RAT; #DirtyCow Priv Escalation Flaw;

Latest Diaries DDoS Attack

Published: 2016-10-21
Last Updated: 2016-10-21 16:36:22 UTC
by Johannes Ullrich (Version: 1)
5 comment(s), a popular dynmic DNS provider and provider of commercial managed DNS services is currently experiencing a massice DDoS attack. As a result, many sites that are using's services are experiencing issues. 

Affected are not just home/hobby sites that traditionally use dynamic DNS services, but also large "name brand" sites that use's managed DNS service. For example Twitter, Spotify, Etsry, Github and others (domains hosted by often use * name servers)

You can find status updates from here:

Johannes B. Ullrich, Ph.D.

5 comment(s)

How Stolen iOS Devices Are Unlocked

Published: 2016-10-21
Last Updated: 2016-10-21 14:36:41 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

For a number of years now, Apple has been implementing "Activation Lock" and "Find my iPhone" to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.

Activation Lock links a device to a user's iCloud account. If a user configures a new device, the user is asked for iCloud credentials or offered to set up a new iCloud account. A device can not be activated without providing this information. If you sell or pass on a device, deleting the data from the device is not sufficient, but you will also have to remove the link to your iCloud account, for example by turning off "Find My iPhone." Changing the setting always requires at least a password (and if configured two-factor authentication). Biometrics can be used to unlock the phone, but it can not be used to remove the iCloud link.

But iOS devices are still being stolen, and thieves have come up with some rather ingenious methods to unlock them:

1 - Phishing E-Mails

If you lose track of an iOS device, you have the option to register it as stolen via "Find my iPhone." Once the device is found, you will receive an e-mail or a pop-up on another iOS device. Thieves have used this technique to phish the owner's iCloud credentials. If they are aware of the owner's phone number or e-mail address (it is often displayed as part of the "Lost Phone" message), then they will send a "Found" e-mail to the address or an SMS to the phone number claiming that the phone has been found. The user is then sent to an iCloud look alike site which is asking the user to log in. The attacker will then use the harvested credentials to unlock the phone. [1]

2 - Purchase Offer

Making an offer to buy your device is probably the most brazen approach. The "finder" of the phone will contact the displayed phone number, and offering you to buy the phone from you. Making a purchase offer is in particular popular if the phone was found in a foreign country and the owner is already back home. Shipping the phone back to the owner would often be quite expensive. The finder then asks the owner to unlock the phone before payment is received to "proof" that the owner is legitimate.

3 - Password Resets

In many cases, your phone is critical to reset your password because you configured various sites (including iCloud) to use SMS messages to your phone for reset codes. On a locked phone, SMS messages may still appear on the screen, so will many messages from other applications (like iMessage, Whats App). An attacker can also remove the SIM card from a phone and plug it into another phone to receive messages unless your SIM card is secured with a PIN code.

How to Secure Your Devices

- Set up two-factor authentication

Apple offers two-factor as well as two-step authentication. If you enable it, make sure you keep the recovery code in a safe place. Apple does not offer a way to "turn off" two-factor authentication if you lose your recovery options. This can be the case in particular if your iPhone is lost/stolen and the only device you configured for two-factor authentication. Try to setup multiple devices to receive the code so you have a backup. [4]

- Enable "Find my iPhone."

This will allow you to locate a lost device if the device is connected to a network (WiFi or Cellular). You should also configure the feature to transmit its location before the device runs out of power.

- Limit messages displayed on the lock screen

You can configure what is displayed on the lock screen for each application. It may be ok to see things like news items, but you should not display e-mail content, SMS messages or output from other messaging applications like Skype.

- Protect your SIM card with a PIN

I find that in the US, most SIM cards arrive unlocked. In Europe, SIM cards are often locked via a PIN. But even if your SIM card is not locked, you can usually configure a PIN for it. Before you do so, make sure that you have the current PIN code (usual default is 1111 or 234) and the PUK code, which can be used to recover a locked card. In many cases, you can look it up on your carrier's website, or it may be included with your SIM card. Write the PUK down and keep it in a safe place. Your phone will allow you to configure a new PIN (but the PUK is fixed). Now you will have to enter the PIN whenever you power up the phone or whenever you remove the SIM cards and plug it into a new phone.

- Test "Lost my iPhone."

It is important to test the "Lost my iPhone" feature to make sure you have it setup correctly. See this article at Macrumors for more details [3].



Johannes B. Ullrich, Ph.D.

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Malspam delivers NanoCore RAT
2 days ago by Brad (1 comment)

Spam Delivered via .ICS Files
2 days ago by Xme (3 comments)

OpenSSH Protocol Mismatch In Response to SSL Client Hello
3 days ago by Dr. J. (0 comments)

Maldoc VBA Anti-Analysis: Video
4 days ago by DidierStevens (0 comments)

Analyzing Office Maldocs With Decoder.xls
5 days ago by DidierStevens (0 comments)

Maldoc VBA Anti-Analysis
6 days ago by DidierStevens (2 comments)

View All Diaries →

Latest Discussions

Question about faux news websites
created 1 week ago by Marko (0 replies)

Event Logging Requirements
created 3 weeks ago by Circadian (4 replies)

Configuring 'cvtwin': Windows 10 and Norton 360 Premier
created 3 weeks ago by Anonymous (0 replies)

Best way to reduce spam?
created 4 weeks ago by RafealHenco (1 reply)

Best security software to protect my PC!
created 4 weeks ago by RafealHenco (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries DDoS Attack
16 hours ago by Dr. J. (2 comments)

Critical Cisco ASA IKEv1/v2 Vulnerability. Active Scanning Detected
8 months ago by Dr. J. (25 comments)

New tool:
1 week ago by Jim (4 comments)

Spam Delivered via .ICS Files
2 days ago by Xme (3 comments)

SSL Requests to non-SSL HTTP Servers
2 weeks ago by Dr. J. (0 comments)