
Security Bits — 20 March 2022

Feedback & Followups

Deep Dive 1 — Two iOS-Targeting Scam Techniques to be Aware of

Sophos have released a report detailing two approaches scammers are using to attack iOS users — beta software and web clips.

Firstly, it’s very important to stress that these are social engineering techniques, there are no software or hardware vulnerabilities involved. The only defences are understanding and vigilance.

TestFlight is a service Apple offers developers that allows them to distribute beta versions of their apps to testers before those apps are submitted for App Store review.

Apple make users jump through quite a few hoops to enroll a device into a developer’s test program, and until a device is enrolled, it can’t run the developer’s beta apps. The reason you have to jump through hoops is that joining a beta program is an act of trust — you are trusting the developer to run code of their creation on your device without that code having been vetted by Apple.

Sophos warn of active cryptocurrency scams tricking users into joining TestFlight beta programs and installing supposed crypto wallets that simply steal people’s coins and/or NFTs.

Don’t enroll your devices into beta programs run by anyone you don’t have a trust relationship with!

Secondly, since before there even was an app store, Apple have allowed websites to be saved to the home screen as if they were apps. Clicking on the link opens the web page in a full-screen browser without the usual browser buttons, so it feels more like an app than a website.

Scammers are abusing this feature to make their phishing websites look like approved apps. Saving a web clip is a different process from installing an app, but with the right social engineering, scammers are walking victims through that process and misleading them into thinking they are installing legitimate apps.

I guess the simplest advice is to only install apps from, and via, the App Store, and to be suspicious whenever you’re being guided down an unusual path. If an ‘app’ isn’t arriving through the normal process, always ask why, and examine the motives of the person leading you down the odd path. Have they earned your trust?

Links

Deep Dive 2 — A Programming Lesson from OpenSSL

Due to some sloppy programming in a dusty part of the OpenSSL code base (the BN_mod_sqrt() function, CVE-2022-0778), it was possible to force OpenSSL into an infinite loop with a malformed certificate, and hence trigger a denial of service on the server or app using the popular open source crypto library.

The bottom line is that the bug has been fixed and no data was ever put at risk. It was a denial-of-service bug only, an embarrassing inconvenience rather than a breach. The reason I want to take a deeper look is that this bug perfectly illustrates both the broad reason you should always program defensively and a very specific piece of simple advice: always check which side of the fence you’re on.

A lot of the time when you’re writing loops the code is very simple: you have a counter that gets changed by a set amount each time around, and you keep looping until the counter reaches some value. In JavaScript that would be something like:

let counter = 5;
while(counter != 0){ // while the counter is not equal to zero
  console.log('🥞'); // print pancakes
  counter--; // reduce the value of the counter by 1
}

This will print the pancakes emoji five times, once when the counter is 5, again when it’s 4, 3, 2, and 1, and then the loop ends when the counter reaches zero.

Note that I chose to exit the loop when my counter reaches zero. I am checking if my counter is exactly on some kind of boundary. In other words, I check if the counter is on the fence.

The following code does the same thing, but in a slightly different way:

let counter = 5;
while(counter > 0){ // while the counter is greater than zero
  console.log('🥞'); // print pancakes
  counter--; // reduce the value of the counter by 1
}

The difference is the logic I use to exit the loop — instead of checking if my counter is on a boundary, I check if it’s crossed a boundary, I check which side of the fence it’s on.

In this case, there is no functional difference between the two checks, but one is inherently brittle and the other is not. Let’s say I want to add some code to skip a pancake if the millisecond Unix Time Stamp is a palindrome (the same forwards as backwards). I could add a skip condition into my loop like so:

let counter = 5;
while(counter != 0){ // while the counter is not equal to zero
  console.log('🥞'); // print pancakes
  counter--; // reduce the value of the counter by 1

  // reduce by an extra 1 if the unix timestamp is a palindrome
  const uts = String(Date.now()); // get the MS Unix Time Stamp as a string
  const revUts = uts.split('').reverse().join(''); // reverse the time stamp
  if(uts === revUts) counter--; // a palindrome reads the same reversed
}

Note that I went back to checking if my counter is on the fence, and by doing so, I added a subtle bug that will only strike sometimes. Most Unix Timestamps aren’t palindromic, so most of the time five pancakes will be printed. Assuming each pass through the loop takes at least a millisecond, when a palindromic millisecond does land on one of the five passes there is a 4-in-5 chance it lands on one of the first four, and the code works as expected, printing 4 pancakes. But there’s a 1-in-5 chance it lands on the last pass, and that gives an infinite loop!

If the palindromic millisecond happens on the final pass, the counter has just been reduced from 1 to 0 and the extra decrement jumps it right over the fence to minus one. From there it continues to go lower and lower for evermore, because the only exit is the counter being exactly zero. We created an infinite loop.

If we followed the advice to check which side of the fence you’re on, that would never happen — whether we jump from 1 to 0 or from 1 to -1, the counter will always stop being greater than zero, so the loop will end as it should.

So, unless you specifically need to do something only when a counter is at a specific value, always check which side of the proverbial fence it’s on!
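To make the failure mode above reproducible rather than a matter of luck, here is an added example (not code from the original post) that rewrites the pancake loop so its clock is injected as a parameter. The two exit tests, `counter !== 0` and `counter > 0`, sit side by side, and a constructed fake clock returns a palindromic millisecond on whichever pass you choose. The names `isPalindrome`, `pancakeLoop` and `clockPalindromicOnCall`, the iteration cap that stands in for “forever”, and the fake timestamps are all my own additions.

```javascript
// Added example: the pancake loop with an injectable clock, so the
// "palindromic millisecond" case can be forced on demand.
// All names in this file are mine, not from the original post.

// True when a string reads the same forwards and backwards.
const isPalindrome = (s) => s === s.split('').reverse().join('');

// Runs the pancake loop `count` times, skipping one extra pancake whenever
// the injected clock returns a palindromic millisecond timestamp.
//   onTheFence=true  -> exit test is `counter !== 0` (the brittle version)
//   onTheFence=false -> exit test is `counter > 0`   (check which side of the fence)
// `maxIterations` is a safety cap standing in for the infinite loop so the
// demo always terminates; hitting it is reported as `runaway: true`.
function pancakeLoop({ count = 5, clock = Date.now, onTheFence = false, maxIterations = 1000 } = {}) {
  let counter = count;
  let printed = 0;
  let iterations = 0;
  const keepGoing = () => (onTheFence ? counter !== 0 : counter > 0);

  while (keepGoing()) {
    if (++iterations > maxIterations) {
      return { printed, counter, runaway: true }; // would have looped forever
    }
    printed++; // stands in for console.log('🥞')
    counter--;
    // Reduce by an extra 1 if the timestamp is a palindrome.
    if (isPalindrome(String(clock()))) counter--;
  }
  return { printed, counter, runaway: false };
}

// Constructed fake clock: returns a palindromic timestamp on exactly the
// n-th call and a non-palindromic one on every other call. 1647777777461 is
// a real millisecond value from 20 March 2022 that happens to be a palindrome;
// 1647777777000 is the same second, but not a palindrome.
function clockPalindromicOnCall(n, palindrome = 1647777777461, plain = 1647777777000) {
  let calls = 0;
  return () => (++calls === n ? palindrome : plain);
}

// Demo output when run directly with node.
console.log('no palindrome:             ', pancakeLoop({ clock: () => 1647777777000 }));
console.log('palindrome on pass 2, != 0:', pancakeLoop({ onTheFence: true, clock: clockPalindromicOnCall(2) }));
console.log('palindrome on pass 5, != 0:', pancakeLoop({ onTheFence: true, clock: clockPalindromicOnCall(5) }));
console.log('palindrome on pass 5,  > 0:', pancakeLoop({ clock: clockPalindromicOnCall(5) }));
```

With the palindrome on pass 2, both exit tests print four pancakes and stop at zero. With the palindrome on the fifth and final pass, the `!== 0` version sails past zero to minus one and only stops because of the safety cap, while the `> 0` version ends immediately with the counter at minus one, which is exactly the “check which side of the fence you’re on” advice in working form. Injecting the clock is also the general trick for testing any time-dependent edge case: you never want a test that passes only when the wall clock happens to cooperate.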

Links

❗ Action Alerts

Worthy Warnings

Notable News

Top Tips

Interesting Insights

Palate Cleansers

Legend

When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by Bart.

Emoji Meaning
A link to audio content, probably a podcast.
A call to action.
flag The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country.
A link to graphical content, probably a chart, graph, or diagram.
A story that has been over-hyped in the media, or, “no need to light your hair on fire”
A link to an article behind a paywall.
A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future.
A tip of the hat to thank a member of the community for bringing the story to our attention.
