Category: NetworkToolbox news

A very provocative title isn’t it? But yes, it’s true, it is good. I will explain why.

I have received a couple of support mails regarding the no longer working Connections tool. Some people were just wondering when it will come back. Some are blaming Apple for it and one unpleasant person even had nothing else to do than blaming me with loads of unpleasant words and sentences that I don’t want to repeat here (but I will if this person doesn’t stop this).

So what has happened ? I am usually testing compatibility of my Apps with pre-release versions of iOS. In case some action is required I will prepare an update. At some point, Apple released a pre-release that prevented the Connection tool to work. Often, such thing happened and with further pre-releases things get back to normal – and so it does. The Connections tool started working again. But later, with the latest Release Candidate of iOS 10 it discontinued to work again so I started investigating why.

It turned out that Apple has completely removed an API I was using to generate the connection list for the Connections tool. By that date, I investigated in many alternatives which all turned out not to work (anymore or not at all on an i-Device). That was sad as I am also using this Tool quite often, whenever I like to analyze suspicious behavior of newly installed Apps and often discovered bad “calls home” or other undesired connections (e.g. Flurry).

On the other hand, while implementing the Connections tool some time ago, I was even surprised that Apple did offer the API in question as it also allows many other even bad things to do. Other Apps can and likely may have already used the same API for other, undesirable purposes. After implementing the Connections tool and submitting the App to Apple, I also expected that Apple will reject my App – which was obviously not the case.

The problem here is, that even though I call it API, it’s not really a typical “officially documented” API. It was rather a system call with very specific parameters. Such a system call is hard to identify within the review process and that’s probably why. But as mentioned before, this system call can also be used for many other things I definitely don’t want another App to do on my iPhone or iPad.

So even though it’s sad that the Connections Tool can now no longer be used, it is good that this particular API (or System call) is gone. This is indeed a real gain in security and I am hoping Apple will continue to walk this Path. I think it is way more important that our i-Devices can not be compromised and that bad Apps can harm our security and privacy and I think it’s worth the disadvantage that we now no longer have a Connections tool available.

I think Apple is doing a great job by not only continuously adding new great features but also care for security. This is why all my Android Devices (I have quite a few since I used to develop Android Apps as well but discontinued some time ago) remain in my drawer and will not be connected to my internal network. Those devices are quite insecure and exactly the opposite. Google doesn’t care about security and they are even the worst data spy themselves. A Connections tool for Android would still be possible of course but I would not trade any Android Device with any of my iPhones or iPads.

So as you can see, it is very unlikely that the Connections Tool may come back in the future but there is no reason to complain about Apple. They did their job well.

I leave it up to you to decide if it is me who needs to be blamed.

Don’t trust the evil!

Regards,

Marcus

 

 

 

 

 

 

 

---

A new version of NetworkToolbox is available.

The new version contains various changes, additions and fixes:

■ Renewed Bluetooth Tool

I have completely re-written the Bluetooth LE scanner. It is now more reliable and easier to use.

■ New Health Check Tool

This new Tool can be used to perform recurring pre-defined tests. You can add multiple sites (IP Addresses or hosts) and perform Ping, Certificate, Mailserver and other tests with a single button press. This way, you can quickly check the availability of components either in your home network or your Internet Servers.

■ New SMB Tool

You can now even browse Windows or other Samba shares using this new Tool. It is also possible to download files.

■ New Speed Test Tool

This new Tool implements the iPerf Speed Test standard and can be used to perform Network Speed/Bandwidth tests to one of the public iPerf Servers or even between two NetworkToolbox Apps running on the Network since the Tool also provides the possibility to run an iPerf Server.

■ Further improved network scan

Now, SMB Network Names and Vendor Names will be displayed in the list itself and not only on the detail screen.

■ Export Settings

As requested, you can now export the settings either for backup purposes or to submit the settings (including the user passwords etc.) to another iOS Device.

■ Reverse DNS and DNS Lookup improved

Even though the Tool is still called NS-Lookup, it is now rather a multipurpose tool that shows all kind of information available to an IP Address or host such as DNS Record information, Revers DNS Lookup, Provider information and more.

■ Macros for Telnet and SSH

It is now possible to write and maintain Macros that can be submitted from inside the Telnet or SSH Tool. Macros also let you sent special Key combinations and supports delays.

■ Other Telnet and SSH improvements

The Keyboard window will now only cover the necessary part of the screen and in case you are using a hardware keyboard, you will now see the full telnet/ssh screen.

Now you can also directly send special keys that are not available on the software or hardware keyboard.

■ WOL (Wake on Lan) has been built in

■ HTTP Head Tool improvements

This Tool now also shows the Status code returned from the Server and an explanation of the meaning this code.

■ IPv6 support

Most Tools now support IPv6 where appropriate. If available, you will see IPv4 as well as IPv6 addresses in the result lists of several tools. You can also enter IPv6 addresses in several Tools in the same way you enter IPv4 addresses.

■ New IP Calculations

With the introduction of IPv6 Addresses, there are also three new Calculations for the IP-Calculation Tool such as IPv4 to IPv6, 6to4/6RD and Teredo calculations.

■ New Manual

As you may already know, this App contains a lot of information and help texts with general information as well as for each individual tool and how to use it (Thanks again to Martin who helped me out here). Several users appreciated that but asked for a separate manual so they can read it side by side with the App. This is now possible. I have moved the existing content and added some more text to a separate manual, which can also be opened from here: http://go-to.me/nettb-manual but also still from inside the App by hitting the (i) button as usual. If you prefer a printed version, you can also download the manual as PDF file.

■ Bye-bye to the connections Tool

With iOS 10, Apple has removed an API which has been used for the Connections Tool. This means, that this tool no longer works under iOS 10 and you will get an according message if you try to use it. Even though it is not nice that this valuable tool now no longer can be used, Apples decision is a major increase on Security as this API could have also been used for other purposes by any App.

■ Other bug fixes and improvements

Besides the lost Connections Tool, NetworkToolbox is now fully compatible with iOS 10 and even uses some of the new advantages. On an iPad Pro, it can also run in Multitasking and Split Screen mode and it runs just fine on the new iPhone 7 devices.

 

As you can see, there were many changes with this new Update. It even took quite some time as due to IPv6 Support major parts of the App needed to be re-written.

This said, I wouldn’t be surprised if me or my valued Beta Testers would have missed one or two Bugs. Please don’t worry and just let me know so I can fix it timely.

Updating this App means that it will lose all your nice and kind reviews.

So please, after you installed the update, update your review as well or write a new one.

I hate these annoying nag-screens reminding users to write a review and don’t want to include that.

For your review, you can also tap here.

Thanks for your great support!

 

Kind regards,

Marcus

---

Sometimes, you may whish to connect to a network via Ethernet Cable in order to inspect or analyze a network. So far with NetworkToolbox it is only possible to connect to a network via Wlan/WiFi.

But there is good news today!

For this reason, some time ago, I bought me the Lightning Ethernet Cable (L2-NET) from Redpark. This cable requires some developments as it’s not supported by any iOS Device itself. I also had to register for Apples MFI Program which is necessary if you want to ship an App which uses a hardware accessory. I did that and I also did already develop almost all necessary changes for NetworkToolbox which was quite a lot as all network routines (especially the scanning and sniffing ones) will have to be adapted for this cable. Unfortunately, at the end, it turned out that the provided Library had some bugs but moreover the Cable often ended up in a situation where I had to completely re-start the device which was the reason why I never released this feature. I was in contact with Redpark a couple of times. They were very kind, committed and helpful but at the end it turned out that the cable issue cannot be solved at least not for NetworkToolbox. If this would change in the future, I will be more than happy to support this cable as I really like it.

However, here is something new:

You can use the new Lightning to USB 3 Camera Adapter along with the USB Ethernet Adapter.

The USB 3 Camera Adapter, which is basically a USB 3 Adapter, was introduced for the new (big!) iPad Pro (the new small iPad Pro doesn’t support USB 3 by the way). I wanted to buy this adapter for my big iPad Pro anyways but added the USB Ethernet Adapter to my order – just in case.

Once the package arrived, I tried to connect both Adapters together and plugged them to my iPad Pro. Then I got a message saying that the Ethernet Adapter consumes too much power and cannot be used.

Two things where surprising with this message: 1.) I didn’t get the usual message saying that this device is not supported, 2.) It even recognizes the second adapter as an “Ethernet Adapter”.

I then put a regular USB hub in between the two Adapters and provided power to the HUB.

Success !!  – as a result, I didn’t see any message anymore but also nothing else. No confirmation message, no additional menus in the Device settings (as it was the case with the L2-NET cable).

Then I switched off WiFi and Cellular, started NetworkToolbox and to my surprised, the Adapter was found and I even got a DHCP Ethernet Address. I was also able to Browser (real fast!) and perform Network scans with NetworkToolbox – pretty cool isn’t it ?

Next, I tried the same with other devices and found that at least my iPad air 2, iPhone 6 and 6s are working well. There may be others working as well but I have not tried it yet.

I then tried to use other HUBs and found that almost all I have are working, except for one old HUB.

I also tried different USB Ethernet Cables which all didn’t work.

I did not try but this solution may even work with the old iPhone Camera Adapter.

So in short, here is what you need:
[su_list icon=”icon: check-square-o”]

• Apple Lightning Camera Adapter
• Apple USB Ethernet Adapter
• Powered USB Hub
• Works with iPad Pro, iPhone 6, 6s, iPad Air 2 and probably other on iOS 9.3.x

[/su_list]

If you plug all together and power the USB Hub, switch your iPad/iPhone to Airplane Mode (to disable all other communications), wait a few seconds and then try to use Safari to see if the connection is working. If not, double check the HUB or try another HUB.

Even though NetworkToolbox reports a 0.0.0.0 local IP, it reports a public IP and correct DNS Server and is working very well with this solution.

Please let me know if anybody of you is successfully testing this solution on other devices, or even found that the old Camera Adapter is working well so I can update the compatibility list on this post.

UPDATE: Cristian from Gibraltar just reports that the old USB Camera Adapter works as well with the Ethernet USB Adapter. Thanks Cristian!

Don’t trust the evil!
Best Regards,
Marcus

---

A dear user and contributor of NetworkToolbox just raised a point I would like to share with you.

While discussing my arguments against Web-Mail services and my suggestion to rather use a Mail client instead, he mentioned that he got frightened some time ago even while using his iPhone mail client. What happened was, that he received an Amazon gift voucher from a relative and while he wanted to thank him five minutes later for the gift, the relative told him that he already knew that he received his gift because he’d just received an email from Amazon informing him about it.

So you may wonder how this could have happened even on a relative secure Apple device. The trick is quite simple and widely used by many newsletters, eCards and even regular mails.There are many service providers offering such a feature to companies even garnished with sophisticated statistics about reading time and even the location of the recipient.

What the do is, they just add a small image (visible or not) to each email. This image has an individual name which is different for every recipient. Once the email has been opened, the email client tries to download this image from the server in order to show the email right.

The Server, where the image comes from just responds with the requested image, maybe an empty 1×1 white pixel. So far so good. But any Web-Server, and the server for such an email image is also a Web-Server, will see the requesting IP Address and, of course, the file name of the requested image. Remember, as mentioned before, the file name is basically a unique Identifier which identifies each recipient and the IP Address will help to track down the location and other information such as type of device (e.g. iPhone) as well as the client software the recipient is using. And of course, all of that is being logged and can trigger an email to somebody who is interested in knowing when you read their mail.

But for iOS users, it’s not too bad at all. There is something one can do against it what the dear user found out on his own while googling. There is a setting under Email settings called “load remote images” (or “Bilder vom Websever laden” for the German users) which should be switched off.

It is very unfortunate that this setting is turned on by default but I would strongly recommend turning it off. This setting will prevent the things I mentioned before from happening. The only disadvantage is, that some mails might look a bit strange without images which will no longer be loaded in the future once this setting has been disabled but it’s often not too bad and you can manually force the images to be reloaded. But then, keep in mind, the sender may (and most likely will) track this.

You may wonder why you see images in mails even while “load remote images” has been switched off. The reason is, that in that case, images have been embedded in the mail and thus, don’t need to be downloaded and thus, can also not be used for tracking. The disadvantage for this approach is, that such mails get bigger, are causing more network traffic while sent out and while downloaded on your device.

So, don’t trust the evil.
Stay safe!
Regards,
Marcus

---

What is the worst thing to happen with regards to network security you can imagine?

How about a network device that should care for your network security which has a back-door that allows access by everyone from everywhere? Yes, that’s scary, right?

Exactly this has happened to Juniper users – and we all are affected.

For your information, Juniper is the second largest company selling Routers, Switches, Firewalls and other network products after Cisco. Their products are widely used from small businesses, large companies, Network providers to governmental networks.

Recently Juniper indicated that they had discovered unauthorized code in their ScreenOS software used in their Netscreen firewalls. It turned out that this code contains two back-doors which allows full device access and VPN traffic monitoring. Further investigations revealed that all of their firewalls running software versions shipped from 2013 until recently can be accessed from everywhere by everyone via SSH using any username and password “<<< %s(un=’%s’) = %u”. An update will fix this issue.

So far, it is unknown how this backdoor slipped into their code.

Currently, Morpheus and Shodan finds more the 30.000 of these devices.

Maybe you personally don’t use Juniper hardware but be assured, your Provider, Bank, online Store, Company you are working for may likely use Juniper hardware.

It was good that Juniper offensively informed about their findings so that security researchers were able to start their own investigations. However, it took two years to find the back-doors. My personal assumption is, that organizations like NSA, GCHQ, Asian or Russian organizations are responsible for this and moreover, I further assume that similar Back-doors are available in other Network Devices such as those from Cisco and other “big Players”.

I even now see the other Back-doors I mentioned in my blog (here and here) from a different perspective. Not unlikely that these back-doors were not results of brain-dead developers but have the same source.

Regardless whether my assumptions are correct, many networks are currently at high risk. Even more because not only NSA, GHCQ etc. are able to access our data, now even inexperienced criminals can.

Due to the impact of this issue, there is not much one can do other than to follow following rules that make sense regardless of this impact:
[su_list icon=”icon: check-square-o”]

• Think twice if you have to give out personal information such as Name, Address, Email Address and payment information. Better enter it for every single transaction rather than let your online shop conveniently store it
• Use strong passwords and change your passwords regularly
• Never use one and the same password for different services
• Never use one service to log into another service (e.g. don’t use “Login with Facebook” for Netflix)
• If possible, create some fake accounts and fake identities and use them instead of your real accounts where possible
• Leave Yahoo. If you still have A Yahoo account, close it. Not unlikely that Yahoo will be sold soon so your information might end up somewhere else
• Better don’t use a public WiFi network without VPN. Rather use your Cell network (3G/4G/LTE) when security is important
• Use Firefox instead of Internet Explorer
• Use Ove’s Self-Destructing Cookies plugin or similar in your browser
• Setup your mail clients to use encrypted passwords and SSL/TLS
• Better don’t use Web-Mail clients (except for your fake accounts)
• Never ever use Android devices
• Never ever use Windows XP anymore
• Always install updates (for Software and Hardware)
• Always change default passwords
• And of course, consider NetworkToolbox to check for security issues

[/su_list]

Of course, there is much more we can do but most of the above is either easy to do or simply mandatory and without alternative.

Regardless, I wish you and your families a Merry Christmas and all the Best and secure 2016!

Marcus

---

As requested (and to be honest also for my own sake) I added a linux cheat sheet to NetworkToolbox.

This additional information resource doesn’t cover those simple and basic Linux commands. Instead it contains many less known and easy to forget commands, especially for network administration and information gathering.

If some of you are interested even in the simple commands, please drop me a line and I will be happy to add those as well.

In order to install this cheat sheet, just perform a data update by heading to the settings screen of NetworkToolbox, scroll down and press Check for data update.

After the update, you will see a new Icon in the Resources section of the App which contains the new Linux cheat sheet.

---

Support Anonymous – and don’t trust the evil

---

I assume you have heard already from the recent findings of exploitable Netgear routers.

If not, here is a brief summary:

Due to another ignorance or security in-awareness of developers of the Netgear router firmware, it is possible to access several (thousands!) Netgear routers from the internet without entering correct credentials. For details see here.

If this alone isn’t scary enough, Netgear has again to be blamed for their slow and ignorant response to this serious security flaw.

Even though Netgear has finally released an update that fixes this issue, still thousand of routers can by found using Morpheus or Shodan which still run the old firmware and thus are exploitable.

To check if your own router is affected, I have written and just release a new security check for NetworkToolbox which can be downloaded by running a data update from the settings screen of NetworkToolbox.

After downloading, you will find a new entry called “Netgear router exploit” in the Security Check tool.

So, better check yourself with NetworkToolbox and don’t trust the evil.

Regards,

Marcus

---

See my update below.

As this already goes around in the news and not only in the technical press, you will have heard about the XCode Ghost issue and the so claimed “Apple’s biggest malware attack”.

What happened is in short: Some developers, mainly from China downloaded the so called XCode development environment, which is required to develop Apps from dubious websites instead of Apples official website or Apples App Store. The version they downloaded was infected and so were the Apps produced by this XCode version. Some Apps made it to the App Store and some are still available for downloading.

So far, so bad. Scary, isn’t it.

No, it’s not that bad.

Unfortunately, the press and even the people from paloalto networks who “revealed” this story first are currently mystifying this subject rather than informing fully and correctly. They even provide misleading and even obviously wrong information.

So here is my story:

I personally found one of the effected Apps on my device (CamScanner this App has yet been removed from the Store so I can’t provide the link). I reverse engineered this App and can confirm that it indeed contains the XCode Ghost “Virus”.

Further investigation of the code revealed that this code is almost harmless. At least as harmless as all the damn Flurry, AppCrashLog, UserActivity Libraries I am complaining about for quite some time.

It “just” collects even less than Flurry does and submits it to a server (init.icloud-analysis.com). There is DEFINITELY NO key logger included, NO POPUP will be displayed that asks for an Apple ID/iCloud access or something similar. The rumors about this are absolutely wrong.

Of course, the code could have been more dangerous and my finding depends on just one App so this is not an “all-clear”.

However, most likely it is not as bad as the press writes. There is no prove (maybe yet) that there is any App “infected” in a way that user’s security is affected.

The reason why I am very confident about this is, that I was able to find the source code on the Internet which is 100% identical to the code I found in CamScanner and that also fit’s 100% to the story of paloalto networks. That source code is also garnished with a Chinese “excuse me” of the developer who is claiming to be the author of XCode Ghost.

Take a look yourself here: github.com/XcodeGhostSource (maybe use Google translate to read it)

Until there is no further prove otherwise, I assume that this is exactly the code which is included now in some Apps on the App Store.

Apple is currently trying to identify these Apps (which should not be too difficult) and removing them. I however would also expect a list of these Apps from Apple (not like the one on the paloalto website which contains spelling errors and App Names that are available several times on the App Store) so we know which Apps may still reside on our devices.

For your information, and that’s also missing in all the other press statements, you just need to delete the App and it’s gone. There is nothing that remains on your device after you delete it.

And here is, what you can do as NetworkToolbox user:

As explained earlier, my App contains the recently introduced Connections tool. This is ideal to identify such unwanted connections. I just wrote a small tutorial which explains how to detect XCode Ghost using NetworkToolbox.

You may wonder what Apple can do to prevent this from happening in the future. To be honest, so far, there is nothing to blame Apple for right now because (as mentioned before) this code is “harmless” in terms that it doesn’t access secured information and it doesn’t use private APIs. Otherwise I would have been quite sure that Apple would have rejected the Apps (as happened to my Apps).

The most people that have to be blamed are the developers that downloaded XCode from the dubious websites and used it for submitting the Apps to Apple using it. The same thing could definitely have happened on the Microsoft Platform. Maybe even easier because Microsoft does not offer some real App Store approval process at all.Not to talk about Android where there is no protection at all for way easier kind of injections with way more uncontrolled device access.

But I guess, Apple will now most likely speed up and shorten the grace time period for developer of Apps that now have to use HTTPS/TLS rather than HTTP and need to announce and name all domains that their App connects to.

---

UPDATE

For long time, it seemed that I am the only one claiming that XCode Ghost is relatively harmless. All the so called ‘Security Researchers’, the big press like the German ‘Tagesschau’ and even Heise never got tired of repeating the same story that XCode Ghost has been the biggest hit to iPhone App users security ever and everybody is at risk.

Recently also FireEye (who already is one of my friends) was dared to say that they experienced some MITM (Man in the middle attacks) and offered to “protect their customers” against XCode Ghost.

I sent a lot of mails to those researchers and companies telling them that they are wrong in their assumptions and that they should spend a few minutes in analyzing the code. Probably that was either too difficult for them or they just didn’t listen.

For instance, I asked FireEye what the heck they think how MITM attacks could compromise the users of Apps with XCode Ghost. No answer. Dead end. Probably because the answer is, it makes absolutely no sense at all.

There are still numerous false alarms regarding Phishing and Clipboard interception capabilities of XCode Ghost.

Unfortunately, this all was said by inexperienced, unthinkingly, ignorant, arrogant and attention addictive so called security researchers and the unfortunate so called “press” and security websites just copied and pasted their wrong conclusions.

For me, this is definitely the real issue with XCode Ghost.

Anyway, I gave up repeating the truth about it, hoping many people will read this post and come to their own conclusion.

But it was nice to see that I am finally not alone with my conclusions. See here:

www.appthority.com/enterprise-mobile-threats

Don’t trust the evil!

Regards,

Marcus

---

Nowadays, ATM Skimmers use Bluetooth to transfer your stolen credit/debit card details and PIN code.

Brian Krebs today talked about this in a great story where he visited some Hotels in Mexico (even one I stayed in a few years ago) and found several Bluetooth Skimmers.

The hacked ATMs are using Bluetooth modules that are used to download the collected data from the Skimmer inside the ATM. This way, the criminals don’t need to get very close to the ATM to download the stolen data.

Even though this is another scary escalation of the Skimmer technology, the Bluetooth modules can be discovered even by NetworkToolbox. The Modules Brian found are standard Bluetooth modules from a company called Free2Move and that’s also the name these Bluetooth devices are propagating.

There are Bluetooth Modules available for Bluetooth 1.0, 2.0 and even 4.0 (LE) so you will have to discover all three standards. Bluetooth 1.0 and 2.0 devices can simply be discovered by going to the Settings screen of your iPhone, select Bluetooth, switch Bluetooth on if it’s off and wait if your iPhone discovers new Bluetooth devices around you. If you see “Free2Move” when standing close to the ATM you may better want to look for another ATM.

For Bluetooth 4.0 or Bluetooth LE (Low-Energy) you can use the Bluetooth Scanner which is included in NetworkToolbox (Please note: you need to have at least an iPhone 4s for this). Just run a Scan and check the names of the discovered devices and look for “Free2Move” or anything else that doesn’t look obvious.

Of course, the Criminals can change the name but so far, the Skimmers found by Brian Krebs can be discovered this way. At least I will try it whenever I am using an ATM and will let you know once I find a Skimmer or once I got suspected as criminal when standing in front of the ATM and do my scanning ;-).

Don’t trust the evil,

have a secure day,

Marcus

 

 

 

 

---

This story is not really related but I had to write it. Simply skip if you don’t use WordPress.

I am using WordPress for most of my Websites and some time ago I purchased the WPML plugin for easier handling of multi-language pages. This plugin wasn’t cheap (about 200 Bucks) but I thought it’s worth it. Little later, after using WPML for a while and after almost getting used to the cumbersome UI and weired bugs, I heard rumors about security issues with WPML. So I looked for updates and headed to their support forum. After reading that they are not really able to fix these issues soon because of issues with their update procedure, I took a look into their PHP code. After this, I knew I have to disable WPML immediate and switch to another solution.

It took me quite some time to find and migrate to another solution but thanks God I did. Later I forgot about WPML.

A few minutes ago, I received the following mail:

So in that mail WPML claims that they updated my password to a strong and secure one (I always thought I am using strong passwords by the way). Further down, they sent me the new password in plain text and EVEN added the Login name (for my convenience I guess) to that mail.

But it got worse. When inspecting the included link they added to the login page (probable even for my convenience) I found it contains the address of a redirect PHP on a completely different server.

At that point, I was pretty sure that this must be one of those usual phishing mails and just in case, I sent a mail to WPML (using the contact form) to inform about this.

Seconds later, they confirmed that this mail was real.

Isn’t that unbelievable ?

I think this finally proves that WPML definitely has no clue about security. So everybody who is still using WPML (probably not too many still) now know that they better switch to something else.

As a site note: WPML can be found on WPML.org which is ok. But WPML.com is available for sale. Imagine what happens if a bad guy would acquire WPML.com. But it’s not cheap I must admit.

Anyways, don’t trust the evil.

Best Regards,

Marcus

---

Regular readers of my blog know that I am no fan of anti-virus software.

Now, here is another argument against them. Tavis Ormandy recently exploited successfully Kaspersky in a way that users could find their systems easily compromised. Just recently he did the same for Sophos and ESET and even this Sunday, Kristian Erik Hermansen disclosed a zero-day vulnerability in another Malware protection solution from FireEye, which if exploited, results in unauthorized file access.

My personal opinion is that the good old days for those companies are over. Instead of continuing to invest in good security engineers and software developers, they spent their money rather for advertising, fighting against their competitors and seeking for additional ways to make money.

I guess all of you had once your own issues with your preferred virus-scanner or security suite (how they are nowadays called). Dramatical slow-downs, unreachable websites, odd browser behavior, undelivered mails or completely messed up firewall rules. All issues that suddenly disappeared once you switched off or uninstalled the virus scanner. Don’t you ? And for us network admins, isn’t it always scary when the preferred scan engine on the server gets updated because you still remember the server outage due to such an scanner update.

But you thought that this is the price we have to pay for increased security. Now we have learned that we even loose security when using Anti-Virus software.

My suggestion: Don’t use them! Stick with the built-in security measures of Windows, Mac or Linux. Use a good router, use NAT, use Firefox (or if you don’t like Firefox use Chrome for God’s sake) but always keep everything updated. This is all you need for regular browsing and working. The built in Windows defender for instance is not too bad at all. Even though those brave computer magazines regular tests show it never #1 in scanning accuracy. A few pages later you can learn why when reading the big advertisings of these Anti Virus companies.

In addition: if you have to visit suspicious websites or servers or need to access dubious systems or have to do some downloads and to unzip and install files from insecure sources: Never ever do this on your production system. At least setup a virtual machine or better use a separate computer running on a separate IP address space. This is easy to do, easy to recover in case of issues and the best protection you can get.

Don’t trust the evil,

Best regards,

Marcus

 

 

 

 

 

 

 

 

---

Maybe this is another bad coincidence. Shortly after my findings regarding the quite insecure ALDI / MAGINON web cameras, Rapid7 informs about IoT security issues, especially about 10 New Vulnerabilities for Several Video Baby Monitors.

There is nothing to add to this scary report except that this is just again another example of incompetent developers, IT and quality assurance departments of ‘well known’ companies. I hope all of them get fired but maybe they deserve something worse. For instance, that their family or kids get stalked. No – This is something we should not wish to anybody. This would be wrong. But they didn’t seem to care about your family and privacy.

To check your own devices, I just updated the default password database of NetworkToolbox accordingly.

Don’t trust the evil!

Regards,
Marcus

P.S. NetworkToolbox now has it’s own dedicated Facebook page.

---

You may have heard about about Ins0mnia which is a security vulnerability that allows an iOS App to continue to run in the background, even if the App was terminated by the user and not visible in the task switcher. Security researchers argue that Apps that are using this Ins0mnia vulnerability may even be able access the microphone or camera without your knowing.

As an App developer I can tell you that camera access is not possible in the background and both microphone and camera access will only be possible if a user acknowledged the request to access those peripherals. Without a user confirmation, even an App using the Ins0mnia vulnerability can not access microphone and camera.

But anyways, the Ins0mnia flaw is not good but it’s good that Apple fixed this security issue with iOS 8.4.1 (so hurry, if you didn’t already update).

So what about Ins0mnia and NetworkToolbox ? Can NetworkToolbox detect Ins0mnia ? I would be scared if that could be the case to be honest. Because that would mean that Apps would have access to other Apps out of it’s own Sandbox. This is only possible on Jailbroken devices and that’s why Jailbroken devices are quite insecure.

But NetworkToolbox can indeed help. With the recently introduced Connections Tool you can find out, if one of your Apps “calls home” which means if it sends data from your device to another server on the Internet. As already mentioned, I created a small tutorial which explains how to do that.

But it’s even easier with Ins0mnia because the nature of Ins0mnia is, that it continues to run in the background and also communicates over the network while in the background.

So here is, what you can do (not only to detect Ins0mnia) :

First, you should close all Apps on your device (double tap the home button and swipe all Apps to the top one after the other).

Then, start NetworkToolbox and open the Connections tool. Normally you will see about 10 to 15 connections. If you wait a while and press the refresh button, this number should go down to about five or even three. If you take a look at these few connections, you should only see Apples IP Addresses (those starting with 17), maybe the IP Address of the mail provider you are using and maybe some akamai domains. That should really be all you see after a few minutes. If you see more and different addresses, it’s worth to inspect them because that’s unusual and can be caused by an App using the Ins0mnia vulnerability.

Don’t trust the evil!

Best Regards,

Marcus

---

This is indeed a scary story.

Today, I went to my favorite discount grocery Store (ALDI) for buying some items. To my surprise, they offered PTZ WiFi WebCams for less than 40EUR (about 45 bucks) so at the checkout I asked for a couple of those cameras.

Once back home, I did some quick researching and can’t believe what I found. The camera came with default credentials (guess what: admin as username and blank password) so I started using my NetworkToolbox to explore the HTTP-Head information of the Camera internal web server. The results were:

Content-Type: text/html
Server: mcdhttpd/1.0
Connection: close

This revealed a very ‘good’ string (mcdhttpd) to search for on Morpheus or Shodan with my NetworkToolbox. Quick searches confirmed that the ALDI Camera was in fact the renamed Rollei SafetyCam. (You will agree that this Camera uses a quite misleading name after read further. ALDI must have known the issues as they call it different 😉 )

Both, Morpheus and Shodan found hundreds of such cameras even around the world. Most of them in Germany, Austria, Hungary and Switzerland where ALDI is locaded and seemed to sell this WebCam. Of course, I didn’t try but I am pretty sure that there are lots of cameras using the same default credentials.

UPDATE: Thank you for your reports, confirming that several of those entries are indeed still using the default credentials.

Until now, you might think, “Ok, so I can look into somebody else’s Garden or nursery room or listen to what the say – so what?”

But it gets worse.

The funny WebCam offers WiFi and direct DynDNS support and so it also includes configuration pages for maintaining those credentials. The good thing is, the Camera supports WPA2 PSK AES and TKIP WiFi encryption, the worse is, the PSK Key will be displayed (and likely stored) in plain text. So once you find such a camera, you know how to access the WiFi network of the owner.

Even better, almost the same applies to the DDNS settings. Here, the Password is a secured text field, but the password can easily be read out. So by this, you even know how to connect to that WebCam (and the network!) in the future.

Can this get worse. Yes, it can:

The same security issues apply to the setting for the Mail that the device can send in case of alarms. Mailserver, mail username and password are plain-text or easy to be read out. So we all can be lucky to get more spam in the future, sent from those WebCam mail accounts. Thank you!

So what is my Point?
[su_list icon=”icon: thumbs-o-down”]

• I complain that this camera uses default credentials. This is by all means NOT NECESSARY. There are many good alternatives. The simplest would be to request a password change along with the first login. And even if Maginon/Rollei would not be able to fix this security flaw, they should have a big warning in their manual saying “THE FIRST THING YOU SHOULD DO IS TO CHANGE THE DEFAULT PASSWORD“.
• I complain (even though this is unfortunately common to many devices) that they respond with a unique, easy to identify string on a HTTP HEAD request (mcdhttpd). This fact alone is responsible that thousands of ALDI customers that are on risk now as their devices can easily be found.
• I complain that they display the WiFi credentials in plain text and don’t encrypt other passwords (DDNS, SMTP Server, FTP, Additional users) so that they can easily be read out with a web browser. This is again simply NOT NECESSARY and INSECURE. I also bet they store them unencrypted (why to encrypt something that is displayed anyways)

[/su_list]
I contacted Maginon, informed them about these security issues and asked for a statement but got no response yet.

Some screen shots in the Manual contains dates of the year 2012. Likely this was the year when the Camera was developed. Looks as the security standard is even older and it has never been updated.

Very likely, this piece of hardware contains more internal vulnerabilities and security issues.

This is again an example of how a single device can jeopardize your whole network security when added to your network.

Don’t trust the evil.

Have a great weekend.

Regards,
Marcus

---

Just to keep you updated.

I have just finished the work for the next Update of NetworkToolbox.

Besides some bug fixes (sorry for the bugs in the current version) and many other improvements, the new version contains two nice features.

First, I will introduce PKI (Private-Key-Infrastructure) features with the next version. This includes possibilities and explanations on how to generate encrypted Public and Private keys and to use them as a replacement for login username and passwords for a more secure SSH or SFTP access. I have also added a PKI Key manager which can be used to generate, import and store keys which can be used from inside the SSH or SFTP tools.

Second, I added an interesting feature that shows all current connections to and from your device. This is quite useful if you want to identify other Apps on your device which calls home or opens hidden advertisements to make money. Such connections will be displayed in the new tool.

Normally and as already mentioned in other blog posts, I use a network sniffer on my Linux computer to find undesired network connections from Apps that are installed on my device. This was quite time consuming and complicated.

By the new connections tool of NetworkToolbox, I was already able to identify a couple of new bad connections within a few seconds. It was even helpful that I was able to combine this with other built-in tools such as the certificate tool which helped me to quickly identify each connection as either normal (like Apple or mail connections) or undesirable sites like appsflyer.com or pushwoosh.com which ended up quickly on my firewall.

Just two examples of what is coming next.

I can’t wait to release this update to you.

So please stay tuned and … don’t trust the evil!

Regards,

Marcus

---

If you are running a website and are using PHP FileManager you can be quite certain that your webserver has been compromised. The reason is, PHP FileManager, sold from Revivedwire, has a backdoor since 2010 along with several other critical security vulnerabilities. Revivedwire has been informed long time ago but since recently still sold PHP FileManager along with the Backdoor and vulnerabilities. Can that be right?

I said “quite certain” because PHP FileManager installations can easily be found using Google (you even don’t need Morpheus or Shodan). As already disclosed,the backdoor username is simply ****__DO_NOT_REMOVE_THIS_ENTRY__**** and the md5 hash for this username is da26c70fc120d803e24bff0c5e5f6bdd. A quick Google search for this hash reveals that the equivalent password for this hash is travan44 .

Using these credentials, additional users can be created with full admin rights, files can be uploaded and executed remotely so one can not only download sensitive files but also get full access to a webserver within seconds.

There are ways to remove this backdoor from an existing installation but because PHP FileManager contains so many additional critical and easy to use security vulnerabilities, the only recommendation I can give is to completely get rid of it.

Don’t trust the evil!

Regards,

Marcus

P.S. I am already working on the next version so stay tuned.

---

I thought this update deserves a separate post so here is the latest update to “Scary piwik findings“.

It seems my post regarding Piwik caused a lot of rumors and discussions.

Piwik contacted me yesterday with the following mail:

…Unfortunately, not all of the points mentioned are correct and we kindly ask you to issue a public correction, especially because your blog is a valued source of knowledge for many IT professionals. Below we present a short clarification of the two points raised in your article.

Firstly, all Piwik users have the possibility to make their analytics report data publicly accessible by anyone, but this is by no means a default setting. By default, all reports are protected and nobody can view the collected and analysed data without first signing in with a valid user account. It is, however, possible to make reports available to anyone – this feature was developed on purpose and is well-documented in Piwik’s FAQ. Some organisations, such as the Pirate Party mentioned in your publication, decide to make their analytics data open to anyone on purpose. This is mainly because their Piwik data may be of use to their communities.

Secondly, it’s true that some of the Piwik servers’ URLs can be discovered in search engines using allinurl: “piwik/index.php”. We would like to emphasise that this poses no security risk as Piwik, by default, protects all user data behind a login screen and there is no possibility of a data leak. Furthermore, an improvement will be developed by our community to tackle this issue (details: https://github.com/piwik/piwik/issues/6552)

And here is what I responded:

many thanks for your mail. I mainly agree to almost everything but not with all you wrote.

First of all, let me assure you that it was also not my intention to blame Piwik as I found it to be one of the (if not the) best statistics tools available, especially due to it’s possibility to generate stats without storing IP address information – as already mentioned in my blog.

I am usually referring to Piwik as “the opposite to Google Analytics” which I hope is a compliment.

I am aware and can confirm that the default settings of Piwik don’t allow unauthorized access to the stats per se.

However, my findings did indeed reveal security issues along with Piwik installations as follows:

When using these inurl: queries, you will find a lot of half-done or broken Piwik installations. The diagnostic messages that can be found are very helpful for the webmaster to fix the Piwik installation issues. However it is also very helpful for hackers as these diagnostic messages reveal the physical server directory structures, database names and I even saw DB user names entered by the webmaster. One example, why this is dangerous is the recent ProFTPD exploit for which a hacker will just need to know the physical directory structure in order to copy files to other location which can either be accessed from outside or files that contain information that, once overwritten, will no longer protect files or directories.

Second, even if the default settings of Piwik don’t allow anonymous access, it is scary to see so many installations where it is indeed possible. In most cases it is quite obvious that those installations are not intended to be open for the public and as mentioned in my blog, even if anonymous access has not been configured, in some cases it was possible to download the stats via the Piwik API. This at least sounds as there are webmasters who have issues with a correct configuration of Piwik.

Finally, the huge amount of wrong, mis-configured and unintentionally open Piwik installations surprises me. I can’t remember similar findings in similar cases like some years ago with phpBB.

Regarding the Pirate Party, they seem to have a communication issue as they are talking about different Piwik installations and they claim they are using Piwik since May 18. 2015 but their Stats start in 2011 and they forgot (still!) to update their disclaimers on the two mentioned websites. But that’s no security issue and not really worth to follow up. Just for clarification.

My suggestions to you are as follows:

[su_list icon=”icon: check”]

• It seems some Piwik installations used to be ok some time ago but for some reasons (maybe changes/updates on a server) seem to get broken. In such situations, I would suggest to not reveal server information on the Piwik Admin website.
• In general, I would rather suggest storing such information in log-files instead of displaying them so that they can only be accessed with appropriate privileges.
• I would suggest to split/separate the API URL from the Admisistration and Statistics URL. That would also support the use of .htaccess protection to the Admin and/or Statistics part of Piwik.
• I would definitely recommend to add the noindex, nofollow metatags as mentioned in your blog but I would also suggest to place an initial robots.txt file on the webserver root if it doesn’t exist or add lines to it if it exists. Both at least hides Piwik from search engines (even though not all engines regard those but Google does and was the main source of my findings)
• If one or all of the above would be too difficult or not yet possible, at least place some big warnings in your setup documentation or setup UI (like you already do for other purposes)

[/su_list]

I really appreciate your efforts to improve security and privacy in Piwik.

This helps to create a better, more secure world.

Thanks again,

best regards,

Marcus

---

Did you ever wonder why companies like Oracle or Adobe always wants to install unwanted software such as McAffee along with their free Java or Acrobat Reader ?

Or why so called “Best Antivirus Software” such as Avast or Symantec comes for free from your provider or pre-installed on your PC ?

Are those companies so generous? Do they only want your best?

You guessed it : No, of course not. They want money. Not just your money.

They get paid for every single installation of this unwanted piece of software!

So why is that ?

Because the unwanted software gets paid because it collects your data and they sell it.

Ok, you don’t believe me right ?

So here is an example:

Avast recently confirmed that they collect your data while running on your PC and scanning for viruses (see here if you don’t believe me)

Jumpshot is selling your data for just as much as US$ 500 per month! per account (see their pricing on www.jumpshot.com)

Avast claims that they don’t make money out of that but do you believe this ?

Do you believe McAffee, Ask with their Ask Toolbox and others don’t make money with collecting your data?

I personally don’t.

UPDATE:

It’s a funny coincident that Tim Cook yesterday talked about the very same subject. His speech at the Electronic Privacy Information Center (EPIC) is really worth reading and most of what he said speaks my mind. You can find his speech on the verge .

He said for instance:

“You might like these so-called free services, but we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose,” … “And we think someday, customers will see this for what it is.”

Don’t trust the evil!

Regards,

Marcus

---

Maybe not all of you know what Piwik is. It is very nice tool for website statistics. I like this tool especially because it offers features to hide and even don’t record visitors IP addresses and private information but still generates nice and good website statistics. So I would call it basically the opposite of Google Analytics.

Since Piwik is getting increasingly popular, many websites started using Piwik but like so often, even Piwik requires some basic understanding of PHP, Linux and Server security. Some website Admins seem to be blinded by the easy user interface and assume it is as easy to configure.

Obviously that’s not the case. There are several open (and more worse: half-done) Piwik Installations out there which can be accessed by anyone easily. Such installations are quite dangerous for the webadmin because they reveal a lot of important insight information about the server configuration and it will not take much to use such an installation to hijack a complete server.

You may wonder how such servers can be found. This is also quite easy and in that case Google is our friend (in other cases I would reject this statement vehemently). As mentioned some posts before, Google can be used to search for URLs with specific parameters if you prefix your search term with

allinurl:

so in case of Piwik you can enter

allinurl: "piwik/index.php"

Which will give you a list of websites where piwik is installed. It is funny alone to browse through these findings which often contains error backtraces and error logs.

I was even (not) more surprised that some installations even allowed anonymous access with admin privileges. To check for this, one just needs to add either either this:

/index.php?module=UsersManager&action=anonymousSettings

or this

/index.php?module=Installation&action=systemCheckPage

to the Google result list url right after

.../piwik

So for instance

http://www-nice-website/piwik/index.php?...

becomes

http://www-nice-website/piwik/index.php?module=UsersManager&action=anonymousSettings

UPDATE 1:
There seems to be an issue with Piwik that it is possible to download statistics even if there is no view access. If you add

?module=API&method=Live.getLastVisitsDetails&idSite=1&period=month&date=2015-05-01&format=Tsv&token_auth=anonymous&expanded=1

You will get a nice Excel or CSV file with the website details of Site=1 (change to any other number for additional websites).

UPDATE 2:

I did contact the German “Piraten Partei” before I wrote this blog post. So far: no answer. Meanwhile they responded to the press that they intentionally left the Statistics open to the public. This is fair enough as there is nothing to hide.

However, two questions remain:

1. why don’t they tell us that they are collecting our information (especially search queries, website referrals and exit sites) ? In their website disclaimer (even on Andrea Bogners website) they say “Eine Speicherung von Verbindungsdaten … erfolgt nicht” which means “we don’t store connection data” which is obviously wrong.
2. If they intentionally left their Piwik stats accessible, why don’t they officially link to these stats. Is there just an elitist circle who had or has access to these stats ?

UPDATE 3:

Please read this separate post for a further update.

Best Regards,

Marcus

---

This is a security alert, if you are running an FTP server that is using ProFTPD and are using the mod_copy setting.

A serious security issue was found in ProFTPD which allows copying of files such as /etc/passwd or wp-config.php even without authentication. This is a serious issue. Some Servers have already been reported as compromised.

This Vulnerability has been assigned the code CVE-2015-3306.

To check if your FTP Server is vulnerable, I have just added a new Security Check module called “ProFTPD mod_copy exploit (CVE-2015-3306)“.

Just perform a Data Update from the Settings Screen and perform a Data update. After the Update you can select that new test in the Security Check Tool. To run the test, you need to enter the IP address of the server you like to check. The port can be left blank and is optional.

If your server is vulnerable you should either remove the line

LoadModule mod_copy.c

in

/etc/proftpd/modules.conf

or completely stop the ProFTPD service on your server. As per today, there is only a quick patch available for ProFTPD which requires to compile ProFTPD on your server. I would not recommend to use FTP anyway. Instead use SSH/SFTP.

Don’t trust the evil!

Good luck!

Marcus

---

Finally, Version 8.1.3 of NetworkToolbox has been released by Apple.

Below is a summary of changes to the previous version. This is quite a long list. There are three new tools (27 in total now) and several parts have been completely re-coded. But this time, once I finished implementing one feature, I can’t wait to implement the next on my list. Maybe next time, I will create smaller updates.

Please support my work on this app by writing an app review. This really keeps this app going so you will also benefit.

If you already wrote an app review, you need to update it as otherwise it will get lost as every review only applies to a certain version.

Many thanks!

List of changes:

■ New Network and Port Scan engines

Network and Port Scanning is now blazing fast and even more accurate than before.

Now, hundreds of addresses and ports will be scanned simultaneously as fast as possible but still with the best possible accuracy. Since scanning is now way faster, all scans are repeated automatically a few times.

Scanning is also now random so that Firewalls and Intrusion detection systems will not immediately identify each scan easily.

■ Bookmarks is now Logbook

A new Logbook functionality has been introduced and the formerly available Bookmarks functionality has been integrated in this new Logbook function.
Logbooks can collect the following type of information

• Schodan and Morpheus Scan results
• Network Scan results
• Port Scan results
• Links
• Hosts (= former Bookmarks)

Best of all, Network- and Port- scans can now be compared to each other. This way, you can quickly find out what has been changed in your network between two scans.

Logs can of course also be exported or printed.

■ Custom Device Names

You can now (optionally) assign individual names for your devices on your network. This makes it easier than ever to identify each particular device in the various scans.

These names are tied together with the MAC address. Such a maintained device name will be displayed instead of the network name in a different color.
Custom Device Names can be maintained in three different ways

• In the Network Scan results. Just open the details of an entry and here you can directly enter an individual name
• You can export a complete list of a network scan to the list of individual names
• You can maintain the complete list of individual names from inside the settings screen

■ Improved DNS tool

The DNS Tool has been improved in several ways.

It still provides information about a certain domain with its IP Address, Provider, country and location.

Now, this tool also performs a reverse-DNS lookup with more than one record, if available.
Second, it now provides DNS Server information such as MX, NS, SOA and TXT Records.

■ Devices tool improvements

Now, all available interfaces (not just WiFi, Cell) will be displayed with much more detailed information. This way, you can even investigate your virtual VPN devices.

Proxy information now is also included.

Sensors such as Gyroscope, Accelerometer etc. will now be displayed graphically.

■ HTTP browser

The http tool now contains an improved browser. The browser also now records all requests a website initiate (even requests initiated by scripts) so you can easily inspect scriptfiles, images that are being loaded or even the sources of Ad banners.

The password test also has been improved and can now fill out many more types for login forms.

■ New Security Check tool

This is another new tool which required most of the development time. This tool contains several individual security checks for various exploits or issues. So far, it contains only a few checks but there are more to come over time.

The challenge was to implement a tool that I can use to quickly provide certain tests to you, without the necessity to send out a new app update. This is now possible with this new Security Check tool.
The idea was born when I added the Verizon Supercookie test but that was a quite simple test. Now even more sophisticated tests are possible and I can add all those tests via Data updates.

To use the test, you can either select the test inside the tool from the list or, like with most other tools, when working on results of any tool and using the […] button
I will announce new tests in the news section of the app but not on my website as this is too closely related to this app.

■ New Web-Service Tool

This new Tool allows to explore or debug SOAP and REST Web-Services. All API parameters such as URL Parameters, Header information and Request Body can easily be maintained and even stored under an individual name. The API requests can be executed via a HTTP-GET, -PUT or -POST methods.
JSON and XML results are being displayed in a hierarchical tree browser.

There are a few predefined Web-Service samples included such as the Google Geo API.

■ New Mail Server Tool

This tool checks for POP3, IMAP and SMTP mail services and provides useful information either for your Mail-Client settings and possible improvements for the Mail-Server settings.

■ Resources section has been completely re-coded

The resources section of the app contains a lot of information but wasn’t easy to find and use. It now has a similar user interface like the main app screen. It now also allows me to add more information via Data updates.

■ Various other changes and bug fixes

• Several design changes throughout the whole app
• The MAC address bug has been fixed which showed a wrong last byte of the MAC
• The local IP address has not always been displayed correctly (e.g. was shown as “error”)
• The MAC address is now displayed in the Network Scan report and no longer only in the details screen
• IP Calculator improvements
• Improvements for iPhone 6 and 6+
• 64-Bit support
• iOS 8.3 support

Please don’t forget to check for a data-update after the installation.

Please let me know should you find a bug or if you have additional ideas or requests.

Kind regards,

Marcus

---

I received quite a few questions regarding the possibility to add WiFi scanning to NetworkToolbox that displays the SSID (WiFi name) and RSSI (signal strength) of WiFi networks around you.

Unfortunately (or I would call it fortunately) Apple removed the possibility for developers to access the WiFi network device from inside an app (at least for non-Apple apps).

For this reason, there is no app available on the AppStore that can do these kind of things. There used to be a few apps in the past which were able to provide this on a very limited basis but they don’t run anymore on iOS 8 and can’t be updated by the developer as it would then not pass the App Store review process. Such apps have been submitted to Apple by the time when it was still possible to access the network device.

However, what a “regular” developer can’t do seem to be possible by apps developed by Apple.

See how you can still scan WiFi networks

There is still a way to scan your WiFi network although it’s a bit tricky to enable it.

The solution is, to use Apples AirPort Utility app and to enable a hidden feature for it. This works, even if you don’t have an Apple WiFi router.

Here is, how to enable WiFi Scanning:

1. Install the Apple AirPort Utility app from the App Store
2. Start the app one time and then close it
3. Go to Settings (of your iPhone/iPad) on the main screen, scroll down until you see the AirPort app and select it
4. Enable “Wi-Fi-Sanning”
5. Start the AirPort Utility app again
6. Tap on “Wi-Fi Scan”
7. Tap on “Scan”

After a while, you can see all WiFi networks around you even with Channel information, BSSID (Mac address of the device) and RSSI (signal strength). If you tap on an entry you can even see the more information like the signal strength history.

I think that’s a not-too-bad workaround.

Stay tuned!

Best regards,

Marcus

---

Happy New Year to you!

I hope you all had a good and secure start in the new year.

As so often, things you almost forgot and believed to be solved forever might come back after a new year break in a new incarnation and reminds you that there is no such thing like the “ultimate solution”. However, let’s see it as a challenge to at least get closer to the “ultimate solution”.

In this case, I am talking about ads which – all of a sudden – reappeared on my iPad, PCs and Macs even though I (at least thought) found a good solution by (ab)using my routers blacklist (see my flurry post from last year.).

So what happened ? After a bit of investigation, I found that some ad’s have changed from http:// to https://. This for me looked a bit surprising as ads usually (should) have nothing to hide so there should be no need to encrypt the web communication especially because of the extra effort for the ad-server to maintain certificates etc..

By that time, I was under the assumption that https:// addresses will be filtered by my router blacklist in the same way a normal http:// connection is. Not just because https just means that the content is transfered over port 443 instead of port 80 and even if traffic uses port 443 and is SSL/TLS encrypted, the domain needs to be resolved and if it’s blocked it can’t be resolved.

But further tests showed that my router indeed is just filtering http domains and not https. How come ? Further researches led me to the finding that (at least in the investigated cases) the issue was caused by websites which are also using https that include add banners with another https address. In such a case, the data (content) of the original website is SSL/TLS encrypted and maybe that’s why the containing https link is not filtered. I also found that my favorite AVM router is not the only one not being able to block https domains. Many other also can’t and even some popular firewalls have the same limitation.

I really don’t like ads do you? I am tired of ads!

I really got used to the ad-free websites and apps and I was also quite happy not to rely on such dubious Ad blockers like AdBlock Plus which even doesn’t really help to get rid of ads on my iOS devices. So I started thinking of a better solution. Especially because the router solution I was using so far only works with a few routers.

openDNS an alternative ? not really!

One solution I tried was openDNS . openDNS is a service on the web which offers two IP addresses that can be entered as DNS servers in your router. So openDNS replaces the DNS server of your ISP. All DNS queries will be sent to openDNS and they respond based on filter rules with the correct IP address or a dummy address. The good news is: it’s working. The bad news are, it costs about $20 per year (as the free service doesn’t offer enough custom filter settings) and much extra effort is necessary to handle dynamic IP address changes if you (as I) run your own DynDNS solution. They offer a in combination with their own service dnsomatic.com which can be used to chain additional DynDNS services but that doesn’t seem to work quite well. Finally (as I don’t trust the evil as you know) it is quite clear that they are collecting my DNS requests and sell it as this is quite interesting information for the ad industry.

So I discontinued my openDNS activities and thought about another solution.

running my own DNS Server!

And here is my (new) “ultimate solution” :

A Raspberry Pi connected to my favorite AVM router.

It was really simple to use an out-of-the-box $30 Raspberry Pi, setup my own “openDNS” by using dnsmasq on it. The Raspberry gets powered by the USB port of my router and is connected to it with a short network cable. No additional configuration on the clients was necessary and I just had to enter the Raspberry Pis IP address as DNS server address in the router settings.

My blacklist now resides on the Raspberry Pi and my router is no longer misused to blacklist ad servers.

even more advantages!

I now even have three more advantages:

• HTTPS domains are also filtered. So no big ad at the top of the youtube.com site. Hurray!
• DNS requests are noticeable faster as they are now cached inside my network
• Optionally, I can easily monitor all the DNS requests of my whole network

The last advantage is very comfortable in order to find additional servers that want to be blocked, especially when using an iOS device. In the past I always had to setup a proxy for this.

So I am happy again!

If you are interested in this solution, please drop me a line (or maybe additionally leave an app review which I would greatly appreciate;-) ) and if there is enough demand, I will create a small installation summary and post it on my website. I can even share my blacklist if you are interested.

Again, have a good, secure (and ad-free) start into 2015!

…and don’t trust the evil!

Best regards,
Marcus

---

Most of you may view eCards as harmless ways to spread Christmas cheer. You may think they are convenient or fast and easy and there’s no hassle queuing up at the post office and trying to beat the Christmas postal deadlines.

But most of them are anything but harmless. At least I don’t know a single service I would recommend.

eCard providers are well known as Email collectors. They sell the Email addresses you entered and even analyze the message you select or added to your seasonal greetings. They usually send a tracking code along with the mail and claim this is to generate a receipt for the sender but in addition, they keep the receivers IP address and will know where exactly he lives.

Last year, some even distributed viruses along with their greeting mail.

If you like to do yourself and especially your friends and loved ones a favor, don’t use eCards. Instead, write a regular letter or just call them (of course don’t Skype them).

And if you receive an eCard via Email, you better delete it. Maybe send the originator a link to this post and call him or her.

Don’t trust anything which is for free – don’t trust the evil.

New data update

Today, I sent out another data update with a new MAC Database and some other changes (Thanks Martin and Mike for your hints and help!).

A new app update is already under development which will cover a lot of suggestions and will offer some new features. I will need some more time to get it completed and tested but early next year I expect to be able to send it to Apple.

I really appreciate all your support and suggestions. Please continue to write if you have questions, suggestions or even find bugs (thanks Emile).

To you and your families, have a Merry Christmas and all the best for 2015!

And don’t forget: don’t trust the evil.

Best regards,
Marcus

---