In an ideal world, Mac and iPhone hacker Charlie Miller would discover vulnerabilities, inform Apple, and Apple would then patch them before they had any chance of being exploited “in the wild”.
Miller, however, prefers to keep them to himself so he can win MacBooks and detail them at Black Hat conferences. The good of the hacker obviously outweighs the good of the users, every one. So be it.
Miller’s latest iPhone-related find was disclosed at SyScan in Singapore:
a hole that would let attackers “run software code on the phone that is sent by SMS over a mobile operator’s network in order to monitor the location of the phone using GPS, turn on the phone’s microphone to eavesdrop on conversations, or make the phone join a distributed denial of service attack or a botnet.”
Apple, for their part, is hoping to have this patched before Miller’s upcoming Black Hat gig.
I’ve said it before and I’ll say it again (and again), 1Password is the first app I launch when I (re-)install a Mac, and the first iPhone (and iPod touch) app I go to any time I even think about logging in to a secure website or using credit card data. It’s one of my all-time favorites, and it’s just gone Pro.
The video above shows off the new iPhone 3.0 support in 1Password Pro 2.1, and the ability to extend secure logins out of the embedded browser and into Mobile Safari is very welcome. Better yet, the fine folks at Agile Web Solutions promise even more features are coming soon.
Available now via the iTunes App Store at a special introductory price of $5.99, and because Agile is awesome, they’ve given us ten (10) promo codes to give away to you.
Want one? Get over to the forums and tell us the lamest, most insecure, and useless password you can imagine. And ten of you will get free copies of the strong, secure, incredibly useful 1Password Pro in return.
Frequent user of sites like eBay, PayPal, AOL, or GEICO, paranoid about security, understand terms like multi-factor authentication, and don’t want to carry a football, card-based generator, or other extra dongle around with you? If you live in the US, VeriSign has an iPhone App for you.
Very little code is bullet-proof. Hackers will always find holes. The worst holes will be critical. The worst hacks will be zero-day and found in the wild — catching companies and users both by surprise.
Not sure we have any of that here. Macworld does report that, at the Black Hat Europe Security Conference, former NSA number cruncher Charlie Miller — who has rolled his ability to find exploits in the Mac version of Apple’s Safari Browser into tens of thousands of dollars and a couple free MacBooks at the annual Pwn2Own contest — claims to have:
…found a way to trick the iPhone into running code that enables shellcode. To run shellcode on an iPhone, however, an attacker would first need a working exploit for an iPhone, or a way to target some software vulnerability in, for example, the Safari Web browser or the mobile’s operating system. Miller said he doesn’t have one now.
Miller previously gained attention for a Mobile Safari exploit that made for some quick early jailbreaking and led to Apple patching the problem in firmware 1.0.1.
What’s particularly disturbing, however, is that Miller also says he’s unsure whether or not Apple knows about the potential vulnerability.
He should know that absolutely dead cold, of course. He should have told Apple long before he made the information public, and only made the information public when Apple had a fix rolled out or ignored his warnings for so long that public pressure could reasonably be considered the only option in getting them to roll out a fix.
Either way, Miller should know that Apple knows because he told them first. Or do we no longer warn people in a house when we see a potential fire starting, but wait and see how much attention and cash we can get for the info first?
Looks like another desktop Safari 4 Beta feature has found its way into the iPhone 3.0 version of the browser. Now, when you go to a site with an enhanced security certificate, the text on top of the browser turns green (like the green bar, we get it!), with a little green lock icon beside it, and the name of the certificate’s trusted organization. For example, the above screenshots show how Apple’s order status page looks on iPhone 2.2.1 (top right) and iPhone 3.0.
What does this mean for users? In an age of increased phishing attacks, where bad sites try to trick you into thinking they’re your bank or shop and steal your login or credit card info, this is one more visual cue in your assessment process for determining if you can trust that the website is what it says it is.
Come iPhone 3.0, look for the green text on top of Safari and carefully check to make sure the company it identifies is the one you want to be dealing with.
No, not unlocking the iPhone from AT&T (JAR!), unlocking the iPhone so you can use it. Slide to unlock, passcode unlock, that kind of unlock. Okay, now if you’re still reading, Apple Insider has found some patent filings that suggest Apple is exploring things like biometrics (i.e. it reads your fingerprint while you slide to unlock), facial recognition (i.e. uses the camera to analyze who you are/might be) and pattern matching (i.e. choose unique shape combinations as a passcode). But it doesn’t stop there:
Apple goes so far as to suggest the possibility of recognizing the user’s distinctive voice or even collecting DNA samples to recognize a user’s genetic sequence. Biometrics could also be context-sensitive and detect the shape of a user’s ear before allowing a call to go through, for example.
Pwn2Own is a hacking contest which in previous years demanded OS exploits on day one, allowed browser vectors on day two (how OS X was compromised last year — thanks Safari!), and opened the floodgates with 3rd party bugware on day three. First person to successfully hack a machine won it as a prize, along with a nice cash bounty for their troubles.
This year, Ars Technica says Pwn2Own is doing something a little different: they’re bringing in the mobiles!
Apple’s iPhone is front and center on their target list, along with the Google Android G1, and devices from the BlackBerry, Symbian, and Windows Phone families. Pwn the mobile and you not only win it, but $10,000 to boot!
Not a lot of solid info on the rules yet, but we’ll keep a look out. Any white hats out there eager to try their luck?
Stealing credit card information is big business so perhaps it should come as no surprise that we’re seeing so many phishing attacks targeted at even niche services like MobileMe. We’ve reported on a bunch of them already, and this latest one is just more of the same.
If you get an email warning you about the status of your account, asking you to verify billing info, or basically asking you anything at all, NEVER click on the link. Always launch your web browser and type in the main URL by hand (i.e. don’t click on the email’s “Login” button, go to Firefox or Safari and type in “http://www.me.com/”). (And yes, DNS can be cache poisoned and localhosts can be overwritten, but depending on how valuable a target you are and how much time you want to invest in proofing yourself, manually entering URLs is a good compromise between convenience and security.)
Apple Insider has all the details for those who want them. Surf safe!
Macrumors is quoting Spiegel.de as saying both that a new security flaw has been found in iPhone OS 2.1 and that a patch will be included in iPhone OS 2.2, due to drop… tomorrow?!
[A] newly announced iPhone vulnerability that can force a (potentially expensive) phone call to be made simply by visiting a webpage in Safari… SIT reports that they notified Apple of the issue a month ago and that a fix will become available on November 21st through a firmware upgrade.
Forbes.com (via TUAW) is claiming Ziphone jailbreak author Piergiorgio Zambrini has found a way to crash the iPhone (and other computer systems, according to Zambrini’s own website) using specially crafted video files:
The bug Zambrini found is in the audio portion of Apple’s video format. Knowing the bug exists, someone could write a program that incorporates the bug into a video file and trigger a crash whenever an iPhone attempts to run that file. The bug, which is located in a shared code library that is used across most Apple operating systems and some Linux ones as well, doesn’t appear to cause any permanent damage, but immediately sends the device into a panic that leads to a lengthy reboot.
Since it crashed the device and not just the app, one security expert quoted feels it’s a kernel vulnerability that’s been discovered. Zambrini, who paradoxically claims both to have applied for a job with Apple’s security team and that working for Apple is not his goal, is apparently exploring the vulnerability as a way to inject malicious code.
Lovely.
Howsabout next time we be a little more responsible and keep the information confidential, alerting only the OS makers involved, giving them a reasonable amount of time to patch the problem before we put real world end-users at risk by alerting bad guys to potential exploits, b’okay?