  1. #1
    John Navas
    Guest
    <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>

    Security shortcomings in the design of Apple's iPhone might make it
    easier to mount phishing and cross-site scripting attacks.

    The iPhone's email client only displays the first few characters of a
    weblink, a factor researchers at Fortify Software warn makes it
    easier to hide a fraudulent URL at the end of a link without arousing
    suspicion.

    The mechanism the iPhone uses to link between web browser and
    telephone functions also makes it easier to embed scam telephone
    numbers within sites, which a user may be prompted to dial.

    Fortify says the security shortcomings of the iPhone mean users are
    exposed to risk from relatively simple phishing techniques, either by
    accidentally clicking through to fraudulent websites or unwittingly
    making expensive premium line calls.

    "Without immediate attention, this problem could lead to a deluge of
    hackers attempting to mimic native iPhone applications and gain
    access to other personal information such as contacts, photos, and
    maybe even the phone's physical location," Fortify chief scientist
    Brian Chess said.

    [MORE]

    --
    Best regards, FAQ FOR CINGULAR WIRELESS:
    John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
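
As an added illustration (not part of the original post or of the quoted article), here is one way a mail or web filter could flag the two link patterns the article describes: a URL whose real host falls outside the part a truncating client displays, and a tel: link that dials a premium-rate number. The display width, the trusted-domain list, the premium prefixes and all sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumptions, not values from the article (it says only "the first few characters").
DISPLAY_CHARS = 32                     # how much of a link the client shows
TRUSTED = ("bank.example",)            # domains the recipient expects to see
PREMIUM_PREFIXES = ("+1900", "1900")   # sample premium-rate prefixes


def shown(url, width=DISPLAY_CHARS):
    """Text a client that truncates link targets would display."""
    return url if len(url) <= width else url[:width] + "..."


def check_link(url, width=DISPLAY_CHARS):
    """Return a list of findings for one link taken from a message or page."""
    findings = []

    # Dial links: tapping them hands the number to the phone application.
    if url.lower().startswith("tel:"):
        number = "".join(c for c in url[4:] if c.isdigit() or c == "+")
        findings.append("dial-link")
        if number.startswith(PREMIUM_PREFIXES):
            findings.append("premium-rate-number")
        return findings

    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # Anything before "@" is credentials, not the host, but reads like one.
    if parts.username is not None:
        findings.append("userinfo-before-host")

    # If the authority ends past the visible width, the registrable domain
    # (the right-hand end of the host name) is hidden from the user.
    if parts.netloc and len(parts.scheme) + 3 + len(parts.netloc) > width:
        findings.append("host-cut-off")

    # A trusted name in the visible part while the real host is elsewhere.
    visible = url[:width].lower()
    for domain in TRUSTED:
        is_trusted = host == domain or host.endswith("." + domain)
        if domain in visible and not is_trusted:
            findings.append("trusted-name-shown-but-host-differs")
    return findings


if __name__ == "__main__":
    # Constructed sample links using reserved example/test names and numbers.
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example.account-check.attacker.test/confirm",
        "http://www.bank.example@attacker.test/login",
        "tel:+1-900-555-0100",
    ]
    for link in samples:
        print(f"{shown(link):38} {check_link(link) or 'ok'}")
```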







  2. #2
    Todd Allcock
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
    > <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
    >
    > Security shortcomings in the design of Apple's iPhone might make it
    > easier to mount phishing and cross-site scripting attacks.



    While it may be true, I think "proprietary" OS devices like
    Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
    because they are essentially immune from virii, trojans, keyloggers, etc.
    targeted at Wintel boxes.

    I know when curiosity leads me to investigate a scam site I do it from
    my WinMo phone knowing that whatever they intend to throw at me isn't
    likely to even run on my device, and in the off chance it were to target
    WinMo, my phone can't execute it without my permission.


    > The iPhone's email client only displays the first few characters of a
    > weblink, a factor researchers at Fortify Software warn makes it
    > easier to hide a fraudulent URL at the end of a link without arousing
    > suspicion.



    I'm far more comfortable with any exploit that requires my stupidity to
    assist it, than, say, something embedded in a macro that might attempt to
    execute silently.

    > Fortify says the security shortcomings of the iPhone mean users are
    > exposed to risk from relatively simple phishing techniques, either by
    > accidentally clicking through to fraudulent websites or unwittingly
    > making expensive premium line calls.



    While interesting, it still requires user-interaction, which should be
    easily defeated by education and "safe computing" practices.

    > "Without immediate attention, this problem could lead to a deluge of
    > hackers attempting to mimic native iPhone applications and gain
    > access to other personal information such as contacts, photos, and
    > maybe even the phone's physical location," Fortify chief scientist
    > Brian Chess said.



    I love how every two-bit consulting and/or marketing firm is chafing at
    the bit to "report" iPhone information and get their name out there!

    The iPhone seems no less "secure" than any other smartphone that can
    execute a system command (like dialing the phone!) from a clickable link.
    Did "Fortify Software" issue these press releases for Blackberries,
    Treos and iPaq phones as well?


    The Register seems to enjoy "reporting" any anti-iPhone news they can find.
    What iPhone-shaped bug crawled up their hindquarters?



    --
    Posted via a free Usenet account from http://www.teranews.com




  3. #3
    Jeffrey Kaplan
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    It is alleged that Todd Allcock claimed:

    > While it may be true, I think "proprietary" OS devices like
    > Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
    > because they are essentially immune from virii, trojans, keyloggers, etc.
    > targeted at Wintel boxes.


    Well, duh... if it's targeted at a Wintel box, it won't work on any
    other device. The quoted article is specifying things targeted
    directly to the iPhone.

    > The Register seems to enjoy "reporting" any anti-iPhone news they can find.
    > What iPhone-shaped bug crawled up their hindquarters?


    The Reg rarely, in my experience, fawns over new equipment. The only
    times I recall them doing so was when the item in question was truly
    nothing more than a technotoy, with no pretensions of actual productive
    use. Remember, their motto is "Biting the hand that feeds IT".

    --
    Jeffrey Kaplan www.gordol.org
    The from userid is killfiled Send personal mail to gordol

    "When our vice president had a disagreement with a Democratic senator,
    he used a really bad word. If I said that word, I would be put in a
    timeout. I think he should be put in a timeout." - Twelve-year-old
    Ilana Wexler at the DNC, Jul 27, 2004



  4. #4
    Tinman
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    "Todd Allcock" wrote:
    > At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
    >> <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
    >>
    >> Security shortcomings in the design of Apple's iPhone might make it
    >> easier to mount phishing and cross-site scripting attacks.

    >
    >
    > While it may be true, I think "proprietary" OS devices like
    > Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
    > because they are essentially immune from virii, trojans, keyloggers, etc.
    > targeted at Wintel boxes.
    >


    While the virus thing is true it has little to do with phishing designed to
    gather personal info (for those who might fall for that kind of thing).


    --
    Mike





  5. #5
    Todd Allcock
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    At 17 Jul 2007 13:30:39 -0700 Tinman wrote:

    > > While it may be true, I think "proprietary" OS devices like
    > > Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
    > > because they are essentially immune from virii, trojans, keyloggers, etc.
    > > targeted at Wintel boxes.
    > >
    >
    > While the virus thing is true it has little to do with phishing designed to
    > gather personal info (for those who might fall for that kind of thing).


    Fair enough, but my (badly made!) point was that the iPhone is no more
    vulnerable to that type of user stupidity than a Treo or a Blackberry.
    Why is it "news" that stupid people can do stupid things on an iPhone?
    If you really think that the Bank of America needs you to enter all of your
    personal info to "confrom suspicious activitys on your accounds" when you
    don't even bank there in the first place, you're perhaps not ready for an
    iPhone, or ANY phone except maybe a Firefly!


    I just think a lot of consulting firms are getting their names out there
    for their "revelations" about the iPhone.

    I'm waiting for something like "Medical technology consulting firm
    Meditech Group released their findings today that despite the hype
    surrounding the iPhone launch, the iPhone has not shown any ability to
    cure cancer. Officials at Apple and AT&T have not returned our request
    for a statement..."


    --
    Posted via a free Usenet account from http://www.teranews.com




  6. #6
    Todd Allcock
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    At 17 Jul 2007 16:18:38 -0400 Jeffrey Kaplan wrote:

    > Well, duh... if it's targeted at a Wintel box, it won't work on any
    > other device. The quoted article is specifying things targeted
    > directly to the iPhone.


    _Theoretically_ targeted at an iPhone, plus the usual phishing crap we
    all get.


    > The Reg rarely, in my experience, fawns over new equipment.


    Fair enough.

    > The only
    > times I recall them doing so was when the item in question was truly
    > nothing more than a technotoy, with no pretensions of actual productive
    > use. Remember, their motto is "Biting the hand that feeds IT".



    True- it just seems there are enough legit nits to pick with the iPhone
    that you don't need to, well, "phish" for more! ;-)




    --
    Posted via a free Usenet account from http://www.teranews.com




  7. #7
    John Navas
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    On Tue, 17 Jul 2007 12:16:17 -0600, Todd Allcock
    <[email protected]> wrote in
    <[email protected]>:

    >At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
    >> <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
    >>
    >> Security shortcomings in the design of Apple's iPhone might make it
    >> easier to mount phishing and cross-site scripting attacks.

    >
    >While it may be true, I think "proprietary" OS devices like
    >Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
    >because they are essentially immune from virii, trojans, keyloggers, etc.
    >targeted at Wintel boxes.


    It's not a "proprietary" OS -- it's a well-understood UNIX-workalike.
    (See below.)

    >I know when curiosity leads me to investigate a scam site I do it from
    >my WinMo phone knowing that whatever they intend to throw at me isn't
    >likely to even run on my device, and in the off chance it were to target
    >WinMo, my phone can't execute it without my permission.


    There is no such security with _any_ network device. That's the whole
    point of security exploits.

    >> The iPhone's email client only displays the first few characters of a
    >> weblink, a factor researchers at Fortify Software warn makes it
    >> easier to hide a fraudulent URL at the end of a link without arousing
    >> suspicion.

    >
    >I'm far more comfortable with any exploit that requires my stupidity to
    >assist it, than, say, something embedded in a macro that might attempt to
    >execute silently.


    This is only a simple example. "Where there's smoke there's fire."
    Much more dangerous are the unknown and invisible exploits.

    >> Fortify says the security shortcomings of the iPhone mean users are
    >> exposed to risk from relatively simple phishing techniques, either by
    >> accidentally clicking through to fraudulent websites or unwittingly
    >> making expensive premium line calls.

    >
    >While interesting, it still requires user-interaction, which should be
    >easily defeated by education and "safe computing" practices.


    Again, much more dangerous are the unknown and invisible exploits. That
    such simple exploits exist should give you pause, not comfort.

    >> "Without immediate attention, this problem could lead to a deluge of
    >> hackers attempting to mimic native iPhone applications and gain
    >> access to other personal information such as contacts, photos, and
    >> maybe even the phone's physical location," Fortify chief scientist
    >> Brian Chess said.

    >
    >I love how every two-bit consulting and/or marketing firm is chafing at
    >the bit to "report" iPhone information and get their name out there!


    I'd say it's more a matter of protecting users. This wouldn't be
    happening if Apple had subjected the iPhone to 3rd-party scrutiny in
    advance. Thus we get it after the fact.

    >The iPhone seems no less "secure" than any other smartphone that can
    >execute a system command (like dialing the phone!) from a clickable link.


    Based on what, your guess?

    > Did "Fortify Software" issue these press releases for Blackberries,
    >Treos and iPaq phones as well?


    Why not check that out yourself?

    >The Register seems to enjoy "reporting" any anti-iPhone news they can find.
    > What iPhone-shaped bug crawled up their hindquarters?


    Check out how many patches have been rushed out by Apple to deal with
    Mac OS exploits, and then check out what the OS in the iPhone is based
    on.

    --
    Best regards, FAQ FOR CINGULAR WIRELESS:
    John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>



  8. #8
    John Navas
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    On Tue, 17 Jul 2007 15:14:54 -0600, Todd Allcock
    <[email protected]> wrote in
    <[email protected]>:

    >At 17 Jul 2007 13:30:39 -0700 Tinman wrote:


    >> While the virus thing is true it has little to do with phishing designed to
    >> gather personal info (for those who might fall for that kind of thing).

    >
    >Fair enough, but my (badly made!) point was that the iPhone is no more
    >vulnerable to that type of user stupidity than a Treo or a Blackberry.
    >Why is it "news" that stupid people can do stupid things on an iPhone?


    Because Apple professes to be way better than the other guys. That kind
    of hubris inevitably attracts rebuttal.

    >If you really think that the Bank of America needs you to enter all of your
    >personal info to "confrom suspicious activitys on your accounds" when you
    >don't even bank there in the first place, you're perhaps not ready for an
    >iPhone, or ANY phone except maybe a Firefly!


    Or living on the planet? There are lots of people who shouldn't have to
    know that. The problem is that we've created a system for geeks and
    near-geeks, not the "rest of us", for which we IT people should hang our
    heads in shame. No special training is needed to use a microwave oven
    or VCR, and a cell phone shouldn't be any different.

    >I just think a lot of consulting firms are getting their names out there
    >for their "revelations" about the iPhone.


    They are actually looking out for the "rest of us".

    >I'm waiting for something like "Medical technology consulting firm
    >Meditech Group released their findings today that despite the hype
    >surrounding the iPhone launch, the iPhone has not shown any ability to
    >cure cancer. Officials at Apple and AT&T have not returned our request
    >for a statement..."


    No offense, but wild exaggeration doesn't make your case any more
    compelling.

    --
    Best regards, FAQ FOR CINGULAR WIRELESS:
    John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>



  9. #9
    News
    Guest

    Re: NEWS: iPhone becomes phisherman's friend



    Elmo P. Shagnasty wrote:
    > In article <[email protected]>,
    > John Navas <[email protected]> wrote:
    >
    >
    >>Because Apple professes to be way better than the other guys. That kind
    >>of hubris inevitably attracts rebuttal.

    >
    >
    > oh, John. You keep walking right into things as if you can't see them.
    >
    > I can't imagine you didn't see this one. This tells me that you are
    > just plain retarded.
    >
    > (To the lurkers: John professes to be way better/more knowledgeable
    > than anyone else. That kind of hubris inevitably attracts rebuttal,
    > which John is incapable of taking.)
    >



    BUSTED!



  10. #10
    John Navas
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    On Tue, 17 Jul 2007 20:11:46 -0400, "Elmo P. Shagnasty"
    <[email protected]> wrote in
    <[email protected]>:

    >In article <[email protected]>,
    > John Navas <[email protected]> wrote:
    >
    >> Because Apple professes to be way better than the other guys. That kind
    >> of hubris inevitably attracts rebuttal.

    >
    >oh, John. You keep walking right into things as if you can't see them.
    >
    >I can't imagine you didn't see this one. This tells me that you are
    >just plain retarded.
    >
    >(To the lurkers: John professes to be way better/more knowledgeable
    >than anyone else. That kind of hubris inevitably attracts rebuttal,
    >which John is incapable of taking.)


    Not even a nice try. You really are lame. Hopefully you'll grow up in
    time, and stop making yourself look so childish and foolish.

    --
    Best regards,
    John Navas <http:/navasgroup.com>

    "Usenet is like a herd of performing elephants with diarrhea - massive,
    difficult to redirect, awe inspiring, entertaining, and a source of mind
    boggling amounts of excrement when you least expect it." --Gene Spafford



  11. #11
    Jeffrey Kaplan
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    It is alleged that Todd Allcock claimed:

    > Fair enough, but my (badly made!) point was that the iPhone is no more
    > vulnerable to that type of user stupidity than a Treo or a Blackberry.
    > Why is it "news" that stupid people can do stupid things on an iPhone?


    Maybe because it seems that for the first time, it's easier to do
    something stupid on an Apple product than a Windows product?

    --
    Jeffrey Kaplan www.gordol.org
    The from userid is killfiled Send personal mail to gordol

    "Democracies do not remain democracies for long if elected leaders use
    undemocratic methods."- Colin Powell, 4/18/02



  12. #12
    Todd Allcock
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    At 17 Jul 2007 23:36:51 +0000 John Navas wrote:

    > It's not a "proprietary" OS -- it's a well-understood UNIX-workalike.
    > (See below.)



    Perhaps, or perhaps it's a lookalike of a well-understood UNIX-workalike.

    None of us here really knows what it's running- given the horsepower vs.
    the relative snappiness of the device, I assume it's no more running
    "OSX" than my WinMo phone is running Vista.

    > This is only a simple example. "Where there's smoke there's fire."
    > Much more dangerous are the unknown and invisible exploits.


    True- yet if they're "unknown" we don't know if they exist or not.
    Fortify is a third-party security software company warning us that a
    phone that can't run third party apps is insecure. Hmmm... Perhaps they
    have it 100% right, but the cynic in me thinks it's a bit like the
    National Cattlemens' Association warning me of the health risks involved
    in eating chicken...


    > Again, much more dangerous are the unknown and invisible exploits. That
    > such simple exploits exist should give you pause, not comfort.


    Phishing isn't really an exploit as much as it's a confidence game for
    the 21st century.


    > >I love how every two-bit consulting and/or marketing firm is chafing at
    > >the bit to "report" iPhone information and get their name out there!

    >
    > I'd say it's more a matter of protecting users. This wouldn't be
    > happening if Apple had subjected the iPhone to 3rd-party scrutiny in
    > advance. Thus we get it after the fact.



    Perhaps. But it smacks of self-serving to me.

    > >The iPhone seems no less "secure" than any other smartphone that can
    > >execute a system command (like dialing the phone!) from a clickable link.
    >
    > Based on what, your guess?



    Yes. An edumicated guess based on the fact the thing abhors 3rd-party
    software, disallows the saving of e-mail attachments on the device
    itself, and lacks java or flash support, minimizing the chance of any
    executables sneaking on the device. Even the Weblets or whatever they
    call them seem pretty anemic so far.

    > > Did "Fortify Software" issue these press releases for Blackberries,
    > >Treos and iPaq phones as well?

    >
    > Why not check that out yourself?


    Actually I tried- their press releases didn't turn up anything nor did a
    Google search in the amount of time I was willing to give it (very
    little.)

    > >The Register seems to enjoy "reporting" any anti-iPhone news they can find.
    > > What iPhone-shaped bug crawled up their hindquarters?

    >
    > Check out how many patches have been rushed out by Apple to deal with
    > Mac OS exploits, and then check out what the OS in the iPhone is based
    > on.


    ....or looks like. Windows Mobile has been around for over ten years, is
    "based on" a very exploitable OS that's been patched more times than your
    great-grandmother's quilt, and yet hasn't had a single exploit launched
    against it other than a single proof-of-concept virus that required the
    user to actually run the install file. Forgive me for thinking the
    iPhone is probably relatively safe for the time-being.



    --
    Posted via a free Usenet account from http://www.teranews.com




  13. #13
    Tinman
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    "Todd Allcock" <[email protected]> wrote in message
    news:[email protected]...
    > At 17 Jul 2007 23:36:51 +0000 John Navas wrote:
    >
    >> It's not a "proprietary" OS -- it's a well-understood UNIX-workalike.
    >> (See below.)

    >
    >
    > Perhaps, or perhaps it's a lookalike of a well-understood UNIX-workalike.
    >
    > None of us here really knows what it's running- given the horsepower vs.
    > the relative snappiness of the device, I assume it's no more running
    > "OSX" than my WinMo phone is running Vista.


    I believe it's a bit more than the WinMob Vs. full Windows scenario. The
    iPhone's OS footprint is around 700 MB. Seems to be about 5-10x more space
    than a WinMob device.


    --
    Mike





  14. #14
    Todd Allcock
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    At 18 Jul 2007 11:08:59 -0700 Tinman wrote:

    > I believe it's a bit more than the WinMob Vs. full Windows scenario. The
    > iPhone's OS footprint is around 700 MB. Seems to be about 5-10x more space
    > than a WinMob device.


    Fair enough. That would make sense given the power of some of the
    included apps like Safari.
    I suspect, however, OSX takes up more than 700MB of space on a Mac- my
    point was despite the name "OSX" on the iPhone OS, it isn't the full
    equivalent of the desktop version.


    --
    Posted via a free Usenet account from http://www.teranews.com




  15. #15
    Kurt
    Guest

    Re: NEWS: iPhone becomes phisherman's friend

    In article <[email protected]>,
    Todd Allcock <[email protected]> wrote:

    > At 18 Jul 2007 11:08:59 -0700 Tinman wrote:
    >
    > > I believe it's a bit more than the WinMob Vs. full Windows scenario. The
    > > iPhone's OS footprint is around 700 MB. Seems to be about 5-10x more space
    > > than a WinMob device.

    >
    > Fair enough. That would make sense given the power of some of the
    > included apps like Safari.
    > I suspect, however, OSX takes up more than 700MB of space on a Mac- my
    > point was despite the name "OSX" on the iPhone OS, it isn't the full
    > equivalent of the desktop version.


    Yes, though OSX (only one version) is not as bloaty as Vista (whichever
    of the many different versions they offer), it still takes up some space.

    Even better is that there still are no real viruses for Mac (you hear
    rumors, but they never seem to transpire). I shudder to think the grief
    I'd have with a PC open to the Internet.

    The only bad thing is that with the popularity of the Mac OS in the
    iPhone, there will be the kids trying to destroy it. Hopefully they can
    keep their testosterone-fueled acts directed at Microsoft.

    --
    To reply by email, remove the word "space"


