NEWS: iPhone becomes phisherman's friend

 
 
John Navas
Guest
Posts: n/a

 
      07-17-2007, 04:14 PM
<http://www.theregister.com/2007/07/17/iphone_phishing_risk/>

Security shortcomings in the design of Apple's iPhone might make it
easier to mount phishing and cross-site scripting attacks.

The iPhone's email client only displays the first few characters of a
weblink, a factor researchers at Fortify Software warn makes it
easier to hide a fraudulent URL at the end of a link without arousing
suspicion.

The mechanism the iPhone uses to link between web browser and
telephone functions also makes it easier to embed scam telephone
numbers within sites, which a user may be prompted to dial.

Fortify says the security shortcomings of the iPhone mean users are
exposed to risk from relatively simple phishing techniques, either by
accidentally clicking through to fraudulent websites or unwittingly
making expensive premium line calls.

"Without immediate attention, this problem could lead to a deluge of
hackers attempting to mimic native iPhone applications and gain
access to other personal information such as contacts, photos, and
maybe even the phone's physical location," Fortify chief scientist
Brian Chess said.

[MORE]

--
Best regards, FAQ FOR CINGULAR WIRELESS:
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
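A defender-side check for the two risks the quoted article describes: a mail client that shows only the start of a link, and links that dial a number. This is an added example, not part of the original post or of Fortify's research. The 24-character display width, the use of the `tel:` URI scheme for dial links, and the names `auditLink` and `auditAll` are assumptions, and the sample links are constructed.

```javascript
// Added example: flag links whose real host a truncated display would hide,
// and links that dial a number. All sample links below are constructed.
const VISIBLE_CHARS = 24; // assumed width; the article says only "first few characters"

function auditLink(rawHref, visibleChars = VISIBLE_CHARS) {
  const href = rawHref.trim();
  const result = { href, shown: href.slice(0, visibleChars), findings: [] };
  let url;
  try {
    url = new URL(href);
  } catch {
    result.findings.push("unparseable");
    return result;
  }
  if (url.protocol === "tel:") {
    // Assumption: dial links use the tel: scheme; surface the full number.
    result.number = url.pathname;
    result.findings.push("dial-link");
    return result;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    result.findings.push("unexpected-scheme");
    return result;
  }
  result.host = url.hostname;
  // "https://trusted-name@other-host/" puts a familiar name before the real host.
  if (url.username || url.password) result.findings.push("userinfo-in-url");
  // Locate where the authority (userinfo + host + port) ends in the raw string.
  const authStart = /^[a-z][a-z0-9+.\-]*:[\/\\]*/i.exec(href)[0].length;
  const rest = href.slice(authStart);
  const cut = rest.search(/[\/\\?#]/);
  const authEnd = authStart + (cut === -1 ? rest.length : cut);
  // If the authority runs past the visible window, the reader cannot see
  // which domain the link really belongs to.
  if (authEnd > visibleChars) result.findings.push("host-truncated");
  return result;
}

const SAMPLE_LINKS = [
  "https://www.example.com/login",
  "https://www.example.com.account-verify.example.net/login",
  "https://www.example.com@198.51.100.7/",
  "tel:+19005550100",
];

function auditAll(links = SAMPLE_LINKS) {
  return links.map((link) => auditLink(link));
}
```

A mail filter or client could use the `host-truncated` finding to show the full hostname before the link is opened, and the `dial-link` finding to show the full number before dialing.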
 
Todd Allcock
Guest
Posts: n/a

 
      07-17-2007, 06:16 PM
At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
> <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
>
> Security shortcomings in the design of Apple's iPhone might make it
> easier to mount phishing and cross-site scripting attacks.



While it may be true, I think "proprietary" OS devices like
Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
because they are essentially immune from viruses, trojans, keyloggers, etc.
targeted at Wintel boxes.

I know when curiosity leads me to investigate a scam site I do it from
my WinMo phone knowing that whatever they intend to throw at me isn't
likely to even run on my device, and in the off chance it were to target
WinMo, my phone can't execute it without my permission.


> The iPhone's email client only displays the first few characters of a
> weblink, a factor researchers at Fortify Software warn makes it
> easier to hide a fraudulent URL at the end of a link without arousing
> suspicion.



I'm far more comfortable with any exploit that requires my stupidity to
assist it, than, say, something embedded in a macro that might attempt to
execute silently.

> Fortify says the security shortcomings of the iPhone mean users are
> exposed to risk from relatively simple phishing techniques, either by
> accidentally clicking through to fraudulent websites or unwittingly
> making expensive premium line calls.



While interesting, it still requires user-interaction, which should be
easily defeated by education and "safe computing" practices.

> "Without immediate attention, this problem could lead to a deluge of
> hackers attempting to mimic native iPhone applications and gain
> access to other personal information such as contacts, photos, and
> maybe even the phone's physical location," Fortify chief scientist
> Brian Chess said.



I love how every two-bit consulting and/or marketing firm is chafing at
the bit to "report" iPhone information and get their name out there!

The iPhone seems no less "secure" than any other smartphone that can
execute a system command (like dialing the phone!) from a clickable link.
Did "Fortify Software" issue these press releases for Blackberries,
Treos and iPaq phones as well?


The Register seems to enjoy "reporting" any anti-iPhone news they can find.
What iPhone-shaped bug crawled up their hindquarters?



--
Posted via a free Usenet account from http://www.teranews.com

 
Jeffrey Kaplan
Guest
Posts: n/a

 
      07-17-2007, 08:18 PM
It is alleged that Todd Allcock claimed:

> While it may be true, I think "proprietary" OS devices like
> Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
> because they are essentially immune from viruses, trojans, keyloggers, etc.
> targeted at Wintel boxes.


Well, duh... if it's targeted at a Wintel box, it won't work on any
other device. The quoted article is specifying things targeted
directly to the iPhone.

> The Register seems to enjoy "reporting" any anti-iPhone news they can find.
> What iPhone-shaped bug crawled up their hindquarters?


The Reg rarely, in my experience, fawns over new equipment. The only
times I recall them doing so was when the item in question was truly
nothing more than a technotoy, with no pretensions of actual productive
use. Remember, their motto is "Biting the hand that feeds IT".

--
Jeffrey Kaplan www.gordol.org
The from userid is killfiled Send personal mail to gordol

"When our vice president had a disagreement with a Democratic senator,
he used a really bad word. If I said that word, I would be put in a
timeout. I think he should be put in a timeout." - Twelve-year-old
Ilana Wexler at the DNC, Jul 27, 2004
 
Tinman
Guest
Posts: n/a

 
      07-17-2007, 08:30 PM
"Todd Allcock" wrote:
> At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
>> <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
>>
>> Security shortcomings in the design of Apple's iPhone might make it
>> easier to mount phishing and cross-site scripting attacks.

>
>
> While it may be true, I think "proprietary" OS devices like
> Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
> because they are essentially immune from viruses, trojans, keyloggers, etc.
> targeted at Wintel boxes.
>


While the virus thing is true it has little to do with phishing designed to
gather personal info (for those who might fall for that kind of thing).


--
Mike


 
Todd Allcock
Guest
Posts: n/a

 
      07-17-2007, 09:14 PM
At 17 Jul 2007 13:30:39 -0700 Tinman wrote:

> > While it may be true, I think "proprietary" OS devices like
> > Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
> > because they are essentially immune from viruses, trojans, keyloggers, etc.
> > targeted at Wintel boxes.
>
> While the virus thing is true it has little to do with phishing designed to
> gather personal info (for those who might fall for that kind of thing).


Fair enough, but my (badly made!) point was that the iPhone is no more
vulnerable to that type of user stupidity than a Treo or a Blackberry.
Why is it "news" that stupid people can do stupid things on an iPhone?
If you really think that the Bank of America needs you to enter all of your
personal info to "confrom suspicious activitys on your accounds" when you
don't even bank there in the first place, you're perhaps not ready for an
iPhone, or ANY phone except maybe a Firefly!


I just think a lot of consulting firms are getting their names out there
for their "revelations" about the iPhone.

I'm waiting for something like "Medical technology consulting firm
Meditech Group released their findings today that despite the hype
surrounding the iPhone launch, the iPhone has not shown any ability to
cure cancer. Officials at Apple and AT&T have not returned our request
for a statement..."


--
Posted via a free Usenet account from http://www.teranews.com

 
Todd Allcock
Guest
Posts: n/a

 
      07-17-2007, 09:51 PM
At 17 Jul 2007 16:18:38 -0400 Jeffrey Kaplan wrote:

> Well, duh... if it's targeted at a Wintel box, it won't work on any
> other device. The quoted article is specifying things targeted
> directly to the iPhone.


_Theoretically_ targeted at an iPhone, plus the usual phishing crap we
all get.


> The Reg rarely, in my experience, fawns over new equipment.


Fair enough.

> The only
> times I recall them doing so was when the item in question was truly
> nothing more than a technotoy, with no pretensions of actual productive
> use. Remember, their motto is "Biting the hand that feeds IT".



True- it just seems there are enough legit nits to pick with the iPhone
that you don't need to, well, "phish" for more! ;-)




--
Posted via a free Usenet account from http://www.teranews.com

 
John Navas
Guest
Posts: n/a

 
      07-17-2007, 11:36 PM
On Tue, 17 Jul 2007 12:16:17 -0600, Todd Allcock wrote:

>At 17 Jul 2007 16:14:12 +0000 John Navas wrote:
>> <http://www.theregister.com/2007/07/17/iphone_phishing_risk/>
>>
>> Security shortcomings in the design of Apple's iPhone might make it
>> easier to mount phishing and cross-site scripting attacks.

>
>While it may be true, I think "proprietary" OS devices like
>Palm/WinMo/iPhones PDAs are generally MORE secure than laptop/desktop PCs
>because they are essentially immune from viruses, trojans, keyloggers, etc.
>targeted at Wintel boxes.


It's not a "proprietary" OS -- it's a well-understood UNIX-workalike.
(See below.)

>I know when curiosity leads me to investigate a scam site I do it from
>my WinMo phone knowing that whatever they intend to throw at me isn't
>likely to even run on my device, and in the off chance it were to target
>WinMo, my phone can't execute it without my permission.


There is no such security with _any_ network device. That's the whole
point of security exploits.

>> The iPhone's email client only displays the first few characters of a
>> weblink, a factor researchers at Fortify Software warn makes it
>> easier to hide a fraudulent URL at the end of a link without arousing
>> suspicion.

>
>I'm far more comfortable with any exploit that requires my stupidity to
>assist it, than, say, something embedded in a macro that might attempt to
>execute silently.


This is only a simple example. "Where there's smoke there's fire."
Much more dangerous are the unknown and invisible exploits.

>> Fortify says the security shortcomings of the iPhone mean users are
>> exposed to risk from relatively simple phishing techniques, either by
>> accidentally clicking through to fraudulent websites or unwittingly
>> making expensive premium line calls.

>
>While interesting, it still requires user-interaction, which should be
>easily defeated by education and "safe computing" practices.


Again, much more dangerous are the unknown and invisible exploits. That
such simple exploits exist should give you pause, not comfort.

>> "Without immediate attention, this problem could lead to a deluge of
>> hackers attempting to mimic native iPhone applications and gain
>> access to other personal information such as contacts, photos, and
>> maybe even the phone's physical location," Fortify chief scientist
>> Brian Chess said.

>
>I love how every two-bit consulting and/or marketing firm is chafing at
>the bit to "report" iPhone information and get their name out there!


I'd say it's more a matter of protecting users. This wouldn't be
happening if Apple had subjected the iPhone to 3rd-party scrutiny in
advance. Thus we get it after the fact.

>The iPhone seems no less "secure" than any other smartphone that can
>execute a system command (like dialing the phone!) from a clickable link.


Based on what, your guess?

> Did "Fortify Software" issue these press releases for Blackberries,
>Treos and iPaq phones as well?


Why not check that out yourself?

>The Register seems to enjoy "reporting" any anti-iPhone news they can find.
> What iPhone-shaped bug crawled up their hindquarters?


Check out how many patches have been rushed out by Apple to deal with
Mac OS exploits, and then check out what the OS in the iPhone is based
on.

--
Best regards, FAQ FOR CINGULAR WIRELESS:
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
 
John Navas
Guest
Posts: n/a

 
      07-17-2007, 11:53 PM
On Tue, 17 Jul 2007 15:14:54 -0600, Todd Allcock wrote in
<291638020620070717211454elecconnec@AmericaOnLine.com>:

>At 17 Jul 2007 13:30:39 -0700 Tinman wrote:


>> While the virus thing is true it has little to do with phishing designed to
>> gather personal info (for those who might fall for that kind of thing).

>
>Fair enough, but my (badly made!) point was that the iPhone is no more
>vulnerable to that type of user stupidity than a Treo or a Blackberry.
>Why is it "news" that stupid people can do stupid things on an iPhone?


Because Apple professes to be way better than the other guys. That kind
of hubris inevitably attracts rebuttal.

>If you really think that the Bank of America needs you to enter all of your
>personal info to "confrom suspicious activitys on your accounds" when you
>don't even bank there in the first place, you're perhaps not ready for an
>iPhone, or ANY phone except maybe a Firefly!


Or living on the planet? There are lots of people who shouldn't have to
know that. The problem is that we've created a system for geeks and
near-geeks, not the "rest of us", for which we IT people should hang our
heads in shame. No special training is needed to use a microwave oven
or VCR, and a cell phone shouldn't be any different.

>I just think a lot of consulting firms are getting their names out there
>for their "revelations" about the iPhone.


They are actually looking out for the "rest of us".

>I'm waiting for something like "Medical technology consulting firm
>Meditech Group released their findings today that despite the hype
>surrounding the iPhone launch, the iPhone has not shown any ability to
>cure cancer. Officials at Apple and AT&T have not returned our request
>for a statement..."


No offense, but wild exaggeration doesn't make your case any more
compelling.

--
Best regards, FAQ FOR CINGULAR WIRELESS:
John Navas <http://en.wikibooks.org/wiki/Cingular_Wireless_FAQ>
 
Elmo P. Shagnasty
Guest
Posts: n/a

 
      07-18-2007, 12:11 AM
John Navas wrote:

> Because Apple professes to be way better than the other guys. That kind
> of hubris inevitably attracts rebuttal.


oh, John. You keep walking right into things as if you can't see them.

I can't imagine you didn't see this one. This tells me that you are
just plain retarded.

(To the lurkers: John professes to be way better/more knowledgeable
than anyone else. That kind of hubris inevitably attracts rebuttal,
which John is incapable of taking.)

 
News
Guest
Posts: n/a

 
      07-18-2007, 12:12 AM


Elmo P. Shagnasty wrote:
> John Navas wrote:
>
>
>>Because Apple professes to be way better than the other guys. That kind
>>of hubris inevitably attracts rebuttal.

>
>
> oh, John. You keep walking right into things as if you can't see them.
>
> I can't imagine you didn't see this one. This tells me that you are
> just plain retarded.
>
> (To the lurkers: John professes to be way better/more knowledgeable
> than anyone else. That kind of hubris inevitably attracts rebuttal,
> which John is incapable of taking.)
>



BUSTED!
 