Technological convergence came full circle with the release of the iPhone, Apple's newest wonder gadget. Arguably the most anticipated product of 2007 so far, the iPhone is a multimedia & Internet-enabled mobile phone that brings Apple into the mobile telecommunications market. While Apple plans to capture a 1% share of the global mobile phone market (roughly 10 million units) in its first year of availability, several analysts have forecast even greater numbers given the iPod's amazing success.
With all the hype surrounding the iPhone, security researchers are waiting to determine whether it is secure enough to do more than just communicate & entertain. The platforms on which other mobile phones run (such as Linux, Symbian, Palm & Windows Mobile) provide software development kits (SDKs) to 3rd-party vendors so that they may create compatible applications. Hackers have easy access to these platform blueprints, which lets them find vulnerabilities in the system through which to inject malware. Some malware creators leveraged the hype early without even creating malware for the device itself. On June 30, 2007, researchers reported the discovery of a pop-up ad disguised as a storefront selling the iPhone.
Triggered when visiting Google.com.my or Yahoo.com.my, the Trojan generated a pop-up ad that referred interested iPhone buyers to a phony Web site. The malware authors took the money from confirmed purchases, & the buyers received nothing in return. A few months later, SDA Asia reported an e-mail spam version of this malware. It tried to improve its chances of successful installation by exploiting over 10 ActiveX vulnerabilities to install its malicious payload. Other features included the use of XOR encryption & multiple fake Web sites to thwart detection. Apple developed the iPhone without releasing a software development kit (SDK), meaning developers & hackers alike will not find it easy to develop applications or malware for the iPhone.
However, days after its launch, Errata Security reported that one of the applications on the iPhone contained one of the vulnerabilities found in the beta version of Apple's Safari 3 browser. This vulnerability, when successfully exploited, may allow a remote attacker to take control of Safari 3 & execute code of their choice. Safari is the 3rd most popular Web browser, with almost 5% market share as of May 2007 (according to Net Applications). Hours after the release of the Safari 3 Beta for Mac & Windows on June 12, independent security researcher Thor Larholm found a zero-day vulnerability relating to the URL (uniform resource locator) protocol handler in the Windows version.
Another researcher, Errata Security, found 6 other vulnerabilities in the Windows version - 4 of which could allow denial of service (DoS) attacks, while the other 2 could allow remote code execution on the affected system. The bugs found in the Windows version of Safari may affect the iPhone, as loopholes in one version can easily be located in another. Furthermore, the iPhone runs on Mac OS X, which has several issues of its own, & it is likely that these will be encountered on the iPhone as well. These vulnerabilities may offset Apple's closed platform strategy, as they provide hackers with material to explore.
The Safari 3 & iPhone vulnerabilities, combined with the malware events, seem to tell the world that Apple products are popular enough to serve as prime targets for lucrative exploits & bugs. It is wise to expect additional attacks in the future as the iPhone rolls out & its availability & popularity increase.
Jun 16, 2008
Jun 15, 2008
Yahoo! & eBay move to block phishers
Yahoo! Inc is working with auction leader eBay Inc & its PayPal payments unit to block fake e-mail messages to users purporting to be from eBay & PayPal, hoping to spur on an industry that has been slow to fight the scourge of so-called phishing attacks. eBay & PayPal have upgraded their computer systems to support an emerging technology standard known as DomainKeys, invented by Yahoo!, which authenticates that e-mail senders are who they say they are, allowing Yahoo! to block fake e-mail messages. The technology upgrade will be made available to Yahoo! Mail users worldwide over the next several weeks. It is a big step forward for consumers in defense against the bad guys.
Along with banks & pharmaceutical makers, eBay & PayPal are among the brands most targeted by phishers seeking to trick consumers into divulging personal information such as credit card or password data in order to commit financial fraud. Over the past decade, phishing has been clogging the inboxes of e-mail users worldwide with ever more sophisticated attempts to fool users into clicking on fraudulent sites or giving up personal financial details to commit fraud. But to date, many of the defenses put forward by security software vendors & industry consortiums have failed to take hold with e-mail senders due to their complexity or costliness, or political infighting over standards, leaving individual consumers always guessing which e-mail may be real or fake.
A PayPal official said Yahoo!'s system provides a way of automatically detecting potential phishing attacks without relying on the consumer to do anything new. If the consumer doesn't receive an e-mail in their inbox, then it is very hard for the phisher to victimise them.
Fear of blocking
2 camps have emerged among technology providers seeking to develop a coherent approach to identifying e-mail senders. One, backed by Yahoo! & Cisco Systems Inc, along with AOL, Google Inc, IBM Corp, Sendmail & VeriSign Inc, is the DomainKeys Identified Mail (DKIM) technology, which allows e-mail providers to identify the web domain from which a sender has sent e-mail. A 2nd standard, known as Sender Policy Network (SPF), has been led by Microsoft Corp, which offers its own version of SPF known as Sender ID. SPF-based protections are used by Amazon, AOL, GoDaddy & eBay, which supports both DKIM & SPF. DomainKeys relies on more sophisticated cryptography than the Microsoft-supported approach.
This sophistication can make DomainKeys harder for websites to install, but it offers greater long-term defense against phishing attacks. So far, most consumers have installed sender authentication inside their e-mail systems as a monitoring tool but do not block e-mail, for fear of false positives mistakenly treating legitimate customer messages as phishing attempts. However, despite the industry disagreements, an underlying consensus is emerging among software vendors, Internet service providers & corporate websites that digital e-mail signing in one form or another is the best shot at combating phishing.
2 years ago if you asked companies whether they were using e-mail authentication, most people wouldn't have cared. Today if you ask most organisations if they think it is a good thing people would say, 'Yes'. The industry is slowly coming around. eBay & PayPal are some of the first to actively block unauthenticated e-mail messages.
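The monitor-versus-block trade-off described above, as an added example that is not part of the original post or of any Yahoo!, eBay or PayPal system: a receiver-side policy in Python that reads the SPF and DKIM results an MTA records in an Authentication-Results header (an assumption here; the post does not mention that header), requires the passing domain to align with the visible From: domain, and rejects only for brands whose policy is set to block. The domain names and the policy table are constructed sample data.

```python
"""Receiver-side sender-authentication policy (added illustration). Assumes the MTA
already evaluated SPF and DKIM and recorded the results in an Authentication-Results
header (RFC 8601 style); domains and the policy table are constructed sample data."""
import re
from dataclasses import dataclass

# Constructed per-brand policy: "monitor" only logs failures, "block" rejects them.
POLICY = {"shop-example.test": "block", "pay-example.test": "block", "bank-example.test": "monitor"}

@dataclass
class AuthResult:
    from_domain: str   # domain of the visible From: header
    spf: str           # pass / fail / softfail / none
    spf_domain: str    # envelope-sender domain SPF was checked against
    dkim: str          # pass / fail / none
    dkim_domain: str   # d= tag of the verified DKIM signature, or ""

def parse_auth_results(header: str, from_domain: str) -> AuthResult:
    """Pull the spf= and dkim= clauses out of an Authentication-Results value."""
    res = {"spf": ("none", ""), "dkim": ("none", "")}
    for clause in header.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if m:
            dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.-]+)", clause)
            res[m.group(1)] = (m.group(2).lower(), dom.group(1).lower() if dom else "")
    return AuthResult(from_domain.lower(), *res["spf"], *res["dkim"])

def authenticated(r: AuthResult) -> bool:
    """A pass counts only if the passing domain aligns with the From: domain. DKIM survives
    forwarding while SPF usually does not, so honouring either avoids a false positive."""
    aligned = lambda d: d == r.from_domain or d.endswith("." + r.from_domain)
    return (r.dkim == "pass" and aligned(r.dkim_domain)) or \
           (r.spf == "pass" and aligned(r.spf_domain))

def decide(r: AuthResult) -> str:
    mode = POLICY.get(r.from_domain)
    if mode is None or authenticated(r):
        return "deliver"
    return "reject" if mode == "block" else "log-only"   # monitor mode never blocks

SAMPLES = [  # constructed (From domain, Authentication-Results value) pairs
    ("shop-example.test", "mx.test; spf=pass smtp.mailfrom=shop-example.test; dkim=pass header.d=shop-example.test"),
    ("shop-example.test", "mx.test; spf=fail smtp.mailfrom=evil-host.test; dkim=none"),  # spoofed
    ("shop-example.test", "mx.test; spf=fail smtp.mailfrom=lists.partner.test; dkim=pass header.d=shop-example.test"),
    ("bank-example.test", "mx.test; spf=fail smtp.mailfrom=evil-host.test; dkim=none"),  # monitor mode
    ("pay-example.test", "mx.test; spf=pass smtp.mailfrom=evil-host.test; dkim=none"),   # SPF pass, not aligned
]

def run(samples=SAMPLES) -> list:
    return [decide(parse_auth_results(hdr, dom)) for dom, hdr in samples]
```

The third sample is the false-positive case the post describes: a legitimate message relayed through a partner's list fails SPF but still passes DKIM, so it is delivered rather than rejected.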