Search This Blog
Monday, July 23, 2007
LHC- My Space & Earth: Security flaw found in iPhone
Security flaw found in iPhone
The researchers at Independent Security Evaluators, which test the security of devices by hacking them, found that the Wi-Fi connectivity of the iPhone allowed them to take control of it and mine the wealth of private information the phones contain. The researchers also said that they could redirect users to a malicious Web site that could also circumvent the security on the phone.
The story quotes Lynn Fox, spokeswoman for Apple, saying, "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."
Shortly after the iPhone was released, a group of security researchers at Independent Security Evaluators decided to investigate how hard it would be for a remote adversary to compromise the private information stored on the device. Within two weeks of part time work, we had successfully discovered a vulnerability, developed a toolchain for working with the iPhone's architecture (which also includes some tools from the #iphone-dev community), and created a proof-of-concept exploit capable of delivering files from the user's iPhone to a remote attacker. We have notified Apple of the vulnerability and proposed a patch. Apple is currently looking into it.
A member of our team, Dr. Charlie Miller, will be presenting the full details of discovering the vulnerability and creating the exploit at BlackHat on August 2nd. This site will be updated to reflect those details at that time; until then, we have decided only to release general information about exploiting the iPhone.
How the exploit works
The exploit is delivered via a malicious web page opened in the Safari browser on the iPhone. There are several delivery vectors that an attacker might utilize to get a victim to open such a web page. For example:
An attacker controlled wireless access point: Because the iPhone learns access points by name (SSID), if a user ever gets near an attacker-controlled access point with the same name (and encryption type) as an access point previously trusted by the user, the iPhone will automatically use the malicious access point. This allows the attacker to add the exploit to any web page browsed by the user by replacing the requested page with a page containing the exploit.
A misconfigured forum website: If a web forum's software is not configured to prevent users from including potentially dangerous data in their posts, an attacker could cause the exploit to run in any iPhone browser that viewed the thread. (This would require some slight changes in our proof of concept exploit, however.)
A link delivered via e-mail or SMS: If an attacker can trick a user into opening a website that the attacker controls, the attacker can easily embed the exploit into the main page of the website.
When the iPhone's version of Safari opens the malicious web page, arbitrary code embedded in the exploit is run with administrative privileges. In our proof of concept, this code reads the log of SMS messages, the address book, the call history, and the voicemail data. It then transmits all this information to the attacker. However, this code could be replaced with code that does anything that the iPhone can do. It could send the user's mail passwords to the attacker, send text messages that sign the user up for pay services, or record audio that could be relayed to the attacker
MICROSOFT is moving to protect consumer privacy in web search and advertising and has called on the internet industry to support it.
MICROSOFT is moving to protect consumer privacy in web search and advertising and has called on the internet industry to support it.
Microsoft said it was responding to public concern over the recent consolidation of the online ad industry as well as stepped-up interest from government regulators in its call for a comprehensive rather than piecemeal approach to privacy.
"We think it's time for an industry-wide dialogue," Peter Cullen, Microsoft's chief privacy officer, said in an interview. "The current patchwork of protections and how companies explain them is really confusing to consumers."
Specifically, Microsoft said it would make all web search query data anonymous after 18 months on its "Live Search" service, unless it receives user consent to store it longer. The policy changes are retroactive and worldwide, it said.
Microsoft planned to store customer search data separately from data tied to people, email addresses or phone numbers and take steps to ensure no unauthorised correlation of these types of data could be made. It would also permanently remove "cookie" user identification data, web address, or other identifiers.
"Microsoft is going to do a more thorough scrub of customer data once it is too old," said Peter Swire, a law professor at Ohio State University who served as US privacy czar in the 1990s. "Previously, the practice was to do a partial scrub."
As part of Microsoft's push, Ask.com, the web search business of Barry Diller's IAC/InterActiveCorp, has agreed to join Microsoft in calling on the industry to adopt a common set of privacy practices for data collection, commercial use and consumer protection in search and online advertising. Last week, it unveiled AskEraser, a service that will allow Ask customers to change their privacy preferences at any time.
Microsoft's initiatives follow recent moves by Google, the dominant provider of web searches and the company most under fire by privacy advocates concerned at how rapid advances in search technology may pose unprecedented threats to consumer privacy.
Google set in motion industry efforts to limit how long web search data is stored by being first to say it will in the future cleanse personal information from its databases after 18 months. Microsoft is one-upping Google by making its move retroactive.
Google has stepped up its own efforts to reach compromises with European Union and US policy-makers in recent months.
Microsoft said it was taking new steps to notify users how technologies affected them, giving users more specific controls over their privacy and setting tighter limits on how long it kept search data. It will also minimise the amount of data it collects via its "Live Search" and online advertisement targeting services.
"Search, itself, is a relatively new business and advertising-supported search, and the issues it raises, are also relatively new," Mr Cullen said. "You have almost a collision of these two things."
Both Google and Microsoft have faced scrutiny from US and European regulators over their plans to merge with major players in the online advertising industry.
Google is seeking approval to buy advertising services firm DoubleClick for $US3.1 billion ($3.5 billion) , a move analysts said would more than double the number of web users to whom it serves up online ads. Similarly, Microsoft plans to buy diversified ad services company aQuantive, a DoubleClick rival, for $US6 billion. A shareholder meeting to approve the deal is set for August.
The DoubleClick deal, in particular, faces congressional hearings over the potential privacy issues that could arise from the concentration of data about consumer web-surfing habits, buying behaviour and advertising data.
Forrester privacy analyst Jennifer Albornoz Mulligan said the internet industry was feeling the heat from customers who were confused by the many conflicting state and federal privacy policies across banking, retail, advertising and elsewhere.
Most consumers had given up reading the detailed privacy notices contained in footnotes on websites because everyone knew that "you can adopt privacy principles without really doing a great job of protecting privacy", Ms Mulligan said.
Mr Cullen said ,Microsoft did not believe a one-size-fits-all approach to online privacy could work. It wanted consumers who sought anonymity online to have the power to do so, while giving customers who prized convenience over anonymity the access to a new class of personalised services that depend on user data.
"People want a high degree of personalisation, but they don't want to feel like they are being surveilled," he said
Back Story of Peter Cullen
REDMOND, Wash., June 23, 2003 — Microsoft Corp. today announced that Peter Cullen, a recognized privacy leader and current corporate privacy officer for Royal Bank of Canada (RBC), is joining the company as chief privacy strategist.
Cullen, who will join Microsoft on July 14, brings more than a decade of experience in privacy and data protection work to Microsoft's Trustworthy Computing initiative. Cullen will report to Scott Charney, chief Trustworthy Computing strategist, working closely with him to help ensure that privacy protections and best practices are incorporated into all Microsoft® products, services, systems and internal processes.
"Peter Cullen has the experience to drive Microsoft's commitment to privacy protections to the next level. With his deep background in privacy and data protection practices and their relationship to customer value, Peter will be an effective advocate for strong and innovative consumer privacy safeguards," Charney said. "We look forward to having Peter apply his experiences and skills to benefit Microsoft's customers and partners through the privacy pillar of our Trustworthy Computing initiative."
Cullen is widely recognized as a pioneer in privacy and helped develop the financial industry's best practices around the collection and use of information. His work resulted in Royal Bank of Canada (RBC) establishing important competitive differentiation that remains an example to several industries.
While at RBC, Cullen established the Corporate Privacy Group and its practices, a first for a Canadian financial institution. He also implemented an integrated privacy management/compliance structure for U.S. operations, which included six affiliate companies. As a result, Cullen helped RBC become recognized as a North American leader in the area of privacy management.
Microsoft's Trustworthy Computing initiative reflects the company's belief that technology must truly be trustworthy if it is ever to realize its full potential to enhance people's lives. Microsoft's Trustworthy Computing effort is focused on four key pillars: security, privacy, reliability and business integrity.
• Security means ensuring that one's information and data are safe. • Privacy means placing people in control of their personal information as well as respecting their right to be left alone. • Reliability means ensuring that technology works every time people need it. • Business integrity means being clear, open, fair, respectful and responsive to customers and the public.
Cullen said he decided to join Microsoft because of its commitment to driving privacy protections and programs within the company and throughout its industry.
"I look forward to joining Microsoft to help the company deliver on its vision of trustworthy computing," Cullen said. "Microsoft has placed a priority on privacy, and I look forward to applying my experience in developing innovative privacy practices and programs to deliver high-quality technologies and services to our customers and partners."
Cullen holds an MBA from Richard Ivey School of Business at the University of Western Ontario. He is a founding member of two networks of chief privacy officers and is an active public speaker.
price of space vacations boosted to higher orbit
The cost of flying to the international space station aboard a Russian Soyuz spaceship has increased from $25 million earlier this year to between $30 million and $40 million for trips planned in 2008 and 2009.
"It's mostly because of the fallen dollar," Eric Anderson, president and CEO of Space Adventures, said Wednesday. His company brokers the trips with Russia's space agency.
A U.S. dollar currently is worth about 25½ Russian rubles, compared with 32 rubles in 2002.
Five space tourists have paid $20 million to $25 million to visit the space station via the Soyuz vehicles through trips arranged by Space Adventures. The company announced Wednesday that two more Soyuz seats have been purchased for tourists to fly in 2008 and 2009.
Anderson said the space tourists flying in the two new seats probably would be an American and an Asian, but he offered no details. Prospective space tourists must put down a 20 percent deposit, pass physical examinations and later undergo training at a Russian space facility.
About a dozen prospective space tourists are in the process of reserving flights to the space station, even as the number of available seats on the three-man Soyuz vehicles is likely to diminish after space shuttles are grounded in 2010.
NASA is going to rely on the Soyuz vehicles to deliver astronauts to the space station between the end of the shuttle program in 2010 and the expected first manned flight in 2015 of the next-generation spacecraft, Orion, which NASA hopes takes astronauts back to the moon by 2020. Additionally, the three-member space station crew, consisting of U.S. astronauts and Russian cosmonauts, is expected to double in size in 2009.