Wednesday, July 25, 2007

What it took to hack the iPhone

The same Safari bug is also on Mac OS X and Windows, say researchers

July 24, 2007 (Computerworld) -- The iPhone vulnerability that could let hackers steal data or commandeer the device also exists in the desktop edition of Apple Inc.'s Mac OS X operating system, the exploit's researchers said today.

Charles Miller, one of the three researchers from Baltimore-based Independent Security Evaluators (ISE) who found the bug and wrote proof-of-concept exploits, confirmed that the vulnerability in the iPhone version of Safari is also present in the desktop version of the browser. Safari is included with all Mac OS X installations.

The Windows version of Safari is also vulnerable. "[But] it may or may not be exploitable there," Miller said.

Miller, Jake Honoroff and Joshua Mason found the Safari flaw using what Miller described as "fuzzing" techniques. Fuzzing, a tactic commonly used by vulnerability researchers, drops random data into applications or operating system components to see if -- and where -- breakdowns occur. Typically, the process is automated with a fuzzer, software that hammers on application inputs.

Not that the iPhone made it easy. The lack of debugger, for example, required that Miller and the others turn to alternatives, including the Mac OS X crash reporter, which logs all crashes, for ways to probe the iPhone. "The crash reports contained the contents of registers and what libraries were loaded," giving the team some clues, Miller said. Others they gleaned by examining the phone's core applications, which they could pull off the device only using iPhoneInterface. That program, part of the results of a group effort at the iPhone Dev Wiki, lets researchers and hackers modify the phone.

"Between the crash reports and the core files, we had a good picture of the application when it crashed," said Miller. "We found a few crashes that stuck out from the rest."

With iPhoneInterface and another program named Jailbreak -- Miller called them "hacking tools" -- the three researchers were able to pull Safari off the iPhone, disassemble it on a Mac desktop machine, and modify it so that would crash at the code location where the researchers wanted. "It was trial and error," Miller admitted. Testing required the application to be returned to the iPhone, where it was run, generating another crash report.

"It was like 'fuzzing' for an exploit," said Miller.

Although the three are withholding details until Aug. 2, when Miller will reveal more at the Black Hat security conference, one security expert is betting that the Safari vulnerability is a buffer overflow bug.

1 | 2 | NEXT

Saturday, July 07, 2007

Attention turns to second-gen iPhone

Next version of iPhone will take advantage of faster 3G wireless network speeds

By Matt Hamblen, Computerworld
July 06, 2007

The first-generation iPhone is barely on the streets, but some users and analysts are already talking about when a second-generation model will be launched to take advantage of faster 3G wireless networks for speedier Internet browsing.

The first version of iPhone supports AT&T's EDGE (Enhanced Data GSM Environment), a 2.5G network advertised as providing download speeds of 70Kbps to 135Kbps. AT&T and Apple chose that network because it is the largest, reaching 270 million people, company officials said last week.

However, several analysts and reviewers believe that the next-generation iPhone, which could ship early next year in the United States, will be provisioned to handle a faster 3G network, such as AT&T's High Speed Downlink Packet Access (HSDPA), to support download speeds of 400Kbps to 700Kbps. However, AT&T and Apple would not comment Thursday on their plans or a timetable for iPhone 2.0 or AT&T's HSDPA.

AT&T spokesman Mark Siegel stressed that "HSDPA is available in 160 metro areas, and AT&T will continue to build it out through the rest of the year, so obviously we're continuing to build 3G. "

But Siegel also repeated comments made last week that iPhone users will accept the slower EDGE speeds, especially since the iPhone can access faster Wi-Fi networks when a hotspot is available at home or a coffee shop. "We haven't had many complaints about EDGE," he said. "What really matters for a real human being using the iPhone who doesn't know anything about EDGE is that this is going to be a great experience in totality, whether searching for a stock quote or a map or many other things. We think overwhelmingly that people will be thrilled using this device. The experience they have on EDGE will be a really good one."

Siegel's comments, however, don't match user consternation about EDGE speeds registered at the MacRumors forums, or concerns raised by some reviewers, including one who said it took two minutes to download the Yahoo Web site home page.

The discussion thread at MacRumors asked people to post their EDGE speeds over iPhone using a network measuring tool. Some reported speeds were higher than those advertised by AT&T, but most were slower, with 64Kbps on July 3 in San Diego and 71Kbps in Los Angeles that same day. "Boooooo!" is the only comment from the San Diego user identified as FreeState. GnarleyMarley87 reported 126Kbps in Atlanta on EDGE, but 1,245Kbps over Wi-Fi at home. Other uses weighing in on MacRumors about the differences between 3G and EDGE and why Apple is waiting indicate that iPhone users are aware that AT&T's 3G network is not widely available in the United States. Users also noted that 3G-capable phones consistently run down batteries faster than those on slower networks. One analyst, Ken Dulaney at Gartner, recently confirmed that a 3G phone can use up a battery at a rate 30 percent faster than a 2.5G phone.

Apple officials would not comment on a timetable for the next iPhone release, or even whether it will support 3G.

Two analysts tended to support the decision to release the first iPhone over EDGE in order to get the broadest network reach over higher bandwidth. "EDGE is not a show-stopper for iPhone, and I think the next version will likely have 3G," said Michael King, an analyst at Gartner.

King said some industry experts believe Apple can have a second-generation device ready by October, but that Apple won't unveil them so closely behind the first version's June 29 release. King believes AT&T's HSDPA network will be more widely available for U.S. users in late 2008. "It's a pretty usable network now," he said.

With a second-generation iPhone, Apple is also likely to support QuickTime, giving access to streaming video that uses more bandwidth and tends to require a 3G network, King said.

Shiv Bakhshi, an analyst at IDC, said that Apple was "wise to have chosen ubiquitous network reach over bandwidth ... a culture of mobile data consumption in the United States is only beginning to set in. By the time it takes hold, Apple will be out with 3G iPhones and AT&T will likely roll a 3G HSDPA network across its national footprint."

Asked when both will happen, Bakhshi said "in under a year."

But Bakhshi said that it is not clear how much current iPhone users will be downloading from the Web. Songs and video can be imported from a PC, so EDGE speeds might not be an impediment for the average user.

"Every network falls short as your expectations rise higher," he said. "Some people will always be high-end users and will find EDGE really frustrating, but for the average Joe Blow like you and me, it will suffice."

Bakhshi added, "The single biggest driver of iPhone may not be data usage."

"Instead, it might be just its ability to invoke envy in your friends."

Friday, July 06, 2007

Mahalo Greenhouse Goes Live!!

Mahalo, dubbed the human-powered “search service” has accepted yours truly to be a part time guide. Even though they went live with the beta last week, it wasn't until earlier this week that I received my confirmation. So far things are rolling right along with 6 Search Results Pages (SeRPs.) done this week.

What is Mahalo you ask well check them out Mahalo FAQ's. If you'd like to become part of the Mahalo team drop by The Greenhouse. There you can find all the information on applying to become a part time guide.

For information on the projects that I've been working on visit my profile.

15 free security programs that work

I'm just going to say I was reading this list and I was seriously disappointed. There is no mention of two of the top tools in use today, spy-bot search and destroy and adaware. Neither of which you should do with out, and both are free. However the rest of the tools listed are fairly good and are definitely recommended to use.

From the moment you switch on your PC, your system faces countless Internet-borne dangers, including spyware attacks, viruses, Trojan horses, home-page hijackers, and hackers trying to weasel their way into your system. And the Internet isn't the only source of trouble. Anyone with access to your PC can invade your privacy by prying into which Web sites you visit -- and learning a great deal more as well.
But fighting back is easy. We've found 15 great pieces of software -- firewalls, spyware busters, antivirus software, rootkit killers, and general Internet security tools -- designed to protect you against any dangers that come your way. They're free, they're powerful and they're easy to use. So what are you waiting for? Start downloading.
Preventing and Eliminating Malware
From firewalls to antivirus software to tools for combatting rootkits and spyware, here are some great downloads to protect your system against malicious attacks.
Check Point Software's ZoneAlarm may well be the most popular free firewall on the planet, and the most recent release (finally) protects Vista machines. Arguably, ZoneAlarm is the product that made everyone conscious of the need for firewall protection. It's extremely easy to use, and its method of configuring outbound protection is particularly useful. Whenever a program tries to make an outbound Internet connection, ZoneAlarm announces it with a pop-up alert. You can then permit or disallow the connection, on a one-time basis or permanently. Configuring your level of protection is a simple matter of moving a few sliders. Though the free version of the software is exclusively a firewall, Check Point also offers for-pay security suites. But if all you're looking for is a firewall, stick with the free version.
Comodo Firewall Pro
ZoneAlarm is extremely popular, but that doesn't automatically make it the best free firewall you can find. One formidable contender is Comodo Firewall Pro, which independent testing site Matousec rated as the top firewall. Matousec found that Comodo offered the highest level of antileak protection, one measure of a firewall's effectiveness. Comodo offers true two-way firewall protection, is highly configurable, and (unlike most other firewalls) provides a great view of your system and your Internet connection.
1 | 2 | 3 | 4 | 5 | NEXT