Black Hat Security: iPhone And Firefox At Risk
Security researchers have demonstrated how both Windows Mobile and iPhone handsets can be hacked simply by sending a text message. It's also emerged that a flaw in the way secure websites worked could cause problems for Firefox users.
The news comes from the annual Black Hat security conference in Las Vegas, where it's joked that "black hat" hackers find these issues for criminal reasons, while "white hat" hackers are merely trying to improve security. However, it's generally understood that those who speak at the conference do so to highlight problems rather than exploit them.
SMS from a SOB
Charlie Miller (a two-time winner of a national speed-hacking challenge) and Collin Mulliner unveiled the cellphone security hole. They showed how altering the data which is transmitted alongside an SMS (Short Message Service) message can potentially give a hacker remote access to applications such as an address book or stored images from a camera.
The bad news is that there is almost nothing phone users can do to protect themselves. Why? Because in most cases the messages appear perfectly legitimate. The good news is that researchers are keeping the full details secret until the firms behind mobile phone operating systems have fixed the flaw. (Source: bbc.co.uk)
Digital Certificates Grant Certified Danger
Meanwhile Dan Kaminsky and a man using the name "Moxie Marlinspike" demonstrated how it's possible to spoof digital certificates which are used to authenticate the validity of a website.
In somewhat technical jargon: the problem deals with a null character '\0', which is mostly used by computer programs as an instruction to stop processing. That said, the '\' character by itself can be a legitimate part of a website domain name.
Researchers were able to obtain a digital certificate for a site they genuinely controlled (example: spoof site www.paypal.com\0.thoughtcrime.org) whereby the digital certificate was improperly labeled for 'www.paypal.com.'
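The following C sketch is an added example, not code from the article or from the researchers. It assumes the certificate carries its name as bytes with an explicit length, so a null byte can sit inside it, while the checking program handles the name as a C string that ends at the first null. The struct and function names are hypothetical, and the sample names are constructed from the example above.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A certificate name as carried in the certificate: bytes plus an
 * explicit length, so a 0x00 byte can appear in the middle of it. */
struct cert_name {
    const unsigned char *data;
    size_t len;
};

/* Flawed check: treats the name as a C string, so the comparison stops
 * at the first NUL and never sees the bytes that follow it. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcasecmp((const char *)cn->data, host) == 0;
}

/* Hardened check: reject any name containing an embedded NUL, then
 * compare over the full declared length. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;                       /* malformed name: reject */
    if (cn->len != strlen(host))
        return 0;
    return strncasecmp((const char *)cn->data, host, cn->len) == 0;
}

/* Constructed sample names; sizeof - 1 drops the literal's terminator. */
static const unsigned char NUL_NAME[]  = "www.paypal.com\0.thoughtcrime.org";
static const unsigned char GOOD_NAME[] = "www.paypal.com";
const struct cert_name nul_cn  = { NUL_NAME,  sizeof NUL_NAME - 1 };
const struct cert_name good_cn = { GOOD_NAME, sizeof GOOD_NAME - 1 };

int main(void)
{
    const char *host = "www.paypal.com";
    printf("C-string check, NUL name:   %d\n", match_cstring(&nul_cn, host));
    printf("length-aware,   NUL name:   %d\n", match_length_aware(&nul_cn, host));
    printf("length-aware,   clean name: %d\n", match_length_aware(&good_cn, host));
    return 0;
}
```

The C-string check accepts the name with the embedded null as a match for www.paypal.com, while the length-aware check rejects it and still accepts the clean name.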
Firefox Feels The Heat
The digital certificate exploit could allow hackers to fool a computer (and its owner) into thinking a bogus site was legitimate. It also poses a particular risk for the Mozilla Firefox browser, which uses this verification system in its auto-update feature to ensure that it is downloading genuine updates.
Upon announcing the flaw, "Marlinspike" advised Firefox users to turn off the auto-update feature until a fix was available. Mozilla says this would cause more risks than it was worth, but thankfully the firm has now issued a patch for the latest version of Firefox (3.51) and is working on a solution for earlier problems. (Source: cnet.com)