Now it wasn’t long ago when the first malicious iPhone worm appeared in the wild and well generally since the boom of the device people have looking at the security measures.

Huge sales are made to corporates touting the security, privacy and encryption features of the iPhone OS. The latest discovery is that using a PIN on your iPhone 3GS really doesn’t protect you from anything as long as the person has physical access to your phone.

But then the same thing goes for desktop/laptop computers too, if someone has physical access you’re done for.

Using a four-digit PIN to lock your iPhone doesn’t really protect your data, security and IT blogger Bernd Marienfeldt has discovered. In an article describing the iPhone’s business security framework, Marienfeldt has found a “data protection vulnerability” in Apple’s iPhone 3GS.

Marienfeldt, working with security expert Jim Herbeck, has been able to reproduce the vulnerability on at least three non jail-broken iPhone 3GS handsets with different iPhone OS versions installed (including the latest). All tested iPhones were protected with a four-digit PIN.

In Marienfeldt’s own words:

“The unprotected iPhone 3GS mounting is “limited” to the DCIM folder under Ubuntu < 10.04 LTS, Apple Macintosh, Windows 2000 SP2 and Windows 7. The way Ubuntu Lucid Lynx handles the iPhone 3GS [6,7,8] allows to get more content (please do make sure that the native Ubuntu system is fully up to date, e.g. "apt-get update, "apt-get upgrade" - any virtualization based solution will not work as described). I used the Alternate CD with x86 and AMD64 on different hardware."

I guess with phones/embedded system we expected the user data to a little more secure and well we guessed wrongly. With a total of 33.75 million iPhones sold up to Q4 2009 that’s a staggering amount of vulnerable devices out there.

Another issue is Apple haven’t as yet worked out what the problem is, they’ve given some vague mentions of “race conditions” or “a pairing issues” but haven’t been able to reproduce it so far.

Other people have had varying success in exploiting the flaw, it seems to depend on the actual iPhone itself rather than anything else.

Basically, plugging an up-to-date, non jail-broken, PIN-protected iPhone (powered off) into a computer running Ubuntu Lucid Lynx will allow the people to see practically all of the user’s data–including music, photos, videos, podcasts, voice recordings, Google safe browsing databases, and game contents. The “hacker” has read/write access to the iPhone, and the hack leaves no trace.

According to Marienfeldt, “The allowed write access could also lead into triggering a buffer overflow.” A buffer overflow could allow full write access, and full write access could potentially lead to the attacker being able to make phone calls (as far as we know, the attacker can access all of your data but they can’t make any phone calls…how reassuring).

Marienfeldt points out that this is especially an issue for corporate/business users, who “rely on the expectation that their iPhone 3GS’s whole content is protected by encryption with a passcode based authentication in place to unlock it.”

Apple has been notified of the flaw, but has yet to correct it (or give a timeline for the correction).

I hope Apple can address this phone and give a proper breakdown and explanation of why this happens, there must be some technical explanation for it and why it occurs in their so called ‘secure’ implementation.

You can read the original blog post here:

iPhone business security framework

Source: Network World

There have been plenty of stories about Facebook in the past and the latest is about their new privacy system. From what I understand they have abandoned the previous concept of “Networks” and now everyone is open to everyone else.

The network system was initially relevant when the site was targeted at only US college students, it easily allowed students from the same college to find each other. But now since it’s become global and the networks had changed into countries or even continents it was rather too open.

Facebook is urging its 350 million users to open their kimonos to the entire internet as part of its revamped security settings.

Unveiled on Wednesday, the social network’s new privacy controls are designed are to expose a user’s personal data – including status updates, posted content, and details about friends and family – to everyone on the wild, wild web.

Facebook says the freely-shared data “makes it easier for people to find and learn about you” — but critics claim it’s a actually ploy to drive up Facebook traffic by getting more of its pages cataloged by RSS feeds and search engines.

The surprising part is, when receiving the prompt today it suggests you open ALL your data to everyone! So instead of the expected tighter default privacy settings it’s pushing its users to disregard privacy totally.

It would make sense for them to push this, because if everyone opens everything there is far more for the search engines to spider and as a byproduct Facebook traffic will increase earning them more in the way of ad revenue.

Starting now, when a current user logs into Facebook, they will be asked to review and update their privacy settings. Users are then prompted to make changes to who (and what) is allowed to ogle various sections of their profile and postings.

While Facebook allows users to retain their old settings quite easily, the recommended options strongly encourage a brave new world of personal data sharing.

It should be noted that users under 18 are restricted to sharing details with Facebook friends no matter which options they select.

I’d imagine anyone here (if they even use Facebook) would already have fairly restrictive Facebook privacy settings in place..and well it’s easy enough to keep your old settings.

But for the less savvy user I think they may well take the suggestions and apply them…which is really not a good idea.

We will have to wait a few days and see if there is any major outcry.

Source: The Register

A UK firm Virtuity has created data protection software called BackStopp which comes with ’self-destruct’ technology based on Wi-Fi and RFID tags that starts to run as and when a laptop is moved from its designated space.

So in layman’s terms, if the laptop is moved from its permitted zone (which is set by the user) Backstopp sends out a self-destruct message to block access and ultimately destroy data, locating the laptop using Wi-Fi and radio frequency identification technology. What’s even cooler is that any laptop featuring an in-built webcam will be prompted to start taking photographs to help identify the thief.

There are millions of people out there who keep very secure data on their laptops which, if fallen into the wrong hands can cause damage to a lot of people. This FBI/CIA type security tool brings advanced security to all laptops users at a very affordable price of £10 per laptop per month.