
Apple urges users to stick with iMessage to avoid iPhone SMS spoofing - Page 4

post #121 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

On an unrelated note: It's also worth pointing out that Email has many anti-spam and verification processes. I'm not entirely sure why everyone is regurgitating the nonsense that it doesn't. Technologies like DKIM and Domain Keys, as well as server blacklists, have been verifying the origin servers for years.

True, but while you can verify the origin, you still cannot prevent a spoofed "From" field with unauthenticated SMTP.
post #122 of 134
Originally Posted by lightknight View Post
What's wrong with the sixth iPhone being called iPhone 5 really?

 

The lack of explanation therefor.

 

Originally Posted by Vadania View Post
Apple could call it whatever they want.

 

Exactly, and they will call it something that matters and makes sense. Not "iPhone 5"

Originally posted by Relic

...those little naked weirdos are going to get me investigated.
post #123 of 134
Quote:
Originally Posted by muppetry View Post


True, but while you can verify the origin, you still cannot prevent a spoofed "From" field with unauthenticated SMTP.

 

No, but your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). If the servers don't match, straight into the SPAM folder.

 

Also, I wrote another reply explaining why it IS an iPhone issue, but it was held back for administrators to approve (it featured links and I'm still a new user).

 

The short version of that post is: We're NOT talking about SMS spoofing in general, but about the issue discovered by pod2g. That issue is entirely about the REPLY-TO field, as I previously described. In other words: It's an issue on iPhones and it's entirely up to Apple to fix it.

 

Yes, you can spoof the SMS "FROM" field, but that's not what the AppleInsider news article was about, nor was Apple's statement to Engadget. It was about the REPLY-TO issue that pod2g discovered.

 

Also, FWIW, nobody knows how secure iMessage is, as nobody but Apple knows what protocols and security they're using.


Edited by JohnnyW2001 - 8/20/12 at 9:56am
post #124 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

 

No, but your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). So if they don't match, straight into the SPAM folder.

 

Also, I wrote another reply explaining why it IS an iPhone issue, but it was held back for administrators to approve (it featured links). Short version: We're NOT talking about SMS spoofing in general, but about the exploit discovered by pod2g. (That issue is entirely about the REPLY-TO field, as I previously described.) In other words: It's an issue on iPhones and it's entirely up to Apple to fix it.

 

Yes, you can spoof the SMS "FROM" field, but that's not what the AppleInsider news article was about, nor was Apple's statement to Engadget about that. It was about the problem that pod2g discovered only.

 

Also, FWIW, nobody knows how secure iMessage is, as nobody but Apple knows what protocols and security they're using.

 

Thanks for the clear details that cut to the specifics!

post #125 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

Quote:
Originally Posted by muppetry View Post

True, but while you can verify the origin, you still cannot prevent a spoofed "From" field with unauthenticated SMTP.

No, but your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). If the servers don't match, straight into the SPAM folder.

That only helps if you always expect sender addresses to match originating server domains, which is often not the case. You could set your detection software to reject on that criterion, but it would trigger a lot of false positives.
post #126 of 134

or you could go with "BBM"... the long forgotten RIM/(IBM?) Blackberry message service... /rim shot

post #127 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

No, but your email server can tell if it came from the server it claims to have. So if you send a spoof email from @apple.com, your email server can tell what actual server it was sent from (e.g. @spoofemails.com). If the servers don't match, straight into the SPAM folder.

Also, I wrote another reply explaining why it IS an iPhone issue, but it was held back for administrators to approve (it featured links and I'm still a new user).

The short version of that post is: We're NOT talking about SMS spoofing in general, but about the issue discovered by pod2g. That issue is entirely about the REPLY-TO field, as I previously described. In other words: It's an issue on iPhones and it's entirely up to Apple to fix it.

Yes, you can spoof the SMS "FROM" field, but that's not what the AppleInsider news article was about, nor was Apple's statement to Engadget. It was about the REPLY-TO issue that pod2g discovered.

Also, FWIW, nobody knows how secure iMessage is, as nobody but Apple knows what protocols and security they're using.

Still waiting for you to explain why everyone is up in arms about this problem on iOS. If they spoof the 'from' header, it affects everyone. And when you look at all the SMS spoofing sites around, that's what they do. Not surprising since 95% of phones out there don't use the 'reply-to' header and would be unaffected by that type of spoof. The ONLY time it is a problem unique to iOS is if they spoof the 'reply-to' but not the 'from' header. Considering that most people don't use the 'reply-to' header, that doesn't make sense - and I've never seen it happen.

So you have the everyday 'from' spoofing that occurs every day and there are dozens of anonymizer sites that tell you how to do it or do it for you - and which affects everyone - vs the theoretical possibility that someone could possibly set up a spoof that only affects iPhones (and possibly a tiny number of other phones that might use the 'reply-to' header) - but which has never happened.

So why is it that you and all the press are screaming like crazy about the potential, theoretical, unobserved spoof that might affect only iPhones and ignoring the common, everyday spoofing that occurs every single day in the real world and which affects all phones.
"I'm way over my head when it comes to technical issues like this"
Gatorguy 5/31/13
post #128 of 134
Quote:
Originally Posted by jragosta View Post


Still waiting for you to explain why everyone is up in arms about this problem on iOS. If they spoof the 'from' header, it affects everyone. And when you look at all the SMS spoofing sites around, that's what they do. Not surprising since 95% of phones out there don't use the 'reply-to' header and would be unaffected by that type of spoof. The ONLY time it is a problem unique to iOS is if they spoof the 'reply-to' but not the 'from' header. Considering that most people don't use the 'reply-to' header, that doesn't make sense - and I've never seen it happen.
So you have the everyday 'from' spoofing that occurs every day and there are dozens of anonymizer sites that tell you how to do it or do it for you - and which affects everyone - vs the theoretical possibility that someone could possibly set up a spoof that only affects iPhones (and possibly a tiny number of other phones that might use the 'reply-to' header) - but which has never happened.
So why is it that you and all the press are screaming like crazy about the potential, theoretical, unobserved spoof that might affect only iPhones and ignoring the common, everyday spoofing that occurs every single day in the real world and which affects all phones.

 

Yes, there is still the "normal" FROM spoofing. This issue does seem somewhat minor compared to that, I agree. Nevertheless, this is what made the news, so that's what's being discussed. It sounds to me like you should be complaining to Apple Insider for making such a big deal about this new issue, really. Nevertheless, it's completely Apple's fault, and it's a very bizarre decision to implement the REPLY-TO field the way they have. The one distinction is that, unlike FROM spoofing, this is perfectly legitimate, and may result in accidental spoofing.

post #129 of 134
Quote:
Originally Posted by muppetry View Post


That only helps if you always expect sender addresses to match originating server domains, which is often not the case. You could set your detection software to reject on that criterion, but it would trigger a lot of false positives.

 

Sir, you have no idea what you're talking about. It is always expected that the servers match. Always. The only times it wouldn't be the case would be if an amateur was in charge of sys admin of a mail server, or if someone was deliberately trying to spoof an email address.

post #130 of 134
Quote:
Originally Posted by AppleInsider View Post

Apple on Saturday officially responded to reports that its latest mobile operating system remains vulnerable to text message spoofing, recommending that customers use its more secure iMessage service instead.
A hacker on Thursday drew headlines when he urged Apple to plug a hole in iOS that could allow malicious individuals to send text messages that appear as if they're coming from someone else.
Like other mobile operating systems, iOS SMS messages support transmission of optional, advanced features in the header section of text messages, including a "reply to" address. Since most wireless carriers don't perform verification checks on these header specifications, incoming SMS messages to iPhones could be manipulated to appear as if they're coming from the "reply to" address and not the actual sender.
In a statement obtained by Engadget, Apple reminds customers that its iMessage service was designed to safeguard against the vulnerabilities of the yesteryear Short Message Service (SMS):

Apple takes security very seriously. When using iMessage instead of SMS, addresses are verified which protects against these kinds of spoofing attacks. One of the limitations of SMS is that it allows messages to be sent with spoofed addresses to any phone, so we urge customers to be extremely careful if they're directed to an unknown website or address over SMS.


"Spoofed" SMS messages can include anything from spam to phishing attempts at personal information. The weakness flaunted by the SMS specification is similar to vulnerabilities in the standard email specification, which similarly does not authenticate the names and addresses in header data.
Introduced by Apple in June of 2011 as an alternative to SMS messaging, iMessage allows users to send texts, photos, videos, contact information, and group messages over Wi-Fi or 3G to other iOS 5 users. It's accessible through the Messages app on an iPhone, iPad, or an iPod touch running iOS 5 or later or on a Mac running OS X Mountain Lion or later.

 

I've got an iPhone 4s and have no idea if I'm texting in SMS mode or iMessage. How can I tell if I'm using iMessage or SMS? 

post #131 of 134
Originally Posted by sc_markt View Post
I've got an iPhone 4s and have no idea if I'm texting in SMS mode or iMessage. How can I tell if I'm using iMessage or SMS? 

 

iMessage is one color, SMS is the other. I can't remember which; my iMessages come in as all colors and I don't get SMS.


Edited by Tallest Skil - 8/21/12 at 1:46pm

post #132 of 134
Quote:
Originally Posted by JohnnyW2001 View Post

Quote:
Originally Posted by muppetry View Post

That only helps if you always expect sender addresses to match originating server domains, which is often not the case. You could set your detection software to reject on that criterion, but it would trigger a lot of false positives.

Sir, you have no idea what you're talking about. It is always expected that the servers match. Always. The only times it wouldn't be the case would be if an amateur was in charge of sys admin of a mail server, or if someone was deliberately trying to spoof an email address.

Perhaps you are restricting your thinking to corporate email, so I'll ignore your obnoxious first sentence. Many other users, especially residential, have email addresses that differ from their ISP domain. You were not aware of that?
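
The disagreement in the posts above, as an added example that is not part of any poster's reply: a receiver compares the domain it verified (here a passing DKIM signature, as recorded in an Authentication-Results header) with the domain in the visible From header. All messages and domains are constructed, and the subdomain match is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results
# header stands in for what the receiving server verified about the origin.
SAMPLES = {
    "corporate": (
        "Authentication-Results: mx.receiver.example; dkim=pass header.d=corp.example\n"
        "From: Alice <alice@corp.example>\nSubject: report\n\nbody\n"),
    "spoofed": (
        "Authentication-Results: mx.receiver.example; dkim=pass header.d=bulk.example\n"
        "From: Support <support@corp.example>\nSubject: reset\n\nbody\n"),
    "residential": (
        "Authentication-Results: mx.receiver.example; dkim=pass header.d=isp.example\n"
        "From: Bob <bob@family.example>\nSubject: hi\n\nbody\n"),
    "unsigned": (
        "Authentication-Results: mx.receiver.example; dkim=none\n"
        "From: Carol <carol@corp.example>\nSubject: hi\n\nbody\n"),
}

def verified_domains(msg):
    """Domains whose DKIM signature the receiver reported as passing."""
    found = set()
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", header, re.I):
            found.add(m.group(1).lower())
    return found

def classify(raw):
    """Return 'aligned', 'mismatch' or 'unverified' for one raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    origins = verified_domains(msg)
    if not origins:
        return "unverified"
    for d in origins:
        # Same domain, or From is a subdomain of the verified domain.
        if from_domain == d or from_domain.endswith("." + d):
            return "aligned"
    return "mismatch"

def report():
    return {name: classify(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12} {verdict}")
```

The spoofed message and the residential user's legitimate message both come back as "mismatch", so a rule that files every mismatch as spam catches both.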
post #133 of 134
Quote:
Originally Posted by Tallest Skil View Post

 

The lack of explanation therefor.

 

 

Exactly, and they will call it something that matters and makes sense. Not "iPhone 5"

 

Hmmm..... since the 'distinguishing feature' that makes sense seems to be the larger screen size how about they call it the iPhone 4"?

post #134 of 134
Originally Posted by Frood View Post
Hmmm..... since the 'distinguishing feature' that makes sense seems to be the larger screen size how about they call it the iPhone 4"?

 

I'm annoyed that I didn't come up with that name.
