1. JeepBB's Avatar
    It's revealed and unfixed on OS X...
    Apple didn't reveal the exploit. Apple isn't run by morons.
    app_Developer likes this.
    02-22-14 03:07 PM
  2. crackbrry fan's Avatar
    Here's a test site that you can check your browsers against. The owner set up this port to be signed with a different key than the certs it presents. If your SSL security is implemented correctly, you'll get an SSL error from this link. Unpatched Apple users should be able to get to the site.

    https://www.imperialviolet.org:1266/

    I tested on Z10, PlayBook and a Nexus 4 and all caught the mismatch.
    OMG you are 100% correct. Tested BlackBerry and iOS 7, only BlackBerry showed "error". I think that proves a lot!

    Posted via CB10
    02-22-14 03:10 PM
  3. CherokeeMarty's Avatar
    For me it seemed pretty clear given the recent news that the USAF was dropping BlackBerry for Apple and Android since they (the USAF) apparently feel Apple and Android security is adequate for the military.

    Posted via CB10
    The Snowden releases showed that the iPhone is known to be the easiest cell phone to hack. If I was the head of internal data security for the US military, for which the Air Force is responsible, and I thought that there might be a big security issue from someone inside, then I would make everyone carry a phone that was known to be easy to hack, such as 100% hackable, such as the iPhone.
    02-22-14 03:14 PM
  4. avt123's Avatar
    Kinda like how people still quote the BIS outage that was like 4 or 5 years ago...
    I agree.
    02-22-14 03:31 PM
  5. Wiki Cydia's Avatar
    Both groups are vulnerable to this bad implementation of accepted security standards. You're splitting hairs ...
    I'm not splitting hairs at all. The person he was responding to wasn't addressing typical users. . . users with "top secret info" were specifically referenced.
    02-22-14 04:40 PM
  6. Wiki Cydia's Avatar
    Yes it was. The person I quoted was basically saying that because they don't connect to unsecured networks that it isn't an issue for anyone.
    You must be relying on a rather liberal definition of the word "basically."
    02-22-14 04:41 PM
  7. playbookster's Avatar
    And an update was released today to address the issue. What does this have to do with Blackberry again?
    Because the US Air Force announced they are going with iPhone instead of BlackBerry, now a major flaw was revealed in iPhone. How isn't it related?
    CerveloJohn likes this.
    02-22-14 05:17 PM
  8. tickerguy's Avatar
    So you have to be on an unsecured network? And the hacker has to be on that same unsecured network? How many people with top secret info use unsecured wifi networks to do their business? No matter the OS, I'm not doing banking or anything like that on an open unsecured wifi hotspot.
    No, that's not true at all.

    The problem is that the device is not checking the certificate. If someone can trick your device into connecting to another place than the intended one (and there are myriad ways of doing this, from simple speed by being closer to poisoning resolver caches to other, more-esoteric things) you are screwed as your device will THINK it is talking to the correct server when it is not, and it will dutifully negotiate an SSL connection with the fake that then delivers unencrypted data to the fake site!

    The fake could then simply steal it with a fake login prompt or worse, connect to the real one, pass it through transparently and steal your login and password in the process and you would have no idea it happened.

    There is no defense against this; I looked at the actual code "error" and what I want to know is when the bad code got in there and how many revs back have been sent out with this. There is every reason to believe this isn't a new problem and if so the number of thefts that have likely taken place are extremely high, including some really nasty systemic thefts that have involved re-routing traffic temporarily on the backbone through places like China and Belarus.
    02-22-14 07:44 PM
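
Added example (not part of any post in this thread, and not Apple's code): a simplified C model of the check the test site in post 2 exercises and the failure post 8 describes, where key-exchange parameters signed with a key other than the certificate's are accepted because a duplicated `goto fail;` (the publicly documented slip) skips the signature comparison. `toy_sign`, `hash_update`, `handshake` and the key values are constructed stand-ins, and the checksum is not cryptography.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy keyed checksum standing in for a real signature. NOT cryptography. */
static uint32_t toy_sign(uint32_t key, const uint8_t *msg, size_t len) {
    uint32_t h = 2166136261u ^ key;
    for (size_t i = 0; i < len; i++) { h ^= msg[i]; h *= 16777619u; }
    return h;
}
/* Stand-in for a hashing step that can fail; returns 0 on success. */
static int hash_update(const uint8_t *p, size_t len) { return (p && len) ? 0 : -1; }

/* Flawed flow: the comparison is unreachable, so err stays 0 ("verified"). */
int verify_flawed(uint32_t cert_key, const uint8_t *params, size_t len, uint32_t sig) {
    int err;
    if ((err = hash_update(params, len)) != 0)
        goto fail;
    goto fail; /* duplicated line, always taken */
    if (toy_sign(cert_key, params, len) != sig)
        err = -2;
fail:
    return err;
}

/* Corrected flow: the signature is always checked against the certificate's key. */
int verify_fixed(uint32_t cert_key, const uint8_t *params, size_t len, uint32_t sig) {
    int err;
    if ((err = hash_update(params, len)) != 0)
        goto fail;
    if (toy_sign(cert_key, params, len) != sig)
        err = -2;
fail:
    return err;
}

/* Constructed handshake: params signed with signing_key, certificate holds CERT_KEY. */
enum { CERT_KEY = 0x1111, OTHER_KEY = 0x2222 };
int handshake(int use_fixed, uint32_t signing_key) {
    static const uint8_t params[] = "constructed-key-exchange-params";
    uint32_t sig = toy_sign(signing_key, params, sizeof params);
    return use_fixed ? verify_fixed(CERT_KEY, params, sizeof params, sig)
                     : verify_flawed(CERT_KEY, params, sizeof params, sig);
}

int main(void) { /* 0 = accepted, -2 = signature mismatch */
    printf("%d %d %d\n", handshake(0, OTHER_KEY), handshake(1, OTHER_KEY), handshake(1, CERT_KEY));
    return 0;
}
```

The flawed verifier returns 0 for a signature made with the wrong key, which is the behaviour the test link is built to expose; the corrected one returns an error for the same input and still accepts a matching key.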
  9. Ecm's Avatar
    [WARN]Please keep it civil. Debate the topic, not the person posting their opinion.[/WARN]
    02-22-14 08:01 PM
  10. GV2012's Avatar
    It's trying to be one of those threads where blackberry haz expert pros security while everyone else doesn't.
    No, it's showing how USAF dropped BB to go with Apple and people on here said it was a dumb idea because of security issues - this came up in a BB forum - seems relevant to me folks!
    BriGuy19872015 likes this.
    02-22-14 08:20 PM
  11. kbz1960's Avatar
    Yes it was. The person I quoted was basically saying that because they don't connect to unsecured networks that it isn't an issue for anyone.


    Posted via CB10
    Basically that isn't what I was saying. Does everyone have top secret info in their emails they are sending?
    02-22-14 10:29 PM
  12. kbz1960's Avatar
    Here's a test site that you can check your browsers against. The owner set up this port to be signed with a different key than the certs it presents. If your SSL security is implemented correctly, you'll get an SSL error from this link. Unpatched Apple users should be able to get to the site.

    https://www.imperialviolet.org:1266/

    I tested on Z10, PlayBook and a Nexus 4 and all caught the mismatch.
    Windows 8.1 modern browser. Page can't be displayed.
    02-22-14 10:31 PM
  13. RazrRob's Avatar
    Basically that isn't what I was saying. Does everyone have top secret info in their emails they are sending?
    I work in risk management for a large multinational. We used to be BlackBerry only but now it's byod. Even though there is a policy that transmitting sensitive proprietary information via a smartphone is a terminable event, guess what? People still do it because it's easy and convenient. Just because there is a rule in place does not guarantee people will abide by it. So why take the chance?
    02-22-14 11:22 PM
  14. Wiki Cydia's Avatar
    I work in risk management for a large multinational. We used to be BlackBerry only but now it's byod. Even though there is a policy that transmitting sensitive proprietary information via a smartphone is a terminable event, guess what? People still do it because it's easy and convenient. Just because there is a rule in place does not guarantee people will abide by it. So why take the chance?
    The last line is a fair question. So why use mobile devices at all? I mean, why take the chance in the first place? Clearly, the benefits of mobile make up for the fact that it's less secure than other options.
    kbz1960 likes this.
    02-23-14 12:53 AM
  15. jamesy77's Avatar
    I hope the USAF saw this news after they ditched BlackBerry for Apple iPhone. This is evidence that Apple products are susceptible to hackers because their iOS is not well secured, unlike the BlackBerry that is #1 with phone security; even the POTUS has one. Shame on the US Air Force, I would have thought they would have followed their commander-in-chief and upgraded their phones to BES-10, but no, they want to play Candy Crush and watch Netflix all day, so they've switched to iPhone. Jokers!
    02-23-14 01:35 AM
  16. iN8ter's Avatar
    It's trying to be one of those threads where blackberry haz expert pros security while everyone else doesn't.
    Many of them still waiting for a 10.2 update. Got this update early this morning on my iPhone 😊


    Sent from my iPhone 5S using Tapatalk
    JeepBB and MERCDROID like this.
    02-23-14 02:03 AM
  17. Bla1ze's Avatar
    Windows 8.1 modern browser. Page can't be displayed.
    That site only works in Safari. It's moot for anyone not running an iOS device or a Mac to even try.

    And yeah, my Mac (thus far) remains unpatched but at least they got the iOS patch out.
    02-23-14 02:22 AM
  18. revelations65's Avatar
    No matter what security issues there are with Apple iOS, Apple fans will not change. I work for the councils here in the UK; they are all Apple and Microsoft phones. It starts from the IT managers, they are Apple fans, the directors are Apple fans, they cannot see changing to BES 10 or a BlackBerry platform, it is all about the apps.
    If I was in a position of influence in IT I would want the most secure platform, especially if I was in government, but this is how these councils operate, and what scares me is, if any data gets captured or hacked, who will they blame?
    02-23-14 02:34 AM
  19. THBW's Avatar
    Thank you for an intelligent comment. You don't build a platform, then in retrospect add a security patch and hope for the best. Security has to start at the ground floor which is why we hear at least 6-10 times a year about a security flaw.


    Posted via CB10
    RazrRob likes this.
    02-23-14 04:55 AM
  20. THBW's Avatar
    They won't be able to play Candy Crush as the USAF didn't buy the iPhone 5 or 5s. It's that crappy old iPhone 4. Just wait till the service people get a hold of that lump of coal.

    Posted via CB10
    RazrRob likes this.
    02-23-14 04:59 AM
  21. anon(3993749)'s Avatar
    Basically that isn't what I was saying. Does everyone have top secret info in their emails they are sending?
    This bug affects all traffic, not just email. When making an online payment someone connected to the same Wi-Fi network could in theory see your card details.
    02-23-14 05:07 AM
  22. Wiki Cydia's Avatar
    Thank you for an intelligent comment. You don't build a platform, then in retrospect add a security patch and hope for the best. Security has to start at the ground floor which is why we hear at least 6-10 times a year about a security flaw.
    True. But security clearly isn't the only priority. If it were, the USAF wouldn't be changing anything. (Also, again, the fact that these agencies use mobile platforms at all is per se proof that security is but one item on a list of priorities.) This is not new; security wasn't the only reason the USAF went with BlackBerry previously, either. Clearly though, BBRY had a lot more success competing against Palm and Windows Mobile than it does any of the current crop of competitors.
    02-23-14 05:24 AM
  23. Gran PC's Avatar
    Apple didn't reveal the exploit. Apple isn't run by morons.
    Correct, Apple didn't reveal the exploit. However, the community revealed the exploit. It was stupidly simple to spot.

    It's for Android too.

    Have no idea if it's related to WebKit but if it is, BB10 could have the same bug as well.
    No, it's not for Android. It's an Apple bug.

    I suggest you read this: Understanding Apple's SSL/TLS Bug | iMore
    02-23-14 05:41 AM
  24. RazrRob's Avatar
    True. But security clearly isn't the only priority. If it were, the USAF wouldn't be changing anything. (Also, again, the fact that these agencies use mobile platforms at all is per se proof that security is but one item on a list of priorities.) This is not new; security wasn't the only reason the USAF went with BlackBerry previously, either. Clearly though, BBRY had a lot more success competing against Palm and Windows Mobile than it does any of the current crop of competitors.
    That's exactly the point- these are not individual citizens using a phone for personal reasons, these are members of the military. The Department of Defense stated the #1 reason for switching was budgetary. It's cheaper for them to use Apple phones and iPads than to use Q10 on a BES. It's a shame that an organization with a budget the size of the US Military and charged with defending our country decides to save ~$16M by putting our security at risk. It's all about money.... if you read the DoD articles they also claim they don't have the proper controls in place to ensure iOS security, but they are working on it.
    02-23-14 07:32 AM
  25. axeman1000's Avatar
    So who cares then? It's fixed, why does it matter now?
    Because the holes keep coming... every few weeks there is a new one. Not the best platform to be using in any security capacity. Anyone can see that; if not, they have their heads elsewhere... apps or not.

    If the app is that important to have, then get the most secure company device in BlackBerry and develop the app for that... done!

    Hate solves nothing, Respect gains everything!
    02-23-14 07:37 AM