Posted by: David Harley | March 19, 2010

Touching (or Bumping) Base

[Update, specially for Jimmy 😉 – no, on second thoughts I’ll make that a fresh blog.]

You’re right, I have been uncharacteristically quiet, due to much travelling (an AMTSO meeting and the RSA conference in Northern California, a few days with ESET in San Diego, and then a few days vacation). So this is a friendly ping as opposed to an antisocial pong or even a heavy-duty blog. However, there are one or two issues around I thought were quite interesting.

Firstly, an item by The H (Heise) referring to Charlie Miller’s forthcoming presentation at CanSecWest next week. Miller claims to have found that “20 zero-day holes are contained in closed source Apple products”, and will talk about how he used fuzzing to find them, though he won’t talk in detail about the holes themselves.

Secondly, SC Magazine’s Dan Raywood reports that Eugene Kaspersky, CEO of the eponymous security vendor, believes that desktop computers and the internet as we know it will give way to smartphones and mobile services, and that the need for security will disappear as a result. I’m far from convinced – there are far too many phone-based security issues around already for me to swallow that without blinking – but it’s an interesting hypothesis, and there’s probably some truth in it. Though I’m not sure that I’ll ever give up my laptops for something I can’t touch-type on…

Thirdly, Bill Ray of the Register reports that China Mobile, with about half a billion subscribers tied to the locally developed TD-SCDMA standard (China has mandated that each of its three providers should use a different 3G standard), is hoping that Apple will forgo its insistence on sticking to GSM/WCDMA and produce a localized version of the iPhone. Will Apple be tempted by all those potential customers? I can see some interesting political (and security) ramifications there, though Ray doesn’t discuss them.

Ray also doesn’t see any security problems with PayPal’s application allowing iPhone users to transfer cash by “Bumping” phones. I can see the app’s attraction for occasional, informal transactions, but I can’t agree that “with both parties authorising the payment manually the security risks are minimal.” Even if the process remains technically sound and secure, that doesn’t rule out the possibility that one of the parties to the cash transfer will turn out to be a bad actor (or a bad guy playing a good guy…), in which case social engineering will almost certainly trump technical security, sooner or later.

David Harley FBCS CITP CISSP
Mac Virus
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://www.eset.com/threat-center/blog
http://avien.net/blog/
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com

Responses

  1. […] "Touching (or Bumping) Base" addresses a mixed bag of issues: […]

  2. […] Go West, Young Mac, but Fuzzily Further to my recent blog, I notice that Dan Raywood of SC Magazine has flagged the imminent opening of the CanSecWest […]

  3. […] the conference, and on which he’s been fairly tightlipped so far: see previous blogs here and here. The iPhone hack used a technique called return-oriented programming to evade the iPhone’s […]

  4. […] it happens, I commented a while ago here and here on Kaspersky’s interview with Dan Raywood of SC Magazine in which he suggested […]
