I got back a few days ago from Infosecurity Europe 2010, in London, where I had a number of meetings in and around the Exhibition, and also did a presentation on “Apple, Security And The Power Of Perception” in the Business Strategy Theatre (but if you read my earlier blog, you already knew that). Yes, I think it went quite well, thank you for asking. It was well-attended, no-one walked out, all the questions afterwards were sensible, no-one called me an idiot or worse (to my face, anyway) for daring to suggest that there are Mac security issues, and there was even some interest from the press.
In fact, I had a particularly interesting chat with journalist Asavin Wattanajantra, who raised some interesting questions regarding an earlier presentation from Eugene Kaspersky. I wasn’t at that presentation, but I gather that one of the points made was that “the iPhone is secure for now, but if Apple doesn’t open up the system it will lose out to rival mobile operating systems due to its lack of flexibility.”
smartphone devices will be powerful enough to replace notebooks with implications for security… “It is easier to build true security into a telephone. If ISPs don’t move to mobile phone areas they will have big problems in the future.”
So I had some idea of his thinking in this area already, and as it happens, some of my presentation was also around iPhone security. Asavin’s article for the Inquirer is here, if you’re interested in my musings about the continued feasibility of the iPhone whitelisting model in an age of jailbreaking.
But I came back to all that at the weekend in quite a different discussion thread, where Mike Lennon of Security Week pointed to his own article about a presentation by Peter Tippett, Vice President of Technology and Innovation at Verizon, stating that:
With online business transactions and consumer use of the Internet increasing dramatically, cybersecurity breaches are starting to level off, and in the next 10 years, Tippett believes security protection will become more effective and widespread as organizations band together to fight cybercrime.
As I’ve said before, I won’t be writing my next book on an iPhone, but Kaspersky’s point and Tippett’s may actually be running parallel. Many people already use a smartphone as their main PC, and the lockdown potential and actuality has positive security implications.
It’s been suggested that Kaspersky seems to want less application whitelisting while he wants and anticipates more mobile security. That kind of makes sense to me, though. One of the consequences of Apple’s iron grip on the iPhone is that it’s allowing only a very limited range of security apps onto the platform. So, for instance we’ve seen iPhone malware, but no conventional anti-malware.
My feeling is that expecting comprehensive, unified and ground-up security from telephony providers is probably as realistic as expecting Facebook to protect your privacy, but the potential is there, I guess. The question is whether they’ll find a balance between the whitelisting Single Point of Failure and the pressure to provide services that prioritize convenience over security. To quote myself (I know, a bad habit):
Do I think that the need for security will vanish as more people use mobile devices (after all, the iPod has some of the same functionality – and vulnerability – as the iPhone) as their primary machine? Frankly, no. The main security model for smartphones right now is application whitelisting, and the combination of determined experimentation and social engineering has already eroded that model.
David Harley FBCS CITP CISSP
Small Blue-Green World
AVIEN Chief Operations Officer
ESET Research Fellow & Director of Malware Intelligence
Also blogging at: