Comments for On the road to Bandol

Comment on Android malware hype by Erwan

Erwan — Tue, 29 Jun 2010 19:55:41 +0000

This reminds me the warning you get when installing some ports under FreeBSD:
the port foo installed /usr/local/libexec/barhelper and /usr/local/bin/bar whch can act as server and thus be a security breach…

Comment on Android malware hype by Axelle

Axelle — Tue, 29 Jun 2010 13:28:09 +0000

Hi Eric,

I must add a comment on spyware. There are two different class of spyware: a) Trojan spyware, which are real malware and will for instance forward SMS without your being aware of it (I’m sure you wouldn’t like that) and b) border-line spyware, which do something potentially bad to your privacy but may be ok in some situations.
Sending SMS without user interaction *is* a dangerous feature. It ought to be limited.

Also, I do agree that Androids are not ‘full of malware’ and that such reports may scare users.
But from what you quote of Smobile’s report, I wouldn’t disagree with them. And end-users are hardly ever aware that their phones are unsecure, so educating them can’t be a bad thing.

Finally, I disagree on this point:

“Google is likely to turn on the kill switch before the bad guy can make any real money.”

You have absolutely no proof about that. And my experience (not with Google though) is that they are unlikely to be aware and that the bad guy WILL make money before the tap is closed…

Comment on Android malware hype by Wadael

Wadael — Tue, 29 Jun 2010 08:02:55 +0000

Hi Eric,

You might have heard of the ‘hole’ that would be apps allowed to execute native code which they would get somewhere on the net, sometime later than install.

I use free apps and many have asked for auth. I do not see why they need it.
However, it auth. them to use the apps.

Somehow, it reminds me of the MS EULAs noone reads.

Is there a rule to recognize premium numbers ?

I don’t know how to put nets around those apps without doing a constant survey.

Jerome

Comment on Mobile applications may be dangerous by Axelle

Axelle — Tue, 22 Jun 2010 15:18:12 +0000

Sending SMS is VERY common.
But there are plenty of tricky schemes: transferring microfunds, dialing satellite premium numbers, eavesdropping conversations.

I would recommend you read some of these:
- http://blog.fortinet.com/winceterdial-or-impunity-for-dialers/
- http://www.fortiguard.com/papers/EICAR2010_Symbian-Yxes_Towards-Mobile-Botnets.pdf
- http://www.fortiguard.com/papers/CONFIDENCE2010_FourHorsemen_Malware-on-Mobile-Phones_sildes.pdf

Comment on Countdown: Which security in Java Card 3? by Blaufish

Blaufish — Tue, 01 Jun 2010 22:02:46 +0000

actually, the example app for Java Card connected edition is just a trainwreck of vulnerabilities. And you no longer need a smart card specialist to exploit it, anyone who knows websec can attack it.

http://blaufish.wordpress.com/2010/04/28/a-failure-of-imagination-javacard-3-0-xss-xsrf/

Comment on Mobile applications may be dangerous by Erwan David

Erwan David — Tue, 25 May 2010 10:43:36 +0000

I would think the billing link would work from a smartphone, making it send a SMS to a premium service.

From a PC, I do not see how it is possible.

Comment on Mobile applications may be dangerous by Kooorrg

Kooorrg — Mon, 24 May 2010 23:17:17 +0000

From my point of view, the security implications of user interfaces is the most interesting research topic within the security industry and has been for the last few years. Sure, breaking 3DES or cloning Mifare is fun, but showing that most users do not even check whether a connection is secure or not when making a payment is much more relevant to the day-to-day activities of actual people.

Comment on A new use for the (micro) SIM? by Erwan

Erwan — Wed, 05 May 2010 20:07:27 +0000

That’s done : the method to produce a micro-sim from a sim is at http://www.johnbenson.net/How_to_Convert_a_SIM_to_a_MicroSIM_with_a_Meat_Cleaver/How_to_Convert_a_SIM_to_a_MicroSIM_with_a_Meat_Cleaver.html

Comment on Java Card development environments by Frederic Martin

Frederic Martin — Fri, 09 Apr 2010 09:14:21 +0000

Just an update about usasmartcard.com…

I used to recommend this website but not anymore. Of course you are still free to buy a JCOP smartcard and hope that they still provide JCOP tools with the sample (i did not retry recently), but this “company” is probably a one-guy only thing : They do not answer to mail very often (nearly never in fact) and their website has been compromised/hacked during at least five months… I informed the owner of the website about the security hole (russian javascript injection) and never had an answer… even if at the end they managed to remove the hacked javascript injection.

So… so do not EVER fill a form on their website with your credit card informations.

Comment on Here and Now ! by Eric Vétillard

Eric Vétillard — Tue, 09 Mar 2010 13:53:03 +0000

Agreed with Frederic about the cloud definition. Basically, we are not exactly sure where the server is.

We can also extend it to say that a cloud may contain data from several providers, or that several clouds may need to collaborate. So, security looks like an issue.

Also, the cloud is about managing data, AND about providing services. And that’s where it can become mobile, if it includes mobility-related services, hence the “Here and now”.

So, what should be these mobility-relatey services? Well, mapping is obvious, but there must be much, much better.

Also, related to security, the way in which we handle the “history” of things is interesting. Think about what Microsoft (and others) would disclose to law enforcement about your whereabouts …