Archive for the ‘Risks’ Category

Thoughts on Trusting Password Managers

Tue, 14 Dec 2010

There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of that is a privacy issue (anonymous comments are now no longer anonymous) but the main concern seems to be passwords from Gawker Media sites being used to gain access to accounts on other systems.

First, a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were one-way encrypted, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or find out about zero-day exploits). It doesn’t really matter how good the password encryption was either; once the encrypted passwords are available, off-the-shelf hardware can run through a staggering number of possible passwords to “brute-force” the encryption in seconds.

There are really only two defences, (more…)


Give the Bad Guys your PayPal Account?

Thu, 20 May 2010

I was concerned to read this blog post from PayPal’s VP of Platform, announcing their Mobile Payments Library. The feasibility of in-application mobile payments is something I’ve looked at often over the years, and I’ve always come to the conclusion that it’s extremely difficult to do securely. I haven’t seen any evidence here that PayPal have solved that.

There are some interesting challenges at the API level that are probably only relevant to security geeks (how does the service know that the application that’s invoking it is properly authorised?) but I won’t go into that now, because it seems there is a more basic and glaring error:

(more…)

Freeware Application Testing Idea

Thu, 01 Apr 2010

We know that there is a lot of inconvenience associated with distributing free (as in beer) applications for the Symbian platform at the moment – either the developer has to pay to get it Symbian Signed or every user has to sign the application for their own phone using Open Signed Online.

I am suggesting that the Symbian Foundation should host a beta test site for free applications. Developers and volunteer testers would be able to sign up to the site with just an email address and an IMEI, and then they could upload any application they like, and download any application they like. On download, the application would automatically go through Open Signed Online and be signed for that user’s specified IMEI.

(more…)

Health Apps on Phones?

Mon, 08 Feb 2010

This post is about trustworthiness (security in a broad sense) and specifically about reliability.

I see increasingly frequent suggestions that people should use their phones to monitor their health. This is, on the face of it, attractive; being an insulin-dependent diabetic, I carry a blood glucose meter with me pretty much everywhere, and in line with the general trend of convergence (calculator, camera, music player, radio, etc.) wouldn’t it be great if that was built into my phone?

Well yes, that would be very convenient, but I’m afraid I think it’s a fundamentally bad idea.

(more…)

Worry Less About Malware, More About Losing Your Phone

Fri, 25 Sep 2009

There’s a very good article on the PC World Magazine site about the risks of mobile phone banking. The author, Eric Larkin, rightly suggests that the biggest risk is the physical one of losing your phone and someone finding information on it that could be used for identity fraud.

I don’t have good statistics on the number of mobile phones infected with malware yet, although I am in discussions with the GSM Association Security Group to see if we can publish some; still, I’m personally convinced it’s nowhere near “1 in 63”! Statistics on the theft of phones are easier to come by. In the UK, a 2009 report published by a government department states that 2% of mobile phone owners had their phones stolen in the 12 months covered by the survey – that’s 1 in 50. More people must surely have lost their phones by accidentally leaving them on trains, buses or in taxis, so physical loss of your phone does indeed seem to be the biggest risk.

The lesson? USE THE DEVICE LOCK ON YOUR PHONE! Yes, it’s a little bit of extra inconvenience, but it’s an important protection against identity fraud, which a lot of people are worrying about these days. There are step-by-step instructions for various devices here.