I participated on a panel on the topic "Mobile and Smartphone security" at InfoSecurity press conference in London today. My colleagues on panel were Nigel Stanley and John Coley.
The topic of mobile and Smartphone security is very interesting and has many viewpoints. I try to look at some of them, though the list is not exhaustive.
One could say that mobile phones, and especially smartphones, are just smaller computers. That is indeed true, with a twist. We tend to use smartphones almost like an accessory and a personal item. Many take phones to places where they would not take PC (even laptop) with them. That makes phones a target for criminals that want to monitor people's behaviors or even steal information that is nearby. There have been cases where microphone was enabled remotely and real time audit streamed to an attacker.
There are relatively few malware that target mobile phones and smartphones. Especially compared to their PC cousins. However, this is likely to change and we can expect big increase in malware that targets specifically smartphones. The HW and SW concept is very similar to PC (X86 architecture) as are some techniques to secure mobile phones SW and SW.
In some aspect, smartphone security can be seen as being more proactive. Look at mandatory digital signatures, sandboxing and limiting of accessible APIs just to name few.
Training and awareness
In security, most of the problem are caused by ill defined policies and inconsistent/non existent awareness and training. Take for example data classification policies. These document are sometimes very dry, written in highly level language and hard to apply in practical solutions.
I believe hat data security is where the most of the focus should be, followed by sound application and host security practices. If there is good security awareness supported by technology that allow classification and then enforcing the policy, mobile phones can be used in corporate environments. An example, is MS DRM technology that is now arriving at the network near you. Soon, it should be available on your mobile phone.
Mobile operators responsibility
Most of the mobile operators class themselves as "big pipe" from smartphones to the Internet. Yet, they are uniquely positioned to analyse traffic from smartphones for malware. If malware is found quarantine the phone (limit the speed or disable APN completely) and inform the owner of the phone. If this is happening on any network, please let me know.
Finally, mobile phone vendors and appstore operators should take more responsibility in making sure that the platform and applications in the app stores are programmed without vulnerabilities and does not act as malware. For example, if I program a game and plant a malware to extract details from phone's address book, that is very unusual operation.
The semantic web (or web 3.0 as some call it) is loosely defined as machine generated and consumed content. The If This Than That (IFTTT) is...
I have had my new Nexus 7 for 2 weeks now. It's now been updates to Android 4.2 after which I enabled the full disk encryption. Unlike i...
Introduction I am passionate about information risk security management. It is an area that is like shifting sands, constantly moving wi...
I have been using 1Password on my Mac since the version. Then with the arrival of iPhone and later iPad 1Password folks were quick to introd...
Yesterday I wrote about DigiNotar incident . And today another Certificate authority announced the incident as well. Apparently the same hac...
I have attended many interviews over last 10 months, all of them on the right side of the table though. I will never forget one particular c...
Today was certainly very busy in the security world. Security researches and analysis commented on #ShadyRAT report from McAfee. Just try...
I forgot my password for the FT.com site. Solution? Use a password recovery form, which I did, and received this email: Dear FT.com u...
Yet again, I have stumbled on a company that limits maximum password length. This time it is a giant software vendor, Adobe. I simply wa...
(c) Vladimir Jirasek. Powered by Blogger.
- ► 2012 (13)
- ▼ 2011 (23)
- ► 2010 (19)