...stuff I do and things I like...

Thursday, March 14 2013

Mobile Security News Update March 2013 part 2

CanSecWest was pretty good this year. My favorite talks were (no order): Desktop Insecurity - Ilja van Sprundel & Shane "K2" Macaulay, Smart TV Security - SeungJin Lee, Godel's Gourd - Fuzzing for Logic Issues - Mike "dd" Eddington, and Reflecting on Reflection - Exploiting Reflection Vulnerabilities in Managed Languages - James Forshaw. I can't wait to get the slides.

Call for Papers:
I totally missed Black Hat Europe, it had some interesting talks: The M2M Risk Assessment Guide, A Cyber Fast Track Project - Don A. Bailey, Practical Attacks Against MDM Solutions - Daniel Brodie + Michael Shaulov, Off Grid Communications With Android- Meshing The Mobile World - Josh Thomas + Jeff Robble, Next Generation Mobile Rootkits - Thomas Roth.

An interesting looking paper from TROOPERS13 UI Redressing Attacks on Android Devices (apparently it was released at Black Hat Abu Dhabi last year).

News Fun find by my former co-worker Matthias: Lost connection to Battery ... WTF!?!

Monday, March 04 2013

Mobile Security Update March 2013

Review RSA
    Last week I attend the RSA Conference for the first timer ever. I always had the impression that it is not worth going but this year I went anyway. The plan was to just hang around at the various side events that take place during RSAC. Meeting with people etc. That part is totally worth it if you can spent the day doing actual work. I ended up going to the conference to speak on the Mobile Security Battle Royale panel (as a replacement for Jon Oberheide). So I got a conference pass and could checkout the actual conference and expo. The expo was pretty standard if you are used to attend events like CeBIT or maybe CES. Just smaller and security companies only. I didn't have the chance to attend other talks besides Big Brother's Greek Tragedy State-Deployed Malware & Trojans so I can't really make my mind up if it is worth the money or not.

    SC Magazine wrote an article about the panel I spoke on. Here are some comments: Android certainly does support remote updates. But the problem really is that manufacturers and mobile carriers stop supporting devices after 12-18 month.

    Infiltrate posted a few more talks. The one I'm really interested in is: Josh "m0nk" Thomas - NAND-Xplore -> Bad Blocks = Well Hidden.

    Troopers in Heidelberg Germany (March). They have a few interesting talks: UI Redressing Attacks on Android Devices by Marcus Niemietz, Malicious Pixels: QR-Codes as attack vectors by Peter Kieseberg, Corporate Espionage via Mobile Compromise: A Technical Deep Dive by David Weinstein and a few other non mobile talks that look really interesting.

    Hack in the Box Amsterdam LTE Pwnage: Hacking HLR/HSS and MME Core Network Elements, SMS To Meterpreter: Fuzzing USB Internet Modems. I really need to go to HITB some day.

New Conferences
    NSC - NoSuchCon is a new conference held in May in Paris, France. The organizers seek strong (only) technical content.

    HTC Settles Privacy Case Over Flaws in Phones Interesting read, quote: The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows-based phones in ways that let third-party applications install software that could steal personal information, surreptitiously send text messages or enable the device's microphone to record the user's phone calls.

Personal note: