Mobile Security

RSA: Chaos In the Security World, And the Situation Is Perfect

Right on cue this week, the anarchic hacking collective Anonymous stepped up and grabbed the story line away from the lions of the IT security industry.With the annual RSA Conference set to begin, the whistle blowing site Wikileaks released the first of some five million e-mail messages stolen from the security intelligence firm Stratfor. Ever sensitive to the fickle attention of the media, Anonymous inserted itself into the story, claiming responsibility for leaking the data and pointing a finger of blame at Stratfor and its media, private and public sector customers, which Anonymous accuses of spying and other dark offenses.

Apple Pushes Back Deadline for Sandboxing OS X Apps

Apple has pushed back the deadline for developers to include a sandbox in all of the apps on the Mac App Store, giving them a reprieve until June 1. The deadline was set for March 1, but Apple has changed it in order to give developers more time to work with the new requirements.

Context is a funny thing. In most segments of society, Apple is seen as an exemplary company, with an unrivaled record of innovation, much-admired ad campaigns and a stock price that is the envy of every company not named Google. But in the security community, Apple is regarded with some combination of disbelief, confusion and the disdain that once was reserved for Microsoft. 

When I first saw the release notes for the new Android Ice Cream Sandwich (ICS) platform, I was excited to see that Google mentioned that “Android 4.0 now provides address space layout randomization”. For the uninitiated, ASLR randomizes where various areas of memory (eg. stack, heap, libs, etc) are mapped in the address space of a process. Combined with complementary mitigation techniques such as non-executable memory protection (NX, XN, DEP, W^X, whatever you want to call it), ASLR makes the exploitation of traditional memory corruption vulnerabilities probabilistically difficult.

It’s gotten to the point now where it’s almost easier to talk about the mobile apps and services that don’t ship your personal data off to some remote server for purposes unknown rather than discussing the ones that do. The latest discussion of privacy invading apps flowed from the discovery that Twitter and some other iPhone apps were uploading users’ contact lists without their knowledge. Now, a researcher at Veracode has written a small app that allows users to figure out exactly which iOS apps are doing what with their personal data.

Avi Rubin is the technical director of the Information Security Institute at Johns Hopkins University, and in this talk from the TEDxMidAtlantic conference in November he discusses the history of hacks on various devices, including implanted medical devices, cars and virtually anything else with a computer chip.

VIEW SLIDESHOW Scenes from SAS 2012At Kaspersky Lab’s Security Analyst Summit last week, over 100 researchers and law enforcement officials converged in Cancun, Mexico over the course of five days to network and discuss a veritable cornucopia of security topics. Topics such as privacy, SCADA and PLC security, tracking cybercriminals and the evolution of malware were discussed in depth.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.