Two papers on mobile security were presented at the 20th USENIX Security Symposium, held in San Francisco recently.
Both touch on mobile security, a topic that’s become increasingly hot lately as security vendors warn that this may well be the year of the mobile hack.
Other security news this week includes the launch of security products and updates in the mobile and wireline areas, as well as Patch Tuesday, which took place just this past week.
On to the USENIX papers.
Many Nodes Make Security Work
One of the papers presented at the USENIX conference was “Security Fusion: A New Security Architecture for Resource-Constrained Environments.”
Authored by Suku Nair, Subil Abraham and Omar Al Ibrahim of Southern Methodist University’s HACNET Labs, the paper proposes building a large security umbrella for wireless sensors and RFID tags by aggregating strong security from each node rather than depending on each node to protect itself.
Each node is equipped with three components: computation, storage and communication. The communication model is limited to a challenge-response interaction between the device readers and the nodes. Every node shares a secret key with the overall system.
The more nodes there are, the stronger the security.
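To make the challenge-response model concrete, here is an added illustration (not code from the paper, and not the paper’s Security Fusion aggregation step, whose details the article does not describe). It assumes a generic keyed-MAC exchange: the reader issues a fresh random challenge, the node answers with an HMAC computed under the secret key it shares with the system, and the system verifies the answer and refuses to accept the same challenge twice. The node identifiers and keys are constructed for the example.

```python
import hmac
import hashlib
import secrets

# Hypothetical per-node secret keys, constructed for this example. How the
# paper distributes keys is not described in the article; each node simply
# shares one secret with the overall system.
NODE_KEYS = {
    "node-01": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "node-02": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def issue_challenge() -> bytes:
    """Reader side: a fresh random nonce, so a recorded response is useless later."""
    return secrets.token_bytes(16)


def node_respond(node_id: str, key: bytes, challenge: bytes) -> bytes:
    """Node side: HMAC-SHA256 over (node_id || challenge) under the shared key.

    The key never leaves the node; only the 32-byte tag is sent to the reader.
    Binding the node id into the MAC stops one node's answer being replayed
    as another node's.
    """
    return hmac.new(key, node_id.encode() + challenge, hashlib.sha256).digest()


def system_verify(node_id: str, challenge: bytes, response: bytes,
                  keys: dict = NODE_KEYS) -> bool:
    """System side: recompute the tag for the claimed node and compare in
    constant time. Unknown nodes and wrong keys both fail."""
    key = keys.get(node_id)
    if key is None:
        return False
    expected = hmac.new(key, node_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


class Reader:
    """A device reader that remembers the challenges it issued and accepts
    each one at most once, so a captured (challenge, response) pair cannot
    be replayed."""

    def __init__(self, keys: dict = NODE_KEYS):
        self.keys = keys
        self.outstanding = set()

    def challenge(self) -> bytes:
        c = issue_challenge()
        self.outstanding.add(c)
        return c

    def accept(self, node_id: str, challenge: bytes, response: bytes) -> bool:
        # Reject challenges this reader never issued or has already consumed.
        if challenge not in self.outstanding:
            return False
        self.outstanding.discard(challenge)
        return system_verify(node_id, challenge, response, self.keys)


if __name__ == "__main__":
    reader = Reader()
    c = reader.challenge()
    r = node_respond("node-01", NODE_KEYS["node-01"], c)
    print("fresh response accepted:", reader.accept("node-01", c, r))
    print("replayed response accepted:", reader.accept("node-01", c, r))
```

The point of the shared-secret model is that the node only ever proves knowledge of its key; the reader learns nothing it could reuse, and the system, not the node, is the place where keys are stored and verification decisions are made.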
Stealing Mobile Device Keystrokes from a Distance
The other paper discussed here is on inferring keystrokes on touchscreens from smartphone motion.
Its authors, Liang Cai and Hao Chen from the University of California at Davis, state that every time you touch a key on the soft keyboard of a mobile device held in your hand, the phone moves just a little. The device’s motion sensors pick up that movement, and it can be used to infer your keystrokes.
As proof, they developed TouchLogger, an Android app that does exactly that. The app’s success rate was more than 70 percent for keys typed on a numbers-only soft keyboard.
There’s a lot about azimuth angles, tuples, dominating edges, and “max (bp 2+g 2) on the upper lobe (b>0)” in the description of how TouchLogger works, but boiled down to the basics, it means that the angle at which your device tilts after you touch a key can reveal which key you touched. Wouldn’t poker players call that a tell?
Post-Patch Tuesday Blues
Pay special attention to the software patches released by Microsoft last Tuesday and install them if you haven’t done so already.
One of the patches fixes the so-called ping of death. Apparently attackers can leverage this bug to cause a remote reboot of Windows devices even if their local firewalls are up.
Another patch you should especially focus on is the one for Internet Explorer.
“Given the continued increase in client-side bugs over the last few years, IE patches should always be a top priority for all users,” Andrew Storms, director of security at nCircle, told TechNewsWorld.
The ping of death bug will most severely affect businesses with high-availability requirements, Storms added.
Mobile Security Announcements
Roam Data has announced that it has become the leading provider of secure mobile phone card readers worldwide, with about 300,000 sold to merchant service providers.
Roam’s products are mag stripe cards that incorporate payment card industry (PCI) security.
Won’t mag stripe cards be overtaken by other forms of mobile payments?
“What merchants care about the most is whether they can accept a payment form to close the sale,” Will Graylin, Roam Data’s founder and CEO, told TechNewsWorld. Other forms of mobile payment will take years to really gain a foothold, he added.
Meanwhile, McAfee is pushing into the mobile security arena. Last week, it jointly announced with Sprint that McAfee Mobile Security and McAfee Family Protection Android Edition will be available for Sprint customers as apps in the Android Market.
On Monday, McAfee announced McAfee WaveSecure software iOS Edition. This is an app that protects individual iPhone users.
Wireline Security Announcements
Prolexic Technologies, which offers Distributed Denial of Service (DDoS) mitigation services, says it’s become the first DDoS mitigation provider to secure PCI DSS (Payment Card Industry Data Security Standard) level 2 certification.
Companies with a global reach may look to CSIDentity for their security needs. CSIDentity has officially launched Global ID Protector, an identity protection solution that spans languages and geographical locations.
The product was deployed in July and is only now being officially launched, Joe Ross, president of CSIDentity, told TechNewsWorld.
Kaspersky Lab on Monday unveiled its 2012 line of PC security software. This consists of Kaspersky Internet Security 2012 and Kaspersky Anti-Virus 2012.
These are hybrid products, leveraging the cloud and feeding the information to software installed on users’ PCs. Users get real-time data from the cloud, and Kaspersky’s products check the trustworthiness of files on users’ PCs against a worldwide reputation check.