Friday, December 23, 2011

Android remote shell via no-permission applications

Android's permission management architecture suffers from a vulnerability that allows an attacker to access the system via a remote shell. In this video ... explains how a "no-permission application" - one that does not request any sensitive permission in order to work - can be exploited.
From the original post:

"It is not a zero-day exploit or a root exploit. We are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel."

I think that the issue is a matter of the "Least Privilege" principle!

Saturday, December 10, 2011

Carrier IQ

The Carrier IQ software case was a top news headline. As mobile device usage increases, more user privacy issues arise.

Sunday, November 27, 2011

The importance of program rewriting approach to security

I was reading this post on the Schneier on Security blog:


"..What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications."


"...I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people's lives -- smart phone banking, electronic wallets -- they're simply going to become the most valuable device for criminals to go after. And I don't believe the iPhone will be more secure because of Apple's rigid policies for the app store...securing those devices is going to be hard, because we don't have the same low level of access to these devices that we have with computers."


Untrusted mobile code is spreading over the net, and our lives depend on these applications more and more. There are huge security and privacy concerns here, and we need new mechanisms for using these types of applications securely. Those mechanisms should be flexible enough to enforce different types of security policies - which the program author may deliberately violate - and also powerful enough to be useful. The "program rewriting" approach of language-based security aims to provide this kind of security enforcement, which is suitable for securing untrusted code before it executes on the host platform.
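The program-rewriting idea above, as an added example (not code from this post or from any work it cites): before the untrusted program runs, a rewriter puts a reference-monitor check in front of every security-relevant call. The policy "no send after read_file", the host functions and the `__guard__` name are assumptions made for the illustration, and the empty `__builtins__` is not a complete Python sandbox.

```python
import ast

class PolicyViolation(Exception):
    pass

GUARDED = {"read_file", "send"}  # hypothetical security-relevant host calls
# Constructed host API, for illustration only.
HOST = {"read_file": lambda path: "contact list", "send": lambda data: None}

class Monitor:
    """Security automaton for the assumed policy 'no send after read_file'."""
    def __init__(self, host):
        self.host, self.has_read, self.trace = host, False, []

    def guard(self, name, *args, **kwargs):
        if name == "send" and self.has_read:
            raise PolicyViolation("send after read_file")
        if name == "read_file":
            self.has_read = True
        self.trace.append(name)
        return self.host[name](*args, **kwargs)

class Rewriter(ast.NodeTransformer):
    """Turn f(x) into __guard__('f', x); refuse any other use of a guarded name."""
    def visit_Call(self, node):
        node.args = [self.visit(a) for a in node.args]
        node.keywords = [self.visit(k) for k in node.keywords]
        if isinstance(node.func, ast.Name) and node.func.id in GUARDED:
            name = ast.Constant(node.func.id)
            node.func = ast.Name("__guard__", ast.Load())
            node.args.insert(0, name)
        else:
            node.func = self.visit(node.func)
        return node

    def visit_Name(self, node):
        if node.id in GUARDED or node.id == "__guard__":
            raise PolicyViolation("indirect use of " + node.id)
        return node

def run_untrusted(source, host=HOST):
    """Rewrite the untrusted source, then run it with only the monitor in scope."""
    tree = ast.fix_missing_locations(Rewriter().visit(ast.parse(source)))
    monitor = Monitor(host)
    exec(compile(tree, "<untrusted>", "exec"),
         {"__builtins__": {}, "__guard__": monitor.guard})
    return monitor.trace
```

Aliasing a guarded function (`s = send`) is rejected at rewrite time, so the check cannot be bypassed by calling the function under another name.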

Sunday, November 6, 2011

Language-based Security

For anyone who wants to begin studying language-based security, this paper, written by is the best:
"A Language-Based Approach to Security"
It is a comprehensive introduction to the field and explains the main idea.

Tuesday, October 18, 2011

Interesting research on attacking CAPTCHAs

CAPTCHAs have been widely used as a defense against automated attacks. This interesting research shows that CAPTCHAs - like any other security mechanism - are not the final solution!
Abstract:
We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we designed our attack. This suggests that our attack works in a fundamental level. Our attack appears to be applicable to a whole family of text CAPTCHAs that build on top of the popular segmentation-resistant mechanism of "crowding character together" for security. Next, we propose a novel framework that guides the application of our well-tested security engineering methodology for evaluating CAPTCHA robustness, and we propose a new general principle for CAPTCHA design. 

According to the paper, a CAPTCHA must be "segmentation resistant", which refers to how hard it is for attack software to locate individual characters (rather than to recognize what a character is).

Tuesday, October 11, 2011

The First Post

This is the first post of the "Thoughts on IT Security" blog. Here I want to write about and share different things related to the information and IT security world.
For now, look at this article from sophos.com's nakedsecurity blog about the threats facing children when using devices like the iPad at school:

"I was chatting with a friend of mine whose 5-year-old twins start school this year. She was telling me about the list of school supplies they need: pencils, crayons, paper, iPad..
Say again?? Yep, she said iPad. It was a new policy this year for all students at the school to have an iPad. Apparently her twins are not allowed to share, so she will have to purchase two of them.
I sat back and started thinking about this. Besides the obvious price implications of demanding parents buy an expensive device for their young child, what was being done to ensure safe and secure surfing?"

Exactly the same situation happened to me. The writer explains different concerns and threats on this issue.