The Google Two-Step

February 11, 2011

Google has announced that two-factor authentication will be available for users to log into their Google Apps / Gmail accounts. Essentially, the account holder’s mobile phone is used as an authentication token; once the number is registered, the user can opt to receive a numeric authentication code via SMS or voice call, or generate it with a local application. Both the traditional password and the authentication code from the phone must be used to access the account.

This is a tremendous step forward in security, especially for a free online service. Passwords have historically been the weak link in most network security schemes; they are often easily guessed or acquired through social engineering techniques. By requiring users to not only have a password but also have a physical token like a designated mobile phone, Google can render phishing and brute-force attacks completely impotent.

Excellent.


New HP Products

February 9, 2011

HP has been remarkably quiet since their acquisition of Palm last year, but that might be changing soon – it looks like they will be releasing a new tablet as well as a pair of new phones. It will be interesting to see if the WebOS platform, which was an impressive product doomed by Palm’s atrocious marketing techniques, can gain a foothold in the iOS-dominated smartphone and tablet market.


Android Data Leak

February 2, 2011

A new exploit has been discovered for a once-patched vulnerability in Android 2.3. A security hole in the default web browser allows a malicious web page to harvest the contents of the handset’s SD card, which could contain sensitive information.

Google is aware of the issue; their current workarounds are to disable JavaScript, use a different web browser, or remove the SD card.


In-App Purchases on Android

January 26, 2011

Google has announced that they are adding the capability for purchases from inside of an application to the Android operating system. For example, if a video game company wants to sell additional content to players, that will be doable from inside of the game itself rather than some kludgey additional app download.

I can’t wait to see what the scammers come up with to exploit this idea.


iPhone NFC

January 25, 2011

Apple is planning on introducing NFC, or “Near Field Communications”, in the next generation of iDevices. This means that users will be able to pay for purchases at NFC-compliant kiosks using their smartphone as an authentication token.

It will be interesting to see how Apple secures this functionality; I would hope that there is some sort of PIN or other unlocking required. Otherwise, losing a phone would be equivalent to losing a phone and a credit card. In fact, since NFC payment is generally a direct bank account debit rather than a credit transaction, it would be even worse.


Rogue GSM

January 21, 2011

An interesting demonstration at Black Hat DC, proving how easy it is to create a fake GSM network and lure unsuspecting users into connecting to it.

From the article:

Ralf-Philipp Weinmann showed how to cobble together a laptop using open-source software OpenBTS and other low-cost gear to create a fake GSM transmitter base station to locate iPhones in order to send their owners a message. A number of iPhone users in the room expressed surprise that they had gotten a message asking them to join the network.

Weinmann, who is researching vulnerabilities in cellular networks, said that with the right equipment, the range for the rogue GSM station he built can be 35 kilometers.

Once someone is connected to a GSM station you own, of course, that means that their voice traffic will pass through it and can be easily recorded. Perhaps it’s time for an overhaul of the Clinton-era code underlying the GSM networks.


Soundminer

January 20, 2011

Security researchers have developed an application for Android phones that listens to phone calls, and records any credit card numbers or PINs that are spoken or entered on the keypad.

The Android platform does require the user to explicitly allow the application to have access to Phone features at install time, but this is more of a social engineering issue than anything else. Disguising this as another app in a trojan horse scenario would be trivial.