I thought I'd write a blog entry around this, as it seems that it is a question that comes up a lot when speaking to press, operators, enterprises, and users alike. The common question is usually along the lines of: "Why not build security into the network to protect mobile devices?" In this case the “network” could be cellular, WiFi, WiMax, or a hybrid of technologies; “mobile devices” can be cell phones, SmartPhones, PDAs or laptops, among others.
Well, there are two reasons why a network can’t mitigate all the risks involving mobile devices. First, mobile devices today are not always connected via a network that is controlled by just one entity. For example, it is feasible (although in my experience, rare) within GPRS (2.5G) or UMTS (3G) to ensure that a roaming user's traffic never touches the home operator’s Gateway GPRS Support Node (GGSN) when the user is, say, accessing the Internet using a mobile device (this is dependent on the policies...
Lately, there has been a whole bunch of cities announcing plans for the creation of municipal (“muni”) Wi-Fi networks. From San Francisco and Silicon Valley to New York, Philadelphia, Toronto, and even Paris, this seems to be the hot new thing to do for cities that want to be "modern". Everyone...
I've always wondered why SMS/MMS isn't used more often for spam or other malicious activities (CommWarrior being one notable exception). After talking to people in the industry about this, (that is, the security industry with a cellular or mobile flavor) it became apparent that we all have numerous hypotheses that try to explain the lack of SMS/MMS spam or phishing attacks. Some of the ideas that I've heard over the years include: a) It costs money to send SMS/MMS messages, whereas to send e-mail it, for all intents and purposes, is free. b) Any spam originating from a single operator or third party SMS/MMS originator can easily be shut down. c) There is no need to complicate things as people still fall for e-mail phishing.
These opinions are certainly valid, but I think the tide may be turning, albeit on a very small scale. SMS is...
HD Moore and the MetaSploit project have gone to town with their toolbox of fuzzers and insight. They have unleashed a raft of security vulnerabilities on the world, in major browsers across many different platforms, one a day for an entire month (it is now day five of the Month of Browser Bugs as I write this).
While I think it's awesome that HD and the project team have made such a concerted effort to investigate most of the major sub-systems used in today's browsers (I don't want to detract from their initiative, motivation, or skill) it should be noted they were not the first to take a look at them, thinking that, aside from ActiveX (for a change) they could be fuzzed with high yield results. Similar methods were used by the illustrious group at Oulu university in 2001,...
