Busting Anti-Theft Software Myths: Interview with Simon Roses Femerling

Simon Roses holds a B.S. from Suffolk University (Boston), a Postgraduate in e-Commerce from Harvard University (Boston), and an Executive MBA from IE Business School (IE, Madrid).

Simon Roses is currently the CEO at VULNEX, driving security innovation. Simon is also working on a project for the DARPA Cyber Fast Track on improving secure software development.

His former companies include: Microsoft, PriceWaterhouseCoopers and @Stake.

Simon has authored and collaborated on several open source security projects, such as OWASP Pantera and LibExploit. He has also published security advisories for commercial products.

Simon is a frequent speaker at security industry events including Black Hat, RSA, OWASP, SOURCE, DeepSec and Microsoft Security Technets.

– Simon, your recent talk at Black Hat was about anti-theft software. You talked about various security issues these programs turn out to have. What products have you examined and what is the biggest security problem with them?

– We examined a variety of products such as anti-theft solutions, MDM and anti-virus (as many AV products include anti-theft features nowadays) for desktops (Windows, Linux and MacOS) and mobile (iPhone, Android and Windows Phone). In many cases these products do not understand or address the threats they are supposed to protect from.

– Have you informed vendors directly about these security issues or have they perhaps contacted you and maybe asked not to reveal too much?

– We have not contacted any vendors, as we usually don’t, and no vendors have contacted us either. I guess they do not follow security news. We only inform our customers about our security research until we make it public at conferences and in papers.

– How frequently are OWASP Top 10 threats present among anti-theft products?

– Some products did address OWASP Top 10 threats but many did not. We perform a lot of application security reviews and too often we see security issues known for years and widely covered in guides like OWASP Top 10. There are still a lot of developer houses that have never heard about OWASP for example.

– You said that crypto totally fails in these applications. Have you found at least several programs that use crypto properly?

– Yes, some products did a better job providing secure channels, performing server validation and using strong crypto to protect data.

– Do many apps store info in cleartext? Is this a general problem with most of them?

– I will say this kind of issue has decreased (or so I hope) but we still find it too often when we reverse engineer mobile apps.

– What do you think of biometric identification for devices and apps? Have you heard of any positive results in this sphere?

– I read about products and projects, but I have not seen anything fully working yet. This kind of technology can address some issues but developers need to develop secure software anyways.

– Do you know how widely such a security feature as remote revocation is used, where an application can be globally uninstalled on all devices it’s on?

– Both Apple and Google have done this on their platforms to remove malicious software, but fortunately it is rarely used.
