Simon Roses holds a B.S. from Suffolk University (Boston), Postgraduate in e-Commerce from Harvard University (Boston), and an Executive MBA from IE Business School (IE, Madrid).
Simon Roses is currently the CEO at VULNEX, driving security innovation. Simon is also working on a project for the DARPA Cyber Fast Track on improving secure software development.
His former companies include: Microsoft, PriceWaterhouseCoopers and @Stake.
Simon has authored and collaborated on several open source security projects such as OWASP Pantera and LibExploit. He has also published security advisories on commercial products.
Simon is a frequent speaker at security industry events including Black Hat, RSA, OWASP, SOURCE, DeepSec and Microsoft Security Technets.
– Simon, your recent talk at Black Hat was about anti-theft software. You talked about various security issues these programs turn out to have. What products have you examined and what is the biggest security problem with them?
– We examined a variety of products such as anti-theft solutions, MDM and anti-virus (as many AV products include anti-theft features nowadays) for desktops (Windows, Linux and MacOS) and mobile (iPhone, Android and Windows Phone). In many cases these products do not understand or address the threats they are supposed to protect from.
– Have you informed vendors directly about these security issues or have they perhaps contacted you and maybe asked not to reveal too much?
– We have not contacted any vendors as we usually don’t, and no vendors have contacted us either. I guess they do not follow security news. We only inform our customers about our security research until we make it public at conferences and in papers.
– How frequently are OWASP Top 10 threats present among anti-theft products?
– Some products did address OWASP Top 10 threats but many did not. We perform a lot of application security reviews and too often we see security issues known for years and widely covered in guides like OWASP Top 10. There are still a lot of developer houses that have never heard about OWASP for example.
– You said that crypto totally fails in these applications. Have you found at least several programs that use crypto properly?
– Yes, some products did a better job providing secure channels, performing server validation and using strong crypto to protect data.
– Do many apps store info in cleartext? Is this a general problem with most of them?
– I will say this kind of issue has decreased (or so I hope) but we still find it too often when we reverse engineer mobile apps.
– What do you think of biometric identification for devices and apps? Have you heard of any positive results in this sphere?
– I read about products and projects, but I have not seen anything fully working yet. This kind of technology can address some issues but developers need to develop secure software anyway.
– Do you know how widely such a security feature as remote revocation is used, where an application can be globally uninstalled on all devices it’s on?
– Both Apple and Google have done this on their platforms to remove malicious software, but fortunately it is rarely used.
– Have you encountered spyware or malware inside legitimate anti-theft products?
– None in any of the products we have examined, but it doesn’t mean it couldn’t exist. We did study 40 products but for sure there are many more. The products in the official markets should be free of malware.
– Are you aware of any cases where anti-theft products helped trace the real robber? Do you have any stats on how many devices were returned to owners with the help of anti-theft software?
– It is really hard to find such stats. Some anti-theft vendors put out some numbers of successful recovery cases to help them with marketing, but we cannot guarantee the authenticity of those claims.
– Does it require strong tech skills to steal a phone and not get traced, or can anyone just find several YouTube videos and do it?
– To steal a phone is not hard at all, but to break its security requires more skills if the device is secured. We can find all kinds of resources – videos, books, etc. – on how to break and secure mobiles.
– Are anti-theft products equally bad among all operating systems or maybe some OS (Android/iOS) offer better anti-theft software?
– All products have common threats, and depending on the platform they can also have specific threats. It is not about the platform but how well the product was developed.
– You found that none of the anti-theft products could really do a secure wipe. It’s a big issue when small and big vendors just fool their customers and do not do what they claim. What do you think?
– We were really surprised to uncover that none of the anti-theft products have secure wipe features; instead they just call the operating system to delete a file or perform a factory reset, so information can be recovered. We think this is a serious issue and anti-theft products are making false claims and charging for it.
– Can you recommend any specific anti-theft solution that is really secure and does what it claims?
– We prefer not to mention any product but I will say that in this case anti-virus products are a bit better, AV from top players mostly.
– Do you know how widely application vulnerability scanners and static code analysis tools are used among mobile software developers? The problem with such tests is they are run during short time periods and not too often whereas attackers have all their time 24/7/365 to hack into anything. What do you think?
– In our experience many software developer houses do not use these kinds of security tools at all due to several reasons (lack of resources or trained staff, etc.). In our security application services at VULNEX we help clients to adopt an application assurance program that fits their needs. We help them use these kinds of tools and more to develop secure and high quality products.
– Please advise our readers who already installed anti-theft software or other security software on how to use it effectively and securely.
– Well, we would recommend doing a Google search on what others say about the product and searching for its vulnerability history. From a user perspective there are several things to do:
- Keep up with operating system and app updates
- Use anti-virus and firewall products
- Encrypt the entire disk on your device
- Always use strong passwords
- Beware of public networks