News

Fortify warns on modification risks from portable devices

06 January 2010

Fortify Software is warning that software crackers are likely to continue modifying relatively low-cost specific-application devices, such as e-readers, but that the potential security risks to companies are significant.

The reason, says Richard Kirk, the security vendor's European director, is that whilst best practice principles are usually applied to a portable firmware-driven device - such as an electronic book reader - in terms of operating system and allied software, all of these principles tend to disappear out of the window when the device is 'cracked' and effectively re-purposed.

Kirk's comments come as the Nook e-book reader - a low-cost device developed by Barnes & Noble last year - has been hacked to fully utilise the Android operating system.

Under the modifications, the e-book reader is effectively turned into an Android operating system-based tablet PC complete with a free mobile connection.

"Although the Nook uses a customised version of the Android operating system, it also supports WiFi and 3G cellular, which means it has connectivity with all manner of systems via the Internet," said Kirk.

"This is why the e-reader - which has already been cracked to load the Pandora web-based music service, a Twitter application and a number of Facebook applications - has now been fully cracked to run most Android applications," he added.

According to Kirk, whilst this is potentially great news for home users of the Nook, it poses a significant security risk for companies interested in using the device for corporate purposes, since there is no way of knowing whether the newly installed software - as well as the operating system cracks - comply with security best practices.

These practices, he says, include the need for regular security testing to ensure software that is being developed is inherently secure.

The software industry, he explained, has been extolling the benefits of secure coding practices - so that developers do not keep introducing vulnerabilities - for many years now, as witnessed by his company's Fortify 360 application vulnerability checking service.

Most 'home brew' software is excellent from a functional perspective, he went on to say, but rarely complies with software development best practices when it comes to security, which is where the risk of using such cracked devices in a company environment enters the frame.

"You wouldn't expect an IT manager to allow unchecked third-party applications to be loaded onto company desktops, so why allow a modified e-reader into the office environment?" he said.

"The problem facing IT managers is that they have no way of knowing whether a portable device like the Nook has been modified or not, which is why we believe that cracked devices like this pose a potentially serious security risk for companies of all sizes," he added.

This article is featured in: Compliance and Policy; Wireless and Mobile Security
