Apple’s #gotofail weekend

February 24, 2014 by

gotofail

In case you spent your weekend watching closing ceremonies and not reading tech news, there was a lot of buzz around a security problem in Apple products. On Friday, Apple released an emergency update for iOS7 that fixed a severe vulnerability in their SSL/TLS implementation on the iPhone.

For those who are not technically inclined, SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the encryption protocols underlying, among many things, the little lock icon you see in the upper right corner of your browser. This encryption protects you from eavesdroppers when logging into any secure site, like your bank account. It also protects you from actors like the NSA (and other governments) scooping up your emails in bulk when you’re … well … anywhere. After Apple released the emergency update for iPhone, security firm CrowdStrike examined the patch and reverse engineered the vulnerabilities it was addressing, only to find out that it repaired some pretty significant parts of the iPhone operating system. They also found that the same vulnerability exists in Apple’s OS X operating system meaning that the problem extends to Mac OS X laptops/desktops, not just iPhones. [Read more…]

Filed Under: Blog Tagged With: , , , ,

Circumvention Tech Summit

April 26, 2013 by

Hong Kong | April 26-28, 2013

I participated in the third annual Circumvention Tech Summit.  This meeting of developers and activists is focused on increasing dialogue among circumvention tech developers and providing them with the knowledge and resources they need to create and develop better tools.

Filed Under: Talks Tagged With: , , ,

ACM Conference on Security and Privacy in Wireless and Mobile Networks

April 17, 2013 by

Budapest, Hungary | April 17-19, 2013

WiSec presents high quality research papers exploring security and privacy aspects of wireless communications, mobile networks, and their applications.

I gave a plenary talk about mobile threats to privacy. My presentation covered common threats to mobile privacy and security, focusing on what information is stored on your smartphone and what information is shared – intentionally and unintentionally – with cloud providers and third parties. I reviewed common security problems and pitfalls, as well as the privacy risks consumers assume by operating smartphones powered by a burgeoning advertising industry.

Filed Under: Talks Tagged With: , ,

FinCapDev: Privacy, Security and Mobile App Development

April 10, 2013 by

I hosted a webinar with Manas Mohapatra, the Director of Mobile Policy for the Federal Trade Commission’s Mobile Technology Unit, for the FinCapDev Finalists.  We discussed security and privacy issues related to mobile app development.

Webinar is archived here.

Filed Under: Talks Tagged With: , , , , ,

Facepalm

June 18, 2012 by Leave a Comment

facepalm
There’s been a lot of attention around the Israeli facial recognition startup Face.com.  They, amongst other things, make a mobile app called “KLIK” which lets users tag their friend’s faces in real-time, as they walk down the street. Just today, they announced that they’re being acquired by Facebook for $100M.

A few weeks ago, I noticed a different kind of excitement surrounding the startup. I found an extremely basic vulnerability in the which the app allows access to other user’s KLIK information, including private ‘authentication tokens’ (i.e keys) for user’s Facebook & Twitter accounts (KLIK relies on Facebook to use the app).

Face.com essentially allowed anyone to hijack a KLIK user’s Facebook and Twitter accounts to get access to photos and social graph (which enables ‘face prints’), even if that information isn’t public.

[Read more…]

Filed Under: Blog Tagged With: , , , ,

NYU/Princeton Conference on Mobile and Location Privacy: A Technology and Policy Dialog

April 13, 2012 by

NYU Law School, New York, NY | April 13, 2013

People routinely carry smartphones and other devices capable of recording and transmitting immense quantities of personal information and tracking their every move. Privacy has suffered in this new environment, with new reports every week of vulnerabilities and unintended disclosures of private information. New York University’s Information Law Institute and Princeton’s Center for Information Technology Policy hosted a technology and policy dialogue about the new world of mobile and location privacy.  They brought together the policy and technology communities to discuss the substantial privacy issues arising from the growth of mobile and location technologies.

I gave a technical demonstration.

NYU/Princeton Conference on Mobile and Location Privacy — Technology Demonstration: Askhan Soltani from NYU Information Law Institute on Vimeo.

Filed Under: Talks Tagged With: , , ,