Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Jailbreaking Mobile Devices: Thats Not The Real Problem
Threaded  |  Newest First  |  Oldest First
cgates666
cgates666,
User Rank: Apprentice
10/12/2015 | 12:22:18 PM
Agree with you right up to the last paragraph
Excellent article, except I take exception with your last paragraph.  Making the assertion that the solution lies at the App layer is living in a "fool's paradise".  

"Yes" the App has to have mitigations for its vulnerabilities as they exist at the App level, but that is a far cry from actually securing the operating environment. And without securing the OS operation the App can be made to believe that anything is occurring (or not occurring) as desired to exploit a weakness in the system.

Security is a chain that has to have 'strong links' at every level.

There has been a marketing trend of late, claiming that "their product" can magically secure the operating environment by running it on your App.  Managers love this type of easy solution; it is just a shame that they are largely ineffective, at best just securing some limited aspects of App operation.  At worst they are a lot of 'security theater' and hand waving.

In my opinion, the best approach is a multi-layered solution with a hardware root of trust.  The use of TrustZone is a good first step towards this, and with all the security company acquisitions that ARM is making lately apparently they must be headed in that direction as well.

Now all we have to do is to convince the OS manufacturers that security is important enough to us that they will then start to use some of these hardware security tools that are available to them.

Instead they are releasing "new features" like 'upper / lower case keyboards' and 'long press', as if these are some new revolutionary concepts.  We need them to focus on the real issues, not the fluff.

Maybe voting with our wallets will get their attention.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-33085
PUBLISHED: 2022-06-30
ESPCMS P8 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the fetch_filename function at \espcms_public\espcms_templates\ESPCMS_Templates.
CVE-2022-33087
PUBLISHED: 2022-06-30
A stack overflow in the function DM_ In fillobjbystr() of TP-Link Archer C50&A5(US)_V5_200407 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.
CVE-2022-31115
PUBLISHED: 2022-06-30
opensearch-ruby is a community-driven, open source fork of elasticsearch-ruby. In versions prior to 2.0.1 the ruby `YAML.load` function was used instead of `YAML.safe_load`. As a result opensearch-ruby 2.0.0 and prior can lead to unsafe deserialization using YAML.load if the response is of type YAML...
CVE-2022-33082
PUBLISHED: 2022-06-30
An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.
CVE-2013-5683
PUBLISHED: 2022-06-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2013. Notes: none.