Newsletter

08.17.2021 | 6'' read

Corellium dunks on Apple

by Ryan Naraine

* This newsletter is sponsored by Uptycs, the cloud-native security analytics platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, audit and compliance.

The most clicked link from last week’s issue was the video of Orange Tsai’s talk on scary new attack surfaces found on Microsoft Exchange Server. Here’s the technical paper and slides from the presentation.

Notes.
  • I’m currently neck-deep working on the agenda for this year’s CISO Forum, coming up on September 14-15, 2021. We’ll be talking high-end malware, software supply chain, SBOMs, ransomware and cyber insurance.
  • The Dan Kaminsky Fellowship is now accepting applications.

Monday blues. I was a little verklempt over the weekend as we moved my son Jake into Arizona State University to pursue studies in Computer Science (Cybersecurity).

Computer security is in the midst of an important generational handoff (see my OPCDE keynote) and I’m thrilled to observe this class of students prepare themselves to operate in a tech world that spins in weird ways.

On Sunday, as I watched the kids unpack in new dorms with unbridled optimism, my mind wandered to Sir Ken Robinson’s seminal TED talk on education, creativity and the fact that nobody knows what the world will look like in a few years’ time.

Jake’s class graduates in 2025. What will the security landscape look like? What will the cloud and micro-services look like? What happens to the ransomware epidemic? Can we really get rid of passwords forever? Where does mobile computing go? What happens to security below the operating system?

So many questions for which there are no answers. Jake’s generation gets to pick up the baton, with the impossible task of defending moving goal posts. I wish them the very best.

_ryan


A word from our sponsor – Uptycs 

The Uptycs Security Analytics Platform offers one platform with multiple solutions for EDR, CWPP, CSPM, asset insights and inventory, and audit and compliance. Schedule a demo today.


Corellium dunks on Apple

It’s pretty amusing to watch security startup Corellium dunking on Apple at every opportunity.  Less than a week after prevailing in a legal case filed by Apple, Corellium pounced on the controversy surrounding Cupertino’s new CSAM child-safety system to kick sand in Apple’s eyes:

A new Corellium Open Security Initiative will offer three $5,000 grants and free access to the company’s iOS virtualization platform for researchers who can “validate any security and privacy claims” made by Apple or any other mobile software vendor.

From the announcement:

We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort. Our “jailbroken” virtual devices do not make use of any exploits, and instead rely on our unique hypervisor technology. This allows us to provide rooted virtual devices for dynamic security analysis almost as soon as a new version of iOS is released. In addition, our platform provides tools and capabilities not readily available with physical devices.

We hope that other mobile software vendors will follow Apple’s example in promoting independent verification of security and privacy claims. To encourage this important research, for this initial pilot of our Security Initiative, we will be accepting proposals for research projects designed to validate any security and privacy claims for any mobile software vendor, whether in the operating system or third-party applications.

Separately, the company released Corellium for Journalists less than a month after the NSO/Pegasus scandal exposed Apple’s iOS black hole as a problem for journalists and activists.

Also, a new petition from the Electronic Frontier Foundation:

Apple has abandoned its once-famous commitment to security and privacy. The next version of iOS will contain software that scans users’ photos and messages. Under pressure from U.S. law enforcement, Apple has put a backdoor into their encryption system. Sign our petition and tell Apple to stop its plan to scan our phones. Users need to speak up and say this violation of our privacy is wrong.

People and jobs.

Nation-state APT things.

Readables.

Leftovers.

P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
