Sean Michael Kerner Blog
Symbian signed malware - does signing matter?

From the 'who can you trust' files:
The Symbian mobile OS is used by millions of phones globally and thanks to a (now corrected) oversight they could have potentially installed malware - with Symbian's approval.

Symbian has a program called Symbian Signed, which digitally signs applications that meet the approval of Symbian. That system was thwarted and a piece of mobile malware known as Transmitter.C (aka Sexy Space and Sexy View) was signed.

Symbian admitted the signing on Thursday and also provided a fix which demonstrates the power of the signing process.

"As soon as we were notified of that (the following day) we revoked both the content certificate and the publisher certificate used to sign the malware," Symbian security chief Craig Heath blogged. "That means that the Symbian software installer will not now install the malware, providing that revocation checking is turned on."

Ok so Symbian signed a bad piece of code - that's bad - but the signing system does work as it should, doesn't it?

You see, with a digital signature or certificate there is always a signing authority. That authority not only signs the app, it is also where browsers (in this case the mobile phone) check to ensure the authenticity of the signature or certificate. The signing authority can revoke a certificate/signature, which is exactly what Symbian is doing in this case. The system works (or does it?).

How a piece of malware was signed in the first place is another story. Symbian uses the services of Finnish anti-virus vendor F-Secure in order to scan apps for malware. F-Secure's chief research officer Mikko Hypponen blogged that in his view, "...the virus writer submitted the malware through the Express Signing procedure, where most applications are not inspected by humans."

That's still a little troubling to me. It still means the virus was scanned and that it passed the test. I personally think that is a major issue for F-Secure and one that affects their credibility.

That issue aside, Hypponen does not see the revocation of the certificates to be the end of the problem for Symbian.

"The revocation certificates are not immediately distributed to all the hundreds of millions of Symbian smartphones," Hypponen wrote. "The default setting in most Symbian phones has to be changed to enable them to receive revocation certificates. To do this, go to Application Manager's Settings and set the Online certificate check to Must be passed."
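
The gap Hypponen describes can be shown with a small model of the installer's decision. This is an added example, not code from the post or from Symbian; the "Off" and "On" values and the fail-open behaviour of "On" are assumptions (the post only names "Must be passed"), and the certificate serials are constructed.

```python
from enum import Enum

class Policy(Enum):            # models the "Online certificate check" setting
    OFF = "Off"                # assumed value: no revocation lookup at all
    ON = "On"                  # assumed value: look up, but fail open
    MUST_BE_PASSED = "Must be passed"   # value named in the post: fail closed

class Status(Enum):
    GOOD, REVOKED, UNKNOWN = range(3)   # UNKNOWN = no answer from the authority

class Responder:
    """Constructed stand-in for the signing authority's online status service."""
    def __init__(self, revoked=(), reachable=True):
        self.revoked, self.reachable = set(revoked), reachable

    def status(self, serial):
        if not self.reachable:
            return Status.UNKNOWN
        return Status.REVOKED if serial in self.revoked else Status.GOOD

def install_decision(chain, signature_ok, policy, responder):
    """Return (allowed, reason); chain lists the signing certificates' serials."""
    if not signature_ok:
        return False, "signature invalid"
    if policy is Policy.OFF:
        return True, "signature valid, revocation never checked"
    statuses = [responder.status(serial) for serial in chain]
    if Status.REVOKED in statuses:
        return False, "certificate revoked"
    if Status.UNKNOWN in statuses:
        if policy is Policy.MUST_BE_PASSED:
            return False, "status unavailable, failing closed"
        return True, "status unavailable, failing open"
    return True, "signature valid, certificates not revoked"

# Constructed serials for the two certificates the post says were revoked.
CHAIN = ["CONTENT-CERT-01", "PUBLISHER-CERT-01"]

def survey():
    """Decision for every policy, with the authority reachable and unreachable."""
    out = {}
    for policy in Policy:
        for reachable in (True, False):
            responder = Responder(revoked=CHAIN, reachable=reachable)
            allowed, _reason = install_decision(CHAIN, True, policy, responder)
            out[(policy.value, reachable)] = allowed
    return out

if __name__ == "__main__":
    for (policy, reachable), allowed in survey().items():
        print(f"{policy:15} reachable={reachable!s:5} install_allowed={allowed}")
```

In this model the revoked package is refused in every case only under "Must be passed"; with checking off, or with a fail-open check and no answer from the authority, the still-valid signature is enough to install.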

1 Comment

Good information, so we have to look into other options. Me personally, I have a Nokia N95 8 GB and I have put my eyes on the new N97 version.
So I'm interested in the possible options for protecting my phone. I also read that BitDefender is working on a beta version designed for Symbian that will appear this year.