SensePost is proud to announce a competition to identify the best information security research published by a resident of South Africa in 2011 (Jan 1st to Dec 3rd). Much security research is unfunded and private but, when published, enters the toolsets and minds of security companies worldwide. South Africa's security industry is best-described as "fledgling", and we want to support researchers who produce quality research.

Heads up: even if you're not a researcher, you can still win by nominating work, so continue reading.

What are we doing?

On December 3 2011 at B-Sides Cape Town, SensePost will present a prize for the best research by a South African resident. In order to judge this, we are seeking nominations for the prize.

Dates?

• November 21 - Competition announced
• November 30 23:59 - Nominations close
• December 3 - Winner announced at B-Sides Cape Town

Who qualifies as a nominator?

Any living person. You can nominate as many pieces of research as you like. You can also nominate your own work, if it qualifies with everything below.

Who qualifies as a researcher?

Any resident of South Africa. Publication location can be local or international.

SensePost employees and members of the judging panel are obviously excluded.

What research qualifies?

A single piece of information security research published in 2011 at, at the minimum, a semi-formal venue. Conferences (industry cons such as ITWeb, ZaCon or B-Sides and academic cons such as ISSA, SATNAC or SAICSIT), journals, whitepapers all are in scope. Blogs, forums and IRC unfortunately don't count. We aim for inclusivity, so contact us (see below) if you're unsure.

We're seeking interesting / groundbreaking / game-changing information security research, either industry-focused or academically-inclined.

You're welcome to make multiple nominations for different work, and even nominate your own work.

What are the prizes?

R5000 (five grand) in cold hard cash, awarded to a single piece of work (no runner-ups), with the entire prize going to the winner. In the event of co-authors, the prize will be split as they deem fit. Should it not be possible to track down the prize holder (anonymous etc), then the prize money will be awarded to the next best work.

In addition, we'll award a R500 finder's fee to the person who nominated the winner. Should the winner have been nominated multiple times, then all verified nominator names will be placed into a hat and a single winner drawn.

Do I need to be present at B-Sides Cape Town?

No. While it would be great, your presence there isn't required. Winners will be announced at B-Sides and later notified via email. An interview will be conducted with the winner for further exposure of their research.

Who is judging this?

A few senior SensePost guys in collaboration with industry/academic peers. Full panel will be announced when the winners are announced.

Submission!!!

Mail the details below to zaprize@sensepost.com.

• Researcher Name
• Research Title
• Publication Venue and Date
• Your (nominator's) name. Handle is fine, but if you want to enter the finder's fee competition, we'll need a name too.

Boilerplate

Judges decision is final and, while we will accept correspondence, it will be printed out and made fun of. But we're not changing our decisions.

This week, Charl van der Walt and I (Saurabh) spoke at Mobile Security Summit organized by IIR (http://www.iir.co.za/detail.php?e=2389).

Charl was the keynote speaker and presented his insight on the impact of the adoption of mobile devices throughout Africa and the subsequent rise of security related risks. During his talk, he addressed the following:

• Understanding the need for mobile security to be taken seriously in Africa
• Analysing the broader implications for the user and the company
• The types of attacks occurring against mobile devices
• What does the future of mobile security look like and what are the potential threats to users?
• Understanding the particular threats posed by smartphones and other portable devices, e.g. tablets

The presentation can be accessed via link below:

http://prezi.com/as-szhrug5zr/examining-the-impact-of-the-adoption-of-mobile-devices-throughout-africa-and-the-subsequent-rise-of-security-related-risks-sensepost-information-security/

I spoke on iPhone and Android security, demonstrating the ease with which mobile security can be breached and presented some live demos. Below is the agenda of my talk:

• Why everyone rants about SmartPhone security
• Understanding iPhone Application layout
• Decrypting iPhone apps & what can we achieve
• Android Architecture
• Android Permission Model & Sandbox
• Analyzing Android Apps - Deep sea diving
• Practical Attacks on Android
• Demos
• Introducing Manifestor.py

I also released a Python script, Manifestor.py, which can be used by Penetration testers and Android geeks to find permission-based flaws in Android applications. The script is in early stage of development and will be enhanced in near future. A working copy of this script can be downloaded from link below:

http://www.sensepost.com/labs/tools/poc/manifestor

The original presentation can be downloaded from link below:

http://www.slideshare.net/sensepost/outsmarting-smartphones