The Journal of Object Technology has posted a document with some in-depth information on the security of Java 2 Micro-Edition Connected Limited Device Configuration (J2ME CLDC). With so many mobile devices, including phones, running this platform expect to see more and more analysis and attacks in this area.

Problems already found show that the usual suspects (buffer overflow, input validation, confidentiality, session control, etc.) linger and should not be overlooked:

We showed that the J2ME CLDC security model needs some refinements (e.g. permissions and protection domains). Moreover, we demonstrated the presence of some vulnerabilities exist in the RI of MIDP 2.0 (e.g. SSL implementation). Some phones were also shown to be vulnerable to security attacks like the Siemens SMS attack, while other phones followed a restrictive approach in implementing the J2ME CLDC platform.

New meaning for “web hits”? Report by the Chicago police dept on how violent gangs are using the web to plan violent attacks:

Work by Special Gang Task Force Foils Murder Plot by Members of New Breed Street Gang: A special gang task force formed by Chicago Police helped disrupt escalating violence between two rival Chicago street gangs as well as foil a murder plot by one of the gangs earlier this week, police reported Thursday.

The full text of the report has several interesting points, including the use of wiretap by the police, the use of anti-forensics measures by the gangs, and how information on the web fit into the gang’s plans:

[Supt. Philip] Cline said the gang members used sophisticated means as they plotted the hit, including accessing the Illinois Department of Correction Web site for photos of rival gang members so they would have an exact description of their target.