Tuesday, February 1, 2011

Android more at risk than iOS, says Trend Micro

When it comes to mobile security, Apple's iOS platform might get the nod over Android, according to security software maker Trend Micro.
Speaking to Bloomberg yesterday, Trend Micro Chairman Steve Chang said that "Android is open-source, which means the hacker can also understand the underlying architecture and source code." Apple, he said in the interview, has been "very careful about it. It's impossible for certain types of viruses" to run on the company's iPhone.
Chang specifically pointed to Apple's "sandbox concept that isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners."
For its part, Google told Bloomberg that its platform has safeguards in place that "limit the amount of trust a user must grant to any given application developer."
Debates are ongoing with respect to the security of Android and iOS. In July, security experts revealed that both iOS and Android have "comparable" security, but they achieve it in different ways. Moreover, an expert told CNET at the time that the threats each mobile operating system poses aren't affecting users all that much.
"Security concerns are mostly theoretical, at this point," Independent Security Evaluators principal analyst Charlie Miller said in an interview with CNET. "You are more likely to lose the phone."
In November, security firm Coverity found that Android suffers from 359 code flaws that could cause security problems on the platform. The company said that 88 of those flaws are "high-risk problems."
Last week, Trend Micro released Trend Micro Mobile Security for Android. The app, which retails for $3.99, offers protection against phishing attacks, call and text message filtering, malware prevention, and identity protection. The company also has a security app for iOS.

Report: Stolen data sold over online black market

Cybercriminals buy and sell stolen information using a vast network of online stores, forums, and even social-networking accounts, according to a report released yesterday by PandaLabs.
Posing as a cybercriminal to gain access to this online black market, PandaLabs researchers uncovered a world where the bad guys work together to buy and sell stolen bank account information, credit card numbers, passwords, and other products. Much of this illegal enterprise is done through online stores and forums, but PandaLabs found criminals using Facebook and Twitter accounts to set up shop as well.
Though this black market is relatively open, the security firm discovered that the sellers of stolen data are careful about protecting their anonymity, demanding that their "customers" contact them only through IM or generic e-mail accounts that can't easily be traced.
In many ways, the cybercriminal network operates like any other business. The list of products for sale sounds like a standard online shopping catalog, from cheap no-frills items to more expensive ones with all the works.
Basic bank and credit card information can sell for as little as $2 a pop, though at that price the buyer doesn't get verification of the actual account balance. For $80, customers can get a credit card or bank account number with confirmation of a small balance, while $700 will buy them a guaranteed balance of $82,000, according to the report (PDF). Prices go up from there on accounts that have already been used to shop online or tap into PayPal.
[Figure: list of black market prices, according to the PandaLabs report. Credit: PandaLabs]
But it's not just digital data for sale. PandaLabs found cloned credit cards selling for $190, card cloning machines running anywhere from $200 to $1,000, and fake ATM machines costing from $3,500 to $35,000.
Those who want to go into business for themselves can even buy money laundering services, kicking in a seller's commission of 10 to 40 percent. Like any good consultant, the sellers are available for project work where they can set up fake online stores for their customers, says PandaLabs.
Competition in the black market also keeps prices from getting too high, while customers who do a lot of business can even get volume discounts. Paying for the stolen or phony items works just like it does at any online retailer. Buyers can shop at a Web site set up by the seller, adding items to their cart as they browse the different offerings. But payment is made up-front and only through services like Western Union, Liberty Reserve, and WebMoney.
To protect your own data from being stolen and sold on the black market, PandaLabs offers an array of tips, including checking your invoices and credit card statements carefully, filing or destroying ATM receipts, asking a neighbor to collect your mail when you're away, never using a debit card for online purchases, and, of course, making sure you run up-to-date security software.

FBI issues warrants over pro-WikiLeaks attacks

The FBI is on the hunt for the hackers responsible for a recent wave of cyberattacks launched in defense of WikiLeaks.
FBI agents yesterday executed more than 40 search warrants in the United States as part of their ongoing investigation. Pointing to the group Anonymous, which has taken responsibility for the attacks, the FBI said that the distributed denial of service (DDoS) assaults were facilitated by software the group makes available as free downloads.
Late last year, PayPal, Visa, MasterCard, and other companies were hit by DDoS attacks triggered by activists in support of WikiLeaks after the companies cut off sources of funding to the whistle-blowing site.
The FBI apparently started its investigation after it was contacted by PayPal in December and was able to trace two of the IP addresses provided by PayPal to physical locations, one of which was in Texas where the agency seized a server.
Looking beyond the United States, the FBI said it's working with other law enforcement agencies abroad. Officials in the Netherlands, Germany, and France are each conducting their own probes into the cyberattacks, while police in the U.K. arrested five people yesterday on suspicion of involvement in the attacks launched by Anonymous.
Additionally, an organization called the National Cyber-Forensics and Training Alliance is lending a hand in the investigations. With a focus on cybercrime, the group provides a bridge between the private sector and law enforcement agencies and has worked directly with the FBI in the past.
Those who facilitate or conduct a DDoS attack face up to 10 years in prison and civil fines over damages, according to the FBI.

India still wants BlackBerry access but ban unlikely

India appears unlikely to implement its threatened ban on BlackBerry services, but the government is still demanding access to the data on Research In Motion's secure enterprise network--something RIM keeps insisting it cannot provide.
RIM had been ordered to give the Indian government a permanent solution on access to its BlackBerry Enterprise Server (BES) by yesterday to avoid a ban on its services. India has been insisting on the access for the past several months as a way to monitor e-mails for national security reasons. But with the deadline past and no solution apparently in place, what does that mean for RIM?
A senior official with India's Ministry of Home Affairs told the country's Economic Times that no decision has yet been made on extending the deadline but that a ban on BlackBerry services was unlikely.
However, that doesn't get RIM off the hook. Early last month, the company did provide an interim solution by giving India access to its consumer services, which includes BlackBerry Messenger and BlackBerry Internet Services e-mail. But that access did not extend to the BlackBerry Enterprise Server used by RIM's corporate customers. This hasn't pleased the Indian government.
"Just like they [BlackBerry makers] have given a solution to [monitor] messenger service, we will insist that they also give us a solution to enterprise service," Union Home Minister P. Chidambaram recently told reporters, according to the Economic Times.
RIM's position almost from the start has been clear and oft repeated. The company has insisted that it does not hold the keys to the encrypted data flowing through its enterprise server network and therefore cannot provide the keys. Those keys instead rest in the hands of its customers. RIM again stressed its position late last week just before the deadline. Speaking to reporters in India, Robert Crow, the company's vice president for industry, government, and university, said "there is no solution, there are no keys to be handed."
RIM has tried to conjure up ways to skirt the issue, such as suggesting that governments directly ask its customers for the encryption keys. But even RIM acknowledged that countries may be wary of taking such an extreme measure for fear of alienating the very companies that generate local business.

How easy is it to hack a mobile?

I was astonished and surprised and shocked to read this blog on BBC. I was wondering if technology is at our service or our lives are at its stake. Read this blog and see for yourself.
Continuing scrutiny of the methods used by some journalists to listen to private voicemails has turned the spotlight on mobile security. But how easy is it to hack a handset? It depends on how much money, time and effort you want to put into it. The number of ways to get at information on a handset was growing, even as it got far less likely that the method used by the journalists would still work.
The journalists are believed to have listened to voicemail messages, but changes introduced by UK network operators in recent months made it harder for anyone but the correct customer to listen to those messages. Some have also questioned whether the use of default PIN codes to get at those voicemail accounts could be considered hacking.
In addition, said Simeon Coney, a spokesman for a mobile security firm, the declining use of voicemail made it a less tempting target. Rather than leave a voicemail, people will more likely send a text. It's very, very hard to get access to people's text messages without putting something on the device. It's a separate architecture that the operators run to manage text messages.

Access All Areas
Key to handset hacking, he said, was installing software on a device, either by getting physical access to the mobile, tricking its owner into downloading a booby-trapped application or making them visit a page that inserts malware onto a device. There is commercial software, known as spyware, available that could take copies of everything on a phone, log its location and switch on any of its components, all without revealing its presence on a handset. Such tools give remote access, take copies of text messages and can turn the telephone into an audio bug.
The hard part, he said, was getting hold of a device for a few minutes to insert the software. Alternatively, he said, targets could be sent an e-mail they read on their phone that contains a link to a website that looks benign but, in the background, is installing spyware. Security researchers have demonstrated such an attack working on high-end smartphones. It only required a user to look at a website. That loaded the software on the device. It would not be hard to target someone like that.
Bugs in the Bluetooth short-range radio technology common on many smartphones could also mean that some information about a handset could be "sniffed" from only a few metres away. Security firms also report a growing number of cases in which games and other applications have been found to contain code that steals more information than it should.
Leaving aside the technology, modern smartphones leak information about their owners in a way that can be hard to control. Anyone sending tweets via their phone could be revealing their location, and some of the apps that can be loaded on phones report where in the world they are at that moment.

Human factors
The flaws in the early versions of mobile network software meant that it was possible for skilful attackers to build hardware that pretended to be a mobile base station. The flaws in the mobile network software made it hard for phone owners to be sure they were connecting to a legitimate base station. Control of that fake base station would give attackers access to everything a mobile owner was doing. 3G networks removed this flaw, but the equipment needed to pose as a mobile base station was getting cheaper, smaller and easier to use all the time. A similar research project was also in the process of producing an easy-to-use kit that contains, among other things, all the encryption keys used on 2G networks, which would give attackers access to tap into mobile calls. There have been instances of setting up the equipment to pose as a base station or crack phone conversations, which broke several UK laws. It is also illegal to carry out surveillance, as the prison sentences handed down to the journalists show.
Mobiles were only likely to become more tempting for attackers as people do more with them. Getting hold of the data on a handset could unlock access to much more intimate details such as Facebook accounts, private e-mails, instant messages, photos, videos and much more. People live their lives through their phone; they are more relevant and personal than a computer. Finally, he added, the easiest way to get at a mobile was perhaps to avoid technology altogether.