
Tuesday, February 1, 2011

Android more at risk than iOS, says Trend Micro

When it comes to mobile security, Apple's iOS platform might get the nod over Android, according to security software maker Trend Micro.
Speaking to Bloomberg yesterday, Trend Micro Chairman Steve Chang said that "Android is open-source, which means the hacker can also understand the underlying architecture and source code." Apple, he said in the interview, has been "very careful about it. It's impossible for certain types of viruses" to run on the company's iPhone.
Chang specifically pointed to Apple's "sandbox concept that isolates the platform, which prevents certain viruses that want to replicate themselves or decompose and recompose to avoid virus scanners."
For its part, Google told Bloomberg that its platform has safeguards in place that "limit the amount of trust a user must grant to any given application developer."
Debates are ongoing with respect to the security of Android and iOS. In July, security experts revealed that both iOS and Android have "comparable" security, but they achieve it in different ways. Moreover, an expert told CNET at the time that the threats each mobile operating system poses aren't affecting users all that much.
"Security concerns are mostly theoretical, at this point," Independent Security Evaluators principal analyst Charlie Miller said in an interview with CNET. "You are more likely to lose the phone."
In November, security firm Coverity found that Android suffers from 359 code flaws that could cause security problems on the platform. The company said that 88 of those flaws are "high-risk problems."
Last week, Trend Micro released Trend Micro Mobile Security for Android. The app, which retails for $3.99, offers phishing protection, call and text message filtering, malware prevention, and identity protection. The company also has a security app for iOS.

Report: Stolen data sold over online black market

Cybercriminals buy and sell stolen information using a vast network of online stores, forums, and even social-networking accounts, according to a report released yesterday by PandaLabs.
Posing as a cybercriminal to gain access to this online black market, PandaLabs researchers uncovered a world where the bad guys work together to buy and sell stolen bank account information, credit card numbers, passwords, and other products. Much of this illegal enterprise is done through online stores and forums, but PandaLabs found criminals using Facebook and Twitter accounts to set up shop as well.
Though this black market is relatively open, the security firm discovered that the sellers of stolen data are careful about protecting their anonymity, demanding that their "customers" contact them only through IM or generic e-mail accounts that can't easily be traced.
In many ways, the cybercriminal network operates like any other business. The list of products for sale sounds like a standard online shopping catalog, from cheap no-frills items to more expensive ones with all the works.
Basic bank and credit card information can sell for as little as $2 a pop, though at that price the buyer doesn't get verification of the actual account balance. For $80, customers can get a credit card or bank account number with confirmation of a small balance, while $700 will buy them a guaranteed balance of $82,000, according to the report (PDF). Prices go up from there on accounts that have already been used to shop online or tap into PayPal.
[Image: list of black market prices, according to the PandaLabs report. Credit: PandaLabs]
But it's not just digital data for sale. PandaLabs found cloned credit cards selling for $190, card cloning machines running anywhere from $200 to $1,000, and fake ATM machines costing from $3,500 to $35,000.
Those who want to go into business for themselves can even buy money laundering services, kicking in a seller's commission of 10 to 40 percent. Like any good consultant, the sellers are available for project work where they can set up fake online stores for their customers, says PandaLabs.
Competition in the black market also keeps prices from getting too high, while customers who do a lot of business can even get volume discounts. Paying for the stolen or phony items works just like it does at any online retailer. Buyers can shop at a Web site set up by the seller, adding items to their cart as they browse the different offerings. But payment is made up-front and only through services like Western Union, Liberty Reserve, and WebMoney.
To protect your own data from being stolen and sold on the black market, PandaLabs offers an array of tips, including checking your invoices and credit card statements carefully, filing or destroying ATM receipts, asking a neighbor to collect your mail when you're away, never using a debit card for online purchases, and, of course, making sure you run up-to-date security software.

FBI issues warrants over pro-WikiLeaks attacks

The FBI is on the hunt for the hackers responsible for a recent wave of cyberattacks launched in defense of WikiLeaks.
FBI agents yesterday executed more than 40 search warrants in the United States as part of their ongoing investigation. Pointing to the group Anonymous, which has taken responsibility for the attacks, the FBI said that the distributed denial of service (DDoS) assaults were facilitated by software the group makes available as free downloads.
Late last year, PayPal, Visa, MasterCard, and other companies were hit by DDoS attacks triggered by activists in support of WikiLeaks after the companies cut off sources of funding to the whistle-blowing site.
The FBI apparently started its investigation after it was contacted by PayPal in December and was able to trace two of the IP addresses provided by PayPal to physical locations, one of which was in Texas where the agency seized a server.
Looking beyond the United States, the FBI said it's working with other law enforcement agencies abroad. Officials in the Netherlands, Germany, and France are each conducting their own probes into the cyberattacks, while police in the U.K. arrested five people yesterday on suspicion of involvement in the attacks launched by Anonymous.
Additionally, an organization called the National Cyber-Forensics and Training Alliance is lending a hand in the investigations. With a focus on cybercrime, the group provides a bridge between the private sector and law enforcement agencies and has worked directly with the FBI in the past.
Those who facilitate or conduct a DDoS attack face up to 10 years in prison and civil fines over damages, according to the FBI.

India still wants BlackBerry access but ban unlikely

India appears unlikely to implement its threatened ban on BlackBerry services, but the government is still demanding access to the data on Research In Motion's secure enterprise network--something RIM keeps insisting it cannot provide.
RIM had been ordered to give the Indian government a permanent solution on access to its BlackBerry Enterprise Server (BES) by yesterday to avoid a ban on its services. India has been insisting on the access for the past several months as a way to monitor e-mails for national security reasons. But with the deadline past and no solution apparently in place, what does that mean for RIM?
A senior official with India's Ministry of Home Affairs told the country's Economic Times that no decision has yet been made on extending the deadline but that a ban on BlackBerry services was unlikely.
However, that doesn't get RIM off the hook. Early last month, the company did provide an interim solution by giving India access to its consumer services, which includes BlackBerry Messenger and BlackBerry Internet Services e-mail. But that access did not extend to the BlackBerry Enterprise Server used by RIM's corporate customers. This hasn't pleased the Indian government.
"Just like they [BlackBerry makers] have given a solution to [monitor] messenger service, we will insist that they also give us a solution to enterprise service," Union Home Minister P. Chidambaram recently told reporters, according to the Economic Times.
RIM's position almost from the start has been clear and oft repeated. The company has insisted that it does not hold the keys to the encrypted data flowing through its enterprise server network and therefore cannot provide the keys. Those keys instead rest in the hands of its customers. RIM again stressed its position late last week just before the deadline. Speaking to reporters in India, Robert Crow, the company's vice president for industry, government, and university, said "there is no solution, there are no keys to be handed."
RIM has tried to conjure up ways to skirt the issue, such as suggesting that governments directly ask its customers for the encryption keys. But even RIM acknowledged that countries may be wary of taking such an extreme measure for fear of alienating the very companies that generate local business.

How easy is it to hack a mobile?

I was astonished and surprised and shocked to read this blog on BBC. I was wondering if technology is at our service or our lives are at its stake. Read this blog and see for yourself.
Continuing scrutiny of the methods used by some journalists to listen to private voicemails has turned the spotlight on mobile security. But how easy is it to hack a handset? It depends on how much money, time and effort you want to put into it. The number of ways to get at information on a handset was growing, even as it got far less likely that the method used by the journalists would still work. The journalists are believed to have listened to voicemail messages, but changes introduced by UK network operators in recent months made it harder for anyone but the correct customer to listen to those messages. Some have also questioned whether the use of default PIN codes to get at those voicemail accounts could be considered hacking. In addition, said Simeon Coney, a spokesman for a mobile security firm, the declining use of voicemail made it a less tempting target. Rather than leave a voicemail, people will more likely send a text. It's very, very hard to get access to people's text messages without putting something on the device. It's a separate architecture that the operators run to manage text messages.

Access All Areas
Key to handset hacking, he said, was installing software on a device, either by getting physical access to the mobile, tricking its owner into downloading a booby-trapped application or making them visit a page that inserts malware onto a device. There is commercial software, known as spyware, available that could take copies of everything on a phone, log its location and switch on any of its components, all without revealing its presence on a handset. Such programs give remote access, take copies of text messages and can turn the telephone into an audio bug. The hard part, he said, was getting hold of a device for a few minutes to insert the software. Alternatively, he said, targets could be sent an e-mail they read on their phone that contains a link to a website that looks benign but, in the background, is installing spyware. Security researchers have demonstrated such an attack working on high-end smartphones. It only required a user to look at a website. That loaded the software on the device. It would not be hard to target someone like that.
Bugs in the Bluetooth short-range radio technology common on many smartphones could also mean that some information about a handset could be "sniffed" from only a few metres away. Security firms also report a growing number of cases in which games and other applications have been found to contain code that steals more information than it should. Leaving aside the technology, modern smartphones leak information about their owners in a way that can be hard to control. Anyone sending tweets via their phone could be revealing their location, and some of the apps that can be loaded on phones report where in the world they are at that moment.

Human factors
The flaws in the early versions of mobile network software meant that it was possible for skilful attackers to build hardware that pretended to be a mobile base station. Those flaws made it hard for phone owners to be sure they were connecting to a legitimate base station. Control of that fake base station would give attackers access to everything a mobile owner was doing. 3G networks removed this flaw, but the equipment needed to pose as a mobile base station was getting cheaper, smaller and easier to use all the time. A similar research project was also in the process of producing an easy-to-use kit that contains, among other things, all the encryption keys used on 2G networks, which would let attackers tap into mobile calls. There have been instances of setting up the equipment to pose as a base station or crack phone conversations, which breaks several UK laws. It is also illegal to carry out surveillance, as the prison sentences handed down to the journalists show.
Mobiles were only likely to become more tempting for attackers as people do more with them. Getting hold of the data on a handset could unlock access to much more intimate details such as Facebook accounts, private e-mails, instant messages, photos, videos and much more. People live their lives through their phones; they are more relevant and personal than a computer. Finally, he added, the easiest way to get at a mobile was perhaps to avoid technology altogether.

Saturday, January 29, 2011

Ten tips for smartphone security

With the holiday season in full swing, more people are using their smartphone for tasks such as last minute shopping, accessing bank accounts, connecting with friends or making shopping lists on their phone.

Smartphones are also expected to be one of the top gifts under the tree this season, so millions of new users will be trying out their new phones and looking for tips for getting started and staying safe.


For anyone with a smartphone this season, Lookout Mobile Security created a quick list of tips to help smartphone owners stay safe.

1. Set a password. One of the most common challenges for smartphone owners is losing the phone and all the personal data on it. Setting a strong password for your phone and setting the screen auto-lock time to five minutes is the simplest way to keep your personal information private during this busy season.

2. Download the updates for your phone. Always take the extra time to download software updates. Often, they include patches to security flaws recently found in the software. Just like a desktop or laptop computer, staying up to date is your first line of defense from hackers and viruses.

3. Treat your phone like your PC. As phones become more powerful and consumers do more with them, they become more attractive targets for malicious attacks. Protect yourself and your private data from malware, spyware and malicious apps by downloading a security app like Lookout Mobile Security.

4. Use discretion when downloading apps. One of the most exciting things to do with a new smartphone is explore all the great applications you can download onto it. As you begin to explore, make sure you download responsibly. Only download apps from sites you trust, check the app’s rating and read the reviews to make sure they’re widely used and respected.

5. Pay attention to the private data accessed by apps. Applications have the capability to access a lot of information about you. When you install an app, take the time to read the data and personal information that it needs to access. Whether it is access to your location, your personal information or text messages, it should make sense that the application needs access to those capabilities.

6. Download a “find your phone” app. No matter how diligent you are about keeping your phone on you at all times, you’re bound to lose it once, or it may even get stolen at some point. Download an app that helps you find your phone in case it is lost or stolen. Make sure you can remotely lock your phone if it is lost or stolen.

7. Exercise caution with links in SMS messages. Smishing, a combination of SMS texting and phishing, is when scammers send you a text with a link to a malicious website or ask you to enter sensitive information. Don’t click on links in text messages or emails if you don’t know the sender or they look suspicious. Trust your instincts.

8. On public Wi-Fi, limit email and social networking, and only window shop. Public Wi-Fi networks have become ubiquitous, but unfortunately security for the websites you may access hasn’t. Many websites, email programs, instant messaging programs and social networking sites are not entirely safe to browse or access from a public Wi-Fi network. Also, try to limit your online shopping to “window shopping” on a public network.

9. Never enter your credit card information on a site that begins with only “http://”. If a website ever asks you to enter your credit card information, you should automatically look to see if the web address begins with “https”. On unsecured networks, sites that have only http:// mean a hacker could easily steal information like usernames, passwords and credit card numbers, which could lead to identity theft.

10. Enable a Wipe feature on your phone. If you find yourself (or your phone) in a difficult situation, and you won’t be able to get your phone back, a Wipe application will clear all the data so your private information won’t fall into the wrong hands. If you can, try to download an app where you can wipe your SD card too.

How to repair MDF files not detached from SQL Server 2000

If you have an mdf file that was not properly detached from SQL Server 2000 (possibly due to a hard drive crash), the first (best) option is to restore the database from a valid backup.  If that is not an option, then you may need to repair the mdf before you are able to attach the database.

If you are using SQL Server 2000, the following are instructions on how to repair the mdf file. Replace the filenames with your filename!
  1. Make sure you have a copy of eshadata.MDF (or gendata.mdf)
  2. Create a new database called fake (default file locations)
  3. Stop SQL Service
  4. Delete the fake_Data.MDF and copy eshadata.MDF (or gendata.mdf) to where fake_Data.MDF used to be and rename the file to  fake_Data.MDF
  5. Start SQL Service
  6. Database fake will appear as suspect in EM
  7. Open Query Analyser and in master database run the following :
    sp_configure 'allow updates',1
    go
    reconfigure with override
    go
    update sysdatabases set
       status=-32768 where dbid=DB_ID('fake')
    go
    sp_configure 'allow updates',0
    go
    reconfigure with override
    go
    This will put the database in emergency recovery mode
  8. Stop SQL Service
  9. Delete the fake_Log.LDF file
  10. Restart SQL Service
  11. In QA run the following (with correct path for log)
    dbcc rebuild_log('fake','h:\fake_log.ldf')
    go
    dbcc checkdb('fake') -- to check for errors
    go
  12. Now we need to rename the files. Run the following in Query Analyser (make sure there are no connections to the database). At this stage you can actually access the database, so you could use DTS or bcp to move the data to another database.
    use master
    go

    sp_helpdb 'fake'
    go

    /* Make a note of the logical file names reported by sp_helpdb. You will need them in the next bit of the script, in place of 'fake' and 'fake_log' in the MODIFY FILE statements - it might be that they already have the right names */

    sp_renamedb 'fake','eshadata'
    go

    alter database eshadata
    MODIFY FILE(NAME='fake', NEWNAME = 'eshadata')
    go

    alter database eshadata
    MODIFY FILE(NAME='fake_log', NEWNAME = 'eshadata_log')
    go

    dbcc checkdb('eshadata')
    go

    sp_dboption 'eshadata','dbo use only','false'
    go

    use eshadata
    go

    sp_updatestats
    go
  13. You should now have a working database. However the log file will be small so it will be worth increasing its size. Unfortunately your files will be called fake_Data.MDF and fake_Log.LDF but you can get round this by detaching the database properly and then renaming the files and reattaching it.
    Run the following in QA
    sp_detach_db eshadata

    --now rename the files then reattach

    sp_attach_db 'eshadata','h:\eshadata.mdf','h:\eshadata_log.ldf'
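
A post-repair check for the procedure above, added here as an example and not part of the original post. It confirms that 'allow updates' is off again, that the emergency and suspect bits are cleared, and that the file names are as expected. It assumes SQL Server 2000 and the database name eshadata from step 12.

```sql
-- Added example: post-repair checks. Assumes the database was renamed to
-- 'eshadata' as in step 12; substitute your own database name.
use master
go

-- 1. Step 7 enabled direct updates to system tables. Confirm the running
--    value is back to 0 (config id 102 is 'allow updates' in SQL Server 2000).
if exists (select * from master.dbo.syscurconfigs
           where config = 102 and value <> 0)
    print 'WARNING: allow updates is still 1 - run sp_configure ''allow updates'',0 and reconfigure with override'
else
    print 'OK: allow updates is 0'
go

-- 2. Decode the sysdatabases status bits that this procedure touches.
declare @status int
select @status = status from master.dbo.sysdatabases where name = 'eshadata'

if @status is null
    print 'WARNING: database eshadata not found'
else
begin
    if (@status & 32768) <> 0 print 'WARNING: still in emergency mode'
    if (@status & 256)   <> 0 print 'WARNING: not recovered (suspect)'
    if (@status & 2048)  <> 0 print 'NOTE: dbo use only is still set'
    if (@status & 4096)  <> 0 print 'NOTE: single user is still set'
    if (@status & (32768 | 256 | 2048 | 4096)) = 0
        print 'OK: no emergency, suspect or restricted-access bits set'
end
go

-- The same state as reported by the documented property function.
select DATABASEPROPERTYEX('eshadata', 'Status')        as db_status,
       DATABASEPROPERTYEX('eshadata', 'UserAccess')    as user_access,
       DATABASEPROPERTYEX('eshadata', 'Updateability') as updateability
go

-- 3. Logical and physical file names after the rename and reattach
--    (size is stored in 8 KB pages).
use eshadata
go
select name as logical_name, filename as physical_name, size * 8 as size_kb
from sysfiles
go

-- 4. Integrity check that reports errors only. The rebuilt log no longer
--    holds the transactions from the deleted log file, so review any errors
--    before returning the database to users.
dbcc checkdb('eshadata') with no_infomsgs
go
```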