Mobile devices must be treated like computers and have comparable security, says hacker for hire Johnny Cache.

Johnny Cache, hacker for hire, agrees with Schmidt. "Mobile devices are running real operating systems; therefore, they must be treated like computers and have comparable security."

In his keynote, Cache said years ago anti-virus vendors were trying to hype mobile security, claiming these devices were like computers. "This wasn't true then, they had their own little operating systems and only ran voice. However, technology has been progressing at such a speed, the hardware in your pocket is the same as the hardware on your desk, the specs are the same."

The hardware on mobile devices is so advanced it has turned them into real computers. According to Cache, this makes them an attractive target. The 400MHz processors on phones are comparable to laptops of only a couple of years ago. The huge investment of time has been removed, as there is a whole industry of standardised operating systems, and code that attacks them all. This is what is making mobile devices attractive targets today.

Banking on security

Barclays deputy head of group information risk management Mark Logsdon said as financial institutions are increasingly operating from a mobile platform, new security issues are raising their heads.

"New vulnerabilities are arising with mobile banking, driving new solutions and challenges all the time."

Not enough people are looking after security of mobile applications, says Howard Schmidt, president and CEO of R&H Security Consulting.

Schmidt said the traditional virus companies are obviously best positioned to tackle mobile security, but commercially they are still ahead of the curve - there is still not enough user demand for them to focus on it. New players may emerge to fill the gap. In the meantime, security professionals should use their experience to do preventative work, he noted.

"You [IT security professionals] can help prevent the next generation of bad criminal activity from happening on the mobile platform. We've got enough experience to be able to prevent attacks and do some preventative work not to allow the destructive attacks on mobile applications."

He commented that significant progress had been achieved in protecting fixed infrastructure networks, and that experience should be used in pre-empting mobile vulnerabilities. In August, it will be five years since the last major Internet outage, like the Nimda virus attack that caused a massive ripple effect across the Internet.

"We've been doing a pretty good job," he noted.

Schmidt likened a security infrastructure to the Taj Mahal, which is made up of tiny individual tiles - each is different, but each plays a role in making up the whole structure. "I'm asking you as an individual to be part of that mosaic - to do your part to make your environment more secure, robust, richer, more resilient and more secure."

Software is sold vulnerable and these vulnerabilities have a value, so why not create an open marketplace in which to sell them? asked Preatoni.

This is one aspect of why WabiSabiLabi was created. Another reason is to balance the security marketplace and provide security researchers with possible revenue from the service they provide.

Preatoni believes security researchers are seen negatively as long-haired, malicious, underground hackers. However, he said they have been painted with the wrong brush and are providing a valuable service to security and software vendors, as well as the public. “They are securing your machines.”

The industry does not provide an adequate environment for researchers to create revenue from the work they provide. “Security researchers' work is exploited for free due to ethical blackmailing, wrong laws, abusing the de-facto position and the misconception of the researchers' role.”

WabiSabiLabi provides a platform where security researchers cannot only sell their discovered vulnerabilities, but they can choose to do so either to the highest bidder, or through mass selling. Initially, Preatoni wanted to give vendors first option to purchase the vulnerability from the auction; however, several legal advisors explained that it was considered blackmail.

WabiSabiLabi vets buyers and sellers, requiring a passport copy and landline contact number, and double-checking the banking details against those sent to the site. In this way, said Preatoni, the site ensures illegal purchases are curbed.

Software vendors, for the most part, are angry at the concept of a vulnerability marketplace. While others – such as Microsoft – have been open-minded about the site and even given positive feedback.

Preatoni listed the top 10 “hit parade”, of companies that most often check the WabiSabiLabi Web site. They are, from least to highest activity: SAP, VeriSign, Oracle, the US Army, F-Secure, Symantec, Veritas, IBM, Microsoft, and Cisco taking the lead.