Google SVP Pichai defends Android smartphone security

Sundar Pichai, Google senior vice president for Android, Chrome and Apps, has defended the mobile operating system against claims that it is insecure, insisting it is the most popular target for mobile malware only because it is the most-used smartphone operating system.

Pichai made the remarks during a session at Mobile World Congress (MWC) after a delegate commented on the apparent comparative security of Apple's iOS devices when compared with products running Google's Android OS. It is an idea Pichai said he "respectfully" dismissed, arguing that the open nature of Android, and the fact that anyone can examine it, makes it more secure.

"Open platforms historically undergo a lot of scrutiny, but there are a lot of advantages to having an open source platform from a security standpoint. I would argue that it is the best way for a platform to be secure, because every researcher in the world can inspect it, every developer in the world can inspect it, and I think that contributes a lot to Android security," he said.

Pichai went on to insist that Android "was built to be very, very secure", but seemed to acknowledge that vulnerabilities could become apparent if devices were running an older version of the Android software. However, he insisted, that does not make Android inherently vulnerable to hackers and malware.

"The thing that you're seeing is because Android is an open platform, many people can ship Android in many different ways and so there are some partners when they ship devices, they have an older version of Android," said Pichai. "Sure, you can have a security vulnerability there, but that doesn't mean Android isn't secure. We go to great lengths… to make it secure."

The MWC was told that Android is "very, very secure" if updates to the operating system are applied. Pichai went on to suggest that Android is the target of most unscrupulous mobile attacks because its widespread use means there are more potential targets for cyber criminals.

"Malware targets where users are," he said. "When you say numbers like 90 per cent of malware is targeting Android, I hate to point out that if you're a smart business person running this malware company, that's what you should do.

"Obviously, you will always see more malware targeting Android because Android is used more than any smartphone platform by a pretty substantial difference. I think that drives a lot of it so I understand that part of it.

"What matters much more is, as a user, if you use Android, are you fundamentally more compromised? We don't think so," he concluded.

Google was forced to issue a transcript of the discussion after translations of one French blog reported Pichai as saying: "We cannot guarantee that Android is designed to be safe." Google was quick to issue corrections.

Earlier this week it was announced that research teams across four UK universities have been given shares of £3m in funding by the Engineering and Physical Sciences Research Council to help counter the threat of malware distributed through mobile applications.

The academics will be examining the Android platform.

Mt. Gox Is Dead, Is Bitcoin Dead Too?

NEWS ANALYSIS: One-time leading Bitcoin exchange Mt. Gox loses $473 million in theft and declares bankruptcy, but it's not necessarily the end for Bitcoin.

Mt. Gox, the one-time leading exchange for Bitcoin in the world, has declared bankruptcy after suffering a technical meltdown and hacker attack that robbed its users of 750,000 Bitcoins.

The Wall St. Journal estimated the value of the theft at $473 million. The first signs of trouble at Mt. Gox appeared on Feb. 7 when the site announced that it was experiencing some delays. On Feb. 10, the site blamed a Bitcoin protocol issue known as transaction malleability for enabling attackers to alter transactions.

On Feb. 24, Mt. Gox changed the front page of its site, listing the following message: "In light of recent news reports and the potential repercussions on MtGox's operations and the market, a decision was taken to close all transactions for the time being in order to protect the site and our users."

Two days later, on Feb. 26, Mt. Gox CEO Mark Karpeles posted a short note on the Mt. Gox Website. "As there is a lot of speculation regarding Mt. Gox and its future, I would like to use this opportunity to reassure everyone that I am still in Japan, and working very hard with the support of different parties to find a solution to our recent issues," Karpeles wrote.

Apparently there is no solution, and Mt. Gox is now bankrupt after a spectacular failure that will likely only serve to further erode confidence in Bitcoin, if not kill the nascent currency altogether. It's a crisis of confidence born out of a lack of security.

At the RSA security conference in San Francisco on Feb. 27, I was in a packed session called "How to Hack Bitcoin." In front of a live audience, Etay Maor, fraud prevention solutions manager at IBM, and Uri Rivner, head of cyber-strategy at BioCatch, demonstrated how to steal Bitcoins in real time. It wasn't very hard. The two researchers asserted that Bitcoin exchanges, which include Mt. Gox as well as numerous others, do not employ basic security controls. By using malware known as Spyeye on a target machine, the researchers were able to execute the theft in seconds (from one researcher to the other). "Bitcoin exchanges are basically sitting ducks," Rivner said.

The Future of Bitcoin

While the spectacular collapse of Mt. Gox is an epic failure that will have a long-lasting impact on the Bitcoin marketplace, it doesn't necessarily spell the end of Bitcoin itself. Remember Napster? Napster helped start the whole era of digital music downloads, though the initial model wasn't right. Napster was illegal, letting users essentially steal music, but the basic idea of having an easy-to-use digital music download service was valid. When Napster collapsed in 2001, some thought it was the end of the digital music business, but it wasn't—it was just the beginning. The same is likely true here with Bitcoin.

The rise of Mt. Gox in the first place is a testament to the incredible demand for Bitcoin.

The failure was not in Bitcoin itself, but rather a lack of maturity and security. Other entrepreneurs will pick through the rubble of Mt. Gox and learn lessons.

Although today is a dark day for all those who lost money and the Bitcoin market has been bruised badly, it is not dead.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

EU takes on “misleading” free-to-play games

In-app purchases are in the crosshairs.

Bitcoin losses spur Mt. Gox to bankruptcy filing

Bad day for the big Bitcoin exchange: CEO Mark Karpeles says Mt. Gox lost some 750,000 customer bitcoins, plus 100,000 of its own. February 28, 2014 5:24 AM PST Mt. Gox chief Mark Karpeles (second from right) speaks at a press conference in Tokyo...

‘Unconnected’ XP machines just as dangerous as networked ones, argues Coalfire...

Coalfire Systems' IT infrastructure security consultant Andrew Barratt has stated that legacy Windows XP systems that are not connected to the internet, such as ATMs and other customer kiosks, are just as dangerous to IT users as networked systems. Barratt's comments came in reaction to Computing's interview with KPMG executive CIO advisor Mark Carter, in which he suggested that such "unintelligent systems" caused little risk, the main problem being "people accessing the internet" on connected systems.

"The 'It doesn't face the internet' argument is a flawed one for businesses concerned about criminal activity. If there is a way out, there can be a way in," Barratt told Computing.

Barratt claims that "a quick search" using the computing device search engine Shodan "shows close to 4,000 devices with an XP signature", many of which are only "thought to be 'not connected to the internet' or 'not internet facing'".

"Other types of attack are also attacking the OS; USB ATM attacks are now starting to be circulated as viable, Stuxnet was deployed via USB albeit with significant insider effort," he continued. According to Barratt, insider threats have the potential to cause significantly more harm and "even physical damage" when "the soft inner layer" no longer receives vendor security patches, as is the case for Windows XP, for which Microsoft ends support in April 2014. "Attacks focusing on the browsers, user error or other applications that can connect out to the internet will be the preferred vector," he said.

Justice Department Asks FISC to Let U.S. Keep Phone Records Longer

NEWS ANALYSIS: The filing with Foreign Intelligence Surveillance Court would allow the government to retain phone records for more than five years to protect itself against lawsuits. If you spend enough time here in Washington you begin to realize that you have to be careful what you ask for, because you might get it. Another thing you learn is that for every official action, there is an equal, opposite and unintended reaction.

A corollary to that rule is that "no well-intended deed goes unpunished." With that in mind, it's time to say, "Welcome to the Real Washington, privacy advocates." What's going on this time is that several organizations that oppose the National Security Agency's collection of phone call metadata are suing the federal government to make the data collection stop.

A main goal of the American Civil Liberties Union is to have the entire database of phone call data deleted.

Other groups say that the collection is overly broad and want better oversight. But in a motion uncovered by the Wall Street Journal, the Department of Justice is asking the Foreign Intelligence Surveillance Court to allow it to stop deleting those records, and for permission to retain them as long as that material needs to be available as evidence. In other words, instead of deleting records after they have been retained for five years, the government would keep them longer. "But wait," you're probably saying to yourself right now, "isn't the ACLU trying to keep them for less time, and maybe not at all?" That is correct.

The unintended consequence of the ACLU's legal action itself is that the records would be retained longer than current law authorizes. Furthermore, in an effort to show that the data collection wasn't overly broad, the Justice Department is keeping them all so that the government can show that it really only managed to gather 20 percent or so of what it was trying to collect. So now that the advocacy groups got what they wanted—that is, a lawsuit to try to force the government to either stop keeping those metadata records or to shorten the time they're retained—the unintended reaction is that not only are those records being kept, they're being kept longer. This should not be a big surprise to the advocacy groups, who must have known that there would be a long legal battle. It is the duty, after all, of a party in litigation to preserve as much evidence as possible just in case it's needed in the lawsuit.

This way, the Justice Department will be able to point to the phone records in the NSA's database and show that there's really not as much there as everybody feared.

CA Bets Expanded Mobility Features Will Help Enterprises Retain Users

CA's Peter Griffiths talked with eWEEK at Mobile World Congress to share his company's vision about better mobility tools for enterprise users. BARCELONA, Spain—As the use of mobile devices has proliferated wildly in the last few years among consumers and business users, it's easy to think that we are today at the pinnacle of the mobile marketplace. But Peter J.L. Griffiths, head of the enterprise solutions and technology group at CA Technologies, begs to differ. "We are still at the beginning" of the mobile revolution, Griffiths told eWEEK in an interview here this week at the Mobile World Congress event. "These devices are just at the beginning of their exploitation" as tools and revenue-generation machines for business.

And what that means, he added, is that businesses need mobile management systems that will help them optimize, secure and take advantage of all kinds of mobile transactions and connections with their customers around the world. "The sort of management systems that companies want require the ability to manage these things seamlessly," said Griffiths. Earlier this week, CA unveiled at Mobile World Congress its new enterprise mobile management suite, which aims to help enterprises give more freedom to mobile workers so they can get their work done while still protecting the critical business data handled by the companies.

The new product, CA's Management Cloud for Mobility, includes new "smart containerization" technology that allows enterprises to create policy rules to protect data as required, while at the same time giving employees more flexibility to do their jobs with the mobile devices they want to use for work. "When I sit down with our customers, the mobile experience for all of them is an enormous priority," said Griffiths. "That experience starts to become brand recognition," which is why it is so important for enterprises to be sure that mobile connections to customers work well all the time and don't let their customers down, he said. That's where CA's new Management Cloud for Mobility comes in, he said: to help businesses cover every angle of their mobility management efforts with employees, partners and customers. But instead of just helping businesses manage mobile devices alone, the new CA suite also offers other needed enterprise applications, including a Mobile DevOps component to help with mobile application development and deployment, and an Enterprise Internet of Things piece that is designed to assist businesses as they expand into the world of Internet-connected devices in the future. "There are a lot of companies out there with a point solution for mobile device management [MDM]," said Griffiths, but with the new CA suite businesses can also get many of their related technology needs met from one vendor.

At the same time, customers have the flexibility to only buy and use the pieces they require today, he said. "We're not expecting customers to rip out [what they have today] and replace it all," said Griffiths. "We can embrace what you have.

As time goes by, we hope that customers see the compelling aspects of the full suite of connected systems," and they will bring in additional components. "Customers want flexibility and a partner whom they're working with … who is not going to lock them into a stack." The new CA suite is evidence that the company means business in serving its customers and giving them the tools that they need to continue to grow their operations and serve their customers, said Griffiths. "For us, this is a central, transformational investment," he said of the development of the new CA suite. "It's going to be a very interesting next five years." CA has been working hard since early 2013 to refocus its products to better serve its broad customer base after the arrival of a new CEO, Michael Gregoire. CA, which began operations in 1976 as a business software innovator and later emerged as a corporate acquisition machine, has been hard at work driving new innovations in service management. CA was founded in 1976 by the flamboyant Charles Wang and business partner Russell Artzt. Since then, CA has been one of the most acquisitive software companies in the history of the business.

In the late 1980s, CA became the first software company to top $1 billion in sales. In 2005, CA launched a rebranding campaign, referring to itself as CA as opposed to Computer Associates. In 2010, it changed its name once again, to CA Technologies.

Texas appeals court says police can’t search your phone after you’re...

Looking at your texts is not like searching your pockets, judges say.

FBI Wants to Work With Private-Sector Partners Against Cyber-Crime

The private sector is the primary victim of cyber-crime and is also the key to defeating it, FBI Director James Comey told RSA Conference attendees.

SAN FRANCISCO—Federal Bureau of Investigation Director James Comey came to the RSA Conference here with a message: The FBI wants to work with the tech industry to make everyone safer. Cyber-security threats are at the top of the list of risks that face the United States, and the FBI is taking them very seriously, Comey said in his keynote address Feb. 26. "We want to predict and prevent attacks rather than reacting after the fact," Comey said. To achieve its goals, the FBI is using modern techniques as well as the same tried-and-true methods the agency has used throughout its existence, including the use of information sources and wiretaps.

While the FBI has been doing a lot to secure the cyber-domain, it's not enough, Comey said. "We need help; we need our private-sector partners." The private sector is the primary victim of cyber-crime and is also the key to defeating it, Comey said. "We are trying to actively listen to your concerns." That said, the FBI director admitted that there is still confusion in the private sector about who to turn to in the U.S. government when cyber-security help is needed and which agency will help enterprises navigate the federal bureaucracy. Comey pledged to do his part to help in that regard by enabling private organizations to get whatever assistance is needed. Information sharing was another key issue in Comey's talk.

Although there is information in the government that the FBI can't share, the agency will share as much as it can as quickly as it can, he said. In terms of how Comey wants to work with private enterprises, his goal is for the FBI to be surgical and precise in its efforts to help minimize the risks of cyber-crime and to find attackers. Working together with commercial firms is another goal that Comey identified, and he said that the FBI needs to have systems in place to provide and share information quickly and routinely. Cultivating personal relationships in which FBI special agents are on a first-name basis with key stakeholders in the enterprise landscape is also something that Comey would like to see happen. "The time to patch the roof is when the sun is shining, and right now it is cloudy out there," Comey said.

Although the human element is important, in the modern era, working at machine speed is essential, Comey said. Data sharing at machine speed must be subject to law and respect privacy as the FBI seeks to deal with the increasing speed of modern threats, he said. "We must build an intelligence-driven predictive capability," Comey said. Part of that capability will be developed through the FBI's Binary Analysis, Characterization and Storage System (BACSS). Comey explained that BACSS is a tool that enables the FBI to analyze malware and correlate threats.

Organizations can send potential malware to the FBI, where BACSS will be used to provide a detailed report about how it works and the associated risks. "Our goal is to make BACSS like our fingerprint and DNA registries," Comey said.

The issue of government over-reach in the post-Snowden era is top-of-mind at the RSA conference this week, and it's a subject Comey also touched on in his keynote. "There is no conflict between protecting privacy and civil liberties," Comey said. "At our best, we are looking for security that enhances liberty."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

TrustyCon’s RSA Conference rebels promise more to come

Government-sponsored malware, the legal implications of the US government's pro-spying defense, and a discussion of tools to fight for the future lit up the agenda at the first Trustworthy Technology Conference. Finnish national Mikko Hypponen, TrustyC...

California court says it’s ok for drivers to look at smartphone...

Appeals court notes that in 2006, when law passed, most phones were just phones.

Google keeps an ever-closer eye on non-Play Store apps

Google is taking additional steps with Verify Apps to protect Android users from potentially malicious non-Play Store apps, even after they've been installed. February 27, 2014 4:16 PM PST This chart from Google indicates that the Potentially Ha...