13 Aug, 2011  |  Written by  |  under News


The Google home page is shown on Google's latest version of the Android operating system, Honeycomb, on a Motorola Xoom tablet device following a news conference at Google Headquarters in Mountain View, California February 2, 2011. REUTERS/Beck Diefenbach



By Jim Finkle

BOSTON |
Fri Aug 12, 2011 6:16pm EDT

BOSTON (Reuters) - A mobile security expert says he has found new ways for hackers to attack phones running Google Inc's Android operating system.

Riley Hassell, who caused a stir when he called off an appearance at a hackers' conference last week, told Reuters he and colleague Shane Macaulay decided not to lay out their research at the gathering for fear criminals would use it to attack Android phones.

He said in an interview he identified more than a dozen widely used Android applications that make the phones vulnerable to attack.

"App developers frequently fail to follow security guidelines and write applications properly," he said.

"Some apps expose themselves to outside contact. If these apps are vulnerable, then an attacker can remotely compromise that app and potentially the phone using something as simple as a text message."

He declined to identify those apps, saying he fears hackers might exploit the vulnerabilities.

"When you release a threat and there's no patch ready, then there is mayhem," said Hassell, founder of boutique security firm Privateer Labs.

Hassell said he and Macaulay alerted Google to the software shortcomings they unearthed.

Google spokesman Jay Nancarrow said Android security experts discussed the research with Hassell and did not believe he had uncovered problems with Android.

"The identified bugs are not present in Android," he said, declining to elaborate.

It was the first public explanation for the failure of Hassell and Macaulay to make a scheduled presentation at the annual Black Hat hacking conference in Las Vegas, the hacking community's largest annual gathering.

They had been scheduled to talk about "Hacking Androids for Profit." Hundreds of people waited for them to show up at a crowded conference room.

Hassell said in an interview late on Thursday the pair also learned -- at the last minute -- that some of their work may have replicated previously published research and they wanted to make sure they properly acknowledged that work.

"This was a choice we made, to prevent an unacceptable window of risk to consumers worldwide and to guarantee credit where it was due," he said.

A mobile security researcher familiar with the work of Hassell and Macaulay said he understood why the pair decided not to disclose their findings.

"When something can be used for exploitation and there is no way to fix it, it is very dangerous to go out publicly with that information," the researcher said. "When there is not a lot that people can do to protect themselves, disclosure is sometimes not the best policy."

Hassell said he plans to give his talk at the Hack in The Box security conference in Kuala Lumpur in October.

(Reporting by Jim Finkle; editing by John Wallace and Andre Grenon)

original content on reuters



8 Aug, 2011  |  Written by  |  under News


The company logo is shown at the headquarters of Oracle Corporation in Redwood City, California February 2, 2010. Picture taken February 2, 2010. REUTERS/Robert Galbraith



By Jim Finkle

LAS VEGAS |
Mon Aug 8, 2011 12:17am EDT

LAS VEGAS (Reuters) - A weekend contest at the world's largest hacking convention in Las Vegas showed one reason why big corporations seem to be such easy prey for cyber criminals: their workers are poorly trained in security.

Amid a spate of high-profile cyber assaults on targets ranging from Sony Corp to the International Monetary Fund, one would think that many companies would be paying special attention to security these days.

But hackers taking part in the competition on Friday and Saturday found it ridiculously easy in some cases to trick employees at some of the largest U.S. companies to reveal information that can be used in planning cyber attacks against them.

The contestants also managed to get employees to use their corporate computers to browse websites the hackers suggested. Had these been criminal hackers, the websites could have loaded malicious software onto the PCs.

In one case, a contestant pretended to work for a company's IT department and persuaded an employee to give him information on the configuration of her PC, data that could help a hacker decide what type of malware would work best in an attack.

"For me it was a scary call because she was so willing to comply," said Chris Hadnagy, one of the organizers of the contest at the Defcon conference in Las Vegas.

"A lot of this could facilitate serious attacks if used by the right people," Hadnagy said.

Defcon is organized by benevolent hackers, partly to promote research on security vulnerabilities in order to pressure companies to fix them. The contest was sponsored by so-called white-hat hackers to show companies how weak their security is and encourage them to better educate their employees about the risks of hacking.

The company whose employees handed over the most data was Oracle Corp, according to Hadnagy. One of the world's largest software makers, Oracle got its start more than 30 years ago by selling secure databases to the Central Intelligence Agency.

Oracle spokeswoman Deborah Hellinger declined comment.

Other targets included Apple Inc, AT&T Inc, ConAgra Foods Inc, Delta Air Lines Inc, Symantec Corp, Sysco Corp, United Continental Holdings Inc's United Airlines and Verizon Communications Inc.

It was the second year that Defcon held a contest in "social engineering," or the practice where hackers con people into handing over information or taking actions such as downloading malicious software.

Social engineering is frequently used in attacks where the hackers send a "spear phishing" e-mail in which they impersonate a friend of the recipient and ask him or her to open a tainted file or visit a malicious website.

Security experts say spear phishing has led to many hacks over the past year, including ones on U.S. defense contractors, the IMF, EMC Corp's RSA Security division and government agencies around the world.

"It's better whenever you can get data non-confrontationally," said Johnny Long, a consultant who companies hire to hack into their data networks, using tools such as social engineering, to identify weaknesses.

The contestants were charged with obtaining specific information from their targets, including information about how the company backs up and secures its data, wireless network use, and the names of companies that provide on-site security, toner and copier paper.

(Reporting by Jim Finkle, editing by Tiffany Wu, Gary Crosse and Matt Driskill)

original content on reuters



26 Jul, 2011  |  Written by  |  under News




A Netflix disk envelope is displayed in Encinitas, California, July 25, 2011.

Credit: Reuters/Mike Blake


By Lisa Richwine and Paul Thomasch

LOS ANGELES/NEW YORK |
Tue Jul 26, 2011 9:30am EDT

LOS ANGELES/NEW YORK (Reuters) - Netflix Inc, facing a backlash from customers upset over a price hike, warned its subscriber growth would cool down in the third quarter, and its shares fell 10 percent.

The movie rental company, whose stock is up 850 percent since early 2009, set off alarm bells on Monday when it said customer defections would take a bite out of its subscriber count.

Netflix will essentially end the third quarter with the same number, or only slightly more, subscribers as it had at the end of the second quarter. For investors accustomed to spectacular growth, the forecast represented a bitter pill and made clear that customers are sufficiently upset over a recent change to cancel the service.

Those cancellations will largely offset any new subscriber additions in the third quarter, and pressure financial results. Netflix forecast earnings and revenue for the third quarter that would come up short of current analyst estimates.

And that is on top of a second quarter revenue figure that looked light to analysts.

Netflix "came into the quarter as Superman and it looks like they ran into a little bit of kryptonite and lost some of their super power," said Barton Crockett, an analyst with Lazard Capital Markets.

The company forecast third-quarter revenue of between $780 million and $805 million in the United States compared with an average analyst estimate of $846.5 million, according to Thomson Reuters I/B/E/S. It is expecting global earnings of 72 cents a share to $1.07 a share, which is also below the current analyst estimate of $1.09 a share.

Netflix shares fell about 10 percent to $253 after closing at $281.53 in the regular session on Nasdaq, wrongfooting options traders who were betting that the stock would keep chugging higher, and bringing some welcome relief to short sellers.

"It's too early to call on Netflix's future at this point. I have a 'sell' rating on the company based on its high valuation, but I'm not shorting it because it's still a great company," said Brett Harriss, analyst at Gabelli & Co. "There's just not enough margin of safety to buy it here."

NO FLAWS ALLOWED

Previously, Netflix wowed Wall Street with big subscriber additions quarter after quarter, and investors piled in. The company trades at 61 times this year's earnings estimates, a valuation that brings high investor expectations.

While "the business is still healthy," the company's results must be "flawless to support a stock" at those levels, analyst Crockett said.

Netflix sparked a backlash earlier this month when it announced it was raising prices as much as 60 percent for plans that provide DVD rentals and online streaming of movies and television shows. Thousands of subscribers complained on the Netflix blog and Facebook page with many threatening to cancel their subscriptions.

In a letter to shareholders, Netflix said: "We hate making our subscribers upset with us, but we feel like we provide a fantastic service and we're working hard to further improve the quality and range of our streaming content."

By the end of the third quarter, it estimates it will have about 25 million total U.S. subscribers. That is barely more than the 24.59 million it now has.

The company said it expected customer growth to return in the fourth quarter. With the full impact of the price hike, the fourth quarter also could be "our first billion dollar global revenue quarter, driven by strong U.S. performance," the company said.

For the second quarter, the company's revenue rose 52 percent to $788.6 million, but fell short of the average analyst estimate of $791.5 million, according to Thomson Reuters I/B/E/S.

Second-quarter earnings surpassed expectations in rising to $68 million, or $1.26 a share, from $44 million, or 80 cents a share, in the period a year ago.

(Additional reporting by Yinka Adegoke and Jennifer Saba in New York; Editing by Gary Hill and Carol Bishopric.)

original content on reuters
