Google Will Launch Android O After The Total Solar Eclipse On Aug. 21: Rumors Say It's Android Oreo

Google announced that it will launch Android O on Aug. 21, and rumors claim that the next major version of the mobile operating system will indeed be named Android Oreo.

Android O will be unveiled right after the total solar eclipse, a phenomenon that will sweep across the entire country for the first time since 1918.

Android O To Launch Aug. 21
Google created a webpage dedicated to the upcoming total solar eclipse, which includes important information on the phenomenon, such as its expected time and ways to watch it for users outside the United States. Google also revealed details about the Eclipse Megamovie Project, which will gather videos from more than 1,000 volunteers across the United States to create a movie of a continuous view of the total solar eclipse.

The main news on the Android Eclipse page, however, is the announcement that Google will officially reveal Android O at 2:40 p.m. ET. The total solar eclipse is expected to end at 2:37 p.m. ET, and Google will jump into the trail left behind by the phenomenon to unveil the next major version of Android.

The Aug. 21 Android O release date partially confirms a report from last week, wherein Android Police managing editor David Ruddock and prolific leaker Evan Blass both claimed that the operating system will be rolled out on that day. The partial confirmation is because it is unclear if Google will also be rolling out Android O after its official unveiling.

The report also claimed that the official name of Android O will be revealed on Aug. 21.

Android O Name: Android Oreo?
Android Oreo has long been theorized as the official name of Android O, as Google names the major versions of the mobile operating system after sweets. Tying up with a brand for the name is not unprecedented, as Google already did it before with Android KitKat.

Two new clues have increased the likelihood that Android O will indeed be named Android Oreo. The first hint comes from Blass, who simply tweeted "Happy Eclipse" alongside a picture of an Oreo cookie. The connection is easy to make, considering the planned Android O launch after the total solar eclipse.

The second clue is much more definitive, and comes from Google itself. Google uploaded a video on Google+, and its filename was "GoogleOreo_Teaser_0817_noDroids (1).mp4". While this is not complete confirmation of the Android Oreo name, the fact that the post containing the video was taken down and replaced with a video named "Octopus Teaser.mp4" means that uploading the first one was a mistake, and spoiled the operating system's name.

How To Watch The Total Solar Eclipse
Google's Android Eclipse page contains a link to the NASA livestream of the total solar eclipse, though users can also watch the phenomemon on Twitter, in partnership with The Weather Channel.

For those who will be watching the total solar eclipse not on their computer monitors but outside, you will need to exercise proper safety precautions, including making sure the eclipse glasses you purchased will really protect you.

Read More >>

Read More

New Android Malware Simulates Shutdown and Mines Your Data

If you have an Android phone and have purchased third-party apps from outside of the more well-known app stores, you may have put your device at risk from an ingenious new malware that makes it look like you’ve shut off your phone, but instead has only simulated the shutdown with identical shut off animations.

Once the screen goes black and you forget about it, the malware kicks in and roots around through your device, accessing your data. Even scarier, the malware can use your phone to make outgoing calls, take pictures, and utilize a host of other features.

This malware, called the PowerOffHijack, was first spotted by AVG, who explained how it worked on their blog post. Their team believes it originated in China and is spreading via apps that originated within the country, estimating that as many as 10,000 devices have already been infected.

There are a couple of ways to know if you’re safe, even if you don’t have a clear way to know if your phone is infected. If you’re running a version of Android that’s at least v.5, you should be all right; at the same time, if your phone has not been modified (jailbroken) to allow different forms of functionality, then you’re probably okay, too.

The only issue is some retailers sell their phones with this level of functionality already in place, so you may not be aware of the potential danger. Finally, if you’ve only downloaded apps from the Google Play store, you’re probably safe as well since that app store is not available in China.

For now, there’s no patch to combat the PowerOffHijack’s capabilities. Experts are currently recommending users physically remove their batteries when they power off their phones, at least until a patch can be made available.

Read More >>

Read More

Questions for Google about Android security, Glass privacy

As European officials continue to voice concerns about privacy, surveillance, and Google’s products, researchers released a report this week on the security of the search engine company’s operating system:

Security researchers believe they have found a major security flaw in Google’s Android mobile operating system, which could affect up to 99 percent of Android phones now in consumers’ hands . . .

The problem lies in the security verification process that has been used on the Google Play applications store since the release of Android 1.6. It could leave up to 900 million devices open to hackers. The flaw, the research firm said, is a weakness in the way that Android applications verify changes to their code. The weakness would allow hackers to “turn any legitimate application into a malicious Trojan” without flagging the attention of Google’s app store, a mobile phone or the person using an application.

The result, researchers said, would be that anyone who breaks into an app this way would have access to the data that app collects and — if an app made by the device manufacturer gets exploited — could even “take over normal functioning of a phone.”. . .

Security is a common concern on Android phones, in part because the open nature of the system also means that it’s easy for anyone to find out how it works. Android is the OS of choice for 75 percent of the world’s smartphones, IDC reported in May. But a report released in March from the F-Secure security firm found that 79 percent of all mobile malware found in 2012 was running on Android phones.

This problem is exacerbated by the fact that so many smartphone manufacturers use their own versions of the Android operating system, making it more difficult to get system updates that may include security fixes out to customers. Hayley Tsukayama

On the same day that the report was released, a German official advised users to avoid certain companies, including Google, that share information with the U.S. government if they are concerned about eavesdropping:

NSA leaker Edward Snowden claimed Google, Facebook and Microsoft were among several Internet companies to give the U.S. National Security Agency access to their users’ data under a program known as PRISM. The companies have contested this, but the claims prompted outrage in Europe and calls for tighter international rules on data protection.

“Whoever fears their communication is being intercepted in any way should use services that don’t go through American servers,” German Interior Minister Hans-Peter Friedrich said.

He also said German officials are in touch with their U.S. counterparts “on all levels” and a delegation is scheduled to fly to Washington next week to discuss the claims that ordinary citizens — and even European diplomats — were being spied upon by the NSA. Associated Press

British regulators announced Thursday that they have asked Google to revise its privacy policy:

Google is facing more pressure in Europe as British regulators ordered the tech giant to make changes to its privacy policy in Europe by Sept. 20, following actions earlier this month from France and Spain. . .

The agency said that it was particularly concerned that Google’s policy, which went into effect in March and covers over 60 Google services, does not give users enough information about the data the firm collects and how it is used. It also has concerns that the policy does not share enough information about how long Google keeps user data.

If Google does not amend its policy, the British agency said, it will “leave the company open to the possibility of formal enforcement action.” The Guardian reported that the company could also face fines of up to $750,000, but only if there is proof that individuals may have been harmed by the policy.

Also on Thursday, the data protection office in Hamburg, Germany — where Google’s German office is based — said in a statement that it will be calling Google in for a hearing over concerns that the policy’s provisions on data collection are unclear.

Data protection officials from across the European Union have been scrutinizing Google’s privacy protections. The French data protection authority CNIL, which led a year-long investigation into Google’s privacy policy, and said in its order to the company in June that regulators in the Netherlands and Italy were assessing whether the policy violated data protection rules in those countries. Hayley Tsukayama

While European regulators have been more skeptical of Google’s policies than their counterparts in the United States, lawmakers in Congress have questioned Google about its new Glass headware:

On Monday, Google attempted to assure U.S. lawmakers that the headset, which mimics many of the functions of a smartphone, does not push the barriers of its privacy standards. But that was not enough to satisfy some lawmakers’ lingering concerns. . .

Rep. Joe Barton (R-Tex.), co-chairman of the caucus, said that Google has failed to answer the key question: How can it ensure the privacy of passersby who have not agreed to be photographed or videotaped?

He said that there ought to be a way to alert individuals that they may be on camera and that there should be limits on the types of data that Google and other companies can collect from it, as well as limits on how long that data can be stored.

“There do not appear to me to be strong privacy protections for the population at large, or even ownership protection for the user of the Google Glass product,” Barton said. Hayley Tsukayama

Google has argued that it will be clear to people in the vicinity when the device is active or recording.

Read More >>

Read More

Hidden Google Glass code hints at 'Boutique' app store

As Google continues to shape its pre-release version of Google Glass, the latest firmware update has brought new features such a web browser - but it turns out that there are also a few other hints below the surface.
The most interesting new discovery lying dormant in the XE7 APK update code is a "Boutique" which hints at being a centralised app store.
Google Glass is currently lacking a go-to destination for applications, and the new discovery reveals that something is coming to fill that gap, well ahead of its consumer release.

Lock 'n' load

Another welcome new feature hinted at is a locking mechanism, which would function by the wearer swiping in a specific pattern.
This is something Google has mentioned in the past in response to questions over what happens when someone steals your Glass and suddenly has access to all your information.
Also buried in the code are some new media player functions, featuring playback controls, track information and some talk of a video player as well. Volume control has been officially added already, so everything seems to be coming together nicely.
There's no way of knowing when these new features will arrive, but the fact they're showing up in the coding now should mean that Google is busily working to get them out the door soon.
Check out a demo of the Google Glass XE7 web browser below.

Read More >>

Read More

Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran

In a fresh blow to the fundamental integrity of the internet, a hacker last week obtained legitimate web certificates that would have allowed him to impersonate some of the top sites on the internet, including the login pages used by Google, Microsoft and Yahoo e-mail customers.

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a “man in the middle” attack to eavesdrop on the user’s session.

Comodo CEO Melih Abdulhayoglu calls the breach the certificate authority’s version of the Sept. 11 terror attacks.

“Our own planes are being used against us in the C.A. [certificate authority] world,” Abdulhayoglu told Threat Level in an interview. “We have to up the bar and react to these new threat models. This untrusted DNS infrastructure cannot be what drives the internet going forward. If DNS was trusted, none of this would have been an issue.”

Comodo says the attacker was well prepared, and appeared to have a list of targets at the ready when he logged into the company’s system and began requesting certificates.
In addition to the bogus certificates, the attacker created a ninth certificate for a domain of his own under the name “Global Trustee,” according to Abdulhayoglu.

Abdulhayoglu says the attack has all the markings of a state-sponsored intrusion rather than a criminal attack.
“We deal with [cybercriminals] all day long,” he said. But “there are zero footprints of cybercriminals here.”

“If you look at all these domains, every single one of them are communications-related,” he continued. “My personal opinion is that someone is trying to read people’s e-mail communications. [But] the only way for this attack to work [on a large scale] is if you have access to the DNS infrastructure. The certificates on their own are no use, unless they have access to the DNS infrastructure itself, which a state would.”

Though he acknowledges that the attack could have originated anywhere, and been routed through Iranian servers as a proxy, he says Iranian president Mahmoud Ahmadinejad’s regime is the obvious suspect.
Out of the nine fraudulent certificates the hacker requested, only one — for Yahoo — was found to be active. Abdulhayoglu said Comodo tracked it, because the attackers had tried to test the certificate using a second Iranian IP address.

All of the fraudulent certificates have since been revoked, and Mozilla, Google and Microsoft have issued updates to their Firefox, Chrome and Internet Explorer browsers to block any websites from using the fraudulent certificates.

Comodo came clean about the breach this week, after security researcher Jacob Appelbaum noticed the updates to Chrome and Firefox and began poking around. Mozilla persuaded Appelbaum to withhold public disclosure of the information until the situation with the certificates could be resolved, which he agreed to do.
Abdulhayoglu told Threat Level that his company first learned of the breach from the partner that was compromised.

The attacker had compromised the username and password of a registration authority, or R.A., in southern Europe that had been a Comodo Trusted Partner for five or six years, he said. Registration authorities are entities that are authorized to issue certificates after conducting a due-diligence check to determine that the person or entity seeking the certificate is legitimate.

“We have certain checks and balances that alerted the R.A. [about the breach], which brought it to our attention,” he said. “Within hours we were alerted to it, and within hours we revoked everything.”
It’s not the first time that the integrity of web certificates has come into question.

Security researcher Moxie Marlinspike showed in 2009 how a vulnerability in the way that web certificates are issued by authorities and authenticated by web browsers would allow an attacker to impersonate any trusted website with a legitimately issued certificate.

Photo: Iranian President Mahmoud Ahmadinejad gestures as he talks at a 2006 news conference. (Misha Japaridze/AP)
Read More >>

Read More

Google Discovers Fraudulent Digital Certificate Issued for Its Domain

Santa wasn’t the only one sneaking around on Christmas Eve this year. Google says that someone was caught trying to use an unauthorized digital certificate issued in its name in an attempt to impersonate Google.com for a man-in-the-middle attack.

Google revealed in a blog post Thursday that its Chrome web browser detected the certificate being used late on the evening of Dec. 24 and immediately blocked it.
The unauthorized certificate was created after a Trusted Root certificate authority in Turkey, Turktrust, issued intermediate Certificate Authority certificates to two entities last year that should not have received them. Turktrust told Google that it issued the two CA certificates by mistake, inadvertently giving the two entities certificate authority status.

With CA status, the two entities could then generate digital certificates, like a trusted certificate authority, for any domain. These digital certificates could then be misused to intercept traffic intended for that domain in order to steal log-in credentials or read communication.
Google did not identify the two entities who were issued CA certificates, but Microsoft identified them in a blog post as *.EGO.GOV.TR, a Turkish government agency that operates buses and other public transportation in that country, and http://e-islam.kktcmerkezbankasi.org, a domain that does not currently resolve to anything.

The unauthorized Google.com certificate was generated under the *.EGO.GOV.TR certificate authority and was being used to man-in-the-middle traffic on the *.EGO.GOV.TR network. Google’s spokesman said the unauthorized Google certificate was created sometime in early December, fourteen months after Turktrust issued the CA certificate to *.EGO.GOV.TR.

The *.google.com certificate, a so-called wild-card certificate, would have allowed whoever was using it to intercept and read any communication that passed from users on the *.EGO.GOV.TR network to any google.com domain, including encrypted Gmail traffic.

Google engineers have updated Chrome’s revocation list to block any other unauthorized certificates that might have been issued by the two companies. Google also notified Microsoft and Mozilla so that they could update their browsers to block certificates from these companies. Mozilla said in a blog post that it was also suspending Turktrust from inclusion in its trusted root certificate list pending further investigation into how the mixup occurred.

This is at least the third time that a fraudulent certificate for Google has been issued. In 2011, a hacker was able to trick a certificate authority in Europe, Comodo Group, into issuing him fraudulent certificates for domains belonging to Google, Microsoft and Yahoo.

A couple of months later, intruders broke into the network of Dutch certificate authority DigiNotar and were able to issue themselves more than 200 fraudulent certificates, including one for Google.

Read More >>

Read More

Google pulls content in India

Google Inc. has agreed to remove some content in India that is considered offensive by political and religious leaders in the country, the Mercury News reports.

Google (NASDAQ: GOOG) was complying with a court order in the latest twist in legal fights over Web censorship around the globe.

Google pulled content from its search service, its YouTube video site and its Blogger blogging site.

The move comes after weeks of Indian government pressure on 22 Internet companies to remove photos, videos and text considered to be "anti-religious" or "anti-social."
Read More >>

Read More