[ISN] CA and F-Secure squabble over mobile threats

From: InfoSec News (alerts@private)
Date: Mon Jul 24 2006 - 23:13:13 PDT


http://news.zdnet.co.uk/communications/3ggprs/0,39020339,39279551,00.htm

By Tom Espiner
ZDNet UK
July 24, 2006

A spat has erupted between the two security services companies
folllowing CA's accusation that antivirus vendor F-Secure was
overplaying the threat of mobile malware.

Software and services company CA has accused F-Secure of hyping
security threats to smartphones after the Finnish antivirus specialist
launched a mobile security service last week.

CA released a statement on Monday claiming F-Secure has created a
market for its mobile anti-malware service through a sustained
campaign of hype.

"F-Secure is saying there's a huge risk of malcode spreading, but
they've built this up," said Simon Perry, European vice president of
security for CA. "If you look at their behaviour, they've consistently
pushed this message. But it's a theoretical, not a real threat," he
added.

F-Secure signed a deal with Orange last week to provide security for
the mobile operator's smart devices claiming the threat of mobile
malware would increase in the near future.

Matias Impivaara, director of mobile security for F-Secure, denied
that the company had engaged in hype.

"It's amusing - the idea that I could sell something to an operator
that they don't need," Impivaara told ZDNet UK. "Orange had a formal
procurement process, where they put the contract out to tender based
on their own analysis. It's a process that doesn't happen by
accident."

F-Secure's marketing machine is not so big that it could change the
opinion of the world, added Impivaara. "It's flattering for me as a
salesperson - but I'm just not that good," he said.

CA insists that the threat to smartphone users was minimal and that
Orange customers were better off not spending their money on mobile
security. "Dig below the skin and the message stops sounding pithy and
starts smelling rather rotten. At the core of the rot is the mostly
undeniable fact that there is no threat to protect against," said
Perry.

Confronted by CA's scepticism, F-Secure accepted there were few
examples of smartphone malcode at the moment, but said that cases had
been seen in the wild.

"It's not a global epidemic, but there are real people who have got
it. There have been several tens of different viruses - this is early
days for mobile virus writers," said Impivaara.

CA claims that criminals do not have an economic incentive to develop
malcode, and that the risk of malware spreading around smartphones was
minimal because of a lack of interoperability between platforms and
phone models. Network services don't allow for the fast spreading of
code from phone to phone, and user interaction is required for any
viruses to spread, the company added.

CA claims F-Secure has created an atmosphere of fear, uncertainty and
doubt to sell its product - undermining the relationship of trust that
has been established between industry and vendors.

"While F-Secure's bankers and owners may be pleased with the cash
flowing into their coffers from the deal, every security professional
should be appalled by the perception this creates of our market," said
Perry. "Industry and vendors are now more consultative and honest
about risks, not just beating something up to sell it. F-Secure has
done the industry a disservice."

F-Secure's Impivaara responded by saying that both mobile operators
and clients had approached F-Secure, and insisted it had not hyped the
threats.

"It could be bad for the industry if we were trying to scare people,
but people call us with real problems and real viruses. We have
created a solution to these threats for our customers. If we have
mobile operators coming to us, we would be quite stupid to turn them
down," he said.

"I have difficulty understanding how this can be bad for [the
antivirus] business. This is not a mass problem for all consumers, but
our solution is available to those who need it, and there are people
who need it today," Impivaara added.


_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon Jul 24 2006 - 23:29:09 PDT