A new exploit has been discovered that allows unauthorized access to a user’s Google Wallet account with a simple hack that can be performed by anyone in a matter of minutes. A security firm recently exposed a Google Wallet vulnerability that allowed hackers to bypass PIN protection, but the vulnerability is only present on rooted Galaxy Nexus handsets. This new exploit, however, does not require a handset to be rooted, which leaves all Google Wallet users exposed. Read on for more.

As mobile blog The Smartphone Champ explains, the newly exposed security hole allows someone to simply reset a user’s Google Wallet password by clearing the Google Wallet application data from within the phone’s settings menu. A user’s Google Wallet PIN is not required to wipe this data and once the information has been cleared, the handset will prompt the user for a new PIN without first requiring that the old PIN be entered. Anyone who performs this simple procedure will be able to access funds on the original user’s Google prepaid card.

A Google spokesperson acknowledged the vulnerability and gave the following statement to Android and Me: “We strongly encourage anyone who loses or wants to sell their phone to call Google Wallet support toll-free at 855-492-5538 to disable the prepaid card. We are currently working on an automated fix as well that will be available soon. We also advise all Wallet users to set up a screen lock as an additional layer of protection for their phone.”

A video demonstration of the simple hack follows below.

[Via Android and Me]

Read

The security experts at zVelo have discovered a vulnerability in Google Wallet that allows them to “easily reveal” users’ PINs. If a Google Nexus is rooted, Google Wallet’s PIN verification system can be cracked using a brute force attack. zVelo said on Wednesday that it immediately reported its findings to Google, and the company “agreed to work quickly to resolve it,” although the researchers said Google “ran into obstacles.” To fix the problem, the PIN verification must be moved into the secure element of the NFC chip in a device, however to do so Google must apparently coordinate with banks. Moreover, changing the way a PIN is stored will also change which company is responsible for its security. Read on for more.

If users refrain from rooting their devices, enable a passcode to lock their device, disable USB debugging and enable Full Disk Encryption, they will be better protected from a possible attack. Google released a statement to TheNextWeb and ensures users that the vulnerability only affects rooted devices. “We strongly encourage people to not install Google Wallet on rooted devices and to always set up a screen lock as an additional layer of security for their phone,” said a company spokesperson.

Read

Yesterday it was revealed that the popular social networking app Path was uploading entire iPhone address books to the company’s server. The data uploaded included full names, phone numbers and email addresses, and the app uploaded all this data without ever asking for permission. Dave Morin, Path’s co-founder and CEO, admitted fault on Wednesday through the company’s website and announced an update to allow users to either opt in or out of the contact collection feature. “We believe you should have control when it comes to sharing your personal information. We also believe that actions speak louder than words,” Morin said. “So, as a clear signal of our commitment to your privacy, we’ve deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path.” The company maintains that when data is transmitted to its servers, it is always sent securely through an encrypted connection and protected by industry-standard firewalls.

Read

Path, the popular social network that competes with the likes of Instagram, may be uploading your iPhone’s entire address book up to its servers. Arun Thampi from mclov.in noticed the Path app’s steal data dump while trying to create a Mac OS X application for the social network during a hackathon. “Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path,” Thampi said, noting that Path didn’t ever ask for permission to do so. It’s unclear why Path is uploading the iPhone’s entire address book, but Thampi noticed that the social network performs the action during an API call with basic HTTP authentication. It remains unclear if Path’s Android application is also guilty of uploading personal information. Thampi has instructions on how to catch Path in the action on his blog.

UPDATE: A response from Path’s CEO follows after the break.

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Dave Morin
Co-Founder and CEO of Path

Read

Regulators with the European Union have asked Google to stop rolling out new privacy changes that the company originally introduced earlier this month. “Given the wide range of services you offer, and the popularity of these services, changes in your privacy policy may affect many citizens in most or all of the EU member states,” the European wrote in a letter to Google’s CEO Larry Page. “We wish to check the possible consequences for the protection of the personal data of these citizens in a coordinated way. In light of the above, we call for a pause in the interests of ensuring that there can be no misunderstanding about Google’s commitments to information rights of their users and EU citizens, until we have completed our analysis.” Google said it was introducing the new privacy changes, which go into effect on March 1, to provide a “more intuitive Google experience” for its users, but several groups, including the U.S. House Energy and Commerce Committee, have accused Google of collecting more data than ever before. Google told BGR in a statement that it is “not collecting any new or additional data about users.”

Read

Google announced on Thursday that the company has begun to take a more active approach to keeping malware out of the Android Market. The search giant is using a new service called “Bouncer” to search through the Market for potential malware. Bouncer will scan new applications, ones already in the Market, and developer accounts for known malware, spyware, trojans and misbehaving apps. The service has been running for some time and between the first and second halves of 2011, the company reports a 40% decrease in the number of potentially-malicious downloads from the Android Market. The drop comes as security companies have been reporting that instances of malicious applications are on the rise. Google also said Android is designed to prevent malware from doing any critical damage. “In addition to using new services to help prevent malware, we designed Android from the beginning to make mobile malware less disruptive,” the company wrote on its blog. “In the PC model, malware has more potential to misuse your information. We learned from this approach, designing Android for Internet-connected devices.”

Read

HTC has acknowledged that some the company’s handsets contain a security hole involving the handling of certain data requests while connected to a Wi-Fi network. Security researchers Chris Hessing and Bret Jordan discovered the vulnerability, which could use the android.permission.ACCESS_WIFI_STATE permission to create a command to view all Wi-Fi credentials while connected to the network. The researchers discovered the flaw in September, however over the past few months they have worked with HTC and Google to patch things up before going public. The hole could have been used to transmit information to a remote server using the Internet access permission. Read on for more.

“HTC has developed a fix for a small WiFi issue affecting some HTC phones,” HTC posted on its support site. “Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone.”

Four Froyo devices are vulnerable to the exploit — the Glacier (myTouch 4G), DROID Incredible, Thunderbolt 4G and Desire HD — and four Gingerbread devices are vulnerable — the Desire HD, Desire S, Sensation and EVO 3D.

[Via TheNextWeb]

Read

Research In Motion’s latest BlackBerry 7 devices has=ve been granted Federal Information Processing Standard (FIPS) 140-2 certification by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). FIPS certification is required before a device can be used by a government agency in either the U.S. or Canada. ”The FIPS 140-2 certification for BlackBerry 7.0 and 7.1 illustrates RIM’s continuing commitment to providing industry-leading, secure, mobile computing platforms for our customers,” said Scott Totzke, Senior Vice President, BlackBerry Security at Research In Motion. “With all of the latest BlackBerry smartphones and the PlayBook tablet certified under the FIPS program, government and security-conscious customers can deploy our entire range of products with confidence.” Devices that received FIPS 140-2 certification include the BlackBerry PlayBook, the BlackBerry Bold 9900, 9790, BlackBerry Torch 9850, 9860 and 910, and the BlackBerry Curve 9350, 9360, 9370 and 9380. RIM’s full press release follows after the break.

BlackBerry 7 and 7.1 OS Achieve FIPS 140-2 Certification

Waterloo, ON – Research In Motion (RIM) (NASDAQ: RIMM; TSX: RIM) today announced that BlackBerry® smartphones running on the powerful new BlackBerry® 7 and BlackBerry® 7.1 Operating Systems (OS) have been awarded FIPS 140-2 certification by the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC). FIPS (Federal Information Processing Standard) 140-2 is recognized by the U.S. and Canadian governments and is required under the Federal Information Security Management Act of 2002 (FISMA).
All BlackBerry smartphones running BlackBerry 7 and BlackBerry 7.1 benefit from this certification, including the BlackBerry® Bold™ 9900, 9930 and 9790, BlackBerry® Torch™ 9850, 9860 and 9810, and BlackBerry® Curve™ 9350, 9360, 9370 and 9380.

“The FIPS 140-2 certification for BlackBerry 7.0 and 7.1 illustrates RIM’s continuing commitment to providing industry-leading, secure, mobile computing platforms for our customers,” said Scott Totzke, Senior Vice President, BlackBerry Security at Research In Motion. “With all of the latest BlackBerry smartphones and the PlayBook tablet certified under the FIPS program, government and security-conscious customers can deploy our entire range of products with confidence.”

In addition to FIPS 140-2 certification, the BlackBerry 7 OS has received Common Criteria EAL4+ certification (see announcement – November 14, 2011). The BlackBerry® PlayBook™ tablet has also received FIPS 140-2 validation (see announcement – July 21, 2011).

Google on Monday announced that the company would combine individual privacy policies from a variety of its products into one main policy. Critics of the change were worried that Google was now collecting more data than before, and the U.S. House Energy and Commerce Committee demanded answers. The Mountain View-based company has now responded to Congress and defended its decision to change the policy. Read on for more.

In a 13-page letter to several members of Congress, Google answered the lawmakers’ questions and addressed concerns. ”Last week we heard from members of Congress about Google’s plans to update our privacy policies by consolidating them into a single document on March 1,” Google’s director of public policy Pablo Chavez wrote on the company’s blog. “Protecting people’s privacy is something we think about all day across the company, and we welcome discussions about our approach. We hope this letter, in which we respond to the members’ questions, clears up the confusion about these changes.”

Google maintains that while the policy will be changed, users will continue to have custom controls over what Google can and can’t do. According to the company, Google collects three types of data from users: log data, account data, and service data. Log data is anonymous and consists of a computer’s interaction with Google’s services. Account data is all the user information stored for each individual, and service data is information that relates to a particular product, such as Google Maps, however it is “not necessarily associated with any users.”

UPDATE: Google reached out to us with a statement and informed us that the company is not collecting any new or additional data.

“We’re not collecting any new or additional data about users. Our updated privacy policy simply makes it clear that we use data to refine and improve our users’ experiences on Google – whichever services they use. This is something we have already done for a long time for many of our products.”

Read

Earlier this week, Google announced that the company would combine individual privacy policies from a variety of its products into one main policy. The idea behind it was to provide users with a “more intuitive Google experience.” Critics of the change are worried that Google is now collecting more data than ever, however, leading members of the U.S. House Energy and Commerce Committee to demand answers. Read on for more.

The search giant claims that it is not collecting more data and the new terms merely clarify how existing data is used to improve the Google experience. “We’re making things simpler and we’re trying to be upfront about it. Period,” said Google’s policy manager Betsy Masiello in a blog post. “You still have choice and control. You don’t need to log in to use many of our services, including Search, Maps and YouTube.”

Users will also have access to privacy controls, with the ability to customize options for search history, Gmail, and other services. “You can use as much or as little of Google as you want. For example, you can have a Google Account and choose to use Gmail, but not use Google+,” Masiello added. “Or you could keep your data separate with different accounts — for example, one for YouTube and another for Gmail.”

IBM and HTC are working together to make Android a more attractive platform for the enterprise market. Executives from both companies recently demoed IBM software running on HTC smartphones and tablets during IBM’s Lotusphere and Connect conference, TechWeek Europe said recently. “It’s only been really relatively recently that HTC has broken into the enterprise space,” HTC’s executive director Global Enterprise and Services David Jaegar said. “We’re driving toward that magic 100-million device number globally. We see IBM as the gold standard for an enterprise partnership. We want to make sure if IBM is talking about Android or tablets, HTC is in the conversation.” HTC is focusing specifically on security applications, Jaegar explained recently. The Taiwan-based phone and tablet maker also said it is working with third-party developers and businesses to help firms create custom applications for HTC tablets.

Read

Twitter finally appears to be preparing a new wave of attacks on the malicious spammers that have overrun the popular social network during the past year. Web security firm Dasient on Monday announced that it has been acquired by Twitter. ”Since its inception, Dasient has been focused on solving web-scale security problems involving malware and other types of online abuse,” the firm noted in a blog post. “In 2009, Dasient launched its web anti-malware platform, capable of scanning URLs and websites for the presence of harmful content. In 2010, Dasient launched the industry’s first anti-malvertising service to protect ad networks and publishers from the scourge of malicious ads. Over the last year, we have been very active in securing the ads and content of the some of the industry’s largest ad networks and web sites.” The firm is seen as playing a large role in securing new self-service advertising efforts Twitter is preparing to roll out in the near future. A secondary benefit to end users, however, is that the link-spam currently plaguing members of the social network may be quelled as part of Twitter’s efforts with Dasient technology.

Read

Research In Motion is currently weighing every single option it can think of in an effort to reverse a negative trend that is approaching a boiling point for investors. Reports that RIM is currently in talks to license its software to other vendors are accurate according to our trusted sources, though we have been told that RIM is most likely leaning toward an outright sale of one or more divisions, or even the whole company. The front runner, we have been told by a trusted source with knowledge of the situation, is Samsung, which might be interested in RIM for a number of reasons.

One of the biggest assets RIM has is BlackBerry Messenger, and it would be a smart way for Samsung to differentiate itself inside the Android ecosystem. HTC has its Sense suite and it recently bought into Beats by Dr. Dre. Samsung could buy RIM, or a part of the company, and integrate not only BBM but also several other enterprise features into Android to make its devices an even bigger threat to competitors. This could also help Samsung better differentiate itself on the software and OS level, pulling more control into its hands and away from Google.

We have heard that Jim Balsillie is actively meeting with almost every company that might be interested in either a part or all of RIM, in addition to having talks about licensing. “Jim is going hard after Samsung,” said a source with knowledge of the negotiations. One of the reasons no deal has been struck, however, is that RIM’s co-CEOs are asking for way too much.

We have heard the company is looking for more than $10 billion for a full sale, likely somewhere in the $12 billion to $15 billion range, or between approximately $22.90 and $28.60 per share. RIM’s market capitalization currently sits at about $8.5 billion, though several analysts think that even $8.5 billion is more than an interested party would consider bidding at the moment.

Samsung declined to comment and a spokesperson for RIM did not immediately respond to a request for comment. It’s certainly an interesting time at Research In Motion, and we’ll have much more on RIM in the coming days.

UPDATE: In a statement provided to Reuters Wednesday evening, a Samsung spokesman said the company is not interested in an outright purchase of Research In Motion. The spokesman did not address reports that Samsung is considering licensing RIM’s software, however, or purchasing a portion of RIM’s assets.

Zappos on Sunday confirmed that hackers breached the company’s servers and accessed personal data belonging to many of its customers. The Amazon-owned shoe retailer known for top-notch service and surprising customers with express shipping at no extra cost confirmed that personal data from 24 million accounts was accessed during a recent security breach. The hackers gained access to range of sensitive data including user names, encrypted passwords, customer names, email addresses, phone numbers and the last four digits of credit card numbers. The company stated that full credit card numbers were not compromised. As a security measure, Zappos reset the passwords of all affected customers and sent out emails alerting them to the situation. The company’s full email to customers follows below.

First, the bad news:

We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).

THE BETTER NEWS:

The database that stores your critical credit card and other payment data was NOT affected or accessed.

SECURITY PRECAUTIONS:

For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.

We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.

PLEASE CREATE A NEW PASSWORD:

We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the “Create a New Password” link in the upper right corner of the web site and follow the steps from there.

We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com.

T-Mobile USA and Motorola have both responded to a request for information on Carrier IQ from Senator Al Franken, and both firms admitted to using the software on their handsets. Carrier IQ’s wide-reaching existence was revealed earlier this month by a security expert who pointed out that the software could be used by phone makers and carriers to spy on mobile phone users. T-Mobile said the software is installed on devices owned by an estimated 450,000 customers but that it uses the “technical data solely to understand what is happening on the device and the network so that [T-Mobile] can more effectively and directly troubleshoot issues.” T-Mobile also admitted Carrier IQ comes pre-loaded on the Galaxy S II, the HTC Amaze, the Samsung Exhibit II 4G, the BlackBerry Bold 9900, the BlackBerry Curve 9360, the BlackBerry Torch 9810 and LG’s MyTouch, MyTouch Q and LG DoublePlay. There’s no word yet of T-Mobile will follow in Sprint’s footprints and disable the software’s functionality. Motorola also said it installs Carrier IQ software on its Admiral, Titanium, Bravo and Atrix 2 phones, but only because Sprint and AT&T ask it to. “As of the end of the third-quarter of 2011, we have sold a total of approximately 145,000 units of these models to our wireless carrier partners,” said Motorola government relations senior vice president Dale Stone.

Read