The method requires only that a user clear the data for the Google Wallet app in the phone’s applications settings menu and then enter a new pin when prompted to do so. This is the second security problem that has been reported with Google Wallet. Users might want to think twice about keeping this thing around.

Update: Google responds.

A hacker going by the handle Casi dumped information from the United Nations Web site yesterday that contained many vulnerabilities that other hackers could use to get inside the UN’s database to cause some real damage.

I guess the question here is why did Casi hack the UN? Well, he tells us himself:

I fuck actually system… I fighting for Internet Freedom, equiality & rights for all. You’re FREEDOM my brothers & my sisters ! <3

What does it mean? I don’t know, but it must have been a pretty good reason to expose almost every weakness currently in the UN’s database.

Similarly, the reason behind listing the vulnerabilities is just as cryptic:

I give vulnerabilities because it’s fucking asshole ! We are FREEDOm !

We are clearly dealing with a criminal mastermind here, or maybe not according to Aaron Titus, Chief Privacy Officer for Identity Finder. Speaking to Fox News’ New York affiliate, he said that the breach was a “very simple attack” and that the UN “could have prevented this very easily and should have prevented it.”

So it seems that the UN just has bad cyber security. It must be embarrassing for the them to be hacked by such a basic SQL injection attack.

Passwords were not exposed, but the real danger lies in what other hackers can do with the information. Identity Finder has reached out to the UN to alert them of the potential danger, but the organization has not replied.

With all these hacks, it’s just a matter of time until every governmental organization’s Web site is laid bare for the world to see. I personally can’t wait to see the database for the White House’s Web site. It must be so scandalous, probably full of photos of the President’s pet.

UK police and the FBI held a conference call last week concerning cyber security, especially focusing on Anonymous and LulzSec members. The email planning the conference call was intercepted by Anonymous and shared on the net.

Naked Security confirms that the email titled “Anon-Lulz International Coordination Call” was sent to “over 40 law enforcement officers in the USA, UK, Ireland, Netherlands, France and Sweden.”

Anonymous used the leaked email to get into the phone conference and record the entirety of it. The entire 16 minute conversation has been uploaded to YouTube, among other places.

The conversation details the continued investigation into Anonymous and LulzSec. While most of the names of the hackers are censored, two hackers are explicitly named – Jake Davis (suspected of being the public face of Anonymous) and Ryan Clearly (who allegedly launched a DDoS attack on the Serious Organised Crime Agency’s Web site).

The FBI and UK Police did finally confirm that their call was intercepted, but the damage was already done.

Anonymous has, of course, been poking fun at the FBI since the hack was made clear:

We’ll continue to keep you up to date on the latest Anonymous escapades as they happen. They’re promising some “lulzy” stuff today.

And now, swiping is on the way out thanks to RFID (radio-frequency identification). Rather than assign you a plastic card with magnetic stripe, credit card companies are moving toward chips programmed with your relevant information. Have a credit card that says “PayPass” on it? Then you have RFID.

RFID is not new. I once worked a security job where I was assigned an ID card that I passed in front of a scanner at every door I entered. The chip in the card was passive, but got its power from the scanner itself when placed near it. Many of us guards learned that we did not even have to pull our cards out of our wallets, but simply wave the entire wallet in front of the scanner.

And, you can see where this is going.

In the old days (i.e. now), credit card thieves might work at a ritzy restaurant for a bit, harvesting card info with a mag stripe reader they could hide in their vest. Trouble with that was that all those cards had one thing in common: they were all used at that restaurant. On the thief’s shift. At his tables. Arrest was quick.

For about $300, you can purchase a cordless RFID scanning device online. It does have to be pretty close to, but not in contact with, a chip in order to power it and read it.

So, imagine: You get into a crowd, start bumping into people’s purses, back pockets, collecting card info with your scanner. Maybe on the subway, where everyone is headed to somewhere else. Your victim base is decentralized. That’s the first step.

Then, you transfer the card info to a cheap mag stripe card. You can buy them in bulk for 30 cents a piece. Hotels and department stores use them all the time. That equipment to do it will set you back another $350. That done, you now have a clone of that person’s credit card.

From there, it’s all up to what manner of crook you want to be. Sell those card clones for $50 each? For a night on the town, that beats Groupon deals. Hook up with the right gangs in a city or overseas buyers online and you could move many of those at a time.

Or, you could swipe them yourself with smartphone accessories straight into an account. Given the right bank, that could work. Fold them into a grander money-laundering scheme?

What if you paid runners a buck apiece to wander subways, concert halls, and other thickly populated areas with your readers tucked away?

Let’s do the math on one simple scenario that does not involve any cohorts, just willing buyers you meet online and $700 in readily-available equipment. Scan 100 RFID chips per day (easy in crowded areas) and you can recoup that investment in your first day’s “work”. After that, $30 worth of blank cards per day nets you $5,000 from your buyers. $25,000 per 5-day work week. Take a couple weeks vacation each year, like normal folk. Clear $1,250,000 your first year grinding.

Beats a job. Beats selling drugs. Do it all yourself out of an apartment.

If you’re crooked.

All this is possible because credit card companies want you to be embarrassed to pay with cash or check. Their commercials show you inconveniencing people in line behind you, then tell you their products are for *your* convenience. They make it easy to swipe, easy to lose track of your spending. Credit and overdraft fees rack up when you are out of touch with your spending.

And now, they make it easier than ever for thieves to steal you money by taking the card-in-my-hands factor out of the equation. Your info is now broadcast, albeit over a short distance.

Pickpocketing was never easier.

Doubt this all would work? It already has.

Well, apparently that last part is a bit malleable.

Turns out the perception of one’s location is good enough to fool Color into letting you invade photostreams anywhere, anytime.  Within hours of its release, Veracode CTO Chris Wysopal tweeted:

When he tested it out, he found that he could go anywhere and see anything – much easier than expected.  He used a jailbroken iPad and an app called FakeLocation.  With this app, he was allowed to bypass the iPad’s GPS and set his location to anywhere in the world.

I’m sure most of you can see where this is going.

When he opened the Color app, bingo!  He could now browse all the photos from an area hundreds of miles away.  “This only took about five minutes to download the FakeLocation app and try a few locations where I figured there would be early adopters who like trying out the latest apps,” Wysopal told Forbes’ Andy Greenberg. “No hacking involved.”

To prove his success, Wysopal (in New York City) sent Greenberg a screencap of Color CEO Bill Nguyen’s photostream (Palo Alto, California):

Once again, this “cheat” is not ruffling any feathers over at Color headquarters.  As a spokesman said to Forbes, they never promised privacy.  “It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see.”

And how many Color users, happy to share their photos with any stranger around them, would really care that the stranger lives in another state – or country?

RUN! Close down your browser, turn off your computer, do not pass “Go”, do not collect $200!

Why such panic? Because, if you ever see a pop-up similar to that above, it may not be as innocuous as the one created by the guys over at Dave Naylor’s blog. In fact, someone with half an ounce of tech savvy could

…make a Twitter ‘application’ and start sending tweets with it. Using the simple instructions below, it can be arranged so that if another Twitter user so much as sees one of these tweets – and they are logged in to Twitter – their account could be taken over.

Yikes!

Twitter confirmed that the exploit had been fixed, but apparently no one over at Twitter thought to contact Naylor’s team to learn exactly how they exploited the web interface, because even after the fix, they replicated it.

If you’re using a third-party application to send and read Tweets, you should be safe. Other advice includes:

• If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.
• Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.

Let’s hope that Twitter gets a real fix in place soon.

Comments

Do you think this hack on Twitter will have any lasting impact? Tell us what you think.

To help explain the incident, and try to squash the potential hazardous pr matter, Biz Stone (@Biz) updated the company blog to address certain issues stemming from the hack. In an effort minimize the boredom; I’ll only post the meaningful parts:

Is your Twitter account safe?

"It’s important to note that the stolen documents which where downloaded and offered to various blogs and publications are not Twitter user accounts nor were any user accounts compromised (except for a screenshot of one person’s account and we contacted that person and recommended changing their password). This was not a hack on the Twitter service, it was a personal attack followed by the theft of private company documents."

Should I be concerned with the security of Google Docs?

"This attack had nothing to do with any vulnerability in Google Apps which we continue to use"

"This isn’t about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords."

Is Twitter worried about the stolen documents?

"Obviously, these docs are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world."

"Nevertheless, as they were never meant for public communication, publishing these documents publicly could jeopardize relationships with Twitter’s ongoing and potential partners. We’re doing our best to reach out to these folks and talk over any questions and concerns. However, our goal remains focusing on the most important business at hand—creating value for users and building the best possible Twitter service."

Does Twitter plan any legal action?

We are in touch with our legal counsel about what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents. We’re not sure yet exactly what the implications are for folks who choose to get involved at this point but when we learn more and are able to share more, we will.

So there you go, nothing that should have a lasting impact on Twitter’s growth… but, this is another blemish on the microblogging sites extremely sloppy growth.

Are you concerned with the safety of your Twitter account? Tell us.

He’s passionate about new technology and social media/networking and what it can do for you, personally and professionally.

Justin is also running for Mayor of Santa Barbara in the upcoming November 3 election. He’s using these social tools – Facebook especially – to help spread his political message, as well as his philanthropical one (Justin’s campaign message is “Humanitarian first, politician second”).

It seems a natural thing to do, when you see how much social media and online networks helped the  Obama presidential campaign.

And it would be – if Justin wasn’t the victim of a cyber criminal who has stolen his identity on Facebook. Not just the  fake account “fun” that Twitter suffers from – Justin’s legitimate Facebook account has been closed due to the actions of the cyber criminal.

Here are just some of the events so far:

• Justin’s original Facebook profile cloned.
• Account starts sending weird spam to friends and supporters.
• Account starts to get flagged by cyber criminal so people believe real Justin is impostor.
• Legitimate Facebook account deleted.
• Spam attacks start on Justin’s Facebook political page.
• Calls Facebook Palo Alto office and is advised to speak to cyber crimes division.
• Files police report.

Justin’s tried talking to the person behind these attacks. The responses from the fake Justin Michael account show that the hacker isn’t too bothered about the legal ramifications. He’ll simply keep changing IP addresses each time the one he’s using is tracked.

The reasons behind the attacks aren’t clear. Justin suspects who the cyber criminal is. Maybe it’s politically charged? In one of the message exchanges on Facebook, Justin is advised that if he removes his Internet presence (MySpace, Twitter, Facebook) and reverts to traditional campaigning, his harasser will remove the fake accounts.

Whatever the reasoning, it’s another sad example of how vulnerable our identities are on social networks. It’s too easy to set up an account and impersonate a person or business. All that’s needed is a basic email account and some knowledge of the person or brand involved.

Sure, there are ways that you can protect yourself – brand monitoring, alerts and observant friends and colleagues being just some of the methods. But these will only alert you after the event. By then, the damage can be irreparable.

What about the social networks in question? Can they be more stringent in their account activation process? Possibly. But how do you know the initial account isn’t fake to begin with? And that you’re subsequently blocking the real person or brand from coming on to your network to try and limit damage control?

Sadly, there doesn’t seem to be any immediate and easy answers. For social networks. For cyber crime. For people like Justin Michael. For you, for me.

Social networking is the ultimate connection platform. The question is, are people connecting with you or someone else?

Comments

As a T-Mobile customer, I assure you this isn’t exactly the brightest part of my morning.  I was just doing a quick (Bing) search on T-Mobile this morning to see if there was any news about a release date on the new Google Phone…  and this is what I get. 

Not only is there still not a peep about the phone I’m obsessing over  looking for, it seems as though I now get to wonder about the security of my data.  Of course anytime you hear about a company you do business with ‘losing’ their data, you have to wonder how and if it will come back to haunt you in some aspect.

If a company loses your data, do you leave them for a competitor? Sound off in the comments.

As of the posting of this article, I have yet to see a peep from T-Mobile in the way of a comment about how extensive the loss is or what level of risk it represents to the customer base.  The hacker guys, however, make the following claim “T-Mobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.”

Believe it or not, that quote is also apparently part of their sales pitch.  These guys are actively seeking buyers for the T-Mobile haul.  Having “already contacted with their (T-Mobile’s) competitors and they didn’t show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder.”

So, there’s that.  I guess I should be glad the new myTouch 3G Google phone didn’t come out last week.  If this goes badly, I may have to learn to fall in love with an iPhone or a Pre. I will be very displeased if I have to deal with any headaches that T-Mobile may have created for me out of their inattention to security.  Very displeased indeed.

UPDATE:

Shortly, after we went live with this, I was contacted by T-Mobile reps with the following statement:

So, there you have it.  T-Mobile says we’re all cool.  Good to know and I am extremely relieved. Now, I don’t have to stop obsessing about looking forward to the myTouch 3G.