The fix prevents existing prepaid cards from being swapped from one user to another, something Google says it believes will help tighten up Wallet security overall. As for the temporary lock-down, Google reckons that – despite there being no evidence of real-world hacks – it took the step merely as a precaution.

“Yesterday afternoon, we restored the ability to issue new prepaid cards to the Wallet. In addition, we issued a fix that prevents an existing prepaid card from being re-provisioned to another user. While we’re not aware of any abuse of prepaid cards or the Wallet PIN resulting from these recent reports, we took this step as a precaution to ensure the security of our Wallet customers” Osama Bedier, Vice President, Google Wallet and Payments

Still, Google maintains that those with rooted devices shouldn’t use Google Wallet. “Sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone” the company said in a statement last week, “we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones.”

It remains to be seen whether the security blip will impact adoption of Google Wallet, or indeed dissuade current users from trusting the service. Let us know how you feel in the poll below.

[Thanks Carl!]

The widespread and long-lasting intrusion was exposed by the Wall Street Journal, which received information from former Nortel employee Brian Shields. According to the report, the hackers have been gaining access to sensitive information – technical papers, R&D report, employee e-mails, and business plans – since the year 2000. Nortel did not return the publication’s request for comments.

When the intrusion was finally noticed, the executives changed their passwords and an investigation was launched, but it seems like little was done to fully track down the source of the problem. It would after all be very difficult to trace down the evidence to a single individual or group. It’s unclear what damage, implicit or otherwise, might have occurred from these 10 long years of data leaks.

[via PC Mag]

Lurking on the counter like an oversized microwave, the INSIGHT100 can identify liquids, powders and gels inside sealed containers such as glass or plastic bottles or tubs, even if those containers are opaque. The system is said to have a false alarm rate of 1.5-percent or less, and each scan takes under five seconds.

The magic is in something called Spatially Offset Raman Spectroscopy (SORS), bouncing certain spectra of light off a substance depending on the molecules that substance is made up of. As each substance scatters light in different ways, the INSIGHT100 can recognize which are safe and which could be potentially dangerous. Cobalt says it can subsequently update the scanner’s database as new molecular “fingerprints” are identified.

Having already been approved by the European Civil Aviation Conference for its abilities to check for liquid explosives, it’s seemingly down to airports to decide whether to include the INSIGHT100 in their scanning arsenal. Of course, loosening the regulations around bottled water might make things easier for travelers, but it would also cut into a useful extra revenue stream for retailers and airlines; whether they’ll be so happy is questionable.

[via Gizmag]

Google has disabled the use of prepaid credit cards with Google Wallet. The reason for disabling the prepaid cards is to prevent unauthorized access if the phone is lost or stolen. Apparently, debit cards linked to the Google Wallet accounts are still safe. Google is presumably working on a patch that will repair the vulnerability that Wallet Cracker exposed.

There were steps outlined last week that the user of the smartphone could take to plug the gap that allows the PIN to be accessed. This involved changing settings on the Android device such as activating a screen lock feature. I would bet Google would have a patch for the Wallet issue very shortly since the breach is hurting the trust consumers have in the application.

[via AndroidCommunity]

The photo that replaced the website homepage showed that the responsible parties for the hack were EvilShadow team – 7z1&Ancker. The hackers are apparently from China and at this point, there’s no indication of why they hacked the site. The hackers were also able to upload an additional photo some verbiage the read “Unsafe system will be baptized.”

The part of this hack that will concern people who have done business with the Microsoft Store in India the most is that the database was breached, and passwords were stolen. The passwords were reportedly stored on the server in plain text. As of now, there’s no word on whether credit card data was stolen in the hack.

[via WPsauce]

So here’s the thing – your Google Wallet PIN is at risk of being pilfered. Of course, for that to happen, you need two things. First, you need to actually have an active Google Wallet function on your phone, which limits the subset to only those with a Citi credit card, an NFC-enabled phone, Sprint as their mobile carrier, and enough initiative to apply for Google Wallet. That narrows down the field enough to make it a very small concern, but even among that group, only people who have rooted their phone are at risk.

“Google Wallet is protected by a PIN — as well as the phone’s lock screen, if a user sets that option. But sometimes users choose to disable important security mechanisms in order to gain system-level “root” access to their phone; we strongly discourage doing so if you plan to use Google Wallet because the product is not supported on rooted phones,” said Google in an e-mail to Forbes. The search giant stands by its product. It noted, You can be confident that the digital wallet you carry provides defenses that plastic and leather simply don’t.”

[via Forbes]

Around Eastern time 3:30pm, Anonymous posted via its Twitter account the following tweet: “CIA TANGO DOWN: https://www.cia.gov/ #Anonymous.” The CIA website had become unresponsive likely due to a distribute denial of service (DDoS) type of attack that the hacker group commonly launches against its targets.

Following the recent MegaUpload shutdown, those targets have included websites belonging to the FBI, the Department of Justice, and the US Copyright Office. Anonymous also recently intercepted a call between the FBI and Scotland Yard in which the two agencies discussed investigations into the hacker group’s activities.

[via PCMag]

That opens the chance that nefarious types could steal your PIN number securing your Google Wallet account. The issue apparently stems from the fact that PIN information is actually stored on the phone without being secured with the NFC chip. According to Zvelo, “this completely negates all of the security of this mobile phone payment system.”

The good news if you’re one of the people that could be affected by this vulnerability is that you can fix it yourself. Apparently, what you need to do is add a lock screen security pattern or a PIN to your smart phone and disable USB debugging. It is probably a safe assumption that Google is at work on a fix itself.

[via Android Community]

And as anyone living in the US in the 2010s knows, being able to do something from your house is always better than going out to do it. Yes, perhaps it is sad that someone might not have the energe to go to the local McDonald’s to connect to Nintendo Zone, but we’re not judging. A user who goes by the online handle DarkWish found out that this hack is actually one of extreme ease. In fact, it’s so simple it almost boggles the mind. Anyone can do it, and here’s how:

“If you set your wireless network to be named attwifi and make it unsecured, then add that network on your 3DS… you can access the Nintendo Zone from home! So whatever demos (right now it’s just Mario & Sonic), Pokémon TV show episodes, and other content they have on there is now accessible from home.” So the Nintendo Zone is not exactly set up with proprietary restrictions. It’s kind of interesting that no one figured this out sooner. Here’s a video so you can see for yourself:

[via Escapist]

The flaw was first discovered and reported on in January by a blog called Console Cowboys, which revealed that by simply appending a specific code to a camera’s IP address, the password requirement could be bypassed. The blog posted detailed instructions on how to breach Trendnet cameras, resulting in links being posted to various message boards.

Offices, children’s bedrooms, and even someone’s bathroom were viewable among the list of video feeds exposed. A list of 679 web addresses to exposed video feeds were posted to a message board within two days with more listings revealed that were also associated with Google Maps locations.

Trendnet is scrambling to release firmware updates to fix the problem, but estimates that there are 26 camera models that are affected. To see if your camera model could be a spy cam, check out the full list here. Also, be sure to check Trendnet’s download page for firmware updates.

[via PC Mag]

In the e-mail, Thomas wrote that Symantec would pay $50,000 total the hackers to keep the source code from being posted publicly. The e-mails also show Thomas claimed Symantec wanted to use a payment system with $2500 a month for the first three months and the balance once it was convinced the source code was destroyed. Symantec has confirmed the extortion attempt to CNET and says that they were conducting an investigation in cooperation with authorities.

Symantec also says that the investigation is ongoing, and it will not release the name of law-enforcement agencies that are involved. Presumably, the FBI will be included in the investigation and perhaps other agencies as well. Negotiations broke down before the agreement was in place. Apparently, no money was ever sent. CNET now reports that the 1.2 GB file titled “Symantec’s pcAnywhere source code” has been posted to The Pirate Bay.

[via CNET]

Okay, so here’s the deal. When you register your iMessages app, it look at the phone number on your SIM card and then apparently never looks at your SIM card again. It never ties this information to your Apple ID or anything else that registers the app to your actual phone. As such, some iPhone users have found out that if you use iMessages from one iPhone, and then put the SIM card in another iPhone, the same iMessages account appears in both phones.

That’s right. Even the original phone, without a SIM card, still has an active iMessages app. And even if the SIM card finds its way back to the original iPhone, any other iPhone it had contact with will have access to the same iMessages conversations. So if you let your friend borrow your iPhone, or you happen to lose it, or you take it in for repairs at a shady store, anyone who had access to your SIM card can infiltrate your iMessages account.

Even if you perform a remote wipe, it won’t change the fact that the third-party iPhones have registered your SIM card. The only way to cut off access to those “spying” iPhones is to call your carrier and completely deactivate your SIM card. The third-party phones see everything, including message you send and messages you receive. And they can even pretend to be you and send out messages of their own. Now of course, this requires someone else to physically have access to your SIM card and have an extra iPhone lying around without its own SIM card. Chances are that won’t happen to the average iPhone owners. But it is a glitch, and something as private as text messaging conversations will always be a hot button issue. For now, there doesn’t seem to be any sort of software fix on the way.

[via The Verge]

Microsoft and Kaspersky Lab were able use some sort of technical means to get the 45,000 computers that make up the botnet to communicate with what they called a “sinkhole” which was a computer that the two firms controlled. The problem was the computers that were infected with the software for the botnet were still unclean. It was known from the get go that eventually that the nefarious sorts in command of the botnet would regain control.

Microsoft and Kaspersky could have used the communications with their sinkhole computer to force the infected machines to clean their act up, but in some countries, that act would have been illegal. Apparently, there are also new variants of Kelihos using new forms of encryption to hide the mass communication between the slaves and the botnet controllers. One researcher has also pointed out that there are two different RSA keys being used, indicating that two nefarious groups may be controlling the botnet. All this really means for normal Internet users is that we can probably expect an increase in spam.

[via Techworld]

Symantec aside, Google is indeed bumping up their efforts to keep the Android Market clean with Bouncer as well as reinforcing through words the security that’s already in place and has been for some time with Android. Bouncer sits at the heart of the Android Market and checks for malicious software once an app is uploaded, checking it for known viral bits as well as codes that show that it was built by a known malicious developer or has hidden codes made to mess with users in any way at all. Each app is run on Google’s cloud infrastructure and actually tested out so that simulations can show how the application really truly works. Google also mentioned that Android malware downloads have decreased between the first and second halves of 2011:

“We saw a 40% decrease in the number of potentially-malicious downloads from Android Market. This drop occurred at the same time that companies who market and sell anti-malware and security software have been reporting that malicious applications are on the rise. While it’s not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market – and we know the rate is declining significantly.” – Hiroshi Lockheimer, VP of Engineering, Android

uspicious talk there, ladies and gentlemen! In addition, Google mentions that Android as a software sitting on all of your phones right now has Sandboxing features which keep a malicious bit of software contained in one area of your phone if it does exist, first of all. Second there’s a screen between you downloading and you installing your applications one by one that asks whether you want to give that app permission to touch your device in many different ways – that’s all on you. Third, malware removal is simple on an Android device, from the Android Market being able to remotely remove malware from your device to your own ability to see into the guts of your Android device if need be and take the malicious software out yourself. So stay safe, Android users, Google has your back!

[via Google]

Cernaianu also offered for sale software that he claimed would allow others to hack into these servers. He even demonstrated in videos how he carried out his attacks on the US government websites. However, the motivations behind his exploits were more to point out security flaws than for financial gain or anything truly malicious.

As TinKode, Cernaianu often published the security flaws of the websites he hacked into over the last few years, including high-profile websites of the US Army, NASA, the UK Royal Navy, the European Space Agency, MySQL, and Google. Regardless of his intentions, authorities claim that his actions have caused significant damage to the servers and hacking into websites is still a crime.

[via PCMag]

Hardware

Dropcam’s is rightly proud of the HD: its first-gen hardware, the Echo, was designed externally, but the company brought development in-house for this new model. The end result is something that looks far more consumer-friendly than the blocky white Echo. The Dropcam HD itself is a small glossy black puck that slots into a detachable metal stand with a posable base: together, they’re 4.5-inches high and about 3.15-inches across.

The hinged base is stiff enough to stay at whatever angle you set it to, and you can tilt the Dropcam HD itself in the stand to fine-tune things. Power is courtesy of a compact AC brick with a long microUSB cable up to the camera itself; unlike the previous Dropcam models, there’s no ethernet option, only WiFi b/g/n, though that’s no great loss for the consumer market. A rubber foot for the stand has a clip to keep the power cable in place.

Setup requires plugging the Dropcam HD into your computer via USB, creating an account through Dropcam’s site and punching in your WiFi network credentials. After that, it automatically logs on overtime it’s powered up. There’s a 12-LED infrared light array around the lens, for nighttime use, along with a speaker and a microphone.

Service

Part of the easy setup of the Dropcam Echo is the absence of any local software to install: everything is accessed – and stored – in the cloud. The company offer several tiers of service: the free “Basic” package allows you to log in and view live streaming video, either through the regular browser or the iOS app, but no recording functionality. There are also email and mobile (iPhone-only) alerts triggered by the sound and motion sensors. For $9.95 per month and the “Plus” package you get live streaming together with seven days of archive access (and the ability to download select clips or photos to your own computer).

Finally, the “Pro” plan offers 30 days of online recording for $29.95. It’s worth noting that the subscription fees increase per camera you add: $4.95 per extra for the Plus plan or $14.95 per month for the Pro plan. If you have, say, three cameras and want a month’s historic access to the footage each records, you’re looking at almost $60 per month. The Android and iPhone apps themselves are free and work with all tiers of service, though there’s no iPad-specific version. If you have a device with Flash support in the browser, you can log into the Dropcam site and stream video that way instead.

Performance

Where the original Dropcam was limited to QVGA 320 x 240 resolution video, and only offered streaming two-way audio on a more expensive model, the Dropcam HD promises both 720p HD footage and sound as standard.

Unfortunately video quality is only average, suffering particularly in low-light, though it’s reasonably smooth thanks to the 30fps refresh rate. Audio quality is fair, and the microphone is actually quite sensitive, though we noticed a significant amount of crackling both through the desktop UI and the mobile apps. The speaker – used for two-way audio – is small and subsequently suffers very low volume, and there’s no audio output for plugging in a more vocal system. With observed a roughly 2-3 second delay on audio.

Desktop

iPhone 4S

Galaxy Nexus

Motion and audio detection are both very sensitive, and lack controls to adjust exactly what they’ll respond to. Each will mark the online timeline (in the Plus and Pro subscription packages) to indicate when noise or movement was spotted; both packages, plus the Free plan, can optionally send out an alert to let you know something has happened. Their effectiveness is generally down to where the camera is positioned, and if you have pets you can expect plenty of false alarms.

Still, the automatic flagging makes reviewing footage a lot more straightforward than scrubbing through the entire timeline, and you can request a download clip of any section that comes through in MP4 format with audio.

Wrap-Up

Setup, convenience and – if you opt for a subscription – functionality can’t be criticized in the Dropcam HD. The camera is compact, discrete and easy to place, especially if you use only the puck central section, which blends reasonably well into the shadows, and the desktop UI and mobile apps are straightforward to use.

Although the subscription-free option is welcome, we can’t really recommend it for any but the most casual of users. Even with the real-time movement alerts, you’ll probably struggle to access the webcam feed quickly enough to see what has been happening; that’s when the online DVR feature comes in most useful.

That said, the $149 starting price for the Dropcam HD is just that: a starting figure after which you have to take into account subscription fees. Dropcam offers a year’s access to the Plus plan for $99.95 if you pay upfront; still, scale up to a few cameras spread about the house, as many home surveillance enthusiasts would prefer, and you’re looking at a few hundred dollars each year. Contrast that with Logitech’s Alert camera system, which offers local DVR-style storage on your home network (and premium remote access to recordings for $80 per year, per system).

The Dropcam service is certainly easy to use, and there are handy sharing features, which allow you to send clips and images to others – great for showing grandparents what the baby is up to – but it’s an expensive way of doing things. In the end, you pay for the privilege of Dropcam’s simplicity.
-dropcam HD

According to Symantec, the software is safe to use again as long as customers apply all the latest updates and security patches. A patch was released last week for pcAnywhere 12.5 followed by patches for versions 12.0 and 12.1. You can download the patches here or you can contact Symantec at pcanywhere@symantic.com for more information.

The security risk was exposed after a hacker by the name YamaTough released the source code of Symantec’s Norton Utilities PC software and threatened to publish the source code for the company’s anti-virus programs as well. Symantec then admitted that the source code for its Norton Antivirus Corporate Edition, Norton internet Security, Norton Utilities, and Norton GoBack had all been stolen when someone hacked into its network in 2006.

But unlike the antivirus products, which all have been updated since, the pcAnywhere software has remained relatively unchanged since 2006, making it more vulnerable. With the latest software patches, Symantec insists that versions 12.0 and 12.1 are safe to use again and it’s also offering free upgrades to version 12.5.

[via Reuters]

“Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole. Industry cooperation – combined with technology and consumer education – is crucial to fight phishing” Brett McDowell, Chair of DMARC.org and Senior Manager of Customer Security Initiatives at PayPal

According to DMARC, the widespread problems with spam and phishing today are the result of confusion and uncertainty between email providers over what security and authentication options are supported by both sender and recipient. Although existing options – such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) – can be used, there’s no way for providers to know if they’ve been implemented.

What DMARC has done, supposedly, is to integrate authentication more completely into their infrastructure. “A sender could set policies to easily request a provider to discard unauthenticated email in order to block phishing attacks” the group suggests; meanwhile, comprehensive reports are supplied to help spot any loopholes or gaps in the system.

Those taking part in the scheme are a mixture of email providers, security experts, social media firms and, not least, the banks and financial institutions that often have to pay up when credit card insurance claims are filed. AOL, Gmail, Hotmail, Yahoo! Mail, Bank of America, Fidelity Investments, PayPal, American Greetings, Facebook, LinkedIn, Agari, Cloudmark, eCert, Return Path and the Trusted Domain Project are all involved.

Symantec urges users to take a look at the list they’ve got of applications which hold the infected files on them. If you see an application that you’ve downloaded recently on the list, uninstall it and/or reboot your device entirely back to stock. The trojan in this attack is but a minor modification of what’s been know up until now as Android.Tonclank, an application which can receive commands without your knowledge and carry out commands as well as steal sensitive information from your device. Smartphone users are urged to take action on this bit of malware immediately.

If you believe you have an infected application that is not on the list, you can check by seeing if there appears to be two instances of said app running at once when you open it. Another way is to notice a Search icon above your home screen when there should be no such icon. Have a peek at the list of infected applications here and report to Symantec if you believe you’ve detected any additional apps with this same trojan aboard.

[via Symantec]

You make a copy of that data and use it in training materials that you use in your side business, right? Well maybe you don’t, but that’s exactly what the FBI alleges Mr. Zhang did. That’s right; he didn’t use the information for personal gain or to plan an attack on the Federal Reserve. He used it because he wanted to have a nice-looking set of data for training purposes.

It is not believed that Zhang’s illegal theft of government property poses any kind of risk to the government’s financial structure. The data he stole was largely clerical in nature and detailed payments that were sent between federal agencies. “As today’s case demonstrates, our cyber infrastructure is vulnerable not only to cyber criminals and hackers but also alleged thieves like Bo Zhang, who used his position as a contract employee to steal government intellectual property,” said US Attorney Preet Bharara in an FBI press release.

[via Bank Info Security]

Twitter has acquired web security firm Dasient, a real-time link checking system that scans URLs for malware and other online threats, in a move that will likely make clicking a link on the terse social network safer in future. Terms of the deal were not disclosed. Dasient’s technology scans both web addresses and sites for potentially harmful content, as well as operating a service that keeps web-based advertising malware-free.

The acquisition is not Twitter’s only security-related buy in recent months. Back in November 2011, the short messaging service bought Whisper Systems, an Android security and encryption app specialist. No indication of exactly what Whisper’s tech – which includes modifying the core Android kernel to lock down user date – will be used for at Twitter has been given.

Use-cases for Dasient are far easier to envisage, however. Twitter continues to struggle with malware links shared by fake accounts, masked by the general use of URL shorteners to get longer web addresses to fit into the 140-character messages. “Dasient will be able to apply its technology and team to the world’s largest real-time information network” the security firm says.

Dasient was founded in 2008, by a team including ex-Google staff and security researchers from well-known firms like McAfee.

It was Tuesday when the flaw was exposed by two rightfully mad customers, with McAfee responding with as quick a fix as they could muster soon after. What this fix does, they say, is to shut down one of the features involved in the exploit down completely and make additional fixes which make the security risk again reduce down “to zero.” As McAfee said this week:

“We have mitigating factors already in place that reduce risk. The patch for the spam issue is now rolling out to customers, and everyone should have the update shortly.” – McAfee

One vulnerability was found in the ActiveX control and allowed attackers to execute their own arbitrary code, the other found in McAfee’s Rumor Technology, this being the one that allowed hackers to turn your computer into a Spam magnet. While these problems appear now to only be affecting SaaS products or business users with the Enterprise version, you should keep your eyes open, consumers, for similar breaks if you know how to look.

The way you’ll be able to make a quick check on if you’ve been affected by this situation, you SaaS product users or business owners with the Enterprise version, is to simply contact your internet service provider and ask if you’ve had unusual traffic spikes lately. You’ll have already noticed that your internet speed has been slow as of late as well – though that could be anything, technically. Stay safe, everyone!

[via SecurityWatch]

DARPA has put out a draft request for proposals, and the goal is to have developers craft games that are “intuitively understandable by ordinary people.” The goal is to make the games playable and solvable using laptops, smartphones, tablets, and consoles. The solutions to the games would be entered into a database to be used for improving analyzing software.

The hope is that the crowd source testing via games of the source code would help the military to better ensure that their software is free from issues with security or stability. The current process of testing software is falling short, and the military is also facing a shortage of specialists in computer security. Crowd sourcing the testing would be a way to get more hands on the testing deck in a fun way for the end user.

[via Nextgov]

The heist occurred during the first few days of the month against the branch of the bank in Johannesburg. Net-Security reports that the hackers gained access to the bank network months before actually stealing the money and set the groundwork. The attack apparently started with a compromised computer in one location.

Once that worker computer was compromised, the hackers then set up their own accounts. After those accounts were ready to go, the hackers transferred money from other accounts into theirs. The theft took place while the bank was closed over the New Year holiday and was finished by the time workers returned after the break. The investigation is attempting to determine now if the worker whose system was compromised was part of the heist or allowed the machine to be hacked by mistake.

[via Net-Security]

The same hacker sent out a message overnight that he, and his hacker group called Nightmare would be bringing down the sites of the Tel Aviv Stock Exchange and national airline Al El. The attack against the sites was a simple DOS attack. The sites were reportedly able to recover from the attack in hours and neither airline flights, nor the economy in Israel was harmed.

El Al took the company site offline as a precaution when unusual activity was discovered. The site was closed after normal activity of about 50 simultaneous access requests went up to 1,000 requests. Israel has previously stated it will retaliate against hacking attempts just as it does other terrorist attacks.

[via SFGate]

ReadWriteWeb reports that the vandals have moved and or deleted some map details and has changed the direction of traffic flow on one-way streets. This is the same range of IP addresses that were busted stealing data from a database owned by Mocality. The data in that case was used to call and offer paid placements in a deal said to be with Google and Mocality.

Google is investigating the allegations, and I am sure we will hear more on this. Google can’t be happy that someone is using its IP addresses to commit these acts. Open Street Map has found two accounts that have modified streets in New York, London and other cities since last week. There is an investigation going on, and it seems the vandalism may be very widespread. Open Street Maps claim that there are at least 17 accounts that have accessed its maps from the Google IPs to the tune of 100,000 times in the last year.

[via ReadWriteWeb]

Google has had a safer login process uses a two-form identification process for a while. The trusted device is your smartphone in this system, and it generates a short code needed to log in. The new system allows you to log into your Gmail account on the smartphone and then automatically logs you into the Gmail account on the computer.

You never had to enter your password details on the public terminal eliminating the worry about key loggers. Apparently, the public terminal generates a QR code on the screen that you scan with the smartphone, and then you are logged in. You will need a QR code reader for your smartphone to use the system and the Google Goggles app will work. The system apparently works with the iPhone, Android and supposedly Windows Phone too.

[via PCWorld]

Zappos users here are the subject matter simply because it’s the most recent attack, but it’s true for whatever set of services you use on the daily. If you’ve got an eBay account, an account for your online bank account, and an account for Zappos, you need, need, NEED to have a different password for each of them. What you do when you keep the same password for each of these sites is to open yourself up to a MUCH wider array of hackers than if you change your password for each.

For those of you that live in a house, here’s a good example of what this is like: You’ve got a door that needs a key to open it. You keep that key on your person, but you also have a key hidden in the yard just incase you’ve lost your own key.

This is what it’s like to have one password for one site – someone could figure out where that key is, but they’ve only got one door they could open with it. What having the same password for all of your sites is like would be if that key was not only duplicated several times to be hidden in different areas of your yard, but also opened up your house, your garage, your shed, and your car.

Make yourself a different key for each of your buildings and vehicles. Make yourself a different password for each of the sites you access. It’s as simple as that.

BONUS: for those of you that have a difficult time remembering a ton of passwords, there’s always an app for that. Check out 1Password for desktop and mobile including iPhone and Android, LastPass 1.72 Premium as found at LastPass.com has the same benefits but also works on such platforms at Linux, symbian, BlackBerry, and more, and KeePass is your open-source free alternative, if you know how to make it work, that is.

[poll 25]

6pm.com was hewn off and run separately from Zappos back in 2008, focusing on the discount end of the market. The retail site has proved a hit with bargain shoppers, offering up to 75-percent cuts on RRP, though unlike Zappos does not include free two-way shipping, and products have a reduced, 30-day warranty period.

As is the case for Zappos customers, 6pm users’ credit card details have not been leaked. Instead, only the final four digits of registered cards – commonly used to identify the stored card to the shopper on the checkout page – are among the hacked data.

6pm users can reset their password here, and are advised to change the password on other sites they may have registered with using the same credentials. However, those currently outside the US – either international customers or US-based customers traveling – are unable to access the site, both Zappos and 6pm being temporarily closed to international traffic.

“We are cooperating with law enforcement to undergo an exhaustive investigation. Because of the nature of the investigation, the information in this email is being sent a bit more formally, and unfortunately we are not able to provide any more details about specifics of the attack beyond what is in this email and the link at the end of this email, but we can say that THE DATABASE THAT STORES OUR CUSTOMERS’ CRITICAL CREDIT CARD AND OTHER PAYMENT DATA WAS NOT AFFECTED OR ACCESSED.

The most important focus for us right now is the safety and security of our customers’ information. Within the next hour, we will begin the process of notifying the 24+ million customer accounts in our database about the incident and help step them through the process of choosing a new password for their accounts. (We’ve already reset and expired their existing passwords.)” Tony Hsieh, CEO, Zappos

Zappos has already voided existing passwords, and will direct users to http://www.zappos.com/passwordchange in an email informing them of the security breach. The company is also suggesting that users change their password on other services where they are registered with the same details.

Although a vocal response is expected from shoppers, Zappos has actually decided to shut down its phone support lines and instead rely solely on email to communicate. That’s being portrayed as a time-saving measure: the retailer’s entire headquarters staff are being drafted in to handle customer services messages, and the predicted surge of concerned users would quickly overwhelm the switchboard.

“In order to service as many customer inquiries as possible, we will be asking all employees at our headquarters, regardless of department, to help with assisting customers.  Due to the volume of inquiries we are expecting, we realized that we could serve the most customers by answering their questions by email. We have made the hard decision to temporarily turn off our phones and direct customers to contact us by email because our phone systems simply aren’t capable of handling so much volume. (If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place.)” Zappos

[Thanks to everyone who sent this in!]

“We were mortified to learn that a team of people working on a Google project improperly used Mocality’s data and misrepresented our relationship with Mocality to encourage customers to create new websites. We’ve already unreservedly apologized to Mocality. We’re still investigating exactly how this happened, and as soon as we have all the facts, we’ll be taking the appropriate action with the people involved” Nelson Mattos, Vice-President for Product and Engineering, Europe and Emerging Markets

Mocality built its business list through paid crowd-sourcing, handing out cash through a Kenyan mobile money system to users who submitted information on local companies and kept that information up-to-date. Unlike in other countries, no existing list of Kenyan businesses is readily available.

A team of people working on Google’s own business website project in Kenya apparently decided that Mocality’s database was easy pickings, systematically pulling entries and contacting them. According to the startup’s investigations, the Google staff misrepresented them, either saying that Google’s GKBO project was in partnership with Mocality, or that Mocality would charge the equivalent of $200 per site whereas in fact it does not.

Google is still looking into exactly what went wrong, and Mocality is yet to comment on the search giant’s response to the matter.

The duo found that they can listen in on the Bluetooth connection between the devices. RIM left the security token needed to decrypt emails in a place where anyone that knows where to look can find it. Once they had hands on that token, the researchers were able to access all the email and other information they wanted as a privileged user.

The key to allowing the exploit was the discovery of the security token sitting there waiting to be found. The token sits in a place that is world readable while the Playbook and smartphone are in a Bridge session. There are caveats to the attack though. The Playbook has to be running an app that can access the token. A malicious app could also be installed on the tablet to open access to the token.

[via ThreatPost]

Have a peek at this device right here in the video and let us know if this is something you’d be wanting to use in the very near future to watch over your household. You’ve got to take into account that your smartphone, the device you’ve got on you each and every day, will be able to control and feed information back to you whenever you like. Internal antennas, 11n wireless connectivity, and H.264 enhanced video compression will aid you on your way.

As a sort of bonus, this device contains both an internal microphone and a speaker so you can both listen in on the immediate area and project your voice to speak to whoever might want to hear. You’ve got 720p video, easy setup Wireless 802.11n compliant and Wi-Fi Protected (WPS) button, and of course the ability to record directly to a microSD card. Check out the rest of our on-site CES 2012 coverage with our CES Live tag – get it all!

The Home Control Switch allows you to plug in a lamp or other mains gizmo and then turn it on both remotely, via the app, or locally, via a button on the box itself. Alternatively, you can have it trigger automatically, when the Motion Sensor spots movement, either turning lights or other devices on when you walk into range, or off when you leave the room.

Belkin only has these two devices so far, but promises that a remote garage door opener, door lock, lighting controls and a baby monitor – with streaming audio – are in the pipeline. The company has also done a deal with electric lock company Kwikset, whose Home Connect security locks will also gain WeMo support: users will be able to lock or unlock remotely, as well as see the current security status on-screen.

The Belkin Home Control Switch and Motion Sensor will go on sale this coming summer, priced at $49.99 for the switch and $99.99 for both devices in a bundle. The control app will be a free download when it arrives in the App Store.

The webcam supports night vision and two-way audio, and footage can be streamed to a desktop browser, iPhone, Android phone, iPad or Android tablet. Alternatively you can scroll back through up to thirty days of cloud-stored archive footage, though you’ll need to sign up to a service plan for that; they start at $9.95 a month for 7 days of archive access, or $29.95 for the full month.

A free plan allows you to simply view what’s going on there and then, complete with alerts if the camera spots any movement. The Dropcam HD WiFi camera is priced at $149 and is up for pre-order today; the company tells us that it will begin shipping on January 31.

According to the Israeli investigators, the hacker is said to be a 19-year old that lives in Mexico. OxOmar has claimed to be a Saudi citizen reports the BBC. The Mexican government hasn’t been called in to assist at this point according to reports.

Israel considers cyber attacks to be a breach of sovereignty along the lines of any terrorist act and says that it will treat the hack as such. Israel also boasted about its capability for retaliation, but didn’t offer specifics.

[via BBC]

Unlike the TP-LINK TL-SC4171G we reviewed recently, the SmartCam doesn’t offer motorized pan/tilt for scoping out the room. There’s still nighttime illumination, however, thanks to infrared LEDs, along with audio and motion detection and – for those nude refrigerator raids you’d rather nobody find out about – a privacy button.

Video is streamed at either 640 x 480 or 320 x 240 and at up to 30fps, and there’s two-way audio support too. Up to five viewers can access the camera at any one time, and you can set the SmartCam to automatically begin recording and uploading clips, when triggered with movement/sound, to a secure YouTube account with a push notification sent out to alert you.

The Samsung SmartCam is set to go on sale in March, priced at $149.

The unit can be used free-standing or fixed to the wall with the bundled bracket, while the lens itself can be tilted between 0 and 150 degrees. There’s an integrated microphone and speaker, for two-way audio – ideal for remotely chiding your child – along with IR LEDs for keeping an eye on them when the lights go out.

If movement or sound is spotted, the camera can be set to automatically begin recording and upload the footage to a password-protected YouTube account; meanwhile a notification is sent out to the owner. Free Android and iOS apps are available, and setup is apparently the work of seconds thanks to WPS WiFi pairing and simple account setup through Samsung’s online portal.

The Samsung WiFI Video Baby Monitor will go on sale in March, priced at $149.

That’s a disappointment, but Lenovo has skinned the smartphone with its Mondrian UI so users might not notice much difference, at least on the surface. Other specs include an 8-megapixel main camera and a front-facing camera, with panoramic photo support and instant cloud-sync with the online storage space Lenovo bundles with each phone.

Interestingly, aesthetically the Lenovo S2 looks a whole lot like the leaked Lenovo Windows Phone handset spotted back in November. At the time, the company confirmed that it was working on a Windows Phone device, but said it would not be ready for primetime until the second half of 2012.

As with the TV and tablet, Lenovo is offering the S2 smartphone in China first, with a roll-out in other territories not coming until later. No word on when, exactly, that might be, nor what sort of price-tag the S2 could be carrying when indeed it arrives.

Apparently, HiGear was targeted by a ring of thieves that stole four cars using the service with the value of the cars at about $300,000. The thieves used stolen credit cards and stolen identities to get around all the security that HiGear had in place to prevent this sort of thing. After the incidents, HiGear was forced to admit that there was no sure way to prevent theft of this sort from happening in the future.

As a result, the company has simply opted to close up shop. HiGear only focused on high-end brands and says that normal cars may not be such prime targets for thieves. The police recovered some of the stolen cars, and insurance claims are being processed on others. This is exactly one of the reasons I never though renting your own car out made sense.

[via TechCrunch]