
Security


October 20, 2009

A TWC Security PSA

Folks, listen up. If you have a wireless modem provided by Time Warner Cable, you might want to have a look at it. No, it won’t catch fire. But some 65,000 of them have a security hole –

Time Warner acknowledged the problem to Threat Level on Tuesday, and says it’s in the process of testing replacement firmware code from the router manufacturer, which it plans to push out to customers soon.

“We were aware of the problem last week and have been working on it since,” said Time Warner spokesman Alex Dudley.

The vulnerability lies with Time Warner’s SMC8014 series cable modem/Wi-Fi router combo, made by SMC. The device is one of several options Time Warner offers to customers who don’t want to install their own modem and router to use with the company’s broadband service. The device is installed with default configurations, which customers can alter only slightly through its built-in web server. The most customers can do through this page is add a list of URLs they want their router to block.

But blogger David Chen, writing at chenosaurus.com, recently discovered he could easily gain remote access to an administrative page served by the router that would allow him greater control of the device.

Chen, founder of a software startup called Pip.io, said he was trying to help a friend change the settings on his cable modem and discovered that Time Warner had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.

If you have an SMC8014 in your home network PROVIDED by TWC, you might want to inquire with TWC as to whether your particular device has had a patch applied. Oh, and don’t take their word for it. Ask for the work order record. If they don’t have one for your account, they probably did not do it. Keep in mind that somebody could drive up to your curb and manipulate your device. Do not take this issue lightly.

Linky.
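
The flaw described above comes down to hiding admin functions in the page instead of checking authorization on the server. The sketch below is an added example, not code from the original post or from the router; its paths, tokens and role names are hypothetical.

```javascript
// Added illustration. Paths, tokens and role names are hypothetical,
// not taken from the SMC8014 firmware.
const ADMIN_ONLY = new Set(['/admin/backup-config', '/admin/wireless']);
const SESSIONS = new Map([          // constructed session table: token -> role
  ['tok-customer', 'customer'],
  ['tok-operator', 'operator'],
]);
const roleOf = (token) => SESSIONS.get(token) || null;

// Weak: every function is sent to every visitor and a script hides the
// admin rows. With scripting off the rows stay visible, and the handler
// never asks who is calling.
function renderMenuWeak() {
  return [
    '<ul>',
    '<li><a href="/filter/urls">URL blocking</a></li>',
    '<li class="adm"><a href="/admin/backup-config">Backup config</a></li>',
    '</ul>',
    '<script>document.querySelectorAll(".adm").forEach(e => e.remove())</script>',
  ].join('\n');
}
function handleWeak(path) {
  return { status: 200, body: `served ${path}` };
}

// Hardened: the server builds the menu from the caller's role and checks
// that role again on every request, so hiding a link is cosmetic only.
function renderMenuHardened(token) {
  const items = ['<li><a href="/filter/urls">URL blocking</a></li>'];
  if (roleOf(token) === 'operator') {
    items.push('<li><a href="/admin/backup-config">Backup config</a></li>');
  }
  return `<ul>\n${items.join('\n')}\n</ul>`;
}
function handleHardened(path, token) {
  const role = roleOf(token);
  if (role === null) return { status: 401, body: 'login required' };
  if (ADMIN_ONLY.has(path) && role !== 'operator') {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `served ${path}` };
}

// Links present in the markup, i.e. what a browser shows with scripting off.
function linksInMarkup(html) {
  return [...html.matchAll(/href="([^"]+)"/g)].map((m) => m[1]);
}

// Audit check: every admin path must refuse a customer session.
function exposedToCustomer(handler) {
  return [...ADMIN_ONLY].filter((p) => handler(p, 'tok-customer').status === 200);
}
```

Running exposedToCustomer against each handler gives a quick regression check: it should return an empty list for any handler that enforces the role on the server.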

Filed under Security, Time Warner by Dr. Dog


August 27, 2009

Are You Phreaked? You Should Be


Above all, though, Weigman is still a teenager. While he expresses remorse over his swatting attacks, he takes giddy pleasure in recounting his other exploits — whether punking celebrities or playing the phone companies like an Xbox. “The phone system and infrastructure is just weak,” he says. “I had access to the entire AT&T and Verizon networks at times. I could have shut down an entire area.” Then he segues into an earnest pitch for a future job. “I’d love to work for a phone company, just doing what I do legally,” he says. “It’s not about power. I know the phone and telecommunication systems and can be a crucial part of any company.”

This is one graph out of a very interesting phreaking story here. Most that read this board probably know what a phreak is: someone who manipulates the PSTN network for fun. Please do read the whole thing, it’s interesting.

But the sobering side shows just how vulnerable our telecommunications on the PSTN are at two levels. A) That it can be socially engineered around. B) That the infrastructure itself is very naive.

The latter first. Back in the 60’s two things happened. The first: the Bells figured out how to design a computer that could operate like the old mechanical stepper CO switches without all the support issues. The second was the development of FSK keying, better known to the public as touchtone. Both developments were designed at a time when, shall we say, the world that America operated in was one of innocence. The thoughts were, why would anybody muck with the phone systems? It’s dull, boring stuff that even those in the companies found only peripherally interesting. It never occurred to anyone that Bell could represent a ‘respectable’ challenge to manipulate.

Consider touchtone®: it’s basically a two-tone modulated signaling system. Barely a step up from Morse code. Its weak link is that it is in the human audio range. From a security perspective, probably the worst set of choices one could make. Tones can be recorded. Tones can be generated to overcome the system (a blue box). Compared to systems today, it’s a security nightmare.

Then there are the companies themselves. For years, even while I was there, if you were ‘in the Bell loop’ you were a trusted entity. The companies are vast and diverse. If you work there you live on the phone, conduct most business via long distance and for the most part rarely if ever physically meet the people you interoperate with on a daily basis. It worked quite well so long as parties worked on the knowledge that their peers could be trusted. And why not? You were an employee!

That breaks down when outsiders can mimic the technobabble that is used in the industry. Even though employees are trained to spot interlopers, a 10% failure rate in that regard opens a large bundle of opportunity. Security training is required yearly at most Telcos. They still do it. But here is the interesting thing. To my knowledge none of them have implemented the simplest of measures for providing secure lines for fraud, security, and collection departments. It’s one of the prime reasons that phreaking works.

Still sound droll, even with a possible threat of a swatting attack going wrong? Well then think about this before you go to bed tonight — What could Weigman have done had he been hired by terrorists?

Filed under Security, Telecom, carriers by Dr. Dog


June 17, 2009

You Have to be Freaking Kidding Me!

If you live in Florida and you want to sell or trade a video game, you have to provide a thumb print now. Since Oct the Florida Legislature has criminalized you for being a gamer and selling your own property. –

I called back and talked to Gamestop manager Carlos Rivera, who said every video game store in Broward County got a visit from a deputy back in October. The deputy told them to start collecting thumb prints from people who return games.

So what did the good folks at Gamestop do? Break out a BFG9000?

“They have guns,” Rivera said. “I don’t argue with people with guns.”

Broward County Sheriff’s Office spokeswoman Kayla Concepcion said the new requirement comes straight from the Florida Legislature, which enacted a law on October 1 of last year that treated video games like second-hand goods sold at pawn shops. Now any store buying used video games has to collect the thumb prints, along with a bunch of other personal info about the seller.

Rivera told me most video-game-returning customers don’t really care, he said, but a few have turned around and walked out. “Haven’t had any fights over it yet,” Rivera said.

Next thing you know they will be asking for thumbprints when you buy groceries at the store.

Linky.

Filed under Legislation / Regulation, Uncategorized by Dr. Dog


June 3, 2009

Dream On Larry


OK, it looks like he’s latching onto the latest greatest thing - telling the JavaOne conference that now Oracle is swallowing Sun, he could well imagine the market welcoming Java-powered netbooks.

In fact, he ventured, “I don’t see why some of those devices shouldn’t come from Sun. Here will be computers that are based on Java and JavaFX and devices based on Java and JavaFX, not only from Google but also from Sun.”

But this will all bring tears of nostalgia to the eyes of anyone who remembers the ground-breaking launch of the network computer, back in 1995.

Back then, when it looked like Wintel was going to dominate the world forever, Ellison and his plucky sidekicks - Scott McNealy and some guy from IBM - took to the stage at Comdex to propose a line of cheap, diskless PCs that would take full advantage of the network or even something called the internet.

As a concept, the idea of the netcomputer that is pretty much nothing more than a high intelligence dumb tube has a lot going for it. In fact, the numbers on reducing headcount on the admin backend are favorable. But there are a lot of caveats attached to that effort. –

  • Is your staff already trained in the use of Sun VDI and Solaris on the backend?
  • Are you prepared or considering the hardware upgrade on the client level?
  • Is your layer 1 network current? If not add that to the costs.

If not, you have to add all those costs to the mix in any assessment of a switch. Once the ROI calculations are in, you will find that the savings are thin indeed. Not Sun’s issue, but the reality is that transition costs are high. In these uncertain times, if you don’t have an ROI winner, management passes.

So now Larry wants you to buy into this concept as part of the current netbook craze. Technically I can see some advantages here on a portable device like a netbook. If one is very security conscious, think NYSE, then presenting the desktop in that manner makes eminent sense. There is nothing to steal as it all resides on the server. But as a general mode of operation? Pass. You are adding recurring costs on top of the current management of the portable device fleet.

Pure marketing, attempting to gain presence on top of a successful trend.

Linky.

Filed under Sun, marketplaces, news in brief by Dr. Dog


May 4, 2009

Be Aware, Blackberry Users


A TV investigation has revealed that secondhand BlackBerries on Nigerian markets are priced according to the data held on them, not the age or the model of a phone.

Jon Godfrey, director of Sims LifeCycle Services, who is advising on a TV investigation into the trade due to screen later this year, said that BlackBerries sell for between $25 to $65 on Lagos markets. Details of the trade come from an agent in Nigeria unaffiliated to Sims’ technology recycling business.

Godfrey explained that the smart phones offered for sale come from the US, continental Europe and the UK. “It’s unclear as yet whether the phones are either sold, thrown away, lost or stolen,” Godfrey explained.

Other types of smartphone are also of potential interest to data thieves, but it is the trade in Blackberries that seems to be the most active. Data retrieved from smartphones is itself traded by crooks in Nigeria.

If you are trading in a Blackberry or other smartphone –

  • Best. Download all your data yourself to your PC or Mac. Then wipe the phone clean yourself. And validate that it is all gone. Upload the data to the new phone when you get home.
  • Good. Watch the representative upload the data to the new phone. Then request they delete the data off the old phone. Then take the old phone in your hands and check that its memory has been cleared.

If confirmed, this represents a ratchet up from the usual phishing expeditions on the unwary to active pirating of data in an open market.

Linky.

Filed under Security, Wireless by Dr. Dog


April 25, 2009

Just Keep This in Mind

Two things to keep in mind –

1) Treat your cell phone like your wallet. Most of the spyware programs require physical access to be installed on the phone.
2) Password protect your phone. Most have that capability now. It’s not foolproof, but it makes it harder for the casual hacker to mess with your device.

Another article here.

Filed under Security, Wireless by Dr. Dog


March 5, 2009

Bot net ID theft scammer gets jail time

While the sentence is light, it appears that at least one court is taking data theft seriously. The growing problem of botnet operators implanting malware on end users’ systems is exploding. On the rare occasion when an identity thief is caught, prosecution has been minimal. We don’t need new laws, we need more enforcement.

Prosecutors say 27-year-old John Schiefer was sentenced Wednesday after pleading guilty last April to computer fraud.

Prosecutors say Schiefer and his associates created “botnets” — armies of infected computers — to steal individuals’ identities by extracting information from their personal computers.

Schiefer also worked as a consultant with a Dutch Internet advertising company to defraud it with his botnets. He was ordered to pay $19,000 in restitution to PayPal and other companies. (Yahoo)

OS and browser vendors need to do a better job of educating the public on this growing problem. Microsoft is at the top of the list of companies who have been less than proactive in defending and educating users. Its sloppily written automated updates have generated so many system difficulties that many users refuse to install them. End users need to take responsibility for their own protection. If you’re not proactive in securing your own system, it’s the equivalent of leaving your door unlocked.

Filed under Legislation / Regulation, Litigation by admin


February 13, 2009

Calling the TinFoil Brigade

Yes, you know who you are. You worry about EM radiation from toasters and late night knocks on the door from MaBell Phone Cops. Well, you might be able to rest a little easier if you start using Skype. Especially if you can get on a European server –

The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain’s GCHQ has also stated that it has severe problems intercepting VoIP and internet communication in general.

Skype in particular is a serious problem for spooks and cops. Being P2P, the network can’t be accessed by the company providing it and the authorities can’t gain access by that route. The company won’t disclose details of its encryption, either, and isn’t required to as it is Europe based. This lack of openness prompts many security pros to rubbish Skype on “security through obscurity” grounds: but nonetheless it remains a popular choice with those who think they might find themselves under surveillance. Rumour suggests that America’s NSA may be able to break Skype encryption - assuming they have access to a given call or message - but nobody else.

The NSA may be able to do that: but it seems that if so, this uses up too much of the agency’s resources at present.

“They are saying to the industry, you get us into Skype and we will make you a very rich company,” said the industry source, adding that the obscure encryption used by the P2Pware is believed to change frequently as part of software updates.

Enjoy. Oh by the way, your hat is a little crooked.

Linky.

Filed under Security, VoIP by Dr. Dog


December 29, 2008

Privacy Without Overhead?


If you’re a Geek you are probably at least aware of Tor, the anonymousizing (is that a word?) transport service. For those that are not, Tor provides a means of hiding your source point, providing a level of privacy to your communications. Closest example I can think of is a partyline VPN. The downside to Tor? Well, it is a user space service, or was till OnionCat showed up on the scene –

Tor provides so-called “Hidden Services”. These are services which are location hidden within the Tor network. This means that not only users are hidden but also services (destination). Tor manages this by assigning virtual addresses to them, so-called .onion-URLs. Tor builds all connections based on them.

Unfortunately, access to hidden services is currently not very user-friendly which makes them unattractive although they could provide high privacy in today’s world.

OnionCat provides an IP-transparent service which does on-demand connections to designated hidden services. This is a Tor-specific virtual private network (VPN). Because of its IP-transparency any client program can use hidden services without further workarounds.

If you used Tor, you generally used it per application and would have to work each connection in turn. With OnionCat the Tor network transports the IP source tunneled within its IP network. In that guise a full suite of IP client-server traffic could traverse the Tor network without any client side manipulations. Makes an interesting case for reasonably secure message trafficking, among other things.

Guess I should apply a disclaimer. Tor is not perfect. If you don’t follow their rules of use, your ‘security’ is out the window. Nor would I consider it a replacement for business level VPN or IPSec links. But for the occasional need for a secure link, Tor is a great tool. Treat it accordingly.

Chaos Conference link.
OnionCat website.

Filed under Security by Dr. Dog


December 6, 2008

Do Unto Others…

In a sad commentary on our times, we have kooks running around breaking, stealing, defacing nativity scenes. Every year I see a listing on Drudge, or an AP feed, of yet another destruction. In many cases the perps are never caught or the property returned. Well, one company, LightningGPS, is assisting in eliminating the threat –

This year, LightningGPS is striking down sinners by offering a free holiday rental to schools and churches across the country through their distribution partnership with BrickHouse Security.

Their GPS Tracking Device is small enough to covertly fit inside most everyday objects. If that object is moved or tampered with, a silent alarm is triggered, alerting the owner that the object is on-the-move. At the same time, an individual or police can go online and instantly track the item on a map anywhere it goes.

BrickHouse Security is also offering custom hidden cameras in an effort to catch thieves this holiday season. “We have partnered with LightningGPS to donate hidden cameras that will catch people in the act for video proof. Along with GPS Tracking, the vandals can be prosecuted and the statues returned swiftly,” proclaimed Morris.

Kudos.

To perps who do this kind of stuff: get a life. Some things just ought to be left alone, and in defacing/stealing you strike against the very heart of everything else that makes your life possible in this country. If you get caught, it should be the full extent of the law against you.

Linky.

Filed under Editorial, Security by Dr. Dog


 
