<![CDATA[Consumerist: online security]]> http://consumerist.com/tag/online security <![CDATA[ Developer Finds Security Hole In SMC Router Provided By Time Warner Cable ]]> If you didn't provide your own wireless router when you signed up for Internet access from Time Warner, you may have been given an SMC-branded modem/router combo that, it turns out, is ridiculously easy to break into.

Dave at Chenosaurus was helping out his friend and discovered that all you have to do is disable JavaScript on your browser—the device's interface is accessible anywhere on the web by default—and you'll be able to access pretty much everything on the router. TWC knows about the problem, thanks to Dave's post, and they say they've pushed out a patch while they work on a long-term solution.

Here's what Dave discovered:

The web admin for the router [model number SMC8014WG-SI] simply uses [JavaScript] to hide certain menu options when the user does not have admin privileges. By simply disabling JavaScript in the browser, I was able to access all the features of the router. With that access, I am now able to change the wifi settings, port-forwarding, etc.

Jeff Simmermon, the Director of Digital Communications at Time Warner Cable, left a comment on Dave's blog addressing the situation:

From what I understand, our QA got a list of fixes for the identified issues on Friday, and are currently testing (if not finished with testing) and preparing to hand this off to our Ops team at this very moment.

Our customers' security is of the utmost importance to us, and we are constantly working to identify and repair holes and flaws as we discover them. This is not the sort of thing where we'll roll the fix out, go "okay, done, phew," and go back to our comfy armchairs. With more than 14,000,000 devices in the field, we've always got bugs to fix and holes to secure.

We contacted Jeff to find out where TWC stands on the current status of the SMC8014WG-SI. He wrote back:

The updates [that we have applied to the router] are done remotely, without the customer getting involved.

This security issue affects roughly 67,000 out of over 14,000,000 customers. To imply that all of our customers' data is at risk would be false. We deployed a patch remotely on Tuesday [October 20th] specifically to protect affected customers' data while we QA and roll out a long-term solution. Customers with the affected routers should not have to do anything to upgrade their hardware or worry about their data.

So TWC is on the issue and planning a "long-term solution."

But here's what's puzzling: SMC deliberately made a router that only uses WEP encryption, and that "protects" admin features by using JavaScript, and that stores passwords in plain text? Unless SMC is backed by some cybercrime-loving mafia, it makes no sense. I've never heard of SMC before, but from now on I'll always remember it as the router company that is banned from my house.

"Time Warner cable modem/router major security hole" [My California Adventures via mocoNews]
(Photo elements: James Cridland, Mykl Roventine, mugley, and ThisParticularGreg)

]]>
Consumerist-5387110 Thu, 22 Oct 2009 10:37:04 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5387110&view=rss&microfeed=true
<![CDATA[ Microsoft Turns A Blind Eye To Phishing Scams On Xbox LIVE ]]> William wrote to us this weekend to point out how little Microsoft does to fight phishing attacks on their hugely popular Xbox LIVE network. It's unfortunate they don't take this sort of crime more seriously, since so many kids—who by all rights should have less experience with phishing—are on Xbox LIVE. Below is what two different Xbox CSRs told William when he contacted them to complain about phishing attacks.

I get messages all the time over Xbox Live from people engaging in phishing scams. Thus far, I've been very annoyed because Microsoft seems completely unconcerned about it and their customer service has been very poor. I think of the people who fall for these scams and wonder why doesn't Microsoft do more.

I spoke with a customer service rep and asked about the phishing scams, and he said to file a complaint on the person in-game, which had absolutely nothing to do with phishing. He suggested I select the option to report them for cheating in-game—does that make sense? I remarked how this was confusing and that there was no option to report phishing and he said that in the next update this fall, the option would be there. I'm pretty certain he was lying. He did say, though, that it was very hard to get an account back once it was stolen, something I don't doubt he was being honest about.

Now today [October 4th, 2009], I got two messages from two different users, which are apparently audio clips of some little kid offering cheats and asking you to send a message back (during which he'll ask for your account info and steal your account). It was strange because I got identical audio from two different accounts, meaning either that these phishers are very sophisticated or that there are a lot more phishers out there than I previously realized, because there's this default phishing audio being spread around and re-used.

In the same time frame, I got another message from a different user with the same type of scam.

Frustrated with all the fraud going on, I called Xbox Live again to complain, to see if I could find some kind of fraud department, because I don't think they take these things seriously. I was a bit belligerent (but respectful) with the customer service rep., but who can blame me? Again, she told me pretty much the same nonsense the guy before told me and more. Like he said, this woman told me the same: File a complaint on their gamertag (that's their username in-game), go to the Xbox forums (where there's no real support — just other gamers like me), and so on. She then said something even more ridiculous: She suggested that I make several accounts with Xbox and use all of them to file a complaint on the same person. As with the other gentleman's remarks, I pointed out how this was against the rules. It's gaming the system. She said it wasn't. I asked her why I should need several usernames to file a complaint and I told her I only pay for one account and that what she said didn't make sense. It seemed like gaming the system. I asked if she was being honest with me, because she really didn't seem like she was being honest because of how absurd it was. And then she hung up on me. Oh well.

How can Xbox not be concerned with all the fraud that goes on over their service? I've been thinking of calling Xbox Live and recording the phone conversation, then uploading it to YouTube. If I don't do it, somebody else will... Heck, even you guys over at Consumerist ought to do it because the customer service reps. seem to say the most ridiculous things. They know how the system is being manipulated and instead of fixing it, they are telling other people to just manipulate it too.

If you look on the Xbox forums, you'll see lots and lots of people complaining about "hacked" accounts and lack of support from Microsoft. Many of them either can't afford a lawyer or don't know they need one. So, many people apparently just pay for NEW ACCOUNTS on Xbox and Microsoft seems to be profiting from this phishing, which is... of course... the reason why they ignore it. Why stop people from scamming if it helps the bottom line?

(Photo: AdrianDC)

]]>
Consumerist-5375241 Tue, 06 Oct 2009 11:10:35 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5375241&view=rss&microfeed=true
<![CDATA[ Microsoft Goes After Malicious Ad Suppliers ]]> If you visited the New York Times website last week, you may have been surprised to have your browsing interrupted by one of those scammy "we're scanning your computer for viruses OH NO YOU HAVE A VIRUS!" ads that overtake your window. Now Microsoft has filed 5 lawsuits in an attempt to fight back against the jerks who may have been responsible for it, and certainly for other ads like it all over the web.

If you didn't visit nytimes.com over the weekend, here's what happened: the paper reported on Monday that they'd essentially been tricked, by someone who knew how to game their oversight policies, into displaying malicious ads to some users who visited the site.

The creator of the malicious ads posed as Vonage, the Internet telephone company, and persuaded NYTimes.com to run ads that initially appeared as real ads for Vonage. At some point, possibly late Friday, the campaign switched to displaying the virus warnings.

Because The Times thought the campaign came straight from Vonage, which has advertised on the site before, it allowed the advertiser to use an outside vendor that it had not vetted to actually deliver the ads, Ms. McNulty said. That allowed the switch to take place. "In the future, we will not allow any advertiser to use unfamiliar third-party vendors," she said.

Security consultant Dancho Danchev thinks that a particular, sophisticated crime group was behind the ad, which happens to be the same group that Microsoft filed 5 lawsuits against in Seattle's King County Superior Court earlier this week.

The lawsuits allege that an unknown number of individuals using various business names distributed malicious software through Microsoft AdManager, the company's online advertising platform.

[...]

Click Forensics, a company that tracks click fraud, on Thursday said that it had discovered a 200,000 computer botnet — a group of compromised computers harnessed to work in unison — linked to the Microsoft lawsuits. In a blog post, Steve O'Brien, VP of sales and marketing at Click Forensics called it "one of the most advanced sources of click fraud we've seen."

The botnet, known as the "Bahama botnet" because it at one time directed online traffic through computers in the Bahamas, is believed to be linked to the malicious advertising that appeared on the New York Times Web site several days ago, according to O'Brien.

Although O'Brien suggests that the cyber crime group believed to be responsible is located in Ukraine, Richard Boscovich, senior attorney at Microsoft for Internet safety enforcement, said in a phone interview that it's not clear where the people responsible are located.

"Microsoft Files Five Lawsuits To Halt Malicious Advertising" [InformationWeek]
"Times Web Ads Show Security Breach" [New York Times]

]]>
Consumerist-5362663 Fri, 18 Sep 2009 12:47:57 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5362663&view=rss&microfeed=true
<![CDATA[ Yahoo! Still Exists, Says Internets Are Safer Than They Used To Be ]]> A Congressional panel is looking into drafting new online privacy laws, but Yahoo says such legislation isn't necessary because the e-industry has done such a bang-up job of regulating itself.

A Business Mirror story on the matter goes:

"Most advances in online privacy protection have come as a result of industry initiatives and self-regulation," Anne Toth, Yahoo!'s head of privacy, said in written testimony submitted to a joint House hearing. "Market forces drive companies like Yahoo! to bring privacy innovations to our customers quickly."

The hearing on industry practices and consumer expectations was held before the House Subcommittee on Communications, Technology and the Internet and the Subcommittee on Commerce, Trade and Consumer Protection.

The hearing concerned a debate over how companies use customers' personal information. Charter Communications Inc. halted a plan to track customers' Internet use for a targeted-ad campaign after lawmakers objected last year.

In February the Federal Trade Commission urged providers of Internet advertisements, such as Mountain View, California-based Google Inc., to gain consent before collecting personal data.

Closely held Facebook Inc., operator of the world's largest social networking site, revised privacy principles in February after users complained about a policy change that let the company keep customers' photos and content, even if users closed their accounts.

Representative Joe Barton, a Texas Republican, called loss of personal privacy "a big deal for most Americans, and it's a very big deal to me."

"People should have the option to prevent any kind of data collection in the first place," Barton told the hearing. "The public calls for action have reached a deafening pitch."

So that's why we're going deaf. It wasn't that rock and roll music (that Big Brother didn't realize we downloaded because our internet privacy is so secure) we've been listening to and playing too loud.

Yahoo! says consumer online privacy has improved [Business Mirror]
(Photo: Therrol)

]]>
Consumerist-5302768 Fri, 26 Jun 2009 10:55:21 EDT Phil Villarreal http://consumerist.com/index.php?op=postcommentfeed&postId=5302768&view=rss&microfeed=true
<![CDATA[ Reader Receives Three Phishing Attempts In One Week ]]> DoomNasty tells us he's been hit three times in the past week with phishing attempts. The first two were text messages from Alarion Bank, asking him to call 1-877-240-6149 "to find out why my debit/atm card was blocked. I do not have an account, and Privacy Assist shows no account was created behind my back." The third was from 201-968-0007, but no message was left. He traced the number to Liquidity Solutions, Inc., who told him that "one of their numbers got hijacked and the hijacker is phishing for banking info."

Remember to always be on your guard against phishing attempts. If you consider yourself a novice when it comes to knowing what a phishing attempt might look like, try this interactive phishing quiz from Consumer Reports. For lots more information, bookmark the Consumer Reports Online Security Guide, which is full of articles and advice on how to protect yourself and your finances.

(Photo: moonjazz)

]]>
Consumerist-5204493 Wed, 08 Apr 2009 19:55:26 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=5204493&view=rss&microfeed=true
<![CDATA[ BoingBoing has the 500 worst passwords. We'll ... ]]> BoingBoing has the 500 worst passwords. We'll sum it up: if your password is password, 123456, or 696969, say goodbye to your identity.

]]>
Consumerist-5122547 Fri, 02 Jan 2009 17:18:32 EST Alex Chasick http://consumerist.com/index.php?op=postcommentfeed&postId=5122547&view=rss&microfeed=true
<![CDATA[ Add Super-Protection To Your Logins With $5 Security Key ]]> If you have a PayPal or eBay account, or use OpenID to log in to participating sites, then for $5 you can add a second layer of security that is virtually impossible to break unless the thief physically locates you and steals a little plastic device. The PayPal Security Key is a small, keychain-ready fob with a unique ID that's tied to your account. It generates a new six-digit code every 30 seconds, which you have to enter whenever you log in. The downside is that you have to have your security key with you in order to read the code. But the benefits are huge: you basically have a second password that changes 2,880 times every day—and that isn't available anywhere online.

PayPal is selling the security keys directly, although they're made and maintained by Verisign. According to this technology blog, the keys "will work with many banks in the future," but Verisign makes no mention of this anywhere on its site. However, if you have begun to use an OpenID on sites like Basecamp, Zooomr, LiveJournal, Technorati, and hundreds of others, then you can create an OpenID account through Verisign and use the security key with OpenID.

If you lose the security key, PayPal says there are ways to verify your account in order to regain access, but they don't provide details on their website. So, uh, don't lose it.

[Update: Ben says if you lose your security key, you can regain access to your account by answering a few additional security questions.]

PayPal Security Key [PayPal]
"PayPal's New Security Key Opens a World of Possibilities" [CaveMonkey50]

RELATED
Entry on OpenID [Wikipedia]
Verisign Identity Protection Token [Verisign]

]]>
Consumerist-311886 Wed, 17 Oct 2007 11:38:22 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=311886&view=rss&microfeed=true
<![CDATA[ Protect Yourself From Badware ]]> Stopbadware.org has just released its "Trends in Badware 2007" report, a free overview of all the ways you and your computer can be slipped digital roofies while you're online looking at LOLpornography and doing your banking through Twitter. It's written in a deliberately non-technical style, so if you're put off or intimidated by the Slashdot crowd, this is a great way to educate yourself or a naive loved one about the dangers of drive-by downloads, website hacking, and so on.

The report isn't the prettiest or most exciting thing to read, and the section on how to spot a fake MySpace profile is hilarious. (Wait, you mean I'm not friends with all these sexy ladies?) But it's worth a read just to bring yourself up-to-speed on the current state of the art in badware.

Their closing advice is fairly obvious: install anti-virus software, keep your operating system up to date, and stay educated. We also suggest Ad-Aware 2007, a free program that helps monitor your Windows PC for unwanted programs, and AdBlock Plus, a free cross-platform Firefox add-on that lets you block specific third-party feeds from pages you visit.

"Trends in Badware 2007" (pdf) [stopbadware.org]
"'Trends in Badware 2007' released" [stopbadware.org]

RELATED
Ad-Aware 2007 [Lavasoft]
AdBlock Plus [Mozilla.org]
(Photo: Getty)

]]>
Consumerist-308212 Mon, 08 Oct 2007 11:54:19 EDT Chris Walters http://consumerist.com/index.php?op=postcommentfeed&postId=308212&view=rss&microfeed=true