Security tester Phil Purviance has gone public with his findings on a popular router that widely sold to consumers and small businesses. He sums it up succinctly:
…any network with an EA2700 router on it is an insecure network!
The router in question is commonly found at big box retailers like Fry’s Electronics, Best Buy and pretty much any retailer that sells consumer electronics. Purviance reported his findings to Cisco over a month ago, but the hardware giant has yet to comment or issue any fixes to the public.
What this means for you:
If you are using a Cisco Linksys EA2700 router for your internet connection, your device and any computer connected to the EA2700 is at risk. Seeing as most folks aren’t even aware that their routers have software/firmware that can be upgraded, it’s likely that even if Cisco were to fix all the vulnerabilities outlined by Purviance, those fixes are unlikely to be applied by most consumers and small businesses. At the moment, the only true fix for the EA2700 is to replace it with something else, but with what? Researchers are still playing catch-up in this space, as there are literally hundreds models of consumer-grade routers installed in the US alone.
As a business owner, you should consider upgrading to a business-class router from a major manufacturer like Dell, Cisco, Fortinet, etc. (Cisco’s business-class equipment, ironically, is typically considered a standard choice). At the very minimum, understand what you have installed, upgrade the firmware if possible, and check with your local IT professional (C2 is always there to answer your questions!) to determine if there are any widely known exploits published about your particular router model.
Consumers looking to “cut the cord” with cable and satellite providers have often been stymied by the fact that certain programming, most notably live sports and new TV shows, are often unavailable on the traditional streaming services like Hulu and Netflix. Depending on the content and the availability of a dedicated DVR box like a Tivo unit, savvy consumers could record over-the-air broadcasts using an old-fashioned TV antennae, but depending on the device (and the content!) you might be limited to watching it only on that device.
Aereo is attempting to help consumers with this last content “mile” by setting up data centers in key markets (starting in New York City) that are basically acting as cloud DVR’s that can stream (or record) over-the-air TV content to your devices for as little as $8/month. Think of it as Netflix for your local TV programming. As a matter of course, the major networks are in an uproar about the service, as it completely disrupts their current revenue models, but to little avail as US courts, up to this point, are siding with the internet startup. Not content with the rulings, the networks are planning to appeal, and are also talking about moving their content to paid networks and away from free, over-the-air broadcasts as a means to combat Aereo’s plans.
What this means for you:
Over 50 million Americans still watch TV via good, old-fashion TV antennaes, and many millions are still without proper broadband that might enable them to stream content from providers like Aereo. The content networks are in no danger of losing those folks, but their reactions to companies like Aereo may cause them to abandon broadcast TV altogether, moving all their content to services that are suddenly out of reach for a significant portion of the population. For those of us trying to cut the cord, Aereo’s disruptive influence may bring us a little closer to the next age of entertainment where, instead of buying predetermined services filled with channels we don’t watch, we can purchase and watch content on an a la carte basis, on our schedule, and on the devices we choose.
Image courtesy of digitalart / FreeDigitalPhotos.net
In an announcement that surprised pretty much no one in the technology industry, Facebook frontman Mark Zuckerberg announced the arrival of both a Facebook application suite, dubbed “Facebook Home” as well as a phone from HTC called “First” that will have Facebook Home pre-installed. It’s not an operating system, like iOS or Android, nor is the “First” a dedicated Facebook phone. Facebook Home is really a set of apps (only for Android phones at the moment) that essentially makes your phone more like Facebook and less like Android.
What this means for you:
If you live and breathe Facebook (and millions of Americans do just that), then you’ll want to give this app a try, but only if you have an Android phone. iPhone users will be out of luck for the forseeable future, as Apple does not allow the sort of access to the base operating systen that Facebook Home requires. For those of you wondering why anyone would want such a thing on your smartphone, consider this: For many, the Android OS is overwhelming and complicated. They just want to make calls, answer email, and connect with friends. These users are looking for what’s known as a “Walled Garden” experience, very similar to the way AOL offered the “internet” to millions who weren’t interested in (or bewildered by) the unfiltered and un-curated experience of the 1990’s world wide web. You could think of Facebook Home as the new “AOL” for your smartphone.
One thing to keep in mind: Facebook’s revenue model is based upon knowing as much as they can about all of their users. By using Facebook Home, it’s conceivable that Facebook will harvest much more data about you, including location data and browsing habits above and beyond what they can collect while you are sitting at home in front of a computer. If you’ve been living your life on the internet and have nothing to hide, and you don’t mind Facebook mining your smartphone activity for marketing data, Facebook Home might just give you the Facebook phone you’ve always dreamed of.
As if you didn’t have enough to worry about, the security blogosphere has dragged another bogeyman out into the daylight, and this one is ugly. Researchers from ioActive are now positing that rather than targeting businesses and their more sophisticated technology defenses, hackers could very easily begin to target consumer-grade equipment installed by internet service providers (ISP’s e.g. Time Warner or Comcast) in your home.
Why would they do this? Aside from the much flimsier technology used throughout the home-internet industry, the IP address assigned to your device is easily discoverable because the ISP’s themselves publish information about entire blocks of internet addresses that are allocated to them. This is doubly bad because not only do hackers now have an easy-to-parse list of targets, they can make assumptions about the targets based upon the ISP that services those addresses: things like the types of equipment used by the ISP (and default passwords), geographical locations, even the types of internet service (ie. DSL, cable, satellite, etc).
As part of their investigation into the feasibility of such an attack, ioActive researchers were able to compile a list of 400,000 actual devices installed in customer homes that might be vulnerable to a simple attack that could allow hackers to “own” the device and use it as a means to gain access to any computer connected to that device, ie. all the computers in your home. The basis for the attack? The simple assumption that the default administrative password was not changed since it was installed by the ISP.
What this means for you:
Having equipment installed in your home that you don’t understand and can’t personally confirm as secure is risky and negligent. It would be akin to leaving power tools lying around within reach of a child. Sadly, most ISPs have very thin (to nonexistent) policies around governing the security of the devices they install in your home, and worse, they often rely on third-party labor to do the installs, further increasing the chances that your router was installed quickly and possibly carelessly. On top of this, how many of you after having waited multiple hours for an internet install to happen, watched the installer rush out the door before learning anything about how your new equipment works, who to call for support, or how to change the password on the newly installed router?
Do yourself a favor: familiarize yourself with your internet router, WiFi access point, or any other piece of network equipment in use in your home, figure out how to log into the device(s), and then change the password to something that is hard to guess, and written down in a safe a secure place. Don’t make it easy for the hackers by continuing to ignore the backdoor into your home network!
Matt Honan, the Wired writer who had his digital identity stolen in a harrowing cyberattack last year, is back with another chilling article about yet another technology failing to protect us: this time it’s our beloved smartphones. More specifically, it’s the ones we’ve left behind, donated or possibly even sold via eBay, when we upgraded to a newer mobile device. The problem? Even though we may “wipe” the phones, the process may still leave enough information behind for the wiped phone to reveal sensitive information about their owners, including where the phone has been (geographically), what websites have been visited, and even phone numbers, addresses and other confidential data we thought erased.
What this means for you:
Depending on the type of phone you are discarding, and how it is wiped, this may or may not be an issue for you. For example, iPhones after the 3G mentioned in the article are encrypted by default, and if “reset” properly, the encryption key is destroyed, rendering any data on the phone unreadable, even if it is recovered. Most large organizations with a savvy IT department will only allow smartphones to access corporate email and files after your phone has been configured with proper security settings, up to and including an encrypted partition to store your email and any files you might access from the corporate network. Most Android phones should be able to encrypt all data (check “Settings -> Security”) depending on version of Android your phone is running, providing the same type of protection that Apple has on its late-model iPhones.
I can hear you saying, “I don’t have any data on my phone that is sensitive,” and unless you are 100% sure of this, always assume there is something on your phone you don’t want untrustworthy eyes seeing. Even older flip-phones have phone numbers, addresses and other data you might not want to share with a stranger. If you are at all in doubt, hold on to that phone until you can talk to a professional about wiping it securely. If you don’t plan on letting the phone have a second life through eBay or donation, take it to an eWaste facility or event that offers secure destruction. This process renders the phone (and any electronic device, like a hard drive) down to its basic metallic components, completely destroying any data stored in any component. Don’t have access to such a process? Drop your phone into a bowl of water for a day or, as the Wired article suggests, take a hammer to it (wear proper safety equipment please!) before disposing of it through a proper eWaste avenue. This isn’t a guaranteed method, but it will take a dedicated effort that most data scavengers will bypass in favor of the next discarded smartphone that will be an easier mark.
Analysts are predicting that Apple will iterate on its popular smartphone in June, releasing the iPhone 5s that will have minor hardware and software upgrades to entice the bleeding edge Apple faithful. If the pattern seems familiar, it’s because Apple did the same thing with the iPhone 4s which followed its predecessor, the “4” in less than a year. It’s unclear whether the iPhone 5s launch will have the same impact as the 4s, which debuted with the popular but buggy “Siri” service. More importantly, Apple-watchers are predicting that the Cupertino company will debut a “lower cost” version of their iPhone in September, specifically to combat Android’s growing market share. An unlocked iPhone typically sells well north of $600 brand new, whereas Android devices can be bought off-contract for less than $300, which is where analysts expect the budget iPhone to land in the pricing wars.
What this means for you:
While most folks are usually more than satisfied with 2-3 year-old iPhones, if you’ve been waiting to upgrade, Apple’s pattern of hardware release usually means that the “s” version of an iPhone is a good investment. If you are still rocking an iPhone 3, the 5s will be a very nice upgrade with a noticeable improvement in speed and functionality. If you are one of the few that tries to avoid AT&T’s and Verizon’s financially-questionable 2-year contracts and you don’t want to plunk down six bills or more for an unlocked 5s, hold on to that older iPhone for a couple more months to see if Apple makes good on the low-cost iPhone in September of this year.
In a move that is strongly reflective of its overseas ownership, T-Mobile has announced that its customers now have the option to purchase cellular services without having to commit to a contract. Unlike the US, a large majority of European and Asian cell phone subscribers routinely purchase cell phone services on a monthly basis as opposed to the 1 and 2-year contracts familiar to most Americans. T-Mobiles new pre-paid plans start at $50/month for unlimited voice, texting and data, with a couple of small catches: data may be unlimited, but access to T-Mobile’s high-speed data network is capped at 500MB for the $50 plan (Increased to 2GB for $60, and truly unlimited for $70/month). The other gotcha? Pre-paid plans will no longer subsidize the cost of expensive phones that can be gotten for “free” with 2-year contracts, at least not in the manner with which you may be familiar.
What this means for you:
Of the major carriers in the US, T-Mobile is in fourth place in terms of market, and they trail third-place carrier Sprint by a large margin. Lacking the marketing muscle to go head to head with Verizon and AT&T, T-Mobile is attempting to disrupt the US market by offering plans that are common-place and popular overseas, but still relatively untested in the US. Many analysts believe that the US cellular market will grow to mirror its overseas counterparts, but that convergence is still at least 2-4 years away.
One of the key differences in T-Mobile’s plan is how they plan to allow consumers to still “subsidize” the cost of new phones. In a traditional 2-year plan as offered by the major carriers, the cost of a new phone is incorporated into the monthly subscription fee, and presumably at a rate that pays off the phone in two years time. T-Mobile offers a similar deal with their pre-paid plan, but instead of offering a single monthly amount, they actually break out the cost of the monthly payment for your new phone.
Why is this important? With T-Mobile, once you have finished paying off the phone (which can be done on their 2-year schedule, or sooner should you decide to just buy out the remaining balance), your monthly bill will be reduced to just the amount owed for services. With the traditional contract offered by the big carriers, your monthly bill will stay the same even though you have paid off your phone. This is no big deal if you decide to switch carriers, but they are banking on the fact that you might not. So far, this has paid off, given the popularity of this type of contract, but maybe T-Mobile can bring disrupt enough of the market to put some strain on the Verizon/AT&T duopoly in place in the US.
(Full disclosure: I’m a T-Mobile customer on 2-year contract, paying down my brand-new Nexus 4. I’m paying approximately $80/month which includes a monthly payment of $20 for my phone.)
Apple has joined the growing ranks of digital services enabling two-factor authentication as a means to protect their customers from account theft. Two-factor authentication has long been a staple of secure corporate and government networks, and employs a basic mechanic of password plus a randomly-generated authentication code that is delivered to a device that you must have in your possession at the time of authentication. In the past, this device has traditionally taken the form of keychain fobs and cards whose sole purpose was to generate numeric keys constantly, but this same functionality can now be delivered through apps that are installable on smartphones, via SMS message to registered cell phones, or even via automated voice calls to your home or office phone.
What this means for you:
In Apple’s case (as with services like Gmail, Facebook, and many massive, multiplayer online games like World of Warcraft), two-factor authentication is an opt-in service, and is not enabled by default with your Apple ID/iTunes account. Enabling the extra security requires you register one or more cell phones with Apple that will receive your authentication code via SMS. Should you do this? If you use services that require an AppleID (iTunes, iCloud, Mac.com, etc.) with any frequency, and especially if you have iTunes credit banked, you should absolutely enable two-factor authentication, especially if the account is tied to a core service you rely on, such as a Mac.com email address, or iCloud for your iPhone and other Apple devices. Two-factor security makes your AppleID (or any other account like Gmail, etc.) that much harder to hack. There will be some inconvenience, especially if you are in a hurry to access your account and have to hassle with the extra security code entry, but imagine the alternative if your account is hacked.
With greater security comes less convenience, a fact of life in this digital age, and not something that will change in the foreseeable future without a significant evolution in security technology.
Image courtesy of Stuart Miles / FreeDigitalPhotos.net
With results that will probably surprise no one (and warming the hearts of black-hat hackers everywhere), the US Government Accountability Office has published its findings on a recent security audit of the Internal Revenue Service. The summary reads like the report card every good parent dreads, “Needs improvement.” Despite having a comprehensive security plan (the development of which was funded by your dollars!) the GAO has found that the IRS has failed to follow through in many areas of implementing and enforcing that plan in various parts of its operation, and these failures have severely compromised the overall security of the very important data the IRS collects on all American citizens.
What this means for you:
As you might expect, the 31-page GAO report is not the most exciting of page-turners. I’ll save you the dry read with the “moral” of the story: having a security policy is only as good as how well it is enforced and maintained. It does your company no good to say that “All employees must use strong passwords that are changed every 60 days” if no one is checking to see if they are actually adhering to the policy. It’s actually much worse for your company if you do have a security policy, experience a breach, and then discover that the breach was due to lack of enforcement.
Don’t get me wrong – I’m not recommending against having a security policy. You should have a security policy, especially if you handle sensitive data of any sort, and you should be making every effort to enforce, update and maintain that policy on a regular basis. A simple security breach could cause untold damage to your company’s reputation, and even more so if you have to admit that it happened because you failed to follow through on your own company’s policies.
Technology lobbyists have been pushing for reform of the 1986 Electronic Communications Privacy Act for years, primarily to address the multitude of shortcomings, loopholes that couldn’t have been predicted almost 30 years ago. Law enforcement has also jumped onto the bandwagon, having recently submitted a rider proposal that would be attached to any changes proposed to the ECPA. Their objective? To get cellular providers to retain all the text messages passing through their network, primarily for the purposes of investigating criminal activity. Currently, most providers say they do not retain the actual text messages centrally, and smartphones by default are not designed to retain text messages long term, but each provider appears to have different policies governing exactly how much data is retained, and how long. This inconsistency troubles some lawmakers, and enforcement has long held that criminals purposefully use SMS as an “untraceable, untrackable” communication method.
What this means for you:
A proposal is a long way from actual law, but many privacy advocates and watchdog groups say a rider proposal like this could hamper much needed changes to the decades-old ECPA by weighing down progressive proposals with Big Brother agendas that most technology companies find distasteful, if not diametrically opposed to in their publicy stated values – think Google’s “Do no evil” policy. The fight for privacy continues to carry into new areas everyday, but the SMS fight could be a huge battle: six billion text messages are sent everyday. Privacy issues aside, imagine having to figure out how to store this information in a way that is useful, let alone subpoenable!