David Chen exposed the hole, which allows an attacker to remotely log in to a router’s administrative interface and possibly intercept traffic. Since being exposed by Chen, the story has been picked up by Wired’s Threat Level, CNET’s InSecurity Complex, and ITKnowledgeExchange’s own Sister CISA CISSP. The latter noted another particularly spooky aspect of the tale in a follow-up post on the Time Warner security hole:

Lo and behold, I am visited and left a comment by “Adam Wood” defending SMC, and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

…

It seems that a fix from Time-Warner or SMC seems to consist almost entirely of PR.

Boo! And while it would be easy to respond that users have a responsibility to change their default passwords (they do!), the story goes a little deeper: This is putting sensitive corporate data at risk.

With more and more companies pushing for remote working both as a Swine Flu precaution and a way to cut office costs, an insecure router being pushed out could easily expose data that isn’t properly secured to all sorts of attackers, even those just trolling for random open vulnerabilities, like Chen did.

Fortunately, he also provided some quick fixes as Time Warner Cable works on a fix to push out (or not). Modify slightly and pass on to your users if your employees are working in a Time Warner Cable subscription area:

• Change the default configuration of the routers to use WPA2 instead of WEP for wifi encryption.  It’s ok if you don’t want the customers to change their wifi settings, but at least use a key that’s not derived from the router’s MAC address (which is broadcasted over wifi).
• Disable access to the router’s web admin page from outside IPs.  The options are in the router (see below), a simple config change would block access to the router from the internet.
• Block traffic to port 8080, 8181, 23 (those are the ports that are open on the SMC8014 routers) at the ISP level.  This of course should be a temporary fix until the hardware can be replaced with something more secure.
• Of course the best idea would be to immediately recall those routers and issue your [users] real cable modems and decent wifi routers with good security.

Have a happy Halloween!

5. Once in awhile, shake things up. Don’t always have the same employees doing the same things. Theft often comes to light when a person stops working in his or her usual position for a few weeks and doesn’t have the opportunity to cover up any improprieties. Have a manager fill in for employees who are out sick or on vacation. Switch crews around periodically. Move managers between divisions. Enforcing mandatory vacations can be one the best tools for catching crooks.

(emphasis mine)

Mandatory vacations to catch crooks? Sounds like a win-win to me. It’s also not a bad way to make sure your disaster recovery (DR) plan has position redundancy: If Steve is the only Cisco sensei you have, you need to make sure someone else gets prepared to hold down the fort if, say, a nasty case of Swine Flu hits unexpectedly.

Any other cybercrime prevention strategies you’ve seen? Let me know in the comments, or directly at Michael@ITKnowledgeExchange.com.