Sister CISA CISSP
http://itknowledgeexchange.techtarget.com/cisa-cissp

A Not-So-Great Use of Cloud Computing
http://itknowledgeexchange.techtarget.com/cisa-cissp/a-not-so-great-use-of-cloud-computing/
Thu, 05 Nov 2009 16:52:13 +0000, Arian Eigen Heald

As I’m sure you know, I’m not yet a big fan of “cloud computing,” known by various acronyms. I have yet to see a really comprehensive approach to audit and security. Ultimately, you don’t know where your data is in the “cloud.” And the Feds have access to it without a warrant.

So you can imagine my dismay when recently reading someone’s suggestion that the shared computing power of the “cloud” could be used to crack encryption algorithms ever so much faster. How will we address this risk?

The risks of audit and control issues, physical security and secure storage of backups, in my mind, outweigh the over hyped benefits. When I see a strong standard implemented by “cloud” vendors, subject to outside independent verification, I’ll get to wow.

Not until then. Where’s the beef?

When a “Fix” is Not a Fix - The Fix is In
http://itknowledgeexchange.techtarget.com/cisa-cissp/when-a-fix-is-not-a-fix-the-fix-is-in/
Fri, 30 Oct 2009 00:53:33 +0000, Arian Eigen Heald

In my previous post, I discussed the enormous security flaw in the Time Warner/SMC modem.

Lo and behold, I was visited by “Adam Wood,” who left a comment defending SMC and telling me/us what a wonderful job SMC is doing about this issue.

(That’s got to be a really crappy job for a lowly PR flack; surfing the Internet for comments on the SMC modem, and uploading a canned positive comment wherever he can.)

Despite “Mr. Wood’s” comments about how SMC is fixing the problem in an absolutely wonderful way, I admit to some slight cynicism. Especially after reading more from David Chen, the guy who found it in the first place.

According to Mr. Chen, Time-Warner claimed to have pushed out a “temporary fix.” But here is his latest conclusion:

UPDATE: Finally figured out what the “patch” Time Warner deployed was. If a user tries to login with the user/user account, it simply kicks them back to the login page with javascript. All routers are still open to the internet and all still have the same default admin password.

It seems that the fix from Time-Warner or SMC consists almost entirely of PR.

Using Time-Warner as Your Internet Provider? Check Your Modem QUICKLY
http://itknowledgeexchange.techtarget.com/cisa-cissp/using-time-warner-as-your-internet-provider-check-your-modem-quickly/
Wed, 21 Oct 2009 18:52:58 +0000, Arian Eigen Heald

As of 10/20/09, a software maven has written up a major security hole (one you can drive a TRUCK through) in the wifi/cable modem models issued to customers who don’t want to use their own equipment.

Here’s the link, in all its details, by David Chen, writing up the vulnerability, which HAS been confirmed by Time-Warner. As of this writing, Time-Warner has no plans to change or resolve the vulnerability.

Here’s the quick version:

The modem: SMC8014 series cable modem/wifi router combination

Issue 1 : Time-Warner/SMC has the modem locked down in a default mode which is not accessible to the average user. The default configuration has a default username/password and has locked WEP as the wifi encryption with a standard SSID. (You might as well make the SSID: HACK_ME_I’M_EASY)

Issue 2: Admin access to the modem is disabled via Javascript. When David Chen disabled Javascript in his browser, he could see all the admin features, including something called “Backup Configuration File.”

Issue 3: The backup configuration file comes in a plain text file, which includes the admin ID and password. In plain text.

Issue 4: By default, the web admin interface is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, David Chen easily found dozens of these routers, open to attack.

So you KNOW that since this has been picked up by Wired, every knucklehead out there will be looking for these routers to play with.

The resolution to this mind-boggling issue that Time-Warner says they can’t do anything about?

Replace the modem - ASAP. And, complain, complain, complain.

End-To-End Encryption - Wouldn’t It Be Nice?
http://itknowledgeexchange.techtarget.com/cisa-cissp/end-to-end-encryption-wouldnt-it-be-nice/
Thu, 15 Oct 2009 17:07:52 +0000, Arian Eigen Heald

Since Heartland suffered a data breach (disclosed in January), they’ve become the poster child for end-to-end encryption. This is defined as encrypting card information from the moment it’s swiped until it reaches the card issuer. Of course, there may be some motivation provided by the fact that Heartland plans to sell a proprietary end-to-end encryption system by the end of this year. (Not sure I’d buy it from them!)

It sounds like a perfect solution, until you get into the mechanics. And that’s where the problems begin:

Hardware - Are all POS (Point of Sale) registers going to be able to handle the increased load of CPU cycles to encrypt and decrypt? It seems like all the vendors want you to use their hardware.

Software - Not all POS solutions are the same. What about companies that use registers AND online sales? Plus, there is currently no standard for what kind of encryption should be used. So you must go with a proprietary solution all the way through. How many companies can afford to replace so much materiel?

Location, location, location - Where does the data get stored? Can the database decrypt and re-encrypt? What about Call Centers, Fraud Management, or Marketing? They need to look at the information. Ultimately, where are the encryption keys stored and who/what has access to them?

Of the six vendors offering E2E, all of them require changes to POS systems.

And should this technology be implemented, it will not release businesses from complying with PCI. No, a report will still have to be delivered to the acquiring bank on an annual basis, signed by a C-level executive.

There’s no free lunch, it seems.

Malware on the Move
http://itknowledgeexchange.techtarget.com/cisa-cissp/malware-on-the-move/
Thu, 08 Oct 2009 10:50:14 +0000, Arian Eigen Heald

I was reading an article from Windows Secrets this morning at 6:00 AM (in a hotel room, what else does a geek do?) and I wanted to pass along an excellent article in the newsletter.

The folks there offer a free and paid version of their newsletter. I have to say that after trying their free version, I decided to spend my hard-earned shekels for their paid subscription, and have not regretted it. It’s a newsletter for savvy Windows users, (as opposed to us more technical folks on TechTarget) but I frequently find tools and tips I’d like to have. Their list of freeware tools is outstanding AND examined for malware.

The article, by Susan Bradley, starts out with the headline, “The ads served by Bing and Google along with your search results are linking more and more often to sites trying to infect your machine.”

This is not good news.

It seems that the major search engines, Google, Yahoo and Bing are looking the other way when evil people buy up popular search terms. When you click on the link, malware is installed through your browser. The search engines are not “vetting” the ads to make sure they are clean.

Susan suggests, and I’m inclined to agree, that the search engines know about this issue, but aren’t willing to police the ads because they are making so much money.

It’s possible to become infected simply by viewing the sites. Not too long ago, the New York Times reported on itself because an ad they posted infected subscribers.

Time for the search engines to start policing their ads.

Your Electric Utility and The Privacy Impact
http://itknowledgeexchange.techtarget.com/cisa-cissp/your-electric-utility-and-the-privacy-impact/
Fri, 02 Oct 2009 15:35:23 +0000, Arian Eigen Heald

You wouldn’t think that the power meter in your basement could have anything significant to say about you, personally, would you? Well, you (and I) would be wrong, very wrong, on that point.

We tend to have the mindset that only computers store and transport personal information, but there are far more items transmitting across IP or wireless connections, or RFID that by their nature reveal information about us.

Consider the EZ Pass, common on cars throughout the US. Officials can use that to track where your car is (and presumably you, or errant offspring) by watching where you have paid your tolls. That and your phone bill tell a great deal of “where, when and who” information.

There are privacy concerns about what there is in your wallet carrying an RFID chip, and how far away that information could be captured (estimates range from 3 ft to 30 ft). Credit cards, driving license and passports give your life away to the right reader.

Transmission from webcams, security cameras, and smartcards also go across the IP network.

So, imagine my dismay upon reading my colleague Rebecca Herold’s blog posting on SmartGrid privacy issues.

A SmartGrid “delivers electricity from suppliers to consumers using digital technology to save energy, reduce cost and increase reliability and transparency. Such a modernized electricity network is being promoted by many governments as a way of addressing energy independence, global warming and emergency resilience issues.” (Quote from Wikipedia) The Wikipedia article is very well written, by the way.

All this sounds very nice until you read about a utility that planned to use power utilization to target low income customers for a “pre-pay” billing cycle.

Once again, a new technology puts security and privacy last. Her table made my hair curl.

The concept is marvelous for municipalities and governments; it provides an upgrade to an infrastructure put into place 120 years ago.

However, consider one of the points that Rebecca Herold makes:

“The meter data could reveal resident activities or uses that utility companies may then subsequently decide are inappropriate or should not be allowed. Without restrictions, if this information could then be shared with local government, law enforcement, or public media outlets, the residents could suffer embarrassment, harassment, loss of vital appliances, or any number of other damaging actions.”

What happens to privacy when that information is captured during a data breach?

Things You Can Do to Help An Investigation
http://itknowledgeexchange.techtarget.com/cisa-cissp/things-you-can-do-to-help-an-investigation/
Fri, 25 Sep 2009 15:41:07 +0000, Arian Eigen Heald

Sooner or later, you will be called upon, as an Admin or an Auditor, to assist or address a possible fraud or event pertaining to someone’s computer, laptop, PDA or smartphone. People can be very anxious and over-react when an event is happening. Or, just as difficult, proceed to do nothing, because they’re not sure what to do.

Neither approach is truly helpful to a forensic investigation of fraud, theft or another computer-related incident. I was asked to do an exam, a few years ago, of the hard drives of a CFO who had admitted to fraud and was fired. Her computer sat on her desk, and her secretary AND the company admin both logged into the computer over the course of weeks before we were engaged.

The problem? Every time someone logs in, files get changed. The secretary checked her email; the admin was checking something else. If the company had wanted to prosecute, the evidence on her hard drive was hopelessly muddied and would not have stood up in court.

Here’s the best idea: take the computer and LOCK IT UP. Don’t let it just sit there (so the defense attorney can point out anyone could have logged in) and don’t let people use it. Yes, we might use some volatile data in memory, but many times the computer is already turned off.

If events happen quickly, the fraudster leaves the building without access to his/her computer for the last time and it’s still running: LOCK IT UP. If it’s in an office, secure the office and don’t let anyone into it. If it’s in an open area, that’s when you’ll need to power it down and lock it up.

Will these rules fit every situation? Probably not. But they will fit 85%. If you know it’s going to be a forensic situation ahead of time, I hope management lines up someone to come in immediately, who can capture data from a live machine. But if not, and you’re first on the scene, the two rules above are the most important.
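The reason “every time someone logs in, files get changed” matters is that the defence only has to show the evidence could have changed after the event. A way to make that argument answerable is to record a cryptographic manifest of the material as soon as it is secured and compare against it later. The script below is an added example, not something from the post: it builds a SHA-256 manifest of a directory tree, then simulates the scenario in the post (someone logs in and checks e-mail after the machine should have been locked up) against a constructed temporary directory and reports exactly which files changed. The directory layout, file names and contents are all constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record hash and size of every file under root, keyed by path relative to root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "root": root,
        "taken_at": datetime.now(timezone.utc).isoformat(),  # when custody was documented
        "files": entries,
    }


def compare_manifests(baseline, current):
    """Report what was added, removed or altered since the baseline was taken."""
    b, c = baseline["files"], current["files"]
    return {
        "added": sorted(set(c) - set(b)),
        "removed": sorted(set(b) - set(c)),
        "modified": sorted(p for p in set(b) & set(c) if b[p]["sha256"] != c[p]["sha256"]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline at seizure, then an unauthorised login touches files."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "Documents", "ledger.xlsx"), b"constructed ledger contents")
        _write(os.path.join(root, "Outlook", "mailbox.pst"), b"constructed mailbox at seizure")
        baseline = build_manifest(root)
        baseline_json = json.dumps(baseline, indent=2)  # what you would store with the custody log

        # Simulated "secretary checked her e-mail": the mail store is rewritten and
        # the client leaves a cache file behind. The ledger is untouched.
        _write(os.path.join(root, "Outlook", "mailbox.pst"), b"constructed mailbox after login")
        _write(os.path.join(root, "Outlook", "cache.tmp"), b"constructed client cache")

        current = build_manifest(root)
        return compare_manifests(json.loads(baseline_json), current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real machine the manifest would be taken from a forensic image rather than the live file system, and the JSON would be stored alongside the custody record; the comparison then shows a reviewer precisely which artifacts post-date the seizure and which, like the ledger here, are unchanged.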

Next Generation ATM Skimmers
http://itknowledgeexchange.techtarget.com/cisa-cissp/next-generation-atm-skimmers/
Tue, 22 Sep 2009 16:33:49 +0000, Arian Eigen Heald

I was over on identitytheft.info watching some video feeds when I came across this one. It’s worth taking a look at not because the technique for attaching Bad Things is all that different, but because of the hardware the Bad Thing is using.

Check out the hardware used: a modified cell phone (to call home with numbers? how convenient!) a camera and an SD card. It’s the hack of the cell phone I find the most interesting. Of course, they didn’t give us any details on that, but I would be interested to know how it was modified, wouldn’t you?

Although identitytheft.info is rather self-serving in its presentation (providing a variety of services to “victims”) they often have newsfeed videos that are very well done.

For instance, there’s another video that shows a keypad, glued over the regular keypad, that captures the PIN as you type it in (instead of a camera).

They recommend notifying the bank if you discover a skimmer; I recommend notifying the police. They’ll take care of notifying the bank(s).

Pumping Gas and Losing Your Shirt
http://itknowledgeexchange.techtarget.com/cisa-cissp/pumping-gas-and-losing-your-shirt/
Thu, 17 Sep 2009 21:07:10 +0000, Arian Eigen Heald

I hadn’t really thought about it, but it made perfect sense the first time I read about it: thieves are capturing credit card and debit card data at the gas pump.

Given that the pump is acting as a big cash register, it makes perfect sense that skimmers could be attached the same way they are attached to an ATM.

Thieves open the pump using a skeleton key and attach skimming devices to the cables leading to the card reader and PIN pad; these pull data from a card’s magnetic stripe and record the cardholder’s PIN. If the PIN pad encrypts the PIN at the pump, they can attach a miniature camera to record PINs as cardholders enter them.

And this is what is significant: you can’t see the skimmer on the pump because it is inside the pump. There’s no way to know if you’re paying for gas and a little fraud, too.

The skimmers steal credit card numbers, but thieves prefer debit cards because they mean quick cash at automated teller machines. They use the information to make fake cards and hit ATMs – some across the country from the originating theft – for $200 to $800 a pop.

The money is often gone before the debit card holder knows it, and it can take time to correct the problem. One recommendation is to use the Credit rather than Debit feature when filling your tank. Debits allow immediate access to cash and don’t require a signature, two other reasons they are more attractive to criminals.

Skimming has been ramping up since last year due to the bad economy; thieves need to access cash rather than goods they can resell elsewhere.

Thieves can leave these skimmers attached to pumps for months before removing them—and collecting data from thousands of credit cards. Then, the thieves either sell the credit card information on the internet or make fraudulent duplicate cards with the victims’ account numbers and expiration dates.

In one case, thieves left the same skimmer attached to a single gas pump in Washington for eleven months. (Did no one see this thing???) Then they came back, retrieved the device and drained hundreds of bank accounts in a single weekend.

In May 2008, an investigation was opened into a case in San Jose California in which thieves stole more than $200,000 from 180 victims. Authorities estimate that between $1 million and $3.5 million has been stolen from victims of gas pump identity theft in five states over recent months.

Best advice: If you do want to use a credit or debit card at the gas station, go inside and make the purchase there. Inconvenient, but so is losing all the money in your checking account, or having to close your credit card account.

Who REALLY Owns Your Data
http://itknowledgeexchange.techtarget.com/cisa-cissp/who-really-owns-your-data/
Tue, 15 Sep 2009 14:06:15 +0000, Arian Eigen Heald

I had an up-close-and-personal experience today of “cloud computing.” It’s worth thinking about.

I had just finished reading Bruce Schneier’s essay on cloud computing, (which is a great read, by the way) and was considering the following point he recently penned in his Cryptogram:

As we move more of our data onto cloud computing platforms such as Gmail and Facebook, and closed proprietary platforms such as the Kindle and the iPhone, deleting data is much harder.

You have to trust that these companies will delete your data when you ask them to, but they’re generally not interested in doing so. Sites like these are more likely to make your data inaccessible than they are to physically delete it. Facebook is a known culprit: actually deleting your data from its servers requires a complicated procedure that may or may not work. And even if you do manage to delete your data, copies are certain to remain in the companies’ backup systems. Gmail explicitly says this in its privacy notice.

What if those companies delete your data because they don’t like it? Or some copyright is at issue and they “can’t” let you keep it, such as Amazon’s now notorious “removal” of the Orwell books due to copyright issues (How ironic is it that Orwell’s books were deleted???)

So, I’m logging into Skydrive this morning because I’m building an online collection of tools I can access when I’m on the road or someplace where I don’t have my computer or USB drives with me.

I’d uploaded about 3 gigs of tools, which might be considered by some to be “hacking” tools, including Cain and Abel (which AV constantly tries to delete). But today, those directories and programs are nowhere to be found.

Big Brother Microsoft evidently doesn’t approve. And this is why we should all consider that if our data in the “cloud” doesn’t pass the vendor’s muster, our data will be deleted.

I’ll stick with my computer, for now.
