
ARRIS Cable Modem/Gateway Security Lapse Offers Hackers Two Backdoors Into Your Network

Phillip Dampier November 23, 2015 Consumer News, Wireless Broadband

ARRIS, one of the country’s largest suppliers of cable modems, is under scrutiny after a security researcher discovered not one but two undocumented “backdoors”, potentially affecting more than 600,000 of the company’s installed cable modems and home gateways, that could give attackers access to a customer’s equipment and home network.

Bernardo Rodrigues published a report on his blog describing the flaws, which affect ARRIS cable modem models including the TG862A, TG862G and DG860A. Rodrigues reports that only ARRIS and your local cable company can fix the problems, and neither seems to be in much of a hurry.


The ARRIS Touchstone 860, which can be identified by its model number depicted on the front lower right of the modem.

“Securing cable modems is more difficult than other embedded devices because, in most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP,” Rodrigues writes. Indeed, very few cable modems let users install the latest firmware themselves. To guarantee uniformity, that privilege is reserved for the cable company providing service, even when the customer owns the modem outright.

“ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password,” Rodrigues writes. “The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface “http://192.168.100.1/cgi-bin/tech_support_cgi” or via custom SNMP MIBs.”

While exploring how much damage that backdoor could permit, Rodrigues stumbled on a second one, open to further exploitation.

“The undocumented backdoor password is based on the last five digits from the modem’s serial number,” Rodrigues wrote. “You get a full busybox shell when you log on the Telnet/SSH session using these passwords.”


ARRIS TG862

In plainer language, either backdoor lets an attacker bypass the modem’s normal access controls and gain full remote control of the device. If the password is derived from those five serial-number digits alone, it has at most 100,000 possible values, a space that is trivial to enumerate. Attackers may well have already found and exploited the flaw; some suspect that password generators are already circulating, allowing access attempts against affected modems to be automated at scale.
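The check a worried owner can actually run is whether the modem’s management surface is reachable from the LAN. The script below is an added example, not code from the original article or from Rodrigues’ report; it only uses the LAN-side address (192.168.100.1) and the hidden CGI path the article quotes, and it sends a plain GET with no credentials, so it is an exposure check rather than a vulnerability test. The interpretation of results (an open Telnet/SSH port, or any answer other than 404 from the CGI path, counts as exposed) is my assumption. One caveat the report itself implies: the backdoor account can switch Telnet and SSH on remotely, so closed ports today do not mean the firmware is clean.

```python
import socket
import urllib.error
import urllib.request

MODEM_IP = "192.168.100.1"                       # LAN-side address named in the article
TECH_SUPPORT_CGI = "/cgi-bin/tech_support_cgi"   # hidden endpoint named in Rodrigues' report


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status(host, path, timeout=3.0):
    """HTTP status code for http://host/path, or None if nothing answers.
    Plain GET only: no credentials are sent or guessed."""
    req = urllib.request.Request(f"http://{host}{path}",
                                 headers={"User-Agent": "modem-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # e.g. 401/403 still proves the endpoint exists
    except (urllib.error.URLError, OSError):
        return None


def is_exposed(findings):
    """Assumed interpretation: an open Telnet or SSH port, or any answer other
    than 404 from the hidden CGI path, means the management surface is reachable."""
    return bool(findings["telnet"] or findings["ssh"]
                or findings["tech_support_cgi"] not in (None, 404))


def audit(host=MODEM_IP):
    """Probe the three surfaces the article describes and summarise them."""
    findings = {
        "telnet": port_open(host, 23),
        "ssh": port_open(host, 22),
        "tech_support_cgi": http_status(host, TECH_SUPPORT_CGI),
    }
    findings["exposed"] = is_exposed(findings)
    return findings


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key:18} {value}")
```

Run it from a machine on the modem’s LAN; a result of `exposed True` is a reason to call the cable company, while `exposed False` says only that nothing is listening right now.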

Unfortunately for consumers, neither ARRIS nor the cable operators appear to be rushing to update the affected firmware to eliminate the backdoors; they waited more than two months just to acknowledge Rodrigues’ report.

For now, customers using these devices exclusively as cable modems are least likely to suffer a serious security lapse. More at risk are consumers relying on these three models as both a cable modem and home gateway providing Wi-Fi access around the home. Theoretically, hackers could use one or both exploits to gain access to your home network. Consumers using one of the affected models should contact their local cable company and ask them to replace the device with an alternative, preferably from a different manufacturer.

At least one cable company reported they are working with ARRIS to correct the flawed firmware, but early efforts have not been successful. It may be prudent for some security-conscious customers not to wait.

HissyfitWatch: Witch Hunt – T-Mobile Declares War on “Abusive LTE Tethering”


Burn Her! T-Mobile CEO John Legere announces a data hog crackdown.

T-Mobile’s CEO has declared war on about 3,000 current customers caught “stealing data from T-Mobile” by using workarounds to avoid T-Mobile’s tethering usage allowance.

T-Mobile customers with unlimited 4G LTE plans get a fixed allowance to be used for tethering when using the Smartphone Mobile HotSpot feature, which allows laptops, tablets, and other wireless devices to share a T-Mobile wireless data connection.

“These violators are going out of their way with all kinds of workarounds to steal more LTE tethered data,” said John Legere, CEO of T-Mobile USA. “They’re downloading apps that hide their tether usage, rooting their phones, writing code to mask their activity, etc. They are ‘hacking’ the system to swipe high-speed tethered data.”

Legere claims the “clever hackers are willfully stealing for their own selfish gain” and are running up as much as two terabytes of usage a month over T-Mobile’s network. Legere thunders he won’t allow this on his watch and the company is starting a campaign of countermeasures this week to go “after a small group of users who are stealing data so blatantly and extremely that it is ridiculous.”

Legere was not specific about how T-Mobile identifies customers it considers to be abusing its network, but a new FAQ on the carrier’s website explains what will happen to those deemed to be exploiting workarounds to exceed T-Mobile’s standard 7GB tethering allowance:

We’re first warning these customers that they’re illegally using more data than they bought. We hope folks will stop on their own so they can keep their current plan. These customers are on an unlimited 4G LTE smartphone plan that includes a set amount of Smartphone Mobile HotSpot data, but they’re using workarounds to make their tethering look like smartphone usage which helps them use significantly more 4G LTE tethering than their plan includes.

Customers who continue to do this will be warned, then lose access to our Unlimited 4G LTE smartphone data plan, and be moved to an entry-level limited 4G LTE data plan.


Legere is clearly concerned the crackdown could be interpreted by the Federal Communications Commission as a Net Neutrality violation.

“These abusers will probably try to distract everyone by waving their arms about throttling data,” Legere wrote. “Make no mistake about it – this is not the same issue. Don’t be duped by their sideshow. We are going after every thief, and I am starting with the 3,000 users who know exactly what they are doing. The offenders start hearing from us tomorrow. No more abuse and no risk to the rest of our customers’ experience. It’s over. If you are interested, you can find more info in our [FAQ].”

The FCC has no rules prohibiting usage caps, but the issue of speed throttling is less settled and Legere’s comments are intended to frame the issue in terms of data theft and violations of the company’s terms and conditions.

Carriers are often stingier with hotspot usage because desktop and laptop computers typically consume far more data than handheld devices like tablets and smartphones. T-Mobile itself says customers who need to consume a lot of tethered data should find another ISP:

[Wired] Broadband services would be a better solution for customers who need more high-speed for tethered devices.

The Plain Text: Forgot Your E-Mail Password? Frontier Will Share It With You in a Web Chat

Phillip Dampier August 13, 2015 Consumer News, Frontier

While the online world is beefing up security with encryption and two-factor authentication to keep hackers out, Frontier Communications’ e-mail password system harkens back to an earlier, more innocent era, when passwords were stored in plain text in a database that practically anyone could access.

In this instance, “anyone” turned out to be a Frontier tech support agent named “Shawn,” moonlighting as Frontier’s living password reset system.

Ars Technica shares the surprising story of Andrew Silverman, a Frontier customer in Washington state who needed to reset his forgotten e-mail password. As Stop the Cap! first shared with our readers back in April, the company dumped most of its online web-based self-service functions after the company couldn’t get them to work properly.


Customers like Silverman who need their password reset now have to chat with or call Frontier’s technical support. Inconvenient as that is, Silverman was more surprised to learn that “Shawn” could look up and share his existing password from Frontier’s customer relationship management system:

Shawn asked Silverman for some basic pieces of information—his account number or landline number, the e-mail address he was having trouble with, and the last four digits of his Social Security number. The Frontier employee then asked Silverman what password he tried to type in.

“I’m not comfortable giving out passwords. Is there a password reset page?” Silverman asked.

“I’m sorry there isn’t,” Shawn replied. “Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me.”

Silverman’s password was easy to find because Frontier stores it in plain text, a potentially enormous security risk. Security experts say storing passwords in plain text, even if access is limited to customer service representatives, leaves them vulnerable to theft: a single disgruntled employee or an unknown security hole in a Frontier support center could theoretically expose millions of Frontier customers’ passwords. That Frontier also e-mails transcripts of chat sessions to customers is a further risk; in Silverman’s case, Frontier helpfully obscured his account number in the transcript, but not his password.

Ars confirmed with Frontier the company currently lacks an online e-mail password reset system and the online chat or telephone support representatives handle password issues as Silverman described. Frontier also maintains a billing portal which appears to function independently. The billing portal does have a self-service password reset function. But the additional security there might not help if you use the same password for e-mail and account information.
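What “Shawn” could do, and what he should not have been able to do, comes down to how the password table is built. The example below is added here and is not Frontier’s code or anything Ars published: a store that keeps the password as typed, so a support lookup returns it, beside a hardened store that keeps only a salted scrypt digest, compares in constant time, and handles a forgotten password with a single-use, time-limited reset token and an audit entry rather than a disclosure. User names, passwords and the scrypt parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time


class PlaintextStore:
    """The pattern the article describes: the password is kept as typed,
    so anyone who can query the table can read it back."""

    def __init__(self):
        self.rows = {}

    def set_password(self, user, password):
        self.rows[user] = password

    def verify(self, user, password):
        return self.rows.get(user) == password

    def support_lookup(self, user):
        # What a support agent (or anyone with the same database access) sees.
        return self.rows.get(user)


class HashedStore:
    """Hardened form: only a salted scrypt digest is stored, comparison is
    constant-time, and a forgotten password is replaced via a single-use,
    time-limited reset token instead of being revealed."""

    SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # assumed cost settings
    RESET_TTL_SECONDS = 15 * 60

    def __init__(self):
        self.rows = {}           # user -> (salt, digest)
        self.reset_tokens = {}   # sha256(token) -> (user, expiry)
        self.audit_log = []      # (time, actor, user, action)

    def _digest(self, password, salt):
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, **self.SCRYPT_PARAMS)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self.rows[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        record = self.rows.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))

    def support_lookup(self, user):
        # The plaintext exists nowhere to be looked up.
        raise PermissionError("passwords are not recoverable; issue a reset token instead")

    def issue_reset_token(self, user, agent, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a leaked table cannot be replayed.
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (user, now + self.RESET_TTL_SECONDS)
        self.audit_log.append((now, agent, user, "reset-token-issued"))
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False          # unknown, or already used once
        user, expires_at = entry
        if now > expires_at:
            return False          # expired
        self.set_password(user, new_password)
        self.audit_log.append((now, "customer", user, "password-reset"))
        return True
```

With the hardened store the agent’s only move is `issue_reset_token`, which leaves a log entry naming the agent and never puts a password into a chat transcript.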

A Frontier spokesperson downplayed the security risk of plain text password storage.

“Customer service reps do not have access, only tech support does and it is only revealed once the customer has provided the security code to verify identity,” the representative told Ars. “Account modification logs are kept to ensure the company knows who accessed the information.”

Ironically, after disclosing Silverman’s password, the representative steered the chat toward selling him Frontier Secure, Frontier’s antivirus, identity theft, and computer support protection suite, which promises customers “peace of mind” from “hackers that can steal your identity, hijack your equipment and bombard you with malware, viruses and worse.”

Silverman declined.

Never Loan NBC’s Richard Engel Your Phone or Laptop; Inside the Phony ‘Sochi’ Hack Story

A prominent story airing last week on the NBC Nightly News with Brian Williams suggested visitors to the Sochi Olympic Games in Russia should expect their Android smartphone or laptop to be infiltrated by hackers moments after being switched on. A closer examination of the story suggests NBC News reporter Richard Engel had to go out of his way to get infected with malware.


Is it really too late to protect your electronic device if you power it on at the Sochi baggage claim facility at the airport, as NBC News’ Brian Williams claims? (3:35)

Trend Micro security expert Kyle Wilhoit, who helped design the experiment based on Engel’s usage habits, admitted security holes were left wide open on the tested devices:

On all of the devices, there was no security software of any type installed. These devices merely had standard operational programs such as Java, Flash, Adobe PDF Reader, Microsoft Office 2007, and a few additional productivity programs.

When considering this experiment, there were some basic things to be considered. First was mimicking the user behavior of Richard Engel. Since these were going to be machines with fake data, it was important to accurately imitate his normal activities. I had to investigate Richard’s user habits. In addition to other information, I needed to understand what he actually did on a daily basis, and sites he commonly visits. Also, I needed to understand where he posted. Did he post information on forums? Did he post on foreign language sites?

NBC’s story implied that three new devices, including an Apple MacBook Air, an Android phone, and a Lenovo laptop running Windows 7 were all hacked within minutes of being switched on for the first time, right out of their respective boxes.


A story about hacking at the Olympics in Sochi, Russia was recorded largely in Moscow, more than 1,000 miles away.

Careful observers will notice Wilhoit wandering around Moscow, more than 1,000 miles from Sochi; Wilhoit later clarified in a tweet that he never visited Sochi at all. A closer look at the shots of computer screens shows the reporter clicking on suspicious links and visiting obviously phony Olympics-themed websites. No virus or malware protection, combined with Engel’s apparent willingness to click on anything, suggests you should never loan him your laptop or phone.

NBC News went over the top getting their Android phone hacked. In fact, Engel not only had to manually find and download the infected app that let the hackers in, he had to navigate a set of menus to disable Android’s built-in security, turning on permission to download apps from unknown or third-party websites not affiliated with the Google Play store. Installing a security-compromised app also brings multiple additional warning messages advising users not to proceed. Under these circumstances, Aunt Sue can rest easy her Galaxy S4 is not accidentally open season for hackers while she watches the downhill skiing events.

Media sensationalism makes for good ratings but requires a lot of truth dodging to make the story real. This is an example.

Comcast E-Mail Servers Hacked by Notorious NullCrew FTS; Exploit, Passwords Shared Online

Phillip Dampier February 6, 2014 Comcast/Xfinity, Consumer News, Public Policy & Gov't

At least 34 of Comcast’s e-mail servers have been compromised by a well-known hacker group, which posted evidence, the exploit and certain administrative passwords online to embarrass the company and expose its poor security practices.

Using a “Local File Inclusion” vulnerability, the hacker crew read the Zimbra LDAP and MySQL passwords and publicly shared their findings earlier today. A local file inclusion flaw lets an attacker make the web application read, and sometimes execute, files from the server’s own filesystem that were never meant to be served. Depending on the server, it can escalate to remote code execution, allow insertion of malware through JavaScript, open the door to a denial of service attack that would slow Comcast’s servers to a crawl, and expose sensitive customer information.
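The bug class, as an added example that is neither Comcast’s code nor NullCrew’s exploit: a toy handler that serves a “skin” file by name, first in the vulnerable form that joins the user-supplied name straight into a path (so `../localconfig.xml` walks up to a config file holding credentials, the kind of file the article says was read), then in a hardened form that allow-lists the name and confirms the resolved path stays inside the skins directory. A regex a defender can run over access logs to catch traversal probes follows. The parameter name, directory layout, config contents and log lines are all constructed for illustration.

```python
import os
import re
import tempfile


def make_webroot():
    """Constructed sample layout: a public 'skins' directory and, one level up,
    a config file holding credentials that must never be served."""
    root = tempfile.mkdtemp()
    skins = os.path.join(root, "skins")
    os.makedirs(skins)
    with open(os.path.join(skins, "carbon.css"), "w") as fh:
        fh.write("body { color: #333; }\n")
    with open(os.path.join(root, "localconfig.xml"), "w") as fh:
        fh.write("<key name='ldap_password'><value>constructed-secret</value></key>\n")
    return root


def serve_skin_vulnerable(root, skin):
    """The user-supplied name is joined straight into a filesystem path.
    '../localconfig.xml' walks out of the skins directory, and an absolute
    name such as '/etc/passwd' makes os.path.join discard the prefix entirely."""
    path = os.path.join(root, "skins", skin)
    with open(path) as fh:
        return fh.read()


def serve_skin_hardened(root, skin):
    """Allow-list the name, then resolve the real path and refuse anything
    that does not land inside the skins directory (belt and braces)."""
    if not skin or skin in (".", "..") or not re.fullmatch(r"[A-Za-z0-9_.-]+", skin):
        raise ValueError("invalid skin name")
    skins_dir = os.path.realpath(os.path.join(root, "skins"))
    path = os.path.realpath(os.path.join(skins_dir, skin))
    if os.path.commonpath([skins_dir, path]) != skins_dir:
        raise ValueError("path escapes skins directory")
    with open(path) as fh:
        return fh.read()


# Detection side: '..' followed by a separator, raw or URL-encoded, is the
# signature of a traversal probe in an access log.
TRAVERSAL = re.compile(r"(\.\.|%2e%2e)(/|\\|%2f|%5c)", re.IGNORECASE)

# Constructed access-log lines, not taken from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Feb/2014:13:02:11 -0500] "GET /skins/carbon.css HTTP/1.1" 200 23',
    '10.0.0.9 - - [06/Feb/2014:13:02:19 -0500] "GET /skins/../localconfig.xml HTTP/1.1" 200 64',
    '10.0.0.9 - - [06/Feb/2014:13:02:25 -0500] "GET /res/x.js?skin=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '10.0.0.7 - - [06/Feb/2014:13:03:01 -0500] "GET /mail HTTP/1.1" 302 0',
]


def flag_traversal(lines):
    """Return the log lines containing a directory-traversal pattern."""
    return [line for line in lines if TRAVERSAL.search(line)]
```

The realpath check matters even with the allow-list in place: a symlink dropped inside the skins directory would pass the character filter yet resolve outside it. On the detection side, a 200 response paired with a traversal pattern, as in the second constructed line, is the case that deserves an immediate look, since it means the read succeeded.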

The security breach affecting Comcast’s email servers remains open and available as of early this afternoon, and Comcast has yet to publicly respond to the security threat.

In one tweet, NullCrew thanked Comcast for putting all of their password information in one convenient spot, making the security intrusion easier.

NullCrew considers itself a hacktivist group that exposes poor security practices at corporations, government agencies, and schools. As exploits are publicized, most affected companies immediately take steps to strengthen security.

NullCrew alerted Comcast four hours before publicizing the breach, but Comcast’s social media team appeared to lack an understanding of the nature of the threat.

NullCrew posted complete documentation about executing the hack on pastebin.com (since removed), opening the door to more attacks by other parties. It also included its latest manifesto:

  1. Hello there beautiful people of the internet, once again; we here at NullCrew have some fun information for you.

  2. This time, our target is Comcast, yet another internet service provider who proclaims to be a secured one; shall we test these claims as well?

  3. What is Comcast?

  4. Comcast Corporation is the largest mass media and communications company in the world by revenue.

  5. It is the largest cable company and home Internet service provider in the United States, and the nation’s third largest home telephone service provider.

  6. Comcast provides cable television, broadband Internet, telephone service and in some areas home security (including burglar alarms, surveillance cameras, fire alarm systems and home automation) to both residential and commercial customers in 40 states and the District of Columbia.

  7. Okay!

  8. So, it’s the LARGEST mass media and communications company in the world? Sweeeeet.

  9. Let’s take a look at it, and see if we should be impressed.

  10. Below us, we have a list of Comcast mail servers; and each of these mail servers run on something called, “Zimbra.”

  11. But each of these mail servers also are vulnerable to LFi, and you know what LFi can lead to, right?

