
Charter Considering Pulling the Plug on Time Warner’s IntelligentHome Security Service

Phillip Dampier June 16, 2016 Charter Spectrum, Competition, Consumer News 4 Comments

Perhaps not for long.

Time Warner Cable customers who spent hundreds or thousands of dollars in security equipment and add-ons may be left with nothing but their 18-month contract as Charter Communications considers pulling the plug on Time Warner’s IntelligentHome security service.

DSL Reports appears to have the exclusive story this morning that insiders familiar with the company’s business operations are claiming IntelligentHome may be one of the first casualties of the giant merger between Charter, Time Warner Cable, and Bright House.

As Stop the Cap! reported earlier this morning, Charter executives are performing a top-to-bottom analysis looking to wring cost savings out of the merger deal. The result will likely be the elimination of anything seen as duplicating Charter Spectrum’s own suite of products and services or going beyond Charter’s philosophy of focusing on “core services.” That could be bad news for Time Warner Cable employees managing or supporting non-conforming services as well, and at least some could be headed for the unemployment office.

A strong clue the days of IntelligentHome may be numbered is word employees are now supposed to keep it a secret:

While the source states that no formal shutdown of the service has been announced, sales and service employees are being told to no longer mention the service in call conversations or presentations with customers. The source also states that “rumblings by managers” suggests the service may not be long for this world.

Should Time Warner Cable shutter the service, the insider states that could be trouble for the customers that recently shelled out significant amounts of money for IntelligentHome hardware.

“What is particularly concerning is that many customers are in 18 month contracts and have purchased hundreds or even thousands of dollars in equipment,” states the insider.

If Time Warner does shutter the service, customers will likely be released from their contracts penalty-free, but they may also be stuck with useless equipment they can’t use with another alarm system.

Cable operators have dabbled in the home security business since the 1970s, but many early attempts were scrapped after waves of consolidation orphaned a variety of incompatible technologies with new owners that had little interest in maintaining the service. The insatiable quest for higher Average Revenue Per User (ARPU) has pushed the cable industry to find more ancillary services that could boost cable bills and keep Wall Street happy. They tried music services like Music Choice and DMX, home video game services, broadband for telecommuters, and eventually returned to home security.

Time Warner Cable first launched IntelligentHome in 2011. It immediately threatened traditional home security services from companies like ADT because IntelligentHome could manage easy remote access to control home security settings, lighting, and thermostats from a computer, tablet, or smartphone. Customers upgrading to a video-capable system could even stream camera video over the Internet through a live feed. A tablet-like touchscreen control enhanced the experience with access to current weather, news, and traffic.


Icontrol manages the software platform that powers Time Warner’s IntelligentHome, along with home security services offered by a number of other cable operators.

Time Warner Cable did not develop IntelligentHome exclusively in-house. Most large cable operators rely on connected home security system software solutions powered by a platform developed by Icontrol.

Charter Communications is one of only a few cable companies that have shown no interest in selling home security services (Cablevision is another). In 2013, it dismissed any interest in getting into the business, telling Reuters it preferred to concentrate on its “core business.” Nothing seems to have changed. As of this year, the only security protection Charter offers customers is antivirus software for their computers.

An exit from IntelligentHome could also have a major impact on Time Warner Cable’s owned-and-operated CSAA 5-Diamond Rated Emergency Response Center, which answers when it detects a break-in or when a customer hits a panic button.

Most estimates put the number of customers paying for IntelligentHome at less than 100,000 nationwide, but that select group is likely to have a substantial buy-in to the service and would definitely feel its loss.

Although Time Warner Cable advertises IntelligentHome at prices starting between $35-40 a month, that doesn’t afford much protection. Customers can choose between packages of different equipment bundles that range from $99.99 to $199.99. A la carte equipment is also available. A very basic entry-level system packages a tablet-like controller with protection for only two doors or windows and one motion detector. That might be suitable for an apartment, but homeowners often upgrade to cover more potential entry points. As a result, IntelligentHome has proven a tough sell for customers already confronted by cable bills that often approach or exceed $200 a month, before the alarm service is added.

Time Warner has attempted to change the marketing of IntelligentHome to emphasize more of its home automation and monitoring features, and routinely offers a $200 gift card to entice new customers. But it may not have worked enough to interest Charter, which shows every sign it wants to simplify the cable bundle, not clutter it up with extras. The insider told DSL Reports he hoped Charter would find a way to manage existing customers and not abandon them should the service be discontinued. If not, tens of thousands of Charter customers will have bought a lot of equipment with nothing to show for it.

DSL Reports stresses no final decision has been made.

Popular Motorola/Arris SurfBoard Cable Modems Have Annoying Security Flaw

Phillip Dampier April 11, 2016 Consumer News 1 Comment

If you own or lease a Motorola/Arris SurfBoard 5100, 6121, or 6141 cable modem, security researchers have uncovered an annoying vulnerability that could expose you to a denial of service attack.

David Longenecker first discovered the flaw with the world’s most popular cable modem — the SB-6141, a highly recommended DOCSIS 3 model. The firmware does not password protect access to the cable modem’s configuration menu, accessible by visiting 192.168.100.1 in a web browser.

In addition to technical information about the modem and the cable system’s current cable broadband configuration, there are two user accessible reset buttons, one to reboot the modem and another to reset it to its original factory settings. Rebooting the modem will disrupt your Internet connection for under a minute, but doing a factory reset could bring the modem offline until someone reaches the cable company to request the modem be reauthorized. An individual with nefarious intent can repeatedly reset the modem, bringing the user offline again and again.


SB6141 is a DOCSIS 3 modem


The Houston Chronicle explains how this could become a widespread problem:

Included within this interface is the ability to reset the modem. A user can be tricked into clicking on a simple link that will reboot the SB6141, and you can see a proof of concept here. Note that if you have one of these modems with this flaw, and you click the link, your modem WILL reboot.

Normally, you’d have to be sitting at a computer on the same network as the modem to trigger a reboot. But the link above takes advantage of the fact that you can mask a local Web page address as an image file. As Longenecker describes it:

Did you know that a web browser doesn’t really care whether an “image” file is really an image? Causing a modem to reboot is as simple as including an “image” in any other webpage you might happen to open – which is exactly the approach taken on the RebootMyModem.net proof of concept:

<img src="http://192.168.100.1/reset.htm">

Of course it’s not a real image, but the web browser doesn’t know that until it requests the file from the modem IP address – which of course causes the modem to reboot. Imagine creating an advertisement with that line of code, and submitting it to a widely-used ad network…

Advanced users can go into their router’s configuration page and block access to the IP address 192.168.100.1 (the modem’s configuration page) for anyone inside their network. That step prevents you or anyone else on your network from accidentally clicking a link that tricks your modem into rebooting. But most users will probably wait until Arris has distributed firmware updates that cable operators will eventually apply to correct this vulnerability. The upgrade will occur in the background and most users will never notice it.
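One way a publisher, ad network or content filter could screen markup for the trick described above, as an added example rather than code from Longenecker or Arris: the parser below flags tags that make a browser fetch a URL on page load when that URL points at a private, loopback or link-local address. The sample page and the names `find_internal_fetches` and `is_internal_host` are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make a browser fetch a URL with no click.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("embed", "src"), ("audio", "src"), ("video", "src"),
    ("source", "src"), ("link", "href"), ("object", "data"),
}


def is_internal_host(host):
    """True for literal IPs in private, loopback or link-local ranges."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal; only the well-known local name is treated as internal.
        return host.lower() == "localhost"
    return ip.is_private or ip.is_loopback or ip.is_link_local


class _Finder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            url = value.strip()
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL, e.g. a broken IPv6 literal
            if host and is_internal_host(host):
                self.hits.append((tag, name, url))


def find_internal_fetches(html):
    """Return (tag, attribute, url) for each auto-loaded internal URL."""
    finder = _Finder()
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample: one ordinary banner, the reset "image" quoted in the
# article, a plain link (needs a click, so it is not flagged), a
# protocol-relative iframe and a same-site script.
SAMPLE_PAGE = """
<html><body>
<img src="https://cdn.example.com/banner.png">
<img src="http://192.168.100.1/reset.htm" width="1" height="1">
<a href="http://192.168.100.1/">modem status</a>
<iframe src="//10.0.0.1/admin"></iframe>
<script src="/static/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_internal_fetches(SAMPLE_PAGE):
        print(f"<{tag} {attr}> loads internal address: {url}")
```

A static check like this sees only URLs written into the markup; it does not resolve hostnames that point at internal addresses or catch requests a script builds at run time.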

ARRIS Cable Modem/Gateway Security Lapse Offers Hackers Two Backdoors Into Your Network

Phillip Dampier November 23, 2015 Consumer News, Wireless Broadband

ARRIS, one of the country’s largest suppliers of cable modems, is under scrutiny after a security researcher discovered not one, but two secret “backdoors” potentially affecting more than 600,000 of the company’s installed cable modems/home gateways that could allow hackers access to a customer’s equipment and home network.

Bernardo Rodrigues published a report of the exploits on his blog, which affect ARRIS cable modem models including TG862A, TG862G, and DG860A. Rodrigues reports only ARRIS and your local cable company can fix the security problems, and neither seems to be in much of a hurry.


The ARRIS Touchstone 860, which can be identified by its model number depicted on the front lower right of the modem.

“Securing cable modems is more difficult than other embedded devices because, on most cases, you can’t choose your own device/firmware and software updates are almost entirely controlled by your ISP,” Rodrigues writes. Indeed, very few cable modems allow users to self-update their equipment with the latest firmware. To guarantee uniformity, that privilege is given exclusively to the cable company providing service, even if a customer owns their own modem outright.

“ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password,” Rodrigues writes. “The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface “http://192.168.100.1/cgi-bin/tech_support_cgi” or via custom SNMP MIBs.”

While exploring the potential security damage that backdoor could permit, Rodrigues stumbled on a second backdoor, one open to additional exploitation by hackers.

“The undocumented backdoor password is based on the last five digits from the modem’s serial number,” Rodrigues wrote. “You get a full busybox shell when you log on the Telnet/SSH session using these passwords.”


ARRIS TG862

In plainer language, one or both backdoors will allow a hacker to bypass the modem’s usual security protections and provide the intruder with full remote access to the affected cable modem. Hackers have likely already identified the security lapse and have exploited it, with some suspecting access key generators are already available allowing the user to automate attempts to reach affected modems on a significant scale.

Unfortunately for consumers, neither ARRIS nor cable operators appear to be rushing to update the affected firmware to eliminate the backdoors, having waited more than two months just to acknowledge Rodrigues’ report.

For now, customers using these devices exclusively as cable modems are least likely to suffer a serious security lapse. More at risk are consumers relying on these three models as both a cable modem and home gateway providing Wi-Fi access around the home. Theoretically, hackers could use one or both exploits to gain access to your home network. Consumers using one of the affected models should contact their local cable company and ask them to replace the device with an alternative, preferably from a different manufacturer.

At least one cable company reported they are working with ARRIS to correct the flawed firmware, but early efforts have not been successful. It may be prudent for some security-conscious customers not to wait.

Did the Paris Terrorists Really Use an Internet-Connected PlayStation 4 to Coordinate Attack?

Phillip Dampier November 17, 2015 Editorial & Site News, Public Policy & Gov't 1 Comment

Less than a week after ISIS-connected terrorists in Paris allegedly killed at least 129 people in a coordinated attack, false reports continue to be spread through news services and social media. It’s enough to make you cringe.

On Sunday, media outlets began turning their attention to a “contributor” piece appearing on Forbes’ website that suggested terrorists may have used a popular game console connected to the Internet to discuss and plan the attack:

The hunt for those responsible (eight terrorists were killed Saturday night, but accomplices may still be at large) led to a number of raids in nearby Brussels. Evidence reportedly turned up included at least one PlayStation 4 console.

Belgian federal home affairs minister Jan Jambon said outright that the PS4 is used by ISIS agents to communicate, and was selected due to the fact that it’s notoriously hard to monitor. “PlayStation 4 is even more difficult to keep track of than WhatsApp,” he said.

After nearly 500,000 views of the Forbes article, the author admitted to a gaming publication that he got his story wrong. It has since been edited to remove several serious factual errors. How could Forbes have gotten the story so wrong?


Forbes does not strictly edit the content of its large base of online contributors, which increasingly resembles the publishing model of the Huffington Post. As a result, Forbes disavows (in small print) any editorial connection to its writers, claiming their opinions do not represent the venerable business publication. But few in the media seemed to pick up that the disclaimer suggested some skepticism might be appropriate. Instead, the story spread unquestioned like wildfire.

By Monday, Kotaku attempted to set the record straight, verifying Jambon’s comments were actually delivered on Nov. 10, three days before the Paris attack and only from the context of Belgium’s generally perceived security weaknesses. Claims that a PlayStation 4 was allegedly seized from an attacker’s apartment have now been declared “an editing error,” and the author has backed even further away from his inference it was used to help coordinate the attack. That is a charitable way of saying the central thesis of the Forbes story about the events in Paris was entirely wrong.

“This was actually a mistake that I’ve had to edit and correct,” Forbes’ writer Paul Tassi told Kotaku on Monday. “I misread the minister’s statement, because even though he was specifically saying that PS4 was being used by ISIS to communicate, there is no public list of evidence list of what was found in the specific recent raids. I’ve edited the post to reflect that, and it was more meant to be about discussing why or how groups like ISIS can use consoles. It’s my fault, as I misinterpreted his statement.”

The idea that ordinary Internet-connected game consoles can be used to quietly coordinate major terror attacks proved irresistible catnip for cable news. CNN and MSNBC both discussed the implications of terrorists enabled with game consoles, while Fox News further amplified the claim to suggest government agencies might not be monitoring these communications, opening a national security risk. Fox News even coined the Paris attack a “Joystick Jihad,” removing one sentence from its initial report to correct claims of a seizure of the game console, but left the rest of its story intact:

“There is no doubt that terrorists and other underground networks are using PlayStation and other non-traditional means to communicate with each other,” said Paul Martini, CEO of cyber security specialist iboss Cybersecurity, in a statement emailed to FoxNews.com. The CEO noted that the languages and protocols that PlayStation uses to communicate over the Internet are much different from those used in web browsers and other apps. “They are typically encrypted communication channels that are built on custom-designed languages built for speed and security – since PlayStation involves multi-player Internet connected users, it’s very distributed, high speed and difficult to track and monitor,” Martini added.


Videogame network or terrorist digital meeting spot?

Friday evening’s attacks are being used by a variety of interest groups to push various agendas, ranging from promoting military intervention in Syria to stopping Syrian refugees from entering the United States. But privacy groups also fear Forbes’ story will be used to argue for extended government surveillance beyond telephone calls, text messaging, and Internet traffic, into third-party private encrypted networks like Sony’s PlayStation Network. In 2013, whistleblower Edward Snowden claimed the NSA and CIA were already there.

British newspaper The Telegraph suggested Sony’s private network has hardly proven itself an impenetrable digital Fort Knox:

Sony doesn’t exactly have a great reputation for security. A hack of PSN in 2011 saw 77 million users affected by personal data theft, and a hack emerged in December last year that saw many personal details of celebrities and other public figures leaked.

Media critics complain there is a danger that the demand for immediate news results in reporting information before it can be sufficiently sourced and verified. Elements of stories later proven wrong can remain a part of a story’s narrative, even when quickly discredited or changed as a result of newly obtained information. Examples of this are especially common on social media. Less serious examples include sharing photographs on Twitter and Facebook purporting to be from Paris that were actually taken months earlier. In other cases, depictions of solidarity with Paris from around the world were often misconstrued from other unrelated events. More serious are the false narratives that can damage a brand’s reputation, prod policy changes, or even fuel new laws, such as efforts to further extend surveillance.

While the corrections are helpful and appropriate, the rush to print first and verify later is becoming more common than ever. The Forbes author claimed he made a “reporting mistake” because he rushed to judgment connecting Jambon’s earlier statements to the Paris attacks. But that does not explain or justify his more important claim that a PlayStation 4 console was found as a result of the raid and his suggestion it was used to plan and coordinate a terrorist attack.

So our advice to Forbes’ authors is simple. A story about a game console being used by terrorists was never just going to be treated as an interesting story angle. It would be used by the media, pundits, and officials to debate and discuss whether national security is at risk unless surveillance improves. Some will go as far as to suggest controls on game consoles or new government authority to monitor the games and those playing them. Before we have that debate, let’s at least get the story right. We’ve seen the results of public policy changes based on flawed intelligence and erroneous media reports too often. Let’s not do that again.

Correction: Original story referenced “Kontaku,” which has been corrected to reflect the site’s actual name – Kotaku. Thanks to Mark E. for spotting the error.

The Plain Text: Forgot Your E-Mail Password? Frontier Will Share It With You in a Web Chat

Phillip Dampier August 13, 2015 Consumer News, Frontier

While the online world is beefing up security systems with encryption and two-factor authentication to keep the hackers out, Frontier Communications’ e-mail password system harkens back to an earlier, innocent era when passwords were stored as plain text in a database practically anyone could access.

In this instance, “anyone” turned out to be a Frontier tech support agent named “Shawn,” moonlighting as Frontier’s living password reset system.

Ars Technica shares the surprising story of Andrew Silverman, a Frontier customer in Washington state who needed to reset his forgotten e-mail password. As Stop the Cap! first shared with our readers back in April, the company dumped most of its online web-based self-service functions after the company couldn’t get them to work properly.


Customers like Silverman who need their password reset now have to chat or call Frontier’s technical support. While inconvenient, Silverman was surprised to learn “Shawn” was able to get access to and share his existing password from Frontier’s customer relationship management system:

Shawn asked Silverman for some basic pieces of information—his account number or landline number, the e-mail address he was having trouble with, and the last four digits of his Social Security number. The Frontier employee then asked Silverman what password he tried to type in.

“I’m not comfortable giving out passwords. Is there a password reset page?” Silverman asked.

“I’m sorry there isn’t,” Shawn replied. “Are you OK with me posting the password in chat? It is a secure network and I have the password in front of me.”

Silverman’s password was easy to find because Frontier is storing that information in plain text format, a potentially enormous security risk. Security experts say storing passwords in a plain text format, even if access is limited to customer service representatives, makes them vulnerable to hacking. A single disgruntled employee or unknown security hole in a Frontier support center could theoretically expose millions of Frontier customers to password theft. The fact that Frontier e-mails transcripts of customer chat sessions to customers also represents a potential security risk. In Silverman’s case, Frontier helpfully obscured his account number, but not his password.

Ars confirmed with Frontier the company currently lacks an online e-mail password reset system and the online chat or telephone support representatives handle password issues as Silverman described. Frontier also maintains a billing portal which appears to function independently. The billing portal does have a self-service password reset function. But the additional security there might not help if you use the same password for e-mail and account information.

A Frontier spokesperson downplayed the security risk of plain text password storage.

“Customer service reps do not have access, only tech support does and it is only revealed once the customer has provided the security code to verify identity,” the representative told Ars. “Account modification logs are kept to ensure the company knows who accessed the information.”

Ironically, after disclosing Silverman’s password, the representative shifted the call to sell him on the merits of Frontier Secure, Frontier’s antivirus, identity theft, and computer support protection suite that promises to deliver customers “peace of mind” from “hackers that can steal your identity, hijack your equipment and bombard you with malware, viruses and worse.”

Silverman declined.
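For contrast with the plain text storage described above, an added example (not Frontier’s system; the `AccountStore` class and its method names are hypothetical) of an account store that keeps only salted PBKDF2 hashes, so a support tool has no password to read out, and that handles a forgotten password with a single-use, expiring reset token.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 600_000   # work factor for PBKDF2-HMAC-SHA256
RESET_TTL = 15 * 60       # reset tokens expire after 15 minutes


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Hypothetical mailbox credential store; no password is kept in readable form."""

    def __init__(self):
        self._creds = {}    # address -> (salt, password hash)
        self._resets = {}   # address -> (sha256 of reset token, expiry time)

    def set_password(self, address, password):
        salt = secrets.token_bytes(16)          # fresh salt per password
        self._creds[address] = (salt, _hash_password(password, salt))
        self._resets.pop(address, None)         # cancel any pending reset

    def verify(self, address, password):
        record = self._creds.get(address)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(_hash_password(password, salt), stored)

    def support_view(self, address):
        # Everything a support screen can show about the credential.
        return {"address": address, "has_password": address in self._creds}

    def start_reset(self, address, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        self._resets[address] = (token_hash, now + RESET_TTL)
        # The token goes to the customer out of band, not to the agent's screen.
        return token

    def finish_reset(self, address, token, new_password, now=None):
        now = time.time() if now is None else now
        pending = self._resets.pop(address, None)   # any attempt consumes the token
        if pending is None:
            return False
        token_hash, expiry = pending
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(supplied, token_hash):
            return False
        self.set_password(address, new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("user@example.com", "old-secret")   # constructed sample data
    print(store.support_view("user@example.com"))
    token = store.start_reset("user@example.com")
    print(store.finish_reset("user@example.com", token, "new-secret"))
```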
