
Never Loan NBC’s Richard Engel Your Phone or Laptop; Inside the Phony ‘Sochi’ Hack Story

A prominent story airing last week on the NBC Nightly News with Brian Williams suggested visitors to the Sochi Olympic Games in Russia should expect their Android smartphone or laptop to be infiltrated by hackers moments after being switched on. A closer examination of the story suggests NBC News reporter Richard Engel had to go out of his way to get infected with malware.

[flv]http://www.phillipdampier.com/video/NBC News Hackers at the Olympics 2-4-14.flv[/flv]

Is it really too late to protect your electronic device if you power it on at the Sochi baggage claim facility at the airport, as NBC News’ Brian Williams claims? (3:35)

Trend Micro security expert Kyle Wilhoit, who helped design the experiment based on Engel’s usage habits, admitted security holes were left wide open on the tested devices:

On all of the devices, there was no security software of any type installed. These devices merely had standard operational programs such as Java, Flash, Adobe PDF Reader, Microsoft Office 2007, and a few additional productivity programs.

When considering this experiment, there were some basic things to be considered. First was mimicking the user behavior of Richard Engel. Since these were going to be machines with fake data, it was important to accurately imitate his normal activities. I had to investigate Richard’s user habits. In addition to other information, I needed to understand what he actually did on a daily basis, and sites he commonly visits. Also, I needed to understand where he posted. Did he post information on forums? Did he post on foreign language sites?

NBC’s story implied that three new devices, including an Apple MacBook Air, an Android phone, and a Lenovo laptop running Windows 7 were all hacked within minutes of being switched on for the first time, right out of their respective boxes.

A story about hacking at the Olympics in Sochi, Russia was recorded largely in Moscow, more than 1,000 miles away.

Careful observers will notice Wilhoit is wandering around Moscow, more than 1,000 miles away from Sochi. Wilhoit would later clarify in a tweet that he never visited Sochi at all. A closer look at shots of the computer screens shows the reporter clicking on suspicious links and visiting obviously phony Olympics-oriented websites. With no virus or malware protection, Engel’s apparent willingness to click on anything suggests you should never loan him your laptop or phone.

NBC News went over the top getting their Android phone hacked. In fact, Engel not only had to manually find and download the infected app that let the hackers in, he had to navigate a set of menus to disable Android’s built-in security, turning on permission to download apps from unknown or third-party websites not affiliated with the Google Play store. Installing a security-compromised app also brings multiple additional warning messages advising users not to proceed. Under these circumstances, Aunt Sue can rest easy her Galaxy S4 is not accidentally open season for hackers while she watches the downhill skiing events.

Media sensationalism makes for good ratings but requires a lot of truth dodging to make the story real. This is an example.

Comcast E-Mail Servers Hacked by Notorious NullCrew FTS; Exploit, Passwords Shared Online

Phillip Dampier February 6, 2014 Comcast/Xfinity, Consumer News, Public Policy & Gov't

At least 34 of Comcast’s email servers have been compromised by a well-known hacker group that posted evidence, the exploit, and certain administrative passwords online to embarrass the company and expose its poor security practices.

Using a “Local File Inclusion” vulnerability, a flaw in which a web application can be made to read or include files an attacker names rather than only the files it was written to serve, the hacker crew accessed the Zimbra LDAP and MySQL passwords and publicly shared their findings earlier today. This type of exploit can allow attackers to execute code remotely on the web server, insert malware through JavaScript, mount a Denial of Service attack that would slow Comcast’s servers to a crawl, and gain access to sensitive customer information.
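As an added defender-side example (not code from this article, from Comcast or from the Zimbra project), the following Python shows the two controls that address the class of flaw described above: a file loader that checks the fully resolved path against the web root before reading anything, and a scan over access-log lines for the request shapes such probing leaves behind. The temporary web root, its files and the log lines are all constructed for the example.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed web root in a temp directory so the example runs offline; a real
# application would set BASE_DIR to its template or attachment directory.
BASE_DIR = Path(tempfile.mkdtemp(prefix="lfi_demo_")).resolve()
(BASE_DIR / "mail").mkdir()
(BASE_DIR / "login.html").write_text("<h1>Login</h1>")
(BASE_DIR / "mail" / "inbox.html").write_text("<h1>Inbox</h1>")
# Constructed file outside the web root, standing in for a config file holding credentials.
OUTSIDE_FILE = BASE_DIR.parent / (BASE_DIR.name + "_config.txt")
OUTSIDE_FILE.write_text("db_password=example-only")

ALLOWED_SUFFIXES = {".html"}


class PageNotServed(Exception):
    """Raised for any request the loader refuses (traversal, wrong type, missing)."""


def load_page(name: str) -> str:
    """Return a page only if its fully resolved path is an .html file inside BASE_DIR.

    The containment check runs on the resolved path ('..' and symlinks collapsed),
    not on the raw string, so 'mail/../../x', absolute paths and symlink tricks
    all fail the same test.
    """
    try:
        candidate = (BASE_DIR / name).resolve()
        inside = BASE_DIR in candidate.parents
        servable = candidate.suffix in ALLOWED_SUFFIXES and candidate.is_file()
    except (ValueError, OSError) as exc:  # e.g. an embedded NUL byte in the name
        raise PageNotServed(name) from exc
    if not inside:
        raise PageNotServed(f"outside web root: {name}")
    if not servable:
        raise PageNotServed(f"not a servable page: {name}")
    return candidate.read_text()


def denied(name: str) -> bool:
    """True if load_page refuses the request."""
    try:
        load_page(name)
    except PageNotServed:
        return True
    return False


# --- Spotting traversal attempts in web server access logs -------------------
# Constructed sample lines in combined-log style (not from Comcast's servers).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2014:13:02:11 -0500] "GET /webmail/login.html HTTP/1.1" 200 512
203.0.113.9 - - [06/Feb/2014:13:02:14 -0500] "GET /page?name=../../../../etc/passwd HTTP/1.1" 403 0
203.0.113.9 - - [06/Feb/2014:13:02:15 -0500] "GET /page?name=..%2F..%2Fconfig%2Fdb.ini HTTP/1.1" 403 0
203.0.113.9 - - [06/Feb/2014:13:02:16 -0500] "GET /page?name=mail/inbox.html%00.jpg HTTP/1.1" 403 0
198.51.100.2 - - [06/Feb/2014:13:03:01 -0500] "GET /mail/inbox.html HTTP/1.1" 200 640
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parent-directory steps or a NUL byte in a request are the common shapes of a traversal probe.
TRAVERSAL = re.compile(r"\.\.[/\\]|\x00")


def flag_lfi_attempts(log_text: str):
    """Return (client_ip, raw_target) for requests whose decoded target shows traversal or NUL."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        decoded = unquote(unquote(target))  # decode twice to catch %252e%252e double encoding
        if TRAVERSAL.search(decoded):
            hits.append((m.group("ip"), target))
    return hits


if __name__ == "__main__":
    print(load_page("mail/inbox.html"))
    print("escape refused:", denied("../" + OUTSIDE_FILE.name))
    for ip, target in flag_lfi_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "->", target)
```

The loader's invariant is containment, so an in-root `mail/../login.html` is allowed, while the log scan flags any `..` step because on a server that does not perform such a check the attempt itself is the signal worth alerting on.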

The security breach affecting Comcast’s email servers remains open and available as of early this afternoon, and Comcast has yet to publicly respond to the security threat.

In one tweet, NullCrew thanked Comcast for putting all of their password information in one convenient spot, making the security intrusion easier.

NullCrew considers itself a hacktivist group that exposes poor security practices at corporations, government agencies, and schools. As exploits are publicized, most affected companies immediately take steps to strengthen security.

NullCrew alerted Comcast four hours before publicizing the breach, but Comcast’s social media team appeared to lack an understanding of the nature of the threat.

NullCrew posted complete documentation about executing the hack on pastebin.com (since removed), opening the door to more attacks by other parties. It also included its latest manifesto:

  1. Hello there beautiful people of the internet, once again; we here at NullCrew have some fun information for you.

  2. This time, our target is Comcast, yet another internet service provider who proclaims to be a secured one; shall we test these claims as well?

  3. What is Comcast?

  4. Comcast Corporation is the largest mass media and communications company in the world by revenue.

  5. It is the largest cable company and home Internet service provider in the United States, and the nation’s third largest home telephone service provider.

  6. Comcast provides cable television, broadband Internet, telephone service and in some areas home security (including burglar alarms, surveillance cameras, fire alarm systems and home automation) to both residential and commercial customers in 40 states and the District of Columbia.

  7. Okay!

  8. So, it’s the LARGEST mass media and communications company in the world? Sweeeeet.

  9. Let’s take a look at it, and see if we should be impressed.

  10. Below us, we have a list of Comcast mail servers; and each of these mail servers run on something called, “Zimbra.”

  11. But each of these mail servers also are vulnerable to LFi, and you know what LFi can lead to, right?


22,000 Bell Small Business Customers Have Their Usernames/Passwords Hacked

Phillip Dampier February 5, 2014 Bell (Canada), Canada, Consumer News, Public Policy & Gov't

Hackers exploited poor coding practices at an Ottawa-based third-party contractor to access and eventually publish more than 20,000 usernames and passwords of Bell Canada’s small business customers on a website.

Canada’s largest phone company is being criticized for allowing the third-party contractor access to sensitive account information, which became vulnerable after IT workers introduced security holes that bypassed Bell’s own security and encryption systems. Even worse, security experts say, Bell apparently stores customer usernames and passwords in a plain text format, accessible to any hacker.

Bell has refused to comment on the security lapse or its ongoing investigation, but the hackers are talking.

“Nullcrew” claimed responsibility for the breach on Twitter, including screenshots that suggest the group used a well-known SQL (structured query language) exploit that allowed the hackers to fish for information contained in Bell’s database.

Hackers often use automated scripts to hunt sites for security exploits and often don’t know whether they will get a handful of useless data or a treasure trove like Bell’s customer records.

Trustwave Holdings, a security company based in Chicago, Ill., said in a 2013 report that poor coding practices have made the SQL injection attack a threat for more than 15 years.

“Outsourcing IT and business systems saves money only if there’s no attack,” the Trustwave report said. “Many third-party vendors leave the door open for attack, as they don’t necessarily keep client security interests top of mind.”

“Nullcrew’s” attack also discarded any pretense of encouraging clients to use passwords that are easy to remember but hard for others to guess, since Bell stored the data in an easily readable format.
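The two weaknesses this story describes, a database query assembled from user input and passwords kept in readable form, each have a standard fix. The Python below is an added example (not code from Bell, its contractor, Trustwave or Nullcrew) that places a string-built lookup beside its parameterised form and shows salted PBKDF2 storage with constant-time verification; the customer table, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user means two customers with
    the same password get different stored values, and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    """Constructed in-memory customer table; names and passwords are invented."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, password in [("acme-plumbing", "Tr0ub4dor&3"),
                           ("bobs-bakery", "correct horse battery staple")]:
        salt, digest = hash_password(password)
        db.execute("INSERT INTO customers VALUES (?, ?, ?)", (user, salt, digest))
    db.commit()
    return db


def verify_password(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    The plaintext is never stored, so a dump of the table does not yield passwords."""
    row = db.execute("SELECT salt, pw_hash FROM customers WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


def usernames_unsafe(db: sqlite3.Connection, username: str) -> List[str]:
    # DEFECT (the coding practice behind SQL injection): the value is spliced into
    # the SQL text, so a quote character in the input changes what the statement means.
    sql = f"SELECT username FROM customers WHERE username = '{username}'"
    return [row[0] for row in db.execute(sql)]


def usernames_safe(db: sqlite3.Connection, username: str) -> List[str]:
    # Parameter binding hands the value to the driver separately from the SQL
    # text, so it is only ever compared as data and never parsed as SQL.
    return [row[0] for row in
            db.execute("SELECT username FROM customers WHERE username = ?", (username,))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("string-built lookup returns:", usernames_unsafe(db, probe))  # every row
    print("parameterised lookup returns:", usernames_safe(db, probe))   # nothing
    print("login ok:", verify_password(db, "acme-plumbing", "Tr0ub4dor&3"))
```

The parameterised form is the fix the Trustwave report alludes to: the database driver is never asked to parse user input as part of a statement. Storing only salt and digest addresses the second lapse, since a breach of the table then exposes nothing a customer typed.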

Nullcrew said it alerted Bell to its security lapse more than two weeks before publishing its find online. An additional screenshot showed a Bell online customer service representative who appeared perplexed by the hacker group’s claims and who likely never passed the information on to Bell’s security department.

Bell suspended the affected passwords over the weekend and is notifying customers about the security breach.

AT&T U-verse Expansion Peaks This Year; Company Raked in $6.9 Billion in Profits Last Quarter

Phillip Dampier January 29, 2014 AT&T, Broadband Speed, Competition, Editorial & Site News, Net Neutrality, Online Video, Rural Broadband, Video, Wireless Broadband

AT&T’s investment in U-verse expansion is expected to peak this year as part of its “Project VIP” effort to bring the fiber to the neighborhood service to more areas and offer faster broadband speeds to current customers.

AT&T is spending $6 billion over three years to broaden the footprint of U-verse, which now earns AT&T 57% of its total consumer revenues. In 2013, AT&T earned $13 billion in revenue from U-verse, up 28%.

AT&T’s investment in U-verse is dwarfed by the company’s efforts to benefit shareholders. In the last quarter of 2013, AT&T realized $6.9 billion in profits on revenue of $33.2 billion. For 2013, AT&T repurchased 366 million shares of its own stock for around $13 billion and paid out another $10 billion in shareholder dividends. Together, the total return for shareholders for the year was $23 billion and in the last two years AT&T achieved a new record benefiting shareholders with $45 billion in returns. In contrast, AT&T will spend just $6 billion on the current round of U-verse upgrades, with those markets left out likely pushed to wireless-only service if the company succeeds in winning approval to decommission its rural landline network.

Most of AT&T’s revenue growth is coming from its wireless business, particularly wireless data. After AT&T eliminated its flat rate plans, monetizing data usage has become very profitable — $23 billion per year and growing at 17% annually. Because increasing wireless usage forces customers to upgrade to higher cost plans offering more generous usage allowances, AT&T’s average revenue per customer increased by 3.9% — the highest in the wireless industry and the 20th consecutive quarter of customers collectively paying higher cell phone bills.

“The next steps are to make our networks even more powerful and layer on services that will drive new growth in the years ahead,” said AT&T CEO Randall Stephenson.

AT&T is counting on even higher customer bills as the company moves forward on several revenue-enhancing initiatives:

  1. Moving an increasing number of customers away from subsidized handsets. AT&T Next allows wireless customers to get a new handset every year, but in return AT&T no longer subsidizes equipment purchases. Instead, most Next customers finance their current phone and will finance their next one, assuring AT&T of a constant revenue stream for equipment. AT&T expects to gradually move away from phone subsidies altogether;
  2. Data plans for cars are forthcoming, as auto manufacturers install wireless capability in new vehicles. Many are signing agreements with AT&T that will make it easy for current customers to add vehicles to their existing plan, but customers of other carriers may find signing up for a new plan prohibitively expensive;
  3. Internet-connected home security systems are getting a major marketing push in 2014 with advertising blitzes and other promotions. The alarm systems are connected to and use AT&T’s wireless data network;
  4. AT&T customers are being pushed to wireless data plans with much higher data allowances than they need, delivering extra profits for AT&T with no impact on its wireless network;
  5. AT&T wants to begin selling “sponsored data” services to companies willing to foot the bill for accessing preferred websites. AT&T calls it “toll-free data,” but Net Neutrality advocates complain it monetizes data usage and establishes an unlevel playing field where deep-pocketed companies can help customers avoid AT&T’s usage meter while others have to contend with customers worried about their data allowance.

[flv]http://www.phillipdampier.com/video/ATT Next – Get A New Smartphone Every Year from ATT Wireless 1-2014.flv[/flv]

AT&T explains its Next program, which lets customers upgrade to a new smartphone every 12 or 18 months. AT&T doesn’t tell you the plan is effectively a lease that benefits them by not having to pay a phone subsidy worth hundreds of dollars to discount a phone they will eventually refurbish and resell after you return it. AT&T Next, as intended, is an endless installment payment plan that never stops as long as you keep upgrading your phone. You also can’t leave AT&T until you pay your current phone off. (1:30)

A new way for AT&T to end phone subsidies.

Despite fierce competition from T-Mobile, AT&T so far has seen little impact from T-Mobile’s aggressive marketing. AT&T added 566,000 new contract customers in the last quarter and sold 1.2 million smartphones to its customer base. AT&T’s customer churn rate — the number of customers coming and going — remains very low despite T-Mobile’s latest offer to cover AT&T’s early termination fees to encourage customers to switch.

Stephenson says AT&T’s superior wireless 4G LTE network and its larger coverage area make customers think twice about taking their business to a smaller carrier.

In 2014, AT&T laid out these plans during its quarterly results conference call this week:

  • U-verse will get an expanded TV Everywhere service allowing customers to view programming on smartphones and tablets inside their home and out;
  • U-verse broadband speed enhancements should be available to at least two-thirds of customers, with speeds up to 45Mbps;
  • LTE coverage expansion targets are expected to be ahead of schedule;
  • AT&T will begin a “big effort” on network densification — adding overlapping cell towers and small cell technology in current coverage areas — to handle network congestion;
  • AT&T will focus on improving its wired and wireless networks to prioritize video delivery;
  • If approved by the government, AT&T will use its acquired Leap/Cricket brand for aggressive new no-contract plans marketed to customers with spotty credit without tainting or devaluing the AT&T brand;
  • AT&T will use its agreements with GM, Ford, Nissan, Audi, BMW, and Tesla to offer AT&T wireless connectivity in new 2015 model year vehicles.

[flv]http://www.phillipdampier.com/video/Bloomberg ATT Latest Results Good 1-28-14.flv[/flv]

Bloomberg notes AT&T’s latest financial results are ahead of analyst expectations. Despite competition from T-Mobile, AT&T’s customer defection rate is at a historic low. (2:03)

AT&T, Verizon Wireless Resist “Kill Switch” for Stolen, Lost Smartphones

Klobuchar

After months of fruitless discussions with cell phone carriers, the U.S. Senate is moving closer towards legislation that would stop phone companies from blocking “kill switch” technology that could disable lost or stolen phones, discouraging would-be thieves.

Sen. Amy Klobuchar (D-Minn.) sent letters this week to Verizon Wireless, AT&T, Sprint and T-Mobile asking the carriers to do more to protect customers from phone theft.

Klobuchar is concerned wireless companies may be blocking cell phone manufacturers from enabling anti-theft technology customers could activate to disable missing phones and prevent unauthorized access or reactivation without the customer’s consent.

“Mobile devices aren’t just telephones anymore – increasingly people’s livelihoods depend on them,” Klobuchar said. “That’s why we need to do more to crack down on criminals who are stealing and reselling these devices, costing consumers billions every year. The wireless industry needs to step up to the plate and address these thefts, and make sure consumers have the most advanced security technology at their fingertips.”

The technology is already widely available internationally and has dramatically reduced smartphone theft by eliminating most of the resale value of the expensive devices, which are rendered useless once the phone is disabled.

Apple has contractual control over its products unlike most cell phone manufacturers.

But American carriers have so far refused permission to allow manufacturers like Samsung to introduce the feature in North America. Apple has successfully introduced a “kill switch” on many of its latest devices thanks to favorable contractual language that limits outside interference with the software Apple develops for its wireless devices. Other manufacturers are generally required to bow to carrier demands.

“I think that this is motivated by profit,” San Francisco district attorney George Gascon told CNN. Gascon reported he had seen e-mails from carriers that rebuffed Samsung’s efforts to introduce the technology in the American market.

Companies like AT&T claim that a “kill switch” feature could be exploited by hackers and make restoring service extremely difficult. But manufacturers and proponents of kill switch technology dismiss that argument, claiming the process is easily reversible once a customer enters a correct name and password. Critics believe carriers are motivated by the potential loss of millions from the sale of insurance plans, replacement phones, and the increased revenue earned from the reactivation of stolen phones.

With more than 1.6 million smartphones stolen or lost annually, carriers sell more than $800 million of replacement phones worth at least $500 each. Wireless phone companies also profit selling insurance plans priced at $7 or more monthly that offer free or discounted, typically refurbished cell phone replacements. Most customers never use the insurance plans, earning providers an extra $84 a year in revenue per customer.

Without kill switch technology and other theft prevention measures, the incentive to steal valuable smartphones continues to increase. As the price of sophisticated smartphones continues to increase, they are a prime target in street crime incidents. In San Francisco, 67% of robberies are related to mobile devices, according to the police department. Ten percent of phone owners have had a phone stolen, according to a Harris poll.

For now, the industry has only agreed to develop a voluntary database of phones reported lost or stolen. But participating carriers are largely American, allowing crooks to bypass the list by exporting phones overseas where they are quickly reactivated.

Klobuchar wants carriers to go on the record about kill switch technology, and her letter requested a formal response to three questions:

  • Whether companies have received offers from handset manufacturers to install “kill switch” technology;
  • Whether companies have introduced the technology and, if not, why not;
  • How companies will introduce such technology in the future.

[flv]http://www.phillipdampier.com/video/CNN Kill Switch Smartphones 11-20-13.flv[/flv]

CNN reports American cell phone companies aren’t interested in allowing customers to remotely disable their lost or stolen cell phones. (0:43)
