Archive for the ‘Security’ Category

How Dumb Can They Be?

Wednesday, October 21st, 2009

These days, the first rule of production computing of any type is security. Hackers, phishing schemes, identity theft, and other threats have forced companies to treat security preparedness and vulnerability assessment as “Job #1.”

Except, apparently, Time-Warner’s cable hardware division.

Today a colleague forwarded a note describing a major and blindingly obvious vulnerability found to be present in over 65,000 routers shipped by Time-Warner to cable broadband customers. The worst thing about the vulnerability is that it’s so easy to discover and bypass. Nearly any hacker would happen across this (and probably already has) in fairly short order, and it’s hard to understand how this made it through quality control during the development process.

There’s no harm talking about the issue since a patch has already been shipped (hopefully users have actually installed it) and it’s therefore at least somewhat less critical. A software developer was helping a friend diagnose a problem, and accidentally discovered Time-Warner “had hidden administrative functions from its customers with Javascript code. By simply disabling Javascript in his browser, he was able to see those functions, which included a tool to dump the router’s configuration file.”

The most egregious factor was that the router password was also embedded in this file. So by dumping the output to a browser, anyone could discover (and therefore change) the router’s password. This means they could take control over the router itself. The implications of this are pretty obvious.
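As an added illustration (not code from this post or from Time-Warner’s router firmware), here is the pattern the post describes in miniature: a privileged function whose only gate is a script that hides its link, beside a version that checks the session on the server and never exports the password. All paths, field names and values are constructed.

```python
"""Added example: client-side hiding versus server-side authorization.
The vulnerable handler mirrors the post (admin link hidden by JavaScript,
endpoint served to anyone); the hardened one checks the session and never
exports the password. All paths, names and values are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample configuration with the admin password in cleartext,
# as the post says the real config file had.
ROUTER_CONFIG = {
    "wan_mode": "dhcp",
    "wifi_ssid": "home-net",
    "admin_password": "hunter2-constructed",
}

# The link is in the HTML; a script merely hides it. A browser with
# scripting off shows it, and any client can request the URL directly,
# so this is presentation, not access control.
MENU_HTML = (
    '<a href="/status">Status</a>\n'
    '<a id="adv" href="/dump_config">Dump configuration</a>\n'
    "<script>document.getElementById('adv').style.display='none';</script>"
)


@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None: no authenticated session


def render_config(redact_secrets: bool) -> str:
    """Serialize the config as key=value lines, masking secrets if asked."""
    lines = []
    for key, value in ROUTER_CONFIG.items():
        if redact_secrets and "password" in key:
            value = "<redacted>"
        lines.append(f"{key}={value}")
    return "\n".join(lines)


def vulnerable_handler(req: Request) -> Tuple[int, str]:
    """Gate exists only in the browser: /dump_config is served to anyone."""
    if req.path == "/menu":
        return 200, MENU_HTML
    if req.path == "/dump_config":
        return 200, render_config(redact_secrets=False)
    return 404, "not found"


def hardened_handler(req: Request) -> Tuple[int, str]:
    """Authorize on the server for every privileged path; the menu only
    omits the link for non-admins, the check on /dump_config protects it."""
    if req.path == "/menu":
        links = ['<a href="/status">Status</a>']
        if req.session_user == "admin":
            links.append('<a href="/dump_config">Dump configuration</a>')
        return 200, "\n".join(links)
    if req.path == "/dump_config":
        if req.session_user != "admin":
            return 403, "forbidden"
        return 200, render_config(redact_secrets=True)
    return 404, "not found"
```

The hardened menu still omits the link for convenience, but the 403 on the endpoint is the only part that actually protects anything.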

As noted, a temporary patch has already been shipped. Time-Warner is (unsurprisingly) working on a more permanent fix. In the meantime, if you or a friend has one of these routers you should obtain and install the temporary fix. Until you do, your data’s not safe and neither are your systems.

Hopefully this little incident will raise awareness of the importance of hardware security in today’s highly networked world. And no matter what router you own, be sure to change the administrative password from its default. Use a lengthy, strong password containing a mix of alphanumeric characters and whatever else your router will support. Protect your network, or get hacked. It’s that simple.

Windows Takes A Hit

Tuesday, October 13th, 2009

The rise of online data theft and malware that steals private data should concern everyone. Today, we bank, invest, communicate, and even view our medical records using online systems that could be hacked at the drop of a hat. Generally, banks and other sites are pretty good (though not bulletproof) in terms of security. The main concern is the home PC, which as often as not is infested with some sort of malware.

Now there’s a stark recommendation from various security pros: don’t use Windows. Period.

One of these recommendations comes from an Austrian security specialist, who flatly stated that he had two rules. The first is “never click on hyperlinks to the banking site.” The second was to “avoid Microsoft Windows.” Bet Redmond won’t be happy about that one. But it makes sense, since Windows is the most popular OS and therefore most targeted by malware vendors.

One of the suggested methods to avoid banking theft is the use of a Linux Live CD, which is a read-only, bootable CD containing a copy of a slimmed-down Linux OS. The thing about this is that it’s nearly bulletproof (as would be a read-only bootable Windows CD) since no one can write malware to the disk. Presuming the CD is clean when created, the only way anyone could attack your session is by monitoring the network itself in the hope of grabbing a password or other data.

Obviously, this is a bit inconvenient for many people. To use this solution, you’d need to shut down your usual OS, insert the bootable Linux CD, and boot your machine from it prior to running an online banking session. Then you’d shut down and reboot again from Windows to do normal work. But if the choice is between a minor inconvenience and possibly losing $100,000 or more (yes, this has happened to many people) the trade-off is worthwhile.

Data theft will just continue to worsen before it gets better. I think we all need to develop creative and interesting ways to avoid it. This is certainly another tool in the toolbox, and should be considered by anyone who banks or invests online.

Facebook Quizzes and Privacy

Wednesday, September 16th, 2009

One of the advantages of social networks is that they can put you in contact with old friends, schoolmates, and co-workers. With a few clicks, you can reach out to people you haven’t seen in decades (presuming you’ve been alive that long), and meet up with like-minded people.

However, one of the disadvantages of social networks is that they can put you in contact with people you’ve never met, whose profiles may be bogus, and who might not be the nicest people in the world. They’re a lot like talking over CB radio: the person on the other end of the mike might claim to be a stunningly beautiful college student (of whichever gender) living just across town. But they could turn out to be a 14-year-old kid using a hijacked account, or a 50-year-old stalker looking for their next victim.

This isn’t to say you should be paranoid online, but you should be careful. This is even more apparent when you take the ACLU’s Facebook Privacy Quiz and find out how much information might be accessible to people you don’t even know.

If you set up a default FB account and never adjust the privacy settings, your profile can be picked up and published externally by various search engines without your knowledge. And if you subscribe to any of the popular quizzes that frequently show up on Facebook, your profile information becomes immediately accessible to those applications. Answer some questions in the “Which Tolkien Character Are you?” quiz, and some guy in Lithuania might gain access to all your photos, posts, friend lists, and other information.

Facebook itself has a privacy policy, and claims that developers must adhere to it. But you can set yourself up as a Facebook application developer using nothing more than an email address, so how much checking really goes on? Probably very little, since hundreds of applications and quizzes pop up on a daily basis.

Take the quiz. Then follow the ACLU’s suggestions about your profile settings. Lock them down so that only friends, and friends of friends, can see your information. Don’t provide unnecessary levels of information regarding your personally identifying data to any social networking site (especially your full birthday, phone number, or other sensitive information). Protect your privacy.

Cybercriminals Want You…Or Do They?

Thursday, September 10th, 2009

Everyone is vulnerable to identity theft. Leave a utility bill, credit card receipt, or (worst of all if you’re an American) your Social Security info lying around in the wrong place, and you could be in for a world of hurt. But it’s also pretty obvious that some people are far better marks than others. The more you’re worth, the more you can lose.

I suspect many of us have an “it won’t happen to me” attitude about cyber crime, but now you can check your risk using a new Norton site that, after a few quick questions, can tell you how much you have to lose online. In a few minutes you can find out how much your online assets are worth, how much your online identity would sell for on the black market, and your overall risk of becoming a victim of identity theft.

I took the test, and got a risk level of “medium” (no idea how that was arrived at). Many of the questions are relatively obvious, asking whether you do online banking, use social networking sites, and other services that could potentially reveal information to criminals. What was appalling is that, based on my answers, I was told that a criminal would be willing to pay as little as $30.59 to obtain a copy of all my personal data. I guess I’m worth more than I thought, since I answered that they’d be willing to pay $10!

Naturally, Symantec wants to sell you some software as well. But they claim they’re not trying to instill fear or paranoia — neither of which are useful anyway. They’re trying to raise awareness, and are hoping IT managers and others will send users to the site.

I’ll say it again: security is hard. We all have to remember to lock our cars and homes, to monitor the location of our credit cards and licenses, and to shred information before putting it in the bin. The same rule applies for online security — you have to think about not revealing information on a web site that purports to represent a legitimate business entity. Don’t be paranoid, just be vigilant and careful. Remember that criminals can assemble your whole life history using bits of data gathered from multiple locations. Be careful where you click, and what you tell others.

Free Antivirus Packages?

Thursday, August 27th, 2009

Unless you’re Bill Gates or Warren Buffett, you’re probably not able to buy everything you need (or want). Everyone’s on a budget, especially in these days of down markets and layoffs. Thus, you may be tempted to use one of the free antivirus packages that can be found on the Internet instead of buying a full-blown suite. The good news is that yes, some of them (but not all!) are legitimate and won’t infect your machine with malware. The bad news is that they’re not nearly as full-featured as commercial applications, and they can be a lot more annoying.

First off, rule one: don’t just blindly download any package you run across on a website. If you don’t know that already, please unplug your machine from the ‘Net now and put it in the trash can. You need to make sure that (a) the package itself is legitimate, and (b) that you’re downloading it from a valid site. Many hackers today copy “download it now” buttons from legitimate websites, put these on their own sites, and link them to viruses or botnet installers. Why? Because they know they’ll catch at least a few people in this kind of trap.

Rule two: read Rule One again.

Now, it so happens that PC World recently ran an article discussing the relative merits of various free antivirus packages. The systems listed in their article are all legitimate, well-respected, and won’t plant viruses on your machine (presuming you get them from the actual vendor).

These packages all work, and will definitely help protect your machine from viruses and other threats. However, read the caveats. They’re not as full-featured as commercial suites, don’t come with any sort of software support, and many include annoying pop-up nagware ads begging you to buy a real license.

Installing one of these packages is definitely better than having no protection at all…which is, sadly, still the norm as far as I can tell. If you’re unable to spend the money for a full-blown protection suite, at least grab one of these free alternatives. And make sure to keep it updated, otherwise it’s just taking up space on your hard drive.

Spammers Switching Tactics

Wednesday, August 26th, 2009

A recent IBM analysis of spam trends seems to show that phishing is on the decline, with the number of mails that could be classified as such dropping significantly in the first half of the year. “IBM’s midyear security report found that phishing accounted for just 0.1 percent of all spam in the first six months of this year. In the same period in 2008, phishing made up 0.2 percent to 0.8 percent of all spam.”

This said, the overall quantity of spam sent during the same period was the same as the prior year, so this is not just a case of larger quantities of spam causing an overall percentage drop in phishing messages. And there’s no clear indication of what this trend means yet. Was phishing (as we now know it) unsuccessful in catching unwary users? Or, as the report suggests, is it “because computer users are getting smarter about identifying phony Web sites. Security software is also getting better at filtering out phishing sites before Web surfers ever see them.”

I suspect spammers and hackers are moving on to bigger and nastier things. Botnets are now the Next Big Thing in the underground digital world. Why phish and (maybe) catch a single user’s personal data by redirecting them to one bogus site when you can make their PC into your zombie, monitor their keystrokes, and capture a whole lot more data over a longer period? This is especially true if you’re subtle about it, and don’t overtly reveal your presence by, say, publishing their keystrokes on a social networking site or draining their bank accounts.

No…infecting PCs with malware, then holding them hostage over a longer period of time is a much better strategy. Think of it in military terms: one side will gain far more knowledge and a better advantage by planting a well-hidden spy in a headquarters than by having a squad break in and ransack the building. The first is far more subtle and has long term advantages in terms of information gathering. The second immediately tells the enemy they need to lock the building down more tightly and change all their plans.

Keep your PC updated, your malware scanners active, and your firewall intact.

Major Hacking Ring Arraigned

Monday, August 17th, 2009

Data breaches, a term few people had ever heard of before half a decade ago, are now fairly common. Over the years we’ve seen numerous news stories, many of which read like a Who’s Who list of major retail companies. TJX, Marshalls, several large grocery chains, and others have been the subject of data breaches that compromised millions of credit card numbers.

Now it turns out that, allegedly, many of these were orchestrated by one guy in the States, with the cooperation of two unnamed Russians whose whereabouts are unknown. Over about a three-year period, this three-man mob is alleged to have hijacked numerous large sites through various means. They are said to have cased the systems by exploring websites, after which they exploited vulnerabilities in order to grab credit card data.

Then they sold this data to users all over the world, who then made fraudulent purchases. This is massive, and it’s unbelievable that all these incidents were perpetrated by such a small group. In the past, a “heist” of this magnitude would usually require a large gang. Now it’s just a matter of a couple of guys sitting in Internet cafes or their homes, poking around until they find something worth compromising.

The worst of it is that so many major sites were open to apparently easy penetration. But I’m not surprised since I’ve seen some very badly designed sites, and I’m sure that behind some of those ultra-slick user interfaces there lurks horrendously insecure code that’s just waiting to be broken. Today, many corporations hire UI designers, not seasoned developers, and seem to use lots of automated source code generation systems when creating their websites. I doubt that many actually perform serious penetration testing, or hire vendors who care enough to include serious security in their software.

Companies generally want slick, well-received sites they can produce quickly and maintain easily. Sadly, design using this paradigm doesn’t always translate to good security. Hackers love it, though. 130 million compromised identities and $400 million in damages say it all.

IE8: King of Browser Security?

Thursday, August 13th, 2009

An interesting article released recently suggests that Microsoft’s latest version of Internet Explorer, IE8, is your best defense against current security threats that infest the Internet.

Indeed, I like IE8 overall. It’s a whole heck of a lot better than earlier releases, but not because it’s more secure. Instead, I like it because it brings IE closer to actual conformance with W3C standards. This makes software development easier, lessens the need for browser-specific code, and should help developers deliver better solutions to their customers.

But what bothers me about these testing results is that “Microsoft paid for the tests.” I always doubt the results of testing performed at the behest of a specific vendor, unless that vendor agrees in advance that it will not review or modify the results, will accept them without question, and so forth. I don’t know if Microsoft agreed to such conditions or not.

Even if they didn’t, the results appear to be pretty good in terms of security. “Internet Explorer 8 and Firefox 3 were the most consistent in the high level of protection they offered” against phishing attacks. This is known as the “average phishing URL catch rate,” and IE8 was successful 83% of the time. Firefox caught 80%.

What’s sad is that the same test showed “Opera 10 beta at 54%, followed by Chrome 2 at 26% and Safari 4 at 2%.” If these results are accurate, it means that Chrome and Safari have a long way to go.

What’s even worse, of course, is that developers now have to spend so much time even trying to catch and block all these threats in the first place. What we really need is for law enforcement to catch up to the 21st century, and start throwing spammers and phishing-scheme artists into jail for very long periods of time.

Or better yet, users could keep their systems updated and stop clicking on emails that infect their systems with botnet software (yeah, as if that will ever happen).

ACH Fraud on the Rise

Thursday, August 6th, 2009

As if there aren’t enough security issues to deal with these days, it looks as if someone has come up with a fast and efficient way to make big money in a very short period of time. Several large-to-midsize organizations have been hit by ACH (Automated Clearing House) fraud scams, in which the organization’s accounts are drained through a series of bank transfers.

In one case, a school system was hit. The thieves were clever, waiting until administrators were away on holiday leave before running the scam. And “during a four-day period between Dec. 29 and Jan. 2, siphoned US$704,610.35 out of two of the school district’s bank accounts.” Some was recovered, but the rest is gone for good. In another case, a Texas company was hit for $1.2 million. Most was recovered, but the thieves made $150,000 in a few minutes. Not a bad day’s work.

How do these things happen? It’s the same old story — the thieves send a “targeted phishing e-mail, aimed at whomever is in charge of the company’s checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.”

As usual, the warning is clear. Be very, very careful when opening emails containing any sort of attachment. If you’re suspicious, don’t open the message at all. If you think it’s from a legitimate sender (i.e. you recognize the address), contact the person by phone or some other trusted means to confirm they actually sent the message. And, of course, make sure your email is monitored by either an enterprise-wide scanning system or by individual copies of a good antivirus/anti-malware package.

Anyone can be fooled. In pre-computing days, one trick was to call someone on the phone, claiming to be from a vendor in need of bank account data. Or, a scammer would send a phony invoice in the hope of obtaining the same information on a check or other instrument. Scams mainly rely on the mark trusting the scammer, or not checking the facts. Don’t get caught.

Black Hats at Work

Friday, July 31st, 2009

In the security world, there are basically two types of hackers. First are the White Hats, who work “within the system” to uncover and solve security-related issues in code, infrastructure, and so forth. They don’t hack for malicious reasons. Instead they work on “ethical hacking” and try to help people improve their security posture.

Black Hats, on the other hand, are the bad guys (as one might expect). They’re the people who break into systems, steal data, and otherwise do bad things. So it’s somewhat ironic that one of the premier security conferences held these days is known as Black Hat. It’s a multi-day extravaganza of white papers, presentations, and extremely geeky discussions around security and technology.

This year’s conference exposed some interesting defects and weaknesses, as is usually the case. They range from problems in the Linux kernel to holes in the SSL (Secure Sockets Layer, widely used to send encrypted data to and from websites) and iPhone SMS implementations.

Some people see conferences like these as nothing more than a bunch of geeks showing off to one another. This may be somewhat true. As a geek, I can tell you we love street cred as much as any rapper…we just gain it in a different way. But the public exposure of weaknesses in security architectures is much better than waiting for actual thieves to find these same holes. Which they will.

In the 1980s, a Navy SEAL commander formed a team he called Red Cell. He conducted security penetration tests at military facilities, with the objective of helping base commanders improve their security posture. He was wildly successful…in some cases. Some commanders loved what he did, since it helped them find and correct problems. Others saw it as a nuisance, an embarrassment, or a total waste of time and tried to get his team disbanded.

IT security White Hats, in my experience, get exactly the same mix of responses. Some people want to find and correct holes in their systems. Others are content to cover their eyes and ears. They’re the people most likely to have their sites hacked.