Like numbers? Here's some for your morning coffee… 2,904. 10. 2.4 million.

Those numbers are integral to what federal prosecutors in Brooklyn allege occurred on February 19, when a team of eight men scattered throughout the Borough of Manhattan to make 2,904 ATM withdraws in the space of 10 hours, making off with about $2.4 million in New York alone.

The heist was part of a larger global plot implemented at the same time that raked in about $45 million, all told.

According to the indictment, the eight-person team in New York was the final stage in a process that first involved hackers gaining access to an Indian credit card processing vendor and then eliminating the limits on prepaid MasterCard accounts. Using the unlimited cards, teams around the world raided bank ATMs for cash before they financial institutions knew what hit them.

The New York Times has more details on the ATM spree, which may be a taste of what's to come as banks and credit card companies keep falling victim to criminal ingenuity.

Image courtesy of Shutterstock.

You've installed antivirus software on your computers, configured your operating system to update its security automatically and password-protected your Wi-Fi. So your home network is safe against hackers, right?

Guess again. And then take a long look at your wireless router.

What Can Happen (Hint: It's Bad)

For years, manufacturers of home routers have all but ignored security issues, at least when it comes to making sure that consumers update their firmware to close exploitable vulnerabilities. Let's put it this way: Have you ever updated the firmware on your router? If not, odds are good that it's got one or more security holes through which a properly motivated hacker could slip.

Attacks on routers aren't common, partly for logistical reasons that make them uneconomical for hackers. But that could change as technology evolves, criminal incentives shift and security tightens up in other areas. One big potential trouble spot: the embedded Web servers that many routers use for managing their settings — including, of course, security.

Router manufacturers have done a lousy job informing users about firmware updates that would patch security flaws, and are even worse making it easy for users to obtain and install those updates. Such patches are seldom available through automatic services, forcing users to look up the fixes on manufacturer websites.

"These are low-priced, low-power devices," Tod Beardsley, a researcher with application security vendor Rapid7, said. Manufacturers "may not have the margins on these devices to provide ongoing software support."

To see what can happen when a flaw remains unpatched, look no further than a major intrusion in Brazil in 2011, when hackers broke into 4.5 million home DSL modems over the Internet. The modems were reconfigured to send users to malware-carrying imposter websites, primarily so thieves could steal their online banking credentials.

From Brazil With Love

That exploit in Brazil was similar to one that application security tester Phil Purviance recently employed against a wireless Linksys EA2700, which was released about a year ago. Called a cross-site request forgery, the technique allowed Purviance to break into the router's embedded management Web site. Once in, Purviance found he could change the login information and remotely manage the hardware.

"What I found was so terrible, awful, and completely inexcusable!" Purviance wrote in his blog. "It only took 30 minutes to come to the conclusion that any network with an EA2700 router on it is an insecure network!"

Purviance found a total of five vulnerabilities in two Linksys routers, the EA2700 and WRT54GL. Separately, flaws recently found in Linux-based routers from D-Link and Netgear could enable a hacker on the network to gain access to the command prompt on the operating system, Rapid7 reported.

D-Link and Netgear didn't respond to requests for comment. Belkin, which bought Linksys from Cisco last month, said in an email sent to ReadWrite that the EA2700 was fixed in a firmware update released last June. Called Smart Wi-Fi, the firmware is available through an opt-in update service. 

What Hackers Want

Manufacturers have gotten away with sloppy security practices because breaking into wireless routers usually requires physical proximity. That made it far harder for hackers to bust into multiple computers, because they'd have to move from network to network in order to target them. Thus hackers have tended to favor blasting out malware-carrying spam from a single location over attacking individual wireless routers.

But that could change. Industrial control systems that run manufacturing operations, power grids and other critical infrastructure are increasingly under pressure from cyberespionage campaigns. Vulnerabilities in these systems are as bad as in home routers. You can see just how bad is is via the search engine Shodan,  which collects information on 500 million connected devices, such as routers, printers, webcams and servers, each month.

In time, hackers will develop better tools and malware for breaking into hardware, and this technology will eventually find its way into the criminal underground.

How To Safeguard Your Router

In other words, it makes sense to safeguard your router now. Here are a few steps you can take to make your home network a less inviting target:

• In your router security settings, make sure you've changed any default usernames and passwords. These will be the first things any hacker tries, much the way a burglar jiggles a doorknob to see if it's unlocked.
• Disable wireless access to your router's management console, which allows you to manage its settings by pointing a Web browser to an address such as 192.168.1.1. Disabling wireless access means you'll have to be physically plugged into the router in order to manage it, making it far more difficult to hack.
• If you're sufficiently technically minded, consider replacing your router's doubtless buggy internal software with an open-source alternative such as DD-WRT, Tomato or OpenWRT. While these options aren't particularly consumer friendly, their firmware is less likely to contain obvious vulnerabilities — and will probably offer you some cool new features, too.

Image courtesy of Shutterstock

Updated at 12:35pm PT to make clear that embedded Web servers, not embedded browsers, pose a security threat in many routers.

At the RSA Conference in San Francisco last week, I got the chance to sit down with Stephen Cobb, a distinguished security researcher for the IT security company ESET. We talked about a lot of things, including Android security issues and how walled gardens have their uses.

(See also In The Security World, Android Is The New Windows.)

It was a great conversation, touching on a wide variety of fascinating aspects of online and mobile security, and I wanted to share as many of them as possible.

This list seemed like the best way to do that. And while not every one of the dirty-dozen points presented here may surprise you, I can pretty much guarantee that few people will already know - or agree with - everything on the list:

1. Big Data is not new to the anti-virus industry. Turns out the anti-virus companies have been doing traffic analysis, incident sharing and code sharing for decades, Cobb claims. They just didn't call it Big Data until the term become fashionable.

2. Anti-virus companies have been practicing co-opetition since the 1980s, when they realized there was no percentage in one company being able to stop one virus while you needed another company to stop a different virus. They quietly began sharing virus signatures and other information, Cobb says.

3. All the major Web browsers share information on malware sites and other threats. Chrome, Internet Explorer, Firefox and the others all share which URLs to flag, for example. That's why when NBC.com was hacked recently and started spewing malware, everybody was able to block it almost immediately.

4. One of the hardest parts of securing Big Data is knowing where the data is actually stored. In the old days, when data was collected and stored, it didn't really move much. Now, in the cloud, Cobbs says we don't really know where data is stored. Malware creators are intent on exploiting that, but what form that will take remains to be seen.

5. One reason more high-value targets haven't been hacked is that there is still so much low-hanging fruit for the bad guys to go after. According to Cobb, so far, there hasn't been much need to try and crack the hardest targets.

6. Most attacks take the form of malware or hacking. Of the hacking attacks, Cobb says, 80% go after passwords that are either non-existent, guessed or stolen.

7. Anti-virus hasn't been about matching virus signatures for years. Some people say the anti-virus model doesn't work because so much new malware is coming out all the time that anti-virus solutions can't possibly keep up. But Cobb protests that most anti-virus software is continually detecting previously unseen malware.

8. People who know what they're doing on the Internet might be able to get by with no anti-virus software. But Cobb says people are fooling themselves when they claim: "I don't run anti-virus software and I've never been hacked." "Are you really OK telling everyone you know - your mom, for instance - not to run anti-virus software?" he asks.

9. There's still an incredible amount of spam out there. You don't see it, but it's still there. It's using a a huge amount of datacenter power to block it, but it's built into the network security appliance and you don't have to deal with it.

10. The overall trend is for increasing levels of security to be compressed into the core, to become part of a standard install. That's happened to anti-spam, to firewalls and it's happening to anti-virus, too.

11. It's a lot harder to write 64-bit malware than it is to write 32-bit malware. And that could help lower the number of attacks on 64-bit systems.

12. In many ways, hacking behavior seems to have gotten better over the years - at least in the United States, Cobb says. But we are now increasingly exposed to other, more dangerous places. The globalization of the Net has caught up with us even as the value of hacking has one way up. Today, hackers aren't just messing with us, Cobb notes, they're stealing from us. And that's a big new incentive.

For decades, Microsoft Windows was the computer platform of choice — not just for the overhwelming majority of computer users, but also for a growing legion of malware creators. As the dominant computing platform, it offered the fattest, most lucrative target, and some of its fundamental architecture decisions made it vulnerable to many kinds of malware.

With the transition to the mobile era, Windows is no longer at the center of the computing universe — for users or for hackers. That role is now occupied by Android. According to Stephen Cobb, a distinguished security researcher for the IT security company ESET, "Android is like early Windows." It's now the locus for security attacks and prevention — even if it's not getting as much attention in this regard as Windows used to.

Flying Under The Radar?

"There's so much malware on Android, you'd think it would be a huge deal," Cobb said. And the growth of is "huge," he added, "both in the number of malware exploits and their increasing sophistication. The rate of growth in Android malware is impressive, and scary."

(See also Sloppy App Development Leaves Android Owners At Risk)

At this week's RSA conference in San Francisco, ESET did a live demo on Android, downloading an infected app that roots the phone and opens it up to whatever the attacker wants to do with it — including dumping out its entire contents in a few seconds over the Internet.

Why aren't we hearing more about Android's security problems? "It's death by 1000 cuts," Cobb said. Instead of emptying the bank accounts of infected users, the malware is more often used to for premium-rate SMS fraud against mobile carriers, "which isn't bankrupting anyone immediately. They're flying under the radar."

"I don't think the criminal underground is sophisticated enough that it is holding back," Cobb said. It's just that when a mobile platform is the target, "the model is many times a smaller attack — or you can look at it as part of a larger attack."

(See also Where Has All The Mobile Malware Gone?)

For example, if a criminal wants to insert himself into a small or medium-sized business doing $40,000 bank transfers, he'd run into the fact that many online banking systems use two-factor authentication — i.e., they require a code sent to a client's mobile device in addition to a password. But a mobile hack can help defeat that.

Your Mobile Platform Does Matter

Just as on computers, which mobile platform you use really does make a difference on security. "The Apple model of a closed shop, from a security standpoint, is a very good thing," Cobb said. Apple's OS X and iOS are both pretty secure to start with, and with iOS and the App Store, "Apple is moving that from a physical environment to a software environment."

Even as Android takes the lead in global sales, it's been much less successful from a security standpoint. "We sell an anti-virus product for Android," Cobbnoted. "No one sells anti-virus for iOS."

What will it take for Android to clean up its act? "Quite frankly, I expect to see it improve when sales start getting impacted," Cobb said. That obviously hasn't happened yet on a mass scale, as Android sales continue to outstrip its smartphone competitors.

But Cobb said that "In some circles it is already having an effect… I wouldn't use an Android phone for my personal stuff."

Meanwhile, Windows Is Getting Better

Ironically, as Android's secuirty issues grow, Windows is actually getting better. "Microsoft deserves kudos for making Windows more and more secure," Cobb said. And with the move to Windows 8, Microsoft is shifting toward a more closed, more secure model, specifically by by not allowing apps unless they are from a legitimate developer.

Plus, Windows' issues over the years have had the effect of training people to be more careful. "Someone who's been using Windows for the last 10 years is probably better protected than a Mac person," Cobb joked. "They've had to learn the hard way."

The problem is in that in an ostensibly protected environment, people can get a false sense of security. They are still vulnerable to "some big hack" that overrides all the existing protections, or to "social engineering" attacks, Cobb noted. That's why many of the bad guys are changing tactics. "Instead of trying to break into the computer, they're now trying to break into the person."

Ultimately, that's only one reason Cobb thinks that concentrating on mobile malware may be the wrong angle. "What the bad guys really want," he said, "is the device out of your pocket." If they can physically get ahold of your device, they can do all sorts of bad things.

Image of Stephen Cobb by Fredric Paul.

Guest author Tomer Teller is a security evangelist at Check Point Software Technologies.

On November 6, the United States will complete the most digital Presidential election in our history. In the run up to the big day, millions Americans are flocking to the Web to inform their voting and follow campaign trails. With all the excitement, though, comes a sinister reality: Voter, candidate and campaign-related search terms can turn Web citizens into identity-theft targets and their computers into malicious bots.

New SEO Tricks

Today's cyber-criminals are no longer just reliant on spam. Instead, they use a technique as common among legitimate companies as it is in the world of cyber-crime – search engine optimization, or SEO. For years, attackers have taken advantage of popular news events to entice victims to visit malicious sites. But today's black hat SEO schemes have added some new moves to their bag of tricks.

One new trick surfaced in scams taking advantage of interest in the summer Olympics and is now being employed in the lead-up to the November elections.

Attackers looking to beat efforts by search engines and others to determine the reputation of a website by its age have taken to purchasing existing domains that are about to expire. Typically, the scammers change the content of the page only days before the start of the event they are planning to hijack. Scammers may also purchase dropped domains to bolster their own network by using them to link to their own sites, once again improving their search engine rankings.

The attackers do not need their websites to persist for long; in fact, they do not expect them to. Having their site rank high in search engine results for a day or so can be more than long enough for them to compromise enough machines to make money. 

If the goal is to get users to click on a search result, common sense would indicate that the most popular news item of the day would be the juiciest piece of low-hanging fruit. Right now, that's the Presidential election.

The Bad Guys Now Leverage Niches

But today's scammers are also increasingly moving toward leveraging niche news items and people. The idea is that less-popular subjects will have fewer legitimate search results to compete with, increasing the chances Web users will click on a malicious link. Regional ballot issues, local campaign news or write-in candidates are becoming prime targets.

Part of the key to successful search engine optimization is utilizing backlinks. Backlinks are used by search engines to help determine the popularity of a particular site. The more links to a webpage, the higher that page's page rank.

Scammers exploit this system in several ways. One is to build a profile on a high-traffic site like LiveJournal or SoundCloud - and then add a link to the profile signature. Another is to sponsor a WordPress theme. This allows an attacker to add a link to his site to the theme's template – thereby automatically linking any site where the theme is installed back to the malicious website.

Then there's keyword stuffing, filling webpage content or meta tags with keywords. Google warns that loading pages with irrelevant keywords can hurt a site's ranking, but attackers often try to circumvent this through "cloaking," where the Web server presents different content to search engine crawlers than it does to users.

Tried And True Bad Behavior

Of course, when it comes to SEO, anything that works never goes out of style. Traditional methods such as simply inserting links on user forums and in the comment section of various websites are still commonplace. Scammers also continue to make use of doorway pages, or "throwaway pages," which are designed to draw search engine users to another website.

Search engines like Google are doing their part to discourage abuses - threatening to remove sites that use throwaway pages from the search listings, for example. But responsibility for computer security ultimately lies with the user.

Be wary of search engine results with URLs with names that seem strange or out of place. Various security companies offer safety ratings of URLs. And you always need at least a two-way firewall and antivirus software on your computer.

As always, the key to avoiding threats - even election-related ones - is to stay informed and stay alert.

Sure, cybercrime headlines go to multinational conglomerates that are breached by determined, sophisticated criminals. But small firms get hit more often, a fact that no doubt surprises their owners and customers.

Mom-and-pops often take fewer precautions, and when their customers also let down their guard, they all become easy prey. It might be more time-consuming to string together access to a lot of small businesses, but the prize – fat consumer financial accounts – is just as valuable as any stolen from big firms.

Security Polices Are Lacking

A recent survey of more than 1,000 businesses with less than 250 employees shows that nine in 10 have no formal policies guiding employees on how to avoid malicious sites that download malware. Commissioned by the National Cyber Security Alliance and Symantec, the poll also found that more than seven in 10 respondents have no guidelines for using Facebook, Twitter and other social media where cybercriminals will hijack accounts to distribute malicious links.

Privacy polices were also lacking. The survey found that 60% of the businesses had no guidelines for employees to follow regarding customer or employee information.

The Security Risks Are Obvious

Oddly, small-business owners understand the importance of Internet security.

Fully 73% said using the Internet safely was critical to their business, and 46% acknowledged it was very critical. In fact, nearly nine in 10 had one or more employees using the Internet for daily operations, with seven in 10 saying they were either somewhat or very dependent on the Internet for running their company.

Nevertheless, nearly 60% of the businesses had no contingency for handling a loss of customer or employee data, credit or debit numbers or intellectual property. Yet, nearly seven in 10 manage their own sites in-house, meaning if there's trouble, the small business is liable.

Size Doesn't Matter

So why the disconnect? Michael Kaiser, executive director of security alliance, said small businesses believe hackers are more interested in breaking into large companies that would seem to have much more valuable information.

"They may think their size protects them," Kaiser said.

What many small businesses don't realize is that hackers value information no matter the size of the company. They want names and passwords of employees' email accounts in order to identify customers and send them malware or links to malicious sites.

Small businesses “may not understand how the cybercriminal system works," he said. "A list of 200 customers may be incredibly valuable."

Of course, not all small businesses operate the same way. Those working with defense and financial firms are used to tighter security requirements, for example. More small businesses will have to upgrade to similar levels.

The Easy Pickings

Software powering electronic cash registers is a popular target. Last December, four Romanians were indicted in U.S. federal court for allegedly stealing credit-, debit- and gift-card numbers from the point-of-sale systems at 150 Subway restaurants and more than 50 other franchise and small retailers. The suspects were accused of charging millions of dollars to the accounts of 80,000 customers.

Chester Wisniewski, senior security adviser for anti-virus software vendor Sophos, said small businesses tend to fall behind in software updates that patch security flaws.

"A small business is a target that doesn't necessarily have any better security than my mom and dad," Wisniewski said.

Weak security by small businesses accounts for 90% of the payment data breaches reported to Visa. A study by Verizon found that nearly three-quarters of data breaches in 2011 involved businesses with fewer than 100 employees.

Share As Little Data As Possible

Put all the facts together and a person would be wise to share as little personal information as possible with a small business.

All business owners should consider the case of hotelier Wyndham Worldwide. It was sued this year by the Federal Trade Commission for failing to have adequate security to prevent the theft of payment card information of hundreds of thousands of customers.

There’s nothing to say a small firm can’t be victimized and then sued.

"I wouldn't store my credit card with anyone," Wisniewski said.