The Wireless Industry News Portal








Experts say iPad security flaw can be easily avoided


June 13, 2010

Experts say that the security flaw recently discovered on the iPad isn't serious, and that it could easily have been avoided.

Wireless security researchers say that the iPad's security hole exposed the email addresses and ICC IDs (the serial numbers of the devices' SIM cards) of more than 100,000 iPad 3G users, including employees at Homeland Security, the FCC and other high-level government offices.

Chenxi Wang, a security and risk management analyst at Forrester Research, says: "AT&T is definitely being proactive when it comes to security. It's the integrity of their application. If they had done a better job securing and testing their app, then all of this could have been easily prevented."

The attack on AT&T's Internet-based application for iPad support exposed users' information through guesswork: random ICC IDs were entered into the application until one was accepted as valid. Goatse Security, the self-proclaimed Internet watchdog group that discovered the breach, then used each valid ICC ID to retrieve the email address connected to it.

"It appears to be a parameter traversal attack, which is pretty low on the sophistication scale," Wang says.
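As an added example (not code from the article, from AT&T or from Goatse Security), this is the kind of check a defender could run over web access logs to spot the lookup pattern described above: a single client submitting many distinct ICC IDs to a lookup endpoint, most of which fail. The endpoint path, log lines, IP addresses and ICC IDs are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log sample (fake IPs, fake ICC IDs, hypothetical endpoint):
# 200 = a subscriber e-mail was returned for that ICC ID, 404 = no such ICC ID.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2010:10:00:01 +0000] "GET /iccid_lookup?iccid=8901234000000000001 HTTP/1.1" 200 312
10.0.0.5 - - [13/Jun/2010:10:00:01 +0000] "GET /iccid_lookup?iccid=8901234000000000002 HTTP/1.1" 404 51
10.0.0.5 - - [13/Jun/2010:10:00:02 +0000] "GET /iccid_lookup?iccid=8901234000000000003 HTTP/1.1" 404 51
10.0.0.5 - - [13/Jun/2010:10:00:02 +0000] "GET /iccid_lookup?iccid=8901234000000000004 HTTP/1.1" 404 51
10.0.0.5 - - [13/Jun/2010:10:00:03 +0000] "GET /iccid_lookup?iccid=8901234000000000005 HTTP/1.1" 200 318
10.0.0.5 - - [13/Jun/2010:10:00:03 +0000] "GET /iccid_lookup?iccid=8901234000000000006 HTTP/1.1" 404 51
10.0.0.5 - - [13/Jun/2010:10:00:04 +0000] "GET /iccid_lookup?iccid=8901234000000000007 HTTP/1.1" 404 51
10.0.0.5 - - [13/Jun/2010:10:00:04 +0000] "GET /iccid_lookup?iccid=8901234000000000008 HTTP/1.1" 404 51
10.0.0.9 - - [13/Jun/2010:10:00:05 +0000] "GET /iccid_lookup?iccid=8901234000000000050 HTTP/1.1" 200 305
10.0.0.7 - - [13/Jun/2010:10:00:06 +0000] "GET /iccid_lookup?iccid=8901234000000000060 HTTP/1.1" 404 51
10.0.0.7 - - [13/Jun/2010:10:00:07 +0000] "GET /iccid_lookup?iccid=8901234000000000061 HTTP/1.1" 200 310
10.0.0.7 - - [13/Jun/2010:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"GET /iccid_lookup\?iccid=(?P<iccid>\d+) HTTP/1\.[01]" (?P<status>\d{3})')

def parse_lookups(log_text):
    """Yield (client_ip, iccid, status) for every request to the lookup endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m['ip'], m['iccid'], int(m['status'])

def find_enumerators(log_text, min_distinct=5, min_miss_ratio=0.5):
    """Flag clients that query many distinct ICC IDs and mostly miss: a legitimate
    user looks up one (their own) ICC ID, while guessing yields many 404s per hit."""
    stats = defaultdict(lambda: {'iccids': set(), 'requests': 0, 'misses': 0})
    for ip, iccid, status in parse_lookups(log_text):
        s = stats[ip]
        s['iccids'].add(iccid)
        s['requests'] += 1
        if status == 404:
            s['misses'] += 1
    flagged = {}
    for ip, s in stats.items():
        miss_ratio = s['misses'] / s['requests']
        if len(s['iccids']) >= min_distinct and miss_ratio >= min_miss_ratio:
            flagged[ip] = {'distinct_iccids': len(s['iccids']),
                           'requests': s['requests'], 'miss_ratio': round(miss_ratio, 2)}
    return flagged

if __name__ == '__main__':
    print(find_enumerators(SAMPLE_LOG))
```

The thresholds are deliberately conservative; in production the same counters would be kept per client over a sliding time window and fed to rate limiting rather than only to an alert.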

Although AT&T's security flaw has attracted the attention of both the FCC and the FBI, the company says that no information beyond users' e-mail addresses and ICC IDs was compromised by the flaw in its Web application. Others are not so sure about that.

"ICC ID is just a security number and that information by itself isn't enough to do much. You have to put it together with a couple of different things for it to be a serious security issue," says Jamz Yaneza, a threat research manager at Trend Micro.

Josh Phillips, senior malware researcher at Kaspersky Lab, says the exposure of a user's e-mail address is not very serious in and of itself, because email addresses can easily be harvested from the Internet in many different ways. It does, however, raise serious concerns over the security of AT&T's Web applications, especially if the FBI, high-ranking government officials and the FCC are using them.

"I think that the more serious issue is that based on this leak of information, AT&T most likely does not have a security team reviewing their customer-facing Web apps prior to deployment," he conjectured. "And THAT is a much bigger issue!"

Yaneza added that the main concern with an exposed email address is that it makes users targets for spam, virus attacks and phishing schemes. It could also compromise the security of online accounts that use the email address as a log-in name, including social networking sites and some online banking applications.


AT&T said it had closed the security hole Thursday after being informed of the problem by a "business customer," but declined to comment further on the matter. The breach became public when Goatse Security leaked the story on the Web.

Reputable security researchers typically approach a vendor first to get a security hole fixed before going to the media. It isn't clear whether Goatse Security contacted AT&T before going to the press; skipping that step would be highly unusual in a case such as this.

AT&T said that the "person or group of people who discovered this security flaw didn't contact AT&T according to protocol," but the Associated Press reported that Goatse Security said it had notified AT&T and waited until the breach was closed before going public.

"At many websites in the U.S., you log in with your e-mail address and a random password. That's the other piece of this threat. Users should be concerned but I give kudos to AT&T for being able to patch this particular problem in a timely fashion and without trying to pretend that there isn't a problem," said Yaneza.

Charles Miller, a security researcher at Independent Security Evaluators, says the security flaw was "really not that serious, but it could have been a lot worse."

"So far, no sensitive data on the iPads were compromised, no serious information was lost. So if you compare this to the numerous leaks of credit card information and Social Security numbers that seem to happen to various Internet companies and even some banks, it's not that big of a deal," Miller said.

"But it does raise some very serious concerns about AT&T's Internet applications and how efficient they really are at shielding you from such attacks in the first place."


Source: Goatse Security.





Copyright © Wireless Industry News. All rights reserved.