Should AT&T-iPad 3G security breach worry you?

Posted by: Flirtation Creations  /  Category: Apple Inc, iPad

If you were an early adopter of the 3G-embedded version of the iPad — as in, you bought it on Day One — there’s a chance that your e-mail address and your iPad’s ICC-ID number were exposed by a group of hackers who exploited a weakness on AT&T’s website. How bad is the breach, and should you be worried?
First, a little background. Gawker broke the news late Wednesday that a group of hackers going by the name of Goatse Security managed to grab the information of more than 114,000 iPad 3G owners — including, as it turns out, such high-profile early adopters as New York City Mayor Michael Bloomberg and maybe even White House Chief of Staff Rahm Emanuel — by exploiting a wonky script on the AT&T website.
Basically, by hitting the script with an ICC-ID (the unique serial number of an iPad 3G's SIM card), the hackers got back the e-mail address associated with that account, according to Gawker; the script demanded no login and asked no other question first. Because ICC-IDs are handed out in sequence, guessing valid ones takes no skill, so by methodically firing off one ICC-ID after another, the Goatse Security hackers dredged up the e-mail addresses of one early iPad 3G adopter after another, including the CEOs of the New York Times, Time magazine and Dow Jones, as well as staffers at NASA and the Department of Defense.
Not good, right? Lucky for us, the hackers at Goatse Security seem more interested in revealing security holes than in exploiting them, and the group shopped around its findings to a variety of news organizations Sunday, according to Forbes, and Gawker bit. (Gawker, by the way is owned by Gawker Media, the same company that owns Gizmodo and paid for Gizmodo’s iPhone leak. Gawker says it didn’t pay for the iPad security breach story.)
In a statement to Gawker, AT&T said it learned of the security hole Monday (from a “business customer,” not Goatse Security) and had plugged it by Tuesday (a day before Gawker published its post). “We take customer privacy very seriously, and while we have fixed this problem, we apologize to our customers who were impacted,” AT&T said, adding that it would be contacting any and all customers whose e-mail and ICC-ID numbers were exposed. Apple has yet to issue a statement.
So, how did the e-mail addresses and ICC-ID numbers of iPad 3G owners end up on a publicly accessible website? As Matt Buchanan at Gizmodo explains, the problem was a "tiny convenience feature" on the iPad 3G that fills (or filled, as of Tuesday) in your e-mail address automatically when you check your AT&T account from the iPad's Settings menu: the iPad handed its SIM's ICC-ID to AT&T's site, and the site looked up the account and sent back the e-mail address to pre-fill the form. Nothing tied that lookup to the iPad that actually owned the SIM, so anyone who supplied an ICC-ID got the same answer. Now that AT&T has plugged the security hole, you'll have to tap in your e-mail address every time you want to check the status of your 3G account.
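To make the class of weakness concrete, here is an added illustration in Python. It is not AT&T's code or the Goatse tooling: it models an unauthenticated lookup that maps any ICC-ID it is handed to an e-mail address, runs the "one ICC-ID after another" loop against it, and then shows a hardened version that binds the lookup to an authenticated session, rate-limits the endpoint and returns one indistinguishable error for every refusal. The subscriber table, the ICC-ID prefix and all names are constructed for the example; the only real detail borrowed is that ICC-IDs end in a Luhn check digit.

```python
"""
Added illustration (not AT&T's code or the Goatse tooling): a toy model of an
unauthenticated lookup keyed on a sequential identifier, beside a hardened
version. Subscriber table, ICC-ID prefix and all names are constructed.
"""
from collections import defaultdict, deque


def luhn_check_digit(payload: str) -> str:
    """Check digit for a digit string; ICC-IDs end in a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                     # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(iccid: str) -> bool:
    return iccid.isdigit() and len(iccid) >= 2 and \
        luhn_check_digit(iccid[:-1]) == iccid[-1]


def make_iccid(seq: int) -> str:
    """Constructed 19-digit ICC-ID: a fixed 14-digit prefix, a 4-digit batch
    sequence number and the check digit. Sequential, as SIMs from one batch are."""
    payload = f"89014103211111{seq:04d}"
    return payload + luhn_check_digit(payload)


# Constructed subscriber table: five consecutive SIMs from one batch.
SUBSCRIBERS = {make_iccid(1000 + i): f"user{i}@example.com" for i in range(5)}


# --- The vulnerable pattern: any caller, no session, any identifier ----------
def lookup_email_vulnerable(iccid: str):
    return SUBSCRIBERS.get(iccid)


def enumerate_emails(start_seq: int, count: int) -> dict:
    """What 'firing off one ICC-ID after another' amounts to: walk the batch
    sequence (the check digit is computed, so every request is well-formed)
    and keep every hit."""
    found = {}
    for seq in range(start_seq, start_seq + count):
        iccid = make_iccid(seq)
        email = lookup_email_vulnerable(iccid)
        if email is not None:
            found[iccid] = email
    return found


# --- Hardened: bind the lookup to a session and rate-limit the endpoint ------
class AccessDenied(Exception):
    """One error for 'unknown ICC-ID', 'not your ICC-ID' and 'too many
    requests', so the response never reveals which ICC-IDs exist."""


class HardenedLookup:
    def __init__(self, max_requests: int = 5, window_seconds: float = 60.0):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)        # client -> request timestamps

    def _rate_limited(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)                          # failed requests count too
        return False

    def lookup_email(self, session_iccid, requested_iccid: str,
                     client: str, now: float) -> str:
        if self._rate_limited(client, now):
            raise AccessDenied
        # The caller must hold a session established for this very ICC-ID;
        # the identifier in the request is never trusted on its own.
        if session_iccid is None or requested_iccid != session_iccid \
                or not luhn_valid(requested_iccid):
            raise AccessDenied
        email = SUBSCRIBERS.get(requested_iccid)
        if email is None:
            raise AccessDenied
        return email


def enumerate_against_hardened(start_seq: int, count: int) -> int:
    """Same attack loop with no session: every request is refused and the
    attacker learns nothing about which ICC-IDs are real."""
    svc = HardenedLookup()
    learned = 0
    for i, seq in enumerate(range(start_seq, start_seq + count)):
        try:
            svc.lookup_email(None, make_iccid(seq), "attacker", now=float(i))
            learned += 1
        except AccessDenied:
            pass
    return learned


if __name__ == "__main__":
    print("leaky script:", enumerate_emails(990, 30))
    print("hardened, addresses learned:", enumerate_against_hardened(990, 30))
```

The point of the hardened version is not the rate limiter by itself (a patient attacker spreads requests over many addresses) but the binding of the answer to a session that already belongs to the requested ICC-ID, plus the single opaque error; with both in place, the endpoint cannot be used as an existence oracle for the identifier space.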
So if your iPad 3G info was exposed, how worried should you be? According to Gawker, the only data scooped up by the hackers were e-mail addresses and the ICC-ID numbers associated with them: no phone numbers, street addresses, credit card numbers or any other personal information.
The New York Times also checked with some security experts, who note that there’s only so much someone could do with your e-mail address — hit you with a phishing attack (you know, a fake message from, say, PayPal, asking for your username and password), or flood your inbox with junk mail.
That said, “in the right hands,” your iPad 3G’s ICC-ID number could be used to track your iPad’s location, one expert told the Times, although another downplayed the threat, noting that an attacker would need “access to very secure databases that are not generally connected to the public Internet.”
Still, even if the damage to actual iPad 3G users is relatively limited (we hope), the breach is acutely embarrassing for Apple and especially AT&T, which managed to leave personal information about its customers vulnerable on a public website.
The snafu also raises the question: What other AT&T security holes are still out there, waiting to be exposed — or exploited?

Apple Releases Security Update 2010-003 for Snow Leopard and Leopard

Posted by: Flirtation Creations  /  Category: Apple Inc

Apple today released a series of security updates targeting users of Mac OS X Snow Leopard and Leopard. According to the support document for the release, the updates address a single vulnerability related to handling of embedded fonts by Apple Type Services. Discovery of the vulnerability is credited to noted cybersecurity researcher Charlie Miller, who last month disclosed his discovery of 20 new zero-day holes in Mac OS X.
- Security Update 2010-003 (Snow Leopard) (6.50 MB)
- Security Update 2010-003 (Leopard-Client) (218.6 MB)
- Security Update 2010-003 (Leopard-Server) (379.5 MB)
The Leopard versions posted to Apple’s site incorporate previous security updates, explaining their large file size relative to the Snow Leopard version.
Apple also released Server Admin Tools 10.6.3, an update to Apple's package for installing remote administration tools on non-server machines. The update delivers 16 documented improvements.

Study: Frequent password changes are useless

Posted by: Flirtation Creations  /  Category: Internet, Security, Technology

Users hate them. They’re a massive headache to network administrators. But IT departments often mandate them nonetheless: regularly scheduled password changes — part of a policy intended to increase computer security.
Now new research argues what you've probably suspected ever since your first pop-up announcing that your password has expired and you need to create a new one: this presumed security measure is little more than a big waste of time, the Boston Globe reports.
Microsoft undertook the study to gauge how effectively frequent password changes thwart cyberattacks, and found that the advice generally doesn’t make much sense, since, as the study notes, someone who obtains your password will use it immediately, not sit on it for weeks until you have a chance to change it. “That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door,” the Globe says.
On the bright side, changing your password isn’t harmful, either, unless you use overly short or obvious passwords or you’re sloppy about how you remember them. (Many users forced to change their password too frequently resort to writing them on sticky notes attached to their monitor, about the worst possible computer security behavior you can undertake.)
Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.
Bottom line, IT departments: Drop the password-change mandates. You’re only creating extra work for yourselves and making the rest of us hate you.

If Your Password Is 123456, Just Make It HackMe

Posted by: flirtations  /  Category: Internet, Security, Social Networking, Technology, Web Development
Friday, January 22, 2010
provided by: New York Times

Back at the dawn of the Web, the most popular account password was “12345.”
Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.
According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.
“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”
Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)
The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.
“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.
Imperva found that nearly 1 percent of the 32 million people it studied had used "123456" as a password. The second-most-popular password was "12345." Others in the top 20 included "qwerty," "abc123" and "princess."
More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.
That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.
“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”
Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to trick the system, by making guesses at an acceptable rate, for instance.
To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
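The two measurements above (the share of a leaked list taken by the single most common password, and the share covered by a small pool of common ones) and the attack they enable are easy to reproduce. The Python below is an added example, not Imperva's analysis or any site's code: it computes both figures over a constructed stand-in for a leaked dump, shows the "prevent people from picking common passwords" check as a denylist drawn from that dump, and then runs a toy online-guessing attack against a login with per-account lockout. It demonstrates the point in the paragraph about guessing "at an acceptable rate": hammering one account trips the lockout, but spreading the same short list of common passwords across many accounts, one guess per account per round with rounds spaced so no account accumulates enough failures inside the window (the technique usually called password spraying), never triggers it. The password list, the account table, the lockout threshold and window, and all names are constructed for the example.

```python
"""
Added example (not Imperva's analysis or any site's code). The leaked list and
the account table are constructed stand-ins, not RockYou data.
"""
from collections import Counter

# Constructed stand-in for a leaked password dump: one entry per account.
LEAKED = (
    ["123456"] * 6 + ["12345"] * 4 + ["password"] * 3 + ["iloveyou"] * 3
    + ["princess"] * 2 + ["abc123"] * 2 + ["qwerty"] * 2
    + ["Tr0ub4dor&3", "correct horse", "g7!Kq2#zP", "mango42tree",
       "sunset_1987", "xK9$pL2m", "bluewhale!!", "lambda-88"]
)


def top_passwords(passwords, n):
    """The n most common passwords with their counts, most common first."""
    return Counter(passwords).most_common(n)


def coverage(passwords, n):
    """Fraction of accounts whose password is among the n most common: the
    figure the article reports as '20 percent from a pool of 5,000'."""
    top = {p for p, _ in Counter(passwords).most_common(n)}
    return sum(1 for p in passwords if p in top) / len(passwords)


def blocked_by_denylist(candidate, leaked, n=20):
    """What sites that refuse common passwords do: reject any choice that
    appears in the top n of a known dump (case-folded)."""
    return candidate.lower() in {p for p, _ in Counter(leaked).most_common(n)}


class LockoutLogin:
    """Server side: lock an account for `window` seconds once it has seen
    `threshold` failed attempts inside the last `window` seconds."""

    def __init__(self, accounts, threshold=5, window=900):
        self.accounts = accounts              # username -> password (toy)
        self.threshold, self.window = threshold, window
        self.failures = {}                    # username -> failure times
        self.locked_until = {}                # username -> unlock time

    def attempt(self, user, password, now):
        if user not in self.accounts:
            return False
        if self.locked_until.get(user, -1) > now:
            return False                      # locked: guess is not even checked
        if self.accounts[user] == password:
            return True
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.window
        return False


def brute_force_one_account(login, user, guesses):
    """Naive attacker: hammer a single account with guesses back to back.
    Returns the password if found, else None."""
    for t, g in enumerate(guesses):
        if login.attempt(user, g, now=t):
            return g
    return None


def password_spray(login, users, guesses, spacing):
    """Breadth-first attacker: one common password against every account per
    round, rounds `spacing` seconds apart. With spacing >= window /
    (threshold - 1) no account ever reaches the threshold inside one window."""
    cracked = {}
    for round_no, g in enumerate(guesses):
        now = round_no * spacing
        for u in users:
            if u not in cracked and login.attempt(u, g, now):
                cracked[u] = g
    return cracked


# Constructed accounts; most of them chose something from the common pool.
ACCOUNTS = {"alice": "123456", "bob": "iloveyou", "carol": "g7!Kq2#zP",
            "dave": "princess", "erin": "qwerty"}
GUESSES = [p for p, _ in top_passwords(LEAKED, 7)]   # the attacker's short list

if __name__ == "__main__":
    print("top 3:", top_passwords(LEAKED, 3))
    print("coverage by top 3: %.2f" % coverage(LEAKED, 3))
    print("single target:", brute_force_one_account(LockoutLogin(dict(ACCOUNTS)), "erin", GUESSES))
    print("spray:", password_spray(LockoutLogin(dict(ACCOUNTS)), list(ACCOUNTS), GUESSES, spacing=225))
```

With a threshold of 5 failures in a 15-minute window, a spacing of 225 seconds keeps every account at four recent failures, so the spray recovers every account that picked from the common pool while the lockout never fires; only the account with an uncommon password survives. That is why the defenses the article goes on to mention, rejecting common passwords at signup and throttling by source rather than only by account, matter more than the lockout alone.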
Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.
Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.
Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were "12345," "abc123" and "password."
Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?
Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.
“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”
In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.
But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords: a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.
Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.
“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”
