AT&T is taking some well-deserved heat for a Web security flaw resulting in the exposure of more than 114,000 iPad 3G owners’ e-mail addresses. Apple–by proxy–has also drawn some criticism as it apparently has some culpability in defining the authentication mechanism that was exploited. It is obviously a huge embarrassment for both AT&T and Apple, but the underlying issues, and other Web security issues like it, are actually quite common.
In truth, there was nothing elite (or ‘l33t’ in hacker speak) about the iPad 3G data leak. In fact, according to an interview on CBS News by Larry Magid with Goatse Security analyst Jim Jeffers, the security researchers more or less stumbled upon the authentication glitch. Jeffers said the exploit “was almost discovered by accident. One of our employees is an iPad 3G subscriber, and he noticed it in the process of the normal user experience of this device. It was something he just noticed as he was using it.”
Sort of like how finding and taking a car with the driver’s door open, keys in the ignition, and engine on does not make one an elite car thief. The lesson for IT administrators is to be more vigilant about closing these holes and making sure that the car door isn’t open, with the keys in the ignition, and the engine on–especially for Web-facing servers.
There is an entire genre of hacking dedicated to finding sensitive or confidential data inadvertently exposed to the Web. The book Google Hacking by Johnny Long, and the accompanying online Google Hacking Database, list hundreds of search queries that can be used to ferret out juicy information not meant for public consumption. It is actually not unique to Google. It should be called “Web search hacking”, but Google is essentially synonymous with Web search and “Google hacking” has a better ring to it.
George Kurtz, McAfee CTO and proud owner of not one, but two iPads, provides a detailed analysis of the iPad 3G data leak in which he ponders, “why is there such a dust storm over the recent AT&T/Apple iPad disclosure of 114,000 iPad owners and is it warranted?”
Kurtz, one of the founders of Foundstone Security and original authors of Hacking Exposed, says that these types of information disclosure vulnerabilities are more or less routine. Kurtz goes on to explain, “However, this type of vulnerability is far from being the worst that we find…So this is less about vulnerability with the iPad and more about common problems that we routinely see when performing application security assessments.”
I spoke with Kurtz, who offers this additional guidance for IT administrators wishing to avoid being the next AT&T. “Get the internal security groups or external consultants involved in the Web application development process as soon as possible. Often we see the security team or security consultants called in during the 11th hour because someone needs to check the box before the application goes live. At that point if there are systemic or architectural vulnerabilities with the application, it is a disaster to try to retrofit good security on top of a bad application. This type of approach can delay the project and ultimately costs the business owner lot more money in the end.”