Category Archives: Security

AT&T iPad email disclosure

Gawker has called an information disclosure on AT&T’s servers “Apple’s Worst Security Breach”:

Goatse Security obtained its data through a script on AT&T’s website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

Note that the attack used the predictability of SIM card identifiers (ICC-IDs) to generate a candidate list. It then leveraged an insecure AT&T registration application that resolved those IDs to email addresses and neither flagged nor blocked a high rate of requests.

The issue is thus really isolated to AT&T’s servers. It involves an Apple product, but it seems premature to call it Apple’s worst breach.

Also, while email addresses are important, and some people may resist changing them, they are not regulated data and are not generally classified as sensitive personal information.

I would say the most significant risk from these email addresses is that they can be used for spear-phishing and impersonation attacks. A good example of what I mean is the attack on the law firm involved in the Green Dam suit with China:

Gipson Hoffman & Pancione, a Los Angeles law firm, says employees began receiving well-crafted e-mail messages that appeared to come from other company staffers. The messages tried to get the victims to either open a malicious attachment or visit a Web site that hosted attack code. “It came from e-mail addresses that people would recognize as internal to the firm, and the attempt was to make it seem like everyday stuff,” said Elliot Gipson, an attorney with the company.

Thus, extra caution should now be taken with email received from someone you know who purchased an iPad…but that was already good advice. :)

Here is a short list of lessons I see in this story:

  1. Predictable, low-entropy device IDs are a weak choice for authentication
  2. Registration sites and software should detect and alarm on brute-force attacks
  3. Registration sites and software should rate-limit requests to prevent guessing
  4. There is a lot of hype around the attack, but even a breach of non-regulated, non-sensitive identity information damages reputation and trust
  5. Relying on a single email address is a bad idea; maintaining multiple email addresses, diversified by level of trust, is a good idea.
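Lessons 1 through 3 are easiest to see in code. The following is an added example (not code from the original post or from AT&T): it constructs a sample access log in which one client walks consecutive ICC-IDs against a hypothetical `/lookup?iccid=` endpoint, flags that client both on request rate and on the sequential-ID pattern, and shows the per-client sliding-window limit that would have cut such a script off. The endpoint name, log format, thresholds and client addresses are assumptions made for this illustration; the ICC-IDs are constructed (not real subscribers), with a Luhn check digit appended as ITU-T E.118 specifies, which is also why the detector compares the ID body without its last digit.

```python
"""Spot ICC-ID enumeration against a lookup endpoint, and rate-limit it.

Added example; not code from the original post or from AT&T.  The log format,
endpoint name (/lookup?iccid=...), thresholds and client addresses are
assumptions for this illustration; the ICC-IDs are constructed and do not
belong to any real subscriber.
"""
import re
from collections import defaultdict, deque


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body+digit pass the Luhn test.  ICC-IDs end in
    one (ITU-T E.118), so an attacker who knows one ID can derive every
    neighbouring valid ID without guessing the last digit."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                       # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_iccid(body_int: int) -> str:
    body = str(body_int)
    return body + luhn_check_digit(body)


# --- constructed sample traffic (documentation IPs, hypothetical ID body) ---
ATTACKER, LEGIT = "198.51.100.7", "203.0.113.5"
BODY_BASE = 8901410424300000010            # 19-digit body; check digit is appended
SAMPLE_LOG = "\n".join(
    f"{1276128000 + 2 * i} {ATTACKER} GET /lookup?iccid={make_iccid(BODY_BASE + i)} 200"
    for i in range(12)                      # 12 consecutive IDs in 24 seconds
) + f"\n1276128005 {LEGIT} GET /lookup?iccid={make_iccid(BODY_BASE + 5000)} 200\n"

LINE_RE = re.compile(r"^(\d+) (\S+) GET /lookup\?iccid=(\d{19,20}) (\d{3})$")


def parse_log(text: str):
    """Yield (timestamp, client_ip, iccid, status) from the constructed log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, iccid, status = m.groups()
            yield int(ts), ip, iccid, int(status)


def detect_enumeration(events, window=60, max_requests=10, min_run=5):
    """Return (client, reason, timestamp) alerts, one per client per reason.

    'rate'       : more than max_requests lookups within `window` seconds.
    'sequential' : at least `min_run` successive lookups whose ICC-ID bodies
                   increase by exactly 1, which is what walking the ID space
                   looks like even when the attacker stays under the rate cap.
    """
    alerts, flagged = [], set()
    recent = defaultdict(deque)             # client -> timestamps inside the window
    last_body, run = {}, defaultdict(int)
    for ts, ip, iccid, _status in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        body = int(iccid[:-1])              # drop the derivable Luhn check digit
        run[ip] = run[ip] + 1 if last_body.get(ip) == body - 1 else 0
        last_body[ip] = body
        if len(q) > max_requests and (ip, "rate") not in flagged:
            flagged.add((ip, "rate"))
            alerts.append((ip, "rate", ts))
        if run[ip] >= min_run and (ip, "sequential") not in flagged:
            flagged.add((ip, "sequential"))
            alerts.append((ip, "sequential", ts))
    return alerts


class SlidingWindowLimiter:
    """Per-client cap: at most `limit` lookups in any `window`-second span.
    Enforced inside the application, this is the control lesson 3 asks for."""

    def __init__(self, limit=5, window=60):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, client: str, now: int) -> bool:
        q = self.hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for alert in detect_enumeration(parse_log(SAMPLE_LOG)):
        print("ALERT", *alert)
```

On the sample log the attacking client is flagged twice: first for the sequential walk (after six consecutive IDs, at second 10) and only later for rate (at the eleventh request). That ordering is the point of keeping both checks: a patient attacker can stay under any reasonable per-client rate cap, but cannot enumerate an ID space without producing the sequential signature.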

Updated (10 June 2010): The BBC has just posted a report with the above analysis on spear-phishing, calling it “one concern raised by security experts”.

Visualizing (Security) Data

I recently wrote about some interesting urban color maps created from photo geotag data. Today I noticed that Doug McCune has posted an urban topographical map in a post called “If San Francisco Crime were Elevation”:

I’ve been playing with different ways of representing data (see my previous night lights example) and I decided to venture into 3D representations. I’ve used a full year of crime data for San Francisco from 2009 to create these maps.

One of the conclusions of his post is that physical boundaries account for the “valleys” between high-crime areas:

There are other consistent features in these maps, in addition to Mt. Loin and the Mission Range. There’s a valley that separates the peaks in the Mission and the peaks in the Tenderloin, which is where the freeway runs (Valley 101). You’ll also notice a division in many of the maps that separates the southeast corner. That’s the Hunter’s Point Riverbed (aka the 280 freeway).

Quick, build more freeways through San Francisco! That should help reduce crime. Just kidding. He gives a disclaimer that the maps are meant to be artistic. See for yourself:

Living like a flatlander never looked better.

I like the fact that the maps both pinpoint trouble areas and show rates relative to one another. I think a colored bar or cylinder sitting on the map might be clearer, but definitely less artistic.

Beyond the artistic appeal, there could also be practical value. Topographical maps of risk could be very useful when integrated with classified ads. See a home for sale? What’s its VE (vandalism elevation)? What’s its AE (assault elevation)? How does that AE compare with another home for sale? Likewise, it would be interesting to use topographical maps to represent water quality, air quality, and so on, and then display an overall risk elevation for a residence or workplace.

Another risk that could be interesting to map this way is based on the photo geotag data I mentioned earlier. What is the likelihood of exposure, or perhaps privacy loss (locals and tourists snapping photos, or surveillance cameras), in your neighborhood? Would areas with more camera exposure correlate with less crime? I am curious to see such a map for cities like London with extensive surveillance systems.

Google Chrome Vulnerability Disclosures

WebKit is the foundation of both Apple Safari and Google Chrome. Yesterday both companies announced security patches for their browsers, many related to WebKit. Here is a sample of just one from the Apple Safari update page:

WebKit

CVE-ID: CVE-2010-1398

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in WebKit’s handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint’s Zero Day Initiative for reporting this issue.

Compare that with the entry for what appears to be the same bug on the Google Chrome update page:

[43487] High Memory corruption in text transforms. Credit to wushi of team509.

That is it, just one line. 43487 looks like a tracking reference number internal to Google. I gathered this bug is the same one as the one above from the credit reference to wushi. No CVE? No platform reference? I clicked on the number 43487, which points to code.google.com, so I could read more and confirm details…

Your client does not have permission to get URL /p/chromium/issues/detail?id=43487 from this server.

This is not very impressive. Moreover, it is inconsistent with earlier Chrome security notices that were done well. The June 9, 2009 notice, for example, explained two WebKit security patches in detail. Here is the first one:

Google Chrome’s Stable channel has been updated to version 2.0.172.31 to fix two security issues in WebKit.

CVE-2009-1690 Memory corruption
A memory corruption issue exists in WebKit’s handling of recursion in certain DOM event handlers. Visiting a maliciously crafted website may lead to a tab crash or arbitrary code execution in the Google Chrome sandbox. This update addresses the issue through improved memory management.

Severity: High. An attacker might be able to run arbitrary code within the Google Chrome sandbox.

Mitigations:

* A victim would need to visit a page under an attacker’s control.
* Any code that an attacker might be able to run inside the renderer process would be inside the sandbox. Click here for more details about sandboxing.

That was more like a normal patch announcement and clearly more useful.

Apple did a nice job. Why did Google switch to the weaker format and use internal links? It is also interesting to note that what is getting attention is not how little information Google gives but that it paid a $2000 bounty for just one flaw:

[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov.
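To make the comparison concrete, here is an added example (not code from the original post, from Apple or from Google) that parses both release-note formats quoted above into one record shape and lists the fields a patch-management tracker would still have to chase down. The record schema, the parsing rules and the list of required fields are this example's own assumptions; the three inputs are the entries quoted in the post.

```python
"""Normalise the two release-note formats quoted above into one record and
report which fields a vulnerability tracker would still have to chase down.

Added example; not code from the original post, Apple or Google.  The record
schema, the REQUIRED list and the parsing rules are this example's own
assumptions; the inputs are copied from the entries quoted in the post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Advisory:
    source: str
    tracker_id: Optional[str] = None    # vendor bug number, e.g. Chromium 43487
    cve: Optional[str] = None
    severity: Optional[str] = None
    affected: Optional[str] = None      # platforms / versions
    impact: Optional[str] = None
    description: Optional[str] = None
    credit: Optional[str] = None
    bounty_usd: Optional[int] = None


# What a patch-management team needs before it can triage an entry (assumption).
REQUIRED = ("cve", "severity", "affected", "impact", "credit")

# Chrome one-liner: '[$bounty] [bug] Severity Title. Credit to X.'  Bounty is optional.
CHROME_LINE = re.compile(
    r"^(?:\[\$(?P<bounty>\d+)\]\s*)?\[(?P<id>\d+)\]\s+"
    r"(?P<sev>Critical|High|Medium|Low)\s+(?P<title>.+?)\.\s+"
    r"Credit to (?P<credit>.+?)\.?$"
)


def parse_chrome_line(line: str) -> Advisory:
    m = CHROME_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Chrome release-note line: {line!r}")
    return Advisory(
        source="chrome",
        tracker_id=m["id"],
        severity=m["sev"],
        impact=m["title"],
        credit=m["credit"],
        bounty_usd=int(m["bounty"]) if m["bounty"] else None,
    )


# Apple's 'Key: value' paragraphs mapped onto the schema.
APPLE_KEYS = {"CVE-ID": "cve", "Available for": "affected",
              "Impact": "impact", "Description": "description"}


def parse_apple_entry(text: str) -> Advisory:
    adv = Advisory(source="apple")
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        field = APPLE_KEYS.get(key.strip()) if sep else None
        if field:
            setattr(adv, field, value.strip())
    if adv.description:                 # Apple buries the reporter in the description
        m = re.search(r"Credit to (.+?) for reporting", adv.description)
        adv.credit = m.group(1) if m else None
    return adv


def missing_fields(adv: Advisory) -> List[str]:
    """REQUIRED fields the entry leaves empty, in schema order."""
    return [f for f in REQUIRED if getattr(adv, f) is None]


# Inputs copied from the release notes quoted in the post.
CHROME_43487 = "[43487] High Memory corruption in text transforms. Credit to wushi of team509."
CHROME_39985 = "[$2000] [39985] High Cross-origin bypass in DOM methods. Credit to Sergey Glazunov."
APPLE_CVE_2010_1398 = """
WebKit
CVE-ID: CVE-2010-1398
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2 or later, Mac OS X Server v10.6.2 or later, Windows 7, Vista, XP SP2 or later
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of ordered list insertions. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of list insertions. Credit to wushi of team509, working with TippingPoint's Zero Day Initiative for reporting this issue.
"""

if __name__ == "__main__":
    for adv in (parse_chrome_line(CHROME_43487), parse_chrome_line(CHROME_39985),
                parse_apple_entry(APPLE_CVE_2010_1398)):
        print(adv.source, adv.tracker_id or adv.cve, "missing:", missing_fields(adv))
```

Run over the three entries, each Chrome line comes back missing a CVE and any affected-platform statement, while the Apple entry is missing only a severity rating, which its format does not carry. Neither vendor's note is complete on its own, but the Chrome one-liner cannot be actioned at all without following the internal tracker link that, as shown above, is not publicly readable.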