iPad owners’ email addresses exposed: let’s stay calm

June 11, 2010 by admin  
Filed under Security News

One of the hottest security news stories today revolves around a weakness on AT&T’s website that allowed outsiders to grab the email addresses of early adopters of the Apple iPad – at least those who had chosen to subscribe via AT&T.

 

The news was broken as an “exclusive” by Gawker in a story entitled “Apple’s Worst Security Breach: 114,000 iPad Owners Exposed”.

 

As my fellow blogger Paul Ducklin points out, it’s Gawker’s lead story right now – alongside continuing coverage of Debrahlee Lorenzana, the so-called “Hottie Banker” who alleges that she was sacked from her job at Citibank because she was too sexily distracting for her male co-workers.

 

If you can divert yourself away from Debrahlee Lorenzana’s charms for a second to read the Gawker story, you’ll find that it has some very scary things indeed to tell you:

"dozens of CEOs, military officials, and top politicians. They - and every other buyer of the cellular-enabled tablet - could be vulnerable to spam marketing and malicious hacking"

"the most exclusive email list on the planet"

"the breach will also likely unnerve customers thinking of buying iPads that connect to AT&T's cellular network"

"One affected individual was William Eldredge, 'who commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force'"

 

and so it goes on..

 

Reading on in the report it appears that a group called Goatse (don’t Google it, trust me..) bombarded the AT&T website service with thousands of requests using made-up ICC-ID codes (that’s an internal code used to associate a SIM card with a particular subscriber).

 

The hacking group deluged the website with so many made-up requests that some were bound to reflect genuine ICC-ID codes, and effectively “stick”. When this happened, the website believed it was dealing with a genuine iPad user and revealed the associated email address.
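The guessing pattern described above leaves a recognisable trace in server logs: one client asking about many different ICC-IDs, most of which match nobody. The sketch below is an added example, not code from AT&T, Gawker or the original post; the log format, addresses, ICC-ID values, thresholds and function names are all constructed for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed log lines: '<client> <icc_id> <status>' (200 = email returned)."""
    # One subscriber repeatedly looking up their own SIM.
    lines = ["198.51.100.20 89000000000000009999 200"] * 3
    # One client guessing 40 consecutive ICC-IDs; every tenth guess is genuine.
    for n in range(40):
        status = "200" if n % 10 == 0 else "404"
        lines.append(f"203.0.113.7 8900000000000000{n:04d} {status}")
    return lines

def flag_enumerators(lines, min_ids=20, max_hit_ratio=0.2):
    """Return {client: (distinct_ids, hits)} for clients that look like guessers."""
    seen = defaultdict(dict)  # client -> {icc_id: True if any request hit}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, icc_id, status = parts
        seen[client][icc_id] = seen[client].get(icc_id, False) or status == "200"
    flagged = {}
    for client, ids in seen.items():
        hits = sum(ids.values())
        # Many distinct identifiers with a low match rate suggests guessing.
        if len(ids) >= min_ids and hits / len(ids) <= max_hit_ratio:
            flagged[client] = (len(ids), hits)
    return flagged

if __name__ == "__main__":
    for client, (ids, hits) in flag_enumerators(build_sample_log()).items():
        print(f"{client}: {ids} distinct ICC-IDs requested, {hits} matched a subscriber")
```

A per-client threshold like this will not catch guesses spread across many source addresses, so it complements, rather than replaces, requiring the user to authenticate before a lookup returns an email address.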

 


Ok. So I can see how this is embarrassing, and it shouldn’t have happened. But, as Paul Ducklin underlines, it’s just an email address and you reveal your email address every time you send an email.

 



Surveillance firm sells Apple iPad spyware

May 10, 2010 by admin  
Filed under Security News

Could someone be spying on the emails you send and the websites you visit on your iPad?

 

For many the thought that someone could be reading every email you send, secretly logging every call that you make on your mobile phone, or silently tracking your location via GPS would be the stuff of nightmares.

 

And yet software exists (and is sold completely legitimately online) that does exactly this for those who wish to spy on their workers, or on members of their family.

 

And now a firm which in the past has made surveillance software to monitor the usage of iPhones, BlackBerrys, and Android, Windows Mobile and Symbian smartphones has announced a version of its snooping software to spy on iPads.

 

For just $99.97 a year, Mobile Spy customers can access a website that allows them to view a list of every website visited on an iPad, every contact added to the address book, and every email sent and received.

 


The way that vendors get away with this is by explaining that it is almost certainly an offence to install software onto a phone or computer that monitors or spies upon the owner unless you have authorisation to install it.

 

So, for instance, it would be okay to spy on your employees’ phone, computer or iPad activity if they had agreed to such surveillance in their contract. And it would be okay to snoop upon your kids because.. well, they’re your kids, and how likely are they to take you to court?

 

Such software exists in the “grey” area between legitimate and illegitimate software, typically promoted as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, or to assist companies in enforcing acceptable use policies, rather than more traditional identity theft – but it’s clear that it can be used for criminal purposes too.

 


Fortunately, Mobile Spy’s spyware for iPads only works on jailbroken devices. In other words, not only does whoever wants to spy on you need access to your iPad to install the software, your iPad also needs to have been tinkered with to allow you to run software that hasn’t been given the stamp of approval by Apple.

 

Late last year we saw malware which targeted users of jailbroken iPhones. My expectation is that if enough iPad owners jailbreak their gizmos too, some of the hackers at least won’t be far behind.

 

Hat-tip: Krebs on Security

 

By Graham Cluley, Sophos