Security Watch

Rotten Apple

A programming error on AT&T Inc.'s website exposed the e-mail addresses of 114,000 users of Apple Inc.'s iPad tablet.

The error allowed people to determine users' e-mail addresses from their ICC IDs, unique numbers that identify each chip in iPads that can connect to AT&T's wireless network, Gawker Media reported June 9. The security hole has since been fixed.

A script on AT&T's website was designed to permit iPad users to log in by providing their e-mail addresses if it recognized the ICC IDs of their devices. However, it also allowed any Internet user to obtain iPad owners' e-mail addresses by guessing their ICC ID codes; the flaw was discovered by a group called Goatse Security.

Some of the e-mail addresses the group found belonged to high-ranking government and military officials and top executives at many corporations, including White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg, Gawker said.

Security experts debated whether the information disclosed in this exposure — not just e-mail addresses, but also confirmation of which ICC ID codes belong to which people — is cause for concern.

Some told Gawker that ICC ID codes cannot be used to spoof mobile devices, so the risk of someone using this data to impersonate Emanuel, Bloomberg or other people is low.

A MacWorld article detailed the aftermath of this disclosure: AT&T sent a letter to affected users and also claimed Goatse Security had behaved irresponsibly in the way it disclosed the flaw. Escher Auernheimer, who heads Goatse, responded by claiming that public disclosure was necessary to get AT&T to address the issue.

Gizmodo, Gawker's tech news site, said the greatest risk from the exposure might be to AT&T's reputation. According to Gizmodo, AT&T's chief executive, Randall Stephenson, said at a recent conference that "If you lose the customers' confidence once on privacy … it would be a hard issue to recover from." Gizmodo followed that quote with its own thought on the matter: "I guess we'll see."

Copy and Paste

While most hackers prefer to keep secret the passwords they steal, some are starting to post their findings in public.

In recent weeks, security experts have noticed the log files from keylogging programs being posted to pastebin.com, a public text-sharing website typically used by programmers to share code they have written, Brian Krebs reported on his "Krebs on Security" website Monday.

In most cases, keylogger data is sent to a private Web server, but security tools can be used to block uploads to those servers. BitDefender, the security company that discovered the log files on pastebin.com, said hackers may be using the text-sharing site as a way to get around those filters, since most security software would not flag uploads to pastebin.com as suspicious.

Pastebin.com told Krebs that it is working on an update to its service that would allow it to automatically block such data from being posted to its website. Meanwhile, it said users should report any such uploads so they can be removed manually.

Krebs said this approach is not likely to be a favored tactic of professional hackers. Instead, he wrote, it is likely "the work of amateurs or beginners trying out a new method," since the data Krebs observed seemed to include e-mail and chat transcripts instead of banking data.

Most hackers "couldn't care less about your everyday online conversations," he wrote. "Indeed, all of that extra data tends to quickly cause massive data storage problems for thieves," so they favor keyloggers called "form grabbers" that only log keystrokes being entered to secure websites, such as while using online banking, he wrote.

Pesky Passwords

At some websites, passwords are not really about security — they're about collecting demographic data.

According to a recent report, two researchers at the University of Cambridge in the U.K. studied 150 websites to determine how seriously they take password security (such as by prohibiting the word "password" as a password and requiring special characters). As the tech news site Ars Technica put it in a June 9 article, "the results were pretty bad."

And the worse a website was about security, the better it was at something else: collecting user data, the article said.

Content providers, which had less-secure data to protect, "were far more likely to collect demographic information during account creation, and more likely to require an account validation via e-mail," the article said. "From this perspective, the username/password is just a ritual that eases the acquisition of valuable demographic data."

Many of these sites also send passwords over the Internet in plain text, rather than obfuscating them so that they cannot be observed in transit, the article said. Eighty-four percent also did not have any restriction on the number of login attempts, thus allowing scammers to guess passwords by making as many repeated guesses as they need.

This presents issues even for secure sites, Ars Technica said, as many consumers use the same passwords at multiple sites, so if a password is exposed at a less-secure site, it may compromise accounts elsewhere. Even so, the most popular websites tend to have the best security practices, Ars Technica said.

Insider Outed

A Bank of America Corp. call center employee pleaded guilty to one count of fraud for attempting to sell customer data stolen on the job.

Brian Matty Hagen was caught after trying to sell names, birth dates, phone-banking passwords and other details of B of A customers, the U.K. tech news site The Register reported June 8. Hagen's buyers turned out to be undercover Federal Bureau of Investigation agents. Though Hagen, who has not yet been sentenced, faces a potential $1 million fine and 30-year prison term, prosecutors are requesting a lower sentence because he was cooperative, the article said.

Hagen focused on stealing the data of customers with balances over $100,000, the article said. In one example, Hagen kept the data of a customer with a balance of almost $445,000 after that customer called to verify that payments to a Netflix Inc. account had been stopped.

Street Sale

Not everyone who buys and sells Social Security numbers does so online — police in Louisville arrested a man they allege was trying to buy the numbers of passersby on the street.

Police have charged Antonio F. Phillips with trafficking in stolen identities for allegedly offering $5 to strangers in exchange for their Social Security numbers, the Louisville television station WDRB reported Tuesday. Police said Phillips was also in possession of weapons and a list of Social Security numbers; Phillips has also been charged with carrying a concealed deadly weapon.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.
