FBI Interest Gives iPad Whodunnit a More Serious Turn

By Renay San Miguel MacNewsWorld ECT News Network
Jun 11, 2010 2:10 PM PT

AT&T's iPad security breach may have been plugged, but the questions it's raised continue to leak out to the tech press/mainstream media and the blogosphere. The story is sticking around because of issues regarding responsibility -- not just Apple and AT&T's liability in the matter; the security researchers who discovered the breach and the technology blog that told the world about it are also the subjects of inquiry.

The FBI has confirmed it is investigating this week's revelation that nearly 115,000 email addresses of early adopters -- including some high-profile names in the military, political and finance worlds -- may have been accessible to anyone thanks to a flaw on AT&T's website. The company said the flaw has been fixed as of June 9. Yet did Goatse Security tell AT&T about the flaw before it gave the Valleywag blog -- owned by Gawker Media, proprietor of Gizmodo and the lost iPhone story -- the names and email addresses of the iPad owners?

Valleywag and Goatse are doing all the talking for now, unlike the FBI, Apple and AT&T.

"The FBI is aware of these possible computer intrusions and has opened an investigation to address the potential cyberthreat," Bryan Travers, public affairs officer for the FBI's Newark, N.J., office told MacNewsWorld. "No further detail beyond that will be provided."

AT&T spokesperson Mark Siegel declined comment, and Apple did not respond to a request for reaction by press time.

In a Friday post, Valleywag confirmed that the FBI has asked the blog to preserve documents given to it by Goatse Security.

Goatse's Reaction

In a blog post late Thursday, Goatse said it did not notify AT&T but did make sure somebody else tipped off the carrier so they could fix the flaw before the security firm went to Gawker Media. "We had no interest in direct contact with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it," reads the post, which is credited only to "admin." No money changed hands, the post asserts. Only one journalist at Gawker saw the information, and it was redacted before being published, Goatse said.

"All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word," the blog post reads. "We did not sell your data to spammers -- and we did not try to hack your iPads. Your iPads are safer now because of us."

The post, said Goatse, is a reaction to the criticism the group has received regarding the way the story was given to Gawker. "This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don't."

Who's Responsible?

Two security experts contacted by MacNewsWorld say the incident is another example of a negative headline for AT&T regarding an Apple product it supports. The company needs to come up with a new way for iPad owners to register their devices on the carrier's network. "If I were at Apple, I would be upset with what happened, and I suspect that they may take greater care reviewing their carriers' enrollment processes in the future," Eric Skinner, chief technology officer for the security company Entrust, told MacNewsWorld. AT&T may have been trying to make it easier for consumers to sign onto the network, but "when you're launching a Web feature and you're thinking about convenience, you immediately need to start thinking about what security risks you're introducing. That's something for people who are building Web applications to think about. I don't think the public should be expected to change their behavior in some way."

If traditional phone companies are going to find themselves getting deeper in the data game, they had better lock down their networks, said Jamz Yaneza, threat researcher at Trend Micro. "Given that most telcos are moving into more of a data carrier space and becoming more ISP-like than actual voice companies, and given the VoIP possibilities on these devices, it's even more important for them to be able to secure everything," Yaneza told MacNewsWorld.

It's unlikely that any serious personal information was spilled, Yaneza and Skinner agreed, but even simple email addresses can help those with malicious intentions get their foot in the door. "You could use it as a base for an attack," Yaneza said. "Now you know that particular person has an iPad. People who harvest email addresses can send out targeted spam and attacks." An email claiming to have an upgrade for Apple/AT&T customers can link consumers to a phishing site, he added.

Some of the earlier media coverage might have been overblown, Skinner added. "The breach was corrected by AT&T before Gawker publicized it, so I don't think people should have any lasting concerns," he said. "It's more a lesson in how these systems should be deployed, and an embarrassment for AT&T."
