It’s still up in the air as to whether this truly pans out as a legitimate vulnerability. Komodo says XYZ, and Verisign/Symantec says VWX.
It’s not all gloom and doom. People just need to be aware of the websites they are using and whether a site is using the certificate type that is vulnerable. If it has that certificate, send a message to the site’s webmasters and to the certificate issuer asking them to kindly fix it – FAST. And don’t use the affected site in the meantime.
Not all sites are going to be affected mind you. Not all SSL certificates are created equally.
Remember, it’s “your” privacy that’s at risk.
I’m noticing some confusion about who is responsible for the iPad e-mail address leak in various news articles written about the incident.
- AT&T is responsible and their servers leaked the information
- As per the article from the BBC, only iPads using the AT&T service are affected. (This is not a worldwide issue)
The vulnerability only involved iPad users who had signed up for AT&T’s 3G wireless service, and users of the iPad outside the US are believed to be unaffected. The breach involved a feature of AT&T’s website, which would prompt users when they tried to log in to their AT&T accounts through their iPad.
On digg.com, a related article is titled ‘Apples Worst Security Breach: 114,000 iPad Owners Exposed’, with a Warning: The content in this article may be inaccurate. Surprisingly, Gawker is still running with the same title and hasn’t changed it yet (as of June 10 2010 15:00PM EST). As a side note, Gawker owns Gizmodo, who was responsible for the leak on the new iPhone.
The only data that was ‘exposed’ was a large quantity of e-mail addresses of notable politicians, celebrities and military personnel, and nothing else. (Passwords, credit card numbers, social security info etc. were NOT EXPOSED)
It’s little stories like these that chip away at the perception that a company is secure. This happened to Microsoft. I’m defending Apple in this case, because I believe in giving credit where credit is due, and in this case, it’s an AT&T technical problem, not an Apple technical problem. Unfortunately the perception that has been created is that it’s an Apple security problem.
Sure, it could potentially expose people to social engineering/phishing attacks, but these people’s addresses are already out there in log files on many mail servers on the Internet, not to mention that every time someone forwards a message an address is going to be ‘exposed’.
Keep calm and carry on.
While it’s nothing new that another company is moving away from using Windows operating system software internally, Google is certainly the most popular of them all.
From the sounds of it, Google is probably very close to releasing a consumer operating system designed to compete with Windows.
There is even a Wikipedia article devoted to Linux adoption, where they list many other businesses, educational facilities and governments that have already made the switch.
Google even prefers Mac OS X over Windows, even though it is, in some respects, sworn enemies with Apple. “The enemy of my enemy is my friend”.
Here are some of my random thoughts about the situation:
- Linux and Mac OS X will be new targets for those who create malware as their popularity increases. One of my previous posts on tumblr discusses spyware infecting Mac OS X.
- The operating system is not the sole defense mechanism in a computer network, there MUST be other components like firewalls, anti-virus, up to date browsers etc.
- Microsoft has long been the whipping post when it comes to security related incidents. IT administrators and hackers haven’t forgotten about the “I Love You” and “Melissa” viruses. Microsoft was the only mainstream choice available in terms of operating systems when Internet use increased in popularity (approx. 1996 to 2003). It was natural that Microsoft became the big target.
- Microsoft had to learn how to build security into their software development processes, only after building many of its earlier products. They’ve since standardized on a Security Development Lifecycle Process for developing secure products.
- Lots of Apple and Google products have roots in open-source software, much of which was developed with security built in from the ground up, and not as an afterthought.
- Education/Training about security, both for users and software developers, is a key factor to maintaining safe computing environments and developing secure products.
- Nothing is impenetrable. It’s only a matter of time and resources before a software exploit for any piece of software is discovered. Humans create software, and humans aren’t perfect.
Microsoft released a response about the security of Windows. Throughout the blog post there are links to various articles supporting its argument that Windows is a secure product; Google isn’t mentioned directly, but there is a link to the Financial Times article.
I actually found the comment section to be quite entertaining as it provided many different thoughts and perspectives to the issue. I recommend reading that as well!
Just to reiterate, you can’t install ANYTHING on Mac OS X without entering your password first.
Your computer gets infected because the attackers lure you with the promise of free screen savers and a converter for video files. After you’ve agreed to install them, it’s over. Hello spyware!
Remember – nothing is impenetrable.
Title sounds ridiculous doesn’t it? But it’s true!
I’m sure by now, everyone has heard how Sarah Palin had her Yahoo E-Mail account illegally accessed during the 2008 US presidential election campaign. The account was accessed by providing the correct answers to security questions presented by the password retrieval system on Yahoo E-Mail.
I won’t focus too much on the details of what happened, instead I want to focus on how this applies to everyone else.
The key takeaway is that this can happen to anyone. In this case, the so-called ‘hacker’ wasn’t even the typical hacker you usually hear about. According to the article, he lacked in-depth knowledge about computers. All he had to do was search the Internet for the information.
You’re probably reading this thinking this could never happen to you. If you use either Twitter, Facebook, LinkedIn, discussion forums, or any other form of social networking, then think again.
Why? Because social networking sites contain a wealth of personal information about you, and that information could potentially be used against you the same way it was used against Sarah Palin.
For example, in the article, one of Sarah Palin’s security questions asked for her birthday. David Kernell found the information on Wikipedia. While we aren’t all famous enough to have a Wikipedia page like Sarah Palin, the same type of information could easily be gleaned from Twitter or Facebook. Some people even announce on Twitter that it’s their birthday! Thanks!
Obviously, the one piece of information (the birthday) is likely useless on its own, but armed with other pieces of information, anything is possible. In this situation, public information was used to view a private e-mail account by answering security questions meant for retrieving a lost password.
So what are the lessons learned to avoid this bad situation?
- Always use a FAKE answer to the security questions that are part of any password retrieval system on the Internet.
- Never provide a security question with an answer that could be taken from social networking websites.
I’m not trying to say people should stop participating in online social networking. I’m just saying people need to be careful about what information they post online. They need to think about how that information could be used against them, now or in the future.
The author of the blog has used his own blog post to demonstrate this new phishing attack. What happens?
After roughly 5 seconds of inactivity, his blog page will show the Gmail login page instead. BUT, if you look at the address field in your browser, it will still show:
In the post, he provides exact details of what he has done and how he did it, along with the source code. The author, who indicates on his blog that he is the Creative Lead at Firefox, states that a future feature of Firefox will be able to prevent this specific type of attack.
I’ve verified that this works in the latest versions of Firefox and Safari (on OS X). I tried Chrome as well, but it’s not the latest update, the stable release that went out earlier today. (Based on comments in the blog, the stable version of Chrome is affected by this issue)
I can see how this would easily fool a lot of people. Always remember to check the URL field in your browser to make sure you are on the correct page.
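The defensive counterpart to the behaviour described above, as an added example that is not code from the original post or from the blog author: a script (the kind a userscript or browser extension could run) snapshots a page when its tab is hidden and compares it when the tab becomes visible again, warning if the title changed, a password field appeared, or login forms now submit somewhere new. The document fields, the `example.com` blog URL and the `example.net` form target are constructed sample values.

```javascript
// Small string hash (djb2) so page text can be compared without storing it.
function hashText(s) {
  let h = 5381;
  for (let i = 0; i < s.length; i++) h = ((h * 33) ^ s.charCodeAt(i)) >>> 0;
  return h.toString(16);
}

// Build a snapshot from a document-like object (constructed shape; the DOM
// wiring at the bottom fills it from a real document). Form actions are
// resolved against the page location so relative actions map to the page's
// own origin.
function snapshot(doc) {
  const formTargets = (doc.forms || []).map(f => {
    try { return new URL(f.action || '', doc.location).origin; } catch { return String(f.action); }
  });
  return {
    title: doc.title || '',
    textHash: hashText((doc.title || '') + '\n' + (doc.bodyText || '')),
    formTargets,
    hasPasswordField: Boolean(doc.hasPasswordField),
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken on
// return. Returns warning strings; an empty list means nothing changed in a
// way that matches the "page turns into a login page" pattern.
function detectSwap(before, after) {
  const warnings = [];
  if (before.title !== after.title) warnings.push(`title changed: "${before.title}" -> "${after.title}"`);
  if (!before.hasPasswordField && after.hasPasswordField) warnings.push('a password field appeared while the tab was hidden');
  const added = after.formTargets.filter(t => !before.formTargets.includes(t));
  if (added.length) warnings.push(`forms now submit to: ${added.join(', ')}`);
  return warnings;
}

// Browser wiring: only runs where a DOM exists (skipped under Node).
if (typeof document !== 'undefined') {
  let hiddenSnap = null;
  const fromDom = () => snapshot({
    title: document.title,
    bodyText: document.body ? document.body.innerText : '',
    forms: Array.from(document.forms).map(f => ({ action: f.getAttribute('action') || '' })),
    location: document.location.href,
    hasPasswordField: Boolean(document.querySelector('input[type=password]')),
  });
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { hiddenSnap = fromDom(); return; }
    if (hiddenSnap) detectSwap(hiddenSnap, fromDom()).forEach(w => console.warn('tab check:', w));
  });
}
```

The check deliberately ignores the address bar, which is exactly what stays unchanged in this attack; it looks at what the page itself turned into.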
Attached in my next post will be a screen shot of the issue.