Recent privacy scares involving Apple's iPad and Google's Street View have prompted the Federal Communications Commission to speak out, warning businesses and consumers about lax security and highlighting its current efforts to beef up oversight.
Last month, Google (NASDAQ: GOOG) revealed that its Street View cars -- deployed to collect images of cities, block-by-block -- had mistakenly captured the contents of traffic on unencrypted (open) Wi-Fi networks as they drove past.
Then last week, a group of security researchers went public with a flaw in AT&T's system that they exploited to obtain the e-mail addresses of more than 100,000 owners of Apple's (NASDAQ: AAPL) iPad.
FCC officials said both incidents highlight a need for greater security awareness.
"The Google and AT&T incidents are different kinds of intrusions, each worrisome in its own way, and each with a different remedy," Joel Gurin, chief of the FCC's Consumer and Government Affairs Bureau, wrote in a blog post.
"The iPad incident appears to be a classic security breach -- the kind that could happen, and has happened, to many companies -- and is exactly the kind of incident that has led the FCC to focus on cybersecurity," he added. "Our Public Safety and Homeland Security Bureau is now addressing cybersecurity as a high priority."
Gurin said that Google's Wi-Fi gaffe highlighted the importance of encrypting wireless networks, and directed users to the Federal Trade Commission's online guide to securing networks.
Google and AT&T (NYSE: T) have each taken their own approach to damage control. Google has offered a public mea culpa in the form of a corporate blog post, and has been meeting with government and law-enforcement officials in the United States and several countries in Europe, where it is facing multiple criminal investigations stemming from its Street View misstep.
For its part, AT&T sent a letter over the weekend to its iPad customers apologizing for the security breach and downplaying its severity.
The vulnerability stemmed from a feature on AT&T's 3G login Web page that auto-populated an iPad user's e-mail address when the page was presented with the integrated circuit card identifier (ICC-ID) of the device's SIM. An ICC-ID is a device identifier, printed on the SIM and sent by the device, not a secret, so the page in effect answered the question "which e-mail address belongs to this ICC-ID?" for anyone who could produce a plausible one. The security researchers -- or hackers, as AT&T calls them -- wrote a program that generated numbers in the same format as the ICC-IDs AT&T assigns to each iPad, submitted them to the Web site, and recorded the e-mail address the page returned whenever a generated number matched a legitimate ICC-ID.
AT&T said it disabled the auto-population feature within hours of learning of the vulnerability.
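The pattern described above, an unauthenticated lookup keyed on a guessable device identifier, is easier to reason about in code. The following is an added example, not AT&T's or Goatse Security's code: `vulnerable_prefill()` models the exposed behaviour, `enumerate_emails()` models the sweep, and `hardened_prefill()` shows the fix of keying the lookup on an authenticated session rather than on a caller-supplied ICC-ID. The subscriber table, the `ICC_PREFIX` value and the session mechanism are all constructed for the example; the assumption that a "legitimate" ICC-ID is one whose Luhn check digit (ITU-T E.118) is valid is mine, and the page does not say how the researchers' program filtered candidates.

```python
import secrets

# Constructed sample data: a few ICC-ID -> e-mail pairs. Not real subscriber records.
ICC_PREFIX = "89014103211118510"   # 17 digits standing in for the shared issuer/series part
SUBSCRIBERS = {}                    # filled below with Luhn-valid 20-digit ICC-IDs


def luhn_valid(digits: str) -> bool:
    """Luhn check; an ITU-T E.118 ICC-ID ends in a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(body: str) -> str:
    """Append the single digit that makes body pass luhn_valid()."""
    return next(body + d for d in "0123456789" if luhn_valid(body + d))


for serial, email in ((72, "alice@example.com"), (73, "bob@example.com"), (74, "carol@example.com")):
    SUBSCRIBERS[with_check_digit(f"{ICC_PREFIX}{serial:02d}")] = email


def vulnerable_prefill(icc_id: str):
    """Models the exposed behaviour: present an ICC-ID, get the e-mail back.
    The ICC-ID is an identifier, not a secret, so anyone who can guess one reads the mapping."""
    return SUBSCRIBERS.get(icc_id)


def enumerate_emails(lookup, prefix: str, serials: range) -> dict:
    """Attacker side: walk a block of candidate ICC-IDs, try only the ones whose check
    digit is valid, and keep every e-mail the lookup hands back."""
    found = {}
    for serial in serials:
        candidate = with_check_digit(f"{prefix}{serial:02d}")
        email = lookup(candidate)
        if email:
            found[candidate] = email
    return found


# Hardened form: the server keys the lookup on an authenticated session, never on an
# identifier the caller chose. How the session is established (SIM-based auth, a
# password) is out of scope here; issue_session() is a stand-in for it.
SESSIONS = {}


def issue_session(icc_id: str) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of randomness: not enumerable
    SESSIONS[token] = icc_id
    return token


def hardened_prefill(session_token: str):
    icc_id = SESSIONS.get(session_token)
    return SUBSCRIBERS.get(icc_id) if icc_id else None


if __name__ == "__main__":
    hits = enumerate_emails(vulnerable_prefill, ICC_PREFIX, range(100))
    print(f"vulnerable endpoint: {len(hits)} e-mails from 100 guesses -> {sorted(hits.values())}")
    print("same sweep against the hardened endpoint:",
          enumerate_emails(hardened_prefill, ICC_PREFIX, range(100)))
    token = issue_session(next(iter(SUBSCRIBERS)))
    print("hardened endpoint with a real session:", hardened_prefill(token))
```

The point of the hardened form is not the check digit or any rate limit but the key: a 20-digit identifier with a known prefix and a check digit has a small effective search space, while a random 256-bit session token does not, and the token is only issued after the server has verified who is asking. Disabling the auto-population feature, as AT&T did, removes the data from the response; binding the lookup to an authenticated session removes the class of bug.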
Dorothy Attwood, AT&T's chief privacy officer, explained in the letter that only e-mail addresses were exposed, and sought to assure customers that the contents of their iPads and other account information were never at risk. She also took a shot at Goatse Security, the research firm that exposed the vulnerability.
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their own publicity," Attwood wrote, adding that AT&T would work with law-enforcement authorities to aid any investigation of the issues and seek prosecution under the fullest extent of the law.
The Federal Bureau of Investigation is already looking into the breach.
But Goatse researcher Escher Auernheimer has a different take. In a blog post Monday, Auernheimer, known in online circles by the handle "Weev," blasted AT&T for what he called a slow response to the breach and for waiting several days to notify the affected customers, many of whom were high-profile media and government figures.
"The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure," Auernheimer wrote. "People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion."
He defended Goatse researchers' work in exposing the vulnerability, claiming that they are white-hat hackers who only went public with the vulnerability after confirming, through a third party, that it had been patched, and then leaking the story to Gawker's Ryan Tate after agreeing that no victims' personal information would be published.
Auernheimer disputed AT&T's description of the complexity of the exploit, saying that it took a Goatse researcher just over an hour to write the program and set it in motion, automatically querying the AT&T Web site and scraping the e-mail addresses. He argued that security research outfits such as Goatse help keep troves of sensitive information out of the hands of overseas hackers working in large and sophisticated criminal organizations.
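An automated sweep of the kind described here leaves a distinctive trace in the Web server's access log, and that trace is what a defender would look for, whether or not the attacker is caught by a status code. The following is an added example, not code from AT&T or from the researchers: it parses constructed access-log lines for a hypothetical `/prefill?iccid=` endpoint (the real AT&T URL and log format are not given on the page and are not assumed here) and flags any client that queries many distinct ICC-IDs within a short window. Every response in the sample is a 200, because a lookup that simply leaves the field blank on a miss gives a status-code alert nothing to see; the signal is the number of distinct identifiers per source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (not real traffic). 10.0.0.5 is one subscriber loading the
# page twice with its own ICC-ID; 203.0.113.9 sweeps consecutive candidate ICC-IDs.
ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2010:09:00:01 +0000] "GET /prefill?iccid=89014103211118510720 HTTP/1.1" 200 312
10.0.0.5 - - [10/Jun/2010:09:00:09 +0000] "GET /prefill?iccid=89014103211118510720 HTTP/1.1" 200 312
203.0.113.9 - - [10/Jun/2010:09:01:00 +0000] "GET /prefill?iccid=89014103211118510019 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:00 +0000] "GET /prefill?iccid=89014103211118510027 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:01 +0000] "GET /prefill?iccid=89014103211118510035 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:01 +0000] "GET /prefill?iccid=89014103211118510043 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:02 +0000] "GET /prefill?iccid=89014103211118510050 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:02 +0000] "GET /prefill?iccid=89014103211118510068 HTTP/1.1" 200 280
203.0.113.9 - - [10/Jun/2010:09:01:03 +0000] "GET /prefill?iccid=89014103211118510720 HTTP/1.1" 200 312
203.0.113.9 - - [10/Jun/2010:09:01:03 +0000] "GET /prefill?iccid=89014103211118510738 HTTP/1.1" 200 310
"""

# Common-log-format line with the hypothetical iccid query parameter pulled out.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /prefill\?iccid=(?P<iccid>\d{19,20}) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line: str):
    """Return a dict for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = int(rec["size"])
    return rec


def max_distinct_in_window(recs: list, window_seconds: int) -> int:
    """Largest number of distinct ICC-IDs one client asked about in any window_seconds span."""
    recs = sorted(recs, key=lambda r: r["ts"])
    best = 0
    for i, start in enumerate(recs):
        seen = set()
        for rec in recs[i:]:
            if (rec["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            seen.add(rec["iccid"])
        best = max(best, len(seen))
    return best


def flag_enumerators(log_text: str, min_distinct: int = 5, window_seconds: int = 60) -> dict:
    """Map each client IP that queried >= min_distinct different ICC-IDs inside one window
    to a small summary. A real subscriber asks about one ICC-ID, its own."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        distinct = max_distinct_in_window(recs, window_seconds)
        if distinct >= min_distinct:
            flagged[ip] = {"requests": len(recs), "distinct_in_window": distinct}
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_enumerators(ACCESS_LOG).items():
        print(f"{ip}: {summary['distinct_in_window']} distinct ICC-IDs in "
              f"{summary['requests']} requests")
```

The threshold is deliberately low in the example so the constructed log trips it; on real traffic the value should come from the observed per-client distribution, where almost every legitimate client queries exactly one identifier. Note also that a sweep spread across many source addresses defeats a per-IP count, which is one more reason the fix belongs in the lookup itself rather than only in the monitoring.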
"We understand that good deeds many times go punished, and AT&T is trying to crucify us over this," Auernheimer said. "The fact remains that there was not a hint of maliciousness in our disclosure."
AT&T did not respond to requests for comment on Auernheimer's charges.