Communications Security

AT&T Breach May Be Worse Than Initially Thought

Posted by Soulskill
from the i-smell-class-action dept.
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix." Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'

  • thanks... (Score:5, Insightful)

    by Michael Kristopeit (1751814) on Monday June 14, 2010 @05:50PM (#32571498)
    My thanks for the security team's service to me.
  • by fuzzyfuzzyfungus (1223518) on Monday June 14, 2010 @06:02PM (#32571696) Journal
    And point c) is why AT&T is bitching.

    Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.

    This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."
  • by Locutus (9039) on Monday June 14, 2010 @06:06PM (#32571760)
    Screw AT&T if that is what they think. Same goes for any other company who builds and designs half-assed security measures and publicly, or even privately, blasts those who expose how much they suck at this. It's like blaming the people who exposed Madoff.

    LoB
  • And this folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.

  • I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.

    This duration of time should vary based on a variety of factors, such as the company's past history in fixing exploits, public disclosure statements, severity, etc.

    With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.

    A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.

  • by DJRumpy (1345787) on Monday June 14, 2010 @07:34PM (#32572768)

    A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.

    B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.

    C) This one is true, at least.

    They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSIs to the script), and basically attacked their network.

    The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.

  • But that isn't fair either, as anyone who has worked on any kind of complex software knows you can't just magically throw a fix out there without breaking more than you fix!

    No, the fair and responsible thing is to give a standard 90 days and then disclose. If they can't get the shit done in 90 days knowing the clock is ticking then they deserve what they get, but 90 days should be a fair and reasonable time limit. That way every vendor knows exactly how much time they have got to get it done, the ones that find the hole and report it know that after 90 days they won't be judged as douchebags (unlike that asshole at Google that told them on patch Tuesday weekend and expected them to drop all that work and magically fix it in under a week) and nobody will have any doubts as to the time frame they have to get the problem solved.

    All in all it seems like a fair and reasonable solution to me, and will be a LOT safer than just blurting everything out immediately and giving black hats even more exploits to play with, not to mention causing rushed out patches without proper QA. I mean do we really want to HELP black hats send us more spam?
