AT&T Breach May Be Worse Than Initially Thought 102
ChrisPaget writes "I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."
Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'
thanks... (Score:5, Insightful)
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
Fixing their no-doubt-creaky-and-hideously-flawed-empire-of-security-by-obscurity will be a costly pain in the ass. Every day that they didn't have to do that was money saved, never mind the fact that the better grade of black hat could well have been doing targeted attacks against high value individuals for all that time. But now that the NYT has the story, they'll have to do something. Total bummer. Bad for shareholder value.
This is why so many vendors use the phrase "responsible disclosure" as a polite synonym for "shut the fuck up, never tell anybody except us, and don't think that telling us entitles you to any ETA on a fix."
education is a security threat to our nation (Score:4, Insightful)
LoB
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
And this folks, is why everyone should support full disclosure. Full disclosure may hurt the producer (arguably they deserve to be hurt...), but responsible disclosure is just a stall tactic that hurts the consumer.
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
I'm all about telling the vendor about the security hole before publicizing it if it's known not to already be in the wild. Give them a chance to do the right thing.
This duration of time should vary based on a variety of factors such as the companies past history in fixing exploits, public disclosure statements, severity, etc.
With that said, there is no reason that after 30 days, any exploit should be fully disclosed to the public. If the vendor doesn't like it, well they should have fixed the problem when only a few people knew about it. If they have egg on their face, it's because they failed to correct the problem.
A good example was the recent major DNS exploit. It was quietly fixed and then fully disclosed. That's how it should work.
Re:Uh, correct me if I understood the story wrong (Score:5, Insightful)
A) They didn't need to download 114,000 e-mail addresses to prove it could be done. A handful would have been more than sufficient, or even a simple description of what to do to reproduce the exposure.
B) No they didn't warn AT&T. AT&T and Goatse both stated that Goatse never tried to contact them.
C) This one is True at least
They entered into AT&T's network, uninvited (unless you can find somewhere where AT&T gave them procedures on how to send spoofed IMSI's to the script), and basically attacked their network.
The proper course would have been to provide AT&T with information about the exposure. They should have destroyed all data recovered rather than forwarding it on to someone else.
Comment removed (Score:5, Insightful)