Category Archives: Paul Ducklin

If you’re worried about your landline going digital…

Here’s a well-judged article by Paul Ducklin on data-grabbing spam taking advantage of the UK’s shift from analogue to digital landlines, though the underlying advice works for many other scams.

Don’t get sucked in: Watch out for data-grabbing spam

David Harley

That Paul Ducklin site…

My areas of interest – let alone expertise – are infinitely narrower since I’m now only loosely attached to the security industry, so I won’t be slavishly following any particular site, let alone trying to track every current security issue.

I can, however, heartily recommend this one: Paul Ducklin combines good security writing with impressive technical knowledge.

David Harley

Paul Ducklin – how to continue to see his alerts

It’s partly Paul Ducklin’s fault that I’m reformalizing my connection to the security research field, retirement notwithstanding. Paul recently left Sophos after 28.5 years, which means there’s a great opportunity for an alert cybersecurity company to engage with a first-class researcher and writer. In the meantime, he’s continuing to post security-related alerts and other material (on a wide range of topics) that some people will find essential (even if they don’t know it yet) on Facebook.

As he says, very accurately, he’s “a Cybersecurity Expert who explains even complex technical stuff in plain English – no jargon!”

David Harley

NTEOTWAWKI

Given all the hype generated by the ridiculously titled Gawker article about the so-called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run-of-the-mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near anyone’s iPad. The ‘attack’ was purely a script that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

The upshot is that, as this page rightly points out (thanks to @securityninja for the link):

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley.

UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying:

“There was no breach, intrusion, or penetration, by any means of the word.”

Andrew Lee
CEO AVIEN/CTO K7 Computing
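From the server’s side, the lookup described above is easy to picture: one client walking an identifier space in order, request after request, with the only “disguise” being a spoofed browser string. As an added example (not part of Andrew’s post, and nothing to do with AT&T’s real application or logs), here is a small Python scan over constructed access-log lines that flags a client whose lookups form a run of closely spaced, ascending identifiers inside a short window. The log format, the `id=` parameter name, the thresholds and every sample line are assumptions made for illustration.

```python
"""Flag clients that walk an identifier space in sequence.

Added example, not from the original post. The access-log format, the
`id=` query parameter and the sample lines below are constructed; they
are not taken from any real application.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: ip [timestamp] "request line" status "user agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
ID_RE = re.compile(r'[?&]id=(\d+)')

# Constructed sample: one client repeats a single lookup, the other walks ids in order.
SAMPLE_LOG = """\
203.0.113.9 [10/Jun/2010:09:00:01] "GET /lookup?id=100001 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
198.51.100.7 [10/Jun/2010:09:00:02] "GET /lookup?id=731902 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:03] "GET /lookup?id=100002 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:04] "GET /lookup?id=100003 HTTP/1.1" 404 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:05] "GET /lookup?id=100004 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:06] "GET /lookup?id=100005 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:07] "GET /lookup?id=100006 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
203.0.113.9 [10/Jun/2010:09:00:08] "GET /lookup?id=100007 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
198.51.100.7 [10/Jun/2010:09:05:00] "GET /lookup?id=731902 HTTP/1.1" 200 "Mozilla/5.0 (iPad; CPU OS 3_2)"
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    idm = ID_RE.search(rec['path'])
    rec['id'] = int(idm.group(1)) if idm else None
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S')
    return rec


def find_enumeration(lines, min_requests=5, window_seconds=60, max_step=10):
    """Return {ip: (run_length, first_id, last_id)} for clients whose lookups
    contain a run of ascending ids, each at most `max_step` above the previous
    one, with at least `min_requests` requests inside `window_seconds`.
    Misses (non-200) count too: the probing is visible whether or not it hits."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec['id'] is not None:
            by_ip[rec['ip']].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        run = [recs[0]]
        best = None
        for prev, cur in zip(recs, recs[1:]):
            gap = cur['id'] - prev['id']
            in_window = (cur['ts'] - run[0]['ts']).total_seconds() <= window_seconds
            if 0 < gap <= max_step and in_window:
                run.append(cur)
            else:
                run = [cur]          # sequence broken: start a new run here
            if len(run) >= min_requests and (best is None or len(run) > best[0]):
                best = (len(run), run[0]['id'], run[-1]['id'])
        if best:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    for ip, (count, first, last) in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} sequential lookups, ids {first}..{last}")
```

The user-agent string is deliberately ignored: every request in the sample claims to be an iPad, and that tells the defender nothing. What does stand out is the shape of the traffic, so the thresholds are the knobs to tune against real volumes, and the fix for the underlying problem is still not to hand out a customer’s data to anyone who presents an identifier they can guess.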

Transitive Phishing (updated)

Paul Ducklin’s thoughtful blog on “Taxation scammers open the batting for 2010” highlights a tax phish that manages to get round the “why should I click on that link when that isn’t my bank?” issue by offering a choice of bank links leading to a clone site. Neat, and “transitive phishing” is a good label for it. But the answer is the same. Don’t trust a link in email (are you listening, eBay?). Go to a URL you know you can trust, and if it means typing it in by hand, do that.

Update: Dmitry Bestuzhev has pointed out to me that he blogged on this scam a day before Duck’s blog was posted. Indeed he did, but it was the two-stage site-spoofing that I found interesting, rather than the fact that it’s a tax scam. Still, he’s right that it’s worth noting in itself that there is another round of tax scams, and the Analysts Diary blog is certainly a resource worth keeping an eye on.

David Harley FBCS CITP CISSP
Chief Operations Officer, AVIEN
Director of Malware Intelligence, ESET

Also blogging at:
http://www.eset.com/threat-center/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
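The give-away in the “pick your bank” phish described above is structural: several different bank names, one landing site. As an added example (not part of David’s post, and not taken from the scam he links to), here is a short Python check that pulls the links out of an HTML email body and reports any host that sits behind two or more differently named bank links. The message body, the bank names, the hostnames and the list of brand words are all constructed for illustration.

```python
"""Spot the 'choose your bank' pattern: many bank names, one destination host.

Added example, not from the original post. The sample email, the bank
names and the hostnames are constructed; BANK_TERMS is an illustrative
list a real mail filter would replace with its own brand dictionary.
"""
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words that make an anchor text look like a bank name (constructed list).
BANK_TERMS = ('bank', 'building society', 'credit union')

# Constructed phishing body: three 'banks', all pointing at the same clone host.
SAMPLE_EMAIL = """\
<p>Your tax refund of 412.50 is ready. Select your bank to receive it:</p>
<ul>
<li><a href="http://refund-portal.example/login?b=1">First Example Bank</a></li>
<li><a href="http://refund-portal.example/login?b=2">Second Example Bank</a></li>
<li><a href="http://refund-portal.example/login?b=3">Example Building Society</a></li>
</ul>
<p><a href="http://tax-office.example/help">Help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((' '.join(''.join(self._text).split()), self._href))
            self._href = None


def looks_like_bank(text):
    """True if the anchor text contains one of the brand words."""
    lowered = text.lower()
    return any(term in lowered for term in BANK_TERMS)


def bank_links_by_host(html):
    """Map destination host -> list of bank-looking anchor texts pointing at it."""
    parser = LinkCollector()
    parser.feed(html)
    by_host = defaultdict(list)
    for text, href in parser.links:
        if looks_like_bank(text):
            host = (urlparse(href).hostname or '').lower()
            by_host[host].append(text)
    return by_host


def find_transitive_phish(html, min_brands=2):
    """Return {host: sorted distinct bank names} for hosts reached from at
    least `min_brands` differently named bank links: one clone site behind a
    menu of brands. Returns {} when the body shows no such pattern."""
    return {host: sorted(set(texts))
            for host, texts in bank_links_by_host(html).items()
            if len(set(texts)) >= min_brands}


if __name__ == '__main__':
    for host, brands in find_transitive_phish(SAMPLE_EMAIL).items():
        print(f"{host} is the destination for {len(brands)} 'banks': {', '.join(brands)}")
```

The check is a heuristic, not proof: a genuine comparison site can legitimately link several banks through one host, so in a mail filter this signal would be one input among others (sender reputation, whether the host matches any of the named banks, and so on). It does, however, catch exactly the trick the post describes, and it does so without following any of the links, which is the point of the advice to type a trusted URL by hand rather than click.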