Category Archives: Possibly Unwanted Applications

NTEOTWAWKI

Given all the hype generated by the ridiculously titled Gawker Article about the so called ‘iPad’ hack, I’m somewhat reluctant to add to any more of the noise over what is really a pretty run of the mill story, but because I’m procrastinating on other jobs, I’ll write something. Warning: this story does involve the shocking exposure of people’s email addresses, said addresses getting revealed when they shouldn’t have been, and yes….er…well, no, that’s about it actually.

Indeed, Paul Ducklin of Sophos wrote a very nice article stating the rather important fact that, every time you send an email, that passes your email out on to the open internet. Of course, that’s not an excuse to have a poorly written web app that will spit out the email addresses of your partner company’s clientele at will. Partner company, I hear you cry, wasn’t this an Apple problem? Yes, indeed, this is absolutely nothing to do with Apple, it’s not an Apple problem, and it’s not a breach of Apple’s security, nor is it a breach of the iPad. In fact, it was solely down to a web application on AT&T’s website. It doesn’t even involve touching an iPad. But, but, you may splutter, isn’t this is an iPad disaster? No. Not even slightly; not once did the ‘attackers’ go near any one’s iPad. The ‘attack’ was purely a script  that sent ICCID numbers (this links a SIM card to an email address) to the AT&T application, in sequence, to see if their database had that number with an email attached – and if so, that came back. That’s right, it’s a SIM card identifier. The only ‘iPad’ part is that the ‘attackers’ spoofed the browser in the requests, to make the app think the request was coming from an iPad.

The upshot is that, as this page rightly points out (thanks to @securityninja for the link)

“There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”

So, the correct title of that original Gawker article might have been “Badly designed AT&T web application leaks email addresses when given SIM card ID”, but that wouldn’t be “The End Of The World As We Know It”.

In a week where one ‘journalist’ writing here (thanks to @paperghost for the link) claimed that some security people confessing to being ‘hackers’ (whatever that means) “confirms our suspicions that the whole IT insecurity industry is a self-perpetuating cesspool populated by charlatans”, it might be time for the world of the media to turn that oh so critical eye on itself and ask who is really generating the hype in the information security world?

If you’re interested in keeping up with genuine Mac/Apple related security issues, a good resource is maintained here by my good friend David Harley

UPDATE: The original ‘attackers’ have published a response to the furore here. Pretty much confirms what I was saying

“There was no breach, intrusion, or penetration, by any means of the word.”

Andrew Lee
CEO AVIEN/CTO K7 Computing

Advertisements

About those alligators….

I don’t know what Peter Norton  is up to these days. In the anti-virus industry, he’s probably best remembered for (a) the security products marketed by Symantec that still bear his name (though not the famous pink shirt photograph), though he sold his company to Big Yellow about 20 years ago. In researcher circles, he’s also remembered for telling Insight magazine in 1988 or thereabouts that “We’re dealing with an urban myth. It’s like the story of alligators in the sewers of New York. Everyone knows about them, but no one’s ever seen them. Typically, these stories come up every three to five years.” Well, quite a few people put computer viruses in the same category as flying saucers around that time. Commodore, for instance, reacted to questions about Amiga malware by saying that it sounded like a hoax, and moved on (1) to ignoring it altogether.

Not long after that, he lent his name to Symantec’s antivirus product, which I suppose makes it the world’s first anti-hoax software.

I’ve no idea whether there really are or ever were alligators in the sewers of New York, but according to the BBC, Scotland ‘s sewage system has quite a few equally bizarre inhabitants. Notably:

  • A Mexican Kingsnake
  • A goldfish called Pooh
  • An anonymous frog
  • An equally anonymous badger (no, it wasn’t in the company of the frog: what a story that could be…)

 The above were all alive and well, if not as sanitary as one might hope. However, a sheep found in a manhole chamber and a cow found in a storm tank did not survive the experience. Other inanimate objects found included credit cards, a working iron, false teeth, jewelry, and some of the hundreds of thousands of mobile phones that Brits are alleged to flush down the loo. 

It’s not known whether the very smelly aggregation of money mules that is apparently operating out of Scotland and associated with the “London scam” described here is operating out of the same network

(1) Yes, I’m paraphrasing myself. “Viruses Revealed”, Chapter 2, published by Osborne in 2001.

David Harley FBCS CITP CISSP
Security Author/Consultant at Small Blue-Green World
Chief Operations Officer, AVIEN
ESET Research Fellow & Director of Malware Intelligence

Also blogging at:
http://avien.net/blog
http://www.eset.com/blog
http://smallbluegreenblog.wordpress.com/
http://blogs.securiteam.com
http://blog.isc2.org/
http://dharley.wordpress.com
http://macvirus.com

Lawyers in Love

One minute I was saying “…AMTSO in Prague next week…” and the next Prague was long gone, and so was AVAR in Kyoto. Hopefully, though, that was my last long trip for this year, and I’ll get into the habit of blogging regularly here. Well, I suppose once every blue moon is regular. 😉

This is a bit of a cheat, since I already blogged it for ESET, but I’m a believer in green blogging with lots of recycling. Juraj Malcho, head of ESET’s virus lab in Bratislava, did an excellent paper and presentation at VB 2009 on “Is there a lawyer in the lab?”: it’s about the complications that ensue when the authors of Possibly Unwanted Applications and other blahware try to tie up anti-malware companies in legal process for daring to detect it as Something Not Very Useful.

I think I may have just coined blahware: in this case, I’m referring not to those irritating Facebook applets that so many of my friends are addicted to, but to software which, if not actively malicious, is nevertheless of more value to its author than to anyone who’s misled into paying for it, and is distributed by semi-malicious channels such as spam or push-installations. I’d call it irrelevantware, but that’s not so catchy. And come to think of it, it probably does apply to most Facebook apps.

Anyway, the paper is at :

http://www.eset.com/download/whitepapers/Lawyer_in_the_lab.pdf,

The slide deck is at:

http://www.eset.com/download/whitepapers/is-there-a-lawyer-in-the-lab.pdf.

Well worth looking at, and we don’t ask you for your email address when you download them, either. 🙂

David Harley