Assignment #4: iPad’s Security Breach
BUS 508 Business Enterprise
Professor Steven Brown
Strayer University
February 27, 2011
Discuss Goatse Security firm’s possible objectives when they hacked into AT&T’s Website.
Goatse Security is not a security firm. This is a loose-knit, nine-person hacker group that specializes in uncovering security flaws. Its nature has been variously described as white hat, gray hat, or black hat. The group was formed in December 2009. Goatse Security derives its name from the Goatse.cx shock site. The group’s slogan is “Gaping Holes Exposed.” In 2010, it exposed vulnerabilities in the Mozilla Firefox and Apple Safari web browsers. In June 2010, Goatse Security exposed the Email addresses of 114,000 Apple iPad users. (Polom, 2010)
For at least a few hours an obscenity-laden message on the Goatse Security site said: "I have taken the liberty of exposing your gaping hole...As you are a group of self-aggrandizing [profanity redacted]. I have also contacted the media to ensure that this incident gets the coverage it deserves. In cracking this site, I have sent specially crafted requests to the server with my browser ID spoofed to that of an iPad. Please know that while this was not instrumental in this wondrous crack, it WAS poetic in many ways. I also gave Goatsec the same warning that they gave AT&T... none at all, to patch their gaping hole. User Accounts have been deleted, and passwords changed," the note said. (Mills, 2011)
CNET was contacted by someone claiming credit for the hack who declined to identify himself, saying only that he is an individual security professional at #Sigdie on the EFnet Internet Relay Chat. Asked why the site was hacked, the source said, "I felt it was appropriate to give them a taste of their own medicine. I felt some negative publicity would hopefully cool things down and force them to rethink their behavior." (Mills, 2011)
Argue for or against computer hacking as an ethical corporate strategy for computer security firms.
I am in complete agreement with the use of hacking as an ethical corporate strategy for computer security firms only when it is truly used for the betterment of that company. An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. To test a security system, ethical hackers use the same methods as their less principled counterparts, but report problems instead of taking advantage of them. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat. (Ethical Hacking, 2009)
One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems. According to Ed Skoudis, Vice President of Security Strategy for Predictive Systems' Global Integrity consulting practice, ethical hacking has continued to grow in an otherwise lackluster IT industry, and is becoming increasingly common outside the government and technology sectors where it began. Many large companies, such as IBM, maintain employee teams of ethical hackers. (Ethical Hacking, 2009)
Discuss whether or not Gawker Media acted in a socially responsible manner when it reported the security breach before Apple and/or AT&T had responded to the public.
Goatse was out for publicity, and they should have made the disclosure to a more responsible organization, not to a media outlet, and especially not to an outlet that prides itself on its ‘edginess’ (in this case, Gawker Media). Gawker Media was not socially responsible as an organization which has an obligation to act to benefit society at large. (Polom, 2010) The proper way to handle situations like this (if you aren’t trying to get free publicity and truly just trying to do the right thing) is to contact AT&T directly and work with them until the vulnerability is fixed. Then you can disclose what happened. This is of course much easier than it sounds but I still don’t think that Gawker followed the right steps. (Perimeter, 2010) This responsibility can be passive, by avoiding engaging in socially harmful acts, or active, by performing activities that directly advance social goals. Gawker Media never asked for AT&T’s position on this issue. (Mills, 2011)
As the AT&T CEO, discuss how you would respond differently to this security breach.
Here are six steps that I would take to respond to a security breach if I were AT&T. Some experts recommend eight, some have 10, but these are the ones that most authorities agree on. Oh, and they also agree on this: You should have done the first three steps before you had the breach. (Wilson, 2007)
1. Assemble an incident response team.
Before you can do anything, you need to make sure you have the right people in the room. A security breach typically isn't handled only by the IT department; it may involve legal experts, top executives, public relations people, and representatives from all of the business lines affected. If the breach involves insiders, you may need someone from human resources. If it involves money, you may need a financial officer. (Wilson, 2007)
2. Assess the initial damage and the risk for more.
Your response to a security breach will be commensurate with the risks to your business. An external attack on your public Website might not hurt much if you're a local machine shop, but it can break your business if you're Amazon.com. Likewise, an insider attack on the personnel database carries a different type of impact than the theft of a customer database. (Wilson, 2007)
3. Develop a notification plan.
Now that your team has a grip on the incident and its potential impact, you need to decide who to tell, and in what order. If a potential crime has been committed, law enforcement might be one of your first calls. If you are planning to bring in third-party consultants, such as security experts or a computer forensics firm, you should bring them in as early as possible. (Wilson, 2007)
4. Begin remediating the problem.
Experts can never stress it enough: Never begin remediation until you fully understand the problem and its potential impact. Many experts say you shouldn't touch anything until a forensics team has been called in, lest you damage the evidence or make the problem worse. (Wilson, 2007)
5. Document everything.
Lack of documentation can not only make it difficult to rebuild your systems after an incident; it can also hurt your chances to make a case against an attacker in court, experts say. Throughout the assessment and remediation process, you should record everything, from how the incident was first detected to how the various members of the CSIRT team responded. (Wilson, 2007)
6. Develop a strategy for stopping the next attack.
Doing a post-mortem on a security incident or developing a plan for responding to the next one may seem like longer-term activities. But if one attacker finds a vulnerability, there's a good chance that he may have accomplices or that another attacker might find the same vulnerability. It's not unusual for attacks to come in bunches, so it's important to permanently seal off your leaks and decide how you will alter your response process if an incident occurs again, experts say. (Wilson, 2007)
Discuss the content that you would include in a public service announcement (PSA) informing the public of the breach and your plan to resolve the issue.
Dear Valued Customer,
On June 7, 2010 there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. An audit of our computer systems was conducted and the security breach was quickly identified by Information Technology staff and immediate action was taken to resolve this issue. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
AT&T is committed to making our data as secure as possible and is continually seeking ways to protect the private information of all customers. Our Information Technology Department is constantly reviewing systems and servers for break-ins, viruses or other problems. This was an isolated incident, caused by an outside source.
I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing and this security breach by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
Thank you very much for your understanding, and for being an AT&T customer. In the next few days, you will also receive this information via U.S. postal mail. (The Wall Street Journal, 2010)
Works Cited
Ethical Hacking. (2009, June 9). Retrieved February 26, 2011, from Small Business Protected: http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci921117,00.htm1
Perimeter. (2010, June 22). Retrieved February 26, 2011, from Subscribers information wasn’t the only thing captured in the Apple data breach: http://perimeterusa.com/blog/tag/data-breach/
The Wall Street Journal. (2010, June 13). Retrieved February 26, 2011, from WSJ Blogs: AT&T’s Letter to iPad Users on Security Breach.: http://blogs.wsj.com/digits/2010/06/13/atts-letter-to-ipad-users-on-security-breach/
Mills, E. (2011, January 26). Site of AT&T-iPad hackers is hacked. Retrieved February 26, 2011, from cnet News: http://news.cnet.com/8301-27080_3-20029734-245.html
Polom, F. (2010, December 26). Fpolom's Blog: Just another WordPress.com site. Retrieved February 26, 2011, from iPad's Security Breach: http://fpolom.wordpress.com/2010/12/26/ipads-breach-security/
Wilson, T. (2007, March 23). Security Dark Reading. Retrieved February 26, 2011, from What to Do When Your Security's Breached: http://www.darkreading.com/security/security-management/208804431/index.html