AT&T's iPad Leak Incident: Lessons Learned. Presented by: IT Realists, December 2010
The security incident
A security breach exposed iPad owners, including dozens of CEOs, military officials, and top politicians. The specific information exposed in the breach was subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID.
Impacts of the incident
Customers' email addresses were exposed. This could have led to other personal information being intercepted, or to the email addresses being spammed. It also showed a weak link in the security of both AT&T and Apple, which in turn could lead to the loss of existing customers and of potential future customers.
Major findings during investigation
The security hole grew out of an effort by the carrier to make it easier for customers to renew their subscription. Customers gave AT&T their email addresses when they signed up for cellular service. The carrier then pre-entered those addresses in a field on its website as a convenience, so customers would not have to retype them when they renewed. Goatse used the ICC-ID (integrated circuit card identifier) to get the email address of the iPad user. The ICC-ID identifies the SIM card of a device. Goatse obtained this number from pictures uploaded from the device. Because the ICC-ID was poorly encrypted on its way from the device to the Internet, Goatse could easily identify the user's ICC-ID.
Major findings during investigation (cont.)
AT&T left a script on its public website which, when handed an ICC-ID, responded with the email address of the subscriber. Although AT&T is protected by firewalls and uses intrusion detection software and equipment to identify unauthorized attempts to access the network, those controls had no bearing on the iPad breach.
Major findings during investigation (cont.)
AT&T closed the security hole as soon as it learned of the incident. The problem was that victims of the incident were not aware of it until days later. AT&T did not handle the incident well with the public: the apology letter seemed more focused on blaming the hackers than on apologizing to customers and reassuring them that their personal information and data was secure.
Immediate actions required
A vulnerability scan should be run immediately on all AT&T dynamic pages. We recommend purchasing the vulnerability scanning tools from Sword & Shield Enterprise Security for the following reason: there are many commercially available vulnerability scanning tools that give some indication of the vulnerabilities found, but they may produce false positives and may not find all vulnerabilities. Sword & Shield runs multiple tools, eliminates false positives, and creates a penetration test plan: thinking like an attacker and using the vulnerabilities found, they attempt to penetrate the network and reach valuable information. All of this work is manual and cannot be done effectively with automated tools alone. Estimated cost: $4,000+
Recommendations: Telecommunications
According to FCC regulations, telephone companies may use, disclose, or permit access to customer information only in the following circumstances: 1) as required by law; 2) with the customer's approval; or 3) in providing the service from which the customer information was obtained. It is understandable that AT&T wanted to make it easier for iPad users to renew their subscription, but that does not mean customer information can be compromised. AT&T should strictly follow the FCC regulation and provide the necessary protection for customer information.
Recommendations (cont.): Procedures
Audit recommended changes: AT&T needs a process in place to continually track the information that is exposed on its website. Had such a policy or procedure been in place, AT&T could have detected that any user was able to obtain sensitive subscriber information through a script. Physical recommended changes: we would also suggest that AT&T hire a person who continually reviews AT&T's website for any information that could harm AT&T or its users. In short, we believe AT&T needs a strong monitoring system to ensure outside users cannot access any information that could jeopardize AT&T or its users.
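One concrete form the monitoring recommended above could take is a log-based check that flags a client walking a subscriber lookup endpoint through many distinct or consecutive identifiers in a short window. This is an added example written for this page, not AT&T's tooling; the endpoint path /renew, the ICCID query parameter, the log lines, the IP addresses and the thresholds are all constructed assumptions.

```python
"""Detecting identifier enumeration against a lookup endpoint from web server logs.
Added example, not part of the slides; everything below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed combined-format access log lines. One client refreshes its own
# record twice, 90 minutes apart; another walks six consecutive ICC-IDs in 2 seconds.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2010:08:00:01 +0000] "GET /renew?ICCID=89014100000000000117 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:02 +0000] "GET /renew?ICCID=89014100000000000201 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:02 +0000] "GET /renew?ICCID=89014100000000000202 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:03 +0000] "GET /renew?ICCID=89014100000000000203 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:03 +0000] "GET /renew?ICCID=89014100000000000204 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:04 +0000] "GET /renew?ICCID=89014100000000000205 HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2010:08:00:04 +0000] "GET /renew?ICCID=89014100000000000206 HTTP/1.1" 200 512
203.0.113.10 - - [10/Jun/2010:09:30:00 +0000] "GET /renew?ICCID=89014100000000000117 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
# ICC-IDs are 18 to 20 decimal digits; the parameter name is an assumption.
ICCID_RE = re.compile(r"[?&]ICCID=(\d{18,20})")


def parse(log_text: str) -> List[Tuple[str, datetime, int]]:
    """Extract (client ip, timestamp, ICC-ID as int) for each lookup request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        idm = ICCID_RE.search(m["path"])
        if not idm:
            continue  # request did not carry an ICC-ID
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, int(idm.group(1))))
    return events


def longest_consecutive_run(sorted_ids: List[int]) -> int:
    """Length of the longest run of adjacent integers (n, n+1, n+2 ...)."""
    best = cur = 1 if sorted_ids else 0
    for a, b in zip(sorted_ids, sorted_ids[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def find_enumeration(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_distinct: int = 5, min_consecutive: int = 3) -> Dict[str, Dict[str, int]]:
    """Flag clients that, within any sliding time window, look up many distinct
    identifiers or walk consecutive ones (the sequential-ID weakness named in the
    conclusion). Returns {ip: {"distinct": n, "consecutive_run": m}} for flagged clients."""
    by_ip: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ip, ts, iccid in parse(log_text):
        by_ip[ip].append((ts, iccid))
    alerts: Dict[str, Dict[str, int]] = {}
    for ip, evts in by_ip.items():
        evts.sort()
        best = {"distinct": 0, "consecutive_run": 0}
        start = 0
        for end in range(len(evts)):
            while evts[end][0] - evts[start][0] > window:
                start += 1  # slide the window forward
            ids = sorted({i for _, i in evts[start:end + 1]})
            best["distinct"] = max(best["distinct"], len(ids))
            best["consecutive_run"] = max(best["consecutive_run"], longest_consecutive_run(ids))
        if best["distinct"] >= min_distinct or best["consecutive_run"] >= min_consecutive:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"enumeration suspected from {ip}: {stats}")
```

Run against the constructed log, the check reports only 198.51.100.7 (six distinct, six consecutive identifiers inside one window) and stays quiet for the client that twice asked about its own record. The consecutive-run test matters as much as the raw count: a dense, sequential identifier space is exactly what lets a low-rate walk look like ordinary traffic to a per-minute rate limit.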
Recommendations (cont.): Software
One possible way to increase information privacy is to change the use of the email address. Instead of linking the email address to the ICC-ID, a customer can create a username to replace the email address. The username and a password will then be used to log in, so when a customer logs in from their device, the username appears instead of an email address. Create an application to encrypt the ICC-ID numbers. This will protect the ICC-ID from hackers whenever anything is uploaded to the Internet.
Recommendations (cont.): Hardware
AT&T has not gone into detail about exactly what it uses for network intrusion detection or network hardware/software monitoring, but there are products that could have supported this purpose and protection. We recommend that AT&T adopt Fortinet's Web Application Security Solution. The FortiWeb solution drastically reduces the time required to protect regulated, confidential, or proprietary Internet-facing data.
Recommendations (cont.): People
We recommend sending the staff to the InfoSec Institute for Intrusion Prevention training. This recommendation is based on our observation of how the IT team performed before and after this incident: the IT manager and IT team should have had this authentication page fully tested and prepared before it went into a live production environment, and the IT team that set up the function and authentication page should have been able to shut the function down more quickly.
Conclusion
Applications frequently use the actual name or key of an object when generating web pages, and do not always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws, and code analysis quickly shows whether authorization is properly verified. Such flaws can compromise all the data that can be referenced by the parameter. Unless the namespace is sparse, it is easy for an attacker to access all available data of that type.
Conclusion (cont.)
Bad decisions made by AT&T: information leakage, trusting sequential numbers, relying on security through obscurity, and not respecting the boundary between internal and external data. This risk is a good example of where security needs to be applied in layers rather than as a single panacea that attempts to close the threat door in one go. Having said that, the core issue is undoubtedly access control, because once that is done properly the other defenses are largely redundant.
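To make the flaw and its fix concrete, the following Python sketch, added here and not taken from the slides or from AT&T, contrasts the lookup pattern described in the findings (hand over an ICC-ID, get back an email) with an access-controlled version that serves only the logged-in subscriber's own record, and with a renewal link that carries a random token instead of the ICC-ID so that the identifier namespace is sparse, in the conclusion's words. The subscriber table, the Session type and all function names are constructed for the example; the random-token approach is a substitute for the slides' own suggestion of encrypting the ICC-ID.

```python
"""Insecure direct object reference beside an access-controlled version.
Added example for this page; not AT&T's code. All data below is constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed subscriber table: ICC-ID -> email. The ICC-IDs are sequential,
# the property the conclusion calls "trusting sequential numbers".
SUBSCRIBERS: Dict[str, str] = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
    "89014100000000000003": "carol@example.com",
}


@dataclass
class Session:
    """Authenticated session (assumed type): which subscriber the caller has
    proven to be. None means the caller has not logged in."""
    subscriber_iccid: Optional[str]


def vulnerable_lookup(iccid: str) -> Optional[str]:
    """The pattern the findings describe: any caller who supplies an ICC-ID gets
    the matching email back. No authentication, no ownership check, and because
    the identifier space is dense and sequential, the whole table can be walked."""
    return SUBSCRIBERS.get(iccid)


def hardened_lookup(session: Session, iccid: str) -> Optional[str]:
    """Same interface, but the object reference is honoured only when the caller
    is logged in AND the referenced object is the caller's own."""
    if session.subscriber_iccid is None:
        return None  # unauthenticated: deny
    if not hmac.compare_digest(session.subscriber_iccid, iccid):
        return None  # authenticated, but asking about someone else's SIM: deny
    return SUBSCRIBERS.get(iccid)


def prefill_email(session: Session) -> Optional[str]:
    """Better still: do not accept the identifier from the client at all. The
    server already knows who is logged in and looks up its own record."""
    if session.subscriber_iccid is None:
        return None
    return SUBSCRIBERS.get(session.subscriber_iccid)


# Sparse references: a renewal link carries a random, single-use token, never the ICC-ID.
RENEWAL_TOKENS: Dict[str, str] = {}


def issue_renewal_token(iccid: str) -> str:
    """Mint an unguessable token bound server-side to the subscriber."""
    token = secrets.token_urlsafe(32)  # 256 random bits: the namespace is sparse
    RENEWAL_TOKENS[token] = iccid
    return token


def redeem_renewal_token(token: str) -> Optional[str]:
    """Resolve a token to the subscriber's email once; a replayed token yields nothing."""
    iccid = RENEWAL_TOKENS.pop(token, None)
    return SUBSCRIBERS.get(iccid) if iccid is not None else None


if __name__ == "__main__":
    print("vulnerable:", vulnerable_lookup("89014100000000000002"))
    print("hardened, wrong owner:", hardened_lookup(Session("89014100000000000001"), "89014100000000000002"))
    print("prefill for logged-in user:", prefill_email(Session("89014100000000000003")))
```

The three server-side functions show the layers the conclusion talks about: hardened_lookup adds the missing authorization check, prefill_email removes the client-supplied identifier entirely so there is nothing to tamper with, and the renewal token makes any remaining reference unguessable. Only the first of those is the "core issue"; the other two reduce blast radius if an authorization check is ever forgotten again.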
We believe that an incident like the iPad leak will not happen again if AT&T takes our recommendations seriously!
