This Time, Citizens Collect Feds’ Communications Metadata

Joel Page/AP file photo

As recently as August, a Verizon glitch exposed government officials' text message histories in a way that would have allowed anyone to discern their inner circles, according to security researchers. The vulnerability was fixed after a non-government customer pointed out the danger to the company this summer. 

Attackers could simply type their target's phone number into a URL to see a spreadsheet of text message contacts, timestamps and dates, according to researchers. The content of the messages was not visible. 

"This was a very basic Web application security flaw that was trivial to exploit. All you need is a browser, no special hacking tool," said Johannes B. Ullrich, dean of research for the SANS Technology Institute. 

According to a report by Kaspersky Lab on Monday, "Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose.”
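The flaw described above is a missing object-level authorization check: the server looks up whatever number appears in the URL and only confirms that someone is logged in. The following added example (not Verizon's code; the subscriber data, session object and handler names are constructed for illustration) shows that pattern next to a hardened lookup that binds the record to the authenticated subscriber.

```python
from dataclasses import dataclass

# Constructed sample data: subscriber number -> text-message metadata
# rows (contact number, timestamp). Message content is never stored here,
# matching the article: only contacts and timestamps were exposed.
MESSAGE_LOG = {
    "2025550101": [("2025550199", "2013-08-01T09:14"),
                   ("2025550142", "2013-08-02T17:03")],
    "2025550177": [("2025550105", "2013-08-03T11:20")],
}


@dataclass
class Session:
    authenticated: bool
    subscriber: str  # number of the account that actually logged in


class Forbidden(Exception):
    pass


def history_vulnerable(session, requested_number):
    """Mirrors the reported bug: the number at the end of the URL is used
    directly as the lookup key. The only check is 'is someone logged in',
    so changing the digits returns another subscriber's contact list."""
    if not session.authenticated:
        raise Forbidden("login required")
    return MESSAGE_LOG.get(requested_number, [])


def history_hardened(session, requested_number):
    """Object-level authorization: the record is tied to the authenticated
    subscriber, and a URL parameter naming any other account is rejected
    before any data is read."""
    if not session.authenticated:
        raise Forbidden("login required")
    if requested_number != session.subscriber:
        raise Forbidden("account does not belong to this session")
    return MESSAGE_LOG.get(session.subscriber, [])


def demo():
    """Same logged-in user requests a different subscriber's history."""
    alice = Session(authenticated=True, subscriber="2025550101")
    other = "2025550177"
    leaked = history_vulnerable(alice, other)  # returns the other account's rows
    try:
        history_hardened(alice, other)
        blocked = False
    except Forbidden:
        blocked = True
    return len(leaked), blocked  # (1, True)
```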

Verizon Communications, as of September, was the largest telecommunications supplier to the federal government.

Verizon officials said no government users, or any other users, were affected by the bug. "No customer information was impacted," company spokesman Kevin Irland said. "Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it."

Ullrich, however, said customer data must have been impacted, unless Verizon checked every Web log to rule out the possibility that an outsider had viewed the user’s information. Irland did not respond when asked whether the company examined all communication records.

Verizon would not be the first mobile carrier to accidentally display customer data.

"Sadly, these authentication bypass flaws are very common," Ullrich said. 

This error somewhat resembles one triggered on AT&T’s site in 2010, leading to the exposure of personal information belonging to about 120,000 iPad owners, according to Kaspersky researchers.

Andrew Auernheimer, nicknamed “Weev,” shared the data with the media, was convicted of data theft and other crimes, and now is serving more than three years in prison.

Compared to the AT&T iPad situation, Ullrich said, "I think the Verizon leak was worse, maybe they just got lucky that nobody exploited it."
