
This Time, Citizens Collect Feds’ Communications Metadata


As recently as August, a Verizon glitch exposed government officials' text message histories in a way that would have allowed anyone to discern their inner circles, according to security researchers. The vulnerability was fixed after a non-government customer pointed out the danger to the company this summer. 

Attackers could simply type their target's phone number into a URL to see a spreadsheet of text message contacts, timestamps and dates, according to researchers. The content of the messages was not visible. 

"This was a very basic Web application security flaw that was trivial to exploit. All you need is a browser, no special hacking tool," said Johannes B. Ullrich, dean of research for the SANS Technology Institute. 

According to a report by Kaspersky Lab on Monday, "Modifying the digits at the end, which represent the subscriber's phone number, would grant the attacker access to whatever account he chose."

Verizon Communications, as of September, was the largest telecommunications supplier to the federal government.

Verizon officials said no government users, or any other users, were affected by the bug. "No customer information was impacted," company spokesman Kevin Irland said. "Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it."

Ullrich, however, said customer data must have been impacted, unless Verizon checked every Web log to rule out the possibility that an outsider had viewed the user’s information. Irland did not respond when asked whether the company examined all communication records.
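To make the two points above concrete (the URL-keyed lookup Kaspersky describes and the web-log check Ullrich raises), here is an added example; it is not Verizon's code or anything from the article. It shows a constructed metadata endpoint as it looks without an ownership check beside the fixed version, and a scan over constructed access-log lines that flags sessions requesting many distinct numbers. The path layout, session ids and phone numbers are all assumptions.

```python
import re
from dataclasses import dataclass
# Constructed sample data: placeholder numbers, not real subscribers.
SMS_METADATA = {
    "5550100001": [("5550100002", "2013-08-01T09:15:00Z")],
    "5550100002": [("5550100003", "2013-08-02T11:42:00Z")],
}
PATH_RE = re.compile(r"^/sms/metadata/(\d{10})$")

@dataclass
class Request:
    path: str                    # e.g. "/sms/metadata/5550100001"
    session_phone: "str | None"  # number the login session was issued for

def vulnerable_handler(req):
    """Being logged in is the only check: editing the digits reads any account."""
    if req.session_phone is None:
        return 401, None
    m = PATH_RE.match(req.path)
    if not m:
        return 404, None
    return 200, SMS_METADATA.get(m.group(1), [])

def hardened_handler(req):
    """Same endpoint, with the requested number bound to the session's identity."""
    if req.session_phone is None:
        return 401, None
    m = PATH_RE.match(req.path)
    if not m:
        return 404, None
    if m.group(1) != req.session_phone:
        return 403, None  # deny; the access log now records the attempt
    return 200, SMS_METADATA.get(m.group(1), [])

# Constructed access-log lines, "<session id> <request path>".
SAMPLE_LOG = ["sess-a /sms/metadata/5550100001",
              "sess-b /sms/metadata/5550100001",
              "sess-b /sms/metadata/5550100002",
              "sess-b /sms/metadata/5550100003"]

def flag_enumeration(log_lines, threshold=2):
    """Log review: sessions that fetched more distinct numbers than threshold."""
    seen = {}
    for line in log_lines:
        session, path = line.split()[:2]
        m = PATH_RE.match(path)
        if m:
            seen.setdefault(session, set()).add(m.group(1))
    return sorted(s for s, nums in seen.items() if len(nums) > threshold)
```

The hardened handler returns 403 for a mismatched number, so the log scan has something to find; on the vulnerable handler the same request succeeds silently.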

Verizon would not be the first mobile carrier to accidentally display customer data.  

"Sadly, these authentication bypass flaws are very common," Ullrich said. 

This error somewhat resembles one triggered on AT&T’s site in 2010, leading to the exposure of personal information belonging to about 120,000 iPad owners, according to Kaspersky researchers.

Andrew Auernheimer, nicknamed “Weev,” shared the data with the media, was convicted of data theft and other crimes, and now is serving more than three years in prison.

Compared to the AT&T iPad situation, Ullrich said, "I think the Verizon leak was worse, maybe they just got lucky that nobody exploited it."
