This Time, Citizens Collect Feds’ Communications Metadata

Joel Page/AP file photo

As recently as August, a Verizon glitch exposed government officials' text message histories in a way that would have allowed anyone to discern their inner circles, according to security researchers. The vulnerability was fixed after a non-government customer pointed out the danger to the company this summer. 

Attackers could simply type their target's phone number into a URL to see a spreadsheet of text message contacts, timestamps and dates, according to researchers. The content of the messages was not visible. 

"This was a very basic Web application security flaw that was trivial to exploit. All you need is a browser, no special hacking tool," said Johannes B. Ullrich, dean of research for the SANS Technology Institute. 

According to a report by Kaspersky Lab on Monday, "Modifying the digits at the end, which represent the subscriber’s phone number, would grant the attacker access to whatever account he chose.”

Verizon Communications, as of September, was the largest telecommunications supplier to the federal government.

Verizon officials said no government users, or any other users, were affected by the bug. "No customer information was impacted," company spokesman Kevin Irland said. "Verizon takes customer privacy seriously. As soon as this was brought to the attention of our security teams, we addressed it."

Ullrich, however, said customer data must have been impacted, unless Verizon checked every Web log to rule out the possibility that an outsider had viewed the user’s information. Irland did not respond when asked whether the company examined all communication records.
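The two points made above, a handler that authenticates the user but never checks that the account number in the URL belongs to that user, and the after-the-fact web-log review Ullrich says would be needed to rule out unauthorized access, as an added illustration. This is not Verizon's code and is not taken from the Kaspersky or SANS reports; the endpoint path, session layout, phone numbers and log-line format are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample data (not real subscribers): each key is the phone number
# that owns the list of numbers it has exchanged text messages with.
SMS_CONTACTS: Dict[str, List[str]] = {
    "2025550101": ["2025550199", "2025550150"],
    "2025550102": ["2025550180"],
}


@dataclass
class Session:
    """The authenticated user's identity, as established at login."""
    subscriber: str  # phone number of the logged-in account


class Forbidden(Exception):
    """Raised when a request targets an account the session does not own."""


def history_vulnerable(session: Session, requested_number: str) -> List[str]:
    """Insecure direct object reference: the handler requires a logged-in
    session but then trusts the number taken from the URL, so any subscriber
    can read any other subscriber's contact list."""
    return list(SMS_CONTACTS.get(requested_number, []))


def history_fixed(session: Session, requested_number: str) -> List[str]:
    """Object-level authorization: the account named in the URL must be the
    account the session belongs to. The URL parameter is never treated as
    proof of ownership."""
    if requested_number != session.subscriber:
        raise Forbidden(f"session for {session.subscriber} may not read {requested_number}")
    return list(SMS_CONTACTS.get(requested_number, []))


# Constructed access-log format (assumption): timestamp, authenticated
# subscriber, method, path, status. The third line is a cross-account read.
SAMPLE_ACCESS_LOG = """\
2013-09-01T10:15:02Z sub=2025550101 GET /sms/history/2025550101 200
2013-09-01T10:16:44Z sub=2025550102 GET /sms/history/2025550102 200
2013-09-01T10:17:09Z sub=2025550101 GET /sms/history/2025550102 200
2013-09-01T10:18:30Z sub=2025550101 GET /account/summary 200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sub=(?P<session_sub>\d+) (?P<method>\S+) "
    r"/sms/history/(?P<requested>\d+) (?P<status>\d{3})$"
)


def find_cross_account_reads(log_text: str) -> List[Tuple[str, str, str]]:
    """Retrospective check of the kind Ullrich describes: scan every request
    to the history endpoint and return (timestamp, session subscriber,
    requested number) for each successful read of an account other than the
    session's own. Requests to other endpoints are ignored."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            continue
        if m["status"] == "200" and m["session_sub"] != m["requested"]:
            hits.append((m["ts"], m["session_sub"], m["requested"]))
    return hits


if __name__ == "__main__":
    other = Session("2025550101")
    print("vulnerable handler returns:", history_vulnerable(other, "2025550102"))
    try:
        history_fixed(other, "2025550102")
    except Forbidden as exc:
        print("fixed handler refuses:", exc)
    print("cross-account reads in log:", find_cross_account_reads(SAMPLE_ACCESS_LOG))
```

The fix is a single comparison, which is why Ullrich calls the flaw basic: the application already knew who was logged in and simply never compared that identity with the record being requested. The log scan shows why "no customer information was impacted" can only be asserted after every request to the endpoint has been checked for a mismatch between session owner and requested account.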

Verizon would not be the first mobile carrier to accidentally display customer data.  

"Sadly, these authentication bypass flaws are very common," Ullrich said. 

This error somewhat resembles one triggered on AT&T’s site in 2010, leading to the exposure of personal information belonging to about 120,000 iPad owners, according to Kaspersky researchers.

Andrew Auernheimer, nicknamed “Weev,” shared the data with the media, was convicted of data theft and other crimes, and now is serving more than three years in prison.

Compared to the AT&T iPad situation, Ullrich said, "I think the Verizon leak was worse, maybe they just got lucky that nobody exploited it."
