Entrepreneurial_Leadership

iPad’s Security Breach Zul-Jalaal Abdullah Strayer University Shelby Oaks campus Business Enterprise-508 April 21, 2011 Dr. Carolyn Tippett Discuss Goatse Security firm possible objective when they hacked into AT&T’s Website. Here’s what happened: Goatse Security discovered a rather stupid vulnerability on the AT&T site that returned a customer email if a valid serial number for the iPAD sim card was entered. (Arrington, 2010, para. 2). An invalid number returned nothing, a valid number returned a customer email address. Goatse created a script and quickly downloaded 114,000 customer emails. It was then turned over to Gawker, after, they say, AT&T was notified and the vulnerability was closed (Arrington, 2010, para. 2). Gawker published some of the data with the emails removed. Stated Goatse: “All data was gathered from a public web server with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word. ”(Arrington, 2010, para. 2). AT&T is characterizing the incident as “unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service (Arrington, 2010, para. 3). ”We don’t see much hacking here, and we don’t see anything really malicious (Arrington, 2010, para. 3). AT&T was effectively publishing the information on the open Internet, and if there’s an FBI investigation, it should be focused on them, not Goatse. The fact is that Goatse was performing a public service by discovering and publishing the vulnerability – they made the Internet slightly safer by doing so. I agree completely with their blog post responding to the AT&T letter. Unless additional facts come out suggesting that Goatse has used the information inappropriately, such as selling it, or has otherwise done some act hasn’t yet been alleged, they are completely in the right here. Argue for or against computer hacking as an ethical corporate strategy for computer security firms: We don’t see much hacking here, and we don’t see anything really malicious. AT&T was effectively publishing the information on the open Internet, and if there’s an FBI investigation, it should be focused on them, not Goatse. The fact is that Goatse was performing a public service by discovering and publishing the vulnerability – they made the Internet slightly safer by doing so. I agree completely with their blog post responding to the AT&T letter. Unless additional facts come out suggesting that Goatse has used the information inappropriately, such as selling it, or has otherwise done some bad act hasn’t yet been alleged, they are completely in the right here. In fact, companies like AT&T should offer people a reward for discovering vulnerabilities like this, although they’d probably ask that the information be given to them privately after discovered. But by shaming AT&T publicly other companies may take security marginally more seriously, which is good for users. And AT&T customers need to know that AT&T is so careless about security. And AT&T customers need to know that AT&T is so careless about security. we we’re doing something we’ve never done before – awarding Goatse a Crunchie award for public service – a beautiful 14 inch tall custom designed gorilla statue celebrating technology. Until now we’ve only given these awards at our annual Crunchies award ceremony.(“,Tech Cruch”,2011pare3). Discuss whether or not Gawker Media acted socially responsible when it reported the security breach before Apple and /or AT&T had responded to the public AT&T is doing what they can to both fix what’s happened and ensure that it doesn’t happen again in the future. In the meantime, here’s your chance to ask questions about your commenting accounts, vent, or just help each other with issues you have. We’ll drop in as much as we can, and you have a right to be. We’re upset, as well, and deeply embarrassed about the breach. Rest assured between dealing with all the issues that have surfaced in the last 24 hours. “AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.(“,http://gawker.com”,2011, para. 3 ). As the AT&T CEO, discuss how you would respond differently to this security breach June 13, 2010. Dear Valued AT&T Customer, Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. AT&T apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence. Here’s some additional detail: On June 7AT&T learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen. The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity. As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password. I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected. While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website. A T&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law. AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer. Sincerely, Dorothy Attwood Senior Vice President, Public Policy and Chief Privacy Officer for AT&T. (“Arrington M, 2010, para1).being an AT&T customer. Sincerely, Dorothy AttwoodSenior Vice President, Public Policy and Chief Privacy Officer for AT&T. (“Arrington M, 2010, para1). Discuss the content that you would include in a public service announcement (PSA) informing the public of the breach and your plan to resolve the issue. Dear Valued Customer of AT&T There was an issue which have affected AT&T: customers surrounding the AT&T 3G service iPad. This resulted from some release of some customers e-mail address. This letter is being written to let you know that the report that AT&T had not received no other information that had been exposed and the matter has been resolved. AT&T apologizes for this incident that has brought a lot of inconvenience to a lot AT&T customers. The AT&T customers can rest assure that they can continue to use their AT&T 3G service on their iPad with great confidence. Here is some additional information. June the 7th learned that unauthorized computer hackers had maliciously exploited a function that was designed for your log-in process which made it faster , by pre-populating authentication page with the e-mail address that you used to register the iPad that you use for the 3G service. This self described hacker wrote the codes to randomly generate numbers that appeared the same as the serial numbers of the AT&T SIM card for the iPad – which is called the integrated circuit card identification (ICC-ID) – and continue to queried an AT&T web address. The numbers that were generated by the hackers did match and the match ICC-IDnumbers on the page had been authenticated the log- in screen had returned the e-mail address associated with the ICC-ID that had already been on the screen. While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about hacking by visiting the AT&T ebsite. other data or send you unwanted email. You can learn more about hacking by visiting the AT&T ebsite. AT&T ebsite. other data or send you unwanted email. You can learn more about hacking by visiting the AT&T ebsite. References Ryan, T. (2010). AT&T fights spreading iPad Fear. Retrieved February12, 2011 from http://valleywag.gawker.com/#!5559725/att-fights-spreading-ipad-fear Rayan, T.(2010). Apple’s Worst Security Breach: 114,000 iPad Owners Exposed. Retrieved March 16, 2011 from http://gawker.com/ (“Tech Crunch”, 2010 Citrin,Jim. (2006). Leadership, Steve Case Style. Retrieved 01/19/11 from http://au.pfinance. yahoo.com/b/leadership/6/leadership-steve-case-style para2).