Top Security Hacks of 2011

We’re just about halfway through the year but I’m calling it now: 2011 is the year of the hacker. Grim? Maybe. Just about every week there has been a new story about a company being hacked, and it’s costing companies millions of dollars and even more in brand reputation.

While only two of these hacks really impacted a company I use heavily, I thought I’d do a quick countdown on the top hacks of 2011 and the associated costs.

7) DropBox
The file-sharing site opened the doors for four hours this week, allowing anyone with a login to access other accounts. It turns out that it was a self-inflicted wound: DropBox broke their own authentication system. While the financial impact probably won’t be released, just browse through the 600+ customer comments to see how the issue and their response impacted their brand. It’s a bug, not a hack, but certainly something that could have been avoided with ample testing prior to a full launch.

Responsible: Themselves.

Cost: A self-reported “much less than 1%” of their more than 25 million users were impacted to an undisclosed extent.

6) MovableType / PBS.org
In pure retaliation, a group of hackers targeted PBS.org in response to an episode of Frontline’s portrayal of WikiLeaks leaker Bradley Manning. The hackers gained control of PBS.org and republished false information. PBS was not able to immediately regain control and was forced to use their Facebook page as their primary news source.

Responsible: LulzSec.

Cost: One of their Sr. Correspondents, Judy Woodruff, wrote a post on “Calculating the Cost of an Attempt to Silence the Press”.  While they didn’t disclose any financial costs or specific user information loss, it has certainly been a struggle for them to regain control of their site and all of their content.


Do Math, Win the Lotto

Who wouldn’t like the idea of cracking the lottery? Just figure out the code, and incredible riches can be yours! But the lottery is unbreakable – audited by governments, contractors, corporations, and independent agencies; or at least that’s what they want you to think.

A professional statistician named Mohan Srivastava managed to discover a flaw in certain kinds of scratch-off lottery games that allows a player to get a winning edge by doing some simple math. Wired has the whole story, and it’s well worth reading. The summary is this:

Scratch-off lottery tickets aren’t totally random. A computer prints the tickets so that a certain number are guaranteed to win – thus meeting the odds requirements set by the laws of different states. That means that a computer program has to spit out both winning and non-winning scratch-off lottery tickets. The game that Mr. Srivastava cracked had two components – a visible grid of numbers and a scratch-off section with more numbers. You play the game by scratching off the hidden section and looking for tic-tac-toe patterns in the grid.

What Mr. Srivastava realized is that the winning tickets had a slightly different statistical distribution of data in the grid section than non-winning tickets. Knowing this, he could pick out winning tickets with 90% certainty, all without scratching a single lottery ticket.

What are some lessons for testers?


2010 Word of The Year: Privacy

I recently attended a marketing conference that discussed emerging technology trends.  When the panel was asked what was the single-word topic of 2010 they almost all said, “mobile”.  I didn’t think of it at the time but I’d argue that the word of the year is “privacy”.  That thought, coupled with a current email-based discussion I’m having with a luddite friend (he’s not on Facebook or LinkedIn), got me thinking about some of the privacy issues that we — as a global population of netizens — will face in 2011 and beyond.

Concern about privacy is hardly a new topic. Back in 1999 Scott McNealy, then the CEO of Sun Microsystems, notoriously said, “You have zero privacy. Get over it.” I love the brevity, Scott, but that is not going to get you on a Hallmark card anytime soon. Yes, the web brought on a change in the level of privacy that users may expect, but the role of marketing has always been to predict the intent of potential customers by tracking user behavior. Computers and the internet, however, have yielded a seismic shift in the cost, speed, availability and sheer amount of data – perhaps changing at a rate faster than humans can conceptually deal with, and thus creating debates about how to strike a balance in this brave new world.

In 2010, however, we’ve seen more information about the reconciliation of online and offline data. From cars, to finances, to the recent announcements about the TSA’s new full-body scanners, it’s no longer just our web browsing history that’s available to evil marketers like myself.  Here’s a quick rundown of a few privacy issues, how they can be exploited, and what you should know about protecting yourself:


Just “Checking-In” — Are We Taking LBS Privacy & Security Risks Seriously?

The impact of check-in services, like Foursquare, on personal privacy and security is yet again making top headlines. If you remember our most recent bug battle (The Check-In Challenge), more than 80% of respondents answered “Yes” when asked if they were concerned about how location-based services (LBS) could impact their personal privacy and safety. And 49% chose “privacy/security concerns” as the top reason they don’t use check-in services more often.

Yesterday, the security company Webroot published a study with similar results. After surveying 1,500+ social network users with geolocation-ready mobile devices, Webroot found that more than half (55%) of respondents fear the loss of security and privacy, and 45% are very concerned about letting potential burglars know when they’re away from home (ah yes, the now shut down PleaseRobMe experiment comes to mind).

What’s most interesting to us is that 39% of those surveyed by Webroot said they use geolocation services, but take a look at the number of people who have fallen prey to social network cyber-criminals:

  • Nearly a quarter of respondents (22.4 percent) were victims of a phishing attempt to steal their social network password.
  • About one in six (16 percent) reported a malware infection in the past year that originated from a social networking site.
  • One in nine reported at least one of their social network accounts had been compromised or hijacked.

Even in the face of these risks, many consumers admitted to engaging in risky behaviors:


Best Seller or Best Set Up? 400 iTunes Accounts Hacked

This past weekend, Vietnamese developer Thuat Nguyen hacked into 400 iTunes accounts to catapult his apps to best seller status. Nguyen accomplished this by buying his own Books apps — using the hacked iTunes accounts — which boosted his app ratings and launched his apps to the top of the list. The result? 42 of Nguyen’s apps were among the ‘Top 50 Books’ and up to $500 was deducted from each iTunes account.

After tracking down Alex Brie, a developer who first discovered the issues, PC World reported:

“After Brie’s calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store…[and] Brie speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple’s iTunes servers and skip the normal security steps, or run an automated scripted program.”

According to Engadget, Apple responded last night:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the Developer Program License Agreement, including fraudulent purchase patterns…

I was under the impression that the App Store approval process was brutal. So, how did this rogue developer get through? What additional security measures and tests need to be put into place to prevent account fraud?

Security Bugs – Blame the Hackers?

News has been all over the web the past few days about the AT&T and iPad security breach. If you haven’t heard the details, in short, a group of hackers discovered a vulnerability in AT&T’s private web APIs where one could send the ICC-ID from an iPad SIM card and AT&T’s servers would send back the corresponding owner’s email address – no authentication required. Since the ICC-IDs for the iPad are somewhat predictable, it was trivial for the hackers to send in thousands of semi-random guesses and collect any email addresses that came back. Some of those addresses belonged to people at domains like faa.gov and us.army.mil.

The hackers claim they reported the flaw to AT&T before sending their discovery to the fine folks at Gawker. AT&T, on the other hand, was not pleased to see their security problems appear in a popular tech blog at all, and had this to say in an email to their iPad customers:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.

So who’s to blame for a problem like this? Is it AT&T, or do the hackers themselves deserve some of the blame for the public way they handled their disclosure? Give us your thoughts below.

Non-Latin URLs – Are You Ready for Testing?

Up until last week, Internet domain names were a pretty mature business. Then the folks at ICANN decided to shake things up by enabling non-Latin character ccTLDs (country code Top Level Domains – like .co.il and .co.uk). What does that mean for you? Well, here’s a quick test. Try visiting this URL: http://موقع.وزارة-الأتصالات.مصر/.

What you’re looking at is an Internationalized Domain Name, or IDN for short.  It doesn’t contain western or “Latin” letters, and chances are everything you know about URLs is about to get turned backwards (in this case, literally).  What’s worse is that different browsers handle this kind of domain name differently, and there’s no one right answer.

Are you a software tester?  Then your ship has come in because IDNs open up a whole new category of software bugs.  Let’s take a look at a few big trouble areas, but hang on tight because this gets goofy fast.


Facebook, South Park and the Value of User Feedback

For most software companies, user feedback generally comes in the form of emails, surveys, bug reports and the like. For Facebook, it recently came in the form of an entire South Park episode (warning: spoiler alert!).

Earlier this week, South Park lampooned the social media giant (along with Jim Cramer, chat roulette, Tron and Yahtzee) in an episode with major usability undertones. You can watch the entire episode here, but in case you’re at work, here’s a brief synopsis from Wikipedia:

When Kyle, Cartman and Kenny make Stan a Facebook profile without his knowledge, he becomes frustrated with everyone asking him for friend requests. After he gets fed up with Facebook, Stan tries to delete his profile but is sucked into a virtual Facebook world. Meanwhile, Kyle starts trying to find ways to get more friends on Facebook after he drastically starts losing them due to his befriending of a third-grade friendless Facebook user, who everyone thinks is a loser.

Compared to other South Park “guests”, Facebook made it through the episode relatively unscathed, and for that they should be thankful. That said, it’s still South Park, a place where weaknesses must be exploited. So, here are a few feedback items I was able to relate to typical user feedback:


T.W.I.T: The Heart Hacker – Pacemakers Vulnerable to Wireless Attacks

Before I get into the story of this fascinating bug, I wanted to take a moment to introduce you to T.W.I.T. We liked the “bug-iversary” concept so much here at uTest that we decided to make it a recurring column, called T.W.I.T. or This Week In Testing (also noting the happy coincidence that the word “twit” is synonymous with “fool” and “dope,” words that characterize many of these bug follies ;-)).

But I digress! So, this week in testing brings us an interesting heart device bug discovered March 12, 2008.

A team of computer security researchers was able to gain wireless access to a combination heart defibrillator and pacemaker. According to the New York Times,

[The researchers] were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal. The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio embedded in the implant as a way to let doctors monitor and adjust it without surgery.

Full report and more after the bump!


Post to Twitter, Get Robbed

Sometimes new technologies can inflame old problems. For example, consider location-based social networks. Many sites like Twitter and Foursquare make it easy to post both what you’re doing and your current location. This is a great concept, and as technologies go there are huge possibilities for combining location information with social networking. But there’s just one catch: if you’re out and Tweeting about it, then you’re probably not at home. And that makes your home a perfect target for robbery.

To help people become more aware of the ramifications of announcing that their plasma TV is unguarded, a new site has appeared called Please Rob Me. Using the magic of social search, they track various networks and then list the posts from people who are clearly not at home. Of course, this has caused quite a stir online, as many have wondered whether or not something like this is legal, ethical, or even right.
