Tag Archives | security

Do Math, Win the Lotto

Who wouldn’t like the idea of cracking the lottery? Just figure out the code, and incredible riches can be yours! But the lottery is unbreakable – audited by governments, contractors, corporations, and independent agencies; or at least that’s what they want you to think.

A professional statistician named Mohan Srivastava managed to discover a flaw in certain kinds of scratch-off lottery games that allows a player to get a winning edge by doing some simple math. Wired has the whole story, and it’s well worth reading. The summary is this:

Scratch-off lottery tickets aren’t totally random. A computer prints the tickets so that a certain number are guaranteed to win – thus meeting the odds requirements set by the laws of different states. That means that a computer program has to spit out both winning and non-winning scratch-off lottery tickets. The game that Mr. Srivastava cracked had two components – a visible grid of numbers and a scratch-off section with more numbers. You play the game by scratching off the hidden section and looking for tic-tac-toe patterns in the grid.

What Mr. Srivastava realized is that the winning tickets had a slightly different statistical distribution of data in the grid section than non-winning tickets. Knowing this, he could pick out winning tickets with 90% certainty, all without scratching a single lottery ticket.

What are some lessons for testers?

2010 Word of The Year: Privacy

I recently attended a marketing conference that discussed emerging technology trends.  When the panel was asked what was the single-word topic of 2010 they almost all said, “mobile”.  I didn’t think of it at the time but I’d argue that the word of the year is “privacy”.  That thought, coupled with a current email-based discussion I’m having with a luddite friend (he’s not on Facebook or LinkedIn), got me thinking about some of the privacy issues that we — as a global population of netizens — will face in 2011 and beyond.

Concern about privacy is hardly a new topic. Back in 1999 Scott McNealy, then the CEO of Sun Microsystems, notoriously said, “you have zero privacy. Get over it.” I love the brevity, Scott, but that is not going to get you on a Hallmark card anytime soon. Yes, the web brought on a change in the level of privacy that users may expect, but the role of marketing has always been to predict the intent of potential customers by tracking user behavior. Computers and the internet, however, have yielded a seismic shift in the cost, speed, availability and sheer amount of data – perhaps changing at a rate faster than humans can conceptually deal with, and thus creating debates about how to strike a balance in this brave new world.

In 2010, however, we’ve seen more information about the reconciliation of online and offline data. From cars, to finances, to the recent announcements about the TSA’s new full-body scanners, it’s no longer just our web browsing history that’s available to evil marketers like myself.  Here’s a quick rundown of a few privacy issues, how they can be exploited, and what you should know about protecting yourself:

Just “Checking-In” — Are We Taking LBS Privacy & Security Risks Seriously?

The impact of check-in services, like Foursquare, on personal privacy and security is yet again making top headlines. If you remember our most recent bug battle (The Check-In Challenge), more than 80% of respondents answered “Yes” when asked if they were concerned about how location-based services (LBS) could impact their personal privacy and safety. And 49% chose “privacy/security concerns” as the top reason they don’t use check-in services more often.

Yesterday, the security company WebRoot published a study with similar findings. After surveying 1,500+ social network users with geolocation-ready mobile devices, WebRoot found that more than half (55%) of respondents fear the loss of security and privacy, and 45% are very concerned about letting potential burglars know when they’re away from home (ah yes, the now shut down PleaseRobMe experiment comes to mind).

What’s most interesting to us is that 39% of those surveyed by Webroot said they use geolocation services, but take a look at the number of people that have fallen prey to social network cyber-criminals:

  • Nearly a quarter of respondents (22.4 percent) were victims of a phishing attempt to steal their social network password.
  • About one in six (16 percent) reported a malware infection in the past year that originated from a social networking site.
  • One in nine reported at least one of their social network accounts had been compromised or hijacked.

Even in the face of these risks, many consumers admitted to engaging in risky behaviors:

Best Seller or Best Set Up? 400 iTunes Accounts Hacked

This past weekend, Vietnamese developer Thuat Nguyen hacked into 400 iTunes accounts to catapult his apps to best seller status. Nguyen accomplished this by buying his own Books apps — using the hacked iTunes accounts — which boosted his app ratings and launched his apps to the top of the list. The result? 42 of Nguyen’s apps were among the ‘Top 50 Books’ and up to $500 was deducted from each iTunes account.

After tracking down Alex Brie, a developer who first discovered the issues, PC World reported:

“After Brie’s calculations, Nguyen would have needed at least 3,000 hacked iTunes accounts to reach the ranking he had on Sunday in the App Store…[and] Brie speculates that to achieve such high ratings for his apps, Nguyen had to hack into Apple’s iTunes servers and skip the normal security steps, or run an automated scripted program.”

According to Engadget, Apple responded last night:

The developer Thuat Nguyen and his apps were removed from the App Store for violating the developer Program License Agreement, including fraudulent purchase patterns…

I was under the impression that the App Store approval process was brutal. So, how did this rogue developer get through? What additional security measures and tests need to be put into place to prevent account fraud?

Security Bugs – Blame the Hackers?

News has been all over the web the past few days about the AT&T and iPad security breach. If you haven’t heard the details, in short a group of hackers discovered a vulnerability in AT&T’s private web APIs where one could send the ICC-ID from an iPad SIM card and AT&T’s servers would send back the corresponding owner’s email address – no authentication required. Since the ICC-IDs for the iPad are somewhat predictable, it was trivial for the hackers to send in thousands of semi-random guesses and collect any email addresses that came back. Some of those were addresses at domains like faa.gov and us.army.mil.

The hackers claim they reported the flaw to AT&T before sending their discovery to the fine folks at Gawker. AT&T, on the other hand, was not pleased to see their security problems appear in a popular tech blog at all, and had this to say in an email to their iPad customers:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses.

So who’s to blame for a problem like this? Is it AT&T, or do the hackers themselves deserve some of the blame for the public way they handled their disclosure? Give us your thoughts below.

Non-Latin URLs – Are You Ready for Testing?

Up until last week, Internet domain names were a pretty mature business. Then the folks at ICANN decided to shake things up by enabling non-Latin character ccTLDs (country code Top Level Domains – like .co.il and .co.uk). What does that mean for you? Well, here’s a quick test. Try visiting this URL: http://موقع.وزارة-الأتصالات.مصر/.

What you’re looking at is an Internationalized Domain Name, or IDN for short.  It doesn’t contain western or “Latin” letters, and chances are everything you know about URLs is about to get turned backwards (in this case, literally).  What’s worse is that different browsers handle this kind of domain name differently, and there’s no one right answer.

Are you a software tester?  Then your ship has come in because IDNs open up a whole new category of software bugs.  Let’s take a look at a few big trouble areas, but hang on tight because this gets goofy fast.

Facebook, South Park and the Value of User Feedback

For most software companies, user feedback generally comes in the form of emails, surveys, bug reports and the like. For Facebook, it recently came in the form of an entire South Park episode (warning: spoiler alert!).

Earlier this week, South Park lampooned the social media giant (along with Jim Cramer, chat roulette, Tron and Yahtzee) in an episode with major usability undertones. You can watch the entire episode here, but in case you’re at work, here’s a brief synopsis from Wikipedia:

When Kyle, Cartman and Kenny make Stan a Facebook profile without his knowledge, he becomes frustrated with everyone asking him for friend requests. After he gets fed up with Facebook, Stan tries to delete his profile but is sucked into a virtual Facebook world. Meanwhile, Kyle starts trying to find ways to get more friends on Facebook after he drastically starts losing them due to his befriending of a third-grade friendless Facebook user, who everyone thinks is a loser.

Compared to other South Park “guests”, Facebook made it through the episode relatively unscathed, and for that they should be thankful. That said, it’s still South Park, a place where weaknesses must be exploited. So, here are a few feedback items I was able to relate to typical user feedback:

T.W.I.T: The Heart Hacker – Pacemakers Vulnerable to Wireless Attacks

Before I get into the story of this fascinating bug, I wanted to take a moment to introduce you to T.W.I.T. We liked the “bug-iversary” concept so much here at uTest that we decided to make it a recurring column, called T.W.I.T. or This Week In Testing (also noting the happy coincidence that the word “twit” is synonymous with “fool” and “dope,” words that characterize many of these bug follies ;-)).

But I digress! So, this week in testing brings us an interesting heart device bug discovered March 12, 2008.

A team of computer security researchers were able to gain wireless access to a combination heart defibrillator and pacemaker. According to the New York Times,

[The researchers] were able to reprogram it to shut down and to deliver jolts of electricity that would potentially be fatal. The researchers said they had also been able to glean personal patient data by eavesdropping on signals from the tiny wireless radio embedded in the implant as a way to let doctors monitor and adjust it without surgery.

Full report and more after the bump!

Post to Twitter, Get Robbed

Sometimes new technologies can inflame old problems. For example, consider location-based social networks. Many sites like Twitter and Foursquare make it easy to post both what you’re doing and your current location. This is a great concept, and as technologies go there are huge possibilities for combining location information with social networking. But there’s just one catch: if you’re out and Tweeting about it, then you’re probably not at home. And that makes your home a perfect target for robbery.

To help people become more aware of the ramifications of announcing that their plasma TV is unguarded, a new site has appeared called Please Rob Me. Using the magic of social search, they track various networks and then list the posts from people who are clearly not at home. Of course, this has caused quite a stir online, as many have wondered whether or not something like this is legal, ethical, or even right.

Are You Updating IE Today? You Should!

Around 1:00 PM EST today, Microsoft will release an emergency patch for all versions of Internet Explorer. They’re issuing the patch today instead of on their usual timeline because of the recent security issues involving Google. It seems that hackers were able to target a previously unknown bug in IE as part of their attack against several accounts with Google. ZDNet quotes a spokesman from Microsoft saying:

“(W)e will be releasing MS10-002 (on) January 21, 2010. We are planning to release the update as close to 10:00 a.m. PST as possible. This is a standard cumulative update, accelerated from our regularly scheduled February release, for Internet Explorer with an aggregate severity rating of Critical. It addresses the vulnerability related to recent attacks against Google and a small subset of corporations, as well as several other vulnerabilities. Once applied, customers are protected against the known attacks that have been widely publicized. We recommend that customers install the update as soon as it is available. For customers using automatic updates, this update will automatically be applied once it is released.”

If you run Internet Explorer (and statistics say that 62% of you do), run Microsoft Update a little after 10:00 AM PST and make sure you grab this update. And if you run an IT department, you should consider deploying the patch to your users as soon as you can.

SSL Bug Slaps Twitter

When your app gets hacked because of a bug in your code, that’s pretty bad. But when your app gets hacked because of a bug in an underlying protocol that’s a building block of the Internet, then you’re looking at a really serious problem.

Such is the case with Twitter, which last week was shown to be vulnerable to a bug in the SSL standard.  SSL is the protocol that encrypts data going back and forth on the web, keeping our credit card numbers, usernames, passwords, and everything else safe and secure.  The trouble is, it’s broken and has been since the mid-1990s.

Right now, the IETF (the standards-setting body for the Internet and the closest thing to an Internet Illuminati) has started drafting an update for SSL, but such things take time. In the meantime, sites like Twitter are suffering the consequences.

Security Threats To Rise For Mobile Apps

Mobile is the next great frontier for games, music, media and more. In fact, Gartner says that more than 139 million smartphones were sold last year. And the phone makers aren’t slowing down: Apple is planning to launch the iPhone into the Chinese market, and a more affordable Android handset is expected to hit the market by the end of ’09. But haven’t we all learned that big markets make big targets — for VC dollars, for advertisers, for media coverage… and for hackers.

Doug Gross wrote a very interesting article over at CNN Tech about the one trend that could threaten to derail the otherwise unstoppable mobile movement.

Security analysts say they’ve already seen all of the major online threats — Trojan horses, viruses, worms — spreading on smartphones, often through e-mail attachments sent to the phones.

And as mobile apps have evolved from games and tip calculators to company email, financial transactions and other mission-critical activities, the risk of security exploits grows considerably for mobile users and their employers.

The good news, experts say, is that phones present problems for hackers and other bad guys that traditional computers don’t.

Most viruses and other malware are designed for Windows, because that’s the most popular operating system. Since smartphones use a variety of different platforms, someone writing malicious software needs to pick and choose.

Wow, getting code to work across mobile platforms is so hard that even the hackers are having trouble!
