September 6, 2001 (Computerworld) --
Security experts discovered a flaw this week in the Web site operated by Verizon Wireless that potentially exposed the private customer information of those who used the Web site to view their personal cell phone bills.
Marc Slemko, a Seattle-based software developer, posted the warning Sept. 1 on the BugTraq security mailing list after notifying Verizon of the problem on Aug. 19 and receiving no response. Half a dozen other security experts later confirmed his findings.
The privacy hole affected users who logged on to the Verizon Wireless Web site and used the My Account feature to view or change their cell phone billing and account information. The Web site address for the feature assigns session identifications sequentially as each user logs in. The IDs are valid until the user logs out or the session times out. However, because it's the only session ID used, Slemko said it's easy to manually access the account of other users by guessing their session IDs. In addition, "automated tools [can] grab this information in bulk as users login over time," he wrote.
The vulnerability put at risk such information as names, addresses, records of calls placed and received, along with the phone number and approximate location of the user when the call was made, according to Slemko and others.
Brian Wood, a spokesman for Bedminster, N.J.-based Verizon Wireless, said IT workers at the company fixed the hole as of 5 a.m. EDT yesterday. When asked why it took Verizon so long to act on Slemko's Aug. 19 alert, Wood said Slemko didn't properly "escalate" his query.
"You have five different options to contact us on the Web site. His e-mail apparently went into the normal e-mail box and was handled by a front-line customer service representative," said Wood. "It kind of got bogged down in the system." However, Wood also said previous security tests run by Verizon on the site hadn't uncovered the flaw.
Wood said the flaw affected only a portion of the users who signed up for online billing. The hole was never an issue for former customers of Bell Atlantic Mobile, GTE Wireless, AirTouch Cellular or PrimeCo Personal Communications -- the companies that now make up Verizon Wireless.
"We've not seen any evidence that someone might have taken advantage of this hole," he said.
However, Verizon, which serves more than 28 million wireless customers, isn't alone in suffering from predictable online session IDs, according to a study presented at last month's 10th annual Usenix security conference by Kevin Fu and two other researchers at the MIT Laboratory for Computer Science. Of the 27 sites they investigated, many were found to
"Well, this malware attack approach is a new one to me. If you're like a lot of people, copying and..."
Read more...
"Angelina Jolie pregnancy was not a hoax; John McCain is not going to Vietnam as part of his presidential campaign;..."
Read more... Read more Security posts or See all Blogs
The x86's lineage can be traced back to 1968, to a design on a napkin drawn by Austin O. "Gus" Roche, an all-but-forgotten engineer in Texas who was obsessed with creating a personal computer.
Why SaaS is Vital to Email and Web Security Download this free webcast, for a limited time, compilments of Webroot Software! Go to the webcast
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing
Windows® Enterprise Data Protection with Symantec Backup Exec™
Get this white paper now! (Source: Symantec) With data protection becoming more distributed and IT resources increasingly constrained, businesses need a centralized data protection strategy that can manage multiple backup and recovery jobs. Learn how to address these critical enterprise challenges with dynamic disk-based data protection. Download this white paper
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
In Security Stripping away the trappings of applications, systems and networks, information is the core asset of most organizations. Our columnist describes how asserting the importance of information governance is crucial to making that asset tangible, addressable and protected.
Click here to read the latest column by Jon Espenschied
Computerworld Technology Briefing: Super-charging the Data Center Virtualization is about a lot more than just lowering total cost of ownership. In fact users that have taken an open source path to virtualization have realized the additional, mission-critical benefit of markedly reduced IT complexity, as well as a more flexible infrastructure that is easier to change to meet shifting, often unpredictable business requirements. Download this briefing