It looks like you're using an Ad Blocker.

Please white-list or disable AboveTopSecret.com in your ad-blocking tool.

Thank you.

 

Some features of ATS will be disabled while you continue to use an ad-blocker.

 

AP Exclusive: Network flaw causes scary Web error

page: 1
8

log in

join
share:

posted on Jan, 15 2010 @ 08:43 PM
link   

AP Exclusive: Network flaw causes scary Web error


hosted.ap.org...

By JORDAN ROBERTSON
AP Technology Writer

SAN FRANCISCO (AP) -- A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information.

The glitch - the result of a routing problem at the family's wireless carrier, AT&T - revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.
(visit the link for the full news article)



[edit on 15/1/10 by ProtoplasmicTraveler]




posted on Jan, 15 2010 @ 08:43 PM
link   
Now this is just a very interesting story indeed. Two women in Georgia attempting to sign into their Face Book accounts using three brand new Nokia cellular phones using AT & T were logged in and taken directly into other Face Book user’s accounts without using that users account name or password.

Evidently AT & T claims it was because their servers routed the wrong cookies to their phones that contained other Face Book user’s account names and passwords that then automatically signed them into those accounts simply by trying to access Face Book itself.

AT & T has admitted to the error after confronted with the evidence by the Associated Press with the evidence that this was actually occurring and occurring more than once.

It begs the question is how safe are the cookies being stored on servers that have our account user names and passwords?


hosted.ap.org
(visit the link for the full news article)

Mod Edit - To Fix Link.

[edit on Fri, 15 Jan 2010 20:53:55 -0600 by MemoryShock]



posted on Jan, 15 2010 @ 08:49 PM
link   

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn't appear the users could have done anything to stop it. The problem adds a dimension to researchers' warnings that there are many ways online information - from mundane data to dark secrets - can go awry.


You can say that again. AT & T is claiming this is not really a threat if hackers figure out how to do this as they would be only able to access one account at a time by utilizing this errant cookie method. That the most sensitive sites are encrypted anyway and that encryption would prevent a hacker using the errant cookie method of being able to access such secure encrypted sites.

I really wonder though.




posted on Jan, 15 2010 @ 08:53 PM
link   
Doesn't matter facebook sells your information to 3rd parties all day everyday if you got a account delete it myspace is more secure



posted on Jan, 15 2010 @ 09:12 PM
link   

Originally posted by OpTiMuS_PrImE
Doesn't matter facebook sells your information to 3rd parties all day everyday if you got a account delete it myspace is more secure


As someone past the age of 40 I believe that Congress should stop renaming Post Offices and Airports for dead politicians and wealthy contributors, or be trying to botch health care...instead they should pass a laws like...

No one older than 40 can have a Face Book or My Space Account.

Anyone older than 40 should be excempt from having to text message anyone ever!

And no one who used to be a Cheif U.N. Weapons Inspector should be allowed anywhere near the Internet or teenage girls!

Is that too much to ask for?

Thanks for posting.



posted on Jan, 17 2010 @ 09:31 AM
link   
The whole point of a cookie is not to be on a server, I have never before heard of such an idiotic thing.

That means that highly sensitive data such as usernames and passowords are stored on *some* 3rd party remote servers without knowledge of their owners.

I cannot even begin to fathom what other reason besides spying on people's accounts would there be.

Let me explain how a very BASIC identification process goes:


  1. Person chooses a password for his account
  2. Password is sent via a HTT secure protocol (HTTPS) to a facebook server
  3. Facebook server-side software encrypts the password via 1-way algorithm so that it can never be decrypted again
  4. Encrypted password or so called cryptogram is stored on facebook secured server database
  5. User attempts to login to his account by entering his password which is then sent over a secure HTTPS protocol all over again
  6. Facebook encrypts the attempted password and compares the generated cryptogram against one stored in the database
  7. If matching passes, facebook sends secure-sensitive data back (eg user profile). If it fails, facebook sends error data.
  8. Should user forget his password, since facebook cannot decrypt the cryptogram it generates a new one and sends the new password via email. It is very recommended that user changes the password because if someone hacks the email account - he would know the new password.


What the "remote cookie" did in this process is CAPTURE/STEAL user entered password via malicious ways and store it in a 2-way cryptogram, which means it can be UNENCRYPTED. The cryptogram is STORED on a ROGUE non-facebook server database - eg. someone's USB disc as far as you're concerned.

The company responsible for this act should face serious charges by Facebook and/or its users.

Personally: I think the reason behind this "error" could be made up to cover some greater evil.



posted on Jan, 17 2010 @ 09:48 AM
link   
This is another hit piece on the Internet. Fear mongering in hopes the people themselves call for a "new, more secure Internet" (read a more easily controllable, where no one has any privacy, Internet).

It's obvious the problem here isn't the Internet or even the infrastructure, unlike what the article claims. This was a problem with cookies, it had nothing to do with the Internet itself. This is a problem with either Facebook, AT&T or the phones.

More and more we've been hearing about the problems of the Internet, and how easy it is for hackers to take over the electric grid and other catastrophic scenarios, shaping the public's perception and opinion in hopes they willingly relinquish all the (few) privacy and freedom they currently still can enjoy.



posted on Jan, 17 2010 @ 09:55 AM
link   
Wait... what???
Cookies can only be read by the web server(domain) issuing the cookie, what would AT&T do with someone else's cookie.

So wait.. here we are not talking about a server-side cookie but a completely different animal, we are talking about a parent ISP issuing a cookie? What the hell are they doing with cookies and what are they able to do with it?



Misconfigured equipment, poorly written network software or other technical errors could have caused AT&T to fumble the information flowing from the Sawyers' phones to Facebook and back.

hmmmmm.... I don't see how this is possible.
Something doesn't seem right here



Fortunately, Hamiel said, the vulnerability would be of limited use to a hacker interested in pulling off widespread mayhem, because this hole would let him access only one account at a time. To do more damage the criminal would have to pull off the unlikely feat of gaining full control of the piece of equipment that routes Internet traffic to individual users.

Untrue, if the cookies are decryptable than a hacker could just write a script and automate the "only one account a time" and gain so many usernames and passwords within minutes, perhaps seconds depending on security issues.

DNS Spoofing anyone?



posted on Jan, 17 2010 @ 09:55 AM
link   

Originally posted by ProtoplasmicTraveler

Originally posted by OpTiMuS_PrImE
Doesn't matter facebook sells your information to 3rd parties all day everyday if you got a account delete it myspace is more secure


As someone past the age of 40 I believe that Congress should stop renaming Post Offices and Airports for dead politicians and wealthy contributors, or be trying to botch health care...instead they should pass a laws like...

No one older than 40 can have a Face Book or My Space Account.

Anyone older than 40 should be excempt from having to text message anyone ever!

And no one who used to be a Cheif U.N. Weapons Inspector should be allowed anywhere near the Internet or teenage girls!

Is that too much to ask for?

Thanks for posting.
they should ad the rule that you can only be elected 3 times .



posted on Jan, 17 2010 @ 10:22 AM
link   
reply to post by SassyCat
 




Personally: I think the reason behind this "error" could be made up to cover some greater evil.



I think you are correct there my friend. As you factually laid out the process and how it is supposed to work that explanation exposes what therefore must be a lie in AT & T’s description of how it happened.

Why AT & T is lying may be extremely important but it would seem regardless of that importance they are in fact lying about how these occurrences happened.

The women that this happened too were pretty smart to send emails to their real accounts from the secure accounts that they were rerouted too so it could be proven and to take it directly to the press.

Now the next question is why didn’t the press though consult with a independent technical expert to challenge AT & T’s lie?




top topics



 
8

log in

join