AT&T's Apple iPad security breach: Is Goatse the bad guy?
Summary: AT&T has fleshed out its response about an Apple iPad flaw that exposed customer email addresses and may just make matters worse.
Last week, Goatse Security said it obtained the email addresses of 114,000 Apple iPad users, including a few in the White House. AT&T, in a letter to customers, apologized---including to our own Michael Krigsman---but then painted Goatse as the bad guy, a move that could backfire. Why? The apology looks hollow when you throw Goatse under the bus in the same breath. AT&T wrote:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.
Goatse, which initially gave its findings to Gawker, wasn't pleased. In a blog post, Goatse said:
AT&T mailing so much of their subscriber base exposes a potential I have been suspicious of. They were likely not logging their httpd and had no idea how to verify the true scope of the disclosure, so they had to mail a huge number of customers. If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it and it would likely be exploited by the RBN or the Chinese, or some other criminal organization or government (if it wasn’t already).
AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate, within the hour. Days afterward is not acceptable.
Researchers who find vulnerabilities often go to the company first, and that is where AT&T's "malicious hacker" charge comes from. Goatse said that it did not go to great efforts to exploit the vulnerability and that its disclosure was "a service to our nation." "We disclosed only to a single journalist and destroyed the data afterward. We did the right thing," said Goatse.
As Dancho Danchev noted, the security risk to iPad users is generally small. But the incident reveals how third parties are often the front door for vulnerabilities.
In any case, AT&T's attempt to paint Goatse as the bad guy may backfire in the perception game.
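As an added illustration (not from the article, AT&T or Goatse), the script below shows what an operator with httpd access logs, which Goatse suggests AT&T lacked, could have done: tell an ICC-ID sweep apart from a normal iPad login and measure the scope of the disclosure from the same data. The endpoint path /icc-lookup, the iccid query parameter and every log line are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed combined-format access log lines (placeholders, not AT&T's real
# endpoint or data): one client sweeps many ICC-IDs, one device looks up its own.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2010:10:01:01 +0000] "GET /icc-lookup?iccid=89014100000000000001 HTTP/1.1" 200 1024
203.0.113.7 - - [07/Jun/2010:10:01:02 +0000] "GET /icc-lookup?iccid=89014100000000000002 HTTP/1.1" 404 120
203.0.113.7 - - [07/Jun/2010:10:01:02 +0000] "GET /icc-lookup?iccid=89014100000000000003 HTTP/1.1" 404 120
203.0.113.7 - - [07/Jun/2010:10:01:03 +0000] "GET /icc-lookup?iccid=89014100000000000004 HTTP/1.1" 404 120
203.0.113.7 - - [07/Jun/2010:10:01:03 +0000] "GET /icc-lookup?iccid=89014100000000000009 HTTP/1.1" 200 1030
198.51.100.4 - - [07/Jun/2010:10:05:00 +0000] "GET /icc-lookup?iccid=89014100000000000042 HTTP/1.1" 200 1028
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+')
ICCID_RE = re.compile(r'[?&]iccid=(?P<iccid>\d{19,20})')


def parse_log(text):
    """Yield (client_ip, iccid, status) for every request carrying an ICC-ID."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        q = ICCID_RE.search(m['path']) if m else None
        if q:
            yield m['ip'], q['iccid'], int(m['status'])


def analyse(text, min_distinct=3, max_hit_rate=0.5):
    """Return (suspects, exposed).

    suspects: clients that queried many distinct ICC-IDs with mostly misses,
              the signature of guessing (a real iPad only ever asks about the
              single ICC-ID in its own SIM).
    exposed:  ICC-IDs those clients successfully resolved, i.e. the accounts
              whose email address was disclosed and whose owners need notice.
    """
    requests = defaultdict(list)
    for ip, iccid, status in parse_log(text):
        requests[ip].append((iccid, status))
    suspects, exposed = {}, set()
    for ip, reqs in requests.items():
        ids = {i for i, _ in reqs}
        hit_rate = sum(1 for _, s in reqs if s == 200) / len(reqs)
        if len(ids) >= min_distinct and hit_rate <= max_hit_rate:
            suspects[ip] = {"queried": len(ids), "hit_rate": hit_rate}
            exposed |= {i for i, s in reqs if s == 200}
    return suspects, exposed
```

Run against real logs, the `exposed` set is the notification list; the same counters, applied per client in near real time, are the rate limit the endpoint was missing.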
Also:
- The security and privacy ramifications of AT&T's iLeak
- AT&T iPad data breach hits home
- FBI launches probe over AT&T’s iPad breach
Talkback
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
But the more serious issue is that it was an actual attack by them on a live production system, wherein they didn't just complete intrusion tests, they completed intrusion activities, and then shared the results with a 3rd party. In layman's terms, I walk by your car, try the door, door opens, rather than telling you, I go inside your car, grab the contents of your car, then go to another person that has nothing to do with you, and rather than them telling you that your car door was open, they post a sign on the interstate saying YOUR car was open and here are the contents. If that happened to you, would you say that they were justified?
How does that help anyone exactly? Plain and simple, the personal/professional ethics of the perpetrators are lacking, if not completely non-existent. They deserve any and all negative repercussions they experience.
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
Your allegories and layman's terms really only detail your personal opinion of the event, not the event itself.
The event itself details how ATT, in an effort to say "we are fastest" circumvented security protocols.
The general public doesn't know, and doesn't want to know, the details of how their magic boxes work. This event brings it home on a personal level, and causes the outrage that such lack of regard for one's privacy and security should entail.
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
Just curious, do you work for or represent AT&T?
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
Both AT&T and Apple Should Be Grateful!
After AT&T didn't notify their customers, they felt that this needed to be made public. So they took their info to Gawker and told their story. AT&T still waited too long to notify their customers of this gaping hole in their security, that exposed private information linking their Name, specific Apple Device and the private email address linked to their AT&T account. Meaning that this email address is the one they most likely use for banking as well! ....if it was me, I'd be upset and I'd have a right to be!!!
AT&T are guilty of a major lapse in best practices security and Apple are just as guilty of not following up on their customer's purchase after the sale. If I'm a Real Estate Agent I have a fiduciary responsibility to ensure the safety of my client's privacy and personal information that I collect during the sale and after the sale for years. In buying a device that is tied to a Partner's Services, that doesn't ever release me from that fiduciary responsibility if I was compensated for it. The same for Apple!
Apple is in a partnership with AT&T to deliver a device and service in a contract where they both benefit from the transaction. Therefore they have a fiduciary obligation to protect the purchaser's information and privacy even after the sale is complete. Apple is making money off the service plan not just the sale of the device. So they are just as responsible as AT&T!!!
They are lucky Goatse found it and not some black hats!
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
Is Goatse the bad guy?
AT&T is incompetent.
Agreed, it's AT&T's fault
AT&T, customers and the Feds should be thanking Goatse for exposing the stupidity.
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
When you think that you can sell a device in a fashion wherein there are security holes that expose customer data, you are not only incompetent but you are recklessly endangering the personal data of those that have trusted you to maintain their privacy.
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
it must be Apple's fault!
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
---
http://www.eccouncil.org/certification/certified_ethical_hacker.aspx
Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target.
---
For just a moment, if you forget that AT&T and/or Apple are involved (as there is often strong emotion one way or another with those companies), is hacking for profit and without permission legal? Should it be? Is that not malicious?
Hitting an HTTP server hacking now
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
It sounds as though perhaps some might have the opinion that: if it is a web service, and without consent you are successful in probing it for data by spoofing another's identity (in this case with a random number generator), whether that is ethical or a malicious act is purely dependent on the protocol employed and the difficulty encountered.
Let's assume that is a true statement, only for the sake of extending the ethics analysis.
Is it then also ethical and non-malicious to do so for profit, in this case to sell a story? Would it have been more ethical to first privately warn the owner of the web service that the vulnerability exists, if only for a very brief period before publishing the story? Regarding owners of iPads, does it "serve them right" only because it was SOAP and easy?
I'll refrain from comparing this to someone leaving their keys in the car. If it is easy to steal, then it is ethical and not malicious.
iPad Security Breach???
This headline screams of sensationalism...
RE: AT&T's Apple iPad security breach: Is Goatse the bad guy?
And why would that be?