AT&T's Apology for Massive Security Breach
AT&T has sent an email to all iPad 3G users apologizing for a recent security breach uncovered by Goatse Security. The email called those who uncovered the vulnerability 'malicious', and Goatse Security wasn't at all happy about that.
Last week, a group calling themselves Goatse Security identified a flaw in an AT&T web page that allowed the harvesting of more than 100,000 email addresses of iPad 3G owners: given a valid ICC-ID (the serial number of the iPad's AT&T SIM card), the page returned the associated email address without asking for any credential. Included on the list were White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg. The group said that they had shared the exploit and that a third party notified AT&T. However, because they had shared details of the flaw with third parties, Goatse said it wasn't sure who had information about the exploit and who could have taken advantage of it before AT&T patched things up.
Given the high-profile names on the list of emails, the FBI said Thursday that it had opened an investigation into the breach, calling it a potential cyberthreat. Over the weekend AT&T sent an email to all iPad 3G users apologizing for the breach.
June 13, 2010
Dear Valued AT&T Customer,
Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer e-mail addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.
Here’s some additional detail:
On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the e-mail address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the e-mail address associated with the ICC-ID already populated on the log-in screen.
The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their own publicity.
As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the e-mail address. Now, the authentication page log-in screen requires the user to enter both their e-mail address and their password.
I want to assure you that the e-mail address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your e-mail, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.
While the attack was limited to e-mail address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.
AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.
AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.
Sincerely,
Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
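The mechanism the letter describes (an unauthenticated page that returned the e-mail address for any ICC-ID that happened to be valid) and the fix it mentions (requiring both e-mail and password), modelled side by side as an added example. This is not AT&T's code and not Goatse Security's script; the lookup is an in-memory function rather than a web request, and the issuer prefix, ICC-IDs, addresses, passwords and the five-attempts-per-minute throttle are all constructed for illustration. One detail the letter leaves out that bears on the "great efforts" question: ICC-IDs (ITU-T E.118) end in a Luhn check digit, so a guesser only ever needs to send one candidate per serial number. The hardened version also adds a per-client rate limit, which the letter does not mention but which is the usual second control for this class of flaw.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# Constructed sample data (assumption): a made-up issuer prefix and three
# made-up accounts. None of these ICC-IDs, addresses or passwords are real.
PREFIX = "8901999000"   # 10 digits; real prefixes encode industry, country, issuer


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a digit string. ICC-IDs (ITU-T E.118) end in one,
    so a guesser can discard 9 of every 10 candidates before sending anything."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:              # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return (10 - total % 10) % 10


def make_iccid(prefix: str, serial: int) -> str:
    """Build a 20-digit ICC-ID: prefix + 9-digit serial + Luhn check digit."""
    body = f"{prefix}{serial:09d}"
    return body + str(luhn_check_digit(body))


def _pw_hash(password: str) -> str:
    # Illustration only: a real system stores a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


ACCOUNTS = {
    make_iccid(PREFIX, 1003): {"email": "alice@example.com", "pw": _pw_hash("correct horse")},
    make_iccid(PREFIX, 1041): {"email": "bob@example.net", "pw": _pw_hash("battery staple")},
    make_iccid(PREFIX, 1077): {"email": "carol@example.org", "pw": _pw_hash("xyzzy-2010")},
}


def vulnerable_login_page(iccid: str) -> dict:
    """The original behaviour as the letter describes it: an unauthenticated
    request carrying an ICC-ID gets the login page back with the matching
    e-mail pre-filled. The ICC-ID alone is the lookup key, and the response
    tells a known ICC-ID from an unknown one (assumption: an unknown ICC-ID
    simply yields an empty field)."""
    acct = ACCOUNTS.get(iccid)
    return {"status": 200, "prefilled_email": acct["email"] if acct else ""}


def harvest(lookup, prefix: str, serials: range) -> dict:
    """Enumerate a serial range against a lookup function. Because the check
    digit is computable, exactly one candidate per serial is sent, and no
    credential is needed for any of them."""
    found = {}
    for serial in serials:
        candidate = make_iccid(prefix, serial)
        email = lookup(candidate)["prefilled_email"]
        if email:
            found[candidate] = email
    return found


class HardenedLoginPage:
    """The fix the letter describes plus per-client throttling: nothing is
    pre-filled, the e-mail is only echoed back after a correct password, and
    every failure returns the same 401 so the response no longer distinguishes
    a valid ICC-ID from an invalid one (timing side channels are out of scope)."""

    def __init__(self, max_attempts: int = 5, window_s: float = 60.0):
        self.max_attempts = max_attempts    # assumed threshold, not AT&T's
        self.window_s = window_s
        self._attempts = defaultdict(list)  # client id -> attempt timestamps

    def _throttled(self, client_id: str, now: float) -> bool:
        recent = [t for t in self._attempts[client_id] if now - t < self.window_s]
        blocked = len(recent) >= self.max_attempts
        if not blocked:
            recent.append(now)
        self._attempts[client_id] = recent
        return blocked

    def login(self, client_id: str, iccid: str, email: str, password: str, now=None) -> dict:
        now = time.monotonic() if now is None else now
        if self._throttled(client_id, now):
            return {"status": 429}
        acct = ACCOUNTS.get(iccid)
        if acct is None:
            return {"status": 401}
        if not (secrets.compare_digest(acct["email"], email)
                and secrets.compare_digest(acct["pw"], _pw_hash(password))):
            return {"status": 401}
        return {"status": 200, "email": acct["email"]}


if __name__ == "__main__":
    leaked = harvest(vulnerable_login_page, PREFIX, range(1000, 1100))
    print(f"vulnerable page: {len(leaked)} addresses from 100 unauthenticated requests")
    page = HardenedLoginPage()
    victim = make_iccid(PREFIX, 1003)
    print("hardened, wrong password:", page.login("203.0.113.7", victim, "alice@example.com", "guess"))
    print("hardened, right password:", page.login("203.0.113.7", victim, "alice@example.com", "correct horse"))
```

Run stand-alone, the vulnerable function gives up all three constructed addresses for 100 credential-free lookups, while the hardened page answers 401 to every guess and 429 once a client exceeds the window. Removing the pre-fill alone closes the leak the letter describes; the throttle is what makes the remaining login form expensive to brute-force.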
However, Goatse Security isn't exactly pleased about being called 'malicious.' The group responded to the letter with a blog post saying they loved America and disclosed the exploit because "the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare."
"In addition, AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it. I know that the RBN has literally thousands of people working full-time to exploit software vulnerabilities. At any given moment, whatever efforts we researchers are making are dwarfed by those in the thrall of evil. So get real. You fucked up, we helped you figure that out and informed the public. You should thank us, but you can keep on shit-talking if you want. We know what we did was right.
When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost."
Great work: people point out a potential problem and they are pointed out as being harmful.
Next time I get a home inspection and a fire hazard is found, I'm calling my inspector a potential arsonist for being able to notice it.
Can AT&T or Apple do anything with 3rd parties that doesn't make them look like closed-minded, egotistical idiots?
What's RBN?
Goatse security?... sounds like an awesome company.
"Given the high profile names included on the list of emails, the FBI said Thursday that it had opened an investigation into the breach, calling it a potential cyberthreat."
I guess it wouldn't have been a cyberthreat and FBI worthy if it wouldn't have affected "high profile" people.
Well, if I understand it correctly, Goatse Security found the addresses and then published them openly.
It seems like it would be best for them to contact AT&T/Apple, tell them of the flaw and then prove it with the addresses, while only disclosing to the public that a major security flaw was found, what it did, and then that it had been fixed.
Assuming that's correct, Goatse Security is in the wrong.
ordcestus - I had the same thought. A professional white hat security company would work that way - unless there is more to the story we're missing. You'd probably see less profanity in the response, as well.
Goatse Security? Really? Would be hard to take them seriously on name alone.
[citation]Goatse security?... sounds like an awesome company.[/citation]
hahahaha...you and I, with our sick twisted minds
Goatse security? >_>
[citation]Goatse security?... sounds like an awesome company.[/citation]
I wonder who on earth thought that was a good name for a company
[citation]Goatse Security identified a massive hole in AT&T's system...[/citation]
Goatse Security discovered the gaping hole in AT&T's system, did they?
^^ what he said. There was no need to publish e-mails.
[citation]Goatse Security discovered the gaping hole in AT&T's system, did they?[/citation]
Brilliant.
[citation]ordcestus - I had the same thought. A professional white hat security company would work that way - unless there is more to the story we're missing. You'd probably see less profanity in the response, as well.[/citation]
Yeah, the response sounds like it was written by a college student with a temper. Probably just a kid getting his jollies breaking into computer systems under the veil of legitimacy.
If Goatse didn't want to appear malicious, they should have contacted AT&T directly. Instead they shared the info with god knows who, and it wasn't until a third party notified AT&T that it was able to be patched. IMHO, that makes Goatse malicious.
What a bunch of morons! Hey, I only shot you in the leg because you were about to walk out into oncoming traffic. You would have been run over! You should thank me for shooting you!
For anyone who thinks this activity is acceptable, just think what would happen if "research companies" like this took YOUR identity for a joy ride. Rack up thousands of dollars in your name and then send you a notice telling you "See, your identity can be stolen". You would not be thanking them, which is why this action is considered illegal.
Goatse Security needs to fire that idiot for his response and instead of being subversive about this mess they should agree to work with AT&T further (if they really cared about America). But hey, I guess there are limits to how much one (company) really cares.
[citation]What's RBN?[/citation]
Russian Business Network.
http://en.wikipedia.org/wiki/Russian_Business_Network
AT&T has never been a company that I would admire, given its history of illegal wiretaps and handing over account information to the RIAA and US Copyright Group. This is just par for the course.
I don't get it. whats so funny about the name? Goatse... Goat as in the animal Goat? What am I missing?
The article doesn't make clear a very important issue in this.
Did Goatse "share details of the security breach with third parties"? Which would make it seem malicious indeed.
OR
Did Goatse "disclose only to a single journalist and destroy the data afterward"? At which point they do seem like they did a service to AT&T.
[citation]Great work: people point out a potential problem and they are pointed out as being harmful. Next time I get a home inspection and a fire hazard is found, I'm calling my inspector a potential arsonist for being able to notice it. Can AT&T or Apple do anything with 3rd parties that doesn't make them look like closed-minded, egotistical idiots?[/citation]
I agree with points 1 and 2, however this has nothing to do with Apple; this is solely AT&T's problem. Although it IS an Apple product, Apple is not even mentioned in the article once and has nothing to do with the security breach. Stop assuming Apple is to blame.
Looks like AT&T is shooting the messenger.
P.S., for all you confused about the word "goatse"--Google it.
Whether Goatse did the right thing or not, why are they the ones being tagged as "morons?" It's not like they're the ones who left the door to the email database wide open! So what if their response to AT&T's propaganda sounds like it was written by an 18 year old? That just means that an 18 year old moron was able to harvest 100,000+ high-value email addresses using just over an hour's worth of script coding. Goatse are not the morons here, and AT&T is not the injured party.
[citation]Whether Goatse did the right thing or not, why are they the ones being tagged as "morons?" It's not like they're the ones who left the door to the email database wide open! So what if their response to AT&T's propaganda sounds like it was written by an 18 year old? That just means that an 18 year old moron was able to harvest 100,000+ high-value email addresses using just over an hour's worth of script coding. Goatse are not the morons here, and AT&T is not the injured party.[/citation]
The issue is that Goatse apparently published the emails for all to see. That was exceptionally inappropriate. The behavior of the company makes them seem like they were out to get AT&T, and for that they can and should be prosecuted as malicious hackers. Their ability with computers makes no difference, but the company exhibits no professionalism with that letter and especially with their name, now that I've researched it. Do you have some sort of connection with the company? Because if you don't, you really shouldn't use their name.
You idiots saying they should go straight to AT&T, it's been done by non company groups. All it gets is a lawsuit and the same response.
Lawyers are not tech savvy; these guys did the right thing. And screw Apple.
Got to love corporate PR responses: "...Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence." That means about as much as a $5 hooker telling you to rest assured there's no need for a condom. For a telecommunications company, AT&T seems to be lacking in many things, and if I were their customer (thankfully I am not), I would look elsewhere and use this breach of trust as a means to get out of a contract.
In a reputable security company (and I work for one) this behavior would get you fired. Security is built on trust, and obviously you can trust these guys as far as you can throw Manhattan.
You can't say exposing all that data made anyone more secure.
Notify AT&T, provide them with a demo if they request it, but grabbing customer data and using it to make a point? These guys should be sued out of existence, and if that's not possible they should be boycotted out of existence.
Obviously it is AT&T's fault for not restricting the # of lookup requests per IP address.
[citation]What a bunch of morons! Hey, I only shot you in the leg because you were about to walk out into oncoming traffic. You would have been run over! You should thank me for shooting you! For anyone who thinks this activity is acceptable, just think what would happen if "research companies" like this took YOUR identity for a joy ride. Rack up thousands of dollars in your name and then send you a notice telling you "See, your identity can be stolen". You would not be thanking them, which is why this action is considered illegal. Goatse Security needs to fire that idiot for his response and instead of being subversive about this mess they should agree to work with AT&T further (if they really cared about America). But hey, I guess there are limits to how much one (company) really cares.[/citation]
You sir are an idiot. They didn't take anyone's identity "for a ride" or "rack up thousands of dollars of debt". They found the flaw, informed a tech journalist and AT&T, and now AT&T wants to make them look like the bad guy.
So check it out moron, if they were truly malicious they would never have told anyone and just tried to use the e-mails for a phishing scam involving AT&T account info or something else relevant. Not tell everyone about it so that the exploit gets patched.
Trust me, if a security researcher is finding the exploit hundreds of other more malicious people have discovered the exploit.
But hey, for some people ignorance is bliss.
[citation]P.S., for all you confused about the word "goatse"--Google it.[/citation]
Just don't do it at work.
[citation]Well, if I understand it correctly, Goatse Security found the addresses and then published them openly. It seems like it would be best for them to contact AT&T/Apple, tell them of the flaw and then prove it with the addresses, while only disclosing to the public that a major security flaw was found, what it did, and then that it had been fixed. Assuming that's correct, Goatse Security is in the wrong.[/citation]
They never published the e-mails. They informed a reporter about what they had done to make sure the word got out. They apparently destroyed the data after. Don't let the spin on it confuse you.