"Apple's Worst Security Breach: 114,000 iPad Owners Exposed"

[Ethersync]

Quote:

Apple's Worst Security Breach: 114,000 iPad Owners Exposed



Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They?and every other buyer of the wireless-enabled tablet?could be vulnerable to spam marketing and malicious hacking.

The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.

It doesn't stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed. We contacted Apple for comment but have yet to hear back. We also reached out to AT&T for comment. A call to the Emanuel's office at the White House has not be returned.

AT&T closed the security hole in recent days, but the victims have been unaware, until now. For a device that has been shipping for barely two months, and in its wireless configuration for barely one, the compromise is a rattling development. The slip up appears to be AT&T's fault at the moment, and it will complicate the company's already fraught relationship with Apple. But it will also likely unnerve customers thinking of buying iPads that connect to AT&T's cellular network.

It will also do so at a pivotal moment, with the iPad 3G early in its sales cycle. Brisk sales for the original wi-fi iPad had promised to turn the 3G model into a similar profit machine. But further questions about AT&T, already widely ridiculed for its bad service, are going to make people think twice about spending up to $830 and $25 per month on the iPad 3G.

The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.

Breach details: Who did it, and how

The subscriber data was obtained by a group calling itself Goatse Security. Though the group is steeped in off-the-wall, 4chan-style internet culture?its name is a reference to a famous gross-out Web picture?it has previously highlighted real security vulnerabilities in the Firefox and Safari Web browsers, and attracted media attention for finding what it said were flaws in Amazon's community ratings system.

Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.

To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such header identify users' browser types to websites.

The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.

Goatse Security notified AT&T of the breach and the security hole was closed.

We were able to establish the authenticity of Goatse Security's data through two people who were listed among the 114,000 names. We sent these people the ICC ID contained in the document?and associated with the person's iPad 3G account?and asked them to verify in an iPad control panel that this was the correct ICC ID. It was.

Victims: Some big names

Then we began poring through the 114,067 entries and were stunned at the names we found. The iPad 3G, released less than two months ago, has clearly been snapped up by an elite array of early adopters.

Within the military, we saw several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, along with the major service branches. To wit: One affected individual was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."



In the media and entertainment industries, affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst. In finance, accounts belonged to companies from Goldman Sachs to JP Morgan to Citigroup to Morgan Stanley. Dozens of venture capital and private firms made appearances as well.



In government, affected accounts included a GMail user who appears to be Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health.

MORE...

Read it all here: http://gawker.com/5559346/

[Ethersync]

Quote:

AT&T website hack leaks iPad 3G user emails

Black hat hackers have exploited a security flaw on AT&T's web servers which enabled them to obtain email addresses from the SIM card addresses of iPad 3G users.

http://www.appleinsider.com/articles...er_emails.html

[fatfoo]

"Enabled them to obtain emails" - sounds like the emails could be used for spam purposes.

That is unfortunate.

[DateDoc]

So it was AT&T's error or Apple's?

[Marcus Aurelius]

Quote:

Originally Posted by Ethersync

Goatse Security

[$5 submissions]

SPAMMERS' wet dream come true!

I would be surprised if the list hasn't been pimped over L337 IRC channels and blackhat wm chatboards already

[Phoenix]

goatse security eh

someone here?

[Phoenix]

Quote:

Originally Posted by $5 submissions

SPAMMERS' wet dream come true!

I would be surprised if the list hasn't been pimped over L337 IRC channels and blackhat wm chatboards already

i dont think so.

more like bait for spammers

you dont want to be spamming people at the doj..or anyone with a .mil email address..lol


it was probably micro fag trying to make apple look bad

[SBJ]

oh noes!! I'm going to get even more spam now that i have a iPad?? Glad that mentioned the iPad 3G cause i have the non 3G

[Quagmire]

bullshit. You can't hack an apple and it can't get a virus. This is nothing more than a communist plot to start the downfall of capitalism. I call shenanigans.

[dav3]

Clearly Microsoft, Google, and Adobe have colluded to destroy Apple's good name.

[ProG]

Quote:

Originally Posted by Phoenix

it was probably micro fag trying to make apple look bad

Apple products are now being targeted by Chinese and Russian hackers. You can thank Google for that. Have fun Mac lovers, this is only the tip of the iceberg!

[dav3]

Quote:

Originally Posted by ProG

Apple products are now being targeted by Chinese and Russian hackers. You can thank Google for that. Have fun Mac lovers, this is only the tip of the iceberg!

Why thank Google for that? Just curious.

[ProG]

Quote:

Originally Posted by dav3

Why thank Google for that? Just curious.

You must have missed the article about Google banning Windows.

[papill0n]

Goatse Security !!!! FUCKING ROFFFFFLLLL !

[Catalyst]

Quote:

Originally Posted by ProG

You must have missed the article about Google banning Windows.

google is switching all pc.. to either mac or linux.. ( unless you special approval to have a pc)

[rowan]

Reminds me of a particular adult program (can't remember who now) that used sequential numeric IDs, and displayed the email address it was sending to when someone selected the forgot password function. All that was needed was a program to walk up the ID numbers and harvest the returned email address for each one...