Let's assume that an HTTP roundtrip takes 100 ms. That's a pretty optimistic number. Let's also assume that they get a hit for each request. That's also pretty optimistic. That is about 3 hrs.

Anyway, it's a stupid argument. Of course they knew what they were doing. There is simply no reason to harvest unless the company doesn't take you seriously, of course. In any case, you shouldn't report the confidential data to a third party.

1) Who said they only used 1 computer to hit the site? Either way, this could have been done very quickly given the speed and cheapness of technology of 2010.

2) Who said they handed over the email list? As far as I've heard/read from other articles, the hackers simply stated they had a list of emails...maybe they showed it to X # of people but I don't think they actually GAVE it to some in electronic or paper form.

Some day down the road we'll hear 99% of the full story from some reputable news outlet.

-Eric
 
The FBI is looking into this rather than solve much more serious problems that exist in this country?

I really hope you're not that absent-minded.
Do you realize how big the FBI is? They do things on all levels, and thankfully they do.
They work more relative than that...and I don't see how this isn't a serious issue?
It's like Apple turning away customers saying, "Your problem isn't big enough for us at the moment; we're looking into fixing other tech issues at the moment," etc. etc.
 
There is no problem.

You take reasonable actions to contact the proper department. If you contact AT&T's security department and they blow you off, well you contacted the right folks.

This is exactly my point earlier...there is almost no way for us (consumers) to find the Security Department at ATT. Go ahead...give it a shot...please reply to this thread when you find the URL, email, and/or DIRECT phone #.

I firmly believe that all websites should have a "Contact our Security Dept" link at the bottom of every web page to report hacks or security problems. 99% of all buildings you walk into allow you to immediately talk to a human and report a security problem (back door wide open, car being stolen in parking lot, theft, window smashed, loitering, etc). But in the online world, it's like .0001% of consumer websites that have any direct and meaningful (and easy) way to get in touch and be a good citizen and report a problem.

I have come across numerous problems on sites that I purchase from...credit card websites, a retailer, etc...and after trying to report the problem numerous times to all of them I either a) got a generic bull**** email auto-reply or b) they never took action.

Shame on them. Shame on ATT. And shame on Apple for partnering with a company (they have others to choose from ya know) that promotes such an obvious "attack". Apple should be ripping mad at ATT...Apple is likely getting most of the blame for this problem when it was ATT who was "hacked".

Isn't the iPad magical?

-Eric
 
How would it be Apple's fault at all? It's AT&T's system that houses the information. This is why it would be great (just dreaming here) if Apple would build their own infrastructure as far as communications. I betcha it would run smooth as silk and prices would be fair. Oh, no, that would mean everyone would rely mostly on Apple for things. They have music locked down, books and mags in a couple years . . Guess that's what happens when you run an honest establishment that is mostly out for the consumer instead of being greedy. ;)
I can't stop laughing at this post.
Apple, not greedy... Apple an "honest company"... LMAO.
How naive are you?
I dig their products, but I will still lump them in with any corporation.
Profits first, customer second or last in most cases.
 
They're not investigating AT&T, they're investigating the people who "hacked" into AT&T. AT&T didn't do anything wrong.

Running an unsecured website which serves confidential data is a violation of every single company's confidentiality policies. I think you meant "illegal". What AT&T did was thoroughly wrong, and they deserve a black eye in the public's perception of their security.
 
Why are people so worried about this? Okay, they do have your emails now, but what can they do with them? Pretty much nothing except spam, which you can receive from anywhere else that you register your email at.

Even the emails of those important people you can find very easily online, e.g. georgebush@whitehouse.gov, or the email of the Wall Street Journal CEO and whatnot: ceo@wsj.com

Because, generally, people who care about spam have multiple email addresses, and are much more likely to use their "real" email address when registering with a "secure" company like Apple and/or AT&T. I know my Apple registrations always go to my core email account, not the ones I use for various web sites and only check when I'm expecting something.
 
1) Who said they only used 1 computer to hit the site? Either way, this could have been done very quickly given the speed and cheapness of technology of 2010.

So you're saying they used clustering but simply didn't realize that they would be harvesting a lot of info? Riiight. ;)

2) Who said they handed over the email list? As far as I've heard/read from other articles, the hackers simply stated they had a list of emails...maybe they showed it to X # of people but I don't think they actually GAVE it to some in electronic or paper form.

Ah, so you haven't actually bothered to read the original article. That explains a lot. :rolleyes:
 
I am not saying that it is a good thing that emails were exposed. I am saying that this is not anywhere close to the huge "situation/problem" that the media and other people pretend it to be.

It's not a huge situation/problem for YOU because it wasn't your sensitive or private E-mail address that might have been exposed.

I'm not suggesting that every E-mail that was exposed is the most important E-mail address in the world. But that's not the hacker's nor AT&T's nor your nor my decision to make. EVERY person's E-mail address is THEIR business and every person deserves to have their privacy respected. It is THEIR decision whether that E-mail address is revealed or exposed and how. It doesn't matter how important or unimportant that E-mail address happens to be. It is THEIR decision, not some bunch of jackasses with too much time on their hands.

Mark
 
You are correct, however an act of Congress does not equal Constitutional by any stretch of the imagination.
Well the SCOTUS hasn't called for the FBI to be disbanded, so your claim of them being unconstitutional goes out the window.
Remember... SCOTUS determines the constitutionality of laws enacted by Congress.

The FBI falls under the control of the DOJ and they take all direction from the U.S. Attorney General who takes his direction from the President and Congress.
They are the investigative arm of the DOJ which makes them very legal and constitutional.
 
I have come across numerous problems on sites that I purchase from...credit card websites, a retailer, etc...and after trying to report the problem numerous times to all of them I either a) got a generic bull**** email auto-reply or b) they never took action.

Shame on them. Shame on ATT. And shame on Apple for partnering with a company (they have others to choose from ya know) that promotes such an obvious "attack". Apple should be ripping mad at ATT...Apple is likely getting most of the blame for this problem when it was ATT who was "hacked".

AT&T actually took action. Calm down.
 
So you're saying they used clustering but simply didn't realize that they would be harvesting a lot of info? Riiight. ;)



Ah, so you haven't actually bothered to read the original article. That explains a lot. :rolleyes:

:rolleyes:

My gosh...can you and others please make more assumptions?

1) I never said they were UNAWARE that they were harvesting info. I said they let the script/code run for a while. Period. I also stated that the code likely just dumped to a text file everything that was a non-error. Please go re-read my posts. Having said this, neither the group (nor I) is trying to state they came up with 114,000 emails by accident...it was purely on purpose.

2) Um, like, I did read this article...and this news story is on every website in the world today. Again, nowhere have I personally read in ANY of the articles that the group said it GAVE the email list away. If you've read otherwise, please post a URL to the article and tell me what paragraph the statement is in.


Sheeeeeeez.
 
Why is this not Apple's fault? This service allowed for the iPad to have a field pre-filled with the user's email address. Clearly, this is what Apple wanted and they should have known about the security exposure.

IMHO, the problem is not that you could go to the AT&T website with one random iPad id and get one email address. This is not a major security breach because a single verified email address has vanishingly low black market value.

The problem with AT&T's implementation of this convenience feature is that (1) they didn't rely on any secondary identifier (a cookie of some sort kept on the iPad) to retrieve semi-confidential information, (2) they allowed multiple hits from the same source IP address with no throttling or IP-based lockout whatsoever, (3) they didn't lock out IP addresses which began spewing invalid iPad identifiers their way, and (4) they didn't notice the flood of invalid ids being sent their way.

Because they failed in all four of those areas, the result was that a black-hat hacker may well have obtained hundreds of thousands of verified (and high-value) email addresses. This has serious value in the black market, and so is a very serious security concern.

Internet security isn't exactly easy to get right. There's a lot of college-level stuff out there. But this was failing the single-digit addition level of security. Absolute basics. The only thing they could have done worse was put the source database up on their site for download.
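The four missing controls listed above, as an added example that is not code from the original post or from AT&T: a small server-side model of the pre-fill lookup that requires a device-bound token in addition to the guessable id (1), caps hits per source (2), locks out a source that keeps sending invalid ids (3) and raises an alert on the flood (4). The directory, ids, tokens, addresses and IPs are constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample directory for this example: device id -> (device-bound
# token, email). Ids, tokens and addresses are made up, not real data.
DIRECTORY = {
    "8901000000000000001": ("tok-a1", "alice@example.com"),
    "8901000000000000002": ("tok-b2", "bob@example.com"),
}
WINDOW_SECONDS = 60
MAX_HITS_PER_WINDOW = 20        # (2) cap on hits per source per window
MAX_INVALID_BEFORE_LOCK = 12    # (3) lock a source that keeps sending bad ids
LOCKOUT_SECONDS = 900
FLOOD_ALERT_AFTER = 10          # (4) alert once a source is mostly misses

@dataclass
class SourceState:
    hits: deque = field(default_factory=deque)      # timestamps of all hits
    misses: deque = field(default_factory=deque)    # timestamps of invalid ids
    locked_until: float = 0.0
    flood_alerted: bool = False

def _prune(q, now):
    # drop timestamps that fell out of the sliding window
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()

class PrefillService:
    """Server side of an email pre-fill lookup with the four controls applied."""
    def __init__(self):
        self.sources = defaultdict(SourceState)
        self.alerts = []
        self.disclosed = 0      # addresses actually returned to anyone

    def lookup(self, src_ip, device_id, device_token, now):
        st = self.sources[src_ip]
        if now < st.locked_until:
            return "locked"
        _prune(st.hits, now)
        _prune(st.misses, now)
        st.hits.append(now)
        if len(st.hits) > MAX_HITS_PER_WINDOW:
            return "throttled"
        entry = DIRECTORY.get(device_id)
        # (1) the guessable id alone is not enough: a device-bound token must match
        if entry is None or entry[0] != device_token:
            st.misses.append(now)
            if len(st.misses) >= MAX_INVALID_BEFORE_LOCK:
                st.locked_until = now + LOCKOUT_SECONDS
                self.alerts.append(f"lockout {src_ip} after {len(st.misses)} invalid ids")
            elif len(st.misses) >= FLOOD_ALERT_AFTER and not st.flood_alerted:
                st.flood_alerted = True
                self.alerts.append(f"invalid-id flood from {src_ip}")
            return "not_found"
        self.disclosed += 1
        return entry[1]

def replay_sequential_guesses(service, src_ip="203.0.113.5", attempts=500):
    """Constructed test traffic: one source walks sequential ids with no token,
    one request every 0.1 s. Returns a count of each outcome."""
    outcomes = defaultdict(int)
    for i in range(attempts):
        outcomes[service.lookup(src_ip, f"89010000000000{i:05d}", "", 0.1 * i)] += 1
    return dict(outcomes)
```

With these settings the replay yields 12 "not_found" responses, then 488 "locked" ones, two alerts and zero disclosed addresses, while a genuine device presenting its token still gets its own address.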
 
2) Um, like, I did read this article...and this news story is on every website in the world today. Again, nowhere have I personally read in ANY of the articles that the group said it GAVE the email list away. If you've read otherwise, please post a URL to the article and tell me what paragraph the statement is in.

Here you go: http://gawker.com/5559346/

"it doesn't stop there. According to the data we were given by the web security group that exploited vulnerabilities on the AT&T network, we believe 114,000 user accounts have been compromised, although it's possible that confidential information about every iPad 3G owner in the U.S. has been exposed."

"A call to Rahm Emanuel's office at the White House has not been returned."

"We were able to establish the authenticity of ****** Security's data through two people who were listed among the 114,000 names."

"Then we began poring through the 114,067 entries and were stunned at the names we found."

etc.

Of course, this doesn't mean that they simply gave the list away. They could've sold it.
 
:rolleyes:


2) Um, like, I did read this article...and this news story is on every website in the world today. Again, nowhere have I personally read in ANY of the articles that the group said it GAVE the email list away. If you've read otherwise, please post a URL to the article and tell me what paragraph the statement is in.

Sheeeeeeez.

The gosh darned GAWKER article:

Victims: Some big names
Then we began poring through the 114,067 entries and were stunned at the names we found. The iPad 3G, released less than two months ago, has clearly been snapped up by an elite array of early adopters.
How do you 'pore through' a list that you don't have?

EDIT: beat'd - but I keep it here for emphasis of the fact that it was just that easy to find
 
Absolutely! Why my computer is just crawling with written random number generator scripts... sheesh... :(



So after collecting over 100,000 names they went public... Hmm, don't know about that. You know, if I stand in front of one of those baseball pitching machines and get beaned in the head. It's only going to take a couple of times before I get smart and take a step left or right to get out of the way. :rolleyes:

That is if I am still conscious... :D

If they had been able to only get a few email addresses before AT&T security cut them off then that would not have been a security breach. The security breach here is definitely one of volume, not kind.

Had AT&T security been absolutely on the ball they wouldn't have gotten a single email address.

Had AT&T security taken industry standard precautions, the hackers would not have been able to attempt more than 2 ids per minute after the first dozen failures and obtaining 114k valid email addresses (assuming a sparse id population where 1/100 is valid) would have taken 264 days to finish.

Had AT&T security been reasonably competent, they would have been shut down and tracked down within 15 minutes of the start of the attack (perhaps allowing 1-10k attempts, allowing 10-100 valid emails).

Instead, AT&T security was over in the corner eating paste while 114k email addresses were downloaded. Again, 1-2 email addresses, even 100 email addresses, would not have shown the full level of incompetence at play here.
 
At least Gawker has become the go-to site for criminals... They got that going for them!
 
"Then we began poring through the 114,067 entries and were stunned at the names we found."

Ok...my bad...didn't see the sentence above...so my apologies. I do, however, also stand by my claim that other news articles I've read on this topic do not mention that the list was handed over.

Anyway...I stand corrected.

-Eric
 
Idiots? They have a valid point: they didn't bypass anything to get the information. I don't even know if you can call it hacking; they just wrote a random number generator.

The fact that they went public with the fact that they did it instead of selling the information tells me that I DON'T want these guys in trouble. They did us a favor by catching the problem.

Actually writing a random number generator and doing all that to get email addresses is hacking.

I am not sure what they or you think hacking is. Just because you didn't have to crack a password doesn't mean they were not illegally accessing data on another computer.

The fact that they wrote a script to farm data from a website is pretty much all the evidence anyone needs.

The funny part is much like the previous Gawker described criminal enterprise, these people also put all their information out in the public.

I was defending these guys initially, but now it seems like they went way past where they could have gone. If they wanted to find a hole and get AT&T to fix it, they only needed a handful of addresses, and then they needed to contact AT&T. Not Gawker.
 
What a bunch of dumb hackers with an even dumber excuse.

Let's see some heads roll! FBI, go get 'em! And treat them like terrorists! Waterboard them if necessary.
 
If they're right, and the only people that they shared the info with is gawker, and we all know how much gawker loves apple... Then there's the possibility that Gawker was actually the one who sold/distributed the e-mail addresses after they got them.
Sounds a bit paranoid, but, it would fit their story, and quite frankly, fit Gawker.
 
IMHO, the problem is not that you could go to the AT&T website with one random iPad id and get one email address. This is not a major security breach because a single verified email address has vanishingly low black market value.

The problem with AT&T's implementation of this convenience feature is that (1) they didn't rely on any secondary identifier (a cookie of some sort kept on the iPad) to retrieve semi-confidential information, (2) they allowed multiple hits from the same source IP address with no throttling or IP-based lockout whatsoever, (3) they didn't lock out IP addresses which began spewing invalid iPad identifiers their way, and (4) they didn't notice the flood of invalid ids being sent their way.

Because they failed in all four of those areas, the result was that a black-hat hacker may well have obtained hundreds of thousands of verified (and high-value) email addresses. This has serious value in the black market, and so is a very serious security concern.

Internet security isn't exactly easy to get right. There's a lot of college-level stuff out there. But this was failing the single-digit addition level of security. Absolute basics. The only thing they could have done worse was put the source database up on their site for download.

You're right that it is pretty basic, but basic stuff gets overlooked. What you mention as solutions are pretty much designed to be reactions to hacking rather than solving the actual problem. These solutions frequently carry their own caveats.

The core of the problem is that the user authenticates himself by an ID that is easy to brute force. What they probably should have done is let the user authenticate himself via something else, such as his iTunes credentials. Several solutions exist where AT&T doesn't have to know your iTunes credentials but still can authenticate you based on them.
 
Why would anybody even consider Gawker as a media source again?
Their title is to slander Apple Inc. just because their paying for trade secrets backfired on them. It has nothing to do with Apple Inc., despite it being an iPad. This is on AT&T (no surprise there).

There is nothing special about what happened. This is just yet another story that is taken out of proportion. The FBI knows about how emails are harvested without the need of an iPad or AT&T, right? Facebook is a recent example. Or just dumb Windows users who use Outlook with To: <complete address book>, or anything else where data is shared or distributed due to ignorance.

I am rambling, sorry for bothering everybody. I am just tired of hearing about Gawker media and their poor blogging skills.
 
This is ATT's bad, not the "hacker's". A company the size of ATT has no excuse for this. Going after the "hackers" is a smoke screen to get ATT outa trouble.


Be happy these guys did it and not the Russian and Chinese mafia. They will exploit you!
 
Why would anybody even consider Gawker as a media source again?
Their title is to slander Apple Inc. just because their paying for trade secrets backfired on them. It has nothing to do with Apple Inc., despite it being an iPad. This is on AT&T (no surprise there).

There is nothing special about what happened. This is just yet another story that is taken out of proportion. The FBI knows about how emails are harvested without the need of an iPad or AT&T, right? Facebook is a recent example. Or just dumb Windows users who use Outlook with To: <complete address book>, or anything else where data is shared or distributed due to ignorance.

I am rambling, sorry for bothering everybody. I am just tired of hearing about Gawker media and their poor blogging skills.


Or just dumb Windows users who use Outlook with To: <complete address book>, or anything else where data is shared or distributed due to ignorance.

Absolutely perfect quote! People have no clue how their email gets spammed out. I had a car dealership do exactly that. Warned them several times what they were doing; finally I went ahead and sent an email to every person on that list warning what that car dealership was doing. I took some heat as a spammer, but opened the eyes of A LOT of people.
 