AT&T on data breach – it was the hackers’ fault

From PC World:

AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers' e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible.

A hacking group called Goatse Security obtained about 114,000 e-mail addresses of people such as White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg by exploiting an authentication page on AT&T's Web site.

The name Goatse Security is a play on words.  It’s a long-running “gag” referring to an Internet site from many years ago, or goat sex.  Clearly, whoever was behind the breach was familiar with this, as the abbreviation of Goatse Security is Goatse Sec, or goat sec(s).

The group found that when a correct serial number for the iPad's SIM card, called an integrated circuit card identification (ICC-ID), was entered, the log-in page would return an e-mail address associated with that iPad. They wrote code that would randomly generate those serial numbers and queried the Web site until e-mail addresses were returned, according to AT&T.

AT&T designed the site to automatically populate the e-mail field in order to make it easier for its customers to log in. AT&T has since changed the page to require an e-mail address and password to be entered.

"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses," wrote Dorothy Attwood, AT&T's chief privacy officer, in an e-mail sent to affected customers. "They then put together a list of these e-mails and distributed it for their own publicity."

This is an example of a brute force attack and is very common in DNS security.  It’s a bit like a safe with a combination lock where you have to enter a sequence of three numbers (turn left, turn right, turn left) until you hit the right one.  Given enough patience, the most combinations you have to try (on a lock with 36 numbers, like the one I had in junior high) is 36 x 36 x 36 = 46,656.

While it is true that the hackers were using it to boast about their own awesomeness (for lack of a better word – I’m in a hurry as I type this), it’s not as if AT&T was following good security practices.  Many web pages cap the number of login attempts before forcing the user to wait 15 minutes or temporarily locking the account.  Obviously, AT&T had no such provisions.  All an attacker had to do was keep randomly guessing entries and eventually everything would be unlocked for them.  Had AT&T implemented some security policies, they could have logged the IP addresses accessing their pages and rate limited those attempting to log in over and over.  They also should have logged the number of failures from this set of IPs.  If the hackers really wanted to show off, they could have used only a small set of IP addresses, or even a single one.  Doing so would be the ultimate insult to AT&T’s security team, because low-tech attacks like that, if you keep logs, are not all that difficult to detect.  It’s the hacker’s way of showing that nobody is watching the gate.
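The failure logging and rate limiting argued for above, as an added example that is not from the original post or from AT&T: a small Python detector over constructed log lines (the log format, thresholds and IP addresses are all assumptions) that flags any client IP exceeding a failure count inside a sliding window, and also computes the overall failure ratio, which stays useful where per-IP limits would hit busy store locations.

```python
from collections import defaultdict, deque

# Constructed sample log (not AT&T's real logs): "<epoch> <client ip> <outcome>",
# where "ok" means the ICC-ID matched and an e-mail was returned, "fail" means not.
SAMPLE_LOG = """\
1000 203.0.113.7 fail
1001 203.0.113.7 fail
1002 198.51.100.4 ok
1003 203.0.113.7 fail
1004 203.0.113.7 fail
1005 203.0.113.7 ok
1006 203.0.113.7 fail
1007 198.51.100.9 fail
1008 198.51.100.9 ok
1009 203.0.113.7 fail
"""

def parse_log(text):
    """Yield (timestamp, ip, success) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, outcome = line.split()
        yield int(ts), ip, outcome == "ok"

def flag_bruteforce(events, max_failures=5, window=60):
    """Return the IPs with more than max_failures failed lookups inside any
    `window`-second span. A per-IP deque of failure timestamps is trimmed to
    the window on every new failure, so the check is O(1) amortised per event."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, success in events:
        if success:
            continue                      # only failures count toward the limit
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)               # candidate for rate limiting / blocking
    return flagged

def failure_ratio(events):
    """Share of all lookups that failed, regardless of source IP. Legitimate
    users who know their ICC-ID rarely fail; a guessing program mostly does."""
    events = list(events)
    failures = sum(1 for _, _, ok in events if not ok)
    return failures / len(events) if events else 0.0

if __name__ == "__main__":
    print(flag_bruteforce(parse_log(SAMPLE_LOG)))            # {'203.0.113.7'}
    print(round(failure_ratio(parse_log(SAMPLE_LOG)), 2))   # 0.7
```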

Comments (2)
  1. Janice Taylor-Gaines says:

    This is a GREAT article despite the dismay of breaches.  Everyone needs to be a mini-Security Officer in the organization today.  Most individuals and organizations enjoy Security largely as a matter of luck.  For some free insight, check out this blog, “The Business-Technology Weave” – you can Google to it, or search on the site IT Knowledge Exchange which hosts it.  Anyone else here reading I.T. WARS?  It reflects much of what is said here.  I had to read portions of this book as part of my employee orientation at a new job.  The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors.  It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on.  Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS:  Managing the Business-Technology Weave in the New Millennium).  “In the realm of risk, unmanaged possibilities become probabilities.”  Keep “security” front and center!  Great stuff.

  2. Raj says:

    The one problem with rate limiting would be – when people try and register from Apple and AT&T stores. On some days I am sure the number of registrations at these locations could get very high and the error rate could be high too.

    In this case, it might be good to keep track of the number of successful vs unsuccessful registration attempts and send an alert when a certain threshold is breached.

    As always, hindsight is 20/20. But this is a good post. Always good to learn from others' mistakes.

Comments are closed.