From PC World:
AT&T issued an apology on Sunday for a hack that exposed thousands of iPad customers’ e-mail addresses last week and vowed to work with law enforcement to prosecute those responsible.
A hacking group called Goatse Security obtained about 114,000 e-mail addresses of people such as White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg by exploiting an authentication page on AT&T's Web site.
The name Goatse Security is a play on words. It's a long-running "gag" referring to an Internet site from many years ago, goatse.cx, or goat sex. Clearly, whoever was behind the breach was familiar with this, as the abbreviation of Goatse Security is Goatse Sec, or goat sec(s).
The group found that when a correct serial number for the iPad's SIM card, called an integrated circuit card identification (ICC-ID), was entered, the log-in page would return an e-mail address associated with that iPad. They wrote code that would randomly generate those serial numbers and queried the Web site until e-mail addresses were returned, according to AT&T.
AT&T designed the site to automatically populate the e-mail field in order to make it easier for its customers to log in. AT&T has since changed the page to require an e-mail address and password to be entered.
"The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses," wrote Dorothy Attwood, AT&T’s chief privacy officer, in an e-mail sent to affected customers. "They then put together a list of these e-mails and distributed it for their own publicity."
This is an example of a brute force attack and is very common in DNS security. It's a bit like a safe with a combination lock, where you have to enter a sequence of three numbers (turn left, turn right, turn left) until you hit the right one. Given enough patience, the most combinations you have to try (on a lock with 36 numbers, like the one I had in Junior High) is 36 x 36 x 36 = 46,656.
While it is true that the hackers were using it to boast about their own awesomeness (for lack of a better word – I'm in a hurry as I type this), it's not as if AT&T was following good security practices. Many web pages cap the number of login attempts before forcing the user to either wait 15 minutes or temporarily locking the account due to too many failed logins. Obviously, AT&T had no such provisions. All an attacker had to do was keep randomly guessing entries, and eventually everything would be unlocked for them. Had AT&T implemented some security policies, they could have logged the IP addresses that were accessing their pages and rate-limited those that were attempting to log in over and over. They also should have logged the number of failures coming from that set of IPs. If the hackers really wanted to show off, they could have used only a small set of IP addresses, or even a single IP address. Doing so would be the ultimate insult to AT&T's security team, because low-tech attacks like this, if you keep logs, are not all that difficult to detect. It's the hacker's way of showing that nobody is watching the gate.
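To make the missing controls concrete, here is an added example (my own code, not AT&T's or anything from the article) of the two defenses described above: a per-IP sliding-window rate limit on the ICC-ID lookup page, and a check over the lookup log that flags clients with many attempts and a high miss ratio. The log format, the IP addresses and the ICC-ID placeholders are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample log, one lookup per line: "epoch_seconds client_ip icc_id outcome".
# "hit" means the page returned an e-mail address for that ICC-ID, "miss" means it did not.
SAMPLE_LOG = """\
1000 198.51.100.7 ICCID-0001 miss
1001 198.51.100.7 ICCID-0002 miss
1002 198.51.100.7 ICCID-0003 hit
1003 198.51.100.7 ICCID-0004 miss
1004 198.51.100.7 ICCID-0005 miss
1005 198.51.100.7 ICCID-0006 miss
1006 198.51.100.7 ICCID-0007 hit
1050 203.0.113.9 ICCID-0008 hit
"""

class SlidingWindowLimiter:
    """Allow at most max_attempts lookups per client IP within any window of `window` seconds."""
    def __init__(self, max_attempts: int, window: int):
        self.max_attempts = max_attempts
        self.window = window
        self._recent = defaultdict(deque)  # ip -> timestamps of attempts still inside the window

    def allow(self, ip: str, ts: int) -> bool:
        q = self._recent[ip]
        while q and ts - q[0] >= self.window:  # expire timestamps that fell out of the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False                       # over quota: the page should refuse this lookup
        q.append(ts)
        return True

def replay(log_text: str, max_attempts: int = 5, window: int = 60) -> dict:
    """Replay log lines through the limiter; return per-IP counts of allowed, blocked and missed lookups."""
    limiter = SlidingWindowLimiter(max_attempts, window)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0, "misses": 0})
    for line in log_text.splitlines():
        ts, ip, _icc_id, outcome = line.split()
        key = "allowed" if limiter.allow(ip, int(ts)) else "blocked"
        stats[ip][key] += 1
        if outcome == "miss":
            stats[ip]["misses"] += 1
    return dict(stats)

def flag_enumerators(stats: dict, min_attempts: int = 5, miss_ratio: float = 0.5) -> list:
    """Flag IPs whose pattern looks like serial enumeration: many lookups, mostly misses."""
    flagged = []
    for ip, s in stats.items():
        total = s["allowed"] + s["blocked"]
        if total >= min_attempts and s["misses"] / total >= miss_ratio:
            flagged.append(ip)
    return sorted(flagged)
```

With the defaults, the first client's sixth and seventh lookups are refused and the client is flagged; the single legitimate lookup from the second client is untouched.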