From: security curmudgeon (jericho attrition.org)
Date: Thu Jun 10 2010 - 15:54:57 CDT
http://www.computerworld.com/s/article/9177921/_Brute_force_script_snatched_iPad_e_mail_addresses
'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software
By Gregg Keizer
June 10, 2010 06:44 AM ET

The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a
hack or a classic data breach, but a brute-force attack of a minor feature
AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a
copy of the PHP script used to scrape e-mail addresses from AT&T's
servers, the attack succeeded because the mobile carrier used poorly
designed software.

A nine-person hacking group known as Goatse Security claimed
responsibility for the script, which amassed 114,000 e-mail addresses.

"There's no hack, no infiltration, and no breach, just a really
poorly-designed Web application that returns e-mail address when ICC-ID is
passed to it," Praetorian said in a late Wednesday entry on its security
blog.

An ICC-ID (Integrated Circuit Card Identifier) is the unique number
assigned to each SIM card. A mobile device's SIM stores information that
identifies the specific wireless customer to his or her carrier. The iPad
3G contains a SIM card.

[..]
_______________________________________________
Dataloss Mailing List (dataloss datalossdb.org)
Archived at http://seclists.org/dataloss/