Spotlight On Woeful Web Security In iPad Hacking Case

If a Web site leaves sensitive data hanging out in the open, can you still be accused of hacking when you grab it? Turns out, the answer is “hell, yeah!” But lots of people still do it. 

OK – you’re walking down the street and you come upon this apple tree in someone’s front yard. It’s a lovely tree, full of ripe apples. And, just by standing on the street, you can reach into the yard and jiggle the branch of this apple tree and these lovely, ripe apples just drop to your feet. Are you stealing the apples by shaking the branch and then walking away with the fruit that falls off? Or, how about this: you’re at this vending machine and the dude who was servicing it just left the door to the machine wide open, so you can reach in and take the bag of Funyuns without paying for them. Is that stealing?

Turns out, the answer in both cases is “hell yeah!” But most of us might see these types of scenarios as more ambiguous than the cut-and-dried “throw-the-brick-through-the-window, snatch-the-diamond-necklace-and-run-away” kind of property crime. And those ambiguities are going to be front and center in the case of the two men who were arrested this week and charged in the high-profile hack of a server holding the account information of VIP iPad owners.

Like the vending machine with its door swinging wide open, woefully lax security on the AT&T server hosting the iPad accounts left the data in question all but out in the open. And that will raise thorny issues about who is and who isn’t “hacking,” and shine a light on the spotty privacy and data security practices that abound on the Internet, experts say.

A criminal complaint filed in the U.S. District Court for the District of New Jersey on Tuesday charged two men, Daniel Spitler and Andrew Auernheimer, for their compromise of a server operated by AT&T. The server held the device identifiers and e-mail addresses for more than 100,000 VIPs – including prominent journalists, politicians, celebrities and members of the military – who were given pre-release copies of the iPad.

The complaint charges Spitler and Auernheimer, both affiliated with the online mischief-making organization GOATSE Security, with violations of U.S. federal law and New Jersey state law for what the U.S. Attorney describes as a “brute force” attack on AT&T’s servers that yielded pairings of iPad identifiers and e-mail addresses for members of the media, government and U.S. military. The men face fines of $250,000 if convicted, and prison sentences of up to five years for their actions.

The men are accused of using a specialized PHP script, dubbed the “Account Slurper” (what else!?), to mimic the behavior of an iPad and query the server with ranges of valid ICC-ID values – the unique device identifiers used by iPads. In the end, as we know, the two made off with more than 100,000 e-mail addresses and turned them over to the media (after debating using them for spam runs and spear phishing attacks, we now learn).

We know that the stolen data could have been used for more than just spamming, and that AT&T wrote a new chapter in the book on ‘How Not To Respond To Data Breaches’ in its handling of the incident. But lax security practices by AT&T will likely be front and center in this case, with attention to the loose practices that allowed the two men to harvest e-mail addresses from a publicly accessible server simply by figuring out how to generate correct iPad device identifiers, known as ICC-IDs.
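As an added example (not from the article, and not AT&T's own code or logs), here is detection logic a defender could run over web access logs to spot the kind of identifier range-walking described above: one client querying many distinct, near-sequential ICC-IDs where a real device would look up only its own. The log format, the `/ipad/lookup` path and the ICC-ID values are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample access log; the format, path and ICC-ID values are invented
# for this example (fields: client_ip timestamp method path user_agent).
SAMPLE_LOG = """\
198.51.100.7 2010-06-05T10:00:01Z GET /ipad/lookup?ICCID=89014100000000000001 Mozilla/5.0(iPad)
198.51.100.7 2010-06-05T10:00:02Z GET /ipad/lookup?ICCID=89014100000000000002 Mozilla/5.0(iPad)
198.51.100.7 2010-06-05T10:00:02Z GET /ipad/lookup?ICCID=89014100000000000003 Mozilla/5.0(iPad)
198.51.100.7 2010-06-05T10:00:03Z GET /ipad/lookup?ICCID=89014100000000000004 Mozilla/5.0(iPad)
198.51.100.7 2010-06-05T10:00:03Z GET /ipad/lookup?ICCID=89014100000000000005 Mozilla/5.0(iPad)
198.51.100.7 2010-06-05T10:00:04Z GET /ipad/lookup?ICCID=89014100000000000006 Mozilla/5.0(iPad)
203.0.113.5 2010-06-05T10:01:10Z GET /ipad/lookup?ICCID=89014100000000004821 Mozilla/5.0(iPad)
203.0.113.5 2010-06-05T10:30:44Z GET /ipad/lookup?ICCID=89014100000000004821 Mozilla/5.0(iPad)
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) (?P<ua>.*)$")
ICCID_RE = re.compile(r"[?&]ICCID=(\d+)")
MAX_STEP = 16  # gap between sorted IDs still treated as "adjacent" (not every ID in a range is issued)

def parse_lookups(log_text):
    """Yield (client_ip, iccid) for each request that carries an ICCID query parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = ICCID_RE.search(m.group("path"))
        if q:
            yield m.group("ip"), int(q.group(1))

def enumeration_score(iccids):
    """Fraction of sorted distinct IDs that sit within MAX_STEP of the previous one.
    A device looking up only its own ID scores 0.0; a range walk scores near 1.0."""
    ids = sorted(set(iccids))
    if len(ids) < 2:
        return 0.0
    close = sum(1 for a, b in zip(ids, ids[1:]) if b - a <= MAX_STEP)
    return close / (len(ids) - 1)

def find_enumerators(log_text, min_distinct=5, min_score=0.8):
    """Return {client_ip: stats} for clients that queried many distinct, near-sequential IDs."""
    per_ip = defaultdict(list)
    for ip, iccid in parse_lookups(log_text):
        per_ip[ip].append(iccid)
    flagged = {}
    for ip, ids in per_ip.items():
        distinct, score = len(set(ids)), enumeration_score(ids)
        if distinct >= min_distinct and score >= min_score:
            flagged[ip] = {"distinct": distinct, "score": round(score, 2)}
    return flagged
```

Calling `find_enumerators(SAMPLE_LOG)` flags only 198.51.100.7; the second client, which repeats a single lookup, is left alone. The same per-client check is what a rate limit or alert on the lookup endpoint would key on.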

Though spectacular, the hack by the GOATSE members didn’t require the compromise of any authentication and was simple enough that one of the defendants wondered, in an online chat obtained by the U.S. Attorney, whether what they were doing really constituted hacking.

“If you use someone’s ICCID on the iPad service site, it gives you their address,” Spitler writes in an online exchange with Auernheimer from June 5, 2010. “(I) dunno how legal this is or if they could sue for damages,” Spitler wonders in a later exchange.

While Spitler, who used the online handle “JacksonBrown,” was assured by his compatriots in GOATSE that what he was doing was illegal and that he could, in fact, face criminal or civil charges for it, he was still dubious. “why isn’t it (criminal) why don’t you think it is” writes a GOATSE member using the online handle Rucas in an online exchange with Spitler, who replied “cause I ddnt (sp) hack anything”.

Jeremiah Grossman, CTO of Web application security company Whitehat, said that what Spitler and Auernheimer were doing was clearly crossing the line.

“I would never recommend that someone do what they did without permission,” Grossman told Threatpost. “It can be hard to say what’s legal and illegal, but it’s probably a bad idea.”

But Grossman and others said the kind of language used to describe their actions – the complaint refers repeatedly to a “brute force” attack on AT&T’s server – stretches the commonly accepted definition for that term. “I tend to think of brute force attacks in the context of encryption keys or passwords,” he said.

The federal Computer Fraud and Abuse Act (CFAA), under which the men are charged (in part), makes it illegal to intentionally access a computer “without authorization” or to “exceed authorized access” on a computer. But semantics matter, and the statute does not specifically define “without authorization.” Past cases seem to tie the definition of “without authorization” to a “reasonable expectation” of conduct – a broad concept that might mean “any use of the computer other than what its owner intended.” Others argue for a narrower definition that would prohibit only uses totally unrelated to the function of the computer. In either case, the GOATSE case would seem to run afoul of the CFAA. And prior cases, like EF Cultural Travel BV v. Explorica Inc., from 2001, explicitly prohibit the kinds of Web site scraping, slurping and related forms of automated data skimming that GOATSE engaged in.

Alas, that kind of activity is quite common online – and not just by shadowy hacking and trolling groups. Grossman points to recent reports about Bloomberg’s use of automated slurping of the kind GOATSE engaged in to grab publicly accessible but unpublished earnings reports hours before their official release. The techniques for grabbing that information aren’t significantly different from GOATSE’s trawling of AT&T servers for iPad IDs and e-mails, but no charges have been pressed against Bloomberg for what’s seen as heads-up reporting.

“If the legal definition (of brute force attacks) is expanded to such a degree, then Bloomberg better watch out, they pretty much did/do the same thing,” Grossman wrote.

The sad truth is that the kind of lax security exhibited by AT&T is common online, Grossman said, where even large corporations fail to build Web applications securely, leaving data at risk. “Bugs are a fact of life, but that means that you should go out and hack yourself first,” he said.

Firms like Google and Mozilla now pay bounties for vulnerabilities of the type the GOATSE crew ginned up. Had the GOATSE hackers gone to AT&T with their findings, rather than the press, they probably would have been thanked, rather than sued. Experts like Grossman worry that a stiff judgment against the iPad hackers may have a chilling effect: good citizens will be reluctant to disclose holes that they find, while cyber criminals continue to keep their findings to themselves.

Discussion

  • Alex on

    I think that what GOATSE did is different than what Bloomberg did.  Either way it shows poor information security practices on the part of the other companies, but Bloomberg just accessed a document posted online.  GOATSE initiated a connection to the website and presented forged iPad credentials.  That seems more like legitimate fraud.

    Still, if they'd gone to AT&T and said "Here's the problem and here's the proof", they could've actually acted like the legitimate security company they claim to be.

  • Anonymous on

    APIs are a simple quid pro quo system.  I give you something.  You give me something back.  AT&T clearly does not value its customer data as something important enough to be protected by hashes or other forms of authentication.  Personally I think the waters are muddy enough on this one that it should be a civil matter rather than a criminal one.

  • Ben on

    I think the apple and vending machine scenarios are off. A better scenario would be, someone invites you into their house and says, feel free to look around. In looking around you see a cool painting and take a picture of that painting. Did you go anywhere that you were told to not go? No. Did you damage any of the property at the house? No. Did you take anything from the owner that caused them to not possess that object any longer? No. As Jeremiah Grossman (@jermiahg) said, could you be accused? Yes, but that is much different than having done anything wrong.

  • bobbobbobber on

    A word to the wise, do not treat Goatse Security as an individual body, it's more of a PR campaign for GNAA. This is indeed reflected by the origins of its creation and the associations of all of its members to a trolling troop who use hate, spam, malware, libel as tools to get some laughs.

    Linking back to GNAA, a site currently hosting libel based on the Arizona shooting, on the Goatse site:
    Goatse.fr --> GNAA.eu http://www.webcitation.org/5vt6y0JGF
    http://www.gnaa.eu/wiki/pr/2011-01-09-gnaa-kunwon http://www.webcitation.org/5vrtbdjNU

    The 'security' site is on the same infrastructure that is used for hosting malware and content used in spam campaigns: http://www.robtex.com/dns/goatse.fr.html http://www.webcitation.org/5vt7Sjyj1
    http://www.robtex.com/dns/gnaa.eu.html http://www.webcitation.org/5vt7vJyo8

    Same user roster for both groups, including those involved in planning and executing the libel, malware hosting, spam campaigns aimed at directing traffic to the malware:

    Goatse Security roll-call here: http://seclists.org/fulldisclosure/2010/Jul/153 http://www.webcitation.org/5vt82Eclb

    Many users involved with GNAA named here in their own coding work, including Rucas: http://www.gnaa.eu/browser/trollforge http://www.webcitation.org/5vt8PmbAA

    Rucas likes to spam, so much so he helped write up ASIAN or Automated Synchronous IRC Assault Network, some code made to flood Internet Relay Chat networks with spam, some of it malicious content hosted on GNAA's infrastructure.
    http://wepump.in/proxy/arab-3.0 http://www.webcitation.org/5vtBMtXmg
    Here you can see what Rucas aka Nick Price's mind is usually dwelling on:
    http://www.gnaa.eu/browser/trollforge/rucas/ http://www.webcitation.org/5vtC6qYLY

    Of course what would code be without a use for it? Here is Nick taking part in some spamming, also JacksonBrown aka Spitler was there:
    <&Rucas> about to demolish irc.financialchat.com #activetrader
    <&Rucas> if ne1 wants 2 watch
    <+JacksonBrown> Rucas: ne freenode
    <&Rucas> did it already
    <&Rucas> all klined

    Goatse Security, a means to get the word 'goatse' out there, while exposing the 'gaping' security flaws they come across. Promoting divisiveness by use of racial stereotypes under the name GNAA for some laughs. Either label used by this one group hints at the attention they crave from their actions. It's only proper to give them the attention that they want, but not in the form they wish for. To engage them otherwise would only be pandering to their desires.

    We can thank the confidential informant for providing both of the defendants' own words to prosecutors, along with the unwitting confessions of all the others involved. No doubt more snitches are waiting in the wings for their chance to troll the trolls.

  • Anonymous on

    The article's analogies aren't perfect, but are certainly better than the silly "taking a picture" analogy. This assumes that data has no real owner and that digital bits, because they can be copied without necessarily affecting the original bits, can't be stolen.  What if that same visitor took a picture of your tax return with your SSN and made off with it?  Is that still okay?

    Analogies suck, but maybe a better one is parking your car on a public street or parking lot.  If you don't lock the doors, is it ethical and legal for someone to take things out of it?  Yes, you're a dummy for not locking your doors, but that doesn't mean it should be a free-for-all.  Maybe it's okay though if you rationalize that you're teaching them a valuable lesson about locking their car doors...it's dangerous out there after all.
