BreachExchange mailing list archives

iPad / AT&T Follow-up - Technical information


From: security curmudgeon <jericho () attrition org>
Date: Thu, 10 Jun 2010 15:54:57 -0500 (CDT)


http://www.computerworld.com/s/article/9177921/_Brute_force_script_snatched_iPad_e_mail_addresses

'Brute force' script snatched iPad e-mail addresses
'No hack, no infiltration, no breach,' say security experts, just sloppy AT&T software
By Gregg Keizer
June 10, 2010 06:44 AM ET

The harvesting of over 100,000 iPad 3G owners' e-mail addresses was not a 
hack or a classic data breach, but a brute-force attack of a minor feature 
AT&T offered to Apple customers, experts said Wednesday.

According to New York-based Praetorian Security Group, which obtained a 
copy of the PHP script used to scrape e-mail addresses from AT&T's 
servers, the attack succeeded because the mobile carrier used poorly 
designed software.

A nine-person hacking group known as Goatse Security claimed 
responsibility for the script, which amassed 114,000 e-mail addresses.

"There's no hack, no infiltration, and no breach, just a really 
poorly-designed Web application that returns e-mail address when ICC-ID is 
passed to it," Praetorian said in a late Wednesday entry on its security 
blog.

An ICC-ID (Integrated Circuit Card Identifier) is the unique number 
assigned to each SIM card. A mobile device's SIM stores information that 
identifies the specific wireless customer to his or her carrier. The iPad 
3G contains a SIM card.

[..]
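Added example, not from the post or the article: a small log-based check a carrier could run to spot the kind of sweep described above (one client walking through many ICC-IDs against an address-lookup endpoint). It assumes a hypothetical lookup URL that takes the ICC-ID as a query parameter named ICCID, and the access-log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample web-server access-log lines (not real AT&T log data).
# Each request passes an ICC-ID as a query parameter to a hypothetical lookup endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2010:10:00:01 -0500] "GET /lookup?ICCID=89014104212345678901 HTTP/1.1" 200 145
10.0.0.5 - - [09/Jun/2010:10:00:02 -0500] "GET /lookup?ICCID=89014104212345678902 HTTP/1.1" 200 139
10.0.0.5 - - [09/Jun/2010:10:00:02 -0500] "GET /lookup?ICCID=89014104212345678903 HTTP/1.1" 404 0
10.0.0.5 - - [09/Jun/2010:10:00:03 -0500] "GET /lookup?ICCID=89014104212345678904 HTTP/1.1" 200 142
10.0.0.5 - - [09/Jun/2010:10:00:03 -0500] "GET /lookup?ICCID=89014104212345678905 HTTP/1.1" 200 140
192.168.1.9 - - [09/Jun/2010:10:05:17 -0500] "GET /lookup?ICCID=89014104299999999999 HTTP/1.1" 200 141
"""

LINE_RE = re.compile(r'^(\S+) .*?"GET \S*?[?&]ICCID=(\d+)[^"]*" (\d{3})')

def find_enumerators(log_text, min_distinct=3):
    """Return, per client IP, evidence of ICC-ID enumeration.

    A legitimate client only asks about its own SIM, so one IP querying many
    distinct ICC-IDs, especially consecutive ones, is the signal to alert on.
    """
    per_ip = defaultdict(lambda: {"iccids": set(), "hits": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a lookup request, ignore
        ip, iccid, status = m.group(1), m.group(2), m.group(3)
        per_ip[ip]["iccids"].add(int(iccid))
        if status == "200":
            per_ip[ip]["hits"] += 1  # a 200 means an address was handed back
    findings = {}
    for ip, data in per_ip.items():
        ids = sorted(data["iccids"])
        if len(ids) < min_distinct:
            continue
        # adjacent values differing by exactly one indicate a sequential sweep
        consecutive = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        findings[ip] = {"distinct": len(ids), "hits": data["hits"],
                        "consecutive_pairs": consecutive}
    return findings

if __name__ == "__main__":
    for ip, f in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {f['distinct']} distinct ICC-IDs, "
              f"{f['hits']} addresses returned, {f['consecutive_pairs']} sequential steps")
```

Only the source that swept five consecutive ICC-IDs is reported; the single self-lookup from the other address stays below the threshold.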
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
