Who’s the Goat? AT&T or Goatse?

The security breach that revealed 114,000 emails of iPad users last week is turning into an even uglier “he said, she said” PR fight between AT&T and Goatse Security, the outfit that exposed the flaw. AT&T sent out a letter to its iPad customers apologizing for the incident, and from what I’m reading it looks like it went out to more than the 114,000. In the letter (you can read it below) AT&T is pointing the finger at Goatse as the bad guy.

Of course Goatse isn’t taking this lying down, issuing a response to AT&T’s apology hitting hard at AT&T and also raising the prospect of another security flaw in Safari that Apple recently patched on the desktop, but not on the iPad.

Who is wrong and who is right? Tough to tell, and in these incidents consumers will never really know as the PR machines crank up. On the surface, AT&T looks to be blaming Goatse for discovering the hole and is calling Goatse’s behavior malicious hacking. Of course Goatse is saying that the front door was left open by AT&T and all they were doing was exposing the weakness so that it couldn’t be exploited by those with true malicious intent. Keep in mind that the FBI is investigating the security breach given the high-powered government and Pentagon officials who ended up being among those caught up in the breach.

The only thing that seems certain is that this story isn’t going to go away for a while.

June 13, 2010

Dear Valued AT&T Customer,

Recently there was an issue that affected some of our customers with AT&T 3G service for iPad resulting in the release of their customer email addresses. I am writing to let you know that no other information was exposed and the matter has been resolved. We apologize for the incident and any inconvenience it may have caused. Rest assured, you can continue to use your AT&T 3G service on your iPad with confidence.

Here’s some additional detail:

On June 7 we learned that unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service. The self-described hackers wrote software code to randomly generate numbers that mimicked serial numbers of the AT&T SIM card for iPad – called the integrated circuit card identification (ICC-ID) – and repeatedly queried an AT&T web address. When a number generated by the hackers matched an actual ICC-ID, the authentication page log-in screen was returned to the hackers with the email address associated with the ICC-ID already populated on the log-in screen.

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer email addresses. They then put together a list of these emails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the email address. Now, the authentication page log-in screen requires the user to enter both their email address and their password.

I want to assure you that the email address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your email, and any other personal information were never at risk. The hackers never had access to AT&T communications or data networks, or your iPad. AT&T 3G service for other mobile devices was not affected.

While the attack was limited to email address and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email. You can learn more about phishing by visiting the AT&T website.

AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers’ information or company websites. We will cooperate with law enforcement in any investigation of unauthorized system access and to prosecute violators to the fullest extent of the law.

AT&T acted quickly to protect your information – and we promise to keep working around the clock to keep your information safe. Thank you very much for your understanding, and for being an AT&T customer.

Sincerely,

Dorothy Attwood
Senior Vice President, Public Policy and Chief Privacy Officer for AT&T
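
As an added illustration (not part of the original post or of AT&T's letter), the sketch below shows how a defender could spot the querying the letter describes: the pre-populate function serves one device's own ICC-ID, so a client that requests many distinct ICC-IDs, most of them misses, stands out. The log format, the `/prefill` path, the `iccid` parameter and the 200/404 hit/miss convention are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: client IP, quoted request, status (200 = email prefilled, 404 = no match).
LINE_RE = re.compile(r'^(\S+) "GET /prefill\?iccid=(\d{19,20})" (\d{3})$')

# Constructed sample: two ordinary devices and one client walking a range of ICC-IDs.
SAMPLE_LOG = "\n".join(
    ['192.0.2.10 "GET /prefill?iccid=89014100000000000017" 200'] * 3
    + ['192.0.2.11 "GET /prefill?iccid=89014100000000000025" 200']
    + [f'198.51.100.7 "GET /prefill?iccid=8901410000000000{n:04d}" '
       f'{200 if n == 25 else 404}' for n in range(20, 28)]
)


def parse(log_text):
    """Yield (client, iccid, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def find_enumerators(log_text, max_distinct=3):
    """Return {client: (distinct_iccids, misses)} for clients over the limit.

    A real device only ever asks about its own SIM, so repeated requests for
    the same ICC-ID are normal; many *different* ICC-IDs from one client are not.
    """
    seen = defaultdict(set)
    misses = defaultdict(int)
    for client, iccid, status in parse(log_text):
        seen[client].add(iccid)
        if status == 404:
            misses[client] += 1
    return {c: (len(ids), misses[c])
            for c, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    for client, (distinct, missed) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {distinct} distinct ICC-IDs, {missed} misses")
```

Detection of this kind complements the fix the letter describes: once the page no longer returns an email address for a bare ICC-ID, there is nothing left for such requests to harvest.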

5 Comments

  1. Eric

    06/14/2010 at 5:10 pm

    That is absurd. Pointing the blame so they don’t look stupid…

  2. GoodThings2Life

    06/14/2010 at 8:45 pm

    Both sides can point the finger all they want, but Goatse was irresponsible and reckless, and so was AT&T. This is why the industry has responsible security reporting practices… if you can’t abide by polite reporting, you’re an ass; if you can’t fix your holes when reported, you’re incompetent; if you blame others instead of working to fix an issue, you’re just plain worthless…

  3. Tim

    06/14/2010 at 11:57 pm

    While the debate of blame is interesting, I’m much more interested in the fact that there’s actually a computing company named Goatse.

    All I’m saying.

  4. BillieGonono

    07/02/2011 at 12:16 am

    Companies are out here to make as much buck as possible. With this economy, it’s even worse. Competition is high right now, so groups like Goatse threaten to chase customers off by exposing what the companies lack/do not do to protect their customers’ interest of privacy. These groups are then treated as criminals for their legitimate concerns.
    Eventually I wouldn’t be surprised if groups that do discover flaws take advantage of them instead of exposing them to fix the flaws in the first place. Companies want groups like Goatse to “shut up”.

  5. BillieGonono

    07/02/2011 at 12:19 am

    With all the internet activity that has been buzzing this year and last, don’t be surprised if there are harsher penalties and stricter regulations for online usage.
