Last week I wrote about AT&T’s parsimonious data plan (all-you-can-eat is dead, Jim) and its chowder-headed attempt to silence an angry customer who sent CEO Randall Stephenson two mildly angry emails by threatening to send him a cease and desist letter. On voice mail. Which the customer promptly posted on Tumblr for all the world to hear.
This week, of course, there’s the iSpill. A few days ago Gawker reported that hackers working at Goatse Security (more on them in a minute) had managed to steal the email addresses of 114,000 iPad owners via a flaw in AT&T’s Web site. The blog equivalent of a Level 5 hurricane erupted.
Gawker called it "Apple’s worst security breach… expos[ing] the most exclusive email list on the planet." Even the Feds are investigating.
Before I go any further, let me do some disclosure. I’m an AT&T survivor. Last January I ditched Ma Bell’s twisted little offspring after more than two miserable years. About five seconds after my contract was up I was gone, never to return. Because when I make a phone call, I really like to be able to hear what the other person is saying, and vice versa. I’m just funny that way. So every opportunity for payback is something I relish.
That’s why it pains me to say the following: the iSpill was not actually that bad — and even security eggheads like Sophos’ Graham Cluley agree with me. It’s certainly not as bad as Gawker and all the sites that rehashed its report made it sound. Though it’s never good when your service provider just coughs up your email address on demand to a crew of hackers, it’s not exactly BPgate; this is not the Deepwater Horizon of data spills.
Here’s what happened, as I understand it. Like many Web sites, AT&T’s iPad portal was set up to automatically recognize data plan subscribers and fill in the first half of their log on — their email address. No big deal. But to identify these users, AT&T relied upon the unique 20-digit code assigned to the SIM card inside the iPad, a number that was also used in the URL of their landing page.
So the bright boys at Goatse, who, judging by their names and their Web site, all appear to be between 14 and 18 years old, began bombarding the AT&T site with URL requests featuring random 20-digit codes. When they hit a match, the site spit out an email address, which Goatse collected.
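From the defender’s side, the pattern above is easy to spot in ordinary access logs: one client cycling through many distinct SIM identifiers, most of which never match a subscriber. The following is an added example (not AT&T’s code, and not part of the original column) that scans constructed log lines for that behaviour; the query-parameter name `iccid` and the log format are assumptions, and the Luhn check reflects the general format of SIM ICCIDs rather than anything the column states about AT&T’s site.

```python
import re
from collections import defaultdict

# Constructed access-log lines for illustration (not real AT&T logs).
# Format assumed: client IP, method, URL, HTTP status. Parameter name "iccid" is assumed.
SAMPLE_LOG = """\
203.0.113.7 GET /ipad/landing?iccid=89014103211118510720 200
203.0.113.7 GET /ipad/landing?iccid=89014103211118510721 404
203.0.113.7 GET /ipad/landing?iccid=89014103211118510722 404
203.0.113.7 GET /ipad/landing?iccid=89014103211118510723 404
203.0.113.7 GET /ipad/landing?iccid=89014103211118510724 404
198.51.100.9 GET /ipad/landing?iccid=89014103211118510720 200
198.51.100.9 GET /ipad/landing?iccid=89014103211118510720 200
192.0.2.5 GET /ipad/landing?iccid=89014103211118510738 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) \S+ (?P<url>\S+) (?P<status>\d{3})$")
ICCID_RE = re.compile(r"[?&]iccid=(\d+)")


def luhn_ok(number: str) -> bool:
    """SIM ICCIDs (ITU-T E.118) end in a Luhn check digit, so a random or
    sequential 20-digit guess usually fails this test: a cheap extra signal."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_enumerators(log_text: str, max_distinct: int = 3) -> dict:
    """Return per-IP stats for clients that probed >= max_distinct distinct SIM IDs."""
    stats = defaultdict(lambda: {"requests": 0, "ids": set(), "misses": 0, "luhn_invalid": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        icc = ICCID_RE.search(m["url"]) if m else None
        if not icc:
            continue  # not a SIM-ID lookup; ignore
        s = stats[m["ip"]]
        s["requests"] += 1
        s["ids"].add(icc.group(1))
        if m["status"] != "200":
            s["misses"] += 1  # no subscriber matched this ID
        if not luhn_ok(icc.group(1)):
            s["luhn_invalid"] += 1  # not a well-formed ICCID at all
    return {ip: {"requests": s["requests"], "distinct_ids": len(s["ids"]),
                 "misses": s["misses"], "luhn_invalid": s["luhn_invalid"]}
            for ip, s in stats.items() if len(s["ids"]) >= max_distinct}
```

A real deployment would pair this with rate limiting per client and, more importantly, would not key any disclosure on a client-supplied identifier in the first place.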
I’m guessing Goatse continued to do this until they ran out of 20-digit numbers or simply got bored. They then trotted this information out to the media — using the email addresses of iPad-owning journalists they’d weaseled out of AT&T as bait — in an attempt to get coverage. Apparently, Gawker bit first.
Here’s the deal. Spammers do this kind of thing all the time. It’s called a "brute force" attack (or sometimes a "dictionary" attack), during which a bot repeatedly pings a corporate email server with random email addresses, discards those that bounce, and collects the ones that are legitimate. You can visit a spammers’ forum and download a program that will do this for you for $20, if not totally free.
The difference? Goatse got two more pieces of information than most spammers collect: that 20-digit ID (fairly useless, unless you’re doing a brute force attack on a Web site) and the fact these people, like 2 million others, own an iPad. I’m not seeing huge damage potential here. Am I missing something?
Goatse (and Gawker) also made a big deal over the fact that many of the email addresses belonged to people in the White House, US Military, NASA and major corporations, as well as celebrities like Diane Sawyer and Michael Bloomberg.
And it’s true, an especially devious scammer could use this information to target an individual with bogus emails — what’s known as ‘spear phishing’ — in an attempt to get him or her to give up passwords or other valuable information.
But you really don’t need AT&T’s help here either. Many of these same organizations put their employees’ email addresses on their Web sites. Even if they don’t, it’s pretty simple to guess what someone’s email address is, once you know their domain. There are only so many ways it’s done — tynan@, dtynan@, dan_tynan@, dan.tynan@, tynand@, or if they’re a teensy company and he’s their first employee, dan@. That’s about it. So you could launch your own brute force attack, one name at a time, if you really wanted to.
AT&T has since turned off the feature that spit out your email address when you log on. And that’s probably where the matter should end. Should AT&T be spanked for this? Sure. But we’re a long way from data Armageddon. Google’s egregious WiFi data snooping and even Facebook’s plans to butter your personal information all over the InterWebs are far worse, in my opinion.
Too bad. Because I was really looking forward to whacking AT&T one more time.
Can any company be trusted with your data? Who do you trust? Post your thoughts below or email me: firstname.lastname@example.org.
This post originally appeared on InfoWorld.