AT&T Takes Heat for iPad Who’s-Who List Leak

The email addresses and device IDs of more than 100,000 owners of 3G-enabled iPads have been exposed in a security breach, according to wireless provider AT&T.

Victims apparently include at least one member of U.S. President Barack Obama’s cabinet, heads of large corporations and other prominent people.

AT&T has since shut down the feature thought to be responsible for the leak.

Cracking the iPad Owner’s Data

The breach was apparently discovered by a group of security advisers that calls itself “Goatse Security.”

Goatse obtained iPad owners’ emails through a script on AT&T’s website that was accessible over the Internet. An iPad owner would provide an ICC-ID — an identification number for the device — in an HTTP request to the site. The site would then return the email address associated with that ICC-ID number.

That gave the hackers the email addresses of iPad owners whose ICC-IDs they had identified.

An ICC-ID is an integrated circuit card identifier. It identifies the subscriber identity module (SIM) card in a mobile telephony device. Owners can move their service to another device by removing the SIM card from the existing device and inserting it into the new one.

The ICC-ID includes an issuer identification number, a major industry identifier, a country code, an issuer identifier, and an individual account identification number.

Decoding those fields reveals who owns the device and which country the owner is in.

Goatse’s experts managed to guess a large number of ICC-IDs by looking at known iPad 3G ICC-IDs. Some of these were in pictures of the iPad posted by owners on the Internet. The experts then wrote a PHP script to automate the harvesting of data.
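The weakness described above is an identifier that is easy to guess being accepted, unauthenticated, as the key to a personal record. As an added example (not code from the article, from AT&T or from Goatse Security), the following Python parses an ICC-ID into the fields named above and shows what a defender could look for in the lookup endpoint's own access logs: one client walking consecutive account numbers, or submitting IDs that fail the check digit. The endpoint path `/lookup`, the log format and the issuer prefix `8901000` are constructed assumptions, not AT&T's.

```python
"""Parse ICC-IDs and flag enumeration of an unauthenticated lookup endpoint.

Added example, not code from the article or from AT&T. The endpoint path
/lookup, the log format and the ICC-ID prefix are assumptions.
"""
import re
from collections import defaultdict

MII_TELECOM = "89"         # ITU-T E.118 major industry identifier for telecom
IIN_LEN = 7                # issuer identification number: MII + country code + issuer
SAMPLE_PREFIX = "8901000"  # constructed IIN for the samples, not a real carrier's


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit that an ICC-ID carries as its final digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def parse_iccid(iccid: str):
    """Split an ICC-ID into its fields; None if it is not a well-formed telecom ICC-ID."""
    if not re.fullmatch(r"\d{19,20}", iccid):
        return None
    if not iccid.startswith(MII_TELECOM) or iccid[-1] != luhn_check_digit(iccid[:-1]):
        return None
    return {
        "mii": iccid[:2],
        "issuer": iccid[2:IIN_LEN],  # country code plus issuer identifier; the split varies by country
        "account": int(iccid[IIN_LEN:-1]),
        "check_digit": iccid[-1],
    }


def make_iccid(account: int) -> str:
    """Constructed sample ICC-ID (prefix + 12-digit account) with a valid check digit."""
    payload = f"{SAMPLE_PREFIX}{account:012d}"
    return payload + luhn_check_digit(payload)


LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /lookup\?iccid=(?P<iccid>\d+) HTTP/')


def log_line(ip: str, iccid: str) -> str:
    """One constructed access-log line in common log format (not a real AT&T log)."""
    return f'{ip} - - [09/Jun/2010:10:00:00 +0000] "GET /lookup?iccid={iccid} HTTP/1.1" 200 45'


def build_sample_log() -> list:
    """Constructed log: one owner, one client walking consecutive IDs, one sending a bad check digit."""
    lines = [log_line("203.0.113.10", make_iccid(500123))]
    lines += [log_line("198.51.100.7", make_iccid(a)) for a in range(700000, 700006)]
    bad = make_iccid(1)
    lines.append(log_line("198.51.100.9", bad[:-1] + str((int(bad[-1]) + 1) % 10)))
    return lines


def detect_enumeration(lines, max_ids=5, run_threshold=3):
    """Per client IP: distinct valid ICC-IDs, longest run of consecutive accounts, malformed IDs.

    Returns only the clients whose traffic looks like identifier guessing."""
    accounts = defaultdict(list)
    malformed = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_iccid(m["iccid"])
        if parsed is None:
            malformed[m["ip"]] += 1
        else:
            accounts[m["ip"]].append(parsed["account"])
    report = {}
    for ip in set(accounts) | set(malformed):
        seq = accounts[ip]
        longest = run = 1 if seq else 0
        for prev, cur in zip(seq, seq[1:]):  # consecutive account numbers in request order
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        stats = {"distinct": len(set(seq)), "longest_run": longest, "malformed": malformed[ip]}
        if stats["distinct"] > max_ids or longest >= run_threshold or stats["malformed"]:
            report[ip] = stats
    return report


if __name__ == "__main__":
    for ip, stats in sorted(detect_enumeration(build_sample_log()).items()):
        print(ip, stats)
```

The check-digit test and the account-field parse matter because consecutive account numbers do not produce consecutive full ICC-ID strings; comparing the parsed account field is what exposes the walk. The thresholds are illustrative; the lasting fix is the one AT&T applied, not returning personal data for an unauthenticated identifier at all.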

Goatse reportedly shared the script with third parties and notified AT&T of the breach, though AT&T has denied it had been notified by the group. Goatse did not respond to requests for comment by press time.

Reaching for the Sky

Some of the iPad’s earliest adopters include high-profile individuals in positions of power who presumably would want their personal email addresses kept private. Victims of the breach include White House Chief of Staff Rahm Emanuel, as well as staffers in the U.S. Senate and other major government departments, according to a post on the blog Gawker.

Others apparently work for the Defense Advanced Research Projects Agency (DARPA) and other major branches of the United States’ armed services. Other victims include top executives of The New York Times and Dow Jones; high-level staff at Google, Amazon and Microsoft; and staff at financial industry companies like Goldman Sachs and JP Morgan.

There are at least 114,000 victims in the United States alone, Gawker reported.

Could Apple be partly responsible for the breach because it requires iPad owners to provide their email addresses in order to get service?

No, David Harley, director of malware intelligence at ESET, told the E-Commerce Times. “AT&T is hardly a mom-and-pop operation, and it wasn’t unreasonable for Apple to expect professionalism and expertise from the partnership with AT&T.”

Apple did not respond to requests for comment by press time.

AT&T Clamps Down

AT&T has shut off the feature that provided iPad owners’ email addresses in response to HTTP requests.

“We have essentially turned off the feature that provided the email addresses,” AT&T spokesperson Mark Siegel told the E-Commerce Times.

He disputed reports that Goatse had notified AT&T of the breach.

“The person or group who discovered this gap did not contact AT&T,” Siegel said. “AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC-IDs.”

AT&T is still investigating the breach and will inform all customers whose email addresses and ICC-IDs may have been breached.

All Sizzle, No Steak?

The breach is a tempest in a teacup, Carl Howe, director of anywhere research at the Yankee Group, told the E-Commerce Times.

“People can find out your email address. Who knew?” Howe said. “Most people are sending their email addresses to hundreds of people every day and don’t worry about security.”

“Activation and registration that requires an email address is very common in the software industry,” ESET’s Harley pointed out. “Its use in terms of the iPad is entirely consistent with Apple’s security model which is, in many ways, very effective.”

Hackers won’t get much out of the information gleaned from the attack, Howe said.

“You can’t do anything with the iPad serial number, it’s not terribly useful to anyone else other than AT&T,” Howe remarked. “The hackers have the serial numbers of iPads and their owners’ email addresses, and that’s all,” he said.

“It’s a design flaw, certainly, but its impact is mostly in terms of bad public relations,” ESET’s Harley said. “It’s mostly AT&T’s bad luck that it was picked up by a group that saw an easy way to get some publicity. It seems to me that the risk has been somewhat overstated.”

The real impact of the hack will be inconvenience for iPad owners, Howe said.

“AT&T were trying to make it easier to buy services by automatically filling in users’ email addresses when they ordered, say, an iPad app,” Howe explained. “Now you’ll have to type in your email address when you order something for the iPad on AT&T’s website.”


PII of Many Fortune 1000 Execs Exposed at Data Broker Sites

Research released Monday by a cybersecurity services provider reveals how widespread the risks are to executives and the organizations they ramrod from data brokers collecting sensitive data about them.

The provider, BlackCloak, published in a blog the results of an analysis of 750 of its customers, most of them executives and board members at Fortune 1000 or other large institutions. Among the company’s findings:

  • 99% of our executives have their personal information available on more than three dozen online data broker websites, with a large percentage listed on more than 100;
  • 70% of executive profiles found on data broker websites contained personal social media information and photos, most commonly from LinkedIn and Facebook;
  • 95% of executive profiles contained personal and confidential information about their family, relatives, and neighbors;
  • On average, online data brokers maintained more than three personal email addresses for every executive record.

“While maintaining data on three personal email addresses may not seem that significant to the novice eye, access to any personal email address raises the risks of unauthorized access, fraud and impersonation emails, among other digital threats,” wrote BlackCloak Director of Marketing Evan Goldberg.

Home as Soft Underbelly

The research also found that 40% of online data brokers had the IP address of an executive’s home network. “Not only could you use address information held by the broker to physically go to an executive’s home, but you could use the IP address to digitally break into their home from anywhere in the world,” observed BlackCloak Founder and CEO Chris Pierson.

“We see corporate executives targeted all the time in their personal lives,” he told TechNewsWorld. “If you’re targeting the CEO of GE, are you going to hack him at his GE email address, where he’s protected by corporate cybersecurity, or are you going to target him at his Gmail account or his wife’s account or his kids’ accounts, and get a foothold in his home?”

“Because everyone has been working from home for the past two years, it’s created the home as the soft underbelly of the corporation,” he said.

“Data broker information has been leveraged to commit identity theft and unemployment fraud over the past two years,” he added.

Some of the risks cited by BlackCloak are overblown, maintained Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C.

“Data brokers are often selling data that is already public, such as information on voting records or campaign contributions,” he told TechNewsWorld.

“Similarly,” he continued, “information that is publicly accessible on social networks or on websites is not particularly sensitive.”

However, he acknowledged that cybercriminals can use that information to perpetrate phishing attacks and impersonate an executive.

Danger to Top Brass

“The reality is that data brokers present fertile grounds for hackers, abusers and stalkers,” observed Liz Miller, vice president and a principal analyst at Constellation Research, a technology research and advisory firm in Cupertino, Calif.

“Where else could you pay $29 for a complete dossier on an ex-girlfriend including current address and phone number, current associates residing in the same location and basic detail about that person?” she told TechNewsWorld. “When you actually think about what this intensely sensitive data can mean in the hands of someone with no moral or ethical compass, it should terrify people.”

Data brokers have only one reason for being, noted Greg Sterling, co-founder of Near Media, a news, commentary and analysis website. “Their raison d’être is to collect as much data on as many households and people as possible,” he told TechNewsWorld.

“By definition then, they expose and transfer information that individuals might not want exposed or sold, or that might be sold non-consensually or without knowledge of the individuals involved.”

Armen Najarian, chief identity officer at Outseer, a provider of payment fraud protection solutions in Bedford, Mass., maintained that data brokers present significant risks to executives. “In the digital era, data is power,” he told TechNewsWorld. “It’s dangerous for any company to have such detailed profiles of highly influential business professionals.”

“Often these profiles will include highly personal information, like income and assets, which are used by cybercriminals to target and steal a victim’s identity,” he continued.

“By studying the online behavior of these executives, fraudsters have an intimate look at what’s going on in these individuals’ lives, making it easier for them to deploy highly targeted attacks,” he added.

Not So Anonymous Anonymity

Some data brokers and applications justify their voracious appetite for data by claiming they only share anonymized information, a claim disputed by the Electronic Frontier Foundation in a July 2021 article on its website written by Gennie Gebhart and Bennett Cyphers.

“Data brokers sell rich profiles with more than enough information to link sensitive data to real people, even if the brokers don’t include a legal name,” they wrote. “In particular, there’s no such thing as ‘anonymous’ location data. Data points like one’s home or workplace are identifiers themselves, and a malicious observer can connect movements to these and other destinations.”

“Another piece of the puzzle is the ad ID, another so-called ‘anonymous’ label that identifies a device,” they added. “Apps share ad IDs with third parties, and an entire industry of ‘identity resolution’ companies can readily link ad IDs to real people at scale.”

While governments in some other regions of the world have taken a harder line toward data brokers, that hasn’t been the case in the U.S. “It’s an area where the laws in the United States are not as robust as they could be,” Pierson said. “Over time, there have been a number of different legal proposals, but there have been no meaningful restrictions in what data brokers can do in the United States.”

“The best way to regulate data brokers would be to create a federal data privacy law that establishes basic consumer data rights, especially for sensitive personal data,” Castro advised. “Federal law is the best way to ensure that Americans have control of their information and avoids creating a complicated state-by-state patchwork of laws.”

“The U.S. government should absolutely consider enacting legislation to regulate data brokers,” added Najarian. “This is an issue that extends beyond Fortune 1000 executives. It affects every single person who uses the internet.”

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.


US-Led Seizure of RaidForums May Defy Lasting Effect on Security

The U.S. Department of Justice on Tuesday announced it seized the website and user database for RaidForums, a popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015.

The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud, and aggravated identity theft.

Coelho was arrested in the United Kingdom on Jan. 31, at the request of U.S. officials. He remains in custody pending the resolution of his extradition proceedings.

Court records unsealed Tuesday indicate that the United States recently obtained judicial authorization to seize three domains that long hosted the RaidForums website. These domains were “raidforums.com,” “Rf.ws,” and “Raid.lol.”

Officials unsealed a six-count indictment against Coelho in the Eastern District of Virginia in connection with his role as the chief administrator of RaidForums. According to the indictment, between Jan. 1, 2015, and on or about Jan. 31, 2022, Coelho allegedly controlled and served as the chief administrator of RaidForums, which he operated with the help of other website administrators.

Illegal Online Marketplace

Coelho and his co-conspirators are alleged to have designed and administered the platform’s software and computer infrastructure, established and enforced rules for its users, and created and managed sections of the website dedicated to promoting the buying and selling of contraband. They included a subforum titled “Leaks Market” that described itself as “[a] place to buy/sell/trade databases and leaks.”

According to the affidavit filed in support of these seizures, from in or around 2016 through February 2022, RaidForums served as a major online marketplace for individuals to buy and sell hacked or stolen databases containing sensitive personal and financial information of victims in the U.S. and elsewhere. The data included stolen bank routing and account numbers, credit card information, login credentials, and social security numbers.

“The takedown of this online market for the resale of hacked or stolen data disrupts one of the major ways cybercriminals profit from the large-scale theft of sensitive personal and financial information,” said Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division.

“This is another example of how working with our international law enforcement partners has resulted in the shutdown of a criminal marketplace and the arrest of its administrator,” he added.

Massive International Takedown

Prior to its seizure, RaidForums members used the platform to offer for sale hundreds of databases of stolen data containing more than 10 billion unique records for individuals residing in the United States and internationally.

At the time of its founding in 2015, RaidForums also operated as an online venue for organizing and supporting forms of electronic harassment, including by “raiding” — posting or sending an overwhelming volume of contact to a victim’s online communications medium — or “swatting” — the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.

The seizure of these domains by the government will prevent RaidForums members from using the platform to traffic in data stolen from corporations, universities, and governmental entities in the United States and elsewhere, including databases containing the sensitive, private data of millions of individuals around the world, according to the DOJ.

“Our interagency efforts to dismantle this sophisticated online platform — which facilitated a wide range of criminal activity — should come as a relief to the millions victimized by it, and as a warning to those cybercriminals who participated in these types of nefarious activities,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia.

“Online anonymity was not able to protect the defendant in this case from prosecution, and it will not protect other online criminals either,” she asserted.

The law enforcement actions against RaidForums and Coelho resulted from an ongoing criminal investigation by the FBI’s Washington Field Office and the U.S. Secret Service.

Seizure of the RaidForums website and the charges against the marketplace’s administrator show the strength of the FBI’s international partnerships, noted Assistant Director in Charge Steven M. D’Antuono of the FBI’s Washington Field Office.

[Image: RaidForums seizure notice]

U.S. officials credited support from Joint Cybercrime Action Taskforce (Europol), National Crime Agency (U.K.), Swedish Police Authority (Sweden), Romanian National Police (Romania), Judicial Police (Portugal), Internal Revenue Service Criminal Investigation, Federal Criminal Police Office (Germany) and other law enforcement partners.

“Cybercrime transcends borders, which is why the FBI is committed to working with our partners to bring cybercriminals to justice — no matter where in the world they live or behind what device they try to hide,” said D’Antuono.

Operational Expertise Disclosed

To profit from the illicit activity on the platform, RaidForums charged escalating prices for membership tiers that offered greater access and features. The pricing structure included a top-tier “God” membership status.

RaidForums also sold “credits” that provided members access to privileged areas of the website and enabled members to “unlock” and download stolen financial information, means of identification, and data from compromised databases, among other items. Members could also earn credits through other means, such as by posting instructions on how to commit certain illegal acts.

According to the indictment, Coelho also personally sold stolen data on the platform and directly facilitated illicit transactions by operating a fee-based “Official Middleman” service. For that service, Coelho allegedly acted as a trusted intermediary between RaidForums members seeking to buy and sell contraband on the platform, including hacked data.

Notably, to create confidence among transacting parties, the Official Middleman service enabled purchasers and sellers to verify the means of payment and contraband files being sold prior to executing the transaction.

Long-Term Impact Questioned

The massive takedown of RaidForums might have little real impact against the large volume of hackers operating worldwide, according to Casey Ellis, founder and CTO at crowdsourced cybersecurity firm Bugcrowd.

“I question the long-term impact of this action on the cybercriminal industry. Cybercrime and its supporting criminal services are, by and large, incredibly successful, and profitable for those who operate them. Business models like this tend to find a way to continue to exist,” he told TechNewsWorld.

It definitely provides a deterrent aspect to people considering launching similar forums and marketplaces, he added. However, he suspects they will simply evolve the techniques used to maintain operational security and avoid detection.

“The other counter-intuitive consequence of this action is that it essentially burns a valuable tool used by those in CTI, who infiltrate forums like this one, build fake personas, and use them to gather tactical breach and risk intelligence,” he said.

Still, the arrest and seizure are important in as much as they disrupt a marketplace and create additional difficulty and cost for cybercriminals who are looking to monetize their services and stolen data.

“It is also a clear signal to other forum operators that they are in the DOJ’s crosshairs,” he said.

Disruption May Be Key Deterrent

The takedown of RaidForums will cause a natural power vacuum within the cybercriminal community. Many of Raid’s members are likely to flock to alternative platforms, suggested Chris Morgan, senior cyber threat intelligence analyst at risk protection firm Digital Shadows.

“The takedown of RaidForums is unlikely to result in a major disruption to overall cybercriminal activity. Cybercriminals are well versed to platforms being taken down by LEAs and so they remain agile and fluid as to where their next forum of choice is likely to pop up,” he told TechNewsWorld.

The seizure of an individual forum will not have much long-term impact, agreed John Bambenek, principal threat hunter at digital IT and security operations firm Netenrich.

“However, if the justice department can keep up the pace of operations against many of these forums, it will provide a very strong disruption to the overall cybercrime ecosystem,” he predicted. “Just like a crime wave is not solved with individual prosecutions, cybercrime is no different.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
