Goatse Security

Gaping Holes Exposed

Goatse Security Press Release

8 Comments »

June 20th, 2010 ― Goatse Security is dismayed at AT&T’s effort to co-opt the authority of the FBI to absolve themselves of their responsibility in a massive security vulnerability which disclosed private and secure information of its customers. Indeed, this vulnerability was 100% avoidable, and 100% AT&T’s fault. By co-opting the FBI, the private lives of Goatse Security volunteers has been invaded, and destroyed by what was at best a blunt instrument: the raid, by force, of the Goatse Security spokesperson’s private residence.

Goatse Security, in terms both clear and public, deplores this use of force to solve what is, in the end, AT&T’s PR problem. Goatse Security took measures beyond the norm to contact AT&T and assist them in patching the vulnerability before publishing it, or allowing any related media story to be published. It is our belief, and AT&T’s brash and public actions re-enforce this belief that:

  • Without large numbers of compromised customers, and without the headlines that go with them, this vulnerability would have gone unpublished, and AT&T customers unprotected. AT&T, as has been demonstrated in this instance, grossly irresponsible with the private data of its customers. We have no reasonable belief that AT&T would have taken action, would have warned anyone of this vulnerability. Instead, they would have simply swept it under the rug.
  • Full disclosure, the immediate public release of a vulnerability, is justified when companies act in their own self-interest, instead of protecting their customers’ privacy. Indeed, AT&T, instead of respecting its customers’ privacy, violated ours. This is unacceptable. Further vulnerabilities developed against AT&T will continue to be developed utilizing the best common practices (BCP) for developing such exploits, but will no longer be privately given to AT&T prior to their release. All future releases of AT&T related vulnerabilities will occur under “Full Disclosure” practices.

Goatse Security is relieved that Andrew has been released from his incarceration and is mostly unharmed, but condemns the violent, subversive, and unnecessary actions taken against him by both AT&T and the FBI. We wish Andrew the best in coming days as he picks up his front door, and his life, both pointlessly shattered by the FBI.
Goatsec is dismayed at AT&T’s effort to co-opt the authority of the FBI to absolve themselves of their responsibility in a massive security vulnerability which disclosed private and secure information of it’s customers. Indeed, this vulnerability was 100% avoidable, and 100% AT&T’s fault. By co-opting the FBI, the private lives of Goatsec volunteers has been invaded, and destroyed by what was at best a blunt instrument, the raid, by force, of the head of Goatsec’s private residence.
Goatsec, in terms both clear and public, deplores this use of force to solve what is, in the end, AT&T’s PR problem. Goatsec took measures beyond the norm to contact AT&T and assist them in patching the vulnerability before publishing it, or allowing any related media story to be published. It is our belief, and AT&T’s brash and public actions re-enforce this belief, that:
without large numbers of compromised customers, and without the headlines that go with them, that this vulnerability would have gone unpublished, and AT&T customers unprotected. AT&T, as has been demonstrated in this instance, grossly irresponsible with the private data of it’s customers. We have no reasonable belief that AT&T would have taken action, would have warned anyone of this vulnerability. Instead, they would have simply swept it under the rug.
Full Disclosure, the immediate public release of a vulnerability, is justified when companies act in their own self-interest, instead of protecting their customers privacy. Indeed, AT&T, instead of respecting it’s customers’ privacy, violated ours. This is unacceptable. Further vulnerabilities developed against AT&T will continue to be developed utilizing the best common practices (BCP) for developing such exploits, but will no longer be privately given to AT&T prior to their release. All future releases of AT&T related vulnerabilities will occur under “Full Disclosure” practices.
Goatsec is relieved that Andrew has been released from his incarceration and is mostly unharmed, but condemns the violent, subversive, and unnecessary actions taken against him by both AT&T and the FBI. We wish Andrew the best in coming days as he picks up his front door, and his life, both pointlessly shattered by the FBI.

I see what you did there, Barack Obama

10 Comments »

Most of the media coverage on the AT&T leak is a mix of factual information and spokesperson quotes. Journalists ask us questions, which we are glad to answer because it means our opinion somewhat matters. But in the end, we mostly see the old full disclosure debate, and the attempt at labelling us white hats, black hats or brown hats. Yet I think there is something new here.

Gawker identified many high profile people in the list of emails leaked by AT&T. They could easily tell them from other individuals, because they had nifty .gov or .mil addresses. At DARPA, in the EUCOM, at the White House, NASA, DoJ, the FAA… So many government employees who really, really needed an iPad.

I hope there are still a few investigative journalists out there who will certainly be thrilled to try to answer the taxpayers’ question of who exactly paid for all those government officials’ iPads. But this is not what worries me the most here.

I graduated from a pretty elite engineering school. People from that school don’t usually end up plotting funny hoaxes or working for the entertainment industry (though my favourite one actually did). They often occupy high level positions in large corporations or government agencies. When I was studying there, people from the secret services came several times to teach us about the risks of information theft. They were very serious about it. If you were going to work for the government or a top national company, you would have to learn not to write down your password under your coffee mug, but also to be wary about data protection, cell phone eavesdropping, foreign agents, including more intimate spying techniques. The message was clear: information is power, you will have it, and others will want it.

Later I worked for a state-owned company. The IT people there were using an antique version of Microsoft Exchange and disallowed the use of Firefox because it had not been approved by the security people yet. I found that extremely annoying, especially since my previous works at several security companies led me to different conclusions about the products being used, but at least it showed that they cared about security, even for average employees. I was willing to give up convenience for security.

But Barack Obama disagreed. In early 2009, he fought to keep using his BlackBerry device, against the objections of secret services and government lawyers. Barack Obama wanted convenience over security. The country’s security. And by doing so, he gave tacit clearance to every fucking idiot in the government or the military to get the latest cool electronic gadget and use it with their government email account.

Since not so long ago, UK ministers can no longer use iPhones due to security concerns. Now I hear the FBI is going to… come for Goatse? Please, someone at the NSA wake up and give a good spanking to those US government idiots using a device with a public 3-month old unfixed security vulnerability with their military or government email account. And everyone else who let them.

A response to AT&T’s letter — We have an iPad exploit and all iPads are vulnerable.

81 Comments »

So, AT&T calls us malicious in their letter to their customers. I think this calls for a statement to clear the air.

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.

Even in this disclosure, which I feel they would not have made if we hadn’t publicized this vulnerability, AT&T is being dishonest about the potential for harm.

I had previously thought that only an attacker who could crack the secret Ki key (I believe but am not certain that David Hulton and Skyper could based on information I have received about their presentation in Dubai, and if they have figured it out who knows who else has) could use the ICCIDs in this breach. Later, two security researchers from iSec Partners revealed that an attacker of much lower sophistication could use the ICC-IDs to determine iPad owner location.

iSec is a well-established name in the security industry and is known for its absolute integrity. I had the good fortune of meeting iSec hacker Josha Bronson at a convention. His abilities were second to none. I have no reason to doubt iSec’s claims.

Beyond that, AT&T is not highlighting the potential for a skilled attacker to use a Safari exploit, or other iPad application exploit based on this dataset to takeover the iPad. A complete list of iPad 3G customers (which could have been generated from this vulnerability) would have the ideal bit of data for those in the RBN with zero-day Safari exploits to acquire.

I released a semantic integer overflow exploit for Safari through Goatse Security in March– it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.

Robert “RSnake” Hansen, one of the world’s foremost web application security researchers and the author of “Detecting Malice”, talked a little about our March release on his blog.

The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure. People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.

In addition AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it. I know that the RBN has literally thousands of people working full-time to exploit software vulnerabilities. At any given moment, whatever efforts us researchers are making are dwarfed by those in the thrall of evil. So get real. You fucked up, we helped you figure that out and informed the public. You should thank us, but you can keep on shit-talking if you want. We know what we did was right.

When we disclosed this, we did it as a service to our nation. We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. The fact remains that there was not a hint of maliciousness in our disclosure. We disclosed only to a single journalist and destroyed the data afterward. We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.

-Escher Auernheimer

On disclosure ethics

63 Comments »

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

There’s some buzz about that the FBI is getting involved with this iPad email leak. Sean Sullivan at F-Secure said “the disclosure was completely irresponsible.” AT&T says we never contacted them. I want to make some things clear.
 
On the AT&T matter and the accusations of irresponsible disclosure, the timeline of the disclosure speaks for itself. AT&T itself admits the problem was closed Tuesday. The Goatse Security analyst responsible for the discovery personally verified this hole was closed Tuesday and no longer a threat to the public before we went to Ryan Tate at Gawker with the dataset and attack details. Ryan Tate was the only one to receive our dataset, and what results from it he published were redacted to prevent the compromise of those involved.
 
I want to summarize this explicitly:
  • All data was gathered from a public webserver with no password, accessible by anyone on the Internet. There was no breach, intrusion, or penetration, by any means of the word.
  • The dataset was not disclosed until we verified the problem was fixed by the vendor.
  • The only person to receive the dataset was Gawker journalist Ryan Tate who responsibly redacted it.
 
We were much nicer to AT&T than say, HD Moore was to Apple when he published exploits for unpatched flaws in the iPhone:
 
We did not contact AT&T directly, but we made sure that someone else tipped them off and waited for them to patch until we gave anything to Gawker. This is as “nice guy” as it gets. We had no interest in direct dialogue with AT&T, but we waited nicely for them to get their house in order and get their hole plugged tight before exposing it.
 
This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.
 
I think most people’s problem with our disclosure was not the actual disclosure process, but the rhetoric and tone which accompanied it. Also they seem to take issue with how we went to Gawker first. I’ve had multitudes of reporters tell me that “Gawker has problems”. I don’t think that is true. When Valleywag has messed up in the past, I’ve always seen them do a whole new post to print their retraction which always appears at the same level of visibility of the original post. Unlike their competition, where a frontpage mistake is retracted in fine print on page C20 two weeks later. It is funny, because some of the news outlets telling me Gawker has issues were ignoring me when I tried to break this story to them.
 
The rhetoric, tone, and outlet we chose for our disclosure is free speech, plain and simple.
 
I’ve also heard the insinuation in a lot of Internet comments that Gawker paid us for this scoop. This is positively false. None of us made any money off of this disclosure. We did it in public interests. Seriously, we are not poor and do not need handouts from blogging companies.
 
Anyways, there was no illegal activity or unauthorized access, this was not a shady backroom hookers and blow deal with Nick Denton as revenge for the iPhone raid (though that would be totally sweet), we did not sell your data to spammers (on the contrary, we destroyed it after Ryan used it; it had served its purpose to us) and we did not try to hack your iPads. Your iPads are safer now because of us.

Switch to our mobile site