



Apple's Safari has gone wrong on the iPad, says Goatse Security, which says that .  (Source: Warner Brothers)

The flaw could be used to target attacks on corporate networks which bypass firewall protections.  (Source: My Bank Tracker)
Group says Apple and AT&T are threatening national security and customers with their negligence

You've just conducted perhaps the biggest info leak in AT&T's recent history, you're under FBI investigation, and you have Apple and AT&T breathing down your necks.  What do you do next?

Well, if you're Goatse Security, which prides itself on making "gaping holes exposed" (which happens to be its slogan), the answer is apparently to discuss more attacks on the iPad.

In response to AT&T's claim that the security researchers at Goatse Security were "malicious" "hackers" who "attacked" AT&T's servers, Goatse has issued its second emphatic response in just a couple of days, arguing that AT&T and Apple are doing too little to protect iPad customers from harm.

Goatse Security's Escher Auernheimer writes that the ICC-IDs garnered by freely querying AT&T's website could be used to determine iPad owners' locations.

Furthermore, Auernheimer says the exploit in Apple's Safari browser he published in March has not been patched on the iPad yet and could be combined with the ICC-ID data to perform targeted attacks.  The exploit relies on an integer overflow that grants access to proxy connections over banned ports, opening the door to all sorts of ill purposes, including spewing spam and delivering malware to locally networked machines.

Goatse Security calls AT&T's delay in publishing notice to its customers about the website flaw, after it was fixed last week, unacceptable.  It writes:

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate – within the hour. Days afterward is not acceptable. It is theoretically possible that in the span of a day (particularly after a hole was closed) that a criminal organization might decide to use an old dataset to exploit users before the users could be enlightened about the vulnerability.

And it says Apple and AT&T are engaging in more of the same with the Safari flaw.  It writes:

The potential for this sort of attack and the number of iPad users on the list we saw who were stewards of major public and commercial infrastructure necessitated our public disclosure. People in critical positions have a right to completely understand the scope of vulnerability immediately. Not days or weeks or months after potential intrusion.

If Apple and AT&T do not patch this flaw and fast, the iPad could soon become the tool of choice for attacking corporate networks.  All you would have to do is gain access to the network itself (which can be accomplished via a variety of techniques either social engineering or otherwise) and then jump on and carry out attacks -- bypassing all firewall protections.  Even better yet, imagine if you were on site -- you could easily snatch someone's iPad lying around their office and use its preconfigured wireless to wreak havoc on local networks, without even needing to gain network access.

Goatse Security is arguing that it's doing nothing wrong and is doing the public a service with its announcements.  It says it is the negligence of Apple and AT&T that is a threat, both to customers and to national security.




Hire Them
By transamdude95 on 6/15/2010 10:46:50 AM , Rating: 2
Maybe Apple and AT&T should hire Goatse? They could at least keep their security flaws under wraps then...




RE: Hire Them
By Ristogod on 6/15/2010 10:52:26 AM , Rating: 5
How much do you want to bet that that isn't going to happen?

AT&T and Apple are going to do what they always do. They are going to attempt to cover up any issues and ignore it as long as possible. And they are going to fault everyone and anything other than themselves and relinquish all responsibility pertaining to the issue.


RE: Hire Them
By goodsyntax on 6/15/2010 11:13:54 AM , Rating: 5
AT&T and Apple are going to do what they always do...

Sue.


RE: Hire Them
By yomamafor1 on 6/15/2010 11:55:56 AM , Rating: 5
+1

After all, that's what they're best at, instead of actually providing better quality service.


RE: Hire Them
By muhahaaha on 6/15/2010 1:29:10 PM , Rating: 5
AT&T and Apple are going to do what they always do...

suck steve's 455h0l3


RE: Hire Them
By muhahaaha on 6/15/2010 7:20:53 PM , Rating: 2
his "i"455H0l3111!!!


RE: Hire Them
By MrBlastman on 6/15/2010 11:19:06 AM , Rating: 5
It'll never happen. It is very clear Apple doesn't care about their security issues as they don't "have" any, at least according to their commercials.

quote:
Furthermore, Auernheimer says the exploit in Apple's Safari browser he published in March has not been patched on the iPad yet and could be combined with the ICC-ID data to perform targeted attacks.


March. He let them know in March and nothing has been done.

They certainly have exposed Steve's hole--the gaping one that has become of his rectum due to all the crap he's shat out on the public over the past few years.


RE: Hire Them
By Performance Fanboi on 6/15/2010 2:01:20 PM , Rating: 2
You're bang on. Good thing for Apple that their typical customer won't hear anything about this and wouldn't 'get it' if they did.


RE: Hire Them
By lukasbradley on 6/17/2010 11:33:53 AM , Rating: 2
And pay them in COCAINE.


Jobs
By InvertMe on 6/15/2010 11:31:14 AM , Rating: 4
I wonder if Steve Jobs has a pile of babies to punch and puppies to kick when stories like this come out. Something tells me he does...




RE: Jobs
By muhahaaha on 6/15/2010 1:38:59 PM , Rating: 3
my anus is sitting on a shelf some where at apple


RE: Jobs
By muhahaaha on 6/15/2010 2:57:25 PM , Rating: 3
I just got a call from Steve Jobs and he promises to return it, albeit in slightly used condition


RE: Jobs
By Methusela on 6/15/2010 3:50:37 PM , Rating: 1
Definitely! It's much easier to buy a pile of babies and puppies to abuse than it was to buy your way to the front of the organ donor list.


LOL
By wuZheng on 6/15/2010 11:10:15 AM , Rating: 3
quote:
"making gaping holes exposed"


Cute reference. ;)




RE: LOL
By AstroCreep on 6/15/2010 2:50:05 PM , Rating: 2
I find the title "Goatse Reveals Another Gaping Hole..." to be both funny and nostalgic.

Ah, the Internet; entertaining and repulsing at the same time!


RE: LOL
By Runiteshark on 6/15/2010 4:33:01 PM , Rating: 2
I said it in the other thread, and I'll say it in this one. These guys are clearly internet superheroes.


RE: LOL
By CrazyBernie on 6/16/2010 3:31:41 AM , Rating: 2
They match the gaping holes in Apple customers' wallets and the backsides of their pants.


Israel
By metaltoiletry on 6/15/2010 11:27:17 AM , Rating: 2
I wonder if these are the sorts of issues Israel was banning the use of iPads for? I'm not sure if they are still banned in Israel or not, but they were confiscating them from people.




RE: Israel
By omnicronx on 6/15/2010 11:41:05 AM , Rating: 2
North American-bound iPads are banned in Israel because they do not conform to Israel's wireless laws.

Simply put, they have not tested it to their standards (which are similar to European standards) because the device was designed for North American standards.

There is no reason to believe that once it is more widely available in Europe (or perhaps even purchasable in Israel), that they will not be allowed.

Kind of overblown, the same can be said for a lot of wireless products being brought overseas.


RE: Israel
By Smilin on 6/15/2010 3:17:53 PM , Rating: 2
Israel already relaxed the restriction some time ago and returned iPads confiscated at customs.


WTH?
By bhieb on 6/15/10, Rating: 0
RE: WTH?
By Shadowself on 6/15/2010 4:48:58 PM , Rating: 2
I'd rate this a 10 out of five if I could.

If you lose physical security over devices -- be they iPads, laptops, or any other electronic, networked device -- the perpetrator can do considerable damage if they want to do so.

Anyone who claims this is an iPad issue is an idiot. Physical security is the first hurdle. If you fail at that, you fail. Period. Nothing else matters.


RE: WTH?
By R3T4rd on 6/16/2010 4:10:44 AM , Rating: 2
Um, I think what Jason was getting at is that if you can get your hands on a laptop within a company's network, you're most likely locked out. Most standard users and accounts that are wide open and logged in at said company have limited power and cannot do much. Even CEOs and high management have just a tad more power than your typical UCA type accounts. However, playing devil's advocate, if you were able to get your hands on one of the system administrator's or IT tech's laptops for said company with his/her logon already intact, that's a different story.

An iPad, on the other hand, with so many flaws and open security holes like the starry night sky, is different. If you can steal one on said company's network and it had access to said company's network, it is more susceptible to being hacked into and used as a tool to hack into said company's network. I don't even think the iPad, being based on the iPhone's OS, has any security layers like a UCA type.

It just goes to show you why Apple will never gain enterprise acceptability. Why some companies and even our elected moronic leaders would use any Apple products is beyond my comprehension.


RE: WTH?
By muhahaaha on 6/16/2010 10:51:21 AM , Rating: 2
...
By Brandon Hill (blog) on 6/15/2010 10:44:58 AM , Rating: 4
quote:
You've just conducted perhaps the biggest info leak in AT&T's recent history, you're under FBI investigation, and you have Apple and AT&T breathing down your necks. What do you do next?


"I'm going to Disney World!"




Jason Mick sensationalizes yet again
By W00dmann on 6/15/10, Rating: 0
RE: Jason Mick sensationalizes yet again
By TennesseeTony on 6/15/10, Rating: 0
RE: Jason Mick sensationalizes yet again
By Donkeyshins on 6/16/2010 11:42:57 AM , Rating: 2
quote:
The Secret Service had sense enough to take away Hussein's Smart-phone until they found a way to encrypt/secure it.


Who?

Oh, you must mean President Obama. Please respect the office, if not the person.


By xkrakenx on 6/17/2010 9:39:09 AM , Rating: 2
Phht, when did that kick in? People have been bashing the figurehead of the executive branch since I was a wee one.


Mick needs practice typing on his smartphone?
By AssBall on 6/15/10, Rating: 0
By AssBall on 6/15/2010 12:33:04 PM , Rating: 2
Also, that shot from Ace Ventura 2 is packed full of win and awesome.


give this man a medal
By inperfectdarkness on 6/15/2010 12:37:56 PM , Rating: 2
I haven't even read the article yet, but the title and the picture of Ace Ventura are enough to warrant inclusion in the hall of fame.




Why don't they pay?
By rsmech on 6/15/2010 11:48:22 PM , Rating: 2
Why do I have to pay to protect my identity? These companies require personal information from us, yet they can't protect it. My information wasn't this vulnerable until they decided to connect their computers with my information to the net. Oil spills, we hold BP or other oil companies responsible; forest fires, we hold those who started them responsible, etc. Why am I responsible for their mistakes? Why don't they pay every time their systems are compromised, not just when I get hit, but pay for identity theft services for every customer they compromised? These services were not required until they became negligent. And to top it off, they try to prosecute those who try to protect us, who try to expose their negligence. Am I the only one who thinks we are footing the bill for their responsibilities? Every company that has a breach of private information should be required to put money into a pool to pay for identity theft; it's their fault, not mine.




who uses safari?
By spathotan on 6/15/2010 12:10:12 PM , Rating: 1
Really.




Safari has bugs?
By muhahaaha on 6/15/10, Rating: 0
RE: Safari has bugs?
By muhahaaha on 6/15/10, Rating: 0
Copyright 2014 DailyTech LLC.