Movatterモバイル変換

[0]ホーム
URL:

Jump to content
WikipediaThe Free Encyclopedia
Search

Goatse Security

From Wikipedia, the free encyclopedia
Hacker group

Goatse Security
aka GoatSec[1][2]
Logo
FormationDecember 2009; 15 years ago (2009-12)[3]
PurposeHacking
MembershipAndrew "weev" Auernheimer[4][5]
Sam Hocevar[4][6][7]
Daniel Spitler[4][8]
Leon Kaiser[2][4]
Nick "Rucas" Price[4][9][10]
Products
Clench[11][12]
Websitesecurity.goatse.fr (defunct)

Goatse Security (GoatSec) was a loose-knit, nine-person[13]grey hat[14]hacker group[15] that specialized in uncovering security flaws.[3][16] It was a division of the anti-bloggingInternet trolling organization known as theGay Nigger Association of America (GNAA).[2] The group derives its name from theGoatse.cxshock site,[5] and it chose "Gaping Holes Exposed" as itsslogan.[17] The website has been abandoned without an update since May 2014.[18]

In June 2010, Goatse Security obtained theemail addresses of approximately 114,000 Apple iPad users. This led to anFBI investigation and the filing of criminal charges against two of the group's members.

Founding

[edit]

The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that there would not be anyone who would take security data published by the GNAA seriously. In order to create a medium through which GNAA members can publish their security findings, the GNAA created Goatse Security in December 2009.[2][3]

Discovery of browser vulnerabilities

[edit]

In order to protect its web browser frominter-protocol exploitation,Mozilla blocked severalports thatHTML forms would not normally have access to. In January 2010, the GNAA discovered that Mozilla's blocks did not coverport 6667, which left Mozilla browsers vulnerable to cross-protocol scripts. The GNAA crafted aJavaScript-basedexploit in order tofloodIRC channels. AlthoughEFnet andOFTC were able to block the attacks,Freenode struggled to counteract the attacks. Goatse Security exposed the vulnerability, and one of its members, Andrew Auernheimer, aka "weev," posted information about the exploit onEncyclopedia Dramatica.[19][20][21]

In March 2010, Goatse Security discovered aninteger overflow vulnerability within Apple's web browser,Safari, and posted an exploit on Encyclopedia Dramatica.[22] They found out that a person could access a blocked port by adding 65,536 to the port number.[23][24] This vulnerability was also found inArora,[25]iCab,[26]OmniWeb,[27] and Stainless.[28] Although Apple fixed the glitch for desktop versions of Safari in March, the company left the glitch unfixed in mobile versions of the browser.[22][29] Goatse Security claimed that a hacker could exploit the mobile Safari flaw in order to gain access and cause harm to the AppleiPad.[22][29]

AT&T/iPad email address leak

[edit]

In June 2010, Goatse Security uncovered a vulnerability within theAT&T website.[30][31] AT&T was the only provider of3G service forApple'siPad in theUnited States at the time.[32] When signing up for AT&T's 3G service from an iPad, AT&T retrieves theICC-ID from the iPad'sSIM card and associates it with the email address provided during sign-up.[30][33] In order to ease the log-in process from the iPad, the AT&T website receives the SIM card's ICC-ID and pre-populates the email address field with the address provided during sign-up.[30][33] Goatse Security realized that by sending aHTTP request with a valid ICC-ID embedded inside it to the AT&T website, the website would reveal the email address associated with that ICC-ID.[30][33]

On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, includingphishing, on an IRC channel.[8][34][35] Goatse Security constructed aPHP-basedbrute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID is entered, which would return the email address corresponding to the ICC-ID.[30][33] This script was dubbed the "iPad 3G Account Slurper."[35]

Goatse Security then attempted to find an appropriate news source to disclose the leaked information, with Auernheimer attempting to contactNews Corporation andThomson Reuters executives, includingArthur Siskind, about AT&T's security problems.[36] On June 6, 2010, Auernheimer sent emails with some of the ICC-IDs recovered in order to verify his claims.[34][36] Chat logs from this period also reveal that attention and publicity may have been incentives for the group.[37]

Contrary to what it first claimed, the group initially revealed the security flaw toGawker Mediabefore notifying AT&T[37] and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics re-provoked significant debate on the proper disclosure of IT security flaws.[38]

Auernheimer has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys".[38][39]Jennifer Granick of theElectronic Frontier Foundation has also defended the tactics used by Goatse Security.[38]

On June 14, 2010,Michael Arrington ofTechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony.[40][41]

TheFBI then opened an investigation into the incident,[42] leading to a criminal complaint in January 2011[10] and a raid on Auernheimer's house. The search was related to the AT&T investigation and Auernheimer was subsequently detained and released on bail[43] on state drug charges,[44] later dropped.[45] After his release on bail, he broke agag order to protest and to dispute the legality of the search of his house and denial of access to apublic defender. He also asked for donations viaPayPal, to defray legal costs.[15][46] In 2011 the Department of Justice announced that he will be charged with one count of conspiracy to access a computer without authorization and one count of fraud.[45] A co-defendant, Daniel Spitler, was released on bail.[47][48]

On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization,[49] andtweeted that he would appeal the ruling.[50] Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out."[51]

On November 29, 2012, Auernheimer authored an article inWired Magazine entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of anyzero-day exploit only to individuals who will "use it in the interests of social justice."[52]

On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper.[53][54] The judges did not address the substantive question on the legality of the site access.[55] He was released from prison late on April 11.[56]

Other accomplishments

[edit]

In May 2011, aDoS vulnerability affecting severalLinux distributions was disclosed by Goatse Security, after the group discovered that a lengthyAdvanced Packaging Tool URL would causecompiz to crash.[57]

In September 2012, Goatse Security was credited byMicrosoft for helping to secure their online services.[9]

References

[edit]
  1. ^Tate, Ryan (June 9, 2010)."AT&T Fights Spreading iPad Fear".Valleywag.Gawker Media. Archived fromthe original on July 15, 2010. RetrievedOctober 17, 2010.
  2. ^abcdKaiser, Leon (January 19, 2011)."Interview: Goatse Security on FBI Charges Following AT&T iPad Breach".DailyTech (Interview: Transcript). Interviewed by Mick Jason. Archived fromthe original on March 31, 2014. RetrievedJanuary 21, 2011.
  3. ^abcDowell, Andrew (June 17, 2010)."Programmer Detained After FBI Search".The Wall Street Journal.Dow Jones & Company, Inc. RetrievedOctober 11, 2010.
  4. ^abcde"Team".Goatse Security. June 14, 2010. Archived fromthe original on September 30, 2010. RetrievedSeptember 22, 2010.
  5. ^abChokshi, Niraj (June 10, 2010)."Meet One of the Hackers Who Exposed the iPad Security Leak".The Atlantic. The Atlantic Monthly Group. RetrievedSeptember 16, 2010.
  6. ^Keizer, Gregg (June 17, 2010)."iPad hacker arrested on multiple drug charges after FBI search".Computerworld. Computerworld Inc. RetrievedSeptember 16, 2010.
  7. ^Mick, Jason (June 14, 2010)."AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales".DailyTech. DailyTech LLC. Archived fromthe original on August 20, 2010. RetrievedSeptember 16, 2010.
  8. ^abBilton, Nick; Wortham, Jenna (January 18, 2011)."Two Are Charged With Fraud in iPad Security Breach".The New York Times. RetrievedJanuary 21, 2011.
  9. ^ab"Security Researcher Acknowledgments for Microsoft Online Services". Microsoft. RetrievedOctober 19, 2012.
  10. ^abUnited States District Court — District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
  11. ^"Clench, our way of saying "screw you" to SSL PKI forever".Goatse Security. September 8, 2010. Archived fromthe original on September 11, 2010. RetrievedOctober 29, 2010.
  12. ^Lawson, Nate (September 8, 2010)."Clench is inferior to TLS+SRP".root labs rdist. Nate Lawson. RetrievedOctober 29, 2010.
  13. ^Eunjung Cha, Ariana (June 12, 2010)."Apple's iPad security breach reveals vulnerability of mobile devices".Washington Post. RetrievedApril 6, 2011.
  14. ^Kirsch, Cassandra (2014)."The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law"(PDF).Northern Kentucky Law Review.41: 386.[dead link]
  15. ^abAT&T iPad 'hacker' breaks gag order to rant at copsThe Register, John Leyden. July 7, 2010
  16. ^Tate, Ryan (June 10, 2010)."Apple's iPad Breach Raises Alarms".All Things Considered (Interview: audio / transcript). Interviewed byMelissa Block.National Public Radio. RetrievedSeptember 16, 2010.
  17. ^Ragan, Steve (June 10, 2010)."AT&T loses 114,000 e-mail addresses via scripting error".The Tech Herald. WOTR Limited. Archived fromthe original on November 18, 2011. RetrievedSeptember 28, 2010.
  18. ^"Compiz vulnerability « Goatse Security". Archived fromthe original on July 24, 2019. RetrievedOctober 15, 2019.
  19. ^Constantin, Lucian (January 30, 2010)."Firefox Bug Used to Harass Entire IRC Network".Softpedia. Softpedia. RetrievedSeptember 19, 2010.
  20. ^Goodin, Dan (January 30, 2010)."Firefox-based attack wreaks havoc on IRC users".The Register. Situation Publishing. RetrievedSeptember 19, 2010.
  21. ^Goodin, Dan (June 9, 2010)."Security gaffe exposes addresses of elite iPaders".The Register. Situation Publishing. RetrievedSeptember 19, 2010.
  22. ^abcKeizer, Gregg (June 14, 2010)."AT&T 'dishonest' about iPad attack threat, say hackers".Computerworld. Computerworld Inc. RetrievedSeptember 18, 2010.
  23. ^Ragan, Steve (June 14, 2010)."Goatse Security tells AT&T: 'You f---ed up'".The Tech Herald. WOTR Limited. p. 2. Archived fromthe original on October 3, 2011. RetrievedOctober 6, 2010.
  24. ^"CVE-2010-1099".National Vulnerability Database.NIST. March 24, 2010. RetrievedOctober 6, 2010.
  25. ^"CVE-2010-1100".National Vulnerability Database.NIST. March 24, 2010. RetrievedOctober 6, 2010.
  26. ^"CVE-2010-1101".National Vulnerability Database.NIST. March 24, 2010. RetrievedOctober 6, 2010.
  27. ^"CVE-2010-1102".National Vulnerability Database.NIST. March 24, 2010. RetrievedOctober 6, 2010.
  28. ^"CVE-2010-1103".National Vulnerability Database.NIST. March 24, 2010. RetrievedOctober 6, 2010.
  29. ^abGoldman, David (June 14, 2010)."Hackers say iPad has more security holes".CNNMoney.com.CNN. RetrievedSeptember 18, 2010.
  30. ^abcdeKeizer, Gregg (June 10, 2010)."'Brute force' script snatched iPad e-mail addresses".Computerworld. Computerworld Inc. RetrievedSeptember 18, 2010.
  31. ^Tate, Ryan (June 9, 2010)."Apple's Worst Security Breach: 114,000 iPad Owners Exposed".Valleywag.Gawker Media. Archived fromthe original on July 26, 2010. RetrievedSeptember 16, 2010.
  32. ^Ante, Spencer E. (June 10, 2010)."AT&T Discloses Breach of iPad Owner Data".The Wall Street Journal.Dow Jones & Company, Inc. RetrievedSeptember 26, 2010.
  33. ^abcdBuchanan, Matt (June 9, 2010)."The Little Feature That Led to AT&T's iPad Security Breach".Gizmodo.Gawker Media. RetrievedSeptember 22, 2010.
  34. ^abCriminal ComplaintArchived January 25, 2011, at theWayback Machine. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011
  35. ^abVoreacos, David (January 18, 2011)."U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users".Bloomberg.com.Bloomberg L.P. RetrievedJanuary 21, 2011.
  36. ^abMcMillan, Robert (December 15, 2010)."AT&T IPad Hacker Fought for Media Attention, Documents Show".PC World. PC World Communications, Inc. RetrievedDecember 16, 2010.[permanent dead link]
  37. ^abForesman, Chris (January 19, 2011)."Goatse Security trolls were after "max lols" in AT&T iPad hack".Ars Technica. RetrievedJanuary 22, 2011.
  38. ^abcWorthen, Ben; Spencer E. Ante (June 14, 2010)."Computer Experts Face Backlash".WSJ.com.
  39. ^Leydon, John (July 7, 2010)."AT&T iPad 'hacker' breaks gag order to rant at cops".The Register. RetrievedFebruary 16, 2011.
  40. ^Arrington, Michael (June 14, 2010)."We're Awarding Goatse Security A Crunchie Award For Public Service".Tech Crunch. RetrievedMarch 31, 2010.
  41. ^Patterson, Ben (June 14, 2010)."AT&T apologizes for iPad breach, blames hackers".Yahoo! News. RetrievedMarch 31, 2010.
  42. ^Tate, Ryan (June 9, 2010)."Apple's Worst Security Breach: 114,000 iPad Owners Exposed".Gawker.com.Gawker Media. Archived fromthe original on June 12, 2010. RetrievedJune 13, 2010.
  43. ^Emspak, Jesse; Perna, Gabriel (June 17, 2010)."Arrested Hacker's Web Site Reveals Extremist Views".International Business Times.International Business Times. Archived fromthe original on March 6, 2020. RetrievedJuly 11, 2010.
  44. ^Dowell, Andrew (June 17, 2010)."Programmer Detained After FBI Search".The Wall Street Journal.
  45. ^ab"Criminal charges filed against AT&T iPad attackers — Computerworld". January 18, 2011. Archived fromthe original on October 10, 2012. RetrievedApril 18, 2011.
  46. ^weev."Hypocrites and Pharisees". Goatse.fr. Archived fromthe original on May 24, 2017. RetrievedApril 18, 2011.
  47. ^Voigt, Kurt (January 21, 2011)."No bail for 2nd iPad e-mail address theft suspect".MSNBC.com. Associated Press. RetrievedFebruary 15, 2011.[dead link]
  48. ^Porter, David (February 28, 2011)."Suspect in iPad Data Theft Released on Bail in NJ".ABC News. Associated Press. RetrievedMarch 2, 2011.
  49. ^Zetter, Kim (November 20, 2012)."Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com".
  50. ^"Twitter status, 3:38 PM - 20 Nov 12".
  51. ^"Twitter status, 3:32 PM - 20 Nov 12".
  52. ^Bierend, Doug (November 29, 2012)."Forget Disclosure — Hackers Should Keep Security Holes to Themselves".Wired.
  53. ^Case: 13-1816 Document: 003111586090
  54. ^Kravets, David (April 11, 2014)."Appeals court reverses hacker/troll "weev" conviction and sentence".Ars Technica. RetrievedApril 11, 2014.
  55. ^Hill, Kashmir (April 11, 2014)."Weev Freed, But Court Punts On Bigger 'Hacking vs. Security Research' Question".Forbes. RetrievedApril 11, 2014.
  56. ^Voreacos, David (April 14, 2014)."AT&T Hacker 'Weev' Parties and Tweets as Case Still Looms".Bloomberg. RetrievedApril 14, 2014.
  57. ^Constantin, Lucian (May 16, 2011)."Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day". Softpedia. RetrievedMarch 25, 2014.

External links

[edit]
Hacking in the 2010s
Major incidents
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Hacktivism
Groups
Individuals
Majorvulnerabilities
publiclydisclosed
Malware
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
Retrieved from "https://en.wikipedia.org/w/index.php?title=Goatse_Security&oldid=1260169181"
Categories:
Hidden categories:
[8]ページ先頭
©2009-2025 Movatter.jp