attack - ReadWriteWeb
http://www.readwriteweb.com/feeds/tag/attack
Copyright 2012 Richard MacManus (readwriteweb@gmail.com), Wed, 15 Feb 2012 05:20:00 -0800

U.S. Announces 120,000 iPad Users Had Data Stolen

U.S. investigators will hold a press conference this afternoon to announce criminal charges related to the alleged theft of email addresses and other personal information belonging to 120,000 iPad users. The theft occurred in June 2010, when hackers harvested the data from AT&T's servers with an automated script. At the time, a group calling itself Goatse Security claimed responsibility for the breach, saying it was motivated to show iPad users that their data was not as secure as they thought.

According to a breaking news report from Reuters, Paul Fishman, the U.S. Attorney for the District of New Jersey, and the FBI plan to hold a press conference this afternoon to discuss the charges.

Remember this Attack?

If this story sounds familiar to you, it should. Last summer, the news spread like wildfire around the Web, not just because of the incident itself but because of the name of the so-called "security firm," which refers to a decidedly NSFW (not safe for work) Web prank. Gawker originally broke the story. For a refresher, you can read all the details here.

The "security firm," really just a group of hackers calling itself a firm, exploited a flaw in an AT&T Web application that, given the ICC-ID of an iPad 3G's SIM card, returned the email address of the subscriber associated with it. The hack did not affect users of Wi-Fi-only iPads, which have no SIM card and no AT&T account.

At the time of the original report, the number of compromised accounts was said to be around 114,000. Today, it seems that number was a bit higher: 120,000.

How the Attack Worked

The hackers used a specially formatted HTTP request that, given a user's ICC-ID, returned that user's email address. The ICC-ID ("integrated circuit card identifier") is the serial number of a SIM card; the carrier uses it to tie a mobile subscriber to a device. A script on AT&T's website accepted an ICC-ID from anyone, with no check that the requester actually owned that SIM, and returned the subscriber's email address.

The hackers found ICC-IDs in the many public photos of iPad SIM cards and packaging hosted on the photo-sharing website Flickr and similar sites. They were also able to guess a large number of additional ICC-IDs by looking at known IDs and making educated guesses at nearby values.

To harvest the data from AT&T's servers, the hackers wrote an automated PHP script that sent requests crafted to look as though they came from an iPad, and iterated through candidate ICC-IDs.
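The flaw described above is an insecure direct object reference: a guessable identifier maps straight to another person's data with no ownership check. The following is an added example, not AT&T's or Goatse Security's code, that models the three pieces a practitioner would want to see side by side: generating plausible neighbouring ICC-IDs from a known one (real ICC-IDs end in a Luhn check digit, so a naive guesser that ignores it wastes most requests), the flawed lookup that answers any well-formed ID, and a hardened lookup that binds the ID to the caller's authenticated session and rate-limits guessing. The subscriber table, ICC-IDs and addresses are constructed; the endpoint names are assumptions.

```python
"""Constructed model of the AT&T ICC-ID lookup flaw (added example, not
AT&T's or Goatse Security's code). Three parts: a Luhn check-digit helper so
guessed ICC-IDs pass a format check, the flawed lookup that hands out another
subscriber's email for any well-formed ID, and a hardened lookup that binds
the ID to the caller's session and rate-limits guessing."""
from collections import defaultdict
import time


def luhn_check_digit(body: str) -> str:
    """Check digit for an ICC-ID body (ITU-T E.118 numbers end in a Luhn digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def neighbours(seed_iccid: str, span: int):
    """Candidate ICC-IDs around a known one: same prefix, nearby serial,
    check digit recomputed. This is the 'educated guess' step."""
    body = seed_iccid[:-1]
    prefix, serial = body[:-6], int(body[-6:])
    for n in range(max(0, serial - span), serial + span + 1):
        candidate = f"{prefix}{n:06d}"
        yield candidate + luhn_check_digit(candidate)


# Constructed subscriber table (hypothetical ICC-IDs and addresses).
SEED_BODY = "890141032111185100"
SEED = SEED_BODY + luhn_check_digit(SEED_BODY)
SUBSCRIBERS = {}
for offset, email in [(0, "alice@example.org"), (3, "bob@example.mil"), (7, "carol@example.gov")]:
    body = f"{SEED_BODY[:-6]}{int(SEED_BODY[-6:]) + offset:06d}"
    SUBSCRIBERS[body + luhn_check_digit(body)] = email


def vulnerable_lookup(iccid: str):
    """The flaw: no authentication, no ownership check; any ID returns its email."""
    return SUBSCRIBERS.get(iccid)


def harvest(seed: str, span: int) -> dict:
    """What the harvesting script did: walk nearby IDs and keep every hit."""
    found = {}
    for candidate in neighbours(seed, span):
        addr = vulnerable_lookup(candidate)
        if addr:
            found[candidate] = addr
    return found


class HardenedLookup:
    """Fixed design: the requested ICC-ID must match the one bound to the
    authenticated session, and each caller gets a small request budget."""

    def __init__(self, max_per_minute: int = 5):
        self.max_per_minute = max_per_minute
        self.calls = defaultdict(list)

    def lookup(self, session_iccid: str, requested_iccid: str, caller: str, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.calls[caller] if now - t < 60]
        if len(recent) >= self.max_per_minute:
            return None, "rate_limited"
        self.calls[caller] = recent + [now]
        if requested_iccid != session_iccid:
            return None, "forbidden"       # an IDOR attempt, worth logging
        return SUBSCRIBERS.get(requested_iccid), "ok"


if __name__ == "__main__":
    print(harvest(SEED, 10))
```

Running the block prints the three constructed subscribers harvested from a single known ID. The hardened class makes two separate changes on purpose: the session binding removes the vulnerability, and the rate limit is defence in depth so that a future bug of the same kind cannot be exploited at the scale seen here.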

Goatse Security said it notified AT&T of the breach, but only after sharing the script with an unknown number of third parties. AT&T closed the security hole shortly after being notified.

Who Was Affected?

Among the users affected were many high-profile government officials and military personnel. Based on the email addresses gathered, the hackers identified accounts belonging to the major service branches of the military, NASA, the FCC, DARPA, the Senate, the House of Representatives, the Department of Justice, the Department of Homeland Security and the National Institutes of Health.

In other industries, the affected individuals included top executives from The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO, Hearst as well as others from Google, Amazon, AOL, Microsoft, Goldman Sachs, JP Morgan, Citigroup and Morgan Stanley.

AT&T said it would inform customers whose email addresses had been obtained through this attack, but generally downplayed the breach, saying "the only information that can be derived from the ICC-IDs is the email address attached to that device."

From Reuters' report, it sounds as if there is other personal data involved, too. However, we may not know if that's an accurate statement until this afternoon's press conference.

Soon after the attack occurred, the FBI announced it would open an investigation into the iPad breach. Today's charges are the result of that investigation. We imagine that with a name like "Goatse," this hacker group wasn't too hard to track down.

According to Reuters, the defendants, Daniel Spitler and Andrew Auernheimer, were each charged with one count of fraud and one count of conspiracy to access a computer without authorization. Spitler will appear in federal court in Newark, New Jersey on Tuesday, and Auernheimer will appear in an Arkansas federal court.


Sarah Perez, Tue, 18 Jan 2011 07:02:07 -0800 (Apple)
http://www.readwriteweb.com/archives/us_announces_120000_ipad_users_had_data_stolen_att_hack.php
More Sources Claim Chinese Government Involvement in Cyberattacks on Google, Others

More sources are now claiming the Chinese government is behind the recent cyberattacks against Google and 33 other Silicon Valley companies, reports security firm Verisign iDefense. The attacks, revealed yesterday via a posting on Google's official blog, were hacking attempts on the technology infrastructure of Google and other major corporations in sectors that included finance, technology, media and chemicals, said Dave Girouard, president of Google Enterprise.

Although Google's politely worded blog post doesn't come out and directly blame the Chinese government for these attacks, many have suspected that is the case, including, apparently, Secretary of State Hillary Clinton. Now more sources are coming out to support that reading. According to Verisign, its sources within the defense-contracting and intelligence-consulting communities also believe "agents of the Chinese state or proxies thereof" are to blame for these recent attacks.

About the Attacks

Google has stated that the attackers' attempt to access the Gmail accounts of Chinese human rights activists was largely unsuccessful: only two Gmail accounts were accessed, and only account information and email subject lines were seen, not the content of the emails themselves. The company also said that at least 20 other large companies were attacked. Verisign now puts that number at 33.

In light of these attacks, Google boldly declared they are reconsidering their decision to do business in China - a surprising turn for the Internet giant who once claimed that operating in China didn't violate the company's motto, "Don't be evil," despite the fact that it required censoring search results according to the Chinese government's wishes. That controversial act, though hotly debated at the time, was not all that surprising. Many Western firms ultimately have to cave in to Chinese demands in order to gain access to the 300 million plus Internet users the country holds. Google, for all their proclaimed high ideals, appeared to be no exception.

Until now.

The company has changed its course, stating that they will no longer censor the search results for their Chinese portal google.cn, launched in 2006 with the lofty goal of providing reliable access to information, albeit filtered information, for millions of Chinese citizens. Google is leaving the next move up to the Chinese government. If officials do not accept Google's decision to provide unfiltered information, Google says they will have to withdraw from the country.

Policy Change Hints at Government Involvement in Attacks

So what has changed between then and now? The Chinese government hasn't altered their position on Internet censorship, nor have they asked Google to make any changes to the agreement already in place. Many immediately suspected that the sole reason for Google's decision has to do with the attacks themselves - attacks that hint at government involvement.

According to Verisign's sources, that does appear to be the case. The company says it has confirmed with two independent sources that both the source IPs and the drop server (the server used to host malicious code and store the stolen files) of the attack correspond to a single foreign entity consisting of either agents of the Chinese state or those acting on their behalf.

Verisign also notes that these recent attacks resemble a similar July 2009 incident against 100 or so IT-focused companies. At that time, the hacks involved an emailed PDF file that contained an unpatched Adobe Reader vulnerability, which allowed the attackers to deliver the malicious code. That vulnerability remained unpatched until just yesterday, notes Rick Howard, director of security intelligence for VeriSign iDefense.

While July's attacks were detected early and were largely uneventful, December's attacks did find some success. In addition, the same sources claim that the files in both cases share similar characteristics. For example, both attacks used a backdoor Trojan in the form of a Windows DLL, and both share two similar hosts for command-and-control (C&C) communication. In layman's terms, if the cyberattack were a ground assault during a war, the C&C would be the general barking out the orders. Also, in both incidents the IP addresses used for C&C are in the same subnet and only six addresses apart. That overlap suggests both attacks were instigated by the same entity, and may imply that the recent victims' technology infrastructure has been compromised since July.

While none of these findings are a true smoking gun pointing to the Chinese government, it is believed that China encourages their hacker community to attack foreign entities while publicly denying any involvement in such attacks. That may be the case now. Or it could be that this time, the attacks are not just being state-permitted, they're being state-directed.

UPDATE: iDefense has now issued the following retraction:

"In iDefense's press announcement regarding the recently discovered Silicon Valley compromises, we stated that the attack vector was likely "malicious PDF file attachments delivered via email" and suggested that a vulnerability in Adobe Reader appeared to have been exploited in these attacks. Upon further review, we are retracting our initial assessment regarding the likely use of Adobe vulnerabilities. There are currently no confirmed instances of a vulnerability in Adobe technologies being used in these attacks. We continue to investigate this issue."

Sarah Perez, Wed, 13 Jan 2010 14:10:00 -0800 (Google)
http://www.readwriteweb.com/archives/sources_claim_chinese_government_involvement_in_attacks.php
Gmail, Yahoo, AOL, and Others Also Hit by Phishing Attack

Image credit: Flickr user ToastyKen

Yesterday's phishing attack, in which several thousand Hotmail username and password combinations were leaked to the web, now appears to be just the beginning of a massive phishing campaign affecting users of multiple webmail services, including Gmail, Yahoo, AOL, Comcast, and Earthlink. The original list was posted anonymously on pastebin.com, a site generally used by developers to share code snippets. That site has since seen the addition of 20,000 more login details from other webmail providers, indicating what may be the largest-scale phishing attack to date.

The Hotmail Attack

In yesterday's attack, the list of compromised Hotmail accounts was limited to those whose usernames started with the letter "A" or "B," which suggested that the posted portion might be part of a bigger list containing even more login/password combinations. At the time, a Microsoft spokesperson said that the company determined "this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts." Instead, claimed the spokesperson, the users whose credentials were revealed were likely victims of an online phishing attack involving a third-party website.

Phishing attacks are typically carried out via email messages in which the attacker tricks the recipient into revealing a username and password by pretending to be some trustworthy entity such as the user's bank, IT administrator, a popular website, or an online service. In the case of the stolen Hotmail passwords, it's possible that the attacker sent emails claiming to come from the end user's email provider. A user who followed the link in the message would have ended up not on the actual provider's site but on a third-party site whose sole purpose was to capture the username and password when entered. The tell is usually in the link itself: the visible text or the message claims one domain while the link's real destination is another.
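The check a practitioner would run on a mail like the one described above is mechanical: pull every link out of the HTML body and compare where it really goes with where the message claims to be from. The following is an added example, not part of the original report; the sample message, the lookalike domain and the sender domain are constructed, and the "last two labels" domain rule is a simplification of a public-suffix lookup.

```python
"""Link inspection for a suspected phishing mail: an added example
(constructed sample message and domains; not from the original report).
It pulls every anchor out of an HTML body and flags ones whose real
destination does not match the domain the mail claims to come from, whose
visible text shows one host while the href goes to another, or whose
scheme is not http(s)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible anchor text that itself looks like a URL, e.g. "www.hotmail.com/verify".
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Naive 'last two labels' rule; use a public-suffix list in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html_body: str, sender_domain: str):
    """Return [(href, [reasons])] for links that should worry the recipient."""
    collector = LinkCollector()
    collector.feed(html_body)
    brand = sender_domain.split(".")[0]
    findings = []
    for href, text in collector.links:
        target = urlsplit(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append("non-http scheme")
        if host and registrable_domain(host) != sender_domain:
            reasons.append(f"destination {host} is not {sender_domain}")
            if brand in host:
                reasons.append("sender's brand name used in an unrelated domain")
        shown = URL_LIKE_TEXT.match(text)
        if host and shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append(f"text shows {shown.group(1)} but href goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: the kind of message the article describes.
SAMPLE_EMAIL = """<html><body>
<p>Dear user, your Hotmail account will be suspended unless you confirm it.</p>
<p><a href="http://hotmail-account-verify.example.net/login">www.hotmail.com/verify</a></p>
<p><a href="https://www.hotmail.com/help">Help centre</a></p>
<p><a href="javascript:void(0)">Unsubscribe</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "hotmail.com"):
        print(href, reasons)
```

The first link in the sample is flagged three times over (wrong destination, brand name in an unrelated domain, visible text that contradicts the href); the genuine help link is not flagged at all. The same routine works as a mail-gateway rule or as a one-off triage script over a reported message.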

Beyond Hotmail: More Webmail Providers Affected

According to a story in today's BBC News, the most recent list of compromised accounts, which includes login credentials for Gmail, Yahoo, AOL, Earthlink, and Comcast users, contains some accounts that appear to be old, unused, or fake. However, many others listed are, in fact, genuine.

There's no way to be sure at this point whether the new list is part of the same phishing attack as yesterday's or a new and separate scam.

The website where the accounts were posted - pastebin.com - is now "down for maintenance." Visitors to the site today will receive a message that reads:

Pastebin.com is getting an unprecedented amount of traffic due to a news story in which some leaked Hotmail passwords have been pasted on this site

Pastebin.com was intended as a tool to aid software developers, not for distributing this sort of material. Filters have been put in place to prevent reoccurrence, but the current traffic level is unsustainable.

Pastebin.com is just a fun side project for me, and today it's not fun. It will remain offline all day while I make some further modifications

Paul Dixon

Regardless of whether or not you think your account was compromised, today would be a good day to change the password on whichever webmail service you currently use. Better safe than sorry!

Sarah Perez, Tue, 06 Oct 2009 06:06:00 -0800 (Google)
http://www.readwriteweb.com/archives/gmail_yahoo_aol_and_others_also_hit_by_phishing_attack.php
Social Media 2009 Outage Day 2: Everyone's Up Except Twitter

Yesterday, Twitter, Facebook, LiveJournal, and Google's Blogger were targeted by a person or persons unknown in a distributed denial-of-service (DDoS) attack that attempted to silence the voice of one individual. The target was a Georgian blogger who goes by the name "Cyxymu" online, according to recent reports from CNET. While Google withstood the attack, the other services suffered: LiveJournal and Twitter went down completely, and Facebook struggled throughout the day.

As we roll into day two of the "great social media outage of 2009," you may be surprised to learn that it's not over yet. Although Facebook and LiveJournal have recovered, Twitter is still having issues. Not only was the site down once again early this morning, Twitter developers using the API are complaining that the company is sending mixed messages by reporting that it's "back up" when in reality many Twitter applications are still unusable.

This morning, Twitter was once again taken down by the DDoS attack. According to Ken Godskind, Chief Strategy Officer for AlertSite, Twitter's website availability was below 100% in the midnight, 3, 4, and 5 am hours EST. As of 6 am EST, the site has again recovered. Unfortunately, many third-party Twitter applications are still affected.

Twitter Developers Want Communication, Too

In a recent discussion thread in the Twitter Development Group, Twitter developer Jesse Stay of the popular SocialToo application asked:

"Why is Biz saying things are "back in action" when apps like mine, and many other very large names are still broken from it. Sending this message to users sends a false message to them stating they should expect we should be up as well. At a very minimum, please state the API is still having issues."

Other developers quickly chimed in agreeing, noting that Twitter has yet to communicate the API status to developers, leaving them in the dark as to when their apps will work again. Some developers have been experiencing issues with everything from OAuth sign-ins to timeouts to applications being completely down. Paul Kinlan, developer of the Twollo application, an app that helps you find followers with similar interests, even said that he had to refund a paying customer because of the situation. No doubt he is not alone.

While the developers are generally sympathetic and understand that fighting off the attack is priority number one, what they find hard to deal with is the lack of communication. Throughout the attack, Twitter has updated its Status Blog with notes about the service itself, but nothing about the API. Developers are frustrated and unsure of how to address the situation with their users, given that Twitter has not provided any official information to them either through the blog or its own Twitter account.

We know that Twitter's architecture has made it more vulnerable to this type of attack than Google or even Facebook, but in situations like this, communication is key. Hopefully today Twitter will do one of two things: either (preferably) stabilize its service and API or (at the very least) let developers know the status.

Update: Looks like Twitter listened: http://status.twitter.com/post/157979213/restoring-api-and-sms.

Update 2: See also our coverage of Cyxymu, the apparent target for these attacks.

Sarah Perez, Fri, 07 Aug 2009 08:07:13 -0800 (Twitter)
http://www.readwriteweb.com/archives/social_media_2009_outage_day_2_everyones_up_except_twitter.php
Twitter Worm Could Take Over Your Computer (in Theory)

Before everyone panics, let's get one thing clear: the new Twitter "worm" is only a proof of concept devised by computer security researchers at Secure Science; it is not out in the wild. That said, its very existence should raise some questions about the state of security at Twitter, something that matters more than ever given how rapidly the service is going mainstream. The latest concern is an attack, similar to the clickjacking incident from last month, that takes advantage of a web programming error (a cross-site scripting flaw) on Twitter's support site. The attack forces victims to post unwanted messages to their Twitter stream. If those messages were combined with malicious code, "this could even be used to take control of a victim's computer," says Lance James, chief scientist of Secure Science.

The Potential Threat

The attack, posted online here, first displays a warning message and then posts Secure Science's test message "@XSSExploits I just got owned!" to the victim's profile. But if a hacker wanted to use this technique to compromise users' PCs, they could remove the warning screen and combine the link with a sensational message users couldn't help but click. Add in some browser attack code, and before you know it, clicking a Twitter link could give a hacker access to your computer. This, says James, "would just tear the cr*p out of Twitter." He adds, "I'm holding my breath, hoping no one does something stupid at this moment."

According to Secure Science researchers, this particular bug can be eliminated by fixing the cross-site scripting flaw, but if another similar bug were to show up on the site, users would face the same problem all over again. That is why output escaping on its own is a thin defence: it has to be applied at every place untrusted input reaches a page.
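The mechanics behind the proof of concept are those of any reflected cross-site scripting bug, so an added example is useful here (constructed; not Twitter's or Secure Science's code, and the search page, endpoint path and hostname are assumptions). A page echoes a query parameter into HTML unescaped; a crafted link carries a script that, once it runs inside the site's origin, makes the victim's own browser submit a post with the victim's session. The hardened version escapes on output and, because the article's point is that the next such bug will come along, adds a Content-Security-Policy that stops inline script even where an escape is missed.

```python
"""Reflected XSS, the bug class behind the Twitter proof of concept, as an
added example (constructed; not Twitter's or Secure Science's code). A page
echoes a query parameter unescaped; a crafted link carries a script that,
running inside the site's origin, makes the victim's browser post a message
with the victim's own session cookie. The hardened version escapes output
and sends a Content-Security-Policy that blocks inline script anyway."""
import html
from urllib.parse import urlencode, urlsplit, parse_qs

TEMPLATE = "<h1>Results for: {q}</h1>"

# What the injected script does once it runs as the victim: a same-origin
# POST, sent with the victim's cookies, that the server cannot tell apart
# from a real click. Endpoint path is hypothetical.
PAYLOAD = (
    '<script>fetch("/status/update",{method:"POST",credentials:"include",'
    'headers:{"Content-Type":"application/x-www-form-urlencoded"},'
    'body:"status=@XSSExploits+I+just+got+owned!"})</script>'
)


def malicious_link(base: str = "https://support.example.test/search") -> str:
    """The link an attacker would spread; the payload rides in the query string."""
    return base + "?" + urlencode({"q": PAYLOAD})


def param_from_link(url: str, name: str) -> str:
    """What the server sees after decoding the query string."""
    return parse_qs(urlsplit(url).query)[name][0]


def render_vulnerable(q: str) -> str:
    """Bug: untrusted input interpolated straight into HTML."""
    return TEMPLATE.format(q=q)


def render_hardened(q: str) -> str:
    """Fix: HTML-escape on output, so the payload is displayed, not executed."""
    return TEMPLATE.format(q=html.escape(q, quote=True))


def hardened_headers() -> dict:
    """Defence in depth: under this policy inline script does not run even
    if an escape is missed somewhere else on the site."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def executes_script(rendered: str) -> bool:
    """Crude check used here: is there a live <script> tag in the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    q = param_from_link(malicious_link(), "q")
    print("vulnerable:", render_vulnerable(q))
    print("hardened:  ", render_hardened(q))
```

Note that the forged POST in the payload is indistinguishable from a legitimate one on the server side because it carries the victim's own session; anti-CSRF tokens do not help once script runs in the origin, which is why the XSS itself has to be closed. The CSP line is the mitigation for the "next similar bug" case the researchers describe.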

Still, one has to wonder why the researchers are publishing this information publicly instead of alerting Twitter directly. Apparently, it's because the research company is concerned Twitter is not taking security seriously enough. James says he hopes the demonstration will push Twitter into making it more of a priority.

The State of Twitter Security

It's easy to see why security professionals may be worrying about the state of security at Twitter: the company has had some rather high-profile incidents of late. Only last month, a second clickjacking attack was revealed after the company had just finished patching one unveiled in January. Also in January, the accounts of 33 high-profile Twitter users, including Britney Spears, CNN news reporter Rick Sanchez, and Barack Obama, were compromised by hackers who defaced them with embarrassing and offensive messages.

At the time, Graham Cluley, senior technology consultant at Sophos advised Twitter "to take a long hard look at its security to ensure that this never happens again, and regain the confidence of its members." Yet since then, more potential attack vectors have been revealed.

Staying Safe on Twitter Keeps Getting Harder

If Twitter is indeed replacing, or at the very least, augmenting email for interpersonal communications, then perhaps it's time for us to apply those same age-old rules that once applied to email - be careful what you click. Now that it's finally been drilled into people's heads that email attachments aren't always safe, it seems like we have to start again educating Twitter users that the same goes for links.

But when a service goes mainstream - like Twitter is doing now - it's going to become filled with people who won't give a second thought to security concerns such as these. Instead, without intervention on the part of Twitter to address these issues, consumers are going to end up learning "the hard way" - by becoming victims.

The security problem only gets worse when you consider how easy it is for people to create fake celebrity accounts, not to mention how easy it is for Twitter spammers to join the service. Since Twitter doesn't verify new accounts via email, anyone can sign up with any address, real or fake. There are even opt-in services that Twitter spammers can join to accumulate large numbers of followers quickly in an attempt to appear more legitimate.

Although Twitter is attempting to fight spam on several fronts (they're now disabling accounts that automate re-following for instance), it seems as if more and more Twitter spammers are creating accounts every day. (How many of those SEO advisors and 'life coaches' are for real, I wonder?)

As Twitter explodes into the mainstream, it may be time for them to work on addressing some of these issues before they focus on enhancements to the site like the relatively new "suggested users" section or the in-house ads - features which a few folks suspect may have something to do with Twitter's supposedly soon-to-be-revealed business model. While we understand the service needs to develop their business plan, they recently closed a $35-million financing round, which added even more cash to their previous round ($15 million). Given that they only have 20 employees, they're (in theory) only burning through around $5 million a year. We're not sure what Twitter is doing with all that money, but we would like to suggest that they use some of it to hire security professionals to help make the service safer...before it's too late. 

Sarah Perez, Mon, 23 Mar 2009 07:42:48 -0800 (Twitter)
http://www.readwriteweb.com/archives/twitter_worm_could_take_over_your_computer.php