Goatse Security

Goatse Security
aka GoatSec [1] [2]
Formation: December 2009 [3]
Purpose: Hacking
Membership:
Andrew "weev" Auernheimer [4] [5]
Sam Hocevar [4] [6] [7]
Daniel Spitler [4] [8]
Leon Kaiser [2] [4]
Nick "Rucas" Price [4] [9] [10]
Products: Clench [11] [12]
Website: security.goatse.fr (defunct)

Goatse Security (GoatSec) was a loose-knit, nine-person [13] grey hat [14] hacker group [15] that specialized in uncovering security flaws. [3] [16] It was a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). [2] The group derives its name from the Goatse.cx shock site, [5] and it chose "Gaping Holes Exposed" as its slogan. [17] The website has been abandoned without an update since May 2014. [18]

In June 2010, Goatse Security obtained the email addresses of approximately 114,000 Apple iPad users. This led to an FBI investigation and the filing of criminal charges against two of the group's members.

Founding

The GNAA had several security researchers within its membership. According to Goatse Security spokesperson Leon Kaiser, the GNAA could not fully utilize their talents since the group believed that no one would take security data published by the GNAA seriously. In order to create a medium through which GNAA members could publish their security findings, the GNAA created Goatse Security in December 2009. [2] [3]

Discovery of browser vulnerabilities

In order to protect its web browser from inter-protocol exploitation, Mozilla blocked several ports that HTML forms would not normally have access to. In January 2010, the GNAA discovered that Mozilla's blocks did not cover port 6667, which left Mozilla browsers vulnerable to cross-protocol scripts. The GNAA crafted a JavaScript-based exploit in order to flood IRC channels. Although EFnet and OFTC were able to block the attacks, Freenode struggled to counteract them. Goatse Security exposed the vulnerability, and one of its members, Andrew Auernheimer, aka "weev," posted information about the exploit on Encyclopedia Dramatica. [19] [20] [21]

In March 2010, Goatse Security discovered an integer overflow vulnerability within Apple's web browser, Safari, and posted an exploit on Encyclopedia Dramatica. [22] They found out that a person could access a blocked port by adding 65,536 to the port number. [23] [24] This vulnerability was also found in Arora, [25] iCab, [26] OmniWeb, [27] and Stainless. [28] Although Apple fixed the glitch for desktop versions of Safari in March, the company left the glitch unfixed in mobile versions of the browser. [22] [29] Goatse Security claimed that a hacker could exploit the mobile Safari flaw in order to gain access and cause harm to the Apple iPad. [22] [29]
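
The wraparound described above comes from checking one value against the blocklist and then connecting with another. As an added illustration (not code from Safari or any other browser named here), the following Python sketch models a 16-bit port field, contrasts a check made before truncation with a range-validating check, and sweeps both for inputs that slip through; the blocklist contents and all function names are hypothetical.

```python
from typing import Callable, List, Optional

# Hypothetical blocklist for illustration; 6667 (IRC) is the port named in the article.
BLOCKED_PORTS = frozenset({25, 110, 143, 6667})
PORT_SPACE = 1 << 16  # 65,536 possible values in a 16-bit TCP port field


def to_uint16(value: int) -> int:
    """Model assigning a wider integer to a 16-bit port field (low 16 bits kept)."""
    return value % PORT_SPACE


def flawed_effective_port(requested: int) -> Optional[int]:
    """Check the wide value against the blocklist, then truncate for the socket.

    Returns the port that would actually be connected to, or None if refused.
    """
    if requested in BLOCKED_PORTS:   # compares the untruncated number
        return None
    return to_uint16(requested)      # the connection uses a different number


def hardened_effective_port(requested: int) -> Optional[int]:
    """Reject anything outside 1..65535 first, so the checked value is the used value."""
    if not 1 <= requested < PORT_SPACE:
        return None
    if requested in BLOCKED_PORTS:
        return None
    return requested


def find_bypasses(check: Callable[[int], Optional[int]],
                  upper: int = 4 * PORT_SPACE) -> List[int]:
    """Regression sweep: inputs the checker accepts that still reach a blocked port."""
    hits = []
    for requested in range(upper):
        effective = check(requested)
        if effective is not None and effective in BLOCKED_PORTS:
            hits.append(requested)
    return hits


if __name__ == "__main__":
    alias = 6667 + PORT_SPACE  # the "add 65,536" case described above
    print(alias, "->", flawed_effective_port(alias), "(flawed)")
    print(alias, "->", hardened_effective_port(alias), "(hardened)")
    print("flawed bypass count:", len(find_bypasses(flawed_effective_port)))
    print("hardened bypass count:", len(find_bypasses(hardened_effective_port)))
```

The sweep doubles as a regression test: any port filter that validates a wider integer than the one it finally connects with should produce an empty list here.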

AT&T/iPad email address leak

In June 2010, Goatse Security uncovered a vulnerability within the AT&T website. [30] [31] AT&T was the only provider of 3G service for Apple's iPad in the United States at the time. [32] When a user signed up for AT&T's 3G service from an iPad, AT&T retrieved the ICC-ID from the iPad's SIM card and associated it with the email address provided during sign-up. [30] [33] In order to ease the log-in process from the iPad, the AT&T website received the SIM card's ICC-ID and pre-populated the email address field with the address provided during sign-up. [30] [33] Goatse Security realized that when an HTTP request with a valid ICC-ID embedded inside it was sent to the AT&T website, the website would reveal the email address associated with that ICC-ID. [30] [33]

On June 5, 2010, Daniel Spitler, aka "JacksonBrown", began discussing this vulnerability and possible ways to exploit it, including phishing, on an IRC channel. [8] [34] [35] Goatse Security constructed a PHP-based brute force script that would send HTTP requests with random ICC-IDs to the AT&T website until a legitimate ICC-ID was entered, which would return the email address corresponding to the ICC-ID. [30] [33] This script was dubbed the "iPad 3G Account Slurper." [35]
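
From the defender's side, the enumeration described above leaves a recognizable pattern in request logs: one client presenting many distinct ICC-IDs, most of them invalid. The following added example (not AT&T's or the group's code) flags that pattern; the log format, thresholds, addresses and ICC-IDs are all constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class ClientStats(NamedTuple):
    client: str
    requests: int
    distinct_iccids: int
    hits: int
    miss_ratio: float


def constructed_log() -> List[str]:
    """Constructed sample in a hypothetical format: '<time> <client> <iccid> <hit|miss>'.

    Addresses are documentation ranges; ICC-IDs are made-up placeholders.
    """
    lines = []
    # Three devices, each presenting only its own ICC-ID.
    for n, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for t in range(3):
            lines.append(f"2000-01-01T10:0{t}:00Z {client} 89000000000000000{n:02d} hit")
    # One NAT gateway fronting five devices: several identifiers, all valid.
    for n in range(5):
        lines.append(f"2000-01-01T11:00:0{n}Z 198.51.100.7 89000000000000001{n:02d} hit")
    # One client walking the identifier space: many identifiers, almost all invalid.
    for n in range(40):
        result = "hit" if n in (13, 29) else "miss"
        lines.append(f"2000-01-01T12:00:{n:02d}Z 203.0.113.50 89000000000000002{n:02d} {result}")
    lines.append("truncated line")  # malformed input must not break the analysis
    return lines


def summarize(lines: Iterable[str]) -> Dict[str, ClientStats]:
    """Aggregate per-client request count, distinct ICC-IDs, hits and miss ratio."""
    seen = defaultdict(set)
    requests = defaultdict(int)
    hits = defaultdict(int)
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[3] not in ("hit", "miss"):
            continue  # skip malformed records instead of failing
        _, client, iccid, result = fields
        seen[client].add(iccid)
        requests[client] += 1
        hits[client] += result == "hit"
    return {
        c: ClientStats(c, requests[c], len(seen[c]), hits[c], 1 - hits[c] / requests[c])
        for c in requests
    }


def flag_enumeration(lines: Iterable[str], max_distinct: int = 5,
                     min_miss_ratio: float = 0.5) -> List[ClientStats]:
    """Flag clients presenting more than max_distinct ICC-IDs with mostly misses.

    Both thresholds are assumptions to tune against real traffic.
    """
    stats = summarize(lines).values()
    return sorted(
        (s for s in stats
         if s.distinct_iccids > max_distinct and s.miss_ratio >= min_miss_ratio),
        key=lambda s: s.distinct_iccids,
        reverse=True,
    )


if __name__ == "__main__":
    for s in flag_enumeration(constructed_log()):
        print(f"{s.client}: {s.distinct_iccids} distinct ICC-IDs, "
              f"{s.hits} hits, miss ratio {s.miss_ratio:.2f}")
```

The miss-ratio condition keeps a shared gateway with several legitimate devices from being flagged, at the cost of missing a client that already holds a list of valid identifiers.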

Goatse Security then attempted to find an appropriate news source to disclose the leaked information, with Auernheimer attempting to contact News Corporation and Thomson Reuters executives, including Arthur Siskind, about AT&T's security problems. [36] On June 6, 2010, Auernheimer sent emails with some of the ICC-IDs recovered in order to verify his claims. [34] [36] Chat logs from this period also reveal that attention and publicity may have been incentives for the group. [37]

Contrary to what it first claimed, the group initially revealed the security flaw to Gawker Media before notifying AT&T [37] and also exposed the data of 114,000 iPad users, including those of celebrities, the government and the military. These tactics reignited significant debate on the proper disclosure of IT security flaws. [38]

Auernheimer has maintained that Goatse Security used common industry standard practices and has said that, "We tried to be the good guys". [38] [39] Jennifer Granick of the Electronic Frontier Foundation has also defended the tactics used by Goatse Security. [38]

On June 14, 2010, Michael Arrington of TechCrunch awarded the group a Crunchie award for public service. This was the first time a Crunchie was awarded outside the annual Crunchies award ceremony. [40] [41]

The FBI then opened an investigation into the incident, [42] leading to a criminal complaint in January 2011 [10] and a raid on Auernheimer's house. The search was related to the AT&T investigation, and Auernheimer was subsequently detained and released on bail [43] on state drug charges, [44] which were later dropped. [45] After his release on bail, he broke a gag order to protest and to dispute the legality of the search of his house and the denial of access to a public defender. He also asked for donations via PayPal to defray legal costs. [15] [46] In 2011, the Department of Justice announced that he would be charged with one count of conspiracy to access a computer without authorization and one count of fraud. [45] A co-defendant, Daniel Spitler, was released on bail. [47] [48]

On November 20, 2012, Auernheimer was found guilty of one count of identity fraud and one count of conspiracy to access a computer without authorization, [49] and tweeted that he would appeal the ruling. [50] Alex Pilosov, a friend who was also present for the ruling, tweeted that Auernheimer would remain free on bail until sentencing, "which will be at least 90 days out." [51]

On November 29, 2012, Auernheimer authored an article in Wired Magazine entitled "Forget Disclosure - Hackers Should Keep Security Holes to Themselves," advocating the disclosure of any zero-day exploit only to individuals who will "use it in the interests of social justice." [52]

On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer's conviction, on the basis that venue in New Jersey was improper. [53] [54] The judges did not address the substantive question on the legality of the site access. [55] He was released from prison late on April 11. [56]

Other accomplishments

In May 2011, a DoS vulnerability affecting several Linux distributions was disclosed by Goatse Security, after the group discovered that a lengthy Advanced Packaging Tool URL would cause compiz to crash. [57]

In September 2012, Goatse Security was credited by Microsoft for helping to secure their online services. [9]

References

  1. Tate, Ryan (June 9, 2010). "AT&T Fights Spreading iPad Fear". Valleywag. Gawker Media. Archived from the original on July 15, 2010. Retrieved October 17, 2010.
  2. Kaiser, Leon (January 19, 2011). "Interview: Goatse Security on FBI Charges Following AT&T iPad Breach". DailyTech (Interview: Transcript). Interviewed by Mick Jason. Archived from the original on March 31, 2014. Retrieved January 21, 2011.
  3. Dowell, Andrew (June 17, 2010). "Programmer Detained After FBI Search". The Wall Street Journal. Dow Jones & Company, Inc. Retrieved October 11, 2010.
  4. "Team". Goatse Security. June 14, 2010. Archived from the original on September 30, 2010. Retrieved September 22, 2010.
  5. Chokshi, Niraj (June 10, 2010). "Meet One of the Hackers Who Exposed the iPad Security Leak". The Atlantic. The Atlantic Monthly Group. Retrieved September 16, 2010.
  6. Keizer, Gregg (June 17, 2010). "iPad hacker arrested on multiple drug charges after FBI search". Computerworld. Computerworld Inc. Retrieved September 16, 2010.
  7. Mick, Jason (June 14, 2010). "AT&T Apologizes to iPad Customers, We Reveal Hackers' Locales". DailyTech. DailyTech LLC. Archived from the original on August 20, 2010. Retrieved September 16, 2010.
  8. Bilton, Nick; Wortham, Jenna (January 18, 2011). "Two Are Charged With Fraud in iPad Security Breach". The New York Times. Retrieved January 21, 2011.
  9. "Security Researcher Acknowledgments for Microsoft Online Services". Microsoft. Retrieved October 19, 2012.
  10. United States District Court — District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011.
  11. "Clench, our way of saying 'screw you' to SSL PKI forever". Goatse Security. September 8, 2010. Archived from the original on September 11, 2010. Retrieved October 29, 2010.
  12. Lawson, Nate (September 8, 2010). "Clench is inferior to TLS+SRP". root labs rdist. Nate Lawson. Retrieved October 29, 2010.
  13. Eunjung Cha, Ariana (June 12, 2010). "Apple's iPad security breach reveals vulnerability of mobile devices". Washington Post. Retrieved April 6, 2011.
  14. Kirsch, Cassandra (2014). "The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law" (PDF). Northern Kentucky Law Review. 41: 386. [dead link]
  15. Leyden, John (July 7, 2010). "AT&T iPad 'hacker' breaks gag order to rant at cops". The Register.
  16. Tate, Ryan (June 10, 2010). "Apple's iPad Breach Raises Alarms". All Things Considered (Interview: audio / transcript). Interviewed by Melissa Block. National Public Radio. Retrieved September 16, 2010.
  17. Ragan, Steve (June 10, 2010). "AT&T loses 114,000 e-mail addresses via scripting error". The Tech Herald. WOTR Limited. Archived from the original on November 18, 2011. Retrieved September 28, 2010.
  18. "Archived copy". Archived from the original on July 24, 2019. Retrieved October 15, 2019.
  19. Constantin, Lucian (January 30, 2010). "Firefox Bug Used to Harass Entire IRC Network". Softpedia. Retrieved September 19, 2010.
  20. Goodin, Dan (January 30, 2010). "Firefox-based attack wreaks havoc on IRC users". The Register. Situation Publishing. Retrieved September 19, 2010.
  21. Goodin, Dan (June 9, 2010). "Security gaffe exposes addresses of elite iPaders". The Register. Situation Publishing. Retrieved September 19, 2010.
  22. Keizer, Gregg (June 14, 2010). "AT&T 'dishonest' about iPad attack threat, say hackers". Computerworld. Computerworld Inc. Retrieved September 18, 2010.
  23. Ragan, Steve (June 14, 2010). "Goatse Security tells AT&T: 'You f---ed up'". The Tech Herald. WOTR Limited. p. 2. Archived from the original on October 3, 2011. Retrieved October 6, 2010.
  24. "CVE-2010-1099". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
  25. "CVE-2010-1100". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
  26. "CVE-2010-1101". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
  27. "CVE-2010-1102". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
  28. "CVE-2010-1103". National Vulnerability Database. NIST. March 24, 2010. Retrieved October 6, 2010.
  29. Goldman, David (June 14, 2010). "Hackers say iPad has more security holes". CNNMoney.com. CNN. Retrieved September 18, 2010.
  30. Keizer, Gregg (June 10, 2010). "'Brute force' script snatched iPad e-mail addresses". Computerworld. Computerworld Inc. Retrieved September 18, 2010.
  31. Tate, Ryan (June 9, 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Valleywag. Gawker Media. Archived from the original on July 26, 2010. Retrieved September 16, 2010.
  32. Ante, Spencer E. (June 10, 2010). "AT&T Discloses Breach of iPad Owner Data". The Wall Street Journal. Dow Jones & Company, Inc. Retrieved September 26, 2010.
  33. Buchanan, Matt (June 9, 2010). "The Little Feature That Led to AT&T's iPad Security Breach". Gizmodo. Gawker Media. Retrieved September 22, 2010.
  34. Criminal Complaint. Archived January 25, 2011, at the Wayback Machine. United States District Court – District Court of New Jersey, Docket: MAG 11-4022 (CCC). Filed with the court January 13, 2011.
  35. Voreacos, David (January 18, 2011). "U.S. Announces Charges for Alleged Hack Into AT&T Servers Via iPad Users". Bloomberg.com. Bloomberg L.P. Retrieved January 21, 2011.
  36. McMillan, Robert (December 15, 2010). "AT&T IPad Hacker Fought for Media Attention, Documents Show". PC World. PC World Communications, Inc. Retrieved December 16, 2010. [permanent dead link]
  37. Foresman, Chris (January 19, 2011). "Goatse Security trolls were after "max lols" in AT&T iPad hack". Ars Technica. Retrieved January 22, 2011.
  38. Worthen, Ben; Spencer E. Ante (June 14, 2010). "Computer Experts Face Backlash". WSJ.com.
  39. Leydon, John (July 7, 2010). "AT&T iPad 'hacker' breaks gag order to rant at cops". The Register. Retrieved February 16, 2011.
  40. Arrington, Michael (June 14, 2010). "We're Awarding Goatse Security A Crunchie Award For Public Service". Tech Crunch. Retrieved March 31, 2010.
  41. Patterson, Ben (June 14, 2010). "AT&T apologizes for iPad breach, blames hackers". Yahoo! News. Retrieved March 31, 2010.
  42. Tate, Ryan (June 9, 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Gawker.com. Gawker Media. Archived from the original on June 12, 2010. Retrieved June 13, 2010.
  43. Emspak, Jesse; Perna, Gabriel (June 17, 2010). "Arrested Hacker's Web Site Reveals Extremist Views". International Business Times. Archived from the original on March 6, 2020. Retrieved July 11, 2010.
  44. Dowell, Andrew (June 17, 2010). "Programmer Detained After FBI Search". The Wall Street Journal.
  45. "Criminal charges filed against AT&T iPad attackers — Computerworld". January 18, 2011.
  46. weev. "Hypocrites and Pharisees". Goatse.fr. Archived from the original on May 24, 2017. Retrieved April 18, 2011.
  47. Voigt, Kurt (January 21, 2011). "No bail for 2nd iPad e-mail address theft suspect". MSNBC.com. Associated Press. Retrieved February 15, 2011.
  48. Porter, David (February 28, 2011). "Suspect in iPad Data Theft Released on Bail in NJ". ABC News. Associated Press. Retrieved March 2, 2011.
  49. Zetter, Kim (November 20, 2012). "Hacker Found Guilty of Breaching AT&T Site to Obtain iPad Customer Data | Threat Level | Wired.com".
  50. "Twitter status, 3:38 PM - 20 Nov 12".
  51. "Twitter status, 3:32 PM - 20 Nov 12".
  52. Bierend, Doug (November 29, 2012). "Forget Disclosure Hackers Should Keep Security Holes to Themselves". Wired.
  53. Case: 13-1816 Document: 003111586090
  54. Kravets, David (April 11, 2014). "Appeals court reverses hacker/troll "weev" conviction and sentence". Ars Technica. Retrieved April 11, 2014.
  55. Hill, Kashmir (April 11, 2014). "Weev Freed, But Court Punts On Bigger 'Hacking vs. Security Research' Question". Forbes. Retrieved April 11, 2014.
  56. Voreacos, David (April 14, 2014). "AT&T Hacker 'Weev' Parties and Tweets as Case Still Looms". Bloomberg. Retrieved April 14, 2014.
  57. Constantin, Lucian (May 16, 2011). "Dangerous Linux Denial of Service Vulnerability Disclosed as 0-Day". Softpedia. Retrieved March 25, 2014.