Risk
1/18/2011
06:43 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Two Arrested For AT&T iPad Network Breach

One of the men charged argues it's AT&T that should be blamed.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

United States Attorney Paul J. Fishman on Tuesday announced the arrest of "two self-described Internet 'trolls'" for their alleged involvement in the harvesting of e-mail addresses from some 120,000 Apple iPad users in June, 2010.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested on Tuesday by FBI agents on charges that they conspired to hack into AT&T's servers and that they were in possession of information obtained from those servers.

The complaint against the two men says that they created a script called "iPad 3G Account Slurper" to harvest data from AT&T's servers. Prior to June, 2010, AT&T associated the e-mail addresses of subscribers to its iPad 3G data plan with an Integrated Circuit Card Identifier (“ICC-ID”). The company kept this information confidential but unwittingly exposed ICC-ID numbers in URLs associated with its Web site.

The Account Slurper script was designed to look like an iPad 3G to AT&T's servers. It presented a series ICC-ID numbers as a brute force attack and received paired e-mail addresses when the guessed ICC-ID number was valid.

Between June 5 and 9, 2010, Auernheimer and Spitler are said to have obtained 120,000 e-mail addresses associated with iPad users. The pair then provided this information to Gawker.com, which called the incident "Apple's worst security breach," even as it conceded in the article that "[t]he slip up appears to be AT&T's fault..." (One reason for this may be that articles with "Apple" in the headline tend to get more visitor traffic than articles with "AT&T" in the headline.)

The breach exposed the e-mail addresses of a number of prominent people, including television journalist Diane Sawyer, film mogul Harvey Weinstein, New York Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.

The Gawker article says the data was provided by Goatse Security, a group in which Auernheimer and Spitler participated, claim government investigators. The government describes the group as "a loose association of Internet hackers and self-professed Internet 'trolls.'"

"Hacking is not a competitive sport, and security breaches are not a game," said U.S. Attorney Fishman in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact."

Fishman stated that breaking into computers and spreading malicious code is a threat to national, corporate, and personal security, and warned that such activities have real-world consequences.

In an e-mail sent to the U.S. Attorney's Office in New Jersey on November 17, 2010, Auernheimer argued that AT&T should be blamed for inadequately securing its network. "AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote.

Each of the two charges faced by both defendants carries a penalty of as much as five years in prison and a fine of as much as $250,000.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.