06:43 PM
Connect Directly

Two Arrested For AT&T iPad Network Breach

One of the men charged argues it's AT&T that should be blamed.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

United States Attorney Paul J. Fishman on Tuesday announced the arrest of "two self-described Internet 'trolls'" for their alleged involvement in the harvesting of e-mail addresses from some 120,000 Apple iPad users in June, 2010.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested on Tuesday by FBI agents on charges that they conspired to hack into AT&T's servers and that they were in possession of information obtained from those servers.

The complaint against the two men says that they created a script called "iPad 3G Account Slurper" to harvest data from AT&T's servers. Prior to June, 2010, AT&T associated the e-mail addresses of subscribers to its iPad 3G data plan with an Integrated Circuit Card Identifier (“ICC-ID”). The company kept this information confidential but unwittingly exposed ICC-ID numbers in URLs associated with its Web site.

The Account Slurper script was designed to look like an iPad 3G to AT&T's servers. It presented a series ICC-ID numbers as a brute force attack and received paired e-mail addresses when the guessed ICC-ID number was valid.

Between June 5 and 9, 2010, Auernheimer and Spitler are said to have obtained 120,000 e-mail addresses associated with iPad users. The pair then provided this information to Gawker.com, which called the incident "Apple's worst security breach," even as it conceded in the article that "[t]he slip up appears to be AT&T's fault..." (One reason for this may be that articles with "Apple" in the headline tend to get more visitor traffic than articles with "AT&T" in the headline.)

The breach exposed the e-mail addresses of a number of prominent people, including television journalist Diane Sawyer, film mogul Harvey Weinstein, New York Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.

The Gawker article says the data was provided by Goatse Security, a group in which Auernheimer and Spitler participated, claim government investigators. The government describes the group as "a loose association of Internet hackers and self-professed Internet 'trolls.'"

"Hacking is not a competitive sport, and security breaches are not a game," said U.S. Attorney Fishman in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact."

Fishman stated that breaking into computers and spreading malicious code is a threat to national, corporate, and personal security, and warned that such activities have real-world consequences.

In an e-mail sent to the U.S. Attorney's Office in New Jersey on November 17, 2010, Auernheimer argued that AT&T should be blamed for inadequately securing its network. "AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote.

Each of the two charges faced by both defendants carries a penalty of as much as five years in prison and a fine of as much as $250,000.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.