Risk
1/18/2011
06:43 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Two Arrested For AT&T iPad Network Breach

One of the men charged argues it's AT&T that should be blamed.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

United States Attorney Paul J. Fishman on Tuesday announced the arrest of "two self-described Internet 'trolls'" for their alleged involvement in the harvesting of e-mail addresses from some 120,000 Apple iPad users in June, 2010.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested on Tuesday by FBI agents on charges that they conspired to hack into AT&T's servers and that they were in possession of information obtained from those servers.

The complaint against the two men says that they created a script called "iPad 3G Account Slurper" to harvest data from AT&T's servers. Prior to June, 2010, AT&T associated the e-mail addresses of subscribers to its iPad 3G data plan with an Integrated Circuit Card Identifier (“ICC-ID”). The company kept this information confidential but unwittingly exposed ICC-ID numbers in URLs associated with its Web site.

The Account Slurper script was designed to look like an iPad 3G to AT&T's servers. It presented a series ICC-ID numbers as a brute force attack and received paired e-mail addresses when the guessed ICC-ID number was valid.

Between June 5 and 9, 2010, Auernheimer and Spitler are said to have obtained 120,000 e-mail addresses associated with iPad users. The pair then provided this information to Gawker.com, which called the incident "Apple's worst security breach," even as it conceded in the article that "[t]he slip up appears to be AT&T's fault..." (One reason for this may be that articles with "Apple" in the headline tend to get more visitor traffic than articles with "AT&T" in the headline.)

The breach exposed the e-mail addresses of a number of prominent people, including television journalist Diane Sawyer, film mogul Harvey Weinstein, New York Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.

The Gawker article says the data was provided by Goatse Security, a group in which Auernheimer and Spitler participated, claim government investigators. The government describes the group as "a loose association of Internet hackers and self-professed Internet 'trolls.'"

"Hacking is not a competitive sport, and security breaches are not a game," said U.S. Attorney Fishman in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact."

Fishman stated that breaking into computers and spreading malicious code is a threat to national, corporate, and personal security, and warned that such activities have real-world consequences.

In an e-mail sent to the U.S. Attorney's Office in New Jersey on November 17, 2010, Auernheimer argued that AT&T should be blamed for inadequately securing its network. "AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote.

Each of the two charges faced by both defendants carries a penalty of as much as five years in prison and a fine of as much as $250,000.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

Best of the Web
Dark Reading Radio