06:43 PM
Connect Directly

Two Arrested For AT&T iPad Network Breach

One of the men charged argues it's AT&T that should be blamed.

Top 10 Security Stories Of 2010
(click image for larger view)
Slideshow: Top 10 Security Stories Of 2010

United States Attorney Paul J. Fishman on Tuesday announced the arrest of "two self-described Internet 'trolls'" for their alleged involvement in the harvesting of e-mail addresses from some 120,000 Apple iPad users in June, 2010.

Andrew Auernheimer, 25, of Fayetteville, Ark., and Daniel Spitler, 26, of San Francisco, Calif., were arrested on Tuesday by FBI agents on charges that they conspired to hack into AT&T's servers and that they were in possession of information obtained from those servers.

The complaint against the two men says that they created a script called "iPad 3G Account Slurper" to harvest data from AT&T's servers. Prior to June, 2010, AT&T associated the e-mail addresses of subscribers to its iPad 3G data plan with an Integrated Circuit Card Identifier (“ICC-ID”). The company kept this information confidential but unwittingly exposed ICC-ID numbers in URLs associated with its Web site.

The Account Slurper script was designed to look like an iPad 3G to AT&T's servers. It presented a series ICC-ID numbers as a brute force attack and received paired e-mail addresses when the guessed ICC-ID number was valid.

Between June 5 and 9, 2010, Auernheimer and Spitler are said to have obtained 120,000 e-mail addresses associated with iPad users. The pair then provided this information to Gawker.com, which called the incident "Apple's worst security breach," even as it conceded in the article that "[t]he slip up appears to be AT&T's fault..." (One reason for this may be that articles with "Apple" in the headline tend to get more visitor traffic than articles with "AT&T" in the headline.)

The breach exposed the e-mail addresses of a number of prominent people, including television journalist Diane Sawyer, film mogul Harvey Weinstein, New York Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.

The Gawker article says the data was provided by Goatse Security, a group in which Auernheimer and Spitler participated, claim government investigators. The government describes the group as "a loose association of Internet hackers and self-professed Internet 'trolls.'"

"Hacking is not a competitive sport, and security breaches are not a game," said U.S. Attorney Fishman in a statement. "Companies that are hacked can suffer significant losses, and their customers made vulnerable to other crimes, privacy violations, and unwanted contact."

Fishman stated that breaking into computers and spreading malicious code is a threat to national, corporate, and personal security, and warned that such activities have real-world consequences.

In an e-mail sent to the U.S. Attorney's Office in New Jersey on November 17, 2010, Auernheimer argued that AT&T should be blamed for inadequately securing its network. "AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders," he wrote.

Each of the two charges faced by both defendants carries a penalty of as much as five years in prison and a fine of as much as $250,000.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-04-28
The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

Published: 2015-04-28
Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.

Published: 2015-04-28
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before iFix8, 6.0.4 before iFix...

Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before, and 6.0.5 before requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.