Wednesday, January 26, 2011

Two charged in AT&T-iPad data breach

Two men were charged with computer crimes today for allegedly hacking
into AT&T servers and stealing e-mail addresses and other information
of about 120,000 iPad users last summer.

Andrew Auernheimer, 25, was arrested in his home town of Fayetteville,
Ark., while appearing in state court on unrelated drug charges, and
Daniel Spitler, 26, of San Francisco, surrendered to FBI agents in
Newark, N.J., according to the U.S. Attorney's office in New Jersey.
Both men were expected to appear before federal judges in Arkansas and
New Jersey.

They each face one count of conspiracy to access a computer without
authorization and one count of fraud in connection with personal
information. They're also looking at a maximum of 10 years in prison
and a $500,000 fine.

Auernheimer was ordered held until a bail hearing set for Friday,
while Spitler was released on $50,000 bail and ordered not to use the
Internet except at his job as a security guard at a Borders bookstore,
according to an Associated Press report. In comments to reporters
outside the Newark courthouse, Spitler said he was innocent, adding:
"The information in the complaint is false. This case has been blown
way out of proportion."

Auernheimer told the magistrate that he had been drinking until 6:30
that morning and said of the complaint: "This is a great
affidavit--fantastic reading," according to the AP report.

Last June, Auernheimer told CNET that members of his hacker group,
which calls itself Goatse Security, uncovered a hole in AT&T's Web
site used by iPad customers on the 3G wireless network and went public
with it by revealing details to Gawker Media.

Up until then, AT&T automatically linked an iPad 3G user's e-mail
address to the iPad's unique number, called the Integrated Circuit Card
Identifier (ICC-ID), so that whenever the customer accessed the AT&T
Web site, the ICC-ID was recognized, the e-mail address was
automatically populated and the ICC-ID was displayed in the URL in
plain text.

Spitler is accused of writing a script called the "iPad 3G Account
Slurper" and using it to harvest AT&T customer data via a brute force
attack on the site, which fooled the site into revealing the
confidential information, according to the criminal complaint filed
last week but unsealed and released publicly today.

The complaint includes Internet Relay Chat messages supposedly sent
between Auernheimer and Spitler in which they talk about selling the
e-mail addresses to spammers, shorting AT&T stock before releasing
details of the breach, and destroying evidence.

"If we can get a big dataset we could direct market iPad accessories,"
Auernheimer says in a message to Spitler, according to the complaint.
In another chat session included in the complaint, Spitler says he
would like to stay anonymous so he doesn't get sued. "Absolutely may
be legal risk yeah, mostly civil you absolutely could get sued,"
Auernheimer replied, the complaint read.

Before going to Gawker, Auernheimer also allegedly contacted
Thomson-Reuters and the San Francisco Chronicle, and sent an e-mail to
a board member at News Corp. whose e-mail address was leaked in the
breach, all in attempts to get news articles written about the incident,
according to the complaint.

Asked if he reported the hole to AT&T, Auernheimer replied "totally
but not really...I don't (expletive) care I hope they sue me,"
according to the chat logs.

"Those chats not only demonstrate that Spitler and Auernheimer were
responsible for the data breach, but also that they conducted the
breach to simultaneously damage AT&T and promote themselves and Goatse
Security," the U.S. Attorney's office said in a statement.

AT&T has spent about $73,000 as a result of the breach, including
contacting all iPad 3G customers to notify them, the complaint says.
Among the iPad users who appeared to have been affected were White
House Chief of Staff Rahm Emanuel, journalist Diane Sawyer, New York
Mayor Michael Bloomberg, movie producer Harvey Weinstein, and New York
Times CEO Janet Robinson.

Auernheimer told CNET last summer that the data exposed in the breach
was contained. The concern was that iPad users who had their e-mail
addresses exposed would then be at risk of receiving phishing or spam
e-mail that appeared to be from Apple or AT&T but which was designed
instead to trick them into revealing more information or downloading
malware.

Auernheimer did not return an e-mail seeking comment, and Spitler
could not be reached. AT&T did not immediately respond to a request
for comment.

Auernheimer, a self-described Internet "troll," was arrested last June
when authorities found drugs while searching his home for evidence
related to the AT&T-iPad investigation. He was later released on bail.
