Published: Wednesday, January 19, 2011, 12:45 PM Updated: Wednesday, January 19, 2011, 12:46 PM
By
Leslie Kwoh/The Star-Ledger
Share
Email
Federal authorities have charged two members of a rogue computer hacking group with breaching ATT’s security and stealing the e-mail addresses of 120,000 Apple iPad users across the country.
Daniel Spitler, 26, of San Francisco and Andrew Auernheimer, 25, of Fayetteville, Ark., were arrested yesterday on charges that they pilfered an extensive e-mail list of early iPad adopters, including New York Mayor Michael Bloomberg, former White House chief of staff Rahm Emanuel and TV journalist Diane Sawyer.
In a complaint filed in federal court in Newark, prosecutors accused Spitler and Auernheimer of hacking ATT’s Bedminster-based servers in June using a homemade computer script called the “Account Slurper.” By churning out random numbers that mimicked actual iPad serial numbers, the script fooled the servers into giving out owners’ e-mail addresses.
The defendants, members of a loose group of internet hackers called Goatse Security, told authorities that their hacking spree was an altruistic effort to expose security flaws in ATT’s network.
“ATT needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders,” Auernheimer wrote in a November e-mail to authorities.
Both men appeared in federal court yesterday — Spitler in Newark and Auernheimer in Fayetteville. Spitler, a Borders bookstore security guard and author of the script, surrendered to the FBI in the morning. Auernheimer, who is unemployed, was arrested while appearing in state court on unrelated drug charges, authorities said.
Each faces one count of conspiracy to access a computer without authorization and one count of fraud. Each charge carries a maximum penalty of five years in prison and $250,000 fine. They are also responsible for compensating ATT for the breach, which to date has cost the company $73,000, the complaint said.
U.S. Attorney Paul Fishman described the defendants’ actions as a “brute force attack” that could have led to disastrous consequences had they not been stopped.
“It’s what some people might perceive as stealing for a joyride,” he said. “It might start out as a prank, but it could turn into something much more malicious.”
The defendants and their friends had considered capitalizing on the e-mail list by selling it to spammers, thus tarnishing ATT’s reputation, and releasing it to news outlets to drive down the company’s stock price, according to the complaint. In one correspondence, Spitler suggested finding the matching passwords to the e-mail addresses so they could access more personal information, but he quickly dismissed the idea as “boring.”
Shortly after the breach, they provided the stolen e-mail addresses to the gossip website Gawker, detailing how they found the security loophole at America’s biggest phone company. Gawker published the information in redacted form, a move that brought attention to the security breach and prompted ATT to send a note of apology to affected customers.
While the hacking lasted four days, ATT did not know about the breach until Gawker published the account, Fishman said yesterday.
Kate MacKinnon, a spokeswoman for ATT, referred questions to federal authorities but added: “We take our customers’ privacy very seriously, and we cooperate with law enforcement whenever necessary to protect it.”
A spokeswoman for Apple declined comment.
Law experts yesterday said the case is an example of how wireless connectivity has created a new, complicated wave of crime for law enforcement authorities.
“Information isn’t a kind of property that’s traditionally subject to theft,” said Stuart Green, a professor at Rutgers Law School-Newark.
“Law enforcement hasn’t figured out how to deal with this yet — both the detection and prosecution of these cases.”
Spitler, who made his first court appearance yesterday, looked subdued as Judge Claire Cecchi listed the charges against him and imposed a travel restriction limiting him to California and New Jersey.
However, he appeared agitated later while his court-appointed attorney, Susan Cassell, engaged in a prolonged debate with Assistant U.S. Attorney Lee Vartan over a proposed ban on Spitler’s internet usage. Cassell said Spitler will need the internet to communicate with her about the legal proceedings and also with his parents in Chicago, who only found out about the charges the previous night.
The judge closed by supporting the ban, saying “phone and overnight mail” should suffice as his main tools of communication for the foreseeable future. As Spitler emerged from the courthouse after being released on $50,000 bail, he told a group of reporters that he thought authorities had taken many things “out of context.”
Asked how he would survive without the internet, he replied: “It will be like a vacation.”
Staff writer Alexi Friedman and photographer Tim Farrell contributed to this report. Leslie Kwoh: (973) 392-4147 or lkwoh@starledger.com
Article source: http://www.nj.com/business/index.ssf/2011/01/pair_charged_with_hacking_atts.html
Category: Prison Time