The head of a self-described “security research” hacking group was
sentenced today to 41 months in prison for breaching AT&T’s servers,
stealing e-mail addresses and other personal information belonging to
approximately 120,000 Apple iPad users, and disclosing that information
to an Internet magazine, U.S. Attorney Paul J. Fishman announced.
Andrew Auernheimer, 27, of New York, was convicted November 20, 2012,
on both counts of a superseding indictment: conspiracy to access
AT&T’s servers without authorization and disclose that information
to a reporter at Gawker magazine and possession and transfer of means of
identification for more than 120,000 iPad users. Auernheimer was tried
before U.S. District Judge Susan D. Wigenton, who imposed the sentence
today in Newark federal court. His co-conspirator, Daniel Spitler, 27,
of San Francisco, California, previously pleaded guilty to the same
charges and is awaiting sentencing.
“Andrew Auernheimer knew he was breaking the law when he and his
partner hacked into AT&T’s servers and stole personal information
from unsuspecting iPad users,” U.S. Attorney Fishman said. “When it
became clear that he was in trouble, he concocted the fiction that he
was trying to make the Internet more secure and that all he did was walk
in through an unlocked door. The jury didn’t buy it, and neither did
the court in imposing sentence upon him today.”
“Auernheimer coordinated a self-serving cyber attack on a United
States corporation and tens of thousands of innocent customers, in order
to promote his business,” FBI Acting Special Agent in Charge David
Velazquez said. “Immediately after the attack he attempted to hide all
the evidence. Auernheimer’s conviction and today’s sentence signifies
the continued and growing efforts of the U.S. Attorney’s Office and the
FBI in investigating and prosecuting computer hacking and intellectual
property crimes.”
According to documents filed in this case and the evidence at trial:
The iPad is a touch-screen tablet computer, developed and marketed by
Apple Computers Inc., that allows users to, among other things, access
the Internet and send and receive e-mail. Since its introduction in
January 2010, AT&T has provided iPad users with Internet
connectivity via AT&T’s 3G wireless network. During the registration
process for subscribing to the network, a user is required to provide
an e-mail address, billing address, and password.
Prior to mid-June 2010, AT&T automatically linked an iPad 3G
user’s e-mail address to the Integrated Circuit Card Identifier
(ICC-ID), a number unique to the user’s iPad, when he or she registered.
Every time a user accessed the AT&T website, the ICC-ID was
recognized and the e-mail address was automatically populated for
faster, user-friendly access to the site. AT&T kept the ICC-IDs and
associated e-mail addresses confidential.
At that time, when an iPad 3G communicated with AT&T’s website,
its ICC-ID was automatically displayed in the Universal Resource
Locator, or URL, of the AT&T website in plain text. Seeing this, and
discovering that each ICC-ID was connected to an iPad 3G user e-mail
address, hackers wrote a script termed the “iPad 3G Account Slurper” and
deployed it against AT&T’s servers.
The Account Slurper attacked AT&T’s servers for several days in
early June 2010 and was designed to harvest as many ICC-ID/e-mail
address pairings as possible. It worked by mimicking the behavior of an
iPad 3G so that AT&T’s servers would be deceived into granting the
Account Slurper access. Once deployed, the Account Slurper used a
process known as a “brute force” against the servers, randomly guessing
at ranges of ICC-IDs. An incorrect guess was met with no additional
information, while a correct guess was rewarded with an ICC-ID/e-mail
pairing for a specific, identifiable iPad 3G user.
From June 5, 2010 through June 9, 2010, the Account Slurper stole for
its hacker-authors approximately 120,000 ICC-ID/e-mail address pairings
for iPad 3G customers.
Immediately following the theft, the hacker-authors of the Account
Slurper provided the stolen e-mail addresses and ICC-IDs to the website
Gawker, which published the stolen information in redacted form, along
with an article concerning the breach. The article indicated that the
breach “exposed the most exclusive e-mail list on the planet,” and named
a number of famous individuals whose e-mails had been compromised,
including Diane Sawyer, Harvey Weinstein, New York Mayor Michael
Bloomberg, and then-White House Chief of Staff Rahm Emanuel. The article
also stated that iPad users could be vulnerable to spam marketing and
malicious hacking. A group calling itself “Goatse Security” was
identified as obtaining the subscriber data.
Goatse Security is a so-called “security research” group, composed of
Internet hackers, to which both Spitler and Auernheimer belonged.
During the data breach, co-defendant Daniel Spitler and Auernheimer
communicated with one another using Internet Relay Chat, an Internet
instant messaging program. Those chats not only demonstrated that
Spitler and Auernheimer were responsible for the data breach, but also
that they conducted the breach to simultaneously damage AT&T and
promote themselves and Goatse Security. As the data breach continued,
so, too, did the discussions between Spitler, Auernheimer, and other
Goatse Security members about the best way to take advantage of the
breach and associated theft. On June 10, 2010, immediately after going
public with the breach, Spitler and Auernheimer discussed destroying
evidence of their crime.
In addition to the prison term, Judge Wigenton sentenced Auernheimer
to three years of supervised release and ordered him to pay restitution
of $73,162.
U.S. Attorney Fishman credited special agents of the FBI, under the
direction of Acting Special Agent in Charge David Velazquez in Newark,
with the investigation leading to the charges. He also thanked special
agents of the FBI, under the direction of then-Special Agent in Charge
Valerie Parlave in Little Rock, Arkansas, and the U.S. Attorney’s Office
for the Western District of Arkansas, under the direction of U.S.
Attorney William Conner Eldridge.
The government is represented by Executive Assistant U.S. Attorney
Michael Martinez and Assistant U.S. Attorney Zach Intrater of the
Computer Hacking and Intellectual Property Section of the U.S.
Attorney’s Office Economic Crimes Unit.
Subscribe to:
Post Comments (Atom)
-
+5 Caught: The 36-year-old maid was caught on camera stuffing cash into her pockets and knickers A housekeeper h...
-
Seyi Gesinde reports the tragic death of Dr Myles Munroe, which occured aboard a plane which crashed while trying to land in The Baha...
-
A Magistrates’ Court in Minna yesterday sentenced a 26-yearold man, Rabiu Umaru, to four months’ imprisonment or N10,000 fine for house-br...
No comments:
Post a Comment