Experts question guilty verdict for AT&T 'hackers'

If there is a villain in the 2010 AT&T "hacking" case involving about 120,000 email addresses of iPad owners, it is not the two members of Goatse Security (GoatSec) who found a way to collect the addresses, but the telecom giant that made it possible with a gaping vulnerability that didn't even require a real hack to exploit, say security experts.

But that is not the way the legal system sees it. As of this week, the official bad guys are Daniel "JacksonBrowne" Spitler and Andrew "Weev" Auernheimer, who both stand convicted -- Spitler through a plea agreement and Auernheimer after a jury in a Newark, NJ federal court found him guilty Tuesday of conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act of 1986 (CFAA), and fraud in connection with personal information.

Auernheimer, who tweeted following the verdict, "Hey epals don't worry! We went in knowing there would be a guilty here. I'm appealing, of course," could face 10 years in prison -- five on each count.

Several security experts view that as absurd, since the two didn't even hack through any security barriers on the AT&T website, and didn't make any of the email addresses public. The only damage AT&T and iPad maker Apple suffered was embarrassment.

Spitler and Auernheimer were able to collect the addresses when they noticed a way to spoof, or impersonate, iPad owners. As Ansel Halliburton, an attorney with ComputerLaw Group, wrote at TechCrunch: "If the (AT&T) website received a valid ICC-ID (Integrated Circuit Card Identifier), it would serve a login page with an iPad owner's email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners."

Spitler then wrote a program called the "Account Slurper" that tried thousands of possible ICC-ID numbers, and simply collected the email addresses on the ones that worked, yielding about 120,000 of them, including those of celebrities like ABC news anchor Diane Sawyer, New York Mayor Michael Bloomberg, film producer Harvey Weinstein and former White House chief of staff (now Chicago Mayor) Rahm Emanuel.
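The weakness Halliburton describes is an endpoint that treats a guessable identifier (the ICC-ID) as if it were proof of ownership. The following Python is an added illustration written for this article, not code from the case, from GoatSec or from AT&T: it places the vulnerable pre-fill pattern beside a hardened version that only releases an address to an authenticated session bound to that ICC-ID, and adds a server-side log check that flags a client walking many distinct ICC-IDs in a short window. The subscriber table, ICC-IDs, addresses, log format and client IPs are all constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample subscriber table: ICC-IDs and addresses are made up
# for this example and are not data from the case.
SUBSCRIBERS = {
    "89014103211118510720": "user-one@example.com",
    "89014103211118510721": "user-two@example.com",
    "89014103211118510725": "user-three@example.com",
}


def vulnerable_prefill(iccid):
    """The pattern the article describes: a request carrying a valid ICC-ID
    gets the matching email back with no proof that the caller holds that
    SIM. An ICC-ID is an identifier, not a secret, so anyone who can guess
    valid ones can walk the table (an insecure direct object reference)."""
    return SUBSCRIBERS.get(iccid)


def hardened_prefill(iccid, session=None):
    """Hardened form (hypothetical; not the fix AT&T actually deployed):
    the address is released only to an already authenticated session that
    is bound to the same ICC-ID. Every other case gets the same empty
    answer, so the endpoint does not reveal which ICC-IDs exist."""
    if not session or not session.get("authenticated"):
        return None
    if session.get("iccid") != iccid:
        return None
    return SUBSCRIBERS.get(iccid)


LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def flag_enumeration(log_lines, max_distinct_ids=5, window=timedelta(minutes=1)):
    """Server-side detection heuristic for the pre-fill endpoint's log.
    Each line is '<iso-timestamp> <client> <iccid> <hit|miss>' (a constructed
    format). A legitimate owner presents one ICC-ID; a client that presents
    more than max_distinct_ids different ones inside a sliding window is
    flagged as enumerating."""
    recent = defaultdict(deque)  # client -> deque of (timestamp, iccid)
    flagged = set()
    for line in log_lines:
        ts_text, client, iccid, _status = line.split()
        ts = datetime.strptime(ts_text, LOG_FORMAT)
        dq = recent[client]
        dq.append((ts, iccid))
        while dq and ts - dq[0][0] > window:  # drop entries outside the window
            dq.popleft()
        if len({seen for _, seen in dq}) > max_distinct_ids:
            flagged.add(client)
    return flagged


def _log_line(second, client, iccid):
    status = "hit" if iccid in SUBSCRIBERS else "miss"
    return f"2010-06-01T10:00:{second:02d} {client} {iccid} {status}"


# Constructed log sample: 10.0.0.2 presents eight sequential ICC-IDs in eight
# seconds (the enumeration pattern); 10.0.0.9 is one owner checking once.
SAMPLE_LOG = [
    _log_line(s, "10.0.0.2", f"8901410321111851{n:04d}")
    for s, n in enumerate(range(720, 728))
] + [_log_line(3, "10.0.0.9", "89014103211118510720")]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_prefill("89014103211118510720"))
    print("hardened, no session:", hardened_prefill("89014103211118510720"))
    print("flagged clients:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler deliberately returns the same empty result whether the ICC-ID is unknown, the session is missing, or the session belongs to a different subscriber, so the endpoint cannot be used to confirm which identifiers are valid. The log check is a coarse heuristic; in practice the threshold and window would be tuned against normal traffic, and the flag would feed rate limiting or an alert rather than an automatic block.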

The two passed on their findings to Gawker, which ran a story on it on June 9, 2010. According to the story, GoatSec had notified AT&T and the company fixed the vulnerability before the story ran, but the company issued a statement in response to the story saying it had been informed of the problem by "a business customer," and that, "the person or group who discovered this gap did not contact AT&T."


Still, security experts tend to agree with Auernheimer's attorney, Tor Ekeland, who told Ansel Halliburton that the verdict should concern "any legitimate security researcher," because Auernheimer and Spitler didn't hack through any security on the AT&T website.

They also agree with Halliburton that the CFAA is hopelessly vague and outdated, since it was created before the evolution of the Web.

"Auernheimer is charged with participating in a conspiracy to violate the CFAA by 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]...information from [a] protected computer,'" Halliburton wrote. "But what exactly does that mean?"

The language, he said, comes from a law that defines "protected computer" as either a government or bank computer, or as any computer "which is used in or affecting interstate or foreign commerce or communication."

"Maybe that worked in 1986 when not that many computers were networked in interstate commerce, but in 2012, it covers almost anything with a microprocessor."

Kevin Mitnick, once known as the world's "most wanted hacker" and now a security consultant, also said the CFAA is neither clear nor up to date. And he said as written, it is so broad that just about anybody who uses the Internet could be convicted.

"Take caller ID spoofing, which allows me to call you and display any number I want," he said. "If I spoof your number to a business, and the business answers the call with an automated system, that says, 'Hello Taylor,' because of the linkage, is that a crime? Where is the unauthorized access? Spoofing your cell phone number? I don't think so."

Mitnick said he thinks the government's case "is a joke, because anyone can be accused of unauthorized access by simply visiting a web site. How ridiculous is that?"

Support for Spitler and Auernheimer is not unanimous. One comment on the TechCrunch site from "George Schmaltz" argued that, "A 'legitimate' security researcher either finds a problem, then gets permission to conduct penetration tests or vice-versa. You don't hack a site, then present yourself as a 'white hat.'"

But Ansel Halliburton raises a number of questions that he contends weaken the government's case.

"The GoatSec's slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it," he wrote. "Who decides who is 'without authorization'? The government? The website operator? How do you know the website operator deems you to be 'without authorization'? The CFAA gives no answers."

Stories by Taylor Armerding