Experts question guilty verdict for AT&T 'hackers'

If there is a villain in the 2010 AT&T "hacking" case involving about 120,000 email addresses of iPad owners, it is not the two members of Goatse Security (GoatSec) who found a way to collect the addresses, but the telecom giant that made it possible with a gaping vulnerability that didn't even require a real hack to exploit, say security experts.

But that is not the way the legal system sees it. As of this week, the official bad guys are Daniel "JacksonBrowne" Spitler and Andrew "Weev" Auernheimer, who both stand convicted -- Spitler through a plea agreement and Auernheimer after a jury in a Newark, NJ federal court found him guilty Tuesday of conspiracy to access a computer without authorization under the Computer Fraud and Abuse Act of 1986 (CFAA), and fraud in connection with personal information.

Auernheimer, who tweeted following the verdict, "Hey epals don't worry! We went in knowing there would be a guilty here. I'm appealing, of course," could face 10 years in prison -- five on each count.

Several security experts view that as absurd, since the two didn't even hack through any security barriers on the AT&T website, and didn't make any of the email addresses public. The only damage AT&T and iPad maker Apple suffered was embarrassment.

Spitler and Auernheimer were able to collect the addresses when they noticed a way to spoof, or impersonate, iPad owners. As Ansel Halliburton, an attorney with ComputerLaw Group wrote at TechCrunch: "If the (AT&T) website received a valid ICC-ID (Integrated Circuit Card Identifier), it would serve a login page with an iPad owner's email address pre-filled. This meant that if GoatSec could guess valid ICC-IDs, the website would leak email addresses of 3G iPad owners."

Spitler then wrote a program called the "Account Slurper" that tried thousands of possible ICC-ID numbers and simply collected the email addresses returned for the ones that worked, yielding about 120,000 of them, including those of celebrities such as ABC news anchor Diane Sawyer, New York Mayor Michael Bloomberg, film producer Harvey Weinstein and former White House chief of staff (now Chicago Mayor) Rahm Emanuel.
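What the "Account Slurper" traffic looks like from the operator's side is a long run of requests that each carry a different, mostly consecutive identifier. The following detection script is an added example, not code from the article, from AT&T or from GoatSec; it assumes a hypothetical endpoint `/login` with a query parameter named `icc_id` (the real names are not given in the article) and runs over constructed access-log lines embedded inline.

```python
import re
from collections import defaultdict

# Matches Common Log Format lines for the hypothetical /login?icc_id=... endpoint.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /login\?icc_id=(\d+) HTTP/[\d.]+" (\d{3}) \d+'
)

# Constructed sample log lines, not real traffic. 203.0.113.5 walks a
# consecutive range of identifiers; 198.51.100.7 behaves like a real owner.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2010:10:00:01 +0000] "GET /login?icc_id=89014100000000001 HTTP/1.1" 404 93
203.0.113.5 - - [09/Jun/2010:10:00:02 +0000] "GET /login?icc_id=89014100000000002 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2010:10:00:03 +0000] "GET /login?icc_id=89014100000000003 HTTP/1.1" 404 93
203.0.113.5 - - [09/Jun/2010:10:00:04 +0000] "GET /login?icc_id=89014100000000004 HTTP/1.1" 200 509
203.0.113.5 - - [09/Jun/2010:10:00:05 +0000] "GET /login?icc_id=89014100000000005 HTTP/1.1" 404 93
198.51.100.7 - - [09/Jun/2010:10:00:06 +0000] "GET /login?icc_id=89014100000000777 HTTP/1.1" 200 514
198.51.100.7 - - [09/Jun/2010:10:00:09 +0000] "GET /login?icc_id=89014100000000777 HTTP/1.1" 200 514
"""

def parse(log_text):
    """Yield (client, icc_id, status) for every line that matches the endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def find_enumerators(log_text, min_ids=4, min_sequential=0.75):
    """Return {client: stats} for clients that requested many distinct
    identifiers, most of them consecutive: the signature of a guessing loop
    rather than of an owner looking up their own account."""
    ids, hits = defaultdict(set), defaultdict(int)
    for client, icc_id, status in parse(log_text):
        ids[client].add(icc_id)
        if status == 200:          # a 200 means the page pre-filled an address
            hits[client] += 1
    flagged = {}
    for client, seen in ids.items():
        if len(seen) < min_ids:
            continue
        ordered = sorted(seen)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_sequential:
            flagged[client] = {"distinct_ids": len(seen),
                               "sequential_ratio": ratio, "hits": hits[client]}
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

The thresholds are deliberately low so the constructed sample triggers; on real traffic they would be tuned to the volume a single legitimate client could plausibly generate.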

The two passed on their findings to Gawker, which ran a story on it on June 9, 2010. According to the story, GoatSec had notified AT&T and the company fixed the vulnerability before the story ran, but the company issued a statement in response to the story saying it had been informed of the problem by "a business customer," and that, "the person or group who discovered this gap did not contact AT&T."


Still, security experts tend to agree with Auernheimer's attorney, Tor Ekeland, who told Ansel Halliburton that the verdict should concern "any legitimate security researcher," because Auernheimer and Spitler didn't hack through any security on the AT&T website.

They also agree with Halliburton that the CFAA is hopelessly vague and outdated, since it was created before the evolution of the Web.

"Auernheimer is charged with participating in a conspiracy to violate the CFAA by 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]...information from [a] protected computer,'" Halliburton wrote. "But what exactly does that mean?"

The language, he said, comes from a law that defines "protected computer" as either a government or bank computer, or as any computer "which is used in or affecting interstate or foreign commerce or communication."

"Maybe that worked in 1986 when not that many computers were networked in interstate commerce, but in 2012, it covers almost anything with a microprocessor."

Kevin Mitnick, once known as the world's "most wanted hacker" and now a security consultant, also said the CFAA is neither clear nor up to date. He said that, as written, it is so broad that just about anybody who uses the Internet could be convicted.

"Take caller ID spoofing, which allows me to call you and display any number I want," he said. "If I spoof your number to a business, and the business answers the call with an automated system, that says, 'Hello Taylor,' because of the linkage, is that a crime? Where is the unauthorized access? Spoofing your cell phone number? I don't think so."

Mitnick said he thinks the government's case "is a joke, because anyone can be accused of unauthorized access by simply visiting a web site. How ridiculous is that?"

Support for Spitler and Auernheimer is not unanimous. One comment on the TechCrunch site from "George Schmaltz" argued that, "A 'legitimate' security researcher either finds a problem, then gets permission to conduct penetration tests or vice-versa. You don't hack a site, then present yourself as a 'white hat.'"

But Ansel Halliburton raises a number of questions that he contends weaken the government's case.

"GoatSec's slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it," he wrote. "Who decides who is 'without authorization'? The government? The website operator? How do you know the website operator deems you to be 'without authorization'? The CFAA gives no answers."
