Feds charge professed white-hat hackers in iPad breach

Professed White Hat hackers face federal criminal charges for grabbing the e-mail addresses of 114,000 AT&T 3G customers who use iPads.

The breach they acknowledge committing and publicized last summer took advantage of weaknesses in AT&Ts resubscription page for iPads to harvest the e-mail addresses and ID numbers for the SIM cards in their iPads.

The breach yielded this information for some famous people, including TV journalist Diane Sawyer, former White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg, as well as employees of NASA, the U.S. Department of Justice, DARPA, The New York Times, Google, Microsoft, Goldman Sachs and Citigroup.

Wake up to piping hot IT security news with CSO’s Salted Hash daily newsletter – sign up today!

According to Reuters, Daniel Spitler and Andrew Auernheimer, both of whom work at Goatse Security are being charged with fraud and conspiracy to access a computer without authorization.

The pair leaked information about the breach to Gawker Media, but AT&T said the weakness that allowed the breach was fixed before the story ran.

The flaw was that AT&T prepopulated the subscription-renewal page with users’ e-mail addresses. The hackers managed to access these pagers for other users and wrote a script that automated scraping the e-mail addresses and SIM card IDs.

While claiming to hack for social good, Aunheimer has also been characterized as an Internet troll – someone who performs destructive or annoying acts via the Internet. In court documents last month, FBI agent Christian Schorle says the FBI has been aware of Aunheimer as a hacker and “self-proclaimed troll” since 2001.

When the FBI raided his home in Arkansas as part of the AT&T breach, they found drugs that resulted in charges of possession of cocaine, LSD, ecstasy and oxycodone.

In an open letter last November to Assistant U.S. Attorney Lee Vartan on the Goatse Security Web site, Auernheimer says the intent of the breach was to point out lax security on the part of AT&T. At the time of the letter, Auernheimer says he knew the U.S. Attorney was considering charges.

In the letter he claims that Goatse has a reputation for fighting cyber crime. “Social responsibility has always been at the core of everything we do at Goatse Security,” he writes, “and this will be extraordinarily obvious at a trial. Goatse has done large amounts of documented work in project areas such as combating safe havens for pedophiles worldwide, protecting U.S. infrastructure, and keeping U.S. citizens safe from Russian and Chinese organized crime.”

The letter urges Vartan to drop the prosecution because continuing might damage his professional reputation. “I pray for you, Lee,” Auernheimer says in the letter. “I pray for you to see wisdom in your actions, and pray for you to be guided towards righteousness. I advise you to discuss this matter with your family, your friends, victims of crimes you have prosecuted and your teachers, for they are the people who would have been harmed had AT&T been allowed to silently bury their negligent endangerment of United States infrastructure.”

Read more about wide area network in Network World’s Wide Area Network section.