Second hacker indicted over stolen AT&T iPad data

By on July 7, 2011 at 2:30 PM.

Second hacker indicted over stolen AT&T iPad data

An Arkansas man has been indicted for carrying out a cyberattack on AT&T servers that resulted in the theft of personal data from more than 100,000 iPad users. Andrew Auernheimer has been charged by a New Jersey grand jury with one count of conspiracy to gain unauthorized access to computers and one count of identity theft, Reuters reports. Auernheimer’s codefendant Daniel Spitler entered a guilty plea after being charged with the same crimes late last month. Court documents recount several conversations Auernheimer allegedly had surrounding the AT&T breach, and the evidence appears to be damning. “If we get 1 reporters address with this somehow we instantly have a story,” he wrote to Spitler on June 6, 2010, according to the indictment. “HI I STOLE YOUR EMAIL FROM AT&&T WANT TO KNOW HOW?” Auernheimer later continued, “The more email addresses we get … the more of a freakout we can cause.” Both Auernheimer and Spitler are said to be associated with “Goatse Security,” a hacker group reportedly focused on disrupting online content and services. More →

34 Comments

Goatse Security: The iPad simply is not a safe platform for those that require a secure environment

By on June 15, 2010 at 8:58 AM.

Goatse Security: The iPad simply is not a safe platform for those that require a secure environment

Screen shot 2010-06-15 at 7.53.59 AM

Goatse Security, the firm who blew the lid off of an exploit that allowed the names and email addresses of over 114,000 iPad owners to be farmed, is speaking out. In a blog post, Goastse team member Escher Auernheimer writes:

I released a semantic integer overflow exploit for Safari through Goatse Security in March– it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.

And it doesn’t stop there. Addressing some of the verbiage in AT&T’s apology letter, Auernheimer goes onto say:

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. […] AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.

Auernheimer closes with: “We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. […] We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.” Amen, Escher, Amen. Your move Apple/AT&T. More →

35 Comments