
Exploiting iPad flaw proves costly for researcher, despite relatively responsible disclosure process

Nearly four years behind bars; that's the fate a New York security "researcher" faces after being found guilty by a jury of his peers and sentenced by a federal judge on cybercrime charges involving his 2010 exploitation of a flaw in the security of iPad service provider AT&T. He allegedly used the flaw to expose the email addresses of over 100,000 individuals.

I. A Leaky Hole

The story began in June 2010.  Apple, Inc. (AAPL) had just released the first generation iPad, a tablet computer that transformed the form factor from overlooked to in vogue.  And the service provider du jour for iPads with 3G data connectivity was AT&T, Inc. (T).  

But AT&T's iPad support services had a relatively minor, but notable, security flaw.  AT&T's iPad-related servers ran a script that accepted an ICC-ID (integrated circuit card identifier), an identifier unique to each device.  

If sent a valid ICC-ID, the script served up the personal email of the subscriber associated with that device.  AT&T had planned to use the feature to generate a slick AJAX-style response on its web applications for the iPad.
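The pattern described above (a lookup that hands back a subscriber's email to anyone who supplies a valid identifier, with nothing tying the request to the subscriber) is the one worth understanding from a defender's seat. The following is an added example written for this article, not AT&T's code; the subscriber table, the `iccid` parameter name, the session model and the log format are all constructed assumptions. It contrasts the leaky lookup with one that binds the identifier to the authenticated session and rate-limits callers, and it includes a small log check that flags a client querying many distinct identifiers, which is how an enumeration of this kind would show up in access logs.

```python
"""Leaky vs. hardened identifier lookup, plus a log-based enumeration check.

Constructed example for illustration; not AT&T's implementation. The
subscriber table, endpoint path, parameter name and log lines are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample subscriber table: ICC-ID -> email (values are made up).
SUBSCRIBERS = {
    "89014103211118510720": "alice@example.com",
    "89014103211118510721": "bob@example.com",
}


def leaky_lookup(iccid: str):
    """The flawed pattern: any caller who supplies a valid ICC-ID gets the email.

    No authentication, no binding to the requesting subscriber, no throttling.
    """
    return SUBSCRIBERS.get(iccid)


@dataclass
class Session:
    """Assumed session model: the ICC-ID the caller authenticated as, plus a client id."""
    user_iccid: str
    client_id: str


class HardenedLookup:
    """Same lookup, but the ICC-ID must match the session and calls are rate-limited."""

    def __init__(self, max_requests: int = 5):
        self.max_requests = max_requests
        self.counts = defaultdict(int)   # client_id -> number of requests seen
        self.audit = []                  # (event, client_id, iccid) records for review

    def lookup(self, session: Session, iccid: str):
        self.counts[session.client_id] += 1
        if self.counts[session.client_id] > self.max_requests:
            # Throttle: repeated lookups from one client are refused and recorded.
            self.audit.append(("rate_limited", session.client_id, iccid))
            return None
        if iccid != session.user_iccid:
            # Authorization: a caller may only look up the device it authenticated as.
            self.audit.append(("mismatch", session.client_id, iccid))
            return None
        return SUBSCRIBERS.get(iccid)


# Constructed access-log lines in an assumed format: client, request, status.
LOG_LINES = [
    '203.0.113.7 "GET /ipad/lookup?iccid=89014103211118510720" 200',
    '203.0.113.7 "GET /ipad/lookup?iccid=89014103211118510721" 200',
    '198.51.100.2 "GET /ipad/lookup?iccid=89014103211118510720" 200',
    '203.0.113.7 "GET /ipad/lookup?iccid=89014103211118510722" 404',
    '198.51.100.2 "GET /ipad/lookup?iccid=89014103211118510720" 200',
    '203.0.113.7 "GET /ipad/lookup?iccid=89014103211118510723" 404',
    'garbage line that should be ignored',
]
LOG_RE = re.compile(r'^(\S+) "GET /ipad/lookup\?iccid=(\d+)" (\d{3})$')


def enumeration_suspects(lines, threshold: int = 3):
    """Return clients that queried at least `threshold` distinct ICC-IDs.

    A legitimate device queries its own identifier; a client sweeping many
    identifiers (hits and misses alike) is the signal a defender looks for.
    """
    distinct = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, iccid, _status = m.groups()
        distinct[client].add(iccid)
    return sorted(c for c, ids in distinct.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("leaky:", leaky_lookup("89014103211118510721"))
    guard = HardenedLookup(max_requests=3)
    sess = Session(user_iccid="89014103211118510720", client_id="client-1")
    print("hardened, own device:", guard.lookup(sess, "89014103211118510720"))
    print("hardened, other device:", guard.lookup(sess, "89014103211118510721"))
    print("audit:", guard.audit)
    print("enumeration suspects:", enumeration_suspects(LOG_LINES))
```

The hardened version does not make the identifier secret; it makes the identifier irrelevant as a credential, which is the actual fix. The log check counts distinct identifiers per client rather than request volume, so a single device polling its own record repeatedly is not flagged while a sweep across many identifiers is.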

AT&T left a gaping hole in their iPad web scripts. [Image Source: DailyTech/Jason Mick]

But Andrew Auernheimer, Daniel Spitler, and other hackers with the profanely named "troll" hacker collective Goatse Security identified the vulnerability when they were probing AT&T's servers.  They quickly wrote a so-called "data slurper" -- a script that performed a brute force attack, working through tables of ICC-IDs and recording the ones that received a response.

AT&T apologized for the breach and took down the script, closing its hole.

II. Investigation, Trial Conclude in Guilty Verdict

But the damage was already done.  Goatse Sec. had published its results to the blog site Gawker, revealing parts of a data set that contained roughly 114,000 email addresses.  Among the high-profile figures exposed were ABC News anchor Diane Sawyer, New York City Mayor Michael Bloomberg, and current Chicago Mayor Rahm Emanuel.

Soon after the data loss, U.S. Federal Bureau of Investigation agents investigating the incident conducted a raid on the home of Mr. Auernheimer, who had moved from New York to a residence in Arkansas.  Mr. Auernheimer, aka "weev" or "Escher Auernheimer", was arrested by federal agents on suspicion of computer crimes.  Authorities also allegedly found cocaine, LSD, and ecstasy in his residence.  Lawyers for Mr. Auernheimer contend that the raid was unnecessary and illegal.  The security "researcher" has yet to face charges on the drugs found.

However, he was charged with one count of conspiracy to access servers without permission and one count of identity theft.  These offenses -- spelled out in the Computer Fraud and Abuse Act of 1986 (18 USC § 1030) -- carry a maximum sentence of five years in prison and a fine of up to $250,000 USD.

Goatse Security "researcher" Andrew Auernheimer was found guilty of two counts of computer crimes and may be sentenced to up to five years in prison, pending appeal. [Image Source: AP]

Mr. Auernheimer was charged in U.S. District Court for the District of New Jersey, the location where his co-defendant (Daniel Spitler) was charged.  Initially, federal authorities had planned to charge the two members separately, which would have resulted in a trial of Mr. Auernheimer in an Arkansas District Court.  However, the case was eventually shuffled to the New Jersey District Court.

In June 2011, Mr. Spitler, aka "JacksonBrown", pled guilty to the two cybercrime counts, in hopes of receiving a lighter sentence.  He is currently awaiting sentencing.

Mr. Auernheimer fought the charges, but the trial ended with the jury finding Mr. Auernheimer guilty of both counts, despite the fact that Mr. Auernheimer only accessed a gaping open system.

III. Auernheimer to Cyber-Dissidents: Rise Up

Four months after that guilty verdict, Mr. Auernheimer seems more at peace with his coming time behind bars.  He participated in a mostly lighthearted Reddit AmA ("Ask Me Anything") on Sunday before the sentencing.  

Ironically, prosecutors tried to turn Mr. Auernheimer's upbeat and sarcastic Reddit comments against him at the sentencing hearing the next day.  They pushed for 4 years -- nearly the maximum sentence.  The judge instead handed down a slightly shorter 41-month sentence, to be followed by 3 years of supervised release, during which time his electronic behavior will be monitored.

The accused read John Keats' The Fall of Hyperion and told reporters at a press conference, "I'm going to jail for doing arithmetic."

Andrew Auernheimer will soon be headed to a nearly four year stay in prison.
[Image Source: The Verge]

The statement comes just months after his proclamation that he hoped he would get the maximum 5 year sentence to encourage Anonymous and other cyber-rebels to "rise up and storm the decks."

He and his co-defendant Mr. Spitler will have to pay $73,000 USD in restitution if the verdict sticks.  Mr. Auernheimer is currently appealing the sentence.  His attorney, Tor Ekeland, told The Verge in an interview that courts are divided on what exactly constitutes "unauthorized access" in the CFAA, pointing to a possible route for the appeal.

Source: The Verge




Poor Guy Gettin Screwd IMO
By Yeah on 3/19/2013 9:28:48 AM , Rating: 3
So really the guy is getting 3.5 years for posting up what he found and not really for 'hacking' anything. AT&T should have been slapped with a lawsuit from Apple for having such a huge gaping hole in their CGI.

He didn't break in to the server to steal anything .. the CGI at AT&T offered the information if you could provide a valid iPad ID. He just used a program to run the numbers instead of putting them in by hand.

And I certainly wouldn't use the word brute force as that is akin to someone hacking your password... It wasn't brute forced at all .. the CGI at AT&T worked as intended- they just did not see the potential liability in allowing someone to enter in a valid iPad ID and have their system spit out the email address associated with it.

Wow .... I feel for the guy cuz his intentions weren't really malicious .. however he didn't have to post out the data he collected.. then again given the speed that companies in general fix their 'issues' if you don't show straight up what can be done... how long would it have been until AT&T shut down their script server??




RE: Poor Guy Gettin Screwd IMO
By xti on 3/19/13, Rating: -1
RE: Poor Guy Gettin Screwd IMO
By ritualm on 3/19/2013 2:30:44 PM , Rating: 5
quote:
this is just like the case of the hacker who killed himself.

both of them knew what they were doing. they knew there were consequences and they didn't care and took the risk. stop trying to justify them.

You're a retard.

http://www.dailytech.com/Anonymous+Declares+War+on...
quote:
Ortiz decided to hit Swartz with 13 felony charges that could have sent him to jail for up to 35 years. Swartz would also be on the hook for a $1 million fine for his actions. In a 2011 press release, Ortiz declared that, "Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.”

With the U.S. Government breathing down his neck and with no outlet and no amicable resolution in sight to "humanely" resolve his legal woes, Swartz took his own life on January 11, 2013.

After Swartz committed suicide, Ortiz acknowledged that, “There was no evidence against Mr. Swartz indicating that he committed his acts for personal gain” and that his conduct “did not warrant the severe punishments authorized by Congress.”

He either pleads guilty to all 13 felonies, $1-million in damages, and a forever ruined life thanks to your government... or enters a plea bargain where the final sentence may get lightened up, but he still gets his life ruined by the government.

Swartz took his own life because the alternatives are intolerable for anyone with a smidgen of common sense. Then the lawyer who ultimately "killed" him basically admitted "I'm doing all of these things to muck him up, I didn't mean to 'kill' him though!"

Don't freaking tell me that the US government's witch-hunt position on Swartz while he was still alive was remotely justifiable, you insensitive clod!


RE: Poor Guy Gettin Screwd IMO
By xti on 3/20/13, Rating: -1
RE: Poor Guy Gettin Screwd IMO
By ritualm on 3/20/2013 4:56:22 PM , Rating: 2
So you highly approve of McCarthy-style witch hunts orchestrated by your government? Swartz was cleared of wrongdoing, only to get hit with high hell just because somebody in Washington DC wanted his ass in prison.

The government puts you in hot water, then whispers in your ear, "Just admit you screwed up, declare an oath, and swear you won't ever do this again. If you do all of that, we promise to leave you alone." You automatically assume the government is acting to protect your interests. Yet the government has proven time and again that it, like most corporations, simply cannot be trusted to act in your best interests.

You're a retard.


RE: Poor Guy Gettin Screwd IMO
By xti on 3/20/13, Rating: 0
RE: Poor Guy Gettin Screwd IMO
By ritualm on 3/21/2013 12:28:34 AM , Rating: 4
quote:
you're the moron that can't see that suicide is a coward's way out.

That's your comeback?

How about this one: the government has bottomless pockets and practically unlimited time to muck up your life, long after everything is decided - just because it can.

Next: explain to me how this is borderline fair. A big time financial executive gets 6 months at a country club-style minimum security prison for actions that caused the foreclosure of thousands of homes and enriched himself at everyone else's expense. Swartz could've ended up with as much as 35 years total for a comparatively harmless intrusion.
quote:
this screams 'woe is me' and emo crap of today's youth - suicide is someone's own damn fault because you aren't strong enough to live up to your choices.

ALL of this avoided if he didn't post stuff he wasn't supposed to. 'tard.

Right... because the following never happened:
quote:
While Swartz had indeed compromised MIT's network and the JSTOR database, the Middlesex County district court decided that he wouldn't face jail time for his actions. The matter would have been closed and Swartz would have been "off the hook" so to speak, but United States Attorney Carmen M. Ortiz took up the case and things decidedly took a turn for the worse.

Ortiz decided to hit Swartz with 13 felony charges that could have sent him to jail for up to 35 years. Swartz would also be on the hook for a $1 million fine for his actions. In a 2011 press release, Ortiz declared that, "Stealing is stealing whether you use a computer command or a crowbar, and whether you take documents, data or dollars. It is equally harmful to the victim whether you sell what you have stolen or give it away.”

With the U.S. Government breathing down his neck and with no outlet and no amicable resolution in sight to "humanely" resolve his legal woes, Swartz took his own life on January 11, 2013.

After Swartz committed suicide, Ortiz acknowledged that, “There was no evidence against Mr. Swartz indicating that he committed his acts for personal gain” and that his conduct “did not warrant the severe punishments authorized by Congress.”

Who the hell thinks it's right to resurrect a done deal and say, "no, this is wrong, we're going to screw you until we win!"? Swartz wasn't a coward, that title belongs to the government.

xti, you're not just retarded, you're delusional.


RE: Poor Guy Gettin Screwd IMO
By xti on 3/23/13, Rating: 0
RE: Poor Guy Gettin Screwd IMO
By ritualm on 3/21/2013 12:40:30 AM , Rating: 2
Or how about something even simpler.

A corporation "inadvertently" puts supposedly private data online, free for anyone to steal and pilfer. All it gets is a slap on the wrist, several million dollars in fines tops, and a promise to not repeat the same mistake in the future (by the way, a promise that is never kept).

An individual exposing security vulnerabilities in a system used by thousands of customers gets multiple years behind bars, their lives completely ruined by the government and corporation together.

Care to explain how he shouldn't have done what he did?

Oh but this guy drives the point home even better than you do.
http://www.dailytech.com/article.aspx?newsid=30149...

xti, you're not just retarded, you're delusional.


RE: Poor Guy Gettin Screwd IMO
By xti on 3/23/2013 11:18:06 PM , Rating: 1
suicide is cowardly. link whatever you want. then ask families of those that take their lives if it solved anything.

he knew what he was doing going online doing something he wasn't supposed to. tough shit.


RE: Poor Guy Gettin Screwd IMO
By InsGadget on 3/24/2013 12:36:06 PM , Rating: 2
Agree with your contentions, ritualm, but please find another word to use besides "retard".


Not consistent
By Shadowself on 3/19/2013 8:54:59 AM , Rating: 5
These two are not consistent:
quote:
Exploiting iPad flaw proves costly for researcher, despite relatively responsible disclosure process

Nearly four years behind bars; that's the fate a New York security "researcher" faces after being found guilty by a jury of his peers and sentenced by a federal judge on cybercrime charges involving his 2010 exploitation of a flaw in the security of iPad service provider AT&T. He allegedly used the flaw to expose the email address of over 100,000 individuals.


But then Jason has never shied away from an inaccurate headline that says something negative about an Apple product or Apple itself. Yes, the article does go on to explain that AT&T was the source of the flaw, not Apple, but this does not explain the headline.

And since when is 41 months "nearly four years"? It's less than 3.5 years. In any decent mathematics class they would have taught that you round to the nearest whole number or "over three years".




RE: Not consistent
By Newspapercrane on 3/19/2013 9:27:48 AM , Rating: 3
Maybe Mick should get "Nearly 4 Years" in jail for FAILING to do Arithmetic.


RE: Not consistent
By vol7ron on 3/19/2013 9:48:41 AM , Rating: 2
I think the flaw was regarding ICCID of iPads, therefore it was iPad owners that were affected.

To be fully functional, iPad w/internet has both a manufacturer (Apple) and service provider (AT&T). Though it may have been AT&T's fault, they still had the contract and ownership data.


RE: Not consistent
By Reclaimer77 on 3/19/2013 4:29:11 PM , Rating: 3
quote:
And since when is 41 months "nearly four years"? It's less than 3.5 years. In any decent mathematics class they would have taught that you round to the nearest whole number or "over three years".


Okay ass, talk about a nitpick. I mean seriously, you're joking right? I guess you think a headline like "A little less than three and a half years" flows better??

Anyway back on topic, once again our "Justice" system shows complete and utter contempt for its citizens, those they supposedly swore to protect and uphold justice for.

This guy's life is, for all intents and purposes, now ruined. At most a "crime" like this should warrant house arrest or some form of supervised parole, community service, something, a slap on the wrist. Instead, like far FAR too many Americans, we're shipping him off to hardcore prison. For doing what exactly??

quote:
Yes, the article does go on to explain that AT&T was the source of the flaw, not Apple, but this does not explain the headline.


The flaw was on the iPad though. Yes, it's AT&T's fault, but the product in question was the iPad, no getting around that. You're coming off like a butthurt fanboi. Jason is a journalist and his job is to make topics seem interesting. He's not trying to make Apple "look bad" here, give me a break.


The mistake he made was downloading the data
By hashish on 3/19/2013 10:09:38 AM , Rating: 3
Say you find a weak gas main that you know is going to rupture. You don't go take a pick axe to it to cause the rupture then call a journalist to tell them what you found.

He found a security hole. He should have notified authorities and ATT should have been heavily fined. Instead, he accessed the data illegally.

If someone left their car door unlocked, it doesn't mean you can open it and take their cell phone. Just because it was unlocked doesn't make it ok.




By hashish on 3/19/2013 10:10:32 AM , Rating: 3
Granted the punishment does not reflect the crime at all. I would like to know if ATT was ever levied a fine or not?


By ritualm on 3/19/2013 2:18:36 PM , Rating: 2
quote:
He found a security hole. He should have notified authorities and ATT should have been heavily fined. Instead, he accessed the data illegally.

Oh really? Two months ago:

http://www.dailytech.com/Montreal+Students+Academi...

Meanwhile you're harping on how he should have CYA'ed with responsible disclosure? I call a double-freighter load of BS on you, sir.


By bodar on 3/19/2013 6:10:54 PM , Rating: 2
quote:
and ATT should have been heavily fined.


And did AT&T pay a fine for their worthless security? I can't find any articles that indicate that they did. So, clearly the system works. /sarcasm

They were totally in the wrong to release the emails (probably for a payout from Gawker Media), but let's not kid ourselves here.


By SublimeSimplicity on 3/19/2013 9:41:32 AM , Rating: 5
My "peers" are idiots... put them on a jury together and their IQ falls even further.




Absolutely Idiotic
By MTEK on 3/19/2013 4:55:58 PM , Rating: 2
So if I understand this right... let's say there's a web page with an embedded image that I really like. When I right-click and save the file to my desktop (is that still allowed?), I see that it's named "AwesomePic_1-of-1000.png".

So if I were to write a quick for-loop (n=2; n<=1000; n++) that downloads "AwesomePic_{n}-of-1000.png", I could be convicted of hacking another system... ?!




RE: Absolutely Idiotic
By half_duplex on 3/20/2013 8:46:38 PM , Rating: 2
I don't think it was the for-loop that is the issue here, it's impersonating iPad users by counterfeiting iPad requests.

I'm really surprised there wasn't some form of security token included in the Ajax call that would validate the request.

Anyway, trying to be leet and get board cred by publishing the data was stupid, he knew better, time to do the time. What he did isn't really even considered hacking, anyone familiar with wireshark and a little JS could've pulled this off.


You'll all find out, every single one of you.
By strapmonkey on 3/20/2013 9:21:43 PM , Rating: 2
In 2009, while working as a contract pharmacist in a rural healthcare facility, I got a call from the PA on shift. The PA explained that one of the EMT's was at the clinic with his dog ($3000 bird dog, 2 years old). The dog had ingested a large quantity of rat poison, the antidote for which is Vitamin K. The nearest vet was 60 miles away, the EMT was on call (wasn't even supposed to be at the clinic, but we were only a block or so from the EMT quarters). The dog wasn't going to survive the trip anyway. The PA asked if we had any injectable Vit K on hand, and if so, if I'd see fit to dispense the medication to the EMT that he might save his friend. I said yes, and thereby became a federal felon.

For dispensing $143 worth of medication (which amount I tried to reimburse the clinic the following day, and was rebuked), we lost everything. Our house, vehicles, my ability to ever earn a living in my chosen profession (although I still retain my professional license in good standing, I am banned from working for any entity that bills a federally funded program; e.g. Medicare/Medicaid, i.e. all entities). The OIG rousted me out of Wanblee, SD a week after I buried my father. Armed Federal agents arrested me at gun point after threatening me and my wife, the week after we buried my father-in-law. They could have made a phone call; instead they sent armed marshals to point loaded weapons at us whilst screaming obscenities.

I copped a plea and received 3 years probation. Had I gone to trial, I would've lost and served 2 years in a Federal penitentiary.

For $443 (the final determination of restitution), the Federal government was willing to spend upward of $100,000 over a three year period, all to keep a "dangerous felon" off the streets. This does not include $150,000 in Federally insured student loans I will never be able to repay, or the hundreds of thousands of dollars of lost tax revenue over the span of my career.

I currently work day labor for minimum wage. With a Federal larceny conviction, I can't get a job mowing lawns.

Tommy Chong served 18 months in prison for allowing his likeness to be displayed on a brand of marijuana paraphernalia. When he got out, he said "People come up to me and ask "Whoa, man, prison; what was that like?" I tell them "You'll find out. Every single one of you is going to find out." God help us, he is right.

The Federal prosecutorial system is completely off the rails. Their decision to indict and prosecute a case is based entirely on what that prosecution will do for the AUSA in charge. Whether you are low hanging fruit, like me, or a high ticket item, like Swartz, all "civilians" are viewed as an expediency to a higher pay grade, and another notch on the prosecutor's gun. The cost to the individual, and to society as a whole, doesn't even enter the equation.

It is time for the American people to wake up. The longer we wait, the more difficult that awakening becomes.

By the by, the dog survived. Every time the EMT came into the clinic, he made a point of thanking me, and shaking my hand. It was never about the dog, kids. It was about not letting a young man watch his friend die a horrible death, when I could do something to prevent that. For what this has cost me, cost my family, not acting would've cost me so much more. My soul, my humanity and my free will.




By Piiman on 5/4/2013 11:32:15 AM , Rating: 2
You should have taken this to every media outlet you could find.

Since the only reason they go after people without deep pockets in the first place is to pretend they are doing their jobs, the only way to get these jerks to back down is to make them look bad.


Jail Bird
By KOOLTIME on 3/20/2013 12:01:37 PM , Rating: 3
They did not just do arithmetic, that's what these dirt bags always claim, that they are innocent.

They published over 100,000 personal accounts to the open public, that are supposed to be private. That's not research any more at that point.

Sure they find a flaw/bug. But publishing them is where the FAIL happens. A true researcher will say hey Apple/AT&T, I was doing some research and there apparently is a security flaw I found while crunching some numbers, on some scripts.

Working with companies on security flaws vs going public trying to make them look bad, and exposing people's information that are innocent victims, is why these dirt bags need lots of jail time.

100,000 people that are just trying to use a phone or iPad or any other electronic media on the internet don't deserve to have their personal data posted public, due to software flaws/bugs, every single time. People that do that need max prison time.




Wow... scary dude there.....
By Integral9 on 3/19/2013 9:56:05 AM , Rating: 2
...so glad he's behind bars for 3.5 years. I'm gonna sleep so much better at night knowing that this *hard core criminal* is serving the same amount of time as people do for manslaughter... <sarcasm>




So how many years did AT&T get?
By rs2 on 3/19/2013 11:23:40 PM , Rating: 2
...for publishing an absurdly insecure web-service in the first place. I'm hoping it's a lot. Please tell me it's a lot.

The problem with this verdict (or at least, one problem of many) is that it tells developers and large organizations "it's okay to deploy your webservice without giving a passing thought to security; when your obvious vulnerabilities are exposed we'll help you crucify the people who exposed your own ineptitude".




By chick0n on 3/19/2013 10:29:55 PM , Rating: 1
I remember this news, the FBI raided his home like the next day or 2? is it really necessary? they never work as fast on other kinds of crime ---- they work fast ONLY if it involves some corporation. Remember how Apple lost one of their "engineering" samples of iPhone 4? holy crap they made it like it was the biggest ape shit ever and raided that guy's home like he is a terrorist.

and funny thing is, fbi never gives a shit about all those serial killers, drug lords, etc etc.

So they put this guy behind bars while they let all these mom killing her baby/serial rapist/etc etc go.

talk about failed.




Copyright 2015 DailyTech LLC.