jueves, 20 de enero de 2011

Two Are Charged With Fraud in iPad Security Breach


NEWARK — Federal prosecutors arrested two men on Tuesday on charges of fraud and conspiracy in obtaining and distributing the e-mail addresses of 114,000 iPad 3G owners.  The men, Daniel Spitler, 26, and Andrew Auernheimer, 25, who are part of a group known as Goatse Security, gained national attention last June when they discovered a security loophole on AT&T’s Web site that allowed them to gain access to the addresses and corresponding iPad identification numbers.

Those affected by the breach included military personnel, members of the Senate and the House of Representatives, and employees of NASA and the Department of Homeland Security. Mr. Auernheimer, of Fayetteville, Ark., was taken into custody by the F.B.I. there on Tuesday and was charged in federal court there. Mr. Spitler, of San Francisco, surrendered to the authorities in Newark. Each man is charged with one count of conspiracy to access a computer without authorization and one count of fraud, according to the United States district attorney’s office in Newark. Each count carries a maximum penalty of five years in prison and a $250,000 fine.

In July, an informer gave federal agents more than 150 pages of chat logs with exchanges between Mr. Spitler and Mr. Auernheimer. Transcripts of the logs provided by the district attorney’s office outline how the two men were able to gather the information from AT&T’s site, and show the two men speculating about potential ways to use it.

“This could be like, a future massive phishing operation,” Mr. Auernheimer wrote, referring to the practice of using fraudulent messages to trick people into disclosing confidential information. “Serious like [sic] this is valuable data.” There was no indication that the men tried to sell the information.

In another exchange with an unidentified person, Mr. Spitler said he did not think he was doing anything illegal. When asked why, he replied, “cause I didn’t hack anything.”

At a hearing Tuesday in United States District Court in Newark, prosecutors tried to paint Mr. Spitler as a rogue hacker, citing the chat logs. But Mr. Spitler’s court-appointed lawyer, Susan Cassell, argued that Mr. Auernheimer had made the damaging remarks in the logs.

Mr. Spitler was released on $50,000 bail, and Judge Claire C. Cecchi restricted his travel and use of the Internet. A bond hearing for Mr. Auernheimer is scheduled for Friday, The Associated Press reported. His lawyer could not be reached for comment.

At a news conference in Newark, Paul J. Fishman, the United States attorney for New Jersey, likened Mr. Auernheimer and Mr. Spitler to “a group of people who took a car for a joy ride.”

“The reason they bragged about it is because in the community that they travel in, it’s important for them that the people in their community know about the hack,” Mr. Fishman said.

Mr. Auernheimer, who goes by the online alias Weev, and Mr. Spitler, who uses the handle JacksonBrown, are both associated with a loose group of hackers and programmers called Goatse Security that tinkers with online services, prosecutors said.

Although the complaint filed by the Justice Department says that the Goatse Security group may involve as many as 10 people, the district attorney said there was no plan to charge anyone else in the case.

The Goatse Security group originally maintained, in an open letter to AT&T in June, that it exposed the security vulnerability on the company’s site to alert it to the problem. The flaw allowed anyone to discover e-mail addresses by submitting potential iPad identification numbers to the site.

The group’s post said that “all data was gathered from a public Web server with no password, accessible by anyone on the Internet.” The hacked servers were based in New Jersey and 16,000 of the e-mail addresses were for New Jersey residents.

No actual e-mail messages were available through the security hole. But AT&T has described the group’s collection of data as “malicious” and has said that it could have exposed customers to spam or fraud.

Mark Siegel, an AT&T spokesman, said Tuesday in a statement that the company took the privacy of its customers “very seriously.”

“We cooperate with law enforcement whenever necessary to protect it,” he continued.

Mr. Siegel directed further inquiries to Mr. Fishman’s office. Trudy Muller, a spokeswoman at Apple, declined to comment on the matter.

Richard Wang, manager of the security firm SophosLabs in the United States, said there was “criticism to be leveled at both sides” in the case.

“AT&T’s site wasn’t sufficiently secure,” Mr. Wang said. The company may have felt pressure to take strong action, he said, considering the data leak involved a prominent business partner.

But in general, Mr. Wang said, the security risk was low. He said the Goatse Security group could have handled matters in a way that would have let it avoid prosecution.