Fayetteville man charged in e-mail scam

 Andrew Auernheimer

Andrew Auernheimer

Wednesday, January 19, 2011

— A Fayetteville man is in jail awaiting a bond determination on federal charges that he and another man hacked into AT&T servers and stole the e-mail addresses of thousands of iPad users.

Andrew Alan Escher Auernheimer laughed Tuesday as he read the affidavit accusing him of stealing 120,000 email addresses of people using Apple iPads on AT&T’s data network.

“This is a great affidavit - fantastic reading,” Auernheimer told two FBI agentsbefore his hearing in U.S. District Court in Fayetteville.

Auernheimer, 25, of Fayetteville and Daniel Spitler, 26, of San Francisco were arrested separately Tuesday. The pair is accused of taking advantage last June of how AT&T at the time tracked iPad users connecting to the Internet through the company’s wireless network. The iPad is the tablet computer introduced by Apple last April.

The men promote themselves as being part of Goatse Security, which the FBIdescribes in court records as “a loose association of Internet hackers and self-professed Internet ‘trolls.’” A “troll” is someone who “intentionally and without authorization, disrupts services and content on the Internet,” the FBI said.

Copies of internet relay chat logs included in court records state that Spitler represented himself as the person who created the scripting language that was used to obtain the e-mail addresses. “Internet relay chat” is a form of online text-messaging.

Some of the addresses were used by famous people, such as then-White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg and ABC News’ Diane Sawyer, court records state.

The script mimicked how iPads communicated with the network, which link devicespecific numbers to e-mail addresses of the users. As the number/e-mail pairing began trickling in, the two discussed what to do with the information, eventually settling on making the breach public, records state.

The stolen e-mail addresses, on their own, aren’t that valuable; many of them easily could have been guessed by knowing a person’s name and how his e-mail service structures its email addresses.

But once cybercriminals and spammers knew a person was an iPad owner and an AT&Tcustomer, they could have sent e-mails that looked like they came from Apple or AT&T, tricking recipients into opening them.

Those emails could, inturn, plant malicious software on the recipient’s computer or trick the person into sharing private information, such as Social Security or credit card numbers.

Spitler surrendered to authorities in New Jersey on Tuesday, where the two face federal charges of conspiracy to access a computer without authorization and fraud in connection with personal information. Authorities said thousands of victims in the case live in New Jersey.

Auernheimer encouraged Spitler to continue amassing as many number/e-mail pairings as possible because AT&T would fix the problem as soon as it became public, court records show. Auernheimer was confident they could get media coverage published by Gawker. com, a website that advertises itself as providing “Gossip from Manhattan and the Beltway toHollywood and the Valley.”

In June, AT&T acknowledged a security weak spot on a website that exposed the e-mail addresses of apparently more than 100,000 iPad users. The company said that the vulnerability affected only iPad users who signed up for AT&T’s wireless Internet service and that it had fixed the problem.

On Nov. 17, court records state, Auernheimer sent an e-mail to an assistant U.S. attorney in New Jersey taking credit for the data breach saying, “AT&T needs to be held accountable for their insecure infrastructure as a public utility and we must defend the rights of consumers, over the rights of shareholders.”

Contrary to what he’d told Gawker, Auernheimer told other members of Goatse that he never told AT&T about the breach and said he hopes the company sues him.

Auernheimer was arrested in Washington County Circuit Court by federal agents about 8 a.m. Tuesday before he was to be tried on state drug possession charges. He was arrested in June by Fayetteville police who said they discovered LSD, cocaine, Ecstasy and oxycodone while searching his home on a federal warrant.

“Before we walked into court four federal officers arrested him,” Fayetteville attorney Drew Ledbetter said Tuesday.

“That means that he is going to be extradited to New Jersey to face whatever charges the federal government wants to charge him with,” Ledbetter said.

Washington County Prosecuting Attorney John Threet said he would drop the state charges because Auernheimer will be taken to New Jersey to face the federal charges.

Auernheimer and Spitler each face up to five years in federal prison and a $250,000fine for each count, according to an announcement issued by U.S. Attorney Paul J. Fishman, who serves the District of New Jersey.

Spitler is free on a $50,000 bond, said Rebekah Carmichael, spokesman for the New Jersey district.

Carmichael said Spitler is under travel restrictions but allowed to return home to California and can only use the Internet for his job. He has been a security guard at a Borders bookstore.

Auernheimer will remain in Washington County jail awaiting a detention hearing, set for 9 a.m. Friday. He waived his right to a probable cause hearing at his initial appearance Tuesday before U.S. Magistrate Judge Erin Setser.

Setser inquired about Auernheimer’s sobriety after he told her during the hearing he’d been drinking until about 6:30 a.m. He said he was not drunk.

Ken Osborne, a federal public defender, was appointed for the hearings in Fayetteville, though Auernheimer has another public defender in New Jersey.

Setser asked if Auernheimer wanted Osborne’s counsel.

“Yeah,” Auernheimer responded. “He seems like a great guy.” To contact this reporter:

[email protected]

-

———◊--

——— Information for this article was contributed by Ron Wood of the Northwest Arkansas Times and The Associated Press.

Northwest Arkansas, Pages 7 on 01/19/2011