A computer hacker who helped write the malicious code behind a breach of AT&T’s computer servers admitted today that he conspired with another Internet “troll” to hack into the servers, steal information from “the most exclusive list of [iPad subscribers] on the planet,” and then boast about it online.
The feds say Spitler’s partner, Andrew Auernheimer , masterminded the breach
In pleading guilty to his part in the attack, Daniel Spitler, 26, of San Francisco, didn’t agree to help the government in its case against the accused mastermind of the scheme, 25-year-old Andrew Auernheimer, 25, of Fayetteville, Ark.
As a result, he’s looking at up to five years in federal prison, along with a fine of up to $250,000.
U.S. District Court Judge Susan D. Wigenton set a Sept. 28 sentencing date.
“Computer hackers are exacting an increasing toll on our society, damaging individuals and organizations to gain notoriety for themselves,” said U.S. Attorney Paul Fishman, whose office is handling the cases against both men. “Hacks have serious implications – from the personal devastation of a stolen identity to danger to our national security.
“In the wake of other recent hacking attacks by loose-knit organizations like Anonymous and LulzSec, Daniel Spitler’s guilty plea is a timely reminder of the consequences of treating criminal activity as a competitive sport.”
In January, Spitler told Channel 2 news reporter Christine Sloan “…a lot of the information in the complaint was misquoted and a lot of things were taken out of context.”
“This is blown way out of proportion,” he said, outside the Martin Luther King Jr. federal courthouse in Newark.
However, Auernheimer told CNET that Spitler “used this AT&T security maintenance app” to hack into AT&T, showing servers how vulnerable they were. “It was part of the normal user experience that tipped him off to something that would allow him to scrape this data.”
The total monetary loss was about $30,000, which Spitler must repay under his plea agreement with the government.
Auernheimer — known as “Weev” — later accused Assistant U.S. Attorney Lee Vartan, then the lead federal prosecutor in the case, of conducting a “smear campaign” against him. In an open letter, he predicted that Vartan “may be required to resign” as a result of the investigation.
“[U]ltimately, you will be held accountable to the people for your actions,” Auernheimer wrote, adding that he believed the government was prepared to “engage in the manufacture of evidence” to prosecute him.
FBI investigators said all of the evidence was produced by both men. This included videos posted by Auernheimer urging people to arm themselves with “lots of” guns and saying, “Jesus wasn’t a kike.”
All told, the hackers reportedly swiped email addresses for members of several branches of the military, NASA, the FCC, the Senate, the House of Representatives, the Department of Justice, the Department of Homeland Security and the National Institute of Health, as well as for executives from The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO, Hearst as well as others from Google, Amazon, AOL, Microsoft, Goldman Sachs, JP Morgan, Citigroup and Morgan Stanley.
Also on the list were Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.
They even posted a video that shows how they did it:
“I hack, I ruin, I make piles of money. I make people afraid for their lives,” Auernheimer boasted.
Because he was “very public concerning his hacking and trolling activities, giving interviews to The New York Times, as well as other publications,” said FBI agent Christian Schorte, Auernheimer clearly “was not working for the public interest.”
He couldn’t have done it without Spitler, federal prosecutors said.
An “Account Slurper” created by Spitler for what the duo called “Goatse Security” attacked AT&T’s servers for several days in early June 2010, with the purpose of harvesting as many email addresses as possible from Apple iPad users who accessed the Internet through the 3G network, Schorte wrote in an application for a warrant to search Auernheimer’s Fayetteville home.
The slurper, he said, “was designed to mimic the behavior of an iPad 3G so that AT&T servers would falsely believe that the servers were communicating with an actual iPad 3G.”
During the “brute force” attack, the slurper cycled through different possible account numbers until it hit on genuine AT&T accounts, then stole the email addresses and other information, the agent added.
Auernheimer and Spitler then gave the information to the gossip website gawker.com, the government alleges in a criminal complaint. Gawker then published an article “Breach Details: Who Did It and How,” in which it said the breach “exposed the most exclusive email list on the planet.”
FBI agents said Auernheimer even emailed a members of News Corp’s Board of Directors, saying, “Your iPad’s unique network identifier was pulled straight out of AT&T’s database.”
Auernheimer also claimed he trolled Amazon.com and caused a “one billion dollar change in their market capitalization.”
According to the FBI, Auernheimer also told The New York Times he had collected hundreds of Social Security numbers — and, as proof, sent the number of the author of the story.
FBI agents identified Auernheimer as the author of the emails thanks to, of all people, his parents.
Spitler admitted today that he and Auernheimer exchanged instant messages that clearly show his involvement in the breach. The two discussed ways of destroying evidence linking them to the crime, he said.
FOR MORE, SEE: Government: Evidence clearly points to two men as hackers of 120,000 Apple iPad accounts through AT&T
Fishman credited special agents of the FBI’s Newark Cyber Crimes Task Force, as well as the forensic examiners of the New Jersey Regional Computer Forensics Laboratory and the New Jersey Division of Criminal Justice.
He also thanked special agents of the FBI’s Little Rock, Arkansas Divison, Fayetteville Resident Agency; and the San Francsiso Division; as well as the U.S. Attorney’s Office for the Western District of Arkansas.
Now handling the case for the government is Assistant U.S. Attorney Zach Intrater of the Computer Hacking and Intellectual Property Section.
“It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information,” said Michael B. Ward, Special Agent In Charge of the FBI’s Newark Division. “Because of the popularity and widespread use of the new and emerging technology of the iPad and devices like it, it was absolutely critical that emerging threats to it were addressed promptly and aggressively.”
Click here to sign up for Daily Voice's free daily emails and news alerts.