If a Web site leaves sensitive data hanging out in the open, can you still be accused of hacking when you grab it? Turns out, the answer is “hell, yeah!” But lots of people still do it.
OK – you’re walking down the street and you come upon this apple tree in some one’s front yard. It’s a lovely tree, full of ripe apples. And, just by standing on the street, you can reach into the yard and jiggle the branch of this apple tree and these lovely, ripe apples just drop to your feet. Are you stealing the apples by shaking the branch and then walking away with the fruit that falls off? Or, how about this: you’re at this vending machine and the dude who was servicing it just left the door to the machine wide open, so you can reach in and take the bag of Funyuns without paying for them. Is that stealing?
Turns out, the answer is both cases is “hell yeah!” But most of us might see these types of scenarios as more ambiguous than the cut and dry “throw-the-brick-through-the-window, snatch-the-diamond-necklace-and-run-away” kind of property crime. And those ambiguities are going to be front and center in the case of the two men who were arrested, this week, and charged in the high profile hack of a server holding the account information of VIP iPad owners.
Like the vending machine with its door swinging wide open, woefully lax security on the AT&T server hosting the iPad accounts left the data in question all but out in the open. And that will raise thorny issues about who is and who isn’t “hacking,” and shine a light on the spotty privacy and data security practices that abound on the Internet, experts say.
A criminal complaint filed in the U.S. District Court for the District of New Jersey on Tuesday charged two men, Daniel Spitler and Andrew Auernheimer for their compromise of a server operated by AT&T. The server held the device identifiers and e-mail addresses for more than 100,000 VIPs – including prominent journalists, politicians, celebrities and members of the military – who were given pre-release copies of the iPad.
The complaint charges Spitler and Auernheimer, both affiliated with the online mischief making organization GOATSE Security, with violations of U.S. federal law and New Jersey State law for what the U.S. Attorney describes as a “brute force” attack on AT&T’s servers that yielded pairings of iPad identifiers and e-mail addresses for members of the media, government and U.S. military. The men face fines of $250,000 if convicted, and prison sentences of up to five years for their actions.
The men are accused of using a specialized PHP script, dubbed the “Account Slurper” (what else!?), to mimic the behavior of an iPad and query the server with ranges of valid ICC-ID values – the unique device identifiers used by iPads. In the end, as we know, the two made off with more than 100,000 e-mail addresses and turned them over to the media (after debating using them for spam runs and spear phishing attacks, we now learn.)
We know that the stolen data could have been used for more than just spamming, and that AT&T wrote a new chapter in the book on ‘How Not To Respond To Data Breaches’ in its handling of the incident. But lax security practices by AT&T will likely be front and center in this case, with attention to the loose practices that allowed the two men to harvest e-mail addresses from a publicly accessible server simply by figuring out how to generate correct iPad device identifier, known as the ICC-ID.
Though spectacular, the hack by the GOATSE members didn’t require the compromise of any authentication and was simple enough that one of the defendents wondered, in an online chat obtained by the U.S. Attorney, whether what they were doing really constituted hacking.
“If you use some one’s ICCID on the iPad service site, it gives you their address,” Spitler writes in an online exchange with Auernheimer from June 5, 2010. “(I) dunno how legal this is or if they could sue for damages” Spitler wonders in a later exchange.
While Spitler, who used the online handle “JacksonBrown” was assured by his compatriots in GOATSE that what he was doing was illegal and that he could, in fact, face criminal or civil charges for it, he was still dubious. “why isn’t it (criminal) why don’t you think it is” writes a GOATSE member using the online handle Rucas in an online exchange with Spitler, who replied “cause I ddnt (sp) hack anything”. ”
Jeremiah Grossman, CTO of Web application security company Whitehat said that what Spitler and Auernheimer were doing was clearly crossing the line.
“I would never recommend that someone do what they did without permission,” Grossman told Threatpost. “It can be hard to say what’s legal and illegal, but its probably a bad idea.”
But Grossman and others said the kind of language used to describe their actions – the complaint refers repeatedly to a “brute force” attack on AT&T’s server – stretches the commonly accepted definition for that term. “I tend to think of brute force attacks in the context of encryption keys or passwords,” he said.
The federal Computer Fraud and Abuse Act (CFAA) under which the men are charged (in part) make it illegal to intentionally access a computer “without authorization” or to “exceed authorized access” on a computer. But semantics matter, and the definition of “without authorization” isn’t defined specifically. Past cases seem to set the definition of “without authorization” to mean a “reasonable expectation” of conduct – a broad concept that might mean “any use of the computer that’s other than what its owner intended.” Others argue for a narrower definition that would prohibit uses totally unrelated to the function of the computer. In either case, the GOATSE case would seem to run afoul of the CFAA But prior cases, and previous cases, like EF Cultural Travel BV v. Exploirca Inc., from 2001, explicitly prohibit the kinds of Web site scraping, slurping and related forms of automated data skimming that GOATSE engaged in.
Alas, that kind of activity is quite common online – and not just by shadowy hacking and trolling groups. Grossman points to recent reports about Bloomberg’s use of automated slurping of the kind GOATSE engages in to grab publicly accessible but unpublished earnings reports hours before their official release. The techniques for grabbing that information aren’t significantly different from GOATSE’s trawling of AT&T servers for iPAD IDs and e-mails, but no charges have been pressed against Bloomberg for what’s seen as heads up reporting.
“If the legal definition (of brute force attacks) is expanded to such a degree, then Bloomberg better watch out, they pretty much did/do the same thing,” Grossman wrote.
The sad truth is that the kind of lax security exhibited by AT&T is common online, Grossman said, where even large corporations fail to build Web applications securely, leaving data at risk. “Bugs are a fact of life, but that means that you should go out and hack yourself first,” he said.
Firms like Google and Mozilla now pay bounties for vulnerabilities of the type the GOATSE crew ginned up. Had the GOATSE hackers gone to AT&T with their findings, rather than the press, they probably would have been thanked, rather than sued. Experts like Grossman worry that a stiff judgement against the iPad hackers may have a chilling effect: with good citizens will be reluctant to disclose holes that they find, while cyber criminals continue to keep their findings to themselves.