Goatse Security Hacker Jailed On Drug Charges

Goatse Security member Andrew Auernheimer, 24, also known in the hacker community as Escher and Weev, was detained in the Washington County Sheriff's Office jail after being charged with four felony counts of possession of controlled substance and one related misdemeanor charge, a sheriff's department spokesperson said Wednesday.

The FBI detected the drugs while executing a search warrant at Auernheimer's apartment related to a security breach on an AT&T Web application that enabled hackers to obtain around 114,000 e-mail addresses of Apple iPad 3G customers. Further details from the FBI were not immediately available.

Auernheimer and other Goatse Security members made waves last week when they exploited a security feature on an AT&T authentication site that enabled them to access iPad customers e-mail addresses in exchange for a customer ID, known as the ICC-ID, associated with the device's SIM card. Some of the affected iPad customers included high-profile executives, military personnel and politicians, including New York Times Co. CEO Janet Robinson and New York Mayor Michael Bloomberg.

Auernheimer, who also provided the first name of Escher during interviews with The Wall Street Journal, last week, defended Goatse Security's motivations for exploiting the security flaw in a blog post, maintaining that the group exposed security holes in AT&T's Web application to help prevent iPad users from becoming vulnerable to a malicious attack.

Auernheimer's blog came in response to a letter circulated by AT&T, which apologized for the security breach but blamed the incident on Goatse hackers. AT&T plugged the security hole on Wednesday, two days after Goatse said that they alerted the company to the breach.

"The hacker deliberately went to great efforts with a random program to extract the information," said Dorothy Attwood, AT&T's chief privacy officer, in an e-mail to affected iPad customers. "They then put together a list of these e-mails and distributed it for their own publicity. We apologize for the incident and any inconvenience it may have caused."

The FBI launched an investigation last week after Gawker first broke the story, possibly galvanized to action when it came to light that victims included President Obama's White House Chief of Staff Rahm Emanuel, Air Force Col. William Eldridge, and other military personnel registering DARPA domains to their iPad.

Meanwhile, Goatse also accused the telecom giant and Apple of negligence in addressing a critical flaw in Safari, which the hacker group claimed AT&T has known about since March. Apple repaired the Safari vulnerability on the desktop but had yet to plug the hole in iPad more than two months later, Auemheimer said.

"This bug we crafted allows the viewer of a Web page to become a proxy for spamming, exploit payloads, password bruteforce [sic] attacks, and other undesireables," Auemheimer wrote in a blog post. "The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t' got around to patching this on the iPad."

Apple's failure to patch the flaw on the device ultimately enabled hackers to develop code and launch malicious attacks on users' iPads, which could, among other things, steal sensitive data and login credentials.