To cap off a summer of devastating corporate data breaches, hackers yesterday
posted online what might be the crown jewel of 2012 data dumps: 1 million
identification numbers for Apple iPhones, iPads and iPod Touches, all
purportedly stolen from the FBI.
There may also be an additional 11 million Apple device IDs yet to be
released, many with users' full names, addresses and telephone numbers attached.
"Why exposing [sic] this personal data?" asked the unnamed writer of the Pastebin
posting announcing the data dump, who claimed to be affiliated with the
anti-government hacktivist group AntiSec. "Well, we have learnt it seems
quite clear nobody pays attention if you just come and say 'Hey, FBI is using
your device details and info and who the [expletive] knows what the hell are
they experimenting with that,' well sorry, but nobody will care."
The FBI has asked other websites to remove the link to the Pastebin
posting on the grounds that the posting is spreading malware.
SecurityNewsDaily can find no evidence of embedded malware in the
Pastebin page, but reminds users to run an anti-virus scan on any
material downloaded from file-sharing sites.
"If this story is true, then the real question becomes one of why an
FBI agent is carrying this personally identifiable information on his
laptop, and what sort of security practices the FBI is taking to protect
that information," said Jennifer Granick, a digital-rights attorney who
is currently the director of civil liberties at the Stanford Law School
Center for Internet and Society.
In a statement released late Tuesday, the FBI denied involvement in the affair.
"At this time, there is no evidence indicating that an FBI laptop was
compromised or that the FBI either sought or obtained this data," two
different FBI spokesmen told SecurityNewsDaily.
Safe … for now
Users of the 1 million affected devices are, for the moment, probably
not in any danger of identity theft or account takeovers. However, they
may want to know why the FBI apparently had their device IDs on file.
"I'd say the owner has already been subject of theft, if Apple or a
software manufacturer has been providing government agencies with the
ability to track the identities of the devices' owners," said Jonathan
Zdziarski, an iPhone forensics specialist with Chicago-based security
firm ViaForensics. "I don't think the UDID itself could be used to
attack the owner."
Apple unique device identification numbers (UDIDs) establish a single iOS
device's identity in the Apple ecosystem, letting iTunes and app developers know
which device is running what.
UDIDs are what lock most iOS devices into installing only software from the
iTunes App Store, and what let game developers keep track of each user's high
score.
The 88-megabyte file posted by AntiSec on several file-sharing sites is
heavily encrypted, but the Pastebin posting offers detailed
instructions for decrypting it using open-source software.
To check whether your iPhone, iPad or iPod Touch's UDID might be among those
affected, a software developer based in Florida has already posted a tool at http://kimosabe.net/test.html.
Apple UDIDs can be found by plugging an iOS device into a
computer, opening iTunes and clicking on the device serial number displayed.
Mac-centric website MacOS Rumors has verified that many of the UDIDs
in the data dump are genuine, but notes that "UDIDs themselves are rather
harmless in isolation."
However, New Zealand-based security researcher Aldo Cortesi has shown that thanks to disregard
of Apple's security guidelines by iOS game and app developers, it's possible to
determine a user's identity through a UDID alone.
Hacker counterintelligence
The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous
hack into the laptop of FBI agent Christopher Stangl, a member of a New
York-based cybercrime task force.
Stangl has spoken publicly on matters of cybersecurity, appearing in February
2011 on a panel discussion on cybercrime attended by
SecurityNewsDaily. Two years earlier, he starred in an FBI recruitment video posted on Facebook.
Stangl was also among 44 American and European law-enforcement personnel
copied on an email, sent in January 2012, inviting recipients to join a
conference call to discuss efforts against the hacktivist groups Anonymous and
LulzSec.
Anonymous intercepted the email and used it to eavesdrop on and record the
conference call, which they then posted online in February 2012.
According to yesterday's Pastebin post, hackers used a then-new Java exploit
to get into Stangl's machine.
"During the second week of March 2012, a Dell Vostro notebook, used by
Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action
Team and New York FBI Office Evidence Response Team was breached using the
AtomicReferenceArray vulnerability on Java," the posting states. "During the
shell session some files were downloaded from his Desktop folder one of them
with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232
Apple iOS devices including Unique Device Identifiers (UDID), user names, name
of device, type of device, Apple Push Notification Service tokens, zipcodes,
cellphone numbers, addresses, etc. the personal details fields referring to
people appears many times empty leaving the whole list incompleted on many
parts."
"No other file on the same folder makes mention about this list or its
purpose," adds the writer of the Pastebin post.
"CSV" is the Windows filetype for a list of comma-separated values, in which
each field of a database record is separated from the next by a comma; such
files can be read by Microsoft Excel and many other applications.
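As an added example (not from the article, the Pastebin post or any of the parties named), the script below parses a constructed sample laid out with the columns the post describes, validates the UDID format, reports how many rows actually carry personal details (the post says those fields are often empty), and lets a device owner test a UDID prefix against the list without submitting the whole identifier. The column names, sample values and the prefix-check approach are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample in the column layout the Pastebin post describes:
# UDID, user name, device name, device type, APNS token, zip, phone, address.
# Every value is made up; UDIDs are 40 hex characters (the iOS UDID format).
SAMPLE_CSV = """udid,user_name,device_name,device_type,apns_token,zipcode,phone,address
0123456789abcdef0123456789abcdef01234567,alice,Alice's iPhone,iPhone,,,,
89abcdef0123456789abcdef0123456789abcdef,,Bob's iPad,iPad,,10001,555-0100,1 Main St
fedcba9876543210fedcba9876543210fedcba98,carol,Carol's iPod,iPod touch,,,,
NOT-A-UDID,dave,Dave's iPhone,iPhone,,,,
"""

UDID_RE = re.compile(r"^[0-9a-f]{40}$")
PII_FIELDS = ("user_name", "zipcode", "phone", "address")


def load_records(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def udid_is_valid(udid):
    """True if the value looks like an iOS UDID: exactly 40 hex characters."""
    return bool(UDID_RE.match(udid.strip().lower()))


def pii_completeness(records):
    """Count, per personal-details field, how many rows actually carry a value."""
    counts = Counter()
    for row in records:
        for field in PII_FIELDS:
            if (row.get(field) or "").strip():
                counts[field] += 1
    return dict(counts)


def affected_udids(records):
    """Set of well-formed UDIDs in the dump; malformed rows are skipped."""
    return {r["udid"].strip().lower() for r in records if udid_is_valid(r["udid"])}


def prefix_matches(udids, prefix):
    """Number of dumped UDIDs sharing a prefix, so an owner can check exposure
    without handing the full identifier to a third-party lookup site."""
    prefix = prefix.strip().lower()
    return sum(1 for u in udids if u.startswith(prefix))


if __name__ == "__main__":
    rows = load_records(SAMPLE_CSV)
    dump = affected_udids(rows)
    print(len(rows), "rows;", len(dump), "well-formed UDIDs")
    print("rows with each PII field present:", pii_completeness(rows))
    print("matches for prefix 01234:", prefix_matches(dump, "01234"))
```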
"NCFTA" may refer to the National Cyber-Forensics & Training Alliance, a
Pittsburgh-based non-profit organization that, in its own words, "functions as a conduit
between private industry and law enforcement with a core mission to identify,
mitigate and neutralize cybercrime."
It is not clear why an FBI agent would have a database of 12.4 million iOS
device UDIDs on his laptop, nor why the NCFTA would have provided them to him.
"It would not surprise me if either a large social or financial network
(e.g. Twitter, Facebook, PayPal, etc) or possibly even Apple had some
kind of agreement to provide this data on a contractual basis,"
Zdziarski said. "As far as why the FBI would want this information — it
could be used [in] a number of different ways to track individuals."
Requests for comment by SecurityNewsDaily to Apple and the NCFTA were not immediately returned.
Sprechen Sie Deutsch?
In a blog posting this morning, Errata Security CEO Robert Graham theorizes that
the hackers may have used the intercepted FBI email to "spear phish" the email's recipients, luring them to a
rigged website that would have loaded the brand-new, or "zero-day," Java exploit
onto their machines.
"If I have an email list of victims, and a new [zero]-day appears, I'm
immediately going to phish with it," wrote Graham. "It's not Chinese uber APT
[advanced persistent threat] hackers, it's just monkeys mindless[ly] following a
script."
Graham Cluley, a security researcher with the British firm Sophos, pointed out today that the Pastebin writer may
be a native German speaker, judging by an impolite message in German to Mitt
Romney at the end of the post. The stilted English grammar, frequent use of the
preposition "so" to begin sentences, a reference to Austrian banks and a Goethe
quotation also indicate a German-language connection.
As might be expected, the writer makes shout-outs to Anonymous, WikiLeaks,
the Syrian rebels and the imprisoned Russian punk band Pussy Riot, and criticizes National Security Agency head Gen. Keith Alexander's appeal in July to hackers to join
the government.
But the writer also cites Jack Henry Abbott, the prison-based writer who was
paroled in 1981 thanks to the efforts of famed author Norman Mailer. Abbott
killed another man six weeks into his parole and spent the rest of his life in
prison.
The writer also uses the Latin phrase "argumentum ad baculum," or "appeal to
the stick," the proposition that arguments, however flawed, can be won through
use of force.
In a dig at the press, the writer also demands that Adrian Chen, a technology
reporter at the gossip blog Gawker who has written extensively on Anonymous,
humiliate himself on camera.
"No more interviews to anyone till Adrian Chen get featured in the front page
of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and
shoe on the head," the posting says. "No Photoshop."
Update 4:40 p.m. ET, Sept. 4: According to a law enforcement official who spoke to NBC News on condition of anonymity, "The FBI is aware of published
reports alleging that an FBI laptop was compromised and private data regarding
Apple UDIDs was exposed. At this time, there is no evidence indicating
that an FBI laptop was compromised or that the FBI either sought or obtained
this data."
Tuesday, September 4, 2012