“Why does the FBI have your UDID (and 12.4 million more)?” FBI Laptop Hacked…1 million Apple IDs posted online
September 4, 2012
Posted by Chris Mark in cyberespionage, cybersecurity. Tags: anonymous, Apple, Christopher Stangl, Cyber Action Team, data breach, fbi, Hacked, mark consulting group, UDID
*UPDATE* It was reported yesterday that the FBI laptop was not, in fact, the source of the UDIDs that were hacked. A company called Blue Toad revealed that it was the source of the stolen IDs. It’s not clear how the data was stolen from Blue Toad or what, if any, relationship exists between the company and the laptop that was first identified as the source of the breach.***
According to NBC News, hackers associated with the anti-government group AntiSec have hacked an FBI Agent’s laptop and posted over 1 million Apple Unique Device Identification Numbers, or UDIDs, online. The Apple UDID is used by Apple to determine what applications are running and to lock down the phones, iPads and computers from other applications. Alone, they do not represent personally identifiable information. However, New Zealand-based security researcher Aldo Cortesi has shown that, thanks to disregard of Apple’s security guidelines by iOS game and app developers, it’s possible to determine a user’s identity through a UDID alone. According to the story:
“The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force. “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” the posting states. “During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.”
Why the FBI has such a list of over 12 million UDIDs is an interesting question. Why the list would be on a laptop is another interesting question. To check whether your iPhone, iPad or iPod Touch’s UDID might be among those affected, a Unix developer based in Florida has already posted a tool: http://kimosabe.net/test.html
“Poisoned Apple?” – OSX Lion Encryption Passwords Insecure
May 7, 2012
Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy, PCI DSS. Tags: Apple, Chris Mark, cybercrime, cybersecurity, encryption, FileVault, InfoSec & Privacy, mark consulting group, password, security
For years many Apple purists (I used to be one) have been touting the inherent security of the Apple operating system. According to TechCrunch, in February 2012 it was discovered that OSX Lion (the newest OS from Apple) had a major security weakness, which was released widely within the last few days. It was disclosed that the FileVault encryption passwords are now visible in plain text outside of a computer’s encrypted area. This effectively renders the encryption useless, as the keys (the passwords) are not secure. While it was originally believed that the vulnerability was specific to the encrypted FileVault solution, it appears now that the vulnerability is larger…potentially much larger. The Sophos Naked Security blog states: “Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.” Key management and password security continue to be the weakest link in most encryption implementations.