jump to navigation

“Why does the FBI have your UDID (and 12.4 million more)?” FBI Laptop Hacked…1 million Apple IDS posted online September 4, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.
Tags: , , , , , , , ,
add a comment

*UPDATE* It was reported yesterday that the FBI laptop was not, in fact, the source of UUIDs that were hacked.  A company called Blue Toad revealed that it was the source of the stolen ids.  It’s not clear how the data was stolen from Blue Toad or what, if any relationship exists between the company and the laptop that was first identified as the source of the breach.***

According to NBC News, hackers associated with the anti-government group AntiSec have hacked an FBI Agent’s laptop and posted over 1 million Apple Unique Device Identification Number or UDIDs online.   The Apple UDID is used by Apple to determine what applications are running and to lock down the phones, IPads and computers from other applications.  Alone, they do not represent personally identifiable information but However, New Zealand-based security researcher Aldo Cortesi has shown that thanks to disregard of Apple’s security guidelines by iOS game and app developers, it’s possible to determine a user’s identity through an UDID alone.  According to the story:

“The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force. “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java,” the posting states. “During the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.”

Why the FBI has such a list of over 12 million UDIDs is an interesting question. Why the list would be on a laptop is another interesting question. To check whether your iPhone, iPad or iPod Touch’s UDID might be among those affected, a Unix developer based in Florida has already posted a tool: http://kimosabe.net/test.html

“This is the American Express Fraud Department” – Two Dozen Carders Arrested on 4 Continents June 26, 2012

Posted by Chris Mark in cybersecurity, Industry News.
Tags: , , , , , , , , , ,
1 comment so far

Lnight my wife received an email about a suspcious transaction on our Amex card.  Turns out it was a fraudulent transaction and my wife’s card had been stolen.  I was writing a blog post on this very subject when a Google alert informs me of this article on Foxnews.  “Two Dozen Arrested in Online Financial Fraud Sting”.  According to the article:  “Two dozen people on four continents have been arrested in an elaborate sting  targeting a black market for online financial fraud, federal officials in New  York said Tuesday.

U.S. officials called the crackdown in United States, Europe, Asia and  Australia the largest enforcement effort ever against hackers who steal credit  card, bank and other information on the Internet — a practice known as  “carding.”   The officials claimed the two-year FBI sting protected more than 400,000  potential victims and prevented losses of around $205 million.”

On that note, I recommend that you take a look at the book “Fatal System Error”…gives very good insight into the underworld of Carding.

“We Can’t Live in Castles” – FBI Official Concedes; CyberSecurity Policy is a Failure March 28, 2012

Posted by Chris Mark in Industry News, InfoSec & Privacy, Laws and Leglslation.
Tags: , , , , , ,
add a comment

In my Google alerts  today was an article from Foxnews titled: “Retiring FBI Official Says Current US CyberSecurity Strategy ‘Unsustainable'”  Shawn Henry, the FBI’s Assistant Director for CyberSecurity refers to the increasing cyber attacks on government and corporate targets and says: “We are not winning”.  All I can say at this point is…WOW..again we are beating a dead horse!  In 2010, I said the same thing at an InfraGard event in Salt Lake City, and RSA has said the same thing.  We sound like broken records at this point.  This post will likely be a bit more pointed and blunt than most but my frustration is mounting on the subject. For a shameless plug on my own research brief, please read: “A Failed State of Security” now published by IDGA.

CyberAttacks against corporates, committed by individuals are crimes.  Crimes are human acts undertaking by living, breathing, thinking human beings.  CyberSecurity, at its core, is about more than building castles to keep the princess protected.  It is also about changing human behavior to deter the criminal behavior.

“deterrence is ultimately about decisively influencing decision making.  Achieving such decisive influence requires altering or reinforcing decision makers’ perceptions of key factors they must weigh in deciding whether to act counter to (our interests) or to exercise restraint.”[1] (more…)

More Security Theater – “CyberCops and Robbers” March 15, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, Uncategorized.
Tags: , , , , , ,
add a comment

Today in my Google alerts, I had a story from FoxNews (…ahemm) titled “CyberCops and Robbers; Digital Posses to Bust Bank Robbers”  After reading the article, I had to write a post and discuss (rant?) about the fluff that is being proposed.  The article talks about a new initiative by the FBI and select banks where banks that comply with certain rules and agree to be involved in the program get to post a “badge” on their door like the one in this post.

There are so many flaws and issues with this approach, I don’t know where to start.  This is Security Theater at its finest.  For those who are unfamiliar with the term, Bruce Schneier, in his book Beyond Fear, coined the phrase security theater.  Security theater describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security. (more…)

%d bloggers like this: