Re: FBI hack yielded 12 million iPhone and iPad IDs, Anonymous claims

[Jeffrey Walton <noloader () gmail com>]

"FBI Says AntiSec Hackers Lied About List of iPhone ID Numbers,"
http://allthingsd.com/20120904/fbi-says-antisec-hackers-lied-about-list-of-iphone-id-numbers/

The FBI has shot down today’s claim by the AntiSec hacking group that
it breached an agency-owned computer and stole a database said to
contains some 12 million unique ID numbers for iPhones and iPads
around the world.

Here’s the statement straight from an FBI spokesperson, only five
minutes ago: "The FBI is aware of published reports alleging that an
FBI laptop was compromised and private data regarding Apple UDIDs was
exposed. At this time there is no evidence indicating that an FBI
laptop was compromised or that the FBI either sought or obtained this
data."

...

On Tue, Sep 4, 2012 at 11:51 AM, Jeffrey Walton <noloader () gmail com> wrote:
> Not sure how much of this is true, but the FBI does have a history of
> violations against US citizens.
>
> http://www.zdnet.com/fbi-hack-yielded-12-million-iphone-and-ipad-ids-anonymous-claims-7000003668/
>
> Hackers associated with Anonymous claim to have swiped more than 12
> million Apple iPhone and iPad device identifiers from an FBI computer.
>
> Someone using the banner of AntiSec — a 14-month-old joint operation
> of Anonymous and LulzSec — posted a document to Pastebin on Monday
> that contained links to around a million Apple unique device
> identifiers (UDIDs). The anonymous poster said the release was
> intended to highlight the FBI's alleged tracking of Apple customers.
>
> "We never liked the concept of UDIDs since the beginning indeed," the
> post read. "Really bad decision from Apple. Fishy thingie."
>
> Every iOS device has a UDID. The number was put in place so developers
> and mobile advertising networks could track user behaviour. However,
> over the last year Apple has been phasing out apps' access to UDIDs,
> as the numbers were sometimes being transmitted to third parties
> without users' consent.
>
> According to the post, which was linked to from a well-known Anonymous
> Twitter account, the hackers got into the Dell laptop of FBI special
> agent Christopher Stangl during the second week of March this year.
> Stangl works at the FBI's New York field office, and has been a
> prominent face in the agency's cybersecurity recruitment efforts.
>
> AntiSec said the hack, which apparently exploited a Java
> vulnerability, yielded a CSV file containing "a list of 12,367,232
> Apple iOS devices including Unique Device Identifiers (UDID), user
> names, name of device, type of device, Apple Push Notification Service
> [APNS] tokens, zipcodes, cellphone numbers, addresses, etc".
>
> 1,000,001 released
>
> The hackers said they were publishing 1,000,001 of the UDIDs and APNS
> tokens as that was "enough to release". They stressed that they had
> stripped out the other personal data held in the file, noting that not
> all the listed devices have the same amount of personal data linked.
>
> "We have learnt it seems quite clear nobody pays attention if you just
> come and say 'hey, [the] FBI is using your device details and info and
> who... knows [why they are] experimenting with that'," the document
> read. "We could have released mail and a very small extract of the
> data. Some people would eventually pick up the issue but well, let's
> be honest, that will be ephemeral... Eventually, looking at the
> massive number of devices concerned, someone should care about it."
>
> The hackers added that it was "the right moment" to release the data
> as Apple was currently looking for alternatives to the UDID system.
>
> "In this case it's too late for those concerned owners on the list,"
> the document read. "We always thought it was a really bad idea. That
> hardware coded IDs for devices concept should be eradicated from any
> device on the market in the future."
>
> The document, which is written in slightly broken English, has near
> its end an insult about US presidential candidate Mitt Romney, written
> in German.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.