Hackers have published a collection of what they say is over a million Unique Device Identifiers (UDID), connected with Apple iPhones and iPads.
The data, claims the hackers, is just part of a larger database of 12,367,232 UDIDs, and personal information such as full names, cellphone numbers, addresses and zipcodes belonging to Apple customers. The data was allegedly stolen via a Java vulnerability from a laptop belonging to an FBI cybersecurity agent:
"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose."
Quite why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear – but it’s obvious that the data (and the computer it was apparently stored on) was not adequately secured.
I suppose we should be pleased that the hackers have not, as yet, published the majority of the information they claim to have purloined from the FBI through the hack – including the personal information about members of the public.
As such, my suspicion is that the hackers were more interested in embarrassing the FBI’s team than endangering innocent users.
All the same, hacking into computers is a criminal act – and I would anticipate that the FBI and other law enforcement agencies will be keen to hunt down those responsible.
Mitt Romney, journalists wearing tutus, and a shoe on head
If it helps cut down the number of suspects at all, here’s a clue to help the FBI with their investigation.
Attached to the end of the hackers’ announcement is the following phrase in German:
"Romney aber, sag's ihm, er kann mich im Arsche lecken!"
This translates into English as:
"Romney, however, tell him he can kiss the asses!"
Clearly not a fan of the Republican party then..
And someone else that the hackers aren’t huge fans of is Gawker journalist Adrian Chen.
Chen has become something of a bête noire for the likes of 4Chan and Anonymous.
Whoever was responsible for the latest hack says that they will only agree to speak to the press if a photo of Chen, dressed as a ballerina with a shoe on his head, is published on the main page of Gawker.
The whole “shoe on the head” thing is a 4Chan meme – victims are told they have to take a photograph of themselves wearing a shoe on their head for the amusement of hackers.
Whatever tickles your fancy I suppose..
Er, "er kann mich im Arsche lecken" literally means "he can lick my ass," but I'm pretty sure it gets used the same way "he can kiss my ass" does in English. "He can kiss the asses"? That's just weird.
Obviously a case of Google translate here…
What I find alarming is the fact .. if it is a fact and not an exaggerated boast… that the FBI has the personal details of all these Apple users .. are they really monitoring and alarmed about 12 million suspected terrorists, criminals, activists, (add whatever other considered criminal, subversive activity you can think of) all of whom can afford Apple devices?
You're kidding me right? They search for who's hacked and into the FBI's pc but not WHY they keep such information? Maybe this is not illegal…?
I agree with you. Yes it's important to know who the hackers are but I have an iPad, iPhone…etc & I'm not a criminal!!!! I had to give my cell phone number to the trusted travelers program to be used in conjunction with my US passport which of course they check with the FBI to see if you are a criminal! No wonder I've been getting so many strange calls……..
I also joined the Trusted traveler Program (NEXUS) and giving my phone numbers, address, and email address up are required. I also have got a lot of phone calls from places I never heard of, and usually don't answer. I suspect most are junk calls, but who knows.
Rob, my cell & home phone numbers keep getting strange calls even though I am on the do not call list and my most private trusted email address is suddenly filled with a little too much junk mail….
It makes me wonder what kind of security the FBI & other governmental agencies have in place……
Yep! It is on http://pastebin.com/nfVT7b0Z
What amuses me even more than the data breach is that the FBI use vostro laptops not the latitudes with FDE. Cheapskates.
Well I guess I won't be using my iPhone to talk dirty to my wife again..
Hi Graham,
I found your article very interesting and worthwhile, however, I would like to
point out one thing:
You wrote:
If it helps cut down the number of suspects at all, here's a clue to
help the FBI with their investigation.
Attached to the end of the hackers' announcement is the following
phrase in German:
"Romney aber, sag's ihm, er kann mich im Arsche lecken!"
This translates into English as:
"Romney, however, tell him he can kiss the asses!"
Clearly not a fan of the Republican party then..
I would like to add:
There's more to be learned from that sentence, which is actually a
quote from the story "Der Götz von Berlichingen" by Johann Wolfgang
von Goethe. This seems to indicate a high level of education and a
fondness for good German literature besides the contempt for the
republicans (Goethe is considered good literature for sure). Also,
your translation is a little off. Literally, it would be translated
as: "Romney, however, he can kiss the inside of my Ass".
In literature, the original phrase, which does not mention Mitt
Romney, is usually translated as: "But he, tell him, can lick my
arse".
Just wanted to get that off my chest, thanks for listening, Jan
Thanks for the extra information Jan!
So we have a Goethe-loving hacker!
Does this mean at least one of the hackers was German and in Germany?
Hackers have to have some intelligence, and maybe reading good literature is a clue to their intelligence.
…er, it's not entirely clear that hacking the FBI provides evidence of actual intelligence. The most you could say is that, if these hacknoids have any intelligence, it's highly compartmentalized.
they also quote several other books, are clearly literate and intelligent and political, but you've managed to bring this back to adrian chen, shoe on head (it's "shoe on head", not "a shoe on head") and mitt romney? you didn't address any of the political points here, the re-emergence of a starkly politicized anon with a major breach of both FBI security and .. wait, why do the FBI have this information? infosec story of the year and you treat them like script kiddies? yikes. graham– shoe on head!
That incident, assuming the info we have at this point is correct, raises a few other questions
– is it legal for Apple to dump personal information about its customers (obviously standard average customers given the UDID and real world ID confirmations we are now seeing) to a Law Enforcement Agency outside any legal process? Give us your Big Data, just in case we need to correlate it later, or use it to deploy our own spyware…
– It's quite obvious that large US companies will frequently share anyone's private data with law enforcement, for any reason. Big dumps are quite cheap compared to targeted requests and subpoenas. Isn't that a bit worrying in the long run, especially if neither the companies, nor the agencies can keep it safe?
– is it legal for a FBI employee to travel/connect to the outside world with a laptop containing such a database, thereby potentially exposing it to the world?
– except for common sense (not exposing the database, not following potentially well crafted phishing e-mails, etc…) how would one avoid zero days in widespread software. If you have a solution to, as you say, "properly secure" that poor chap's machine under those circumstances, feel free to reveal it to the world…
AFAIC, I see no immediate solution in a world where intentionally leaked information can be correlated (cf that Wired journalist misadventure) and exploited, where companies can't secure their data (countless examples) and where high profile cyber-security officials not only misbehave but seem to be blissfully unaware of the risks an ever expanding attack surface implies.
As in most high profile cases, I have no doubt a tremendous amount of resources will be put into the hunt for the hacker and some young guy might very well end up behind bars thanks to BSI, GCHQ or others. But it seems this also reveals other crimes which may have far reaching long term consequences…
Anyone actually confirmed their device is on the list?
Well I guess that was 1 FBI agent with a lot of information we as a FREE America don't exactly feel good about him having. Privacy rights ? Where in the heck did those go?
So many names and numbers on one man's memory files and if we multiply that by the number of agents in that one department, then we are probably without any privacy at all as a nation and as a world.
Rather disgusting in my opinion.
This was pretty much my thoughts. 12 million records out of what? Nearly 400 million Apple devices?
Seems that the research Frederic Jacobs is conducting (http://fredericjacobs.com/identifying-the-traitor) is finding no particular patterns of ownership or usage. Pretty random results so far; worldwide spread, iPhones and iPads, some with lots of downloaded apps, others with no extra apps. Is it reasonable to just assume this is a small sample of a complete dataset that is now out of Apple's control?
FBI involved or not, Apple is responsible for the data's existence.
I think the original post had an exploit of some sort for Mac users: following a link from a CNN article, my console log immediately reported failed "su -" messages and later on a contact in my address book reported what appeared to be a malicious email with a link in it.
WTF the German text makes no sense.