Yesterday, our very own Graham Cluley wrote about anonymous claims by Anonymous that 12 million users’ worth of Apple-related PII (personally identifiable information) had been hacked.
According to the self-declared hackers, a Java exploit – so last month! – was used to penetrate an FBI agent’s laptop. The data was lying around in a CSV file on his PC desktop, from where the crooks stole it.
Conspiracy theorists quickly took over.
The fact that the FBI got hacked immediately faded into the background – who hasn’t been hacked lately? – and the story became why the Feds had the data in the first place. As commentators on Techdirt opined:
* What were the feds doing with the personal information of 12 million iPhone users in the first place? Certainly they can't all be involved in cyber-crime. Looks to me like they were gathering data on huge numbers of innocent people without probable cause.
* Just knowing that one FBI laptop had all this personal info sitting there raises serious alarms.
Ten out of ten for a PR bait-and-switch by Anonymous!
Of course, if you genuinely insist on probable cause, if you consider yourself scientific in your approach to life, if you require evidence to a stronger standard than “I read it on the internet”, and if you keep “know” to imply that you have genuine knowledge about something, then you might equally well conclude that it is presumptuous to believe that the Feds ever had the data, whether they got hacked or not.
(That was quite a sentence! In modern Twitterglish, “FBI pwned? Had UDID data? Sez who?”)
The FBI quickly took to the Twittersphere to MAKE THAT VERY POINT:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE.
This was soon followed by a LESS DRAMATIC statement, delivered soberly on fbi.gov, with a degree of brevity that PR agencies everywhere would do well to emulate. Here is the press release in full:
The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.
But then the FBI would deny it. As a commentator on Techdirt put it:
But then the FBI would deny it.
Or, as a commentator on Naked Security pointed out wittily, if admittedly in respect of something else entirely, namely Mac malware – another topic that attracts a conspiracy-theoretical crowd:
I was completely on the opposite side of the field. I was nowhere near the cottage.
...not that it was a cottage -- it was a river. But, then, I wouldn't know, of course, because I wasn't there. But, apparently, some fool cut his head off... or at least killed him in some way... perhaps... took an ear off or something.
Yes, yes, in fact, I think he was only wounded! er, or was that somebody else? Yes, I think it was. Why, he wasn't even wounded! [*]
So few facts! So many opinions!
Whatever you feel, or think, or want to think, please use this as an opportunity to embrace some scientific method in your attitude to computer security.
Don’t say you “know” something unless you have knowledge about it:
knowledge [noun]: facts, information, and skills acquired through experience or education.
But then I would say something like that.
–
[*] With apologies to Messrs Curtis and Atkinson. From The Black Adder – Episode 1 – “The Foretelling”.
All well and good on the points of fact vs fiction and how to conclude what that is and is not but that IMO shouldn’t be of the highest concern right now. The U.S. IS building a data center in the Utah desert and FinFisher DOES come from Ducklin’s side of the pond. So not to have speculation that governments are doing shady things is foolhardy.
[Post edited for length.]
In my initial comment I stated this (opinions) is not of the highest concern right now. What is, is that there are one million UDIDs in the wild and they did come from somewhere. All I want to know is where. That’s it. Then those persons held accountable. If it’s the government, good luck.
[…]
In ending… We know there is a proverbial teapot called UDID Apple data orbiting the web. Where it came from we do not know. 😛
Just for the record: I'm from Oz, which is on the other side (Southern hemisphere) of the other pond (Pacific Ocean).
FWIW, I think we agree. As you point out, "Where it came from we do not know." So blaming the Feds is not only unfair at this stage, but also distracting to the real story…
I always just correlated Sophos=U.K. My apologies.
The last part of the TechDirt article does ring true anyway.
“Either way, now that the fight is happening on Twitter, it seems time to grab some virtual popcorn, sit back and watch the fireworks.”
But they left out eventually reading about the inevitable arrests.
I honestly wouldn't be surprised if the FBI was hacked. Was the information from the FFF event that Anonymous runs every week? Regardless, I know my data is all over the internet and I've nearly given up caring. It's a fact of life and there is little I can do to prevent it.
But, I'll keep posting here as a guest to avoid logging in. Needless logins. 😀
I live in the UK; however, I know it was the Republican convention last week and I know it's the Democrat convention this week. How? Because I have a credible source (the BBC news) telling me. Now whether you consider the person who leaked this credible is up to you, but the person who leaked it has been on Twitter since October 30, 2010, whereas NakedSecurity has been on since October 04, 2010 (both according to http://howlongontwitter.com/ ).
The FBI has more reason to cover up (or more likely they may just have been mistaken, and not realised the file was there) than the hacker (and if you say the hacker did it for fame, I'd ask you to name them… their nick isn't in the pastebin).
The real question is why does any organisation want to collect that data (maybe the only exception is Apple).
Fwiw, Naked Security’s writers (@gcluley, @duckblog etc) have been on Twitter a lot longer than @NakedSecurity
Eventually we were convinced by marketroids to create a Twitter acc specifically for Nak Sec.
The FBI Press Office, as it happens, has been on Twitter since 25 November 2008.
(Also – just to avoid words being put into my own mouth – I didn't say that the hacker did it for fame. In fact, I'm sure I described the hackers as anonymous. Yep! Twice. In the first sentence.)
As to "why does anyone want to collect that data?" Why, to release anonymously to frame the FBI, of course 🙂
Who should I believe the most?
Tough one 🙂
You can argue that "belief," like "uniqueness", is a binary concept. Either you believe or you don't. A concept is unique, or it is not. You can't "half believe" or have something that is "fairly unique."
If you believe that, then…hmm. I'm sorry, that doesn't answer your question 🙂
My point is that "belief" often refers to something you are willing to accept without proof, where in this case, we should stick to "evidence", "opinion" and "knowledge". They're all pretty important in computer security, or else you can end up running down a rabbithole (wormhole?) thinking you are hot on the solution of a problem…whilst you aren't.
(We see that a lot with malware. It's easy to blame malware, and then go looking for it, because if you find something then you have what seems like a clinical answer. The fake anti-virus guys rely on this. "Cool. I had a problem, I always thought it might be malware, now I've found the explanation I wanted, plus a fix." Meanwhile, no such thing.)
They can both be correct. They may be from an FBI laptop, and the FBI didn't know they were on there.
It could be they were part of an old investigation (maybe into stolen iPhones) and just weren’t deleted. That wouldn’t make the anti-anons or the anti-FBI people happy, but life is rarely binary.
Okay… hackers publish a collection of data they say they got from an FBI laptop. The FBI says they never had that data.
Hackers generally know where the data they steal comes from. Does every computer user really know what data they have on their computer? Has anyone besides me ever found strange data on your machine that you have no idea about as to how it got there and why it's there?
The hackers published proof that they did have the data they said they had. Since there is no way to prove a negative, the FBI can't publish proof that they never had that data.
For me, it comes down to do I believe the evidence or the denial. I have to go with the evidence on this one. Yes, the FBI had the data that the hackers said they (the hackers) stole.
But…there's not actually any evidence that the data came from the FBI, whether as the result of a hack or not, is there?
@Scott Herbert in the comment above gives a graceful suggestion that allows both the hackers and the FBI to be correct. It's also perfectly possible that the FBI isn't involved at all. And it's possible that there aren't 12,000,000 records. And so on.
As for the connection to the FBI, and to a Java exploit having been used, I still don't see what you are calling "evidence" – just some stuff on Twitter 🙂
That's gullible. What stops Anon from posting information and saying that it's from FBI regardless of source? You cannot call that evidence. I am not saying Anon is lying and I am not saying FBI is lying; what I am saying is that in life, things aren't always black & white… sometimes it's grey. And at the end of the day this is the Internet. Besides, hackers aren't exactly "Holy"; their intentions a lot of times are not innocent and pure but actually quite destructive and many times for all the wrong reasons, mainly selfish regardless of what they say. Kind of like Anon implying that they want freedom of information etc etc but attacking any organization that THEY deem is wrong… that's suppressing the freedom… *cough* PBS *cough* when they aired an episode about that Assange guy or however you spell his name.
What proof did the hackers publish? They said they'd publish if someone appeared in a dress with a shoe on their head.
Since the person isn't likely to appear in a dress wearing a head-shoe then the hackers know they'll never need to offer up their "proof".
Andy
PS I've just hacked into your computer. Publish a picture of yourself wearing a gorilla suit and a clown mask and I'll send you proof that I've accessed your email address book.
(Now prove to everyone else here I HAVEN'T hacked into your PC!!)
Actually, Adrian Chen has submitted himself to the hackers' demands and published a photo of himself (with tutu and shoe).
http://gawker.com/5940444/here-is-a-picture-of-a-…
This type of confirming the allegations arises only when it is related to US/Israel-linked allegations. Otherwise, if it is China/Cuba, it is implied that they are doing it for most of these security researchers.
Well I might not know anything about this, but I have the complete box set of Black Adder on DVD at home. While everyone else keeps on stirring the storm in this particular teacup I'll be watching Rowan and friends Going Forth instead. 🙂
Thanks Duck!
Think about who had this valuable information. If one of the FBI's laptops was hacked, then the hacker can use that laptop and credentials to access other FBI network resources. Who knows when and how much data was collected by the hacker.
So, Mr. Chen has stepped up and done his part. Now let's see if the Anonymous twits have the balls to do theirs…er, assuming they actually have any data to release.
Let's be clear on the issues here. The question is not whether the FBI can prove they DIDN'T have the data. As someone else has pointed out, that kind of negative is unprovable. The real question is whether Anonymous can prove that the FBI actually DID have the data.
If they can, the FBI loses thrice, big-time:
1. Once for the security breach
2. Once for falsely denying it had the data
3. Once for having collected the data in the first place
In any case, it's now up to Anonymous (or whoever these loudmouths are) to make the next move and prove that there's any truth in their allegations. For my part, I'm skeptical.
"…let's see if the Anonymous twits have the balls to do theirs…er, assuming they actually have any data…"
Or balls? 🙂
After watching the Republican Convention and seeing how easily people are duped by government officials' deliberate lies (whether outright lies or lies of omission), I have no doubt the FBI will come out of this clean.
Their statements have built-in deceptive phrasings that can result in them being truthful even if the hackers actually did get the data from an FBI worker's laptop.
"At this time" –that's an all-time favorite.
"there is no evidence" –and who knows better what to do with evidence than the FBI?
And then there's the compound logic with the "or's" that are sure to result in a true statement.
The FBI itself considers this type of wording as a sign of deception.
'And then there's the compound logic with the "or's" that are sure to result in a true statement.'
To be fair, the FBI has simply stated three claims, which IMO are equivalent to this:
'As far as we know, the next three sentences are all true. We did not get hacked. And we did not ask for the info the hackers have. And we did not have that data.'
The fact that they wrote their version with the word "or" doesn't make any difference to its veracity. So it seems rather strange to try to find any sort of conspiracy to deceive on that basis 🙂
Thanks for the feedback.
I guess I let my sarcasm get in the way of my point. I never said there was a conspiracy. Granted, some may say it was implied, but the truth is that I never said it.
Based on the "genuine knowledge" paragraph in your story, it would be presumptuous to believe anything at this point considering the complete lack of facts.
I just thought it was funny the way the FBI worded its statement (and how they view such statements when made by suspects). I certainly prefer your re-phrasing of it. It is clear and to the point.
Finally, I am unfailingly guilty of trying to apply programming logic to conversational language. If people (myself included) were as logical as computers, it would be a very different world.
After having their bluff called by the FBI, the hackers seem to have two options:
1) Disappear with their tail between their legs
or
2) Release 12,367,232 UDIDs along with all the associated personal information and whatever other files they took in order to prove their hack claim.
We should all hope it was, in fact, a bluff….
Anonymous certainly has more options than that. But I can tell you that they won't disappear. I for one trust Anonymous more than I trust the Government. It would not surprise me if such was true. If Anonymous did find that info on an FBI laptop, it would make sense for the FBI to deny such a claim so as to avoid implication. Fact is most of you believe Anonymous is lying or such just because the FBI and Government say so. But truth is, the FBI and the Government have lied to the public on more than one occasion.
You can probably reckon the FBI and the British "security" services have info on us all.
The snoopers charter going through parliament at the moment just shows how nervous the ruling classes are of the Internet.
The security services don't exist for the likes of us but to protect those with the power over us and to keep the status quo.