A techie named David Schuetz at security consultancy Intrepidus Group has done something so obvious, so simple, and so tellingly useful, that I’m going to go all out and call it a stroke of genius.
Here’s the story.
A week ago, a person called Anonymous published one-million-and-one stolen Apple device IDs. (There’s always room for numerological whimsy in hacking circles.)
This Anonymous person then blamed the FBI – crimes are always someone else’s fault if you’re a hacker – by claiming that the data was stolen from an FBI agent’s Windows desktop.
Conspiracy theories abounded. Even here on Naked Security we fell into the trap of believing Anonymous, noting, without the whiff of an if, that “why the FBI was collecting the UDIDs and personal information of millions of iPhone and iPad users is not yet clear.”
The FBI answered back to say that this was all poppycock. Not the crime, of course. The one thing which was certain was that data had been stolen and published unlawfully.
The Feds simply denied having had that data, having asked for it in the first place, and having been hacked at all.
Conspiracy theories then spiralled out of control. What could be more of an admission than a denial?
David Schuetz was made of sterner and more scientific stuff. In a fit of applied rationality, he turned his trusty Unix tools on the Apple Unique Device Identifier (UDID) dump, and quickly noticed that there weren’t 1,000,001 of them. That was just Anonymous marketing claptrap. There were only 985,117, giving about 15,000 repeats.
Schuetz – and learn from this! – quickly realised that the non-unique UDIDs weren’t just a contradiction, but the key to the whole thing. With help from a fellow Twitterer, who offered the explanation “seems like maybe a game or ad company,” Schuetz guessed that the repeated UDIDs might belong to developers, and went looking.
Many of the most-repeated UDIDs turned out to link back to the text string Bluetoad. And Bluetoad is a digital media company that creates iPhone and iPad apps. And after seeing Schuetz’s evidence, Bluetoad fessed up.
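The count-and-pivot analysis described above, as an added example that is not part of the original article or of Schuetz’s own work: a POSIX shell sketch over a constructed ten-record dump (the fields UDID, device name and app identifier, and all values, are hypothetical), showing how the gap between record count and distinct IDs, and the text strings attached to the most-repeated IDs, fall straight out of sort and uniq.

```shell
#!/bin/sh
# Constructed sample of a leaked-ID dump (hypothetical values, not the
# real leak): one record per line as "UDID,device name,app identifier".
DUMP="$(mktemp)"
trap 'rm -f "$DUMP"' EXIT
cat > "$DUMP" <<'EOF'
udid-0001,Alice iPhone,com.example.reader
udid-0002,Bob iPad,com.example.reader
udid-0003,Dev Test iPad 1,com.example.publisher
udid-0003,Dev Test iPad 1,com.example.catalog
udid-0003,Dev Test iPad 1,com.example.reader
udid-0004,Carol iPhone,com.example.catalog
udid-0005,QA iPhone,com.example.publisher
udid-0005,QA iPhone,com.example.reader
udid-0006,Dan iPad,com.example.publisher
udid-0007,Eve iPhone,com.example.reader
EOF

# Headline number versus reality: how many records, how many distinct IDs.
total_records() { wc -l < "$1" | tr -d ' '; }
unique_udids()  { cut -d, -f1 "$1" | sort -u | wc -l | tr -d ' '; }
repeats()       { echo $(( $(total_records "$1") - $(unique_udids "$1") )); }

# Frequency table of the IDs that occur more than once, most repeated
# first; $2 limits the output (default 5). Each line is "udid count".
top_repeated() {
    cut -d, -f1 "$1" | sort | uniq -c | sort -rn \
        | awk '$1 > 1 { print $2, $1 }' | head -n "${2:-5}"
}

# The pivot that matters: which text strings travel with a repeated ID.
# A few devices registered across many apps points at a developer or
# publisher's test hardware rather than at a random end user.
strings_for_udid() { grep "^$2," "$1" | cut -d, -f2- | sort -u; }

echo "records: $(total_records "$DUMP")  distinct: $(unique_udids "$DUMP")  repeats: $(repeats "$DUMP")"
top_repeated "$DUMP" | while read -r id n; do
    echo "$id x$n -> $(strings_for_udid "$DUMP" "$id" | cut -d, -f1 | sort -u | tr '\n' ' ')"
done
```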
Bluetoad was hacked – just over a week ago, as it happened. A database of Apple device IDs was stolen. This list was, almost without doubt, the source of the data leaked by Anonymous.
Conspiracy theory won’t go away, of course. Perhaps the FBI stole the data from whoever stole it from Bluetoad? Perhaps the FBI paid for a cover-up which could be blamed on Bluetoad? Perhaps this is extreme guerilla marketing by Bluetoad?
The ironies in all of this?
Bluetoad’s speciality is software to convert one online format to another – notably from PDF to Flash, a concept perhaps best described as out of the frying pan, into the fire, and doubly ironic since PDFs are supported on iDevices, whilst Flash is not.
And Apple no longer accepts apps which collect UDIDs, following a privacy backlash.
So, if you were feeling uncharitable, you could blame this on a not-actually-necessary application that gathered no-longer-acceptable-to-collect data and sent it back to a not-secure-enough company that stored it in a needlessly-remotely-accessible database.
I hope you can make a good conspiracy theory out of that spectacularly hyphenated combination of circumstances.
Because if you can’t, we’re stuck with a depressingly familiar explanation where computer security is concerned: SNAFU.
Worse than that, you’re going to have to admit the ghastly possibility that Anonymous might not have been entirely truthful about its criminality.
–
"Perhaps the FBI stole the data from whoever stole it from Bluetoad?"
This is precisely possible. That is, Blue Toad's files could have been hoovered up by someone, combined with others, and only their stuff released by the hackers regardless of where they obtained it.
The FBI's denial is completely worthless in any event. Anyone who knows the name Sibel Edmonds knows the FBI is completely and totally untrustworthy.
However, until the hackers provide more evidence of the source of the file, the extent of the full data file, and additional data such as user names, their credibility will be suspect.
I'm lightly confused…but it seems you are saying that it may have gone down like this: hackers stole data from Bluetoad and others, and combined it all. Then the FBI almost immediately stole the combo-data from those hackers, and left it lying around on the Windows desktop of a PC that was remotely exploitable via Java, then some other hacker or hackers (what I'm calling Anonymous above) almost immediately stole that combo-data from the FBI, carefully extracted only the part of the combo-data which originally came from Bluetoad, and released that.
I have to agree with you that this is possible, but I wouldn't have chosen the adjective "precisely" to go with the word "possible". "Doubtful but admittedly possible", perhaps. "Fancifully possible." But _precisely_?
Some dictionaries link "precisely" to "just". I don't think I caught the meaning on first reading, but "precisely possible" was (probably) intended as "no more (or less) than possible". So, the great minds were thinking alike!
(And it's an ad_verb_, as you've probably realised after switching off.)
“Even here on Naked Security we fell into the trap of believing Anonymous”
We? No. Don't be so hard on yourself, Paul. It was all Graham. And no surprise, really. Reading any of his posts, one will soon realize, his FUD detector must be broken.
Or at least I hope it's broken. I really hate thinking that he cynically jumps on every passing bandwagon just for the sake of catchy headlines.
Hmmm. That's a bit harsh, don't you think?
Firstly, I'm not being "hard on myself". Secondly, Graham wrote "why" where I might have written "if so, why." So he fell into an Anonymous Heffalump trap [*], nothing more than that.
Anyway, his misplaced "why" wasn't central to the point – he went on to say, "whatever the story, the data wasn't secure, and that's bad." He was right.
To jump from my criticism of Graham to blast everything Graham writes ("reading any of his posts", as you put it) is a bit rich, wouldn't you say?
I think my criticism of his mistake is fair; I think yours is OTT. So there 🙂
PS. Note to readers: Sean works for a competitor.
[*] See the children's books of A.A. Milne for further details.
Re-reading my article, I did miss an “if” in one para. Sorry about that.
But elsewhere I said “Anonymous claims”, “allegedly purloined” etc
So, on balance… Not the greatest error, but one I still regret.
i read both articles, and knew very clearly that Graham was -at best- unsure of the claims. i never for a second thought he had simply accepted Anonymous' claims, rather theorized about what the implications could be if such claims turned out to be true.
i am so glad i liked Sophos on facebook, i feel much more educated about online security and such, reading each article that comes out regarding the latest news.
keep it up lads.
Which competitor? I'd love to know which company has staff that go around other people's sites just to insult and poke at their (minor) mistakes.
Based on Google search results: f-secure.
@richardhack :: I read your Twitter feed. You're an idiot. Having said that, hacker claims are ALWAYS suspect.
Wisdom follows, pay attention!
Any data, residing with any company, is in the possession of US federal institutions, because all US and submissive allies' companies are required by secret FISA court order to have a "Room 641A", where the NSA bit-siphon is attached. Whatever BlueToad collected was collected for Uncle Sam, no matter what Blue Toad intended.
Whether NSA shares said data with FBI does not need to concern us, oppressed citizens; we only need to know freedom, liberty and privacy do not exist anymore!
By the way, in related news the US federal government released formerly classified docs yesterday to eventually admit that President FDR did know about the 1940 "Katyn" massacre of 20,000 Polish POW officers, specifically at the hands of Soviet secret police henchmen of the NKVD.
Yet, Franklin Delano Rosenfeldt kept mum on the topic and tossed the 1945 "liberated" Poland into the Soviet communist empire of evil, for 4 full decades of misery. This shows how wily the US federal government has always been. You and your family could be the next Katyn victims!
You do realise that the American government owns the company that produces the tin-foil which your stylish piece of headwear is made from, don't you? Maybe they just want you to believe that there is a room 641A. The NSA is just a loss leader for their tin-foil business.
Anonymous have always spouted rubbish. They did a few DoS attacks and suddenly they think they're big time.
wasn't it Antisec? That's what I read on forbes by Andy Greenberg
So, can I assume you'll be hiring David as a consultant writer? Or at least as a researcher…
His application of "Oh Really?" seems to have cracked this wide open. Accepting a statement as fact when it comes from an apparent authority is a key feature of social engineering hacks.
Think Mulder: Trust No One.
“..Anonymous might not have been entirely truthful..”
Excellent punchline for the article. This one had me howling with lulz at Anonymous’ expense.
(sarcasm): But those folks are so open and accountable for their actions, as well as cohesive and consistent. “I want to believe,” says the poster in Fox Mulder’s FBI basement office.