Attacks/Breaches
9/5/2012 10:40 AM

FBI, AntiSec Spar On Apple IDs

FBI denies laptop data breach, but some security experts believe agency may have suffered a phishing attack.

Does the release of one million Apple UDIDs (Unique Device Identifiers)--including device types and associated usernames--reveal a massive device-tracking operation involving the FBI, an attempt by the hacktivist group AntiSec to make the bureau look bad, or something in between?

For now, the related debate continues to rage online. The FBI, for its part, took to Twitter Tuesday to say that any suggestion that one of its agents was collecting or storing millions of UDIDs was "totally false" and that the agency "never had the info in question." In an official statement emailed to journalists, meanwhile, the FBI said that "at this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data."

In response to the FBI's official statement, AntiSec noted via the AnonymousIRC channel that "this is far from denial," and continued to taunt the FBI. "Before you deny too much: Remember we're sitting on 3TB additional data. We have not even started," it said.

But is the leaked UDID data legit? AntiSec said via the Par:AnoIA website that the data "was involuntarily provided by Special Agent Christopher Stangl, whose notebook was breached by AntiSec in March 2012," and that "among the data on his notebook was a file named NCFTA_iOS_devices_intel.csv which contained a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, ZIP codes, cell phone numbers, and addresses."

Rob Rachwald, director of security strategy at Imperva, thinks the breach is probably real. For starters, he explained in a blog post, the agent who's been targeted--either for real, or for reputational damage--is "a known recruiter in the FBI focused on getting white hat hackers to work for the feds." In addition, "the structure and format of the data indicates that this is a real breach ... it would be hard to fake such data." He noted, however, that Apple is likely the only organization that can reliably ascertain how much of the data is or isn't real.

An Apple spokesman didn't immediately respond to an emailed request for comment. The company has yet to publicly address the alleged UDID leak.

Interestingly, AntiSec suggested that all of the UDIDs had been collected thanks to an app installed on iOS devices. "People whose UDID was on the list released by AntiSec might want to compare their installed apps. A common culprit might be found," hinted AntiSec via Twitter.

What are the privacy or information security worries associated with AntiSec--or possibly the FBI--having what may be legitimate UDIDs for 12 million Apple iOS users? "Since AntiSec removed all the personal data from the data they released, this hack doesn't present much risk to end users," said Andrew Storms, director of security operations for nCircle, in an emailed statement. "UDIDs in isolation aren't a big deal. In fact, Apple used to permit apps to spew UDIDs all over the place, so there's a lot of UDID data already in the public domain. For a while, there were a lot of apps using UDID and personal data to track users' activity and selling it to advertisers."

On the other hand, 12 million people's UDIDs could be used for more than just advertising purposes. "If the hackers have what they claim, they may be able to cross-reference the breached data to monitor a user's online activity--possibly even a user's location," said Rachwald. "To be clear, the released database is sanitized so you cannot perform this type of surveillance today. But with the full information that hackers claim to have, someone can perform this type of surveillance. This implies that the FBI can track Apple users."

If AntiSec did manage to compromise an FBI agent's computer, Robert David Graham, head of Errata Security, has a theory for how they could have accomplished this. For starters, he noted that earlier this year, a hacktivist managed to listen in on a 16-minute FBI conference call, which was leaked by Anonymous. To do this, an attacker intercepted an FBI email with dial-in directions that had been sent to 40 international cyber-crime investigators, with all of their addresses clearly visible in the "to" field. The attacker leaked not just a recording of the call, but also the invite email.

Next, in its Pastebin post announcing the UDID leak, AntiSec claimed that Stangl's laptop had been compromised using a Java vulnerability--not the one publicly disclosed less than two weeks ago, but one that was being exploited earlier this year. "That Java 0day was being actively exploited in March 2012, as described in this MS TechNet article on CVE-2012-0507," said Graham.

According to Graham, the exposed email addresses plus a Java vulnerability point clearly to one type of attack: phishing. "The obvious attack is for hackers to phish all 40 of those e-mail addresses. The phishing message would appear to come from the same sender, and simply point to a website hosting a Java app with [an] exploit," said Graham in a blog post. Anyone with a PC that contained the Java vulnerability who clicked the link could then find their computer owned by the attacker.

If Graham's theory is correct, the FBI may have inadvertently played a part in the attack. Earlier this year, Irish citizen Donncha O'Cearrbhail (a.k.a. Palladium) was arrested and charged with having intercepted the FBI conference call, which authorities said he provided to LulzSec and Anonymous leader Sabu. Unbeknownst to O'Cearrbhail, however, Sabu--real name: Hector Xavier Monsegur--was arrested by the FBI in June 2011 and immediately turned informant. Accordingly, the leaked call did get released, although the names of people about to be arrested and some other investigative details were curiously "blanked out" of the audio.

In retrospect, it seems obvious that the FBI excised information from the recording before allowing it to be released, in order not to impede related investigations. But they apparently didn't do the same for the email addresses of the 40 law enforcement agents who had been included in the conference call invite.
