Tuesday, September 04, 2012

The crown jewel of hacks for 2012 ..... that is, if you can understand it

Hackers leak 1 million Apple device IDs
By Paul Wagenseil
Tuesday, September 4, 2012
To cap off a summer of devastating corporate data breaches, hackers yesterday posted online what might be the crown jewel of 2012 data dumps: 1 million identification numbers for Apple iPhones, iPads and iPod Touch devices, all purportedly stolen from the FBI.

There may also be an additional 11 million Apple device IDs yet to be released, many with users' full names, addresses and telephone numbers attached.

"Why exposing [sic] this personal data?" asked the unnamed writer of the Pastebin posting announcing the data dump, who claimed to be affiliated with the anti-government hacktivist group AntiSec. "Well, we have learnt it seems quite clear nobody pays attention if you just come and say 'Hey, FBI is using your device details and info and who the [expletive] knows what the hell are they experimenting with that,' well sorry, but nobody will care."

Safe … for now

Users of the 1 million affected devices are, for the moment, probably not in any danger of identity theft or account takeovers. However, they may want to know why the FBI apparently had their device IDs on file.


An Apple unique device identifier (UDID) is a 40-character hexadecimal string that identifies a single iOS device within the Apple ecosystem, letting iTunes and app developers tell which device is running what.

The restriction that keeps a non-jailbroken device installing only App Store software comes from Apple's code signing, not from the UDID. Where the UDID matters is provisioning and tracking: a developer must register a device's UDID in an ad-hoc provisioning profile before a beta or other non-App-Store build will install on it, and many apps and advertising networks used the UDID as a persistent key for recognizing a user, which is how a game developer could tie a high score to a device.

The 88-megabyte file posted by AntiSec on several file-sharing sites is encrypted, but the Pastebin posting offers step-by-step instructions for decrypting it with open-source software.

To check whether your iPhone, iPad or iPod Touch's UDID might be among those affected, a software developer based in Florida has already posted a tool at http://kimosabe.net/test.html. Bear in mind that typing a full UDID into any third-party site is itself a disclosure of that identifier; a checker that needs only a prefix or a hash of it, or comparing against the decrypted list on your own machine, tells the site less.

Apple UDIDs can be found by plugging an iOS device into a computer, opening iTunes and clicking on the device serial number shown on the device's Summary tab; the field toggles to display the 40-character identifier.

Mac-centric website MacOS Rumors has verified that many of the UDIDs in the data dump are genuine, but notes that "UDIDs themselves are rather harmless in isolation."

However, New Zealand-based security researcher Aldo Cortesi has shown that, because some iOS game and app developers disregarded Apple's security guidelines and used the UDID as a user identifier in their own services, it is possible to determine a user's identity from a UDID alone.

Hacker counterintelligence

The Pastebin post claims that the UDIDs were stolen thanks to an Anonymous hack into the laptop of FBI agent Christopher Stangl, a member of a New York-based cybercrime task force.

Stangl has spoken publicly on matters of cybersecurity, appearing in February 2011 on a panel discussion on cybercrime attended by SecurityNewsDaily. Two years earlier, he starred in an FBI recruitment video posted on Facebook.

Stangl was also among 44 American and European law-enforcement personnel copied on an email, sent in January 2012, inviting recipients to join a conference call to discuss efforts against the hacktivist groups Anonymous and LulzSec.

Anonymous intercepted the email and used it to eavesdrop on and record the conference call, which they then posted online in February 2012.

According to yesterday's Pastebin post, hackers used a then-recent Java exploit, the AtomicReferenceArray type-confusion bug (CVE-2012-0507), to get into Stangl's machine. Oracle had shipped a fix for that flaw in its February 2012 Critical Patch Update, so an attack in mid-March 2012 would have depended on the target still running an unpatched Java rather than on a true zero-day.

"During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java," the posting states.

"During the shell session some files were downloaded from his Desktop folder one of them with the name of 'NCFTA_iOS_devices_intel.csv' turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts."

"No other file on the same folder makes mention about this list or its purpose," adds the writer of the Pastebin post.

"CSV" is the file extension for comma-separated values, a plain-text format in which each line is one record and the fields of that record are separated by commas. It is not specific to Windows; Microsoft Excel, other spreadsheet programs and most scripting languages can read it directly.
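As an added example (not code from the article, the Pastebin post or the checking tool the article links to), the Python below works on a CSV laid out with the fields the post lists and serves two earlier points: it keeps malformed UDIDs separate so a "verified genuine" count can be backed up, it measures how often the personal-detail columns are empty, and it shows the privacy-preserving way to offer a "was my device leaked?" check mentioned above: the checker publishes SHA-256 hashes of the leaked UDIDs bucketed by a short prefix, and a client only ever has to reveal that prefix. The header names, the five-character prefix length and every row are constructed for this example; the leaked file's real header is not on the page.

```python
"""Parse a UDID dump laid out as the Pastebin post describes and check a
device against it without handing the full UDID to anyone.

Added example; the sample rows below are constructed, not records from the leak.
"""
import csv
import hashlib
import io
import re

# Column set follows the fields the post lists (UDID, user name, device name,
# device type, APNs token, zip code, phone, address). Header names and rows
# are constructed for this example; the real file's header is not on the page.
SAMPLE_CSV = """\
udid,user_name,device_name,device_type,apns_token,zipcode,phone,address
e3f5b8d4a1c2f6e7b9d0c1a2b3c4d5e6f7a8b9c0,Alice Example,Alice's iPhone,iPhone,0f1e2d3c,33101,305-555-0100,1 Main St
0011223344556677889900AABBCCDDEEFF001122,,Work iPad,iPad,4b5a6978,94103,,
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef,,iPod,iPod touch,,,,
not-a-real-udid,Mallory,Broken row,iPhone,,,,
"""

UDID_RE = re.compile(r"^[0-9a-f]{40}$")
PERSONAL_FIELDS = ("user_name", "zipcode", "phone", "address")


def normalize_udid(value):
    """UDIDs are 40 hex characters; compare them case-insensitively."""
    return value.strip().lower()


def is_valid_udid(value):
    return UDID_RE.match(normalize_udid(value)) is not None


def parse_records(text):
    """Return (valid, rejected): rows with a well-formed UDID, and the rest.

    Malformed rows are kept rather than silently dropped so that a claim
    such as "many of the UDIDs are genuine" can be backed by a count.
    """
    valid, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        row["udid"] = normalize_udid(row.get("udid") or "")
        (valid if is_valid_udid(row["udid"]) else rejected).append(row)
    return valid, rejected


def field_completeness(records):
    """Fraction of records in which each personal field is populated.

    The post says those fields are "many times empty"; this quantifies it.
    """
    total = len(records) or 1
    return {
        field: sum(1 for r in records if (r.get(field) or "").strip()) / total
        for field in PERSONAL_FIELDS
    }


def udid_hash(udid):
    return hashlib.sha256(normalize_udid(udid).encode("ascii")).hexdigest()


def build_hash_index(records, prefix_len=5):
    """Bucket SHA-256(udid) by its first prefix_len hex digits (assumed length).

    A checker that publishes this index lets a user fetch one bucket and
    finish the comparison locally, so the service never sees a full UDID.
    """
    index = {}
    for r in records:
        digest = udid_hash(r["udid"])
        index.setdefault(digest[:prefix_len], set()).add(digest[prefix_len:])
    return index


def is_affected(udid, index, prefix_len=5):
    """Client side of the check: only digest[:prefix_len] would leave the device."""
    digest = udid_hash(udid)
    return digest[prefix_len:] in index.get(digest[:prefix_len], set())


if __name__ == "__main__":
    valid, rejected = parse_records(SAMPLE_CSV)
    print(f"{len(valid)} well-formed UDIDs, {len(rejected)} rejected rows")
    for field, frac in field_completeness(valid).items():
        print(f"  {field:10s} populated in {frac:.0%} of records")
    index = build_hash_index(valid)
    print("leaked:", is_affected("DEADBEEF" * 5, index))  # present in sample
    print("leaked:", is_affected("f" * 40, index))        # not present
```

The hash bucketing is the same idea as range queries on a hashed credential list: with a five-hex-digit prefix the client reveals about 20 bits of the hash, which with a dump of this size narrows the device to a bucket of roughly a dozen candidates but never identifies it to the service. A site that asks for the full 40-character UDID learns exactly which device is asking.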

"NCFTA" may refer to the National Cyber-Forensics & Training Alliance, a Pittsburgh-based non-profit organization that, in its own words, "functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cybercrime."

It is not clear why an FBI agent would have a database of 12.4 million iOS device UDIDs on his laptop, nor why the NCFTA would have provided them to him.

Requests for comment by SecurityNewsDaily to Apple and the NCFTA were not immediately returned. An FBI spokeswoman said the bureau was aware of the reports but had no further comment.

Sprechen Sie Deutsch?

In a blog posting this morning, Errata Security CEO Robert Graham theorizes that the hackers may have used the intercepted FBI email to "spear phish" the email's recipients, luring them to a rigged website that would have loaded the new Java exploit, which Graham calls a "zero-day," onto their machines.

"If I have an email list of victims, and a new [zero]-day appears, I'm immediately going to phish with it," wrote Graham. "It's not Chinese uber APT [advanced persistent threat] hackers, it's just monkeys mindless[ly] following a script."

Graham Cluley, a security researcher with the British firm Sophos, pointed out today that the Pastebin writer may be a native German speaker, judging by an impolite message in German to Mitt Romney at the end of the post. The stilted English grammar, the frequent use of "so" to begin sentences, a reference to Austrian banks and a Goethe quotation also point to a German-language connection.

As might be expected, the writer makes shout-outs to Anonymous, WikiLeaks, the Syrian rebels and the imprisoned Russian punk band Pussy Riot, and criticizes National Security Agency head Gen. Keith Alexander's appeal in July to hackers to join the government.

But the writer also cites Jack Henry Abbott, the prison-based writer who was paroled in 1981 thanks to the efforts of famed author Norman Mailer. Abbott killed another man six weeks into his parole and spent the rest of his life in prison.

The writer also uses the Latin phrase "argumentum ad baculum," literally "appeal to the stick": the fallacy of backing a claim with a threat of force rather than with evidence.

In a dig at the press, the writer also demands that Adrian Chen, a technology reporter at the gossip blog Gawker who has written extensively on Anonymous, humiliate himself on camera.

"No more interviews to anyone till Adrian Chen get featured in the front page of Gawker, a whole day, with a huge picture of him dressing a ballet tutu and shoe on the head," the posting says. "No Photoshop."


Update 1:30 p.m. ET, September 4: A law enforcement official who spoke to NBC News on condition of anonymity said there is no evidence the FBI ever requested the Apple data through the legal process. The official said the posting is believed likely to be a hoax designed to infect other users, because of malware in the posting. So far there is no evidence that any FBI computers were compromised, though that is still being checked.
