Nearly 12 Million Apple UDIDs Potentially Stolen From FBI
A hacktivist group has released an archive of more than a million Apple-related Unique Device Identifiers (UDIDs) that were apparently stolen from an FBI computer. The same group also claims to possess at least 11 million more UDIDs taken from the same computer.
The group, known as "AntiSec," is believed to be related to the hacking group known as "Anonymous" and purportedly acquired the list of user names, devices names, cell phone numbers and addresses last spring by leveraging a Java vulnerability.
Java-based vulnerabilities have also been widely reported in the news lately. Two issues with Java 7 were disclosed more than a week ago. Oracle issued a patch aimed at alleviating the problem last week, and then flaws in that patch were discovered over the weekend.
A spokesperson for the FBI has declined comment. However, it has been widely reported that the FBI is in the midst of an ongoing investigation of Anonymous, and therefore, the exploit is seen as a likely attempt to discredit and embarrass the agency.
[Related: Despite Oracle's Patch, New Java 7 Vulnerabilities Emerge ]
A post on the group's Facebook page reads, "Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was P0wn3d using the AtomicReferenceArray vulnerability on Java. R u mad?"
Some reports also suggest that Stangl also appeared on a special video in 2009, inviting the hacker community to turn white-hat and work in collaboration with the FBI to combat black-hat cyber operations. This might've made that specific agent a particularly inviting target, according to Rob Rachwald, director of security strategy at Imperva, a Redwood Shores, Calif.-based security company.
"This is very inconsistent with previous hacktivist attacks because it's very personal in nature, and this could be an indication of trends to come," he said. "They targeted a very specific individual, which is kind of unique, although not unheard of. The second thing that's different is that this attack was not pre-announced. They typically pre-announce who they are going to attack in order to better promote their efforts."
NEXT: How Data Could Be Leveraged
Imperva's Rachwald says only the FBI would know about the 12 million people purported to be on the database, and why those people might've been tracked or monitored. "I can say that the breached data could be used to monitor somebody's cell phone activity, not only from the standpoint of what calls they make but also what websites they're visiting and so forth," he said. "And also, cell phones are pretty good for geolocation, so this could be used to identify an individual's location, as well."
It's also difficult to ascertain whether the hackers were aware that this database was present on the agent's machine or if they were merely targeting the individual in hopes of gathering whatever they might find. "This is a guy who's involved in the recruiting of hackers, which might make him a natural target," he said. "But it's also possible that somebody in the organization knew that he had some interesting data on his machine."
Rachwald added that the breach is just the latest testimonial to the complicated world of cyber security. "It tells you that hackers continue to be innovators by definition, and even the most advanced, intelligent defense people will get duped from time to time," he said. "This is the defender's dilemma. You have to know all of your vulnerabilities, but the attacker only needs to find one."
PUBLISHED SEPT. 4, 2012