Hackers Get Personal Info On 12-Million Apple Users... From An FBI Laptop
from the privacy-schmivacy? dept
Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to "share data" with federal government agencies, including the FBI and the NSA. As we've pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you're only making it that much easier for hackers to access that info because you're putting it in more places -- some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about "protecting" from hack attacks, by increasing the sharing of data, they'd almost certainly open up new attack opportunities and make it easier for hackers to get info.
While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that -- in response to a presentation from the NSA's General Keith Alexander -- they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl, who has appeared in recruitment videos for the FBI looking to hire "cyber security experts."
The hackers claim that on his laptop, they found a csv file with:
...a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: "NCFTA_iOS_devices_intel.csv" which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website, the NCFTA...
functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.
In other words, it's almost exactly what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA to ask why we needed CISPA, since something like that was already possible.
And now it seems to also be showing why CISPA or other similar legislation focused on increased "sharing" of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it's going to get hacked. These kinds of things just put a giant target on their back, and now we're seeing the harmful results of such sharing without effective privacy protections.
And the feds want more of this?
Filed Under: antisec, christopher strangl, cispa, cybersecurity, data, data sharing, fbi, ios, keith alexander, ncfta, privacy, udid
Companies: apple
Reader Comments
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Either way, 12.3 million usernames and passwords suggest that the NCFTA isn't about teaching, nor is it about mitigating cyber crime.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
While it may be possible for the telcos to hack their way into someone's phone and steal their password, it's far more likely that 12.3 million usernames and passwords came from one central source; Apple.
If we find out that all those usernames and passwords come from just one telco, then you would be right. If that is the case, then a boycott isn't just justified, it's required for reasons too long to get into without knowing for sure.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
What bothers me most though is that the NSA didn't find collecting this amount and type of data unethical.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
FBI agent stores it on an insecure, unencrypted location (a laptop) and the data is stolen.
So Apple had nothing to do with handing any data over. As an Apple user myself, I can tell you that you have to have an Internet connection to register your device. Since the NSA computer system collects everything under the sun that is transmitted through the Internet, their computers got this information.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Should I assume anyone using an apple device is a crook?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Cyber-insecurity
And I doubt it was for any "cyber security" purpose, either. How does having that info help that? It doesn't. What it *does* do is let them very quickly identify the owner of a cell phone the FBI suddenly takes an interest in for any reason, without having to go to a judge or even to Apple first after taking an interest in it. Sounds much more likely to be used to get around that pesky Fourth Amendment and track down accused drug dealers and terrorists.
Of course, the smart ones of those use burn phones purchased without a plan and loaded with prepaid minutes using anonymous cash transactions, so they a) won't have (non-phony) names and addresses in that data and b) would be using cheaper handsets anyway (no plan, no subsidy).
So, in short, the feds' data was useless for going after any real bad guys (though it could be very easily abused to harass random citizens), and it has now proved to be worse than useless for "cyber security" purposes.
[ link to this | view in chronology ]
Re: Cyber-insecurity
[ link to this | view in chronology ]
Re: Cyber-insecurity (Perspective)
Another indicator of the 1% being criminals.
[ link to this | view in chronology ]
Re: Re: Cyber-insecurity (Perspective)
Why is that amount of data on a damned laptop in the first place?
[ link to this | view in chronology ]
Re: Re: Re: Cyber-insecurity (Perspective)
[ link to this | view in chronology ]
Re: Re: Re: Re: Cyber-insecurity (Perspective)
[ link to this | view in chronology ]
Re: Re: Re: Re: Cyber-insecurity (Perspective)
Think of the children!
Worry about the terrorists!
Pay no attention to that list of supposed "rights" and laws, there is something bad out there and we will find it!
Sadly they need only look in the mirror to find it.
[ link to this | view in chronology ]
Re: Re: Re: Re: Cyber-insecurity (Perspective)
[ link to this | view in chronology ]
Re: Cyber-insecurity
Burner phones are passe. Now, there's an app for that.
http://arstechnica.com/business/2012/08/burner-wants-to-help-you-temporarily-obfuscate-your-phone-number/
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re:
Whether we like it or not, the NSA computers collect everything coming in and out of the country. The FBI chooses to extract whatever data they want under an ad hoc warrant approved by an even more incompetent DOJ.
[ link to this | view in chronology ]
Re: Re:
ftfy
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
They don't really care
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
And that it came from the laptop of a Cyber-Security specialist is just over-the-top funny. While the data itself may not be considered especially sensitive (to the FBI, anyway), they neglected to consider the sensitivity of the fact that they have the data at all. FAIL and FAIL.
[ link to this | view in chronology ]
Re: Re: Re:
I wouldn't really qualify it as funny by either definition. I would qualify it as horrifying. If they have millions of usernames and passwords from Apple, they probably also have millions from Android, Windows Mobile, and Blackberry. It's only a matter of time before those get leaked. The US government is not a secure system.
[ link to this | view in chronology ]
Re: Re: Re: Re:
While this to some is funny haha, it also is a prime example of funny utoh. None of them are pleased they have the data, but there is sheer joy to be found in them getting caught spying on citizens (AGAIN) and proving it with epic failure.
I await the PR spin trying to clean this up, the calls for "investigations" that will result in not a damn thing happening to stop this. The only way it will stop is when they start putting the files on what Congresscritters are doing and publishing those, then it will be of great concern and require action to rein them in.
Someone we pay to be an expert and protect us is a moron.
They were hired by people who are supposed to make sure we have the best, we sure as hell pay enough for the very best and what we got is someone who obviously took a weekend course to be "certified".
The problem is and continues to be the inability of the Government to move forward, like the cartels, in a logical way instead waiting for the next headline and knee-jerk overreactions.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
Never attribute to Echelon what you can get with a post-it note demand for data under widely abused terrorism laws.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
My mind is terribly analytical and I figured that if I were to collect data using some of the most powerful computers in the world from all over the world at once, it would be quite disorganized and you would HAVE to program in a set of flags for certain bits that you desire.
That being said, knowing full well it wasn't Apple who gave it away, why did the FBI have all that data on 12.3 million users a) in one location and b) how did they get the data without a court order?
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
I can say this as an iPod Touch user, it's a good thing the UDID info stolen is virtually useless to hackers. Apple's way of making you log into iTunes to approve a transaction gets in the way.
My wife and I and our parents never use credit cards on iTunes purchases, just gift cards.
[ link to this | view in chronology ]
Re:
Apple:"We are going to sue you for losing our customers' data!"
FBI:"You can't sue us for that."
Apple:"Why can't we?"
FBI:*points to their logo* "MotherFuckingEagle! That's why!"
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Just knowing that one FBI laptop had all this personal info sitting there raises serious alarms. What was this person, Christopher Strangl, doing with all this private info on his laptop?
[ link to this | view in chronology ]
Re:
I'm glad I'm not the only one wondering why the personal info of 12 million people is on a LAPTOP. There should be no reason that much info needs to be taken out of the FBI Building!!!
[ link to this | view in chronology ]
Re:
More importantly, what was the FBI doing with all this private info at all?
[ link to this | view in chronology ]
they, like the rest of the law enforcement agencies, can't be trusted to close a door!
[ link to this | view in chronology ]
Re:
Duh! They only specialize in opening doors! Congratulations, 12.1 Million doors now opened in the blink of an eye.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
MIGHT
There's no proof any of this is legit yet.
[ link to this | view in chronology ]
Re: MIGHT
https://twitter.com/peterkruse/status/242936275420717056
[ link to this | view in chronology ]
FBI Spying
www.rt.com/usa/news/nsa-whistleblower-binney-drake-978/
http://www.wired.com/threatlevel/2012/07/binney-on-alexander-and-nsa/
[ link to this | view in chronology ]
It's Not for Spying on You
So find out what you're up to or to track you is not the issue...they can easily get your mobile# and track you whenever they want. All law enforcement can.
Why they would need this much info on a laptop is anybody's guess.
Perhaps it's a list of naive young men that they can convince to join in a terrorist plot.
But whatever the reason, you can bet that it's not good.
Maybe a disgruntled former Apple employee can fill us in.
[ link to this | view in chronology ]
No "might-have's" about it...
From the article...
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: "NCFTA_iOS_devices_intel.csv"
[ link to this | view in chronology ]
Shiny New Legislation
[ link to this | view in chronology ]
This means we MUST make CISPA even stronger! We must remove ALL privacy protections from it, and government MUST be able to know EVERYTHING, including what you eat, and even where you breathe air from!
But adding new cyber security regulations on private business or the government, even voluntary guidelines? NO WAY! That's how you KILL FREEDOM!!! Do you want freedom of American businesses to die! That's what will happen if we try to stop private businesses from leaving your personal info laying around where any hacker can steal it!
Besides, if anything goes wrong after CISPA passes we can always just blame the government! Everyone likes blaming the government!
[ link to this | view in chronology ]
Just because they were "hacked" doesn't mean they didn't recover the information during an investigation.
We certainly don't have enough information to make a judgement as to why the information was in the possession of the agency/FBI. Heck - maybe he's the hacker?!?
I'd be interested to know if this hacking occurred through a govt network or some other network. If the laptop doesn't leave the office (in many jobs these days, the computer issued is a laptop regardless of whether you get to take it home), then the network is compromised and an individual agent might not be to blame. If the laptop does leave the office and isn't physically compromised, then there might be a problem with VPN security. If the agent is using the laptop inappropriately and exposing it to network or other threats, then it's a different issue.
Again, not enough information to actually determine what's going on, if anything.
And if you believe Apple isn't getting hacked...well, hehe...keep dreaming.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
WHY...
why do they have this information in the first place?
why are the warrant & case #'s not in the spreadsheet?
why is this data outside of the firewall?
why are passwords included on the same doc?
and finally... why the hell is a gov IT guy using a mac?
[ link to this | view in chronology ]
Re: WHY...
Why are you assuming it was a Mac?
[ link to this | view in chronology ]
Corrupt App Developer...?
I don't know enough about Apple products to add much myself. However, isn't it broadly known that their app ecosystem is insecure enough that it could have been a very minor player acting poorly, rather than anyone major?
[ link to this | view in chronology ]
Can we please start treating all of this circus as the issue really at hand?
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
I know what UDID last summer.
[ link to this | view in chronology ]
jailbroken??
[ link to this | view in chronology ]
They should be...
[ link to this | view in chronology ]
Apple Users feeling the danger..!!
[ link to this | view in chronology ]
Re: Apple Users feeling the danger..!!
[ link to this | view in chronology ]
Re: Apple Users feeling the danger..!!
http://www.ripoffreport.com/computer-service-repair/pc-care-247/pc-care-247-norton-pccare247-c-645bb.htm
[ link to this | view in chronology ]
Re: Apple Users feeling the danger..!!
http://forums.techguy.org/general-security/1044190-pccare247-legitimate.html
[ link to this | view in chronology ]
iPwnd...
[ link to this | view in chronology ]