Publishing Company Admits That Anonymous' UDID Data Leak Was Actually Taken From Their Database

from the the-plot-thickens dept

Last week, there was a big story in which AntiSec, a part of Anonymous, claimed to have downloaded personal info on about 12 million Apple device users from an FBI agent's computer. They released about a million UDIDs to "prove" it, claiming they had a lot more information as well. The FBI quickly denied that the evidence came from them, and Apple later insisted that it had not shared such info with the FBI either. Now, a Florida company, Blue Toad, has told NBC that an analysis of the leaked data and its own data set has made it almost certain that the data actually originated from Blue Toad's servers (whether or not it eventually got onto an FBI machine is a separate issue):

"That's 100 percent confidence level, it's our data," [Blue Toad CEO Paul] DeHart said. "As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”

Apparently, Blue Toad's technology is used by tons of app publishers to help them build their own digital editions and apps -- which is why it would have access to all of this information.

The researcher who figured out that the data came from Blue Toad, David Schuetz, has pointed out that he can't say for certain if the FBI later got the same data, or where Anonymous got the data, but he does suggest that people should be skeptical of claims like that:

“It does raise questions,” he said. “I think people need to question what they see online, whether it comes from Anonymous or from a news organization or from a politician or from a corporation. You need to not take things at face value right away and jump straight to what you think it says. Somebody says, ‘Oh, this came from the FBI, everybody believes it. Well, let’s think about (it).”

Good advice.

Filed Under: anonymous, antisec, data, fbi, leaks
Companies: blue toad

FBI Denies That Hacked Apple Info Came From FBI

from the then-where-did-it-come-from dept

Earlier today, we wrote about Antisec releasing some Apple UDIDs to show that it had apparently collected info on 12 million Apple users, which it claims to have found when it hacked into an FBI's laptop. As we noted at the time, the file was called "NCFTA_iOS_devices_intel.csv," which implied that it came from the National Cyber-Forensics & Training Alliance, a vehicle set up to allow companies to share info with the government. However, the FBI is now flat out denying that any of its laptops had been hacked or that it had the info. Antisec is, to say the least, unimpressed: The FBI's denial comes after an earlier, weaker denial, in which they just said they had "no evidence" to support the story. Now they're saying it's "TOTALLY FALSE" (all caps for EMPHASIS). And, of course, Antisec folks are reminding the FBI (and the public) that they're still sitting on 3TB of additional data from this hack -- which suggests that they're planning to release more to prove that the hack really was of an FBI machine. Either way, now that the fight is happening on Twitter, it seems time to grab some virtual popcorn, sit back and watch the fireworks.

Filed Under: anonymous, antisec, apple udids, cybersecurity, fbi, hack, privacy
Companies: apple

Hacktivism: Anonymous Breaches Australian ISP To Protests Data Retention

from the proving-a-point dept

Glyn Moody recently wrote about Australia reviving some troubling internet snooping policy, part of which includes an aggressive data retention policy for ISPs, in which they need to collect and maintain connection data from their users for up to two years. As Glyn notes, this policy mirrors what other nations throughout the world are attempting to put in as well, despite the serious pushback on security and privacy grounds from the technology community.

So perhaps it shouldn't be all that surprising when famed hacktivist group Anonymous decides to make the concerns a reality to prove a point. Slashdot points us to news that Anonymous has breached one Australian ISP, AAPT, and lifted some 40GB of data using an un-patched Adobe Cold Fusion exploit. As Australian site ITnews reports, this hack appears to be yet another attempt at activism by Anonymous:

"Anonymous had threatened earlier this week to release the data but was reportedly working to minimise potential harm to individual customers.The compromised data is suspected to be a 40 GB backup of an Adobe Cold Fusion database, accessed through a well-known vulnerability.

The threatened release of data appears to be in protest against Australia's proposed data retention regime, which would mandate ISPs to collect and hold transmission data from its users for up to two years.

One hacker told iTnews' sister publication SC Magazine that the data was stolen "to prove a lack of security at ISPs and telcos to properly protect the information" that would be stored under the Federal Government's data retention draft policies."

This is what happens when you ignore complaints by the very people who can bring about the unintended consequences of your unfortunate internet legislation. Pushing forward with data retention bills even as it is proven that customer data is accessable seems problematic. Perhaps Anonymous and other groups can use this as an ongoing example of why such retention policies are dangerous.

Filed Under: anonymous, australia, data retention, hactivism

Not Wise: French T-Shirt Company Tries To Trademark Anonymous Logo

from the this-will-not-end-well dept

Via Asher Wolf, we learn that a French company by the name of Early Flicker, who appears to focus on making and selling pop-culture referencing t-shirts, has applied for a trademark on Anonymous' logo and slogan (pdf and embedded below).

This does not seem wise.

If you look around, there are others selling Anonymous apparel, but trying to trademark the logo, and limit its use by others isn't just playing with fire, it's directly taunting a large group of people with weapons that shoot fire... and who have little hesitation in using them.

Filed Under: anonymous, france, logo, t-shirts, trademark
Companies: early flicker

As CISPA Hits Congress, Cybersecurity Company Hypes The Fear Of Anonymous

from the fearing-fear-itself dept

Through TNW, we learn of a survey published by threat protection company Bit9 that states an attack by Anonymous is the number one thing IT security professionals fear. Doubtless the release of this survey was timed to coincide with CISPA, the dangerous cybersecurity bill that is being debated in the House this week. It's no surprise that a security provider would want to play up the fear of cyber attack, but I'm reminded of a quote from comedian Dara O'Briain: "Zombies are at an all time low level, but the fear of zombies could be incredibly high. It doesn't mean we have to have government policies to deal with the fear of zombies."

Apart from the fact that the fear of something is pretty meaningless (except to those who sell security, and those who want to pass bad laws), the details of the survey make it clear that this is entirely a matter of the hype around Anonymous:

61% believe that their organizations could suffer an attack by Anonymous, or other hacktivist groups.

Despite the utter sense of fear that Anonymous has created over the years, 62% were more worried about the actual method of attack, with malware accounting for the most cause for concern at 48%.

Only 11% of the respondents were concerned about one of Anonymous’ actual methods of attack – DDoS, while fears over SQL injections dipped to a measly 4%. Phishing was a concern for 17% of the respondents.

So, despite the fact that Anonymous apparently has them shaking in their boots, they know that their real vulnerability is malware—and that's not really Anonymous' game. The fear is manufactured.

What this survey calls attention to, though, is a fact that deserves more attention: under CISPA or a similar law, Anonymous would make a juicy target. Security companies and the government could collude and share data not only to strengthen their networks against attack, which would itself be perfectly reasonable, but also to identify and investigate Anonymous members, notwithstanding any other privacy laws. Regardless of how you feel about Anonymous' tactics, this should concern you: privacy rights and the 4th Amendment exist for a reason, and CISPA would wash them away online. The authors of the bill insist that it targets foreign entities, but it is arguably an even stronger weapon against domestic hacktivism that will inevitably be used and abused.

Filed Under: anonymous, cispa, cybercrime, fear, security

Overreacting To Anonymous Is A Greater Threat To Freedom, Innovation & Creativity Than Any Of Their Attacks

from the preach-it dept

We've noted the disturbing trend by the press and politicians to totally overreact or to pump up the actual impact and/or threat of various Anonymous hacking attacks. We've also noted multiple times that such attacks can be incredibly counterproductive -- and the press and politician backlash is part of what we're talking about. However, there is a real risk in continuing to overreact to Anonymous. The most extreme example, of course, was NSA boss General Keith Alexander insisting that Anonymous might hack power grids... while also noting that it had no actual ability to do so.

Yochai Benkler has a typically brilliant essay in Foreign Affair magazine explaining why overreacting to and misunderstanding Anonymous is ridiculous and dangerous:

Seeing Anonymous primarily as a cybersecurity threat is like analyzing the breadth of the antiwar movement and 1960s counterculture by focusing only on the Weathermen. Anonymous is not an organization. It is an idea, a zeitgeist, coupled with a set of social and technical practices. Diffuse and leaderless, its driving force is “lulz” -- irreverence, playfulness, and spectacle. It is also a protest movement, inspiring action both on and off the Internet, that seeks to contest the abuse of power by governments and corporations and promote transparency in politics and business. Just as the antiwar movement had its bomb-throwing radicals, online hacktivists organizing under the banner of Anonymous sometimes cross the boundaries of legitimate protest. But a fearful overreaction to Anonymous poses a greater threat to freedom of expression, creativity, and innovation than any threat posed by the disruptions themselves.

Benkler argues that if you look at Anonymous' actions in the "context of protest," you begin to realize that what they're doing is much more about political speech than any sort of "security" risk or terrorist threat. After detailing a bunch of hacks -- where they all had political messages of sort attached to them, Benkler notes:

The political nature of these targets demonstrates why it is patently wrong to see Anonymous purely as a cyberthreat. Opinions about the justifiability of any given attack may differ, either because of the target or because of its form. The main challenge becomes one of deciding who gets to set the boundaries of legitimate protest. If one unquestioningly accepts the validity of all U.S. government decisions, as well as the current distribution of power in the private sector, the pattern of Anonymous’ attacks seems unambiguously dangerous. But surely there must be a place for civil disobedience and protest that is sufficiently disruptive to rouse people from complacence. Viewing Anonymous purely as a matter of crime reduction or national security will lead governments to suppress it and ignore any countervailing considerations. A more appropriate, balanced response to Anonymous’ attacks would err on the side of absorbing damage and making the hacks’ targets resilient, rather than aggressively surveilling and prosecuting the network and its participants.

He notes that some of Anonymous' attacks appear to go over the line from protest to something more problematic, but most of them really are just forms of traditional protest. But the overreaction threatens to hinder all sorts of online protests and speech, which is a very dangerous precedent to set. Hopefully those insisting that Anonymous is pure evil can take the time to read Benkler's full article and reconsider their views.

Filed Under: anonymous, foreign affair magazine, hacking, overreaction, yochai benkler

EU Cybercrime Bill Targets Anonymous: Makes It A Criminal Offense To Conduct 'Cyber Attack'

from the seems-a-bit-broad dept

While we're still sorting through the crazy cybersecurity bill proposals in the US, it appears that some in the EU are going through a similar process. The EU Parliament's "Civil Liberties Committee" has approved a legislative proposal concerning "cyber attacks," which appears to ramp up criminal penalties for all sorts of broadly defined activities. It even applies criminal penalties to a company if an employee hacks into a competitor's database (even if they weren't told to do it). But where it gets scary is when it appears to directly target "hactivism" like what Anonymous does. While we still think Anonymous' DDoS attacks are incredibly counterproductive, are they really criminal?

The Committee's proposals would make it a criminal offence to conduct cyber attacks on computer systems. Individuals would face at least two years in jail if served with the maximum penalty for the offence.

A maximum penalty of at least five years in jail could apply if "aggravating circumstances" or "considerable damage ... financial costs or loss of financial data" occurred, the Parliament said in a statement.

One aggravating circumstance in which the heavier penalty could be levied is if an individual uses 'botnet' tools "specifically designed for large-scale attacks". Considerable damage may be said to have occurred through the disruption of system services, according to plans disclosed by the Parliament.

Even more ridiculous? Merely "possessing... hacking software and tools" could lead to criminal charges. Does that make everyone with a computer a criminal? This whole thing seems like a bad overreaction by politicians who are freaked out, but who clearly don't understand the technology in question.

Filed Under: anonymous, cybercrime, european union, hactivism

Attacking The Hacker Hydra: Why FBI's LulzSec Takedown May Backfire

from the top-down-approach-to-a-bottom-up-threat dept

Interesting timing. Just about the same time that we had our story concerning how LulzSec kept its own site from getting hacked, the news was breaking that the key leaders of LulzSec were being arrested, in large part because the "leader" of the group had become an FBI informant after they tracked him down last year. Of the various hacking efforts out there, LulzSec has definitely been the most brazen, so it's not a huge surprise that it would be targeted by the FBI. Also, unlike "Anonymous," LulzSec was pretty clearly an effort by a few key individuals, rather than a loose collective of folks joining and leaving at will.

As I've been saying since these various groups started their various hacking and vandalism campaigns, I think these efforts are a really bad idea, and don't do much to further the supposed causes that they're trying to support. They're only going to lead to backlash, as we're already seeing in government officials using these groups as an excuse to try to make a power grab over the wider internet.

Given that, as I've said in the past, I haven't been surprised to see the various arrests of folks supposedly associated with Anonymous or LulzSec. I expect that we'll continue to hear such stories -- in part because these kinds of stories are likely to provoke more of the same type of activity. Law enforcement keeps claiming that these arrests will frighten off others, but that shows a typical lack of understanding of what's going on. As counterproductive as these activities are, it's pretty clear that this isn't about criminal activity for the sake of criminal activity, but about dissatisfaction with what's going on in the world -- and, as such, the arrests are actually only likely to create more such activity, which is the exact opposite of what law enforcement should be seeking to do.

Not understanding who they're dealing with, and taking a top down approach to a bottom up threat, seems to be a specialty of US law enforcement.

Again, I think that the actual efforts by these folks are incredibly counterproductive and set up this "battle-siege" mentality, when the folks involved in all of this could be much more strategic in using their skills for good, rather than destruction. But that doesn't mean that we should ignore the reality of why it's happening, or how it's likely to continue to evolve. More groups will pop up, more hacks will happen and (I'm sure) more disaffected skilled computer hackers will be arrested. But none of that (either the hacking or the arrests) is likely to bring us any closer to actually dealing with the problems that created this mentality in the first place.

Filed Under: anonymous, bottom up, fbi, hacking, lulzsec, top down

File Sharing Moves En Masse To The Darknet; Good Luck Shutting That Down

from the the-industry-loses-another-generation dept

It's not like this wasn't easily predictable, but as the entertainment industry has "succeeded" in taking down Megaupload and continues to move against The Pirate Bay and others, anyone who's followed this space had to have known that file sharing would just move one step further underground. We've seen the same thing after every single "victory" against file sharing since Napster was shut down. Each time, it moves to a system slightly more underground and more distributed. The early ones were still easy to take down but as they get further underground, it just becomes worse for the industry (and makes it that much harder to win back those users). The latest news is that there's been massive uptake of a growing number of anonymous, decentralized file-sharing tools. As is pretty typical in these "shift" periods, it's still not clear which systems will "win" out over the others, but the leaders are starting to emerge. The Torrentfreak article above mentions players like Tribler and RetroShare. People in our comments have been discussing both, as well as Ares Galaxy. Who knows if any of these apps are actually any good, but it seems pretty clear that people are continuing to file share -- they're just finding ways to do so that are even harder to track down and stop. How long until the legacy entertainment industry starts publishing articles about these evil anonymous, decentralized file sharing systems and demanding new laws against them?

Filed Under: anonymous, darknets, decentralized, encryption, file sharing, underground
Companies: ares galaxy, retroshare, tribler

NSA: 'Anonymous Might One Day Hack Power Grids!' Anonymous: 'Huh?!?'

from the cyberfud dept

The fight to ramp up the fear mongering over cybersecurity has reached new and even more ridiculous levels -- in which an "anonymous" government source claims (without quotations) that the head of the NSA, Gen. Keith Alexander, recently briefed the White House claiming that the non-group Anonymous might be able to mount a cyberattack to take down parts of the power grid. The dubious sourcing already makes the story suspect, and without more context, the whole thing seems silly -- especially given that anyone who actually has any inkling of how Anonymous actually functions would question why it would ever seek to shut down a power grid. Anonymous tends to do things either for fun (i.e., for "the lulz") or (more frequently) out of a more vigilante sense of justice (sometimes misguided, but usually well meaning). The attacks are pretty carefully focused on causing temporary inconveniences, rather than lasting damage, as a sign of protest, or on revealing secret info that it feels deserves a wider airing. Attacking the power grid fits with exactly none of that -- a point that Anonymous itself made in response to this claim:

Why would Anons shut off a power grid? There are ppl on life support / other vital services that rely on it. Try again NSA. #FearMongering

But, even more to the point, the WSJ piece is so ridiculous that it's hard not to laugh when you read the following part:

A stateless group like Anonymous doesn’t yet have that capability, officials say. But if the group’s members around the world developed or acquired it, an attack on the power grid would become far more likely, according to cybersecurity experts.

I think Jerry Brito summed this up perfectly by saying:

Shorter version: Anonymous doesn’t have the power to attack the grid, but if they were able to get it someday, then they would have it. Got it.

You could go even further. I mean, why not just start listing out other hypotheticals using those ridiculous two sentences as a basis. I'll start:

• That baseball player doesn't yet have the capability to hit a baseball thrown by a pitcher, officials say. But, if he somehow developed or acquired it, his likelihood of being able to play baseball effectively would become far more likely, according to sports experts.
• An infant doesn't yet have the capability to drive, officials say. But, if toddlers around the world develop or acquire it, automobile accidents would become far more likely, according to automotive experts.
• Prisoners don't yet have the capability to shoot each other, officials say. But, if inmates around the world developed or acquired it, gunfights in prison would become far more likely, according to anger management experts.
• Techdirt readers don't yet have the capability to make clueless government officials get transferred to jobs washing toilets, officials say. But, if the community there develops or acquires it, dumb politicians being out of work would become far more likely, according to political pundits.

In what journalistic world is it okay to write something where the entire point of the article is to fear monger about a group having a certain power, and then brush aside the fact that it doesn't have that power... and appears to have no interest or possibility of obtaining that power... but then saying, "boy, if it did have that power, that would be dangerous!" None of the hypotheticals make any sense if there's no info on the interest or likelihood of the group in acquiring or using such capabilities. There is some speculation, based solely on Anonymous' (kinda stupid) idea to try to take down the entire internet to make a statement next month, that the group is moving in "this direction," but it still seems pretty silly.

Furthermore, you have to get 10 whole paragraphs down in the article, before it's mentioned that there really isn't any real "cyberthreat" to the power grid. It seems like that sort of information belongs at the top of the article, along with a message about how the rest of the article is fear mongering about stuff that really isn't likely to happen.

Filed Under: anonymous, cybersecurity, fud, nsa, online security, power grids