Hackers Get Personal Info On 12-Million Apple Users… From An FBI Laptop

from the privacy-schmivacy? dept

Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to “share data” with federal government agencies, including the FBI and the NSA. As we’ve pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you’re only making it that much easier for hackers to access that info because you’re putting it in more places — some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about “protecting” from hack attacks, by increasing the sharing of data, they’d almost certainly open up new attack opportunities and make it easier for hackers to get info.

While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that — in response to a presentation from the NSA’s General Keith Alexander — they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl, who has appeared in recruitment videos for the FBI looking to hire “cyber security experts.”

The hackers claim that on his laptop, they found a csv file with:

…a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.

The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: “NCFTA_iOS_devices_intel.csv” which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website, the NCFTA…

functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.

In other words, it’s almost exactly what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA to ask why we needed CISPA, since something like that was already possible.

And now it seems to also be showing why CISPA or other similar legislation focused on increased “sharing” of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it’s going to get hacked. These kinds of things just put a giant target on their back, and now we’re seeing the harmful results of such sharing without effective privacy protections.

And the feds want more of this?

Filed Under: , , , , , , , , , , ,
Companies: apple

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Hackers Get Personal Info On 12-Million Apple Users… From An FBI Laptop”

Subscribe: RSS Leave a comment
Chronno S. Trigger (profile) says:

Re: Re: Re:

12.3 million usernames and passwords in the hands of the US government (and now lost)? Odds are 50-50 that Apple had something to do with this. The options are; Apple gave the passwords up freely, or the government hacked into Apples servers.

Ether way, 12.3 million usernames and passwords suggest that the NCFTA isn’t about teaching, nor is it about mitigating cyber crime.

Chronno S. Trigger (profile) says:

Re: Re: Re:2 Re:

“Why apple? The telcos can probably pull this and have demonstrated their propensity to roll over for the feds.”

While it may be possible for the telcos to hack their way into someone’s phone and steal their password, it’s far more likely that 12.3 million usernames and passwords came from one central source; Apple.

If we find out that all those usernames and passwords come from just one telco, then you would be right. If that is the case, then a boycott isn’t just justified, it’s required for reasons too long to get into without knowing for sure.

Wally (profile) says:

Re: Re: Re:4 Re:

The personal information such as UDID’s and credit card info are sent in data packets through the NSA computer system where the FBI sifted through to get it. This data is transmitted over the Internet and therefore does in fact get filtered though the NSA where the FBI can set flags to catch certain sets of data to collect.

What bothers me most though is that the NSA didn’t find collectimg this amount and type of data unethical.

Wally (profile) says:

Re: Re: Re: Re:

Sorry, wasn’t logged in up there. Just a theory here, but the way I see it, the NSA only collects data regardless. It is majorly disorganized because new information comes in condtantly, so the FBI orders the data they need collected. It is sent over lines that are filtered throught their computers to the FBI’s system. The data for these users was flagged so by the incompetence of the FBI and DOJ, the “warrant” was “issued” and certain data types were collected from the unorganized mess of data stored on the computers at the NSA.

FBI agent stores it on an insecure, unencrypted location (a laptop) and the data is stolen.

So Apple had nothing to do with handing any data over. As an Apple user myself, I can tell you that you have to have an Internet connection to register your device. Since the NSA computer system collects everything under the sun that is transmitted through the Internet, their computers got this information.

Androgynous Cowherd says:


What were the the feds doing with the personal information of 12 million iPhone users in the first place? Certainly they can’t all be involved in cyber-crime. Looks to me like they were gathering data on huge numbers of innocent people without probable cause.

And I doubt it was for any “cyber security” purpose, either. How does having that info help that? It doesn’t. What it *does* do is let them very quickly identify the owner of a cell phone the FBI suddenly takes an interest in for any reason, without having to go to a judge or even to Apple first after taking an interest in it. Sounds much more likely to be used to get around that pesky Fourth Amendment and track down accused drug dealers and terrorists.

Of course, the smart ones of those use burn phones purchased without a plan and loaded with prepaid minutes using anonymous cash transactions, so they a) won’t have (non-phony) names and addresses in that data and b) would be using cheaper handsets anyway (no plan, no subsidy).

So, in short, the feds’ data was useless for going after any real bad guys (though it could be very easily abused to harass random citizens), and it has now proved to be worse than useless for “cyber security” purposes.

Wally (profile) says:

Re: Re: Re:

I don’t see the acronym NSA in “FBI Laptop”. However, collecting this amount of data from 12.3 million users is wrong, but it wasn’t the NSA who kept it in an insecure location. They weren’t responsible for the FBI’s lack of competence. Why does the FBI have this info? It’s their job to filter through the data on the NSA computers.
Whether we like it or not, the NSA computers collect everything coming in and out of the country. The FBI chooses to extract whatever data they want under an ad-hock warrant approved by an even more incompetent DOJ.

pegr (profile) says:

Re: Re: Re:

Uh, no. The only way the Feds could have this data is for Apple to give to to them. And if some random Fed has it on their laptop, 1,000’s of Feds have it on their laptops.

And that it came from the laptop of a Cyber-Security specialist is just over-the-top funny. While the data itself may not be considered especially sensitive (to the FBI, anyway), they neglected to consider the sensitivity of the fact that they have the data at all. FAIL and FAIL.

Chronno S. Trigger (profile) says:

Re: Re: Re: Re:

“is just over-the-top funny”

I wouldn’t really qualify it as funny by ether definition. I would qualify it as horrifying. If they have millions of usernames and passwords from Apple, they probably also have millions from Android, Windows Mobile, and Blackberry. It’s only a matter of time before those get leaked. The US government is not a secure system.

That Anonymous Coward (profile) says:

Re: Re: Re:2 Re:

I disagree.
While this to some is funny haha, it also is a prime example of funny utoh. None of them are pleased they have the data, but there is sheer joy to be found in them getting caught spying on citizens (AGAIN) and proving it with epic failure.

I await the PR spin trying to clean this up, the calls for “investigations” that will result in not a damn thing happening to stop this. The only way it will stop is when they start putting the files on what Congresscritters are doing and publishing those, then it will be of great concern and require action to reign them in.

Someone we pay to be an expert and protect us is a moron.
They were hired by people who are supposed to make sure we have the best, we sure as hell pay enough for the very best and what we got it someone who obviously took a weekend course to be “certified”.

The problem is and continues to be the inability of the Government to move forward, like the cartels, in a logical way instead waiting for the next headline and knee-jerk overreactions.

Wally (profile) says:

Re: Re: Re: Re:

It was data collected by the NSA computers and not given by Apple. Apple requires users to have a connection to the Internet to register on their site in order buy their products. All of this was monitored by the NSA’s computer system (which picks up all incoming and outgoing traffic) from which the FBI “organizes” lists without thought or due process from the DOJ.

Wally (profile) says:

Re: Re: Re:3 Re:

They collect data from everywhere so it can be assumed its rather unorganized.

My mind is terribly anylitical and I figured that if I were to collect data using some of the most powerful computers in the world from all over the world at once, it would be quite disorganized and you would HAVE to program in a set of flags for certain bits that you desire.

That being said, knowing full well wasn’t Apple who gave it away, why did the FBI have all that data on 12.3 million users a) in one location and b)how did they get the data without a court order?

Wally (profile) says:

Re: Re: Re:4 Re:

Mind you I think you’re right, there is no rightful reason for the NSA to collect that amount of data for the FBI. Nor is there any reason whatsoever for the FBI to keep it on an insecure laptop.

I can say this as an iPod Touch user, it’s a good thing the UDID info stolen is virtually useless to hackers. Apple’s way of making you log into iTunes to approve a transaction gets in the way.

My wife and I and our parents never use credit cards on iTunes purchases, just gift cards.

PlagueSD says:

Re: Re:

Just knowing that one FBI laptop had all this personal info sitting there raises serious alarms. What was this person, Christopher Strangl, doing with all this private info on his laptop?

I’m glad I’m not the only one wondering why the personal info of 12 million people are on a LAPTOP There should be no reason that much info needs to be taken out of the FBI Building!!!

Anonymous Coward says:

It's Not for Spying on You

The FBI already has already has all your personal information and has had for many years…it’s called a Driver’s license.They also have access to all your Bank, IRS, Employment, Medical and Social Security records.
So find out what your up to or to track you is not the issue…they can easily get your mobile# and track you whenever they want.All law enforcement can.
Why they would need this much info on a laptop is anybody’s guess.
Perhaps it’s a list of naive young men that they can convince to join in a terrorist plot.

But what ever the reason, you can bet that it’s not good.

Maybe a disgruntled former Apple employee can fill us in.

Anonymous Coward says:

Oh no the hackers have stolen personal data!

This means we MUST make CISPA even stronger! We must remove ALL privacy protections from it, and government MUST be able to know EVERYTHING, including what you eat, and even where you breath air from!

But adding new cyber security regulations on private business or the government, even voluntary guidelines? NO WAY! That’s how you KILL FREEDOM!!! Do you want freedom of American businesses to die! That’s what will happen if we try to stop private businesses from leaving your personal info laying around where any hacker can steal it!

Besides, if anything goes wrong after CISPA passes we can always just blame the government! Everyone likes blaming the government!

Anonymous Coward says:

Sorry to question this whole thing, but wouldn’t it make sense that this office have access to information that might have been stolen to begin with?

Just because they were “hacked” doesn’t mean they didn’t recover the information during an investigation.

We certainly don’t have enough information to make a judgement as to why the information was in the possession of the agency/FBI. Heck – maybe he’s the hacker?!?

I’d be interested to know if this hacking occurred through a govt network or some other network. If the laptop doesn’t leave the office (in many jobs these days, the computer issued is a laptop regardless of whether you get to take it home), then the network is compromised and an individual agent might not be to blame. If the laptop does leave the office and isn’t physically compromised, then there might a problem with VPN security. If the agent is using the laptop inappropriately and exposing it to network or other threats, then it’s a different issue.

Again, not enough information to actually determine what’s going on, if anything.

And if you believe Apple isn’t getting hacked…well, hehe…keep dreaming.

Berenerd (profile) says:

Re: Re:

If you read they article, the Hackers stated that they used a security hole in Java, I believe, to get into the FBI agent’s computer. The fact that he got hacked (despite being a Cyber security expert for the FBI) means nothing to me. Everyone gets hacked. The fact that he stored sensitive information on a computer which is the number one thing you learn NOT to do when you learn to be a Computer Security person is where I cry inside. He, of all people, should have known not to have that file on his computer at all. It is things like this that make people lose the faith in the government because the people WHO SHOULD KNOW BETTER and get paid to know better, don’t and yet nothing happens to them because they are the government.

Adam (profile) says:

Corrupt App Developer...?

To everyone asserting that Apple/a Telco/the NSA must have given this data to the FBI: please see GeordiEnGorge’s comment on this Gawker story: http://gawker.com/5940273/anonymous-demands-to-see-gawker-writer-in-ballet-tutu-for-more-information-on-massive-fbi-hack

“…given the number which is no where near how many iOS devices exist, and given Apple banned developers from using those IDs over 6 months ago, something makes me suspect the FBI was getting the IDs passed on to them from a shady app developer who was using the IDs to identify specific iOS devices who installed the app.”

I don’t know enough about Apple products to add much myself. However, isn’t it broadly known that their app ecosystem is insecure enough that it could have been a very minor player acting poorly, rather than anyone major?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...