Hackers Get Personal Info On 12-Million Apple Users… From An FBI Laptop
from the privacy-schmivacy? dept
Much of the debate over cybersecurity legislation like CISPA and the Cybersecurity Act focused on getting more private companies to “share data” with federal government agencies, including the FBI and the NSA. As we’ve pointed out time and time again, beyond the basic privacy rules that the bills tended to bulldoze through, any time you increase the sharing of private data, you’re only making it that much easier for hackers to access that info because you’re putting it in more places — some of which will almost definitely be insecure. In other words, even though these bills were ostensibly about “protecting” from hack attacks, by increasing the sharing of data, they’d almost certainly open up new attack opportunities and make it easier for hackers to get info.
While neither bill passed (yet), the latest example of what happens when you have widespread data sharing comes from some Antisec hackers, who claim that — in response to a presentation from the NSA’s General Keith Alexander — they wanted to probe the security of various government agencies, including the FBI. End result? They claim to have hacked into the laptop of FBI agent Christopher Stangl, who has appeared in recruitment videos for the FBI looking to hire “cyber security experts.”
The hackers claim that on his laptop, they found a csv file with:
…a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: “NCFTA_iOS_devices_intel.csv” which folks at Hacker News have pointed out likely refers to the National Cyber-Forensics & Training Alliance. According to its website, the NCFTA…
functions as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime. In an effort to streamline intelligence exchange, the NCFTA will often organize SME interaction into threat-specific initiatives. Once a significant online scheme is realized and a stakeholder consensus defined, an initiative is developed wherein the NCFTA manages the collection and sharing of intelligence with the affected parties, industry partners, appropriate law enforcement, and other SMEs.
In other words, it’s almost exactly what we were told we needed CISPA to enable. In fact, during the CISPA debate, we specifically pointed to the NCFTA to ask why we needed CISPA, since something like that was already possible.
And now it seems to also be showing why CISPA or other similar legislation focused on increased “sharing” of info could actually put many more users at risk, rather than protect them. When the feds are careless with the info they receive from companies, it’s going to get hacked. These kinds of things just put a giant target on their back, and now we’re seeing the harmful results of such sharing without effective privacy protections.
And the feds want more of this?
Filed Under: antisec, christopher strangl, cispa, cybersecurity, data, data sharing, fbi, ios, keith alexander, ncfta, privacy, udid
Companies: apple
Comments on “Hackers Get Personal Info On 12-Million Apple Users… From An FBI Laptop”
Apple’s new product: iHaxulol
Re: Re:
Apple had nothing to do with he breach in security.
Re: Re: Re:
We know they “voluntarily” handed the information over to the Feds.
Re: Re: Re:
12.3 million usernames and passwords in the hands of the US government (and now lost)? Odds are 50-50 that Apple had something to do with this. The options are; Apple gave the passwords up freely, or the government hacked into Apples servers.
Ether way, 12.3 million usernames and passwords suggest that the NCFTA isn’t about teaching, nor is it about mitigating cyber crime.
Re: Re: Re: Re:
Why apple? The telcos can probably pull this and have demonstrated their propensity to roll over for the feds.
Re: Re: Re:2 Re:
“Why apple? The telcos can probably pull this and have demonstrated their propensity to roll over for the feds.”
While it may be possible for the telcos to hack their way into someone’s phone and steal their password, it’s far more likely that 12.3 million usernames and passwords came from one central source; Apple.
If we find out that all those usernames and passwords come from just one telco, then you would be right. If that is the case, then a boycott isn’t just justified, it’s required for reasons too long to get into without knowing for sure.
Re: Re: Re:3 Re:
Just say’in, there are no passwords. just UDIDs and personal information which is usually put into phones to identify who owns it. Where I want to blame apple, this information is easily gotten by Telcos.
Re: Re: Re:4 Re:
The personal information such as UDID’s and credit card info are sent in data packets through the NSA computer system where the FBI sifted through to get it. This data is transmitted over the Internet and therefore does in fact get filtered though the NSA where the FBI can set flags to catch certain sets of data to collect.
What bothers me most though is that the NSA didn’t find collectimg this amount and type of data unethical.
Re: Re: Re:
well, except for giving out the information on 12 million customers to begin with.. duh.
Re: Re: Re:
Supposedly secure Apple data ends up on an FBI laptop. How is it possible that Apple has “nothing to do” with this breach?
Re: Re: Re: Re:
Sorry, wasn’t logged in up there. Just a theory here, but the way I see it, the NSA only collects data regardless. It is majorly disorganized because new information comes in condtantly, so the FBI orders the data they need collected. It is sent over lines that are filtered throught their computers to the FBI’s system. The data for these users was flagged so by the incompetence of the FBI and DOJ, the “warrant” was “issued” and certain data types were collected from the unorganized mess of data stored on the computers at the NSA.
FBI agent stores it on an insecure, unencrypted location (a laptop) and the data is stolen.
So Apple had nothing to do with handing any data over. As an Apple user myself, I can tell you that you have to have an Internet connection to register your device. Since the NSA computer system collects everything under the sun that is transmitted through the Internet, their computers got this information.
Re: Re: Re:2 Re:
…or Apple handled that info over because the NSA won’t admit to spying on Americans, even to the FBI, and wouldn’t trust the evidently incompetent FBI with proof of their having done so.
Re: Re: Re:2 Re:
I think it’s far more probable that Apple handed the data over. Even if they did not, though, the scenario you described above makes Apple look even worse, as that would mean they suffered a direct failure of security rather than an intentional release.
Re: Re: Re:2 Re:
Any particular reason their “warrant” only flagged apple devices?
Should I assume anyone using an apple device is a crook?
Re: Re: Re:3 Re:
yes, yes they are.
Re: Re: Re:
Yeah except for the fact they had to have given it to the FBI… you must be one of those iQueers who still have necrophiliac fantasies of sucking steve jobs off.
Cyber-insecurity
What were the the feds doing with the personal information of 12 million iPhone users in the first place? Certainly they can’t all be involved in cyber-crime. Looks to me like they were gathering data on huge numbers of innocent people without probable cause.
And I doubt it was for any “cyber security” purpose, either. How does having that info help that? It doesn’t. What it *does* do is let them very quickly identify the owner of a cell phone the FBI suddenly takes an interest in for any reason, without having to go to a judge or even to Apple first after taking an interest in it. Sounds much more likely to be used to get around that pesky Fourth Amendment and track down accused drug dealers and terrorists.
Of course, the smart ones of those use burn phones purchased without a plan and loaded with prepaid minutes using anonymous cash transactions, so they a) won’t have (non-phony) names and addresses in that data and b) would be using cheaper handsets anyway (no plan, no subsidy).
So, in short, the feds’ data was useless for going after any real bad guys (though it could be very easily abused to harass random citizens), and it has now proved to be worse than useless for “cyber security” purposes.
Re: Cyber-insecurity
Big bruddah be watchin’ you mon
Re: Cyber-insecurity (Perspective)
That is roughly 5% of ALL iOS devices. Those are generally your top end consumers.
Another indicator of the 1% being criminals.
Re: Re: Cyber-insecurity (Perspective)
If all 12 million are US citizens (and there are not duplicates), it is information on roughly 4% of the US population.
Why is that amount of data on a damned laptop in the first place?
Re: Re: Re: Cyber-insecurity (Perspective)
NO. The question is WHY IS THAT DATA BEING COLLECTED IN THE FIRST PLACE? We already know they are incompetent, its the FBI, ffs.
Re: Re: Re:2 Cyber-insecurity (Perspective)
^ True
Re: Re: Re:2 Cyber-insecurity (Perspective)
umm umm ummm because we can!
Think of the children!
Worry about the terrorists!
Pay no attention to that list of supposed “rights” and laws, there is something bad out there and we will find it!
Sadly they need only look in the mirror to find it.
Re: Re: Re:2 Cyber-insecurity (Perspective)
Why? Why? Because you all simultaneously bent over and had your rights stolen from you. Good job. This is why you pay attention.
Re: Cyber-insecurity
“Of course, the smart ones of those use burn phones purchased without a plan and loaded with prepaid minutes”
Burner phones are passe. Now, there’s an app for that.
http://arstechnica.com/business/2012/08/burner-wants-to-help-you-temporarily-obfuscate-your-phone-number/
Before anyone blames the NSA, I want people to know that this is an FBI competance problem and not the NSA. FBI now stands for “Fucked Below Intelligence”.
Re: Re:
“From Buttholes, Information.”
Re: Re:
So you don’t think that having a massive amount of information that the NSA/FBI has NO REASON TO HAVE is part of the issue? Since when have 12.3 million iPhone users become the subject of a government investigation?
Re: Re: Re:
I think the more important thing is that the FBI have free access to 12.3 million cash accounts and possibly even more personal information, such as Facebook account info, e-maila ddresses etc.
Re: Re: Re:
I don’t see the acronym NSA in “FBI Laptop”. However, collecting this amount of data from 12.3 million users is wrong, but it wasn’t the NSA who kept it in an insecure location. They weren’t responsible for the FBI’s lack of competence. Why does the FBI have this info? It’s their job to filter through the data on the NSA computers.
Whether we like it or not, the NSA computers collect everything coming in and out of the country. The FBI chooses to extract whatever data they want under an ad-hock warrant approved by an even more incompetent DOJ.
Re: Re: Re:
“Since when have 12.3 million American iPhone users become the subject of a government investigation?”
ftfy
Re: Re:
So the obvious question becomes, if the FBI has this information… what does the NSA not have?
Re: Re: Re:
Precisely 🙂 but the difference is that the NSA isn’t stupid enough to store it on a laptop.
They dont really care
who gets to your info as long as they get it first.
So, does this mean Apple will sue the FBI? I kinda want to see that lawsuit go down.
Re: Re:
I doubt it. Corporations don’t give a fuck what happens to their users. They’ll put up some silly “we got hacked, sorry” note and forget it ever happened.
Re: Re: Re:
Uh, no. The only way the Feds could have this data is for Apple to give to to them. And if some random Fed has it on their laptop, 1,000’s of Feds have it on their laptops.
And that it came from the laptop of a Cyber-Security specialist is just over-the-top funny. While the data itself may not be considered especially sensitive (to the FBI, anyway), they neglected to consider the sensitivity of the fact that they have the data at all. FAIL and FAIL.
Re: Re: Re: Re:
“is just over-the-top funny”
I wouldn’t really qualify it as funny by ether definition. I would qualify it as horrifying. If they have millions of usernames and passwords from Apple, they probably also have millions from Android, Windows Mobile, and Blackberry. It’s only a matter of time before those get leaked. The US government is not a secure system.
Re: Re: Re:2 Re:
I disagree.
While this to some is funny haha, it also is a prime example of funny utoh. None of them are pleased they have the data, but there is sheer joy to be found in them getting caught spying on citizens (AGAIN) and proving it with epic failure.
I await the PR spin trying to clean this up, the calls for “investigations” that will result in not a damn thing happening to stop this. The only way it will stop is when they start putting the files on what Congresscritters are doing and publishing those, then it will be of great concern and require action to reign them in.
Someone we pay to be an expert and protect us is a moron.
They were hired by people who are supposed to make sure we have the best, we sure as hell pay enough for the very best and what we got it someone who obviously took a weekend course to be “certified”.
The problem is and continues to be the inability of the Government to move forward, like the cartels, in a logical way instead waiting for the next headline and knee-jerk overreactions.
Re: Re: Re: Re:
It was data collected by the NSA computers and not given by Apple. Apple requires users to have a connection to the Internet to register on their site in order buy their products. All of this was monitored by the NSA’s computer system (which picks up all incoming and outgoing traffic) from which the FBI “organizes” lists without thought or due process from the DOJ.
Re: Re: Re:2 Re:
[citation needed]
Never attribute to Echelon what you can get with a post-it note demand for data under widely abused terrorism laws.
Re: Re: Re:3 Re:
They collect data from everywhere so it can be assumed its rather unorganized.
My mind is terribly anylitical and I figured that if I were to collect data using some of the most powerful computers in the world from all over the world at once, it would be quite disorganized and you would HAVE to program in a set of flags for certain bits that you desire.
That being said, knowing full well wasn’t Apple who gave it away, why did the FBI have all that data on 12.3 million users a) in one location and b)how did they get the data without a court order?
Re: Re: Re:4 Re:
Mind you I think you’re right, there is no rightful reason for the NSA to collect that amount of data for the FBI. Nor is there any reason whatsoever for the FBI to keep it on an insecure laptop.
I can say this as an iPod Touch user, it’s a good thing the UDID info stolen is virtually useless to hackers. Apple’s way of making you log into iTunes to approve a transaction gets in the way.
My wife and I and our parents never use credit cards on iTunes purchases, just gift cards.
Re: Re:
Oh come on, we all know how that would go down:
Apple:”We are going to sue you for loosing our customers data!”
FBI:”You can’t sue us for that.”
Apple:”Why can’t we?”
FBI:*points to their logo* “MotherFuckingEagle! That’s why!”
Re: Re: Re:
Entar.net
Of course they want more of it, government bureaucracy always wants more, no matter what that more of is. It just feeds and grows without thought of consequence.
12 MILLION people’s private info compromised in one fell swoop. That’s cyber-security at work.
Just knowing that one FBI laptop had all this personal info sitting there raises serious alarms. What was this person, Christopher Strangl, doing with all this private info on his laptop?
Re: Re:
I’m glad I’m not the only one wondering why the personal info of 12 million people are on a LAPTOP There should be no reason that much info needs to be taken out of the FBI Building!!!
Re: Re:
More importantly, what was the FBI doing with all this private info at all?
‘you’re totally safe in our hands’, said the FBI. ‘you can put your trust in us!’
they, like the rest of the law enforcement agencies, cant be trusted to close a door!
Re: Re:
“they, like the rest of the law enforcement agencies, cant be trusted to close a door!”
Duh! They only specialize in opening doors! Congratulations, 12.1 Million doors now opened in the blink of an eye.
any particular, valid reason why the info on this number of people/devices is needed in the first place? are they all suspected, dirty terrorists?
Re: Re:
If this is true, 2 of my avid Apple user friends are on the 1,000,001 list. I should turn them in! Are YOU on the list? http://kimosabe.net/test.html
MIGHT
Hackers MIGHT HAVE gotten Personal Info On 12-Million Apple Users, you mean.
There’s no proof any of this is legit yet.
Re: MIGHT
I applaud your skepticism but these UDID’s seem to be extremely legitimate. There are numerous security experts reporting their devices on the list. Here is an example:
https://twitter.com/peterkruse/status/242936275420717056
FBI Spying
The NSA is spying on everyone in the USA. Didn’t you hear the news? Perhaps the FBI/NSA have a data sharing agreement?
http://www.rt.com/usa/news/nsa-whistleblower-binney-drake-978/
http://www.wired.com/threatlevel/2012/07/binney-on-alexander-and-nsa/
It's Not for Spying on You
The FBI already has already has all your personal information and has had for many years…it’s called a Driver’s license.They also have access to all your Bank, IRS, Employment, Medical and Social Security records.
So find out what your up to or to track you is not the issue…they can easily get your mobile# and track you whenever they want.All law enforcement can.
Why they would need this much info on a laptop is anybody’s guess.
Perhaps it’s a list of naive young men that they can convince to join in a terrorist plot.
But what ever the reason, you can bet that it’s not good.
Maybe a disgruntled former Apple employee can fill us in.
No "might-have's" about it...
“Hackers MIGHT HAVE gotten Personal Info On 12-Million Apple Users, you mean.”
From the article…
The hackers have released 1,000,001 UDIDs and APNS tokens to prove they had the data, stripping out the personal info. The file they found was called: “NCFTA_iOS_devices_intel.csv”
Shiny New Legislation
Soo… every time someone proposes one of these terrible new laws that gives the Government the authority to do something we’re pretty sure the people don’t want the Government doing, there’s someone at a federal agency going “shutup-shutup-shutup”, because they’re already doing it.
Oh no the hackers have stolen personal data!
This means we MUST make CISPA even stronger! We must remove ALL privacy protections from it, and government MUST be able to know EVERYTHING, including what you eat, and even where you breath air from!
But adding new cyber security regulations on private business or the government, even voluntary guidelines? NO WAY! That’s how you KILL FREEDOM!!! Do you want freedom of American businesses to die! That’s what will happen if we try to stop private businesses from leaving your personal info laying around where any hacker can steal it!
Besides, if anything goes wrong after CISPA passes we can always just blame the government! Everyone likes blaming the government!
Sorry to question this whole thing, but wouldn’t it make sense that this office have access to information that might have been stolen to begin with?
Just because they were “hacked” doesn’t mean they didn’t recover the information during an investigation.
We certainly don’t have enough information to make a judgement as to why the information was in the possession of the agency/FBI. Heck – maybe he’s the hacker?!?
I’d be interested to know if this hacking occurred through a govt network or some other network. If the laptop doesn’t leave the office (in many jobs these days, the computer issued is a laptop regardless of whether you get to take it home), then the network is compromised and an individual agent might not be to blame. If the laptop does leave the office and isn’t physically compromised, then there might a problem with VPN security. If the agent is using the laptop inappropriately and exposing it to network or other threats, then it’s a different issue.
Again, not enough information to actually determine what’s going on, if anything.
And if you believe Apple isn’t getting hacked…well, hehe…keep dreaming.
Re: Re:
If you read they article, the Hackers stated that they used a security hole in Java, I believe, to get into the FBI agent’s computer. The fact that he got hacked (despite being a Cyber security expert for the FBI) means nothing to me. Everyone gets hacked. The fact that he stored sensitive information on a computer which is the number one thing you learn NOT to do when you learn to be a Computer Security person is where I cry inside. He, of all people, should have known not to have that file on his computer at all. It is things like this that make people lose the faith in the government because the people WHO SHOULD KNOW BETTER and get paid to know better, don’t and yet nothing happens to them because they are the government.
WHY...
just some important questions to be asked
why do they have this information in the first place?
why are the warrant & case #’s not in the spreadsheet?
why is this data outside of the firewall?
why are passwords included on the same doc?
and finally… why the hell is an gov IT guy using a mac?
Re: WHY...
Um, it was a Dell Vostro.
Why are you assuming it was a Mac?
Corrupt App Developer...?
To everyone asserting that Apple/a Telco/the NSA must have given this data to the FBI: please see GeordiEnGorge’s comment on this Gawker story: http://gawker.com/5940273/anonymous-demands-to-see-gawker-writer-in-ballet-tutu-for-more-information-on-massive-fbi-hack
I don’t know enough about Apple products to add much myself. However, isn’t it broadly known that their app ecosystem is insecure enough that it could have been a very minor player acting poorly, rather than anyone major?
Oh please, this isn’t about cybersecurity it’s about censorship. Who cares if a little data is hacked away, it’s just collateral damage. They can still spy on their citizens.
Can we please start treating all of this circus as the issue really at hand?
Re: Re:
Not until we all get our cotton candy and a coke!
I know what UDID last summer.
You tee ’em up, I’ll hit ’em.
jailbroken??
i wonder if they are jailbroken phones? people freely jailbreak the devices without knowing exactly what is being installed. just curious
They should be...
Good, the Apple users should be tracked, bunch of freaks…
Apple Users feeling the danger..!!
Apple users find their computer security under threat. So what’s the next step. Will someone sue FBI?
Re: Apple Users feeling the danger..!!
Ugh. I really hope this shameless add is reported….seriously.
Re: Apple Users feeling the danger..!!
Don’t go to the URL provided from PCCare427, it’s a scam site:
http://www.ripoffreport.com/computer-service-repair/pc-care-247/pc-care-247-norton-pccare247-c-645bb.htm
Re: Apple Users feeling the danger..!!
More proof that PCCare427 is a scam.
http://forums.techguy.org/general-security/1044190-pccare247-legitimate.html
iPwnd...
[/thread]