The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

TAG | security breaches

NBC News is reporting that the iOS UDIDs leaked last week were actually stolen from Blue Toad publishing company. Comparing the leaked data with Blue Toad’s data showed 98% correlation which makes them almost certainly the source.

They checked the leaked data against their own after receiving a tip from an outside researcher who had analyzed the leaked data.

It is certainly possible that this data had been stolen earlier and that, in tracking that crime, the FBI had obtained the stolen information. This strongly suggests that this is not a case of the FBI conducting some kind of massive surveillance activity.

The other possibility is that Anonymous and Antisec are simply lying about the origin of the information as part of an anti-government propaganda campaign.

Either way, it is a big knock on their credibility, unless you think this whole thing is just a conspiracy to protect the FBI.

· ·

Forbs is reporting that Anonymous and Antisec have dropped a file with a million Unique Device ID (UDID) numbers for Apple iOS devices. They claim to have acquired an additional 11 million records which they may release later.

In addition to the identifiers, the file is said to also contain usernames, device names, cell numbers, and addresses. It is this additional personal information that seems to be the real threat here.

The Next Web has set up a tool for checking to see if your information is in the leaked data. You don’t need to enter your full UDID into the field, just the first 5 characters. That way you don’t need to trust them with your information either.

None of my iOS devices showed up on the list, so I downloaded the entire file to look it over. You can see the release and download instructions here.

Looking through the document, I don’t see any examples of particularly sensitive information. In the first field are the claimed UDID. The second field is a 64 digit hex string. After that is the name of the device, frequently something like “Lance’s iPad”. Finally is a description of the device itself: iPad, iPhone, iPod touch.

SHA hashes are 64 hex digits long, and are widely used in forensics to verify that captured evidence has not been changed. My intuition is something like that is what we are seeing in that second column.

I have no idea where the claims about addresses, and account names came from. I am not seeing anything like that.

It is interesting that Anonymous / Antisec claim that this data came from the hacked laptop of an FBI agent. This certainly raises big questions about why he would have this information on his laptop, and why the FBI has it at all.

While 12 million is a big number, it is a tiny fraction of the over 400 million iOS devices sold to date. Still, that would represent a shockingly wide dragnet if these are all being monitored in some way by law enforcement.

Of course, for all we know this list was captured evidence from some other group of hackers.

So, short answer (too late!), you probably don’t have anything to worry about here, but you might want to check to see if your device is in the database anyway.

UPDATE: It appears that the UDID may tie to more information that was immediately apparent. While Apple’s guidelines forbid tying UDIDs to specific account, of course that happens all the time. My friend Steve shared a link with me to an open API from OpenFeint which can tie a UDID to personal information. Certainly there are others which would reveal other information. The existence of these, and the leaked list of UDIDs would allow an app developer to tie a user’s real identity to their activity and use of the app on their iOS device.

UDATE 2: I find it impossible to actually read documents from Anonymous and Antisec, they are just so poorly written. It seems I missed their statement in lines 353,354 of the pastbin where they say that they stripped out the personal information. The 64 digit block is actually the “Apple Push Notification Service DevToken”. SCMagazine is reporting that the FBI is denying the laptop was hacked or that they have the UDIDs.

· · · · ·

Thanks to a PrivacyBlog reader for pointing me to this article: Blackhat SEO – Esrun » Youtube privacy failure

It looks like it is easy to find thumbnail images from YouTube videos that have been marked private.

If you have any such videos, go back and check that you are comfortable with the information in the thumbnails being public, or delete the video completely.

· · · ·

There has been a lot of attention recently to the arrest of an alleged LulzSec hacker after his anonymity was compromised by the anonymity service he was using, HideMyAss.com. Some articles on the event are here, here and the provider’s explanation here.

The reason this company was able to compromise the privacy of their user was that they had logs of user activity. They know what IP address is assigned to each user and can use that to attribute any activity back to the real identity of the person behind the account.

The real problem with logs is that they exist or they don’t. You can’t keep logs only for “bad users” but not for responsible “good users” because even if it was possible to identify them as such in advance, you would not find anything like agreement about who should fall in which category.

Many operators of privacy services, including myself, feel very strongly that such tools should be usable in countries like China to circumvent the censorship and surveillance there. Such actions are certainly illegal for the user, and probably for the provider. While being a UK company and only responding to UK court orders, they were “forced” to expose the identity of a person in the US who was then arrested by the FBI.

I don’t know enough about this case to debate whether or not this person is guilty or deserved to be arrested. My concern is that this case has demonstrated that anyone who can cause a UK court order to be severed against this company can expose their users. It also makes them a target for hacking, social engineering, infiltration and other attacks which could gain access to these logs without a UK court order.

As a general rule, if information exists and people want it, there is a very good chance it will escape, if only by accident.

Perhaps we should not be too surprised that this company failed to protect its users, when it has no visible privacy policy on the website, and there are no identifiable people standing behind the product and brand with their personal reputations.

I founded this company, Anonymizer.com, and I personally stand behind our services. We have clear privacy policies, we keep no logs of the surfing activities of our users, we have no way of identifying what user may have visited what website. We have an unblemished record of providing robust privacy since 1995.

As I have said in many previous posts, it all comes down to trust. If you don’t know who is providing the service, and don’t have the ability to research their history and gauge their integrity, you should not use that service.

· · · · · ·

Schneier on Security: Domain-in-the-Middle Attacks

Bruce Schneier on the real world effectiveness of a very simple domain name based man in the middle attack.

Here is a Wired article on the same issue showing how it was used to steal 20 GB of email from a Fortune 500 company.

· · · · ·

Vendor of Stolen Bank Cards Hacked — Krebs on Security

Brian Krebs has an interesting blog post on how all of the credit card information was stolen by a hacker from a website that sells stolen credit cards.

This is in the “don’t know whether to laugh or cry” department.

· · · · · ·

Here is a really nice analysis of the recent security breach at Lockheed Martin. The short version is that is looks like their SecureID tokens got duplicated. This is almost certainly related to the security breach at EMC / RSA.

Digital Dao: An Open Source Analysis Of The Lockheed Martin Network Breach

· · · ·

<< Latest posts