The Enemy Expatriation Act (S.1698/H.R.3166) - A Statement From Anonymous

(courtesy of watchingfrogsboil via flickr.com)

From thenextweb.com (hat tip AitchD):

“The AntiSec hacking group claims to have released a set of more than 1 million Apple Unique Device Identifiers (UDIDs) obtained from breaching the FBI. The group claims to have over 12 million IDs, as well as personal information such as user names, device names, notification tokens, cell phone numbers and addresses.

The hackers issued a statement with the following description on how the data was obtained:

‘During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.’

They published the UDID numbers to call attention to suspicions that the FBI used the information to track citizens. (my bolds throughout)  Much of the personal data has been trimmed, however, with the hackers claiming to have left enough for “a significant amount of users” to search for their devices.

“TNW has contacted the FBI for comment. Meanwhile, AntiSec says it will not provide further statements or interviews until a mysterious request is fulfilled – to have a photo of a Gawker staff writer dressed in a tutu featured on the company’s homepage.

Update: The TNW tech team has built a tool to let you check whether your device was included in the list.

(See below for the Gawker photo in response to Anonymous.) And from Wired’s Threat Level:

“The FBI (also) said it did not possess a file containing the data the hackers said they stole.

In a statement released Tuesday afternoon, the FBI said, “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed. At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” [snip]

But the FBI disputes this. The FBI did not say whether the NCFTA, which was allegedly referred to in the file name the hackers obtained, possessed the data.

NCFTA refers to the National Cyber Forensics and Training Alliance. The NCFTA is a non-profit that was founded in 1997 by FBI agent Dan Larkin as a conduit between private industry and law enforcement agencies to help them exchange data and cooperate on cases.  The organization’s members include financial institutions, telecommunications firms, ISPs, and other private industries.

The NCFTA did not respond to a call seeking comment”.

From computerworld.com, quoting AntiSec:

““This is our next challenge: to decide whether to become tools for the system, or for ourselves. The system plans to use us to hold the next in their endless wars, their cyberwars. Hackers vs. hackers, slaves vs slaves.” The AntiSec statement adds, “We are trapped.”

Displeased after NSA Chief General Keith Alexander spoke at Def Con, attempting to “seduce” hackers to improve Internet security and to recruit hackers for future cyberwars, AntiSec hackers said, “We decided we’d help out Internet security by auditing FBI first.” If a leak of 1,000,001 Apple device UDIDs linked to users and their APNS tokens doesn’t seem massive enough, the hackers say that’s a mere drop in the bucket and claim the original file had about 12 million!

How was this accomplished? By exploiting Java—what a shocker! And no it wasn’t the newest migraine-inducing Java zero-day for which Oracle finally issued an emergency patch. The hack was allegedly accomplished in March, so the hackers exploited the previous Java zero-day.  [snip]

“If it’s true that the FBI is tracking people via devices, it doubtfully begins and ends with Apple products.  If it’s true, it’s not very lulzy and we should all care.

The intrepid Emptywheel is on it, and says:

“There are multiple ways FBI could have collected this information–either using an NSL or Section 215 request or an insecure transmission to an ad or game server. And no one knows how the FBI was using it. Whatever you think about Anonymous, we may finally learn more about how the government is tracking geolocation.

But here’s one other concern. Assuming that’s an official FBI database, not only the FBI has it, but also the National Counterterrorism Center. And they’ve got access to whatever federal databases they want to cross-check with existing counterterrorism databases. And one of the few checks we have on the use of our data in this way is a Privacy Act SCOTUS just watered down.

This is a massive amount of data the government likely has no good excuse for having collected, much less used. But it’s likely just one tip of a very big iceberg.”

(Adrian Chen responds, in this sorta ha ha form.)

If all this is so, and I have no reason to doubt it given the host of ways our civil rights and privacy have already been stolen, today is not only another Terror Tuesday, but another in a continuing march of Funeral Days for our Constitution. Remember: any of us can now be disappeared with no recourse under the law. Feel the burn!

(cross-posted at kgblogz.com)