1,000,001 UDIDs From A Trove Of 12 Million Allegedly Stolen From An FBI Laptop

[qualia]

Hacker group Antisec has released 1,000,001 pieces of data related to Apple’s UDID identification scheme. This data, if cross-referenced with Apple’s developer resources, could potentially identify a unique user’s geographic location and other specific information. In fact, the database does contain device names (for example, one UDID points to a device name “hobamain” and appeared in a search for the name “Obama”).

This leak is purported to come from a trove of 12 million UDIDs allegedly hacked from the Dell laptop of Supervisor Special Agent Christopher K. Stangl who appears in this video calling for more people to consider a career in cyber-security.

You can read details on the hack and how to find the data here.

Antisec wrote:

 

during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts.

You can check to see if your UDID is in the list using this tool or you can download the file from one of Antisec’s mirrors. The organization stripped out any identifying information they had, claiming that “we trimmed out other personal data as, full names, cell numbers, addresses, zipcodes, etc.” As it stands, the data is fairly clean, supplying only the UDID, the Push Notification service ID, and a device name. I’ve been able to identify individuals based on this data using a quick social media search but they are still not a direct 1-to-1 identifier.

This data is interesting in that it didn’t necessarily have to come from Apple and the implications of its existence on an FBI machine (or anywhere) are not clear. In short, all of this data appears regularly in iOS app developer databases and is used to deliver push notifications. Therefore, it seems most likely that this is a database dump of an app’s albeit huge user base. Any app with more than 12 million users, then, would be suspect.

Also not clear are the security implications of this data. It is a customer list and as such could contain potentially damaging information. That it was sitting, unencrypted, on any hard drive is a travesty. That it was stolen from an FBI hard drive, even allegedly, is an outrage.

How bad could this be? Programmer and security guru Aldo Cortesi writes: “I looked at all the gaming social networks on IOS – basically OpenFeint and its competitors – and found catastrophic mismanagement by nearly everyone. The vulnerabilities ranged from de-anonymization, to takeover of the user’s gaming social network account, to the ability to completely take over the user’s Facebook and Twitter accounts using just a UDID.”

How bad is is really? We’re still not clear. We have emails in to Apple and other experts but look for updates as the story progresses.

 

http://techcrunch.com/2012/09/04/antisec-leaks-1000001-udids-from-a-trove-of-12-million-allegedly-stolen-from-an-fbi-laptop/

[qualia]

mandatory data retention is looking safer and wiser by the day

[Sallubrious]

How bad could this be? Programmer and security guru Aldo Cortesi writes: “I looked at all the gaming social networks on IOS – basically OpenFeint and its competitors – and found catastrophic mismanagement by nearly everyone. The vulnerabilities ranged from de-anonymization, to takeover of the user’s gaming social network account, to the ability to completely take over the user’s Facebook and Twitter accounts using just a UDID.”

So if such data is that easily accessible and it's so easy to penetrate personal accounts with that data does that mean data gathered by intelligence services from social networking sites is redundant and unreliable ie not admissible in court proceedings

[DarkSpark]

You are forbidden to outsmart the system, to defy it, to work around it. In

short, while you may hack for the status quo, you are forbidden to hack the

status quo. Just do what you're told. Don't worry about dirty geopolitical

games, that's business for the elite. They're the ones that give dancing orders

to our favorite general, Keith, while he happily puts on a ballet tutu. Just

dance along, hackers. Otherwise... well...

 

quite an interesting read i must say, makes me think back to my younger years exploring forbidden systems. Those wer the days, now odds are i could barely even get into a protected system LOL.

[Shamanistic]

Yes Mr Government man, store all my private browsing information including my credit card details, emails/passwords, etc.

SallyD, you bring up a really interesting point regarding how reliable the information gained is to be presented as evidence in court. I'd say if this stuff continues happen the more the public will be against their information being stored. Even MSM is calling police state on that planned legislation; http://www.smh.com.au/technology/technology-news/internet-data-tracking-proposal-seen-as-a-police-state-20120828-24yvn.html

Although they still jump up and down when groups like anon, lulzsec and antisec do things like this to make the general public fear them and think their evil but why would a hacker whose worked to get your personal information for malevolent purposes then proceed to tell the world and release the whole database (stripped of personal information). I don't know about you guys but if I wanted to hack something to steal money/identity I would want to tell no one so that the least number of people changed certain details and keep law enforcement off my tail, maybe that's just me?

[IndianDreaming]

Privacy is an illusion - on the internet expecially so - The internet is the 'priest', 'doctor', 'friend' and 'parent' of the digital age. You type it and send it, its stored... especailly social "middleman between you and the person you're talking to" media. If you think it's hard to dig up that info or steal it, hmm... you're going to be dissapointed.

Edited September 5, 2012 by IndianDreaming

[qualia]

Although they still jump up and down when groups like anon, lulzsec and antisec do things like this to make the general public fear them and think their evil but why would a hacker whose worked to get your personal information for malevolent purposes then proceed to tell the world and release the whole database (stripped of personal information). I don't know about you guys but if I wanted to hack something to steal money/identity I would want to tell no one so that the least number of people changed certain details and keep law enforcement off my tail, maybe that's just me?

it strikes me as peculiar that people can support a government waging war on a sovereign nation based on nothing but lies, killing hundreds of thousands of innocent people, but they freak and demonise groups for leaking data like this (and maybe not necessarily care that TPTB were keeping it all in the first place). seems to me groups liek antisec et al. don't have malicious intent with this stuff, and probably view the leaking of personal info as collateral damage. i've reached the conclusion that the world, or the west in particular, is in the grips of a society wide sockholm syndrome, it seems people might be breaking the bonds but too late?

[ThunderIdeal]

iiNet is our champion. get behind them. they're my first choice for an ISP even if they don't have the best deal.

[chnt]

westnet uses iinet servers so the same would apply to them right?

[Distracted]

rofl that's awesome!!~~

so you just get the UDID, put it into a jailbroken iphone and you can access that person's facebook!

if what i'm reading is correct...

no idea how difficult that would be...

[DarkSpark]

Although they still jump up and down when groups like anon, lulzsec and antisec do things like this to make the general public fear them and think their evil but why would a hacker whose worked to get your personal information for malevolent purposes then proceed to tell the world and release the whole database (stripped of personal information). I don't know about you guys but if I wanted to hack something to steal money/identity I would want to tell no one so that the least number of people changed certain details and keep law enforcement off my tail, maybe that's just me?

 

Yep as theycovered briefly in their spiel the 'FBI Damage Control' teams move into action and start spreading the word about these 'Nasty Hackers' who have stolen all their phone details... Nevermind that they stole them from our government agency that stole them from you. It doesn't count when we steal because we are the social elite, we own all the money anyway the rest of you just work for us.

Funny thing is that True Hackers are only in it to prove the corruption that is so prevalent in our modern society. Yet once they do this the stupid sheep are still able to be fooled with pretty pictures and dazzling news articles to soon forget what the actual point was. All they remember is that these 'nasty hackers' stole their personal information. Who cares that they never used it for anything other than to proove a point about the dodginess of the FBI as well as just how stupid using UDIDs is

rofl that's awesome!!~~

so you just get the UDID, put it into a jailbroken iphone and you can access that person's facebook!

if what i'm reading is correct...

no idea how difficult that would be...

 

Sort of yes, as well as all the info on games played etc, anything that used the UDID for identification, Maps applications, social networking, pretty much anything. Most apps should have depreciated this feature already but undoubtedly many haven't due to laziness. Apple themselves abandoned UDIDs and asked developers to move away from them.

Not very difficult at all, anyone who is able to actually extract the list of UDIDs should have enough knowlege to be able to google and find out how to do this. As for the bas guys, they have been ddoing it for years anyway this has just brought it out into the open.

Edited September 6, 2012 by DarkSpark

[Safez]

There is no such thing as digital security and anonymity. If you don't want people accessing your personal information you must disassociate yourself from society entirely. No licences, no social security, no banking, no permanent address.

I know that this is secondary to the case in point. That electronic data retention , whilst incredibly convenient is incredulously unsecure.

It's amusing to consider the argument that electronic data retention does away with a lot of paper waste and the need for huge storage vaults considering most official documents that end up stored electronically need to be physically signed before they can be stored. ergo until the government succeeds in thumbprint/retinal/internal chip signature of their entire population; there will always be paper waste rendering the argument moot.

[ErraneousHerbalist]

For those who want a little more in-depth look: http://pastebin.com/nfVT7b0Z

Edit: Before it was a link, now it has words.

Edited September 6, 2012 by ErraneousHerbalist

[BentoSpawn]

"When the people fear the government there is tyranny, when the government fears the people there is liberty."

― Thomas Jefferson

Awesome quote I have massive amounts of respect for the founding fathers of america, incredibly smart individuals - i wish there were more people like them out there today running the countries of the world, but sadly there is not.

Edited September 6, 2012 by BentoSpawn