Apple IDs At The Center Of Major Security Story Again [Updated]By: Chris Crum - September 4, 2012
Apple IDs are back in the news, thanks to a big hacking story, courtesy of Anonymous.
As previously reported, the AntiSec branch of Anonymous took to Pastebin to detail how it leaked a million Apple Device IDs (unique device identifier numbers – UDIDs) and other personal information by breaching an FBI notebook. They allegedly gained access to 12 million device IDs, but only published a million of them.
In the long document, the group wrote:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ”NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
The group also used the document to express support to Wikileaks and Julian Assange, and for the Russian punk band Pussy Riot.
More on that story here.
The whole thing may have some Apple users a little rattled, particularly given that Apple IDs were at the center of one of last month’s big security stories.
About a month ago, Wired writer Mat Honan wrote a lengthy piece about an “epic hacking,” he experienced. At the root of the problem were some security issues related to Apple IDs and Amazon accounts.
“Apple tech support gave the hackers access to my iCloud account,” Honan wrote at the time. “Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.”
You remember that story right? It was all over the tech news. In a later piece about his digital recovery, Honan wrote, “It’s shameful that Apple has asked its users to put so much trust in its cloud services, and not put better security mechanisms in place to protect them. AppleIDs are too easily reset, which effectively makes iCloud a data security nightmare. I’ve had person after person after person report similar instances to me, some providing documentation showing how easily their Apple accounts were compromised.”
“And due to Apple’s opacity, I have no way of knowing if things have improved,” he added.”Apple has refused to tell me in what ways its policies weren’t followed ‘completely’ in my case. Despite being an Apple user for nearly 20 years and having generally positive feelings toward the company, I no longer trust it to do the right thing in terms of protecting my data. I’ve turned off its Find My services and won’t turn them back on.”
Apple has a big event planned for the launch of the next iPhone for September 12. While that is very much anticipated by Apple users and future Apple users, perhaps another event centered around security is in order to set minds at ease.
Update: Apple and the FBI are both denying that the FBI had these IDs to begin with.