Jon-Louis Heimerl | September 13, 2012
Initial stories were that AntiSec had hacked the FBI and stolen 12 million UDIDs and additional private information about Apple devices and users. This quickly became a hack of an FBI laptop, and about a million released UDIDs. Eventually digital publishing company BlueToad announced that they had been attacked and that the data had, in fact, been stolen from them.
It looks like there are a few stories here.
First of all, is it important if your UDID is released? Well, yes. But in the context that it is never good to release private information. The UDID in and of itself appears to hold limited value, but if you pair that up with additional private information from other breaches or data gathering, and someone can match your UDID with your name, address, and other identifying information, this can become a real problem. We all know that organizations have private data about us. And we all know that this is data we would not want made public or in the hands of someone with nefarious intent. Assembling related pieces of data is not really all that hard. Assembling aggregated data can very easily lead to long-term sophisticated attacks campaigns down the road. As a matter of fact, we should expect that.
That leads to the second story. We know UDIDs were compromised, but we do not know what else. Allegedly, the breach included some personal information. As far as we know, “some” of the data has been released but it appears that other data has been stripped. For now, we can hope that it is NOT that “other” information from the previous paragraph.
The third story is the source of the information. Did the information come from the FBI, or did the information come from BlueToad? I have seen many stories online about how BlueToad is covering for the FBI loss. Personally, I see no reason to doubt BlueToad, but I am not a conspiracy theorist.
I guess the fourth story is “what do we do about it?” Like it or not, having good, practical security in place goes a long way towards protecting your environment. Organizations need to continue understanding that they are being targeted, and need to protect their information with appropriate due care. These are not just words. “Good practice” and “due care” should mean something about the way you run your security program.
If you want to find out if your UDID was one of the ones released, be careful. There are many scams designed to get you to enter your UDID for a search. Don’t do that. Some of these are designed just to capture your UDID. If you really want to know, download the list and search, or find an https: link that will allow you to search with a partial UDID.
POST A COMMENT