The FBI has denied claims by hacking group AntiSec that it stole 12 million Apple ID codes from a cyber security agent’s laptop.
AntiSec made the claim yesterday, leaking 1 million unique device identifier numbers (UDID) for Apple products, that it said were stolen from supervisor special agent Christopher K. Stangl’s laptop.
The group claimed that the original file contained names, phone numbers and addresses of the people who owned the devices, prompting questions about why the FBI would possess this information.
Last night, the FBI’s press office tweeted: "At this time there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data".
AntiSec says that it accessed the agent’s laptop using a vulnerability in the Java application platform, in March of this year. It gained remote access to the device and downloaded various files, AntiSec claims, including a .CSV file containing the UDIDs.
There are indications that the list of Apple UDID’s are genuine. According to security firm Imperva, "the structure and the format of the data indicates that this is a real breach. It would be hard to fake such data." This does not necessarily prove that the data was stolen from the FBI, however.
Imperva noted that the alleged breach, as AntiSec describes it, is more akin to a targetted cyber-criminal attacks than the broad attacks usually associated with hacktivists.
AntiSec was the group responsible for infiltrating a conference call between UK and Irish police officers and the FBI about their investigations into LulzSec. According to the FBI, it did this by accessing an Irish police officer’s personal email account and finding dial-in details of the conference call.
Robert Graham, of security consultanct Errata Security, speculates that AntiSec may have got hold of agent Stangl’s email address during this incident and used it to trick him into clicking a malicious link.
Graham said that targetted attacks of this kind now follow a regular pattern: when a previously unknown, ‘zero day’ security vulnerability comes to light, hackers will email their desired targets in an attempt to get them to download malware based on that vulnerabililty.
"Hackers aren’t necessarily smart, but operate from a set of well-known principles," he wrote yesterday. "If I have an e-mail list of victims, and a new [zero day] appears, I’m immediately going to phish with it.
"It’s not Chinese uber APT hackers, it’s just monkeys mindlessly following a script."