AntiSec hack of 12 million Apple IDs

From : AntiSec hack of 12 million Apple IDs gets ridiculous denials

Op-Ed: AntiSec hack of 12 million Apple IDs gets ridiculous denials

by Paul Wallis – Sept 5 2012

Does this sound familiar? Massive security breach, queue of people
denying it’s important, nobody’s responsible and a bit of propaganda. As
usual, a simple denial followed production of facts. Looks like
nobody’s even pretending to cover up any more

The story is that AntiSec, a hacking group related
to Anonymous, obtained 12 million records of Apple users, supposedly
from the laptop of an FBI agent. Those who use Apple products will be
aware of the type of information provided to Apple on purchase of their
products. This is fairly basic stuff, but it’s also a healthy slice of
personal ID.

AntiSec released user ID numbers, 40 character identifying numbers.
These numbers are not of themselves a way of accessing information
related to users. It looks more like they were used as proof of having
obtained the information.

The New York Times:

While the leaked identification numbers appeared to be real,
security experts said the release posed little risk. They said that
without more information on the devices’ owners — like e-mail addresses
or date of birth — it would be hard for someone to use the numbers to do

Not so much of a surprise. The “controlled release” of the Apple user
information was apparently vetted by hacker group AntiSec to make a
point, not damage user security. They had a lot more info than just user
IDs to play with.

A little more information than was contained in The New York Times article comes from CBS News:

Antisec claims that it breached the laptop of FBI special
agent Christopher K. Stangl. The group says a spreadsheet on Stangl’s
computer contained a list over 12 million Apple devices and included
UDIDs, user names, name of device, type of device, Apple push
notification service tokens, zip codes, mobile phone numbers and

That is a hell of a lot of sensitive personal information. You could swipe 12 million identities with that material.

NYT apparently also had a few bones to pick with Anonymous, which recently targeted the newspaper.

In February, Anonymous hackers intercepted a call between
the bureau and Scotland Yard. But the frequency of such attacks tapered
off after several members of Anonymous and a spinoff group, LulzSec,
were arrested in March.

Maybe not so unbiased. Global explains:

Anonymous is targeting the New York Times for the “failure of the press”
to give adequate coverage to Trapwire, what some say is a global system
of surveillance run by the US government.

I counted over 1500 news articles on Google News on the subject of Anonymous’ activities worldwide. If that’s tapering off, what’s not tapering off?

Why did the FBI have that information?

Meanwhile back on the subject which everyone seems to be trying very hard to blur as much as possible:

AntiSec did obtain those Apple user IDs.


1. If they were accessed from the FBI as claimed, how did they know where the files were?

2. If the FBI had those files, what the hell were they doing on a laptop?

3. That information, if used for law enforcement purposes, may require a warrant.

4. If not being used for law enforcement, why was it being acquired?

5. Who’s responsible for security of information held by the agency?

6. Is the FBI saying it really needs to have information on 12 million Apple users?

7. If so, why?

Denial, denial and more denial

Those questions have ramifications. The FBI denies it had the
information at all. It wouldn’t look too good if it admitted it did. The
denial didn’t wash with Anonymous.

Despite the FBI’s denial, Anonymous was not deterred.

“You know you’re doing something right if @FBIPressOffice throws caps at
you on twitter to deny an #Anonymous statement,” the @AnonymousIRC
Twitter feed wrote yesterday evening.

“Also, before you deny too much: Remember we’re sitting on 3TB
additional data. We have not even started. #funtimes #fff,” the group
posted a few minutes later.

Some more spin, this time absolutely absurd, followed on ITProPortal’s article.

However, security experts were sceptical.

“I personally think it is a PR scam by Anonymous,” F-Secure security advisor Sean Sullivan said.

PR scam? Someone gets 12 million user information files with authentic
ID numbers and it’s a PR scam for Anonymous? What are they trying to do,
sell more cookies by forcing Apple users to buy them or they’ll release
their info? Start a chat show and they need the publicity?

This is the other usual component of security excuse-making. The
security that was breached, either the FBI’s, Apple’s or more likely
both, is obviously is a major contract for somebody. Trivialize the
security breach, and downplay the significance of the failure of
security, however colossal. Someone will be dumb enough to believe the

This ridiculous crap is also pretty similar to the Wikileaks pattern of
denial. The military dropped the ball on security of major information
streams. The information was allegedly accessed by Bradley Manning, and
was released by Wikileaks. Not one other person responsible for security
has even been mentioned as having any sort of accountability for that
colossal failure. The motives of the leaks were the first thing targeted
by the spin factories.

The idea of a protest rarely gets through. All of this brings us back to
Trapwire. If surveillance is the game, the information obtained by
Trapwire obviously can’t be secure. Personal information can be obtained
by security systems which are themselves insecure. Legitimate
surveillance of actual criminals and terrorists could be compromised and
made accessible to the people under surveillance. That information
could also be “edited”.