FBI, Apple leave users vulnerable after alleged AntiSec hack
- By William Jackson
- Sep 05, 2012
If you use an Apple iOS device, you probably have asked yourself if unique identifiers for your device are included among a group of 12 million that the hacktivist group AntiSec this week claimed to have stolen from an FBI laptop. And you probably haven’t gotten much help from either the FBI or Apple.
Not to worry. There are sites popping up to help you find out if you are among the compromised.
“To check your device, just input your UDID (Unique Device Identifier)/UUID (Universally Unique Identifier) into the form and we’ll run it against the database” of exposed numbers, one site offers.
Dem, GOP platforms expose divide over cyber defense
Call me cynical, but if you are worried that identifiable information from your device has been stolen and exposed by hackers I don’t think it is a good idea to submit that information to strangers through an unsecured Web site.
The site in question appears to be legitimate, and users are advised that the information they submit is not encrypted and warns them not to use their entire identifier if they are concerned about security. But without using the entire identifier, it is difficult for the user to be sure of the results of the search. The user also has no way to determine if the site he is using for advice is legitimate or is just phishing for their info.
Another problem: AntiSec claims to have posted only about 1 million of more than 12 million stolen records, so even if you download the list yourself there still are more than 11 million that can’t be checked.
What have the FBI and Apple done to ease these concerns? So far, very little. The FBI has issued a non-denial denial, saying that “at this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” This is not an outright “no,” and the feds leave open the door that they could confirm this at some other time.
Some analysts think it is likely that the breach is real because of the details provided by the hackers and the difficulty of convincingly faking the large volume of identifiers they have released.
Apple on Wednesday afternoon belatedly issued a statement to the website AllThingsD saying only that it didn't give the FBI any identifiers and that the FBI hadn't asked for any. That's something, but it doesn't answer the whole question.
What should the FBI and Apple do? At the least, come clean — especially the FBI — with a clear, unambiguous statement about whether the breach is real, and, if it is, tell users about whether their device info has been compromised and offer advice about what they can do about it. Leaving users in the dark creates more risks that we shouldn’t have to worry about.