IT Security Hack 1, AntiSec 0: Stolen Apple UDIDs Didn’t Come from FBI
The IT Security Hack blog told you so. AntiSec's too-good-to-be-true story about Apple UDIDs it stole from the FBI proved to be false. App-developer Blue Toad said it was the source of the stolen Apple data.
By Constantine von Hoffman, CIO
The case of AntiSec v. FBI: Who’s lying? has been decided, and the hacker group has a whole bunch of digital egg on its face.
It turns out AntiSec’s too-good-to-be-true story was just that. (I told you so last week.) The info reportedly came from app-publishing company BlueToad.
The story began last week when AntiSec posted one million Apple unique device identifiers (UDIDs) and the associated personal information to PasteBin. The group said it had 12 million Apple IDs and that it had stolen them from an FBI laptop. The FBI promptly denied any such theft.
AntiSec’s story seemed just a wee bit too perfect to be true. It began when AntiSec claimed the info came from a device used by an FBI agent named Christopher K. Stangl. Mr. Stangl is a real person and is in fact an FBI agent. He was featured in a 2009 recruitment video titled “Wanted by the FBI: Cyber Security Experts.” That would have been the type of perfect irony that PR people dream about. It was an irony level so high it set my Spidey-Sense a-tinglin’.
AntiSec’s methods of obtaining the info also seemed fishy. They claimed to have stolen the data last March by exploiting a Java security problem–not the recently discovered Java security problem, but an earlier one. Given how much Java’s problems have been in the news, this also seemed suspicious.
David Schuetz, a consultant with the Intrepidus Group, a New York-based mobile-device-security consulting firm, said he found numerous mentions of Blue Toad or variations of the name in the stolen UDIDs. He contacted the company. Blue Toad downloaded the data released by AntiSec and compared it to its own database. BINGO: The company found a 98 percent correlation.
Blue Toad CEO Paul DeHart told NBC News, “That’s 100 percent confidence level, it’s our data. As soon as we found out we were involved and victimized, we approached the appropriate law enforcement officials, and we began to take steps to come forward, clear the record and take responsibility for this.”
Am I the only one who thinks DeHart’s forthright and honest acceptance of responsibility is suspicious? Dammit man! That’s not how CEOs are supposed to behave. DeHart: Go take some lessons from Jamie Dimon right this very instant.