HELEN

Get Off My LAN: A Wi-Fi / Wireless Internet Discussion

iPhones, iPads, and most i-devices are unsecure. They transmit sensitive data which can be intercepted by anyone and can be traced back to the person. This article explains how UDID's and I-devices have literally put millions of people's information at risk. This kind of stuff is need-to-know info especially in this case. :(

Forbes.com / Anonymous Hackers Didn't Steal Your Apple ID From The FBI--Thanks To Apple, They Didn't Need To

by Andy Greenberg
Forbes Staff
9/10/2012

 

Last week, the hacker group Anonymous set off a storm of outrage–its favorite recreational activity–when it claimed that it had stolen 12 million Apple device identifiers from an FBI laptop.
 

But the truth, it now turns out, was disturbing in a different way: the massive collection of users’ data came instead from one of the hundreds of obscure companies that Apple’s app model has purposefully allowed to track and identify the company’s devices in an extensive data-sharing network most users aren’t aware of.
 

On Monday, David Schuetz, a security consultant at the Intrepidus Group, revealed that he had analyzed the one million published unique device identifiers (UDIDs) of the 12 million Anonymous claimed it had stolen from an FBI laptop last March and tied the leaked data to a small Florida app publisher called Blue Toad, as first reported by NBC News.
 

After Schuetz contacted the company, Blue Toad confirmed the breach and says it reported the hack to law enforcement. “I had no idea the impact this would ultimately cause,” Blue Toad’s CEO Paul DeHart told NBC. “We’re pretty apologetic to the people who relied on us to keep this information secure.”
 

When the subgroup of the Anonymous hacker movement known as Antisec released its one million Apple UDIDs last week, the data dump led to speculation that the FBI had amassed the user IDs for surveillance purposes. The identifiers, linked to iPads, iPhones and iPod touches, are designed to allow ad networks and app makers to track devices over time. But in some situations, the IDs can be used to install new code on the user devices. New Zealand security researcher Aldo Cortesi also found a method for linking the UDIDs with users’ real-world identities, and in cases of sloppy app development even taking over their gaming, Twitter, or Facebook accounts using only the UDID.
 

When the news broke last week, Apple quickly denied giving the UDID data to the FBI and the FBI denied being hacked. But now that the real story has emerged, the ability for hackers to steal so much user data from a little-known firm like Blue Toad points to a more pervasive privacy problem, says Chris Soghoian, principal technologist at the ACLU. “What this highlights is that this identifier that exists on your phone is not as private as you might think,” he says. “There are probably hundreds or thousands of companies that have databases of UDIDs.”
 

Or as University of Pennsylvania computer science professor Matt Blaze dryly wrote on Twitter, “So, instead of being tightly held data given to the FBI by Apple, UDIDs are widely available to random app developers you’ve never heard of.”
 

The UDIDs associated with Apple devices are unchangeable, and until recently Apple allowed apps to collect and transmit the IDs willy-nilly. Another study from researcher Aldo Cortesi found that three quarters of apps transmit the user’s UDID to a remote server, almost half the time with no encryption.
 

Apple’s lax privacy model has meant that ad firms and other third parties like Blue Toad can amass large quantities of relatively private, unchangeable user identifiers without most users’ knowledge. “In this case Blue Toad didn’t even have a direct relationship with consumers–they provide services to app developers,” Soghoian says. “There’s no way for consumers to punish Blue Toad for losing their data. They’ve never even heard of them.”
 

Apple, to its credit, has started to phase out the UDID, preventing apps newly accepted to its App Store from tracking the identifiers. But the UDIDs for devices in users’ hands still can’t be changed, which privacy advocates have argued allows the problems they created to continue–especially after one million of those legacy identifiers are leaked on the Internet. “I’ve often been asked ‘What’s the worst that can happen?’,” Cortesi wrote when the UDIDs were published last week. “My response was always that the worst case scenario would be if a large database of UDIDs leaked… and here we are.”
 

Whether the FBI or other government agencies track UDIDs the same way ad networks and app makers do is still up for speculation. But thanks to a model where hundreds of firms can pass around users’ data without restrictions, it would have been a surprise if the government was left out of the party.
 

One thing is certain after Anonymous’ breach of Blue Toad, says Soghoian. “Even though this data wasn’t found on FBI computers, it’s certainly on FBI computers now.”

 

 


@Visual, so they only have e-mail working, plus their dentistry programs ONLY on their computers, maybe Microsoft Office and that's it. They can't even go online to shop or check their social sites or anything. 

The best way Helen. People can shop on-line (if they wish) and check out Facebook's pointless status updates at home. A company PC / Tablet should be set up just for business related use only.

  • Upvote 1


iPhones, iPads, and most i-devices are unsecure. They transmit sensitive data which can be intercepted by anyone and can be traced back to the person. This article explains how UDID's and I-devices have literally put millions of people's information at risk. This kind of stuff is need-to-know info especially in this case. :(

Forbes.com / Anonymous Hackers Didn't Steal Your Apple ID From The FBI--Thanks To Apple, They Didn't Need To

by Andy Greenberg

Forbes Staff

9/10/2012

 

Last week, the hacker group Anonymous set off a storm of outrage–its favorite recreational activity–when it claimed that it had stolen 12 million Apple device identifiers from an FBI laptop.

 

But the truth, it now turns out, was disturbing in a different way: the massive collection of users’ data came instead from one of the hundreds of obscure companies that Apple’s app model has purposefully allowed to track and identify the company’s devices in an extensive data-sharing network most users aren’t aware of.

Exactly. Here's another paranoid point that I realised a few years ago. What if they have a way today that nobody has the ability to hack and read the information? They can just pick certain targets of interest and record all of that data flying through the air. Record it for months and years. Later, somebody breaks that code. Now, all they do is go back to the recorded stuff and read every hash. All of these fancy new exciting things look cool, but they create a whole new set of problems. When in a transition mode, you have doubled your weak security areas. First adopters are at the highest risk.

 

I can access this site on my original way today. That was the only one disturbed yesterday.

Edited by Visual
  • Upvote 1


So last month was finally the time I had to move out of the lovely student apartment with the crazy 800Mbps/250Mbps internet into a cheap apartment.

 

The replacement I got was a 4G "Unlimited*" Mobile Router combo deal with the future hope that as the network improves, one day I might get the full 150Mbps service.

 

The Huawei E5776 on the other hand is... with issues. Connect with WiFi and I get 5-10Mbps, connect with USB, I get as much as 38Mbps downlink. Main computer gets to use the USB link and laptop, mobile and tablet can survive with the weaker WiFi link.

 

I hope an external antenna to the router can improve connectivity, if I could somehow get the cradle meant for the E5776 which improves the 4G and WiFi antennas would be great... but it costs a lot.

 

*10 000GB monthly usage allowed. Should be enough :)

Edited by Zagna


I don't want this to turn into another paranoid security discussion, so I'm going to say (as a web developer who has done research into security) that YES- you are correct, there is no such thing as perfect security. But is anyone likely to try to get your information if it's under a moderate-level security or encryption scheme? No. The fact is, your data is just not worth the time.

More to the point, your risk of data compromise, as long as you're following best security practices, is way too low to upend your life and remove your data from anywhere it can be compromised. Paranoia aside, the big companies (Microsoft, Apple, Google) have it in their best interests to keep your data safe. Breaches are phenomenally expensive in many different ways, from damage control and system improvement costs to lost business. I work for one of the biggest marketing software companies in the world, and you would not believe how zealously our data is guarded.

So, long story short: security is very important. But for 99.9% of people, "industry standard" is more than good enough and you need to be more worried about phishing or other scams.

  • Upvote 1


I don't want this to turn into another paranoid security discussion, so I'm going to say (as a web developer who has done research into security) that YES- you are correct, there is no such thing as perfect security. But is anyone likely to try to get your information if it's under a moderate-level security or encryption scheme? No. The fact is, your data is just not worth the time.

More to the point, your risk of data compromise, as long as you're following best security practices, is way too low to upend your life and remove your data from anywhere it can be compromised. Paranoia aside, the big companies (Microsoft, Apple, Google) have it in their best interests to keep your data safe. Breaches are phenomenally expensive in many different ways, from damage control and system improvement costs to lost business. I work for one of the biggest marketing software companies in the world, and you would not believe how zealously our data is guarded.

So, long story short: security is very important. But for 99.9% of people, "industry standard" is more than good enough and you need to be more worried about phishing or other scams.

Mister Atwell, we will agree to disagree. The big internet firms have been paid a lot of money from NSA for the data that they collect on everyone. The funniest thing I have seen over the last few months was wording on Google start page that claimed that they respected your privacy. They were compensated for not respecting your privacy. You are correct in assuming that the average person probably doesn't need to fear, but larger targets like banks and hospitals need to be scared out of their minds.

My real issue is that it's not that they claim that they need to protect your data, or the public will be outraged. They have been selling it for years already to their friends at marketing firms. That is the problem. Your information belongs to you, and it's not theirs to sell. They have dozens of redundant storage centers. All it will take is another compromise. One turned employee can download tens of terabytes in no time, and sell them to whichever country will pay them the most.

  • Upvote 1


I don't want this to turn into another paranoid security discussion, so I'm going to say (as a web developer who has done research into security) that YES- you are correct, there is no such thing as perfect security....

So, long story short: security is very important. But for 99.9% of people, "industry standard" is more than good enough and you need to be more worried about phishing or other scams.

I fully agree on the notion that I too don't want to make anyone paranoid about technology or the net; however, my intention is to simply inform people that may not be aware of these things so they can make an educated decision based on what they know. Not everyone can build a website or crack an encryption algorithm, which is why it's up to us that do know these things to help keep others informed.

The best way to protect yourself and those around you is to inform & be informed. There is a difference in paranoid delusions and being aware of what not to do to keep your private info private.

As a CISSP qualified specialist for telecommunications & network security, I can tell you exactly how it happens and even how the NSA tracks people because it's the same certification they require to join the NSA. Rather than doing that, look up places like Spokeo or Radaris and see for yourself my friend. You'll be shocked, trust me.


look up places like Spokeo or Radaris and see for yourself my friend. You'll be shocked, trust me.

I was shocked...I searched myself and got nothing.


^ Me neither.

 

I think twice about what information I share on Facebook or other social media services. That said, I'm not paranoid about the information. I could come up with various worst-case scenarios of how my personal and public information could be abused, but realistically, I'm just another ordinary person (though my ambition in life is to be extraordinary one day) whose information is meaningless to everyone except advertisers, and personalised ads aren't really that bad I think. I'd rather get ads for art suppliers or good local services than viagra. And I'm relatively media-savvy so it's not difficult to filter out most ads.

 

To expand on the wireless topic: What do you think about having constant wireless internet access? I'm curious to see how being constantly online thanks to 3G, 4G and so on will change us in the future.

I admit to checking my facebook far too often, I'm trying to work on that and also trying not to be online all the time because it's getting a bit too hectic.


To expand on the wireless topic: What do you think about having constant wireless internet access? I'm curious to see how being constantly online thanks to 3G, 4G and so on will change us in the future.

I admit to checking my facebook far too often, I'm trying to work on that and also trying not to be online all the time because it's getting a bit too hectic.

 

Hmm.  Interesting topic.  I find myself using my smartphone less and less, but wishing that my tablet was more connected.  All in all I think I'm on the internet less than I was three years ago.  Maybe it's lost its luster?


I'm with you on the smartphone David.  I loaded mine with apps which I progressively discarded as I used them so rarely.  About the only thing I do with the phone now is Google stuff & check websites for graceful degradation to mobile size.

 

Always on?  Not me.  Always accessible (on my terms) check.


I just updated DD-WRT on my router at home. I discovered it to use on the routers at my part-time job - they are a realty office with a coffee shop attached, so they have a fairly obvious security need. When I installed it at home and switched the DNS to Google's public DNS, I noticed a distinct speed increase. 'Tis awesome.

So, yeah. DD-WRT. Highly recommended.


@David: Here's the issue at my house. We have a large family and most of us have our own laptops and one desktop computer for printing. So that's eight computers connected to one router. Sometimes, the Internet works well and some days it just lags and shuts off in the middle. We have a wireless connection, by the way. I know that it shouldn't really matter how many people are connected to one router, but sometimes I'm not so sure. 

 

Anything to speed up the Internet? 


Possibility, a single router trying to accommodate 8 computers scattered around the house, it has to use max transmitter power to reach all, so that might be just that tiny bit too taxing for it.

Maybe a wireless extender of some sort could help split the load.

My guess.


Depending on a lot of different factors, you might want to get a higher-gain router antenna, or perhaps a router that you can program to automatically restart itself every night (to clean out any memory not cleaned up, etc).


If you decide to use a router, whatever you do, don't get a D-Link router. Worst brand ever. >_>

Good routers: Linksys/Cisco (mid- to high-end), Buffalo, ASUS.

Mediocre routers: D-Link, Linksys/Cisco (low-end).

Bad routers: Belkin, Netgear, Apple (seriously), whatever router your ISP gave you


 

Bad routers: whatever router your ISP gave you

 

I'd have to disagree 

 

The BT Broadband Hub is fantastic.  I can be on my desktop, the wife on a netbook and smartphone, the kids on consoles, laptops and smartphones (ridiculous how much bandwidth they have to use instead of the old fashioned way of actually going out and seeing people) and there's always a great speed.  It never goes off except @ 3 a.m. to update.  Excellent service and quality for £10 a month totally unlimited.


I didn't even know Apple made routers. At least now I know to stay away from them.

 

Only 2: The AirPort Express and the AirPort Extreme.  They're short-range, feature-limited, and (in many cases, usually involving non-Apple products) slow and difficult to connect to.

 

I guess the routers (provided by ISP) in your country are decent. In America, they're garbage.

 

I've heard legends of such places.  But 99/100 times, yes, they're garbage.  Compounded by the fact that they're often bundled with the modem, which means that when the one crappy piece of equipment goes down, you're stuck.
