The story which broke earlier this week concerning AntiSec allegedly stealing 12 million Unique Device Identifiers (UDIDs) for iPhones and iPads from the laptop of an FBI agent has rapidly become a case of "he-said-she-said."
Regardless of who was victimised, the more interesting question is how the data was compiled, and there are hints it may have been the result of a targeted email attack.
Graham Cluley, senior technology consultant at Sophos, told us: "I'm speculating that the Java vulnerability was exploited to install malware onto the computer that then scooped up the data file."
He declined to elaborate on how the owner of the laptop may have been duped into visiting a malicious web page containing the exploit.
FBI wasn't attacked, says FBI
On Monday, AntiSec claimed in a Pastebin post that the file containing these unique identifiers for Apple devices was lifted from a laptop belonging to Christopher K. Stangl, an FBI recruiter well known for his efforts to recruit white hat hackers for the federal government.
The FBI has also adamantly denied AntiSec's claim. "At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data," the federal agency said in a statement.
The post accompanying the leaked data claimed the attackers used a zero-day vulnerability in Java back in March. The zero-day allegedly used is not the same vulnerability Oracle patched last week. If the post lied about where the data was stolen from, it may also have lied about the methods used to generate this list. It's also not known at this time why the FBI would have this list in the first place (although the implications are frightening).
Some security experts have pointed out that the list could have been generated using information collected by apps and transmitted to ad networks.
Phishing FBI agents?
However, if the Java vulnerability was really used, it is possible attackers sent targeted emails to gain access to that file, speculated Robert Graham, CEO of security firm Errata Security. The "obvious attack" is to phish the email addresses belonging to law enforcement officers that were leaked back in February, Graham wrote on the company blog.
Earlier this year, Anonymous had intercepted an email inviting 40 law enforcement authorities in the United States and various areas of Europe, including the UK, France, and Germany, to a conference call discussing LulzSec. Anonymous listened in on the conference call and posted the initial meeting invite as well as a transcript of the call. The email addresses of all the agents on that call were exposed.
Stangl was one of the 40 participants on that infamous conference call, although it's not known whether he actually attended the meeting.
After the email was leaked, attackers could phish those email addresses using the same sender address and place a link to a website hosting a Java app with that exploit, said Graham. A possible message could even refer to the fact that the call had been recorded and the transcript posted, and it was possible up to 20 per cent of the victims (8 out of 40) might have fallen for the scam, he speculated.
Hackers aren't necessarily smart, but operate from a set of well-known principles, Graham said. He commented: "If I have an e-mail list of victims, and a new zero-day appears, I'm immediately going to phish with it. It's not Chinese uber APT hackers, it's just monkeys mindlessly following a script."