The disclosure of 1 million purported identification numbers for Apple mobile devices focused a national spotlight on a little-known Pittsburgh nonprofit with FBI roots.
Hacking group AntiSec released the ID numbers this week, claiming the digits belong to individual iPad, iPhone and iPod Touch devices. The data are among 12 million Apple-device ID numbers — and personal information from device owners — that AntiSec claims it secured from an FBI agent's laptop. The FBI said no evidence shows “an FBI laptop was compromised or that the FBI either sought or obtained this data.”
The digital file AntiSec revealed on Sunday includes “NCFTA” in its title, fueling speculation the data might be linked to the National Cyber-Forensics and Training Alliance. The FBI formed the Oakland-based alliance in 1997 to unite law enforcement, industry and academics against online security threats.
A Downtown-based security executive said he has “no doubt” the Apple ID data did not originate with the NCFTA. The alliance would not have that type of information unless it were researching an earlier breach or leak of the same data, said Tiversa Inc. CEO Robert Boback.
Even then, he said, the alliance would not have stored the material in an Internet-accessible venue. “Short of a physical burglary, there wouldn't be a way for you to access that information” from the NCFTA, Boback said.
He said his company, which prevents identity theft and fraud, sometimes assists the NCFTA but has no financial relationship with the alliance. The NCFTA researches “vulnerabilities to try to prevent future breaches,” he said.
Alliance CEO Ronald E. Plesco Jr. did not return calls. Now a nonprofit foundation, the alliance reported $1.87 million in revenue in 2010.
An FBI spokeswoman said she could not comment on the type of data the NCFTA holds. AntiSec charged the FBI has been “using your device info for a tracking people project.”
The hacking movement, formed last summer, targets classified government information and high-profile financial institutions.
On its website, the alliance says it acts “as a conduit between private industry and law enforcement with a core mission to identify, mitigate and neutralize cyber crime.” It serves as “an early-warning system,” spreading word of digital threats among private- and public-sector members, according to an FBI report.
Its private-sector members number in the hundreds, the report states. The Carnegie Mellon Computer Emergency Response Team is one listed partner. Officials at the team did not respond to a request for comment.
Cyber-security experts called the apparent Apple-ID hacking a significant breach that should get the attention of iPad, iPhone and iPod Touch users.
“Their personally identifying information is potentially out there and quite possibly (could be) used for nefarious purposes,” said Eric Chapman, deputy director at the Maryland Cybersecurity Center.
Apple gives each of its devices a unique device identification number, or UDID. If a UDID is paired with other information about a user, such as a name, address or Social Security number, it could become a tool to pick at more sensitive data.
“Without that added information ... it's not really going to affect the person,” said James Adams, a support engineer at Sierra w/o Wires in Robinson.
It was not immediately clear how much personal information about device owners might have fallen into AntiSec's hands.
Experts advised Apple users to go to http://whatsmyudid.com and http://dazzlepod.com/apple/ to identify their UDIDs and whether they've been exposed, at least in the 1 million UDIDs released by AntiSec.
Users whose numbers are exposed should set up a free fraud alert, Boback said.
“Years ago, it seemed that a million records was unheard of. Fifty thousand records would be a large breach,” he said. “Now it seems like nothing to have a million or tens of millions of records” exposed.
The Associated Press contributed to this report. Adam Smeltz is a staff writer for Trib Total Media. He can be reached at 412-380-5676 or asmeltz@tribweb.com.
