Hacktivist group AntiSec claims to have swiped 12 million unique Apple UDIDs (Unique Device IDs) from an FBI agent's computer and published 1 million of them, according to various reports. (The FBI states that it neither suffered a breach nor collected Apple UDIDs in the first place. Apple said it has given no one any list of UDIDs and notes that as of iOS 6, they're being discontinued.) Beyond raising some questions about privacy (why is the FBI tracking millions of Apple users, if it indeed is?), the news demonstrates once again how a single user can open a gaping security hole in a company's IT infrastructure.
The revelation is fittingly timed. According to a study released by security company TrustWave, 87 percent of organizations that suffer data breaches do not have security policies in place, including security awareness education programs.
The group says it accomplished the breach by exploiting a Java vulnerability -- though not the "newest migraine-inducing Java zero-day for which Oracle finally issued an emergency patch," according to Computerworld. "The hack was allegedly accomplished in March, so the hackers exploited the previous Java zero-day."
The total bounty allegedly swiped from the agent's machine is said to be 12,367,232 Apple iOS devices, including UDIDs, user names, names of devices, types of devices, Apple Push Notification Service tokens, ZIP codes, cellphone numbers, addresses, and more, according to AntiSec's post on Pastebin.
AntiSec pulled off the data heist because it was "displeased after NSA Chief Keith Alexander spoke at DefCon, attempting to seduce hackers to improve Internet security and to recruit hackers for future cyberwars, AntiSec hackers said, 'We decided we'd help out Internet security by auditing the FBI first,'" according to Computerworld.
Whatever AntiSec's rationale, the breach exemplifies the dangers of insufficient, nonexistent, unenforced, or ignored security policies. TrustWave investigated more than 300 security breaches worldwide and found that in the overwhelming majority of cases, organizations suffering breaches did not have security policies, including end-user awareness programs, in place. Curiously, 56 percent of IT professionals said security policies are communicated to new hires during orientation, but only 32 percent of employees said they received any kind of education about their organization's security policies. Evidently, there's a disconnect.
Seven ways users open up security holes
TrustWave identified seven ways that users expose themselves and their organizations to breaches. Among them: 15 percent of users write down their passwords and keep them on or near their workstation, an invitation for a malicious insider to take over the system. Users are also notoriously bad about choosing strong passwords, though at the same time, organizations aren't good about requiring users to choose appropriate passwords nor to change them frequently.