March 25, 2023

Bits Blog: Hackers Claim to Have 12 Million Apple Device Records

Unique strings of letters and numbers known as UDIDs are assigned to each of Apple’s mobile devices. (Photo: Chris Goodney/Bloomberg News)

4:39 p.m. | Updated Adding F.B.I. statement.

Hackers have released a file that they say contains more than one million identification numbers for Apple iPhones, iPads and iPod Touch devices. They claim to have obtained the file by hacking into the computer of a federal agent.

The hacking group, known as AntiSec — a subset of the loose hacking collective known as Anonymous — posted copies of the file on Sunday and, in an online message, claimed to have a total of more than 12 million Apple identification numbers and associated personal data in their possession. They said they obtained the file in March by hacking into the laptop of a Federal Bureau of Investigation agent in the bureau’s New York field office.

The F.B.I. denied that the file was obtained from one of its agents.

“The F.B.I. is aware of published reports alleging that an F.B.I. laptop was compromised and private data regarding Apple UDIDs was exposed,” the bureau said in a statement. “At this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”

Apple’s unique device identifiers, known as UDIDs, are strings of letters and numbers assigned to Apple devices. On their own, they are not of much value to hackers, but stitched together with other data — name, e-mail address, ZIP code, date of birth or driver’s license, for example — they can be used to compile a profile of a person that could be used to, say, answer their online security questions.

Apple has recently moved away from letting its app developers use device identifiers to make it harder for marketers to tie that information to other data and track users across apps. Steve Dowling, an Apple spokesman, did not return requests for comment.

“A UDID is just a jumble of digits,” said Jim Fenton, the chief security officer of OneID. “It is only powerful when it is aggregated with other information.”

In their statement on the bulletin board PasteBin, the hackers said that they had obtained a file with “a list of 12,367,232 Apple iOS devices, including Unique Device Identifiers (UDID), user names, name of devices, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

Of the file posted online, only a few identifiers were tied to e-mail addresses, apparently because the device’s owner chose to use an e-mail address when naming the device.

The hackers claimed to have obtained the file from the computer of Christopher K. Stangl, a member of the F.B.I.’s Cyber Action Team. A spokesman for the F.B.I. did not immediately comment on the reported breach, but security experts said the file could have been obtained from anywhere.

“There are a million ways this could have happened,” said Marcus Carey, a researcher at Rapid7. “Apple could have been breached. AT&T could have been breached. A video game maker could have been breached. The F.B.I. could have obtained the file while doing forensics on another data breach.”

The hackers said, in their statement, that no other file on the breached computer mentioned the list of unique identification numbers or its purpose.

For now, Mr. Carey said that without more information, the breach posed little danger to those whose identification numbers had been exposed. “This is smoke, not fire,” Mr. Carey said. “This poses very little risk. None of this information could be used to hack someone or launch an attack.”


Wealth Matters: Financial Adviser Mark Spangler Accused of Securities Fraud

Now, the former chairman, Mark F. Spangler, an investment adviser in Seattle, is being accused by the federal authorities of committing securities fraud when he put his clients’ money into investments in private companies without their consent. In an affidavit to support a search warrant of Mr. Spangler’s home, a Federal Bureau of Investigation agent claimed that he also created false statements and failed to disclose that he had an interest in two of the companies in which he invested clients’ money. One of those companies went out of business this year.

Here’s a little background: The investments at issue are so-called private placements, meant for sophisticated investors who are aware that they could make a lot of money but also that they could lose it all. In this case, the F.B.I. estimated losses of at least $46 million out of the $106 million that Mr. Spangler managed.

Ronald J. Friedman, the attorney representing Mr. Spangler, said his client had been cooperating with the federal investigation and had not been charged. He declined to give Mr. Spangler’s version of what happened or make him available for comment. A court-appointed receiver has been named to try to recover whatever assets remain.

“We’re at the front end of this,” Mr. Friedman said. He added that the allegations had “raised interesting questions about discretionary authority in accounts.”

All investors should ask how much they should trust their advisers. But for the wealthy, in particular, the case underlines the serious risks of investing in private placement deals. Whether they are set up to invest in real estate, private companies or particular types of securities, private placements are created to finance someone’s enterprise. That enterprise is usually undervalued or poised for growth. But it should be a given that it may not play out as planned.

Susan John, the current national chairwoman of the National Association of Personal Financial Advisors, said she served on the board with Mr. Spangler in the 1990s and had known him for 20 years. The organization says it prides itself on transparency.

“He was perhaps one of the strongest believers in standards for Napfa,” she said. “So it’s very difficult for me to see how he could have evolved into the person that these allegations would lead you to believe he had become.”

She said Mr. Spangler did a series of presentations showing that returns in private placements were better than in public companies for his clients, many of whom had become wealthy from stock in Microsoft and Starbucks.

In the F.B.I. agent’s affidavit, several of Mr. Spangler’s clients said that he had shown them documents saying they were putting their money in funds that would invest in publicly traded securities, but their money was put into private companies.

Because these private placements carry the risk that all the principal will be lost, most advisers recommend them only for their wealthiest clients, whose financial lives will not be affected by the loss. Mr. Spangler’s clients said in the affidavit that they told him they did not want to take any big risks with their money.

But even when clients agree to the risks, they need to look for red flags that the deal may not work or pay the returns they expect.

Perhaps the biggest one here was that Mr. Spangler was associated with the companies in which he invested clients’ money. Clients said they were not told that he was on the board of TeraHop Networks, the company that went out of business, and Tamarac Inc., which provides software for financial advisers.

With any legitimate private placement, the person offering it will provide a memorandum that discloses how the company is structured and how the promoters of the deal are paid. The memorandum should also lay out how a person’s money will be invested, what returns can be expected and what fees will be charged. Getting a lawyer or certified public accountant to read through this is crucial.
