A small Florida online publishing company named Blue Toad has inserted itself into last week’s Anonymous/AntiSec-FBI story about an iOS data leak — making an already murky story even murkier. And while everyone likes a good crime story, this latest twist just underscores how affected users are the ones left holding the bag.
If you’re just catching up to this story: Last week, AntiSec, an offshoot of the well-known Anonymous “hacktivist” group, publicly released information on 1 million Apple device users. In their statement, they claimed it was a subset of information from 12,367,232 Apple iOS devices obtained in a file named “NCFTA_iOS_devices_intel.csv.” They went on to claim that they got this file through an attack using a Java vulnerability against an FBI Supervisor Special Agent carried out in March 2012. They claimed the information they obtained contained “[Apple iOS] Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”
However, they said, in the subset of information that they published, they stripped out personal data such as “full names, cell numbers, addresses, zipcodes,” leaving only enough for people to be able to identify their device if present.
With this information out there, third parties started to speculate on the validity of the claims and what they might mean if valid. The “NCFTA” in the alleged file name was quickly associated with the National Cyber-Forensics & Training Alliance, a public/private alliance focused on helping to coordinate and share knowledge and information around cyber crime threats. The FBI denied categorically that they ever had the data or that they had been attacked. Apple too broke their usual playbook of not commenting on security to say that “The FBI has not requested this information from Apple, nor have we provided it to the FBI or any organization.”
But denials are to be expected in situations like this, so the rumor and speculation mill has been running rampant on the idea that this might be evidence of domestic surveillance being carried out by the FBI.
It’s not uncommon for AntiSec/Anonymous to make big claims, and for government agencies to deny them — leaving the rest of us to guess whom to believe or not. And that would be the end of this story except for what happened this weekend.
Kerry Sanders and Bob Sullivan over at the Redtape Chronicles at NBC News obtained an exclusive interview with Paul DeHart, the CEO of Blue Toad Publishing, who came forward to claim that the data released most likely came from their systems.
DeHart tells NBC News that they first became aware that they could be the source when an outside security consultant named David Schuetz came to them saying his analysis suggested that the data came from them (you can read Schuetz’s analysis here). DeHart goes on to say that they launched an investigation, which suggested that the data had been taken “in the past two weeks,” but wouldn’t say any more due to the ongoing investigation.
A third party coming forward proactively to dispute the claimed source of a data leak, and to claim the leak as its own, is certainly a new twist: I can’t recall the last time I saw this. In claiming the data was taken from their systems, Blue Toad is indirectly refuting AntiSec’s claims and implying AntiSec fabricated the FBI and the NCFTA angle entirely.
While this has made the question of where the data came from even murkier than before (or than is usual in these Anonymous-related cases), it has also made the question of “who had my information in the first place?” no clearer for affected users.
Blue Toad is a company few have heard of. They note that they are “a Digital Publishing company providing Digital Editions and Mobile Apps to publishers worldwide.” Basically, they provide third-party platform support to other publishers. You’re not a Blue Toad customer; you’re a customer of their customer (their site notes they are “[t]rusted by over 30 resellers, 5,000 publishers, and 10,000 titles”). Assuming the Blue Toad claims are accurate and they lost the data, from the standpoint of those affected by this data breach this is a situation similar to the Epsilon data breach in April 2011. Here, like there, you have people who are affected by a data breach at a company they likely have never heard of. And based on DeHart’s comments, like with Epsilon, Blue Toad has no intention of notifying those affected directly, leaving it instead to the publishers (its customers) to handle.
This leaves iOS users in the unenviable position of not knowing if they’re affected or to what degree. There are sites that can let you try to look up your UDID to see if you’re affected, but one should always be wary of third-party sites. And as Gizmodo notes, just because your UDID doesn’t come up doesn’t mean that your data isn’t out there. AntiSec claimed 12 million records and Blue Toad hasn’t disputed that particular piece of information (at least not yet).
While the AntiSec-FBI/NCFTA angle makes for good fuel for conspiracy theories and the information from Blue Toad can play into that, the most important story here is that, yet again, we have a data breach where affected users are left to fend for themselves, and all of us are left to wonder if we’re in that pool of affected users.
Christopher Budd is a freelance writer and independent consultant in the areas of online security and privacy, social media, incident response and crisis communications. A ten-year veteran of the Microsoft Security Response Center (MSRC), he combines his prior career as an engineer with his communications expertise to help bridge the gap between the technical and communications realms.