Most organizations suffering data breaches don't enforce security policies, study finds

Hacktivist group AntiSec claims to have swiped 12 million unique Apple UDIDs (Unique Device IDs) from an FBI agent’s computer and published 1 million of them, according to various reports. (The FBI states that it neither suffered a breach nor collected Apple UDIDs in the first place. Apple said it has given no one any list of UDIDs and notes that as of iOS 6, they’re being discontinued.) Beyond raising some questions about privacy (why is the FBI tracking millions of Apple users, if it indeed is?), the news demonstrates once again how a single user can open a gaping security hole in a company’s IT infrastructure.

The revelation is fittingly timed. According to a study released by security company TrustWave, 87 percent of organizations that suffer data breaches do not have security policies in place, including security awareness education programs.

The group says it accomplished the breach by exploiting a Java vulnerability — though not the “newest migraine-inducing Java zero-day for which Oracle finally issued an emergency patch,” according to Computerworld.
“The hack was allegedly accomplished in March, so the hackers exploited the previous Java zero-day.” The total bounty allegedly swiped from the agent’s machine is said to be 12,367,232 Apple iOS devices, including UDIDs, user names, names of devices, types of devices, Apple Push Notification Service tokens, ZIP codes, cellphone numbers, addresses, and more, according to AntiSec’s post on Pastebin.

AntiSec pulled off the data heist because it was “displeased after NSA Chief Keith Alexander spoke at DefCon, attempting to seduce hackers to improve Internet security and to recruit hackers for future cyberwars, AntiSec hackers said, ‘We decided we’d help out Internet security by auditing the FBI first,’” according to Computerworld.

Whatever AntiSec’s rationale, the breach exemplifies the dangers of insufficient, nonexistent, unenforced, or ignored security policies. TrustWave investigated more than 300 security breaches worldwide and found that in the overwhelming majority of cases, organizations suffering breaches did not have security policies, including end-user awareness programs, in place. Curiously, 56 percent of IT professionals said security policies are communicated to new hires during orientation, but only 32 percent of employees said they received any kind of education about their organization’s security policies. Evidently, there’s a disconnect.

Seven ways users open up security holes

TrustWave identified seven ways that users expose themselves and their organizations to breaches. Among them: 15 percent of users write down their passwords and keep them on or near their workstation, an invitation for a malicious insider to take over the system.
Users are also notoriously bad about choosing strong passwords, though at the same time, organizations aren’t good about requiring users to choose appropriate passwords or to change them frequently.

Also problematic, per TrustWave: 71 percent of users surveyed said they have managed to sneak a peek at a coworker’s or stranger’s machine while he or she is away from it. One in three employees said they stay logged on to the network when they step away from their PCs. Again, that poses a clear security risk, especially at organizations in which IT fails to limit users’ access rights.

Users are also suckers when it comes to plugging wayward USB sticks into their machines. TrustWave found that 60 percent of users who find one in a parking lot will plug it into their machines. The number increases to 90 percent when the stick has the company logo on it. The danger here: USB sticks can come loaded with malware. (Per the study, 35 percent of users have experienced a virus infection via a USB stick.) Employees need to learn that connecting any device — even a mouse — to a machine is a potential threat, particularly if IT neglects to set user machines not to auto-run contents of peripherals.

Users are also prone to falling for increasingly sophisticated phishing attacks, according to TrustWave. The company found that 27 percent of organizations have top executive and privileged users who have fallen for such scams. Education goes a long way here; users trained in avoiding phishing and scam emails fell for them 42 percent less often than those without training, according to the study.

Fifth on TrustWave’s list: 70 percent of users said that they do not password-protect their mobile devices. Further, 89 percent of people who find a lost mobile device rummage through its contents. Those findings are particularly striking in this BYOD era, where employees use their smartphones for both work and personal purposes — not always with IT’s blessing.
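Two of the gaps TrustWave flags above, sessions left logged on at unattended PCs and machines that auto-run whatever a plugged-in peripheral presents, are both controllable by policy on Windows endpoints. The following PowerShell script is an added example and is not part of the InfoWorld article or of TrustWave's report. It audits the local policy values that back Windows' "Turn off AutoPlay" and "Interactive logon: Machine inactivity limit" settings and, when run with -Remediate from an elevated session, writes the expected values. The registry paths and value names are Microsoft's documented Explorer and System policy keys; the 15-minute idle limit is an assumed threshold, and on a domain-joined machine Group Policy would normally set these centrally rather than by local script.

```powershell
# Added example, not from the article or TrustWave's report: audit (and optionally
# enforce) the Windows policies behind two of the user behaviours described above.
# Run from an elevated PowerShell session; writes under HKLM require administrator rights.
[CmdletBinding()]
param(
    [switch]$Remediate   # when set, write the expected value for each failing check
)

$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$systemPolicy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$maxIdleSeconds = 900   # assumed threshold: lock the session after 15 minutes idle

# Each check names a policy value, a test of the current value, and the value to write.
$checks = @(
    @{ Name = 'AutoRun disabled for every drive type'
       Path = $explorerPolicy; Value = 'NoDriveTypeAutoRun'
       Pass = { param($v) $v -eq 0xFF }; Fix = 0xFF },
    @{ Name = 'autorun.inf commands ignored'
       Path = $explorerPolicy; Value = 'NoAutorun'
       Pass = { param($v) $v -eq 1 }; Fix = 1 },
    @{ Name = "Session locks within $maxIdleSeconds seconds of inactivity"
       Path = $systemPolicy; Value = 'InactivityTimeoutSecs'
       Pass = { param($v) ($null -ne $v) -and ($v -gt 0) -and ($v -le $maxIdleSeconds) }
       Fix = $maxIdleSeconds }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist, i.e. the policy is unset.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys may be absent on a machine that has never received a GPO; create them.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$results = foreach ($check in $checks) {
    $current = Get-PolicyValue -Path $check.Path -Name $check.Value
    $ok = & $check.Pass $current
    if (-not $ok -and $Remediate) {
        Set-PolicyValue -Path $check.Path -Name $check.Value -Value $check.Fix
        # Re-read rather than assume the write succeeded.
        $current = Get-PolicyValue -Path $check.Path -Name $check.Value
        $ok = & $check.Pass $current
    }
    $display = if ($null -eq $current) { 'not set' } else { $current }
    [pscustomobject]@{
        Check   = $check.Name
        Setting = $check.Value
        Current = $display
        Status  = if ($ok) { 'PASS' } else { 'FAIL' }
    }
}

$results | Format-Table -AutoSize
# A non-zero exit code lets a scheduled task or endpoint agent flag non-compliant machines.
if ($results.Status -contains 'FAIL') { exit 1 }
```

Run it without arguments to get a PASS/FAIL table for the three settings; add -Remediate to enforce them. The audit-then-enforce split matters in practice: reporting on its own shows how many endpoints drift from policy, which is the measurable counterpart to the survey percentages TrustWave reports.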
At number six, only 18 percent of users use a VPN tool when connecting to a public Wi-Fi hotspot. Not using a VPN is a fine way to expose one’s machine to any number of attacks, such as fake software updates.

Finally, TrustWave found that users tend to ignore company policies about using social networks: 67 percent of young workers said they think corporate social-media policies are outdated, and 70 percent of users said they regularly ignore IT policies. The impact: Just over half of enterprises said they have seen an increase in malware infections due to employees’ use of social media.

This story, “Leaked Apple IDs expose holes in corporate information security,” was originally published at InfoWorld.com.