Slashdot Mirror
Apple Support Allowed Hackers Access To User's iCloud Account
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
.... macs sure are shiny!
But understand that it will cause massive unhappiness for the majority of cases where(for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grand-children's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
I'm waiting for a 'hacker' to remote wipe every iPad, iPhone and Mac (needs to be enabled for iCloud and running 10.7.2+)!
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.
There's no -1 for "I don't get it."
The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim. But the best part? The INSANE posts to the original article: Death threats from "Navy Seals", tons of homophobic comments and hatred for days. Oddly, very few were able to respond directly to the original post since the comments were so ridiculously incendiary. Sadly the adage still applies:Think before you post or you are toast!
Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...
I'm not a complete idiot... Some parts are missing.
I don't doubt social engineering is a possible (and likely) culprit - but the guy had a seven character password. A dictionary attack could probably crack that pretty easily. And if you were a hacker that was successfully using dictionary attacks... would you want to draw attention to that fact, potentially driving future targets to improve their passwords?
"d3l!ver" isn't a very secure password, dude.
#DeleteChrome
What is your age and date of birth?
*Reads directly from targets facebook*
Thank you sir. Please hold one moment...
We've verified your account what can I do for you today? Change shipping address? Change password? Change email? Purchase 30,000 worth of fetish gear?
No problem Mr Shimomura.
A neighbor had a similar problem several years ago - but that was with her bank account. Someone convinced the online support person to help her and as a result she lost the contents of her checking and savings accounts. No, the bank did not refund the money.
All this shows is that if a hacker knows enough about you to convince someone else that they are you, you can lose a great deal. This guy should count himself lucky.
It's a very fine line between providing good customer support and helping them, and being hard-nosed and losing a customer. When I was pick-pocketed in Paris it was a major issue getting a new American Express card to pay my hotel bill - the AMEX agent apologized for the incredible amount the fact checking that was needed, but they did provide superb help when I did manage to pass their validation checks.
Had the user set up Two Factor authentication, his Google stuff probably would have been safe"
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack, relying on a single point of security, makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely
to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Sig Battery depleted. Reverting to safe mode.
Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay
First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh
City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&
Well you gave Apple permission to do all that stuff, and then they turned out to be untrustworthy, which shouldn't have been a surprise. You work for Gizmodo, surely you should have known about all the ways in which Apple has been incompetent and/or stupid in the past regarding security.
Nope, no sympathy here.
...I demand all employees to only use official company communication services for company related communications.
If you forget your password ask your system admin who knows your face for help.
For personal data, (which I don't care about) I suggest you do not put it into the "trusting" hands of corporates.
You have been warned.
Your friendly neighborhood,
BOFH
You cannot stop a successful social engineering attack. Technology cannot solve a problem like this. Only a change in policy can.
The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.
People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.
Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to greant access to the account.. because if they technically can, someone will social engineer one to do so...
Seems about right. For someone who purports to be in touch with tech and security trends, that guy is kind of fail. If you know what you're doing, iCloud, and anything involving iLife or .mac is NOT the right answer.
If the only way you can accept an assertion is by faith, then you are conceding that it can't be taken on its own merits
Yesterday a hacker gained access to Mat Honans...
Let me introduce to you to Mr Apostrophe.
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
systemd is Roko's Basilisk.
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registraiton-information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is how SpiderOak does it. https://spideroak.com/faq/questions/13/what_if_i_forget_my_spideroak_password/
I wonder if Mat Honans had enabled the two step authorization steps for his Google account. A stolen cell phone would make that useless, but at least it would offer another hurdle for a hacker to jump off of.
Take that gizmodo!
The fact that the Apple account happened to be owned by a Gizmodo editor was just a coincidence. I'm sure Gizmodo wouldn't benefit from the increased traffic and this story isn't just a continuation of their suspected anti-Apple bias.
I think a slightly better option would be "If my password is reset then wipe all data from my accounts and lock it out for a further few days before reactivating it".
I prefer the solution at webex - I have a weblink, that opens to a page showing my current password in cleartext.... ...others should really implement this, seeing how userfriendly it is!
I don't have any sympathy for one of Gizmodo's shitty, asshole writers. Especially when every compromise other than iCloud is is own fault.
It is sad that it's still this easy to social engineer your way in to an account for which you have absolutely no proof of ownership.
the sheer destructive/malicious -ness of this attack makes it sound very personal (either something against the user or Gizmodo - the compromise gave access to Gizmodo's Twitter feed).
you can't execute a social engineering attack without knowing something about the user.... some random attacker might have been able to get enough info from past his blog posts to launch the attack, but this smells more personal. Apple uses out of wallet info for their security questions - the whole point of OOO is asking questions that ONLY the user (or someone close to them) would know.
I got asked OOO by my bank.. some of the questions
1) who is related to you (list of 4 names - none match)
2) what city have you visited before (list of 4 cities - one match)
You don't have this kind of info unless you know me.
Must be nice to have friends at Google and Twitter to get around the massive communication blocks that are normally put up. If this were to happen to us mortals, what could we have done? If we were not online writers with a reputation, would AppleCare have done anything in response to our emails? This reminds me of when Senator Kennedy found his name on the no-fly list, and he just called up Tom Ridge (three times).
And no backups because the "Cloud" is the backup, right? HAHAHAHA. This is beyond stupid. Seriously.
If the best Apple can come up with against device theft is the ability to remotely wipe them, then their customer base deserves everything they get. Personal responsibility needs to be burned into those morons with pain. Lots of pain. Maybe then they'll pay attention to what the fuck they are doing.
No pity for this fool.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
You *can* more or less do that just encipher everything you store on others peoples systems before you upload it. They don't need the keys. My friends and I use drop box a fair amount, to trade files asynchronously but we run all our files thru openssl first and the certificates have never been anywhere near dropbox.
Unless someone can break AES or gets the certs and the passwords protecting them via rubber-hose crypto analysis its safe and nobody will enable *recovery*.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Sure, but getting the data wasn't a goal here. Infact, they appear to specifically wiped out the data. It's the accounts that are valuable, not what is in them.
2 factor authentication solves nothing if you have a good social engineer: http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering
CNET just reports it. Every one of their sentences about the info says "according to..." or "journalist blames".
Careful, multiple stories written by reading one report is not any kind of confirmation, it's just repetition.
http://lkml.org/lkml/2005/8/20/95
There really is no substitute for regular, tested backups. Hell, device backup is even built into iTunes. Given Gawker Media's "fuck 'em" attitude towards users not so long ago regarding their password breach I'm finding really hard to find any sympathy for one of their employees getting hacked.
XBox live was getting hit by this a couple of years ago too
You know how Xbox Live "solved" the problem? You have security questions. And if you can't remember them, and paid with paypal, they tell you they "can't" terminate your membership, and will therefore steal your money. Well, they don't admit that it's stealing, of course. They will let you sign up for Xbox Live with just your Xbox, but you can't terminate it from there, and you have to use Internet Explorer to access their site. Then they will keep trying to charge your paypal account for months (sending you email about how your Xbox Live account may be suspended soon every so often) before they will finally cancel your membership.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
"If you don’t store it yourself it’s going to be stored by a guy taking taking advantage of you deeply, erradicating your privacy and making you the android of him."
-
Eben Moglen
https://www.softwarefreedom.org/events/2012/hope_moglen-speech-2012.html
https://www.youtube.com/watch?v=r3yIarp3J2o
idk, but to me this seems like another case of a "news outlet" (to use the phrase loosely) creating news... like that one site did a while back with antennagate.
The Admin and the Engineer
I've never even heard of a brute force attack succeeding for something like this. Presumably iCloud is set up to respond intelligently to repeated login failures. I'm a little surprised that somebody who edits a major tech site doesn't realize that this is standard practice.
when your product is for dummies you only need dummy support right?
I find this hard to believe. There is no way that anyone could fool an, "Apple Genius." I mean, come on, they are geniuses, it says so right in their title.
I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes)
If you read his original account, it's littered with this kind of thing:
.... and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting
It really must be nice to have these kind of contacts when this kind of situation occurs.
Thought about the problem in the context of my MacBook. The (conflicting) goals would be: 1. I want to be able to wipe my MacBook remotely when it is stolen. 2. I want to be able to do this even when I forgot or lost important information to identify myself. 3. I don't want a hacker to remotely destroy the information on my Mac.
Obviously the first step is to have a backup. If you don't have a backup, you are f***ed. If you have a backup, worst case you buy a new MacBook, install the backup, and you're done. The problem is that Apple (or whoever controls remote wiping) cannot possibly distinguish between cases (2) and (3). So you have the choice of allowing thieves to empty your bank accounts even though Apple could have destroyed the info, or allowing hackers to remotely wipe your computer.
With encrypted hard drives, there would be a way around this (kind of). Apple's volume encryption uses a primary key that is stored on your hard drive in encrypted form, and a secondary key that is used to decrypt the primary key. You are given the secondary key when the hard drive is encrypted, and you can write it down and put it into your safe. And then you have the password that you enter, which is used to decrypt the secondary password. Remote wiping is easy: Just wipe the encrypted primary key, and there is no way to reconstruct it. Now the alternative: When you convince Apple to remotely wipe the computer, they could generate a key and store it at Apple, then encrypt the encrypted primary key again with that key. The hard drive cannot be read. To access it, you'd have to go to an Apple Store in person with proper ID, and then the can remove the second encryption. Inconvenient obviously, but not as bad as permanently wiped.
Agreed, recovery and escrow present an equal if not larger hole through the backdoor of any online data vault than through your login account.
Apple, Google, Microsoft, RIM, Amazon, Dropbox and other tech companies that operate extensive online services which store user data and provide device synchronization must evolve toward _banks_ and incorporate business practices from Brinks and the Pinkertons to maintain customer trust.
Operating an online data storage service is akin to operating a vault, but many service providers today aren't thinking in terms of armed robbery and state-or-corporate sponsored, very sophisticated attacks. One hacker social engineers his way into a journalist's iCloud account? Much more is certainly possible. Tie online storage that syncs to your physical devices, and you have a distributed safe deposit box, where its multiple access methods arguably make it weaker, not stronger.
Consider: if it's easy for you to access from anywhere, it's easy for you to lose from anywhere. If it's important, you should keep a copy _offline_.
(an editor at Gizmodo)
And furthermore, Mat Honan works for Wired, not Gizmodo.
I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.
It never ceases to amaze me that my Diablo III loot is better protected than my salary.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
I'll have an Old Fashion for Old Times Sake.
XD
My /. passphrase is tickling.
Totally.
I can't even find a bank that will offer me two factor authentication here in Atlantic Canada. RBC will do it for _corproate_ customers.. which is even more maddening because it means they have the infrastruction in place, they just won't let us peons down here use it..
Paypal offers better security than my bank. If I'd said that not to long ago people would look at me funny.. kinda sad!
Unfortunately PayPal won't even allow us here down under to use 2-factor authentication. We have to use the "pray it isn't hacked" security our banks use.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
You could be in a car accident tomorrow, resulting in short-term amnesia. You could have a stroke. You could just get old and start forgetting things. Your solution doesn't fly, I'm afraid. There is no absolute solution, but your solution could be much worse than the problem
http://www.lurkmore.com/wiki/Apple
Your answer can not contain any characters that aren't in the [A-Z][a-z] range and can not be more than 12 characters. Also, they do not exist on our list of pre-approved names and Cities. If you were born in Mooselookmeguntic (ME), or Chickasawhatchee (GA) you will not be able to use our service. Have a nice day mister Moon Unit.
I was promised a flying car. Where is my flying car?
The problem was that the hacker engineered an INSIDER (helpdesk) to help. That gets past any password quality, lockouts - the works. I saw some people mention that this would not happen with Google because you can use two-factor. Well, duh, if you get an insider to open the backdoor it becomes pretty irrelevant how shiny and well armoured the front door looks like.
Q for APple: why not ping an iMessage to all devices associated with the Apple ID and ask for some inside info before giving access? It would also have given the account owner an early heads up that something was happening..
Insert
Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...
For all the trouble and inconvenience (and it sounds like a lot) that this guy suffered, he lost no money or property from what I can tell. Some of his devices were disabled, but he should be able to restore them to working condition. His only losses were (1) Data that he did not back up (Who does that anymore?) and (2) Embarrassment. Neither of those is likely to be recognized by any court; he might be able to claim lost income, but I doubt it.
From TFA: " I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. " ...how do I get the same level of security?
--Matthew
At hostgator they email your password to you in plain text when you sign up, and when you click the recover password. Not quite as bad as webex, but close.
Banks allow you to take your money out, where you have the freedom to operate offline. Banks allow you to move money from one institution to another.
I say again, online tech companies should evolve toward banks. This includes Microsoft, Apple, and all the others, to include Blizzard, Steam, etc.
If you can't remember your log in information, or the answer to you security questions, why SHOULD they make any changes to the account or membership? If you remember your passwords and the information you would need in the FIRST place to even cancel it by the website, you would have been able to reset your security questions. Why in gods name do you think its a good idea to be able to call up, ask to cancel an account, and if you don't have the information to access it still get to cancel it??? Gee that would never get abused e_e I was actually one of the monkeys at xbox live that you would have gotten on the phone a couple years ago, if you wanted to cancel- so I can definitely say they do some shaaaaaddddddey fucking shit, no question about it (such as changing the refund period from 60 to 30 days, effectively making it so you could have potentially one day between being notified it would bill and being unable to refund, depending on your bill date). But what your describing should actually speak positively of their security.
If you can't remember your log in information, or the answer to you security questions, why SHOULD they make any changes to the account or membership?
Because I can prove that I am who I say I am.
Why in gods name do you think its a good idea to be able to call up, ask to cancel an account, and if you don't have the information to access it still get to cancel it???
I have the means to prove it's my Paypal account. Also, I have the means to prove it's connected to my Windows Live login, if only you didn't have to run Internet Explorer. I guess I could install Aieee via winetricks, but once I found out that I could just terminate the billing agreement via paypal I did that instead, and let them try to bill me for months.
But what your describing
My describing what?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The guy only found out that it was a social engineering attack after the hacker called him. He initially assumed it was a brute force attack.
And I say again, no they shouldn't. Banks are ridiculously insecure beasts. Not only that, but they charge for every tiny little thing. Sure you can take that money out, but it'll cost you. Put money in? That'll cost you. Call them up? That'll cost you. Customer service? Fuck that shit.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
...with cameras so pervasive, cant we use something like, uh, using your THUMB or RETINE as information too for logins? I am not much into it right now, but I suspect that we can add enough individuality easily to avoid user collisions and...
There is a solution: delegation rights. In some countries (not backward id holes like the US - sorry to rain on your parade), it is possible to set up delegated access precisely for this sort of scenario. A relative, a lawyer, or some other trusted thrid party is given delegate rights to help out in clearly defined situations.
Use role-based access rather than the poor tools we have