Apple Support Allowed Hackers Access To User's iCloud Account
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
.... macs sure are shiny!
But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.
There's no -1 for "I don't get it."
The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim. But the best part? The INSANE posts to the original article: Death threats from "Navy Seals", tons of homophobic comments and hatred for days. Oddly, very few were able to respond directly to the original post since the comments were so ridiculously incendiary. Sadly the adage still applies: Think before you post or you are toast!
Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...
I'm not a complete idiot... Some parts are missing.
A neighbor had a similar problem several years ago - but that was with her bank account. Someone convinced the online support person to help her and as a result she lost the contents of her checking and savings accounts. No, the bank did not refund the money.
All this shows is that if a hacker knows enough about you to convince someone else that they are you, you can lose a great deal. This guy should count himself lucky.
It's a very fine line between providing good customer support and helping them, and being hard-nosed and losing a customer. When I was pick-pocketed in Paris it was a major issue getting a new American Express card to pay my hotel bill - the AMEX agent apologized for the incredible amount of fact checking that was needed, but they did provide superb help when I did manage to pass their validation checks.
Had the user set up two-factor authentication, his Google stuff probably would have been safe.
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack, relying on a single point of security, makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Sig Battery depleted. Reverting to safe mode.
Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay
First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh
City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&
That's a password with somewhere around ~20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.
If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.
Well you gave Apple permission to do all that stuff, and then they turned out to be untrustworthy, which shouldn't have been a surprise. You work for Gizmodo, surely you should have known about all the ways in which Apple has been incompetent and/or stupid in the past regarding security.
Nope, no sympathy here.
Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.
I did RTFA. Everything we're currently aware of comes from this guy's point of view. I'm not saying it's incorrect - but it's usually smart to wait for corroboration before drawing conclusions on anything.
#DeleteChrome
You cannot stop a successful social engineering attack. Technology cannot solve a problem like this. Only a change in policy can.
The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.
People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.
Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to grant access to the account.. because if they technically can, someone will social engineer one to do so...
Or the agent reads the answer as 'Sweetmorn, Chaos 1, 3136 YOLD' and says:
Sorry sir, this is the wrong answer. Please hold while we trace this call.
Don't fight for your country, if your country does not fight for you.
Yesterday a hacker gained access to Mat Honans...
Let me introduce to you to Mr Apostrophe.
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
systemd is Roko's Basilisk.
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registration information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is how SpiderOak does it. https://spideroak.com/faq/questions/13/what_if_i_forget_my_spideroak_password/
Take that gizmodo!
I think a slightly better option would be "If my password is reset then wipe all data from my accounts and lock it out for a further few days before reactivating it".
I prefer the solution at webex - I have a weblink, that opens to a page showing my current password in cleartext.... ...others should really implement this, seeing how user-friendly it is!
the sheer destructive/malicious -ness of this attack makes it sound very personal (either something against the user or Gizmodo - the compromise gave access to Gizmodo's Twitter feed).
you can't execute a social engineering attack without knowing something about the user.... some random attacker might have been able to get enough info from his past blog posts to launch the attack, but this smells more personal. Apple uses out of wallet info for their security questions - the whole point of OOO is asking questions that ONLY the user (or someone close to them) would know.
I got asked OOO by my bank.. some of the questions
1) who is related to you (list of 4 names - none match)
2) what city have you visited before (list of 4 cities - one match)
You don't have this kind of info unless you know me.
And no backups because the "Cloud" is the backup, right? HAHAHAHA. This is beyond stupid. Seriously.
If the best Apple can come up with against device theft is the ability to remotely wipe them, then their customer base deserves everything they get. Personal responsibility needs to be burned into those morons with pain. Lots of pain. Maybe then they'll pay attention to what the fuck they are doing.
No pity for this fool.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
You *can* more or less do that: just encipher everything you store on other people's systems before you upload it. They don't need the keys. My friends and I use Dropbox a fair amount, to trade files asynchronously, but we run all our files thru openssl first and the certificates have never been anywhere near Dropbox.
Unless someone can break AES or gets the certs and the passwords protecting them via rubber-hose cryptanalysis it's safe and nobody will enable *recovery*.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I apologize for going on a sidetrack here, but this has been bugging me for a while:
On occasion the xkcd "correct horse battery staple" comic comes up, and when people compare the password strength to other methods, they calculate the strength of the random words password based on (number of words in dictionary used)^(number of words in password).
This makes no sense to me. When an attacker is trying to brute force your password, he has no idea how you created your password, so calculating a random-word password strength like that would imply the attacker knows you used that method (i.e. he is guessing nothing but multi-word passwords) and knows the dictionary you used. If I made my own dictionary of 20 words, it would be absurd to calculate my password strength based on the dictionary size, as the attacker does not have that information (other than if he was cracking all my accounts and figured out my dictionary).
I realize an attacker might start with common passwords, then go on to a multiple-word attack, then maybe other common methods, but he has no idea how long my password is and at some point he has to decide when to stop the targeted approach and try random strings.
I could (potentially) defeat his targeted approach in a number of ways:
-Use a word not in his dictionary
-Add extra characters in a way he wouldn't guess
-Use more words/characters than he is willing to try before switching to a random string approach
Heck, using the word "cat" 100 times would have little entropy, but so long as it's too long of an "easy" password for the attacker to explicitly guess, it's a strong password (and before you say he might try "cat" 100 times, consider he has to do that with all dictionary words, then try them all many times more if I add even a single random character in there, all time he's wasting on really obscure passwords).
Am I missing something here, or is password strength being calculated based on unrealistic assumptions? At the very least, password strength should be based on an attacker starting with low-entropy passwords and working his way up, instead of assuming the attacker knows your password generation method (alpha case-insensitive, alphanumeric with symbols, multiple words, etc.).
My webcomic
Sure, but getting the data wasn't a goal here. In fact, they appear to have specifically wiped out the data. It's the accounts that are valuable, not what is in them.
2 factor authentication solves nothing if you have a good social engineer: http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering
CNET just reports it. Every one of their sentences about the info says "according to..." or "journalist blames".
Careful, multiple stories written by reading one report is not any kind of confirmation, it's just repetition.
http://lkml.org/lkml/2005/8/20/95
XBox live was getting hit by this a couple of years ago too
You know how Xbox Live "solved" the problem? You have security questions. And if you can't remember them, and paid with paypal, they tell you they "can't" terminate your membership, and will therefore steal your money. Well, they don't admit that it's stealing, of course. They will let you sign up for Xbox Live with just your Xbox, but you can't terminate it from there, and you have to use Internet Explorer to access their site. Then they will keep trying to charge your paypal account for months (sending you email about how your Xbox Live account may be suspended soon every so often) before they will finally cancel your membership.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Hell, device backup is even built into iTunes.
Yep, it backs up to the computer your iPhone or iPad was set up on. Which in this case meant his Macbook Pro. Which was remotely wiped by the attacker at the same time as his iPhone and iPad. Whoops!
Not to worry, though, Apple now offers cloud-based backups of your iDevices to your iCloud account. Oh wait, the entire reason that the attacker could wipe this guy's data was because he'd gained access to the iCloud account they were linked to, so he could just delete those backups at the same time as well. Double-whoops!
What is your age and date of birth?
*Reads directly from target's Facebook*
Thank you sir. Please hold one moment...
We've verified your account what can I do for you today? Change shipping address? Change password? Change email? Purchase 30,000 worth of fetish gear?
No problem Mr Shimomura.
WHAT... is the airspeed velocity of an unladen sparrow?
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Where was his MacBook backed up? Oh, it wasn't? Tough shit. If he had it backed up with a Time Machine backup (whether to a Time Capsule, an external hard drive, a stack of floppies, or whatever), you merely restore the laptop from that backup, and then restore the iOS devices from the Mac.
idk, but to me this seems like another case of a "news outlet" (to use the phrase loosely) creating news... like that one site did a while back with antennagate.
The Admin and the Engineer
Well, until Apple iCloud-enables Time Capsule too...
I have an email in to Tim Cook and Apple PR, and want to give them a chance to respond (and make changes)
If you read his original account, it's littered with this kind of thing:
.... and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
It really must be nice to have these kind of contacts when this kind of situation occurs.
Funny, but that's why I mentioned a Time Machine backup, a method that can use several different backup destinations.
Thought about the problem in the context of my MacBook. The (conflicting) goals would be: 1. I want to be able to wipe my MacBook remotely when it is stolen. 2. I want to be able to do this even when I forgot or lost important information to identify myself. 3. I don't want a hacker to remotely destroy the information on my Mac.
Obviously the first step is to have a backup. If you don't have a backup, you are f***ed. If you have a backup, worst case you buy a new MacBook, install the backup, and you're done. The problem is that Apple (or whoever controls remote wiping) cannot possibly distinguish between cases (2) and (3). So you have the choice of allowing thieves to empty your bank accounts even though Apple could have destroyed the info, or allowing hackers to remotely wipe your computer.
With encrypted hard drives, there would be a way around this (kind of). Apple's volume encryption uses a primary key that is stored on your hard drive in encrypted form, and a secondary key that is used to decrypt the primary key. You are given the secondary key when the hard drive is encrypted, and you can write it down and put it into your safe. And then you have the password that you enter, which is used to decrypt the secondary key. Remote wiping is easy: Just wipe the encrypted primary key, and there is no way to reconstruct it. Now the alternative: When you convince Apple to remotely wipe the computer, they could generate a key and store it at Apple, then encrypt the encrypted primary key again with that key. The hard drive cannot be read. To access it, you'd have to go to an Apple Store in person with proper ID, and then they can remove the second encryption. Inconvenient obviously, but not as bad as permanently wiped.
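The key hierarchy described in the comment above (primary volume key wrapped by a recovery key, recovery key wrapped by a password-derived key, remote wipe as destruction of the wrapped primary key, and the reversible alternative of adding an escrow layer) can be modelled in a few dozen lines. The following is an added example written for this thread; it is not Apple's FileVault code, and its `wrap`/`unwrap` pair is a labelled stand-in (SHA-256 counter keystream plus an HMAC tag) for a real authenticated key-wrap such as AES key wrap. The password, key sizes and escrow-key handling are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# ASSUMPTION: wrap/unwrap stand in for a real authenticated key-wrap (AES-KW, AES-GCM).
# The tag matters: a wrong key must be detected, not silently yield garbage.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key, or the wrapped key has been wiped or re-wrapped")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encryption key; PBKDF2 is the stdlib option."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EncryptedVolume:
    """What sits on disk: only wrapped keys, never a plaintext key."""

    def __init__(self, salt, wrapped_volume_key, wrapped_recovery_key):
        self.salt = salt
        self.wrapped_volume_key = wrapped_volume_key      # primary key, under the recovery key
        self.wrapped_recovery_key = wrapped_recovery_key  # recovery key, under the password KEK

    def unlock(self, password: str) -> bytes:
        recovery_key = unwrap(derive_kek(password, self.salt), self.wrapped_recovery_key)
        return unwrap(recovery_key, self.wrapped_volume_key)

    def unlock_with_recovery_key(self, recovery_key: bytes) -> bytes:
        """The written-down key in the safe bypasses the password layer only."""
        return unwrap(recovery_key, self.wrapped_volume_key)

    def hard_wipe(self) -> None:
        """Irreversible remote wipe: destroy the wrapped primary key."""
        self.wrapped_volume_key = bytes(len(self.wrapped_volume_key))

    def soft_wipe(self, escrow_key: bytes) -> None:
        """Reversible 'wipe': add a second wrap under a key only the service holds."""
        self.wrapped_volume_key = wrap(escrow_key, self.wrapped_volume_key)

    def restore(self, escrow_key: bytes) -> None:
        """Done in person with ID: peel the escrow layer off again."""
        self.wrapped_volume_key = unwrap(escrow_key, self.wrapped_volume_key)


def create_volume(password: str):
    """Set up a volume; returns the on-disk structure and the keys handed to the user once."""
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    vol = EncryptedVolume(salt, wrap(recovery_key, volume_key),
                          wrap(derive_kek(password, salt), recovery_key))
    return vol, volume_key, recovery_key


def new_escrow_key() -> bytes:
    """Generated by the service at soft-wipe time and kept off the device."""
    return secrets.token_bytes(32)


def unlock_succeeds(vol: EncryptedVolume, password: str) -> bool:
    try:
        vol.unlock(password)
        return True
    except ValueError:
        return False
```

The point the model makes concrete: a hard wipe and a soft wipe look identical to whoever holds the stolen laptop (neither the password nor the recovery key unlocks anything), but only the soft wipe leaves a path back, and that path requires a key the phone-support agent never has.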
A dictionary attack could probably crack that pretty easily
I think you get something like five shots at the iCloud password before it's locked out. Dictionary attacks are overrated - I can't think off the top of my head of a single online service that will just let you hammer away with thousands of unsuccessful password attempts.
Agreed, recovery and escrow present an equal if not larger hole through the backdoor of any online data vault than through your login account.
Apple, Google, Microsoft, RIM, Amazon, Dropbox and other tech companies that operate extensive online services which store user data and provide device synchronization must evolve toward _banks_ and incorporate business practices from Brinks and the Pinkertons to maintain customer trust.
Operating an online data storage service is akin to operating a vault, but many service providers today aren't thinking in terms of armed robbery and state-or-corporate sponsored, very sophisticated attacks. One hacker social engineers his way into a journalist's iCloud account? Much more is certainly possible. Tie online storage that syncs to your physical devices, and you have a distributed safe deposit box, where its multiple access methods arguably make it weaker, not stronger.
Consider: if it's easy for you to access from anywhere, it's easy for you to lose from anywhere. If it's important, you should keep a copy _offline_.
(an editor at Gizmodo)
And furthermore, Mat Honan works for Wired, not Gizmodo.
I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.
It never ceases to amaze me that my Diablo III loot is better protected than my salary.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Totally.
I can't even find a bank that will offer me two factor authentication here in Atlantic Canada. RBC will do it for _corporate_ customers.. which is even more maddening because it means they have the infrastructure in place, they just won't let us peons down here use it..
Paypal offers better security than my bank. If I'd said that not too long ago people would look at me funny.. kinda sad!
You will never calculate an exact figure for "how long will an attacker take to crack my password" because you will never know the attacker's strategy. The attacker will presumably start with passwords they think are more likely and move to ones they think are less likely but you don't know what things they will or won't consider likely.
So there are two ways to try and defend a password. You can try and come up with a clever scheme and hope it's not on the attacker's list of things to try. The trouble is in reality many people end up with one of a few common schemes. So the scheme you thought was really clever may be somewhere pretty early in the list of things for the attacker to try.
Or you can assume the attacker has your scheme on his list of things to try and make sure you include enough entropy in the password so that even if the attacker does know your scheme they still can't guess your password.
note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
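The "16 bits means about 60000 guesses, fine offline but not through a throttled login" comment earlier in the thread, the xkcd "correct horse battery staple" question, and the reply just above (assume the attacker knows your scheme) are all the same calculation seen from different sides. The following added example, which is not from any of the posters, puts the three estimates side by side: the naive character-set figure, the scheme-known figure, and the figure for "one dictionary word repeated n times" once that scheme is on the attacker's list. The 2048-word dictionary, the 0.2 guesses/second online rate (one attempt per five seconds) and the 10^10 guesses/second offline rate are assumptions chosen for the demonstration.

```python
import math

# Character classes a brute-force attacker would assume; 33 is the count of
# printable ASCII punctuation characters.
CHAR_CLASSES = {
    "lower": (26, str.islower),
    "upper": (26, str.isupper),
    "digit": (10, str.isdigit),
    "symbol": (33, lambda c: not c.isalnum() and not c.isspace()),
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover when guessing character by character."""
    return sum(count for count, test in CHAR_CLASSES.values()
               if any(test(c) for c in password))


def brute_force_bits(password: str) -> float:
    """Naive strength: every character is an independent draw from the observed
    character set, i.e. the attacker is assumed to know nothing about the scheme."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Scheme-known strength (the xkcd calculation): the attacker knows the
    words come from a dictionary of this size, so the space is size ** words."""
    return word_count * math.log2(dictionary_size)


def repeated_word_bits(dictionary_size: int, max_repeats: int) -> float:
    """Once 'a dictionary word repeated up to n times' is on the attacker's list,
    the space is dictionary_size * max_repeats, however long the string is."""
    return math.log2(dictionary_size * max_repeats)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2 ** bits / 2) / guesses_per_second


def strength_report(words, dictionary_size, online_rate, offline_rate):
    """Compare the naive and scheme-known estimates for a word-based passphrase
    and report crack times for the conservative (lower) one, as the reply
    above recommends assuming."""
    naive = brute_force_bits("".join(words))
    known = passphrase_bits(len(words), dictionary_size)
    conservative = min(naive, known)
    return {
        "naive_bits": naive,
        "scheme_known_bits": known,
        "conservative_bits": conservative,
        "online_seconds": expected_crack_seconds(conservative, online_rate),
        "offline_seconds": expected_crack_seconds(conservative, offline_rate),
    }


if __name__ == "__main__":
    # ASSUMPTION: 2048-word list, 0.2 online guesses/s (one per 5 s), 1e10 offline guesses/s.
    report = strength_report(["correct", "horse", "battery", "staple"], 2048, 0.2, 1e10)
    for k, v in report.items():
        print(f"{k:>18}: {v:,.1f}")
    print(f"'cat' x 100, repeat scheme known: {repeated_word_bits(2048, 100):.1f} bits")
```

With those assumptions the passphrase scores about 117 bits naively but 44 bits scheme-known; at 44 bits the offline crack takes minutes while the throttled online path takes on the order of a million years, which is the earlier poster's point about which attack model actually matters. The repeated-word line shows what happens to the "cat × 100" idea once repetition joins the attacker's list of schemes: under 18 bits.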
Unfortunately PayPal won't even allow us here down under to use 2-factor authentication. We have to use the "pray it isn't hacked" security our banks use.
http://www.lurkmore.com/wiki/Apple
There are ways around that -- for instance, by rate-limiting logins from each IP to (say) 1 per 5 seconds, allowing (perhaps) the first ten with only a 500ms delay to deal with NAT shenanigans, and locking an IP out for a significant amount of time after (say) twenty failed logins. An attacker could bypass this with a botnet, of course -- but you'd need an awfully big botnet. Against all but the largest websites this would quickly cause a noticeable spike in "overall failed login rate", which should trigger a more aggressive rate limit (say, each IP gets banned for an hour after three failed login attempts), which is a reasonable thing to do while under heavy attack. This still doesn't cause a DoS condition for any user that remembers his password, or who needs a couple of attempts to get it right.
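The throttling policy sketched in this comment (first ten attempts from an address need only a short gap, one attempt per five seconds after that, a lockout after twenty failures, and a site-wide "under attack" mode that tightens the lockout to three failures when the overall failed-login rate spikes) is easy to get subtly wrong, so here it is as an added example that is not the poster's code. The concrete thresholds (a one-hour lockout, a 60-second window, 50 failures as the spike threshold) and the addresses used in the scenarios are assumptions constructed for the demonstration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class IpState:
    attempts: int = 0            # attempts this address has been allowed to make
    failures: int = 0            # consecutive failures, reset on success or lockout
    last_attempt: float = -1e9   # time of the last allowed attempt
    banned_until: float = 0.0    # lockout expiry time


class LoginThrottle:
    """Per-IP login throttle with a site-wide escalation when failures spike."""

    def __init__(self, fast_attempts=10, fast_delay=0.5, slow_delay=5.0,
                 lockout_failures=20, lockout_seconds=3600.0,
                 window_seconds=60.0, spike_failures=50, aggressive_failures=3):
        self.fast_attempts = fast_attempts          # first N attempts only need fast_delay apart
        self.fast_delay = fast_delay
        self.slow_delay = slow_delay                # afterwards one attempt per slow_delay seconds
        self.lockout_failures = lockout_failures    # normal lockout threshold
        self.lockout_seconds = lockout_seconds      # ASSUMPTION: "significant amount of time" = 1 h
        self.window_seconds = window_seconds        # sliding window for the global failure count
        self.spike_failures = spike_failures        # failures in the window that mean "under attack"
        self.aggressive_failures = aggressive_failures  # lockout threshold while under attack
        self.ips = {}                               # ip -> IpState
        self.recent_failures = deque()              # timestamps of failed logins, all addresses

    def under_attack(self, now: float) -> bool:
        while self.recent_failures and now - self.recent_failures[0] > self.window_seconds:
            self.recent_failures.popleft()
        return len(self.recent_failures) >= self.spike_failures

    def attempt(self, ip: str, now: float, credentials_valid: bool) -> str:
        """Returns one of: banned, too_fast, success, failed, locked."""
        st = self.ips.setdefault(ip, IpState())
        if now < st.banned_until:
            return "banned"
        min_gap = self.fast_delay if st.attempts < self.fast_attempts else self.slow_delay
        if now - st.last_attempt < min_gap:
            return "too_fast"           # rejected before the password is even checked
        st.attempts += 1
        st.last_attempt = now
        if credentials_valid:
            st.failures = 0
            return "success"
        st.failures += 1
        self.recent_failures.append(now)
        limit = self.aggressive_failures if self.under_attack(now) else self.lockout_failures
        if st.failures >= limit:
            st.banned_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "failed"


def simulate_single_ip_brute_force() -> list:
    """One constructed address guessing wrong passwords every 0.6 s, then every 6 s."""
    th = LoginThrottle()
    ip = "198.51.100.7"
    outcomes = [th.attempt(ip, i * 0.6, False) for i in range(10)]
    outcomes.append(th.attempt(ip, 6.6, False))          # too soon once the slow limit applies
    outcomes += [th.attempt(ip, 12.0 + i * 6.0, False) for i in range(10)]
    outcomes.append(th.attempt(ip, 70.0, False))         # inside the lockout
    return outcomes


def simulate_distributed_attack() -> list:
    """Fifty constructed addresses each fail once in the same minute; the global
    rate spikes and the next offender is locked out after three failures."""
    th = LoginThrottle()
    for n in range(50):
        th.attempt(f"192.0.2.{n}", 100.0, False)
    return [th.attempt("203.0.113.9", 100.5 + i * 0.6, False) for i in range(3)]


def simulate_legitimate_user() -> list:
    """A user who mistypes once and then gets it right is never inconvenienced."""
    th = LoginThrottle()
    return [th.attempt("203.0.113.5", 0.0, False), th.attempt("203.0.113.5", 2.0, True)]
```

The design choice worth noting is that a rejected-as-too-fast attempt does not update `last_attempt`: if it did, an attacker could hold the gap open forever and turn the throttle into a denial of service against the real user sharing that address.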
Your answer can not contain any characters that aren't in the [A-Z][a-z] range and can not be more than 12 characters. Also, they do not exist on our list of pre-approved names and Cities. If you were born in Mooselookmeguntic (ME), or Chickasawhatchee (GA) you will not be able to use our service. Have a nice day mister Moon Unit.
I was promised a flying car. Where is my flying car?
The problem was that the hacker engineered an INSIDER (helpdesk) to help. That gets past any password quality, lockouts - the works. I saw some people mention that this would not happen with Google because you can use two-factor. Well, duh, if you get an insider to open the backdoor it becomes pretty irrelevant how shiny and well armoured the front door looks.
Q for Apple: why not ping an iMessage to all devices associated with the Apple ID and ask for some inside info before giving access? It would also have given the account owner an early heads up that something was happening..
Insert
From TFA: " I did, however, get an urgent call from AppleCare ten minutes after emailing Mr. Cook, informing me that my situation had been escalated and there is now only one person at Apple who can make changes to my account. " ...how do I get the same level of security?
--Matthew
At hostgator they email your password to you in plain text when you sign up, and when you click the recover password. Not quite as bad as webex, but close.
Banks allow you to take your money out, where you have the freedom to operate offline. Banks allow you to move money from one institution to another.
I say again, online tech companies should evolve toward banks. This includes Microsoft, Apple, and all the others, to include Blizzard, Steam, etc.
According to the guy from Gizmodo...
What's that saying about an ionic solid made up of sodium and chlorine atoms and grabbing a small amount of it between your fingers?
We should really wait for some actual confirmation, rather than the word of Gizmodo.
If you can't remember your log in information, or the answer to your security questions, why SHOULD they make any changes to the account or membership?
Because I can prove that I am who I say I am.
Why in God's name do you think it's a good idea to be able to call up, ask to cancel an account, and if you don't have the information to access it still get to cancel it???
I have the means to prove it's my Paypal account. Also, I have the means to prove it's connected to my Windows Live login, if only you didn't have to run Internet Explorer. I guess I could install Aieee via winetricks, but once I found out that I could just terminate the billing agreement via paypal I did that instead, and let them try to bill me for months.
But what you're describing
My describing what?
The guy only found out that it was a social engineering attack after the hacker called him. He initially assumed it was a brute force attack.
And I say again, no they shouldn't. Banks are ridiculously insecure beasts. Not only that, but they charge for every tiny little thing. Sure you can take that money out, but it'll cost you. Put money in? That'll cost you. Call them up? That'll cost you. Customer service? Fuck that shit.
Interestingly, it apparently wouldn't have helped him with his iPhone or iPad. Apparently - and I didn't know this before - if you back up your iDevices to iCloud, Apple don't let you make local backups of them as well, presumably because they don't think you'll need them. After all, your data is all nice and safe in the cloud! Wonder when they'll "upgrade" Mac OS X with this feature.
Never heard of this. Have a citation?
(And if it proves true, I may have to join the bitching about it.)