Slashdot Mirror
Apple Support Allowed Hackers Access To User's iCloud Account
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
But understand that it will cause massive unhappiness for the majority of cases where(for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grand-children's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.
There's no -1 for "I don't get it."
Had the user set up Two Factor authentication, his Google stuff probably would have been safe"
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack, relying on a single point of security, makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely
to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Sig Battery depleted. Reverting to safe mode.
That's a password with somewhere around ~20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.
If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.
This is really unrelated to any specific company. It *is* an excellent lesson in relying only on online backups.
Quick, now, without cut and paste could you please enter those again?
No.
Though not.
Fail.
Sig Battery depleted. Reverting to safe mode.
The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.
People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.
Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to greant access to the account.. because if they technically can, someone will social engineer one to do so...
Yesterday a hacker gained access to Mat Honans...
Let me introduce to you to Mr Apostrophe.
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
systemd is Roko's Basilisk.
Sure, just read that string over a the phone to a tech support operator in India some time, moron.
Sig Battery depleted. Reverting to safe mode.
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registraiton-information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
This is how SpiderOak does it. https://spideroak.com/faq/questions/13/what_if_i_forget_my_spideroak_password/
I prefer the solution at webex - I have a weblink, that opens to a page showing my current password in cleartext.... ...others should really implement this, seeing how userfriendly it is!
Sure, but getting the data wasn't a goal here. Infact, they appear to specifically wiped out the data. It's the accounts that are valuable, not what is in them.
It's also a lesson in not putting all your eggs in one basket.
That one _is_ apple specific. Tight integration has it's price. If someone gets into my email, I won't lose access to every damn piece of technology I own. I actually find it pretty damn impressive how much damage they managed to pull off.
Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay
First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh
City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&
I see you are Welsh.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
(an editor at Gizmodo)
And furthermore, Mat Honan works for Wired, not Gizmodo.
I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.
It never ceases to amaze me that my Diablo III loot is better protected than my salary.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Uhm... no? Gmail has no function in it to remotely wipe an android phone.