
iCLOUD fail - IT journo loses digital life.

Discussion in 'The Pub' started by robsalvv, Aug 6, 2012.

  1. http://www.theage.com.au/digital-li...ow-hacker-wiped-mats-life-20120806-23orv.html

    Apple cloud burst: how hacker wiped Mat's 'life'

    Date: August 6, 2012 - 10:17AM

    What would you do if your entire digital life started evaporating before your eyes and there was virtually nothing you could do about it?

    "I really worry about everything going to the cloud ... I think there are going to be a lot of horrible problems in the next five years." Apple co-founder Steve Wozniak

    This is the nightmare scenario that greeted US technology journalist Mat Honan, who had all of the contents of his iPhone, iPad and Macbook Air wiped, and lost control of his Gmail and Twitter accounts, all in the span of just over 15 minutes.

    And the scariest part is that he had a strong, seven-digit alphanumeric password. Apple has confirmed to Honan that its own tech support staff provided the hacker entry into his online world via a bit of clever social engineering.

    Several others have reported similar stories of Apple handing access to their accounts over to hackers. Security experts say it is "very concerning" that Apple's staff could be so easily tricked, while even Apple co-founder Steve Wozniak believes the move to cloud computing will create "horrendous" problems in the next five years.

    It all snowballed after the hacker gained access to Honan's account on iCloud, an Apple service that allows users to keep all of their files backed up in the online "cloud", to trace stolen Apple devices and even to wipe them remotely if they fall into the wrong hands.


    Mat Honan's online passwords were reset by someone who had gained access to his iCloud account.

    Once the hacker gained access to Honan's iCloud account, he or she was able to reset his password, before sending the confirmation email to the trash. Since Honan's Gmail is linked to his .mac email address, the hacker was also able to reset his Gmail password by sending a password recovery email to his .mac address.

    Minutes later, the hacker used iCloud to wipe Honan's iPhone, iPad and Macbook Air remotely. Since the hacker had access to his email accounts, it was effortless to access Honan's other online accounts such as Twitter.

    In a blog post published at the weekend, Honan said he was playing with his daughter when his phone suddenly went dead and rebooted to the set-up screen.

    "This was irritating, but I wasn't concerned. I assumed it was a software glitch. And, my phone automatically backs up every night. I just assumed it would be a pain in the ass, and nothing more," Honan wrote.

    "I entered my iCloud login to restore, and it wasn't accepted. Again, I was irritated, but not alarmed."

    He then fired up his Macbook to try to restore his data from a back-up, but an iCal message popped up saying his Gmail account information was wrong, and then the screen went blank, asking for a four-digit pin.

    "By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn't turn on my computer, my iPad, or iPhone," Honan wrote.

    The hacker eventually deleted Honan's Google account and he was unable to restore it as this required Google sending a text message to his phone, which was now offline.

    Honan was previously a writer for gadget blog Gizmodo and still had Gizmodo's Twitter linked to his account. The hacker started tweeting from the Gizmodo account and from Honan's personal account with racist and other offensive remarks.

    Apple's tech support could do virtually nothing to help and told Honan that the data on his iOS devices would most likely be gone for good without "serious forensics".

    "I've lost more than a year's worth of photos, emails, documents, and more. And, really, who knows what else. It's been a shitty night," Honan concluded.

    Honan eventually got his iPhone back online but because he uses Google Voice, and his account was deleted along with his Google account, he couldn't send or receive text messages or make calls. All he could do was wait to see if Google would decide to reinstate his account.

    He wrote on Twitter that, even though he used a password management tool called 1Password, this provided no protection as the hacker broke into his account without knowing his passwords.

    Honan's blog post went viral on the net, and it wasn't long before staff at Apple, Google and Twitter were on to it. Clearly, being a technology journalist for one of the major tech sites helped him as his Google and Twitter accounts were restored on the weekend. Honan also sent an email to Apple chief executive Tim Cook and, within 10 minutes, received a call from Apple Care.

    The hacker also contacted Honan to let him know that they accessed his account "via Apple tech support and some clever social engineering that let them bypass security questions".

    Apple has today confirmed to Honan that it was tricked by the hacker and has since assured him that now only one person at Apple can make changes to his account. The company is still trying to restore the data on his MacBook.

    Honan is not the only one whose online life has been upended by a hacker who used social engineering tricks on Apple. Chance Graham, a "designer at Apple" according to his Twitter page, tweeted: "Exact same thing happened to me - iCloud was social engineered via support. All accounts compromised. Hacker contacts me. Same m/o?"

    The website MyBB.com was recently hacked and in a blog post the site's owners revealed the attackers attempted unsuccessfully to use the same social engineering method to try to access their accounts.

    Chris Gatford, of security consultancy HackLabs, said social engineering was always the easiest method to gain unauthorised access and organisations could only defend themselves by having it performed and seeing how employees react.

    "This I assume has not happened at Apple specifically the people at Apple Tech support anyhow," said Gatford.

    "This is a very concerning situation and I hope Apple look into this and investigate ASAP."

    Apple co-founder Steve Wozniak predicted at the weekend that there would be "horrible problems" in the coming years as cloud-based computing takes hold.

    "I really worry about everything going to the cloud. I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years," he said.

    "With the cloud, you don't own anything. You already signed it away ... a lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything on to the web, on to the cloud, the less we're going to have control over it."

    Ty Miller, CTO at Pure Hacking, said email accounts were considered a "trusted primary contact point" and once your email account is compromised the attacker can easily reset passwords for almost all your other online services. The impact you feel is going to be dependent upon the attacker's intent, he said.

    "This can range from destroying your data and a public shaming of the victim for being hacked, through to causing financial losses by causing large Skype bills, or performing complete identity theft where the attacker can take control of your bank accounts and finances," he said.

    "To reduce the risk of your online identity becoming compromised, individuals should set very complex answers to password reset security questions, utilise two-factor authentication where possible for online services, and make sure that different passwords are used across all online accounts."

    Honan and Apple did not respond to requests for comment.

    = = = = = = = = = = = = = = = = =

    Anyone concerned about the iCloud? The concept has always made me uncomfortable.

    So who uses a different password for each different account???

  2. I generally use a different password for each, but that's still farken scary as!
    Next generation will use these things more and more with the probability of things going tits up!
    To remember my passwords I use the name of the company/site then some numbers that stay the same. Otherwise, I'd be screwed!
  3. As a tech-savvy person just remarked on a teacher blog I'm on, "I have my own personal cloud account; it's called my brain"

    I can't for the life of me understand why people would commit their data, no matter how trivial, to someone they don't even know. ALL my data is stored locally, backed up locally and my personal responsibility....
  4. Well that's not sexy enough anymore...

    Various government departments are sending their HR functions to the cloud...

    ---> http://www.governmentnews.com.au/2012/07/24/article/SAP-clouds-up-NSW-agencies/FJRKPHALDE.html

    Managers love the Cloud or outsourcing as we used to call it...
  5. Amen to that. I just went back to an old Symbian phone from a smart phone because I've decided I only want my phone for calls and texts.
  6. I couldn't agree more Hornet. Why embrace a technology that by its very nature is fraught with danger, then be alarmed when it lets you down. Weird I say, but then I'm an old geezer trapped in a time warp where we hold ourselves responsible for our actions.
  7. Same here I do not subscribe to cloud technology
  8. Fundamental problem of one account to multiple services. Don't use Apple but similar things could happen in the Google ecosphere I guess, although not sure how far Google has progressed down the "user initiates wipe of data on all devices/accounts" path.

    For websites I use a password hasher so I can use a single master password to login to different sites that use "random" text strings as passwords based on the site/master password combo.

    But this was social engineering anyway - so the hacker used known info about the journalist (name/DOB/???) to fool the Apple employee into resetting account access.
  9. I resisted going to iOS 5 on my iPhone because of the cloud - I thought it was mandatory. Screw that.

    What's a PW hasher, Anto? Does it automate logins somehow?

    I have common themes in my passwords, so it sometimes takes a few log in attempts to find the right one. I was thinking of strengthening it further with some site related randomness. Interesting about the social engineering - that wouldn't work against me. None of my security questions are related to DOB, Place of birth, birthplace, mother's maiden name etc etc. ...so that makes me feel a bit better.

    What doesn't make me feel better though is that the utility companies ask you to confirm very basic information to prove you are you... that's nuts! The one that really disappoints is when they ask for info that's already on the bill... like, WTF? What if I just pilfered the bill from someone's letter box?
  10. I always wondered why they need to identify me when they called.

    If I'm feeling mean I get them to identify themselves...

    Normally makes them go away.
  11. I can use my mad hacker skills to make a phone call.
  12. There are a few types, available as Firefox or Chrome extensions. So when I create my password for netrider, the site defaults to Netrider, I enter my simple master password eg "bike" and using an algorithm it hashes the password to "qFN1baf-". You can set up rules including number of characters, exclude/include special characters etc.

    So for my Facebook account I can use the same master password but the hashed password is different. So "bike" becomes "8$JGWyZw". But I still only need to remember the one master password.

    Limitations - I need to have the extension installed on the machine I'm using, although you can put it on a USB stick. Wouldn't defend against the scenario the journalist experienced on interlinked services using the one password.

    Just go to your Firefox/Chrome extensions page and search for "hasher".
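A worked example of the per-site password derivation Anto describes above, added here as an illustration; it is not the code of any hasher extension and was not posted in the thread. It assumes PBKDF2-HMAC-SHA256 with the normalised site name as the salt (a real extension may use a different function and encoding, so its output for "bike" will not match the "qFN1baf-" quoted in the post) and a hypothetical rule set of lowercase, uppercase, digit and optional special characters:

```python
import hashlib
import string

# Character classes used to satisfy the "rules" a hasher lets you set
# (assumed classes; an extension may define its own).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!$%&*+-=?@_"


def derive_password(master, site, length=12, use_special=True, rounds=100_000):
    """Deterministically derive a site-specific password from a master password.

    Same master + same site -> same password, so nothing needs to be stored;
    a different site (or a different master) gives an unrelated password.
    """
    # Normalise the site tag so "Netrider" and " netrider " derive the same password.
    site_tag = site.strip().lower()
    required = [LOWER, UPPER, DIGITS] + ([SPECIAL] if use_special else [])
    if length < len(required):
        raise ValueError("length too short to satisfy the character-class rules")
    alphabet = "".join(required)

    # Derive `length` bytes for the password body plus two bytes per required
    # class: one chooses a position, one chooses the character, so the rules
    # are enforced without losing determinism.
    dklen = length + 2 * len(required)
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), site_tag.encode("utf-8"), rounds, dklen=dklen
    )

    # Map each body byte onto the alphabet (modulo bias is acceptable for a demo).
    chars = [alphabet[b % len(alphabet)] for b in key[:length]]

    # Guarantee at least one character from each required class, each at a
    # distinct position so one guarantee does not overwrite another.
    extra = key[length:]
    used_positions = set()
    for i, cls in enumerate(required):
        pos_byte, chr_byte = extra[2 * i], extra[2 * i + 1]
        free = [p for p in range(length) if p not in used_positions]
        pos = free[pos_byte % len(free)]
        used_positions.add(pos)
        chars[pos] = cls[chr_byte % len(cls)]
    return "".join(chars)


def satisfies_rules(password, use_special=True):
    """Check that a password contains at least one character from every required class."""
    classes = [LOWER, UPPER, DIGITS] + ([SPECIAL] if use_special else [])
    return all(any(c in cls for c in password) for cls in classes)


if __name__ == "__main__":
    # Constructed demo: one master password, two different sites.
    for site in ("Netrider", "facebook"):
        pw = derive_password("bike", site)
        print(f"{site:>10}: {pw}  rules ok: {satisfies_rules(pw)}")
```

Each site gets a distinct password and the user only remembers the master, which is the benefit Anto describes. The limitation he notes still holds: the derived password never leaves the site it belongs to, but an attacker who gets the provider to reset the account through support, as happened to Honan, never needs the password at all.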
  13. I always do this when it's for me personally. If I don't get their name and employee number I ask them for a number to call back. If it's legit you get this info, if not, then unless they give me a reason for the call, I don't even call back.

    At work if it doesn't come through my direct line, and I can't see who is calling then they get nothing. Fortunately we have a relationship manager with the bank and Amex so if they claim to be from either of these I tell them I will call back.

    As far as passwords go, I have about a dozen words and the same of at least 2 digit numbers that I use in different combinations. That way I only need to record one letter and one of those numbers against a user login and that's it. I then have a code for a non alpha/numeric symbol that I put in as well as for the upper/lower case sequence used. For NAB connect I have one of those units where the bank sends the password to me for approving transactions online. If I don't have the unit with me, it can't get approved.

    Think I'm as safe as anyone can be.