Motherboard Forums


Reply
Thread Tools Display Modes

iCloud Hacked Article

 
 
Fred Moore
Guest
Posts: n/a
 
      08-06-2012, 09:46 PM
Thought folks here would be interested in this article I saw on
Macintouch:

Yes, I was hacked. Hard.
<http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

At 4:50 PM, someone got into my iCloud account, reset the password and
sent the confirmation message about the reset to the trash. My password
was a 7 digit alphanumeric that I didnt use elsewhere. When I set it
up, years and years ago, that seemed pretty secure at the time. But its
not. Especially given that I've been using it for, well, years and
years. My [guess is they used brute force to get the password]<-[this
bit negated in the original] (see update) and then reset it to do the
damage to my devices.

The backup email address on my Gmail account is that same .mac email
address. At 4:52 PM, they sent a Gmail password recovery email to the
..mac account. Two minutes later, an email arrived notifying me that my
Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter.
[...]
Update Three: I know how it was done now. Confirmed with both the hacker
and Apple. It wasnt password related. They got in via Apple tech
support and some clever social engineering that let them bypass security
questions. [...]
 
Reply With Quote
 
 
 
 
Lewis
Guest
Posts: n/a
 
      08-06-2012, 09:54 PM
In message <(E-Mail Removed)-september.org>
Fred Moore <(E-Mail Removed)> wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:


> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


*HE* was hacked. iCoud was not hacked.

> Update Three: I know how it was done now. Confirmed with both the hacker
> and Apple. It wasn¹t password related. They got in via Apple tech
> support and some clever social engineering that let them bypass security
> questions. [...]


That is worrisome.

--
I SAW NOTHING UNUSUAL IN THE TEACHER'S LOUNGE Bart chalkboard Ep. 8F17
 
Reply With Quote
 
 
 
 
JF Mezei
Guest
Posts: n/a
 
      08-07-2012, 12:33 AM
>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>



I can understand the iPhone being wiped since there is a "wipe the
iPhone" function on iCloud.

But how can a laptop be wiped ? Is there also a "wipe my laptop"
function on iCloud ? If not, what exactly is being deleted from the laptop ?

Are we just talking about a sync for iTunes and iPhoto and iCal and
Contacts ? (which make the laptop's libraries match the empty libraries
on iCloud). ?


If you suspect wrong doing, I guess the first thing would be to turn off
wi-fi at your router before opening the laptop, and then disabling that
iCloud thingy on the laptop.


Reading the article, I kept thiniing "just take your SIM out and ut it
in another phone". But then the writer admitted being with that old CDAM
stuff (Sprint).

Anyone know if an iPhone wipe has the power/auhority to muck with the
SIM card ? I guess it can erase contacts stored on SIM. But for the
rest, I am not sure it can really disable the SIM card.
 
Reply With Quote
 
JF Mezei
Guest
Posts: n/a
 
      08-07-2012, 12:47 AM
More info now available in a Wired article:

http://www.wired.com/gadgetlab/2012/...honan-hacking/

##
The very four digits that Amazon considers unimportant enough to display
in the clear on the Web are precisely the same ones that Apple considers
secure enough to perform identity verification.?
##

(talking about credit card numbers)

 
Reply With Quote
 
David Empson
Guest
Posts: n/a
 
      08-07-2012, 01:20 AM
JF Mezei <(E-Mail Removed)> wrote:

> >> Yes, I was hacked. Hard.
> >> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

>
>
> I can understand the iPhone being wiped since there is a "wipe the
> iPhone" function on iCloud.
>
> But how can a laptop be wiped ? Is there also a "wipe my laptop"
> function on iCloud ? If not, what exactly is being deleted from the laptop ?


There is a "Find My Mac" feature. I have it turned off. If I go to
enable it there is a warning sheet which says "Find My Mac is part of
iCloud and helps you locate, lock or erase a lost Mac".

I haven't experimented with it to see the full details, but based on how
it works for the iPhone I expect that the "Erase" will do either of two
things:

(a) If the volume is encrypted with FileVault 2, it will destroy the
master key, immediately losing access to all data on the volume.

(b) If the volume is not encrypted with FileVault 2, it will have to
erase individual files or block erase the volume. It probably tries to
delete everything, but perhaps starts with files in the home folders.

Based on the description in the article, it sounds like it was deleting
files.

I'd have expected a restart to the recovery partition so that all files
or the volume could be erased without having some locked due to being in
use.

> Are we just talking about a sync for iTunes and iPhoto and iCal and
> Contacts ? (which make the laptop's libraries match the empty libraries
> on iCloud). ?


No. The wording implies the Mac is erased.

> If you suspect wrong doing, I guess the first thing would be to turn off
> wi-fi at your router before opening the laptop, and then disabling that
> iCloud thingy on the laptop.


Just turn off Find My Mac if you are concerned about losing the contents
of your Mac due to a similar hack.

> Reading the article, I kept thiniing "just take your SIM out and ut it
> in another phone". But then the writer admitted being with that old CDAM
> stuff (Sprint).
>
> Anyone know if an iPhone wipe has the power/auhority to muck with the
> SIM card ? I guess it can erase contacts stored on SIM. But for the
> rest, I am not sure it can really disable the SIM card.


An iPhone with no SIM connected to a WiFi network that has Internet
access could be remotely erased via Find My iPhone. The SIM card and
cellular connectivity just makes it far easier as it is more likely to
have Internet access.

--
David Empson
(E-Mail Removed)
 
Reply With Quote
 
Wes Groleau
Guest
Posts: n/a
 
      08-07-2012, 03:21 AM
On 08-06-2012 17:46, Fred Moore wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:
>
> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


And people laughed at me when I said I didn't want my life in iCloud.

--
Wes Groleau

“Two things are infinite, the universe and human stupidity.
But I'm not so sure about the universe.”
— Albert Einstein

 
Reply With Quote
 
Justin
Guest
Posts: n/a
 
      08-07-2012, 04:26 AM
On 8/6/12 5:46 PM, Fred Moore wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:
>
> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


Even Apple can't defend against lousy passwords.

 
Reply With Quote
 
nospam
Guest
Posts: n/a
 
      08-07-2012, 04:31 AM
In article <jvq5co$6tm$(E-Mail Removed)>, Justin
<(E-Mail Removed)> wrote:

> > Thought folks here would be interested in this article I saw on
> > Macintouch:
> >
> > Yes, I was hacked. Hard.
> > <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

>
> Even Apple can't defend against lousy passwords.


it wasn't a lousy password. in fact, his password made no difference
whatsoever.

apple *gave* the hacker a new, temporary password.

apple and amazon (where he got enough info to fool apple) are entirely
to blame for really shitty security.

read more here:
<http://www.wired.com/gadgetlab/2012/...onan-hacking/a
ll/1>
 
Reply With Quote
 
Lewis
Guest
Posts: n/a
 
      08-07-2012, 04:49 AM
In message <jvq1jh$pga$(E-Mail Removed)>
Wes Groleau <(E-Mail Removed)> wrote:
> On 08-06-2012 17:46, Fred Moore wrote:
>> Thought folks here would be interested in this article I saw on
>> Macintouch:
>>
>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


> And people laughed at me when I said I didn't want my life in iCloud.


Well, there are several things he did wrong.

#1 was using his Apple ID email for anything else.

I have unique emails for Amazon, Apple ID, Yahoo, Google, Ebay, Paypal,
World of Warcraft, buy.com, DropBox, woot, and just about any other
online service. Not only are they unique, but they are spread out over
several domains. While someone getting into one of my accounts would be
able to cause some damage, they would not be able to rampage through all
my services.

#2 was using the same address for his domain registration as his credit
card billing address. Rent a PO Box or something if you don't have an
office. You don't want anyone looking you up having your home address
*anyway*.

#3 was not running Time Machine

#4 was not having a completely separate off-line and/or off-site backup of
the files he considered most important (like his photos).

There are issues that have been exposed that are problematic, such as
Apple accepting simply a billing address and last 4 of credit card to
give anyone access. There are security questions for a reason, they
should be using them.

Amazon's security hole is even worse, to my mind, in allowing you to add
an unverified credit card to an account and then using it to unlock the
account.

--
He was Igor, son of Igor, nephew of several Igors, brother of Igors and
cousin of more Igors than he could remember without checking up in his
diary. Igors did not change a winning formula. {Footnote: Especially if
it was green, and bubbled.}
 
Reply With Quote
 
Lewis
Guest
Posts: n/a
 
      08-07-2012, 04:49 AM
In message <jvq5co$6tm$(E-Mail Removed)>
Justin <(E-Mail Removed)> wrote:
> On 8/6/12 5:46 PM, Fred Moore wrote:
>> Thought folks here would be interested in this article I saw on
>> Macintouch:
>>
>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


> Even Apple can't defend against lousy passwords.


Please go read the link. His Apple password was not *hacked*, Apple reset it.


--
Suddenly the animals look shiny and new
 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
A8N-SLI: Any hacked BIOS available? Leadfoot Asus 2 09-24-2005 04:29 PM
Is their any hacked bios's that include locking pci and agp buses ? We Live for the One we Die for the One Asus 2 06-13-2004 11:17 AM
A7V133: hacked Bios 1010.01a bootable? OttO Winter Asus 0 01-28-2004 01:58 PM
Problems with P4B533-E and Pure UDMA Hacked Bios holee@oddkarma.com Asus 1 01-10-2004 12:44 AM
k7d running hacked 2800 XPs John Smallberries MSI 0 12-03-2003 12:49 AM


All times are GMT. The time now is 10:24 AM.


Welcome!
Welcome to Motherboard Point
 

Advertisment