iCloud Hacked Article

Thought folks here would be interested in this article I saw on
Macintouch:

Yes, I was hacked. Hard.
<http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

At 4:50 PM, someone got into my iCloud account, reset the password and
sent the confirmation message about the reset to the trash. My password
was a 7 digit alphanumeric that I didn¹t use elsewhere. When I set it
up, years and years ago, that seemed pretty secure at the time. But it¹s
not. Especially given that I've been using it for, well, years and
years. My [guess is they used brute force to get the password]<-[this
bit negated in the original] (see update) and then reset it to do the
damage to my devices.

The backup email address on my Gmail account is that same .mac email
address. At 4:52 PM, they sent a Gmail password recovery email to the
..mac account. Two minutes later, an email arrived notifying me that my
Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter.
[...]
Update Three: I know how it was done now. Confirmed with both the hacker
and Apple. It wasn¹t password related. They got in via Apple tech
support and some clever social engineering that let them bypass security
questions. [...]

In message <fmoore->
Fred Moore <> wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:

> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

*HE* was hacked. iCoud was not hacked.

> Update Three: I know how it was done now. Confirmed with both the hacker
> and Apple. It wasn¹t password related. They got in via Apple tech
> support and some clever social engineering that let them bypass security
> questions. [...]

That is worrisome.

--
I SAW NOTHING UNUSUAL IN THE TEACHER'S LOUNGE Bart chalkboard Ep. 8F17

>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>


I can understand the iPhone being wiped since there is a "wipe the
iPhone" function on iCloud.

But how can a laptop be wiped ? Is there also a "wipe my laptop"
function on iCloud ? If not, what exactly is being deleted from the laptop ?

Are we just talking about a sync for iTunes and iPhoto and iCal and
Contacts ? (which make the laptop's libraries match the empty libraries
on iCloud). ?


If you suspect wrong doing, I guess the first thing would be to turn off
wi-fi at your router before opening the laptop, and then disabling that
iCloud thingy on the laptop.


Reading the article, I kept thiniing "just take your SIM out and ut it
in another phone". But then the writer admitted being with that old CDAM
stuff (Sprint).

Anyone know if an iPhone wipe has the power/auhority to muck with the
SIM card ? I guess it can erase contacts stored on SIM. But for the
rest, I am not sure it can really disable the SIM card.

More info now available in a Wired article:

http://www.wired.com/gadgetlab/2012/...honan-hacking/

##
The very four digits that Amazon considers unimportant enough to display
in the clear on the Web are precisely the same ones that Apple considers
secure enough to perform identity verification.?
##

(talking about credit card numbers)

JF Mezei <> wrote:

> >> Yes, I was hacked. Hard.
> >> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>
>
>
> I can understand the iPhone being wiped since there is a "wipe the
> iPhone" function on iCloud.
>
> But how can a laptop be wiped ? Is there also a "wipe my laptop"
> function on iCloud ? If not, what exactly is being deleted from the laptop ?

There is a "Find My Mac" feature. I have it turned off. If I go to
enable it there is a warning sheet which says "Find My Mac is part of
iCloud and helps you locate, lock or erase a lost Mac".

I haven't experimented with it to see the full details, but based on how
it works for the iPhone I expect that the "Erase" will do either of two
things:

(a) If the volume is encrypted with FileVault 2, it will destroy the
master key, immediately losing access to all data on the volume.

(b) If the volume is not encrypted with FileVault 2, it will have to
erase individual files or block erase the volume. It probably tries to
delete everything, but perhaps starts with files in the home folders.

Based on the description in the article, it sounds like it was deleting
files.

I'd have expected a restart to the recovery partition so that all files
or the volume could be erased without having some locked due to being in
use.

> Are we just talking about a sync for iTunes and iPhoto and iCal and
> Contacts ? (which make the laptop's libraries match the empty libraries
> on iCloud). ?

No. The wording implies the Mac is erased.

> If you suspect wrong doing, I guess the first thing would be to turn off
> wi-fi at your router before opening the laptop, and then disabling that
> iCloud thingy on the laptop.

Just turn off Find My Mac if you are concerned about losing the contents
of your Mac due to a similar hack.

> Reading the article, I kept thiniing "just take your SIM out and ut it
> in another phone". But then the writer admitted being with that old CDAM
> stuff (Sprint).
>
> Anyone know if an iPhone wipe has the power/auhority to muck with the
> SIM card ? I guess it can erase contacts stored on SIM. But for the
> rest, I am not sure it can really disable the SIM card.

An iPhone with no SIM connected to a WiFi network that has Internet
access could be remotely erased via Find My iPhone. The SIM card and
cellular connectivity just makes it far easier as it is more likely to
have Internet access.

--
David Empson

On 08-06-2012 17:46, Fred Moore wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:
>
> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

And people laughed at me when I said I didn't want my life in iCloud.

--
Wes Groleau

“Two things are infinite, the universe and human stupidity.
But I'm not so sure about the universe.�
— Albert Einstein

On 8/6/12 5:46 PM, Fred Moore wrote:
> Thought folks here would be interested in this article I saw on
> Macintouch:
>
> Yes, I was hacked. Hard.
> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

Even Apple can't defend against lousy passwords.

In article <jvq5co$6tm$>, Justin
<> wrote:

> > Thought folks here would be interested in this article I saw on
> > Macintouch:
> >
> > Yes, I was hacked. Hard.
> > <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>
>
> Even Apple can't defend against lousy passwords.

it wasn't a lousy password. in fact, his password made no difference
whatsoever.

apple *gave* the hacker a new, temporary password.

apple and amazon (where he got enough info to fool apple) are entirely
to blame for really shitty security.

read more here:
<http://www.wired.com/gadgetlab/2012/...onan-hacking/a
ll/1>

In message <jvq1jh$pga$>
Wes Groleau <Groleau+> wrote:
> On 08-06-2012 17:46, Fred Moore wrote:
>> Thought folks here would be interested in this article I saw on
>> Macintouch:
>>
>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

> And people laughed at me when I said I didn't want my life in iCloud.

Well, there are several things he did wrong.

#1 was using his Apple ID email for anything else.

I have unique emails for Amazon, Apple ID, Yahoo, Google, Ebay, Paypal,
World of Warcraft, buy.com, DropBox, woot, and just about any other
online service. Not only are they unique, but they are spread out over
several domains. While someone getting into one of my accounts would be
able to cause some damage, they would not be able to rampage through all
my services.

#2 was using the same address for his domain registration as his credit
card billing address. Rent a PO Box or something if you don't have an
office. You don't want anyone looking you up having your home address
*anyway*.

#3 was not running Time Machine

#4 was not having a completely separate off-line and/or off-site backup of
the files he considered most important (like his photos).

There are issues that have been exposed that are problematic, such as
Apple accepting simply a billing address and last 4 of credit card to
give anyone access. There are security questions for a reason, they
should be using them.

Amazon's security hole is even worse, to my mind, in allowing you to add
an unverified credit card to an account and then using it to unlock the
account.

--
He was Igor, son of Igor, nephew of several Igors, brother of Igors and
cousin of more Igors than he could remember without checking up in his
diary. Igors did not change a winning formula. {Footnote: Especially if
it was green, and bubbled.}

In message <jvq5co$6tm$>
Justin <> wrote:
> On 8/6/12 5:46 PM, Fred Moore wrote:
>> Thought folks here would be interested in this article I saw on
>> Macintouch:
>>
>> Yes, I was hacked. Hard.
>> <http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard>

> Even Apple can't defend against lousy passwords.

Please go read the link. His Apple password was not *hacked*, Apple reset it.


--
Suddenly the animals look shiny and new