Apple tech support handed over an iCloud password. Erasure ensued.

By Open Minded
in Back Page News

 Share

Recommended Posts

Grand Master

Open Minded

Posted
Posted

This weekend played host to a twisting, turning tale of hacking woe, which captured headlines primarily because of some unpleasant tweets sent from the hacked Twitter account of tech blog Gizmodo. But at the heart of the story is something far more worrying ? the deception of Apple tech support, and the subsequent access of an iCloud account.

While the story appears to start with the hacking of Gizmodo?s Twitter account, this was really a bonus for those hacking Mat Honan, a writer for Wired. Control of Gizmodo?s Twitter account was soon regained, but it was only the beginning of Honan?s problems.

Writing on his own blog, Honan describes how his iPhone, iPad and MacBook Air were systematically compromised and remote wiped using iCloud, and his Google account deleted too.

Because his Google account was linked to his Twitter account, which in turn was linked to Gizmodo?s Twitter ? Honan had previously written for the site ? offensive tweets were sent by the hackers. This is the point where the story went public.

Honan speculated that his iCloud account, where the problems all began, had been hacked using ?brute force,? where someone systematically enters possible passwords until the correct one is discovered. However, this wasn?t the case, as both AppleCare and the hacker have said the account was breached using ?social engineering.?

Trust gained using social engineering

In essence, social engineering involves a criminal lying about their identity and building trust to gain information from a third party, in this case AppleCare.

What?s interesting here is that no matter how secure you think your accounts are, or how strong your password is, it won?t matter if the person at the end of a telephone helpline is manipulated into handing it over to someone that?s not really you.

This will inevitably cause people to rethink how they use iCloud, and whether Apple?s security is good enough to protect all that important data. Before hands are thrown up in despair, Tony Bradley, writing for PCAdvisor.co.uk, has a very different story to tell concerning AppleCare. He describes a dogged refusal to handover any information at all, even with proof that he was who he said he was, indicating that either Honan?s experience is isolated, or that the criminals were really, really good.

Additionally, the attack will also ? once again ? highlight the importance of backing up data, encrypting data stored in the cloud, and taking care over linking online accounts together.

However, although these precautions may have limited Honan?s pain, they probably wouldn?t have prevented it happening in the first place. Infamous social engineer and hacker Kevin Mitnick said ?If you want to protect your network, you cannot rely on technology alone,? and this applies here too.

Let?s see if Apple has a response to this hack, and whether it will also need to work to regain its customers trust, especially as it?s so close to providing iCloud email addresses.

Source:

http://www.digitaltr...cloud-password/

Another good read on the story:

http://www.newstates...t-happening-you

EDIT: It was a password reset. More details on Tom's hardware:

http://www.tomshardw...Care,16642.html

Grand Master

Open Minded

Posted
  • Author
Posted

Doesn't apple salt their passwords?

What?s interesting here is that no matter how secure you think your accounts are, or how strong your password is, it won?t matter if the person at the end of a telephone helpline is manipulated into handing it over to someone that?s not really you.

It looks like they have access to the passwords.

Grand Master

Ryoken

Posted
Posted

Terrible that they did this. If he is unable to recover the data on his MacBook Air I would seriously sue Apple.

As bad as I feel for that.. in the end, my sympathy stops as he never did backups.

He'd have been just as screwed if it was stolen, or fried in a power surge, or whatever... Backup Backup Backup..

Grand Master

ichi

Posted
Posted

Read the article, Apple is as much to blame as Amazon and Google in this. The "hackers" would never have been able to do all that damage without the security failure of Amazon and Google.

Where does the article say that? Which article? What security failure? :huh:

Contributor

a0me

Posted
Posted

Where does the article say that? Which article? What security failure? :huh:

How Apple and Amazon Security Flaws Led to My Epic Hacking

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking

The article shows that it's extremely easy to get (partial) credit card numbers from Amazon tech support and that Google Accounts shows your secondary email addresses (almost) unobfuscated...

I'm not saying that Apple is not to blame, but the hacker got the most useful piece of info from Amazon.

Grand Master

ichi

Posted
Posted

How Apple and Amazon Security Flaws Led to My Epic Hacking

http://www.wired.com...t-honan-hacking

The article shows that it's extremely easy to get (partial) credit card numbers from Amazon tech support and that Google Accounts shows your secondary email addresses (almost) unobfuscated...

I'm not saying that Apple is not to blame, but the hacker got the most useful piece of info from Amazon.

I could't fin the bit about Google there, but the issue with the 4 CC digits is cetainly epic :pinch:

Contributor

a0me

Posted
Posted

I could't fin the bit about Google there, but the issue with the 4 CC digits is cetainly epic :pinch:

The part about Google is mentioned in a number of related articles (see below). The Google Account recovery page gives away the email addresses configured for account recovery.

The chain of calamity began with the hackers finding Honan's Gmail address via his linked personal webpage off the @mat Twitter account and assuming correctly that it was the email address for his Twitter account. With that detail, they could go to the account recovery page for Gmail and -- without actually attempting to break into his account -- see a partial email address "[email protected]" already configured for account recovery. It doesn't take a rocket scientist to guess what the missing letters are there, and once they knew Honan's Gmail password reset would be heading for iCloud, they knew they had an easy path ahead.

Source: http://www.tuaw.com/2012/08/06/mat-honan-details-the-amazon-and-apple-security-flaws-that-let-h/

This topic is now closed to further replies.
 Share
Go to topic listing