Skip to comments.How Apple let a hacker remotely wipe an iPhone, iPad, MacBook
Posted on 08/06/2012 5:54:06 PM PDT by for-q-clinton
On Friday, I wrote about how Gizmodo's Twitter account was hacked. It turns out that this was Apple's fault.
Let's take a step back. Over the weekend, it quickly became clear that the bigger story was how the whole thing started. First, former Gizmodo employee Mat Honan's iCloud account was hacked. The hacker then remotely wiped his iPhone, iPad, and MacBook Air, got into his Gmail account, his Twitter account, and finally Gizmodo's Twitter account.
When this came to light, I updated my article with a link to Honan's blog: Emptyage. Once Honan regained access to his iCloud account, he was able to retrace the hacker's steps through password reset emails. With this new Apple tidbit, however, it's worth looking at what Honan found: . . . The fact a hacker was able to access Honan's iCloud account with the help of AppleCare support is very worrying. Remember: the hacker then proceeded to destroy Honan's whole digital life. That's something iCloud users need to be very wary of, and something Apple should address, but knowing Cupertino, it probably won't even comment.
As a journalist, I need to point out Honan currently works for Wired. It's not clear if he was targeted for this reason, but it is clear that his work was affected by this attack. On the flipside, his connections allowed him to get the issue resolved relatively quickly. How long would it have taken for the average Apple user?
(Excerpt) Read more at zdnet.com ...
From history......."Windows is bad, and full of bugs"
If Alle will let someone mangle your devices, chances are your stuff in the cloud can be mangled :).
When all of your stuff is stored off in some cloud, away from your direct control, how could this possibly NOT happen?
And second, it validates my skepticism of the entire "cloud" concept. This generation of immature geniuses probably aren't aware that in the late 50s, the few mainframes in existence WERE the "clouds" of the day.
And the "experts" unanimously declared, "why would the world need more than a half dozen mainframes?
We know how that turned out.
No reason whatsoever that the rational individual user today, as opposed to large complex companies, would voluntarily turn over all her critical files and personal data to the current equivalent of a "mainframe."
I certainly won't. How may times does this concept need to be shot down?
The "victim" had a weak password.
The Woz has already spoken on this matter
Another article on this incident: Casey Berwick Blog
Actually he didn't, but that didn't matter. From the article I posted:
And the scariest part is that he had a strong, seven-digit alphanumeric password. Apple has confirmed to Honan that its own tech support staff provided the hacker entry into his online world via a bit of clever social engineering.
Better yet, get one of everything Apple makes!
Ha ha ha ha ha ha ha ha ha ha!
Ooops, my bad.
Cloud security is trickier than noncloud.
aww, get a linux.
No, more like “get in touch with a dunce from tech support.” But you already knew that and decided to make your post about something that is basically unrelated.
I don’t like the idea of putting all my stuff out there for someone else to store, or look through.
iCloud should have been named iNightmare from my perspective.
I don’t trust the concept at all.
The alleged "hacker" supposedly used social engineering, a con game, to convince AppleCare he was this "journalist."
Since this "journalist" has ties to ethics-challenged Gawker Media, who infamously purchased the stolen iPhone 4 prototype, I wonder how much of what he claims is truth and how much is fantasy.
It's amazing how willing people are to believe a story about a subject, Apple in this case, they have a grudge against.
The facts: A worker bee at the Apple helpdesk didn't follow policy. I'd hate to work there around now. Interestingly, the personal information that Apple asked for, last four of credit card and billing address, was acquired through a loophole over at Amazon customer support. I don't see you bitching about Amazon.
Apple only required his email, home address, and the last four digits of his credit card associated with his iCloud account to allow the hacker access to his account... allowing them full access to remote wipe his devices. This is unacceptable. However, the reporter/owner takes full responsibility for linking his google accounts and twitter accounts with simple information that lead the hackers to his Apple devices. Apple's employee, however, is culpable in letting the hacker through to the account when he could not answer the security questions. What are security questions FOR, if not security?
If you want on or off the Mac Ping List, Freepmail me.
No spin, but you are ignoring that before the hacker got full access to the target’s Apple iCloud account, he also achieved full access to his Amazon account, Google Gmail Account and twitter account... He could have purchased a lot of merchandise with the Amazon access that was granted him. The problem is not just Apple’s issue.
The only way he got access to the Apple iCloud account was the successful compromising of the Amazon account as the result of guessing the user’s other Google Gmail accounts from and then CALLING Amazon and telling them he could not access his (the target’s) Amazon account to add a new credit card with his password... and THEY, with minimal information gleaned from other internet searches, gave him a temporary password! He used THAT temporary password to change the Amazon account password which gave him full access to the target’s Amazon account, which gave him a list of the last four numbers of his credit cards associated with his Amazon accounts. He then called Apple armed with this data... and Apple obligingly ignored their own protocols about security questions, and also gave the hacker access. These were ALL PEOPLE MISTAKES! Social Engineering!
Ironically, when trying to correct all this later, Apple would NOT let the victim into his account because HE could not answer the security questions when the Apple people misheard his last name and were asking him the wrong security questions from someone else’s account!
Many companies are going to have to look at their security arrangement with what was revealed with this story.
Last week I was talking to a young lad and asked “let me see your paper for a minute” and he said “Wake up Old Man! Newspapers are no longer hip, here, try my I-Pad”.
Poor fly never knew what hit him.
Guess my aim is good as ever.
Pretty scary. Read about it and some social engineering came into the picture.
And the Apple Community forums are filled with gripes and complaints about how Apple wouldn't get them into their accounts without security questions... basically deriding Apple for following protocol and insisting on answers.
I am in no-way condoning the negligent Apple employee (who may very well be a "former" Apple employee now). But they are darned if they do, darned if they don't. Personally - if it comes down to me not being able to access an account or Apple (or Amazon or....) making it so easy to get in that it could be hacked with ease.... I choose make it difficult and give me an alternative way to get back in (send in my computer/iPhone, or go in-person to AppleStore with ID...)
I see the donate button right now has Reagan on it.
He wouldn’t make it here these days, he would be zotted.
After all he actually believed that half a loaf was better than none. So certainly not pure enough nor conservative enough.
But it just works so well. I got an email on the Mac from a new business contact. I hovered over the signature block, and Mail offered to make a contact out of it. I did so, and dude was in my contacts (it parsed everything perfectly). Both the computer and my iPhone are hooked to iCloud, so later when I went to call him, the full contact was already there. I could also have the most seamless bookmark syncing out there, but I still use Firefox.
The cloud has also saved me money. I use iTunes match to get songs on my iPhone synced with my computer. So now my 16 GB iPhone has access to my 40+ GB of music (the service even upgraded most of my music to 256 kb). Why buy a 64 GB phone? I burn a new CD or download a new song, and there it is, available on the iPhone.
OTOH, none of this is worth anything to anybody, or more personal than the basic contact list. The most valuable thing is one credit card number, for an account with very limited credit. Now when you start storing very sensitive personal data, or mission-critical enterprise data, then I definitely have problems with the clouds as they are today.
That sounds good, and I’m sure some folks are making great use out of it.
One of the things that had me second guessing it, was the fee. You were talking 40 gigs of songs. What’s the rate on storing that on the iCloud?
Doesn’t Apple only give you five gigs or so gratis?
I just wasn’t looking for another monthly charge in addition to everything else I’m dinged per month.
Between our cable service and our telephone services, we’re paying out the kazoo each month. All I need is another $20 added on to that.