
Apple Support Allowed Hackers Access To User's iCloud Account

samzenpus posted about a year and a half ago | from the let-me-in dept.

Security 266

Robadob writes "Yesterday a hacker gained access to Mat Honan's (an editor at Gizmodo) Apple iCloud account, allowing the attacker to reset his iPhone, iPad, and MacBook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack; however, today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."


266 comments

They Know Best (-1, Troll)

Nerdfest (867930) | about a year and a half ago | (#40888233)

He was probably using his account wrong.

Seriously, it's too easy with most of these places. XBox live was getting hit by this a couple of years ago too. Even banks are using the "what was the name of your primary school" password recovery questions. Put 2 factor authentication in place at least.

Is it too hard to read the summary? (4, Funny)

MrEricSir (398214) | about a year and a half ago | (#40888271)

Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.

Re:Is it too hard to read the summary? (1)

Nerdfest (867930) | about a year and a half ago | (#40888301)

I actually did (well, yesterday). I seem to remember him saying the only thing that would have survived the attack was his Google account ... if he'd enabled 2 factor. Of course, if his phone was wiped, he still would have been in trouble.

Re:They Know Best (4, Insightful)

Anrego (830717) | about a year and a half ago | (#40888489)

The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.

People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.

Personally I wish there was a way to opt out of recovery. Basically an "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to grant access to the account.. because if they technically can, someone will social engineer one to do so...

Re:They Know Best (4, Informative)

dsavitsk (178019) | about a year and a half ago | (#40888735)

Re:They Know Best (5, Funny)

GNious (953874) | about a year and a half ago | (#40888803)

I prefer the solution at WebEx - I have a weblink that opens to a page showing my current password in cleartext... others should really implement this, seeing how user-friendly it is!

Re:They Know Best (1)

viperidaenz (2515578) | about a year and a half ago | (#40888797)

I think a slightly better option would be "If my password is reset then wipe all data from my accounts and lock it out for a further few days before reactivating it".

Re:They Know Best (1)

DarkOx (621550) | about a year and a half ago | (#40888911)

You *can* more or less do that: just encipher everything you store on other people's systems before you upload it. They don't need the keys. My friends and I use Dropbox a fair amount, to trade files asynchronously, but we run all our files through openssl first and the certificates have never been anywhere near Dropbox.

Unless someone can break AES or gets the certs and the passwords protecting them via rubber-hose cryptanalysis, it's safe and nobody will enable *recovery*.

Yeah but.... (1)

Anonymous Coward | about a year and a half ago | (#40888245)

.... macs sure are shiny!

Re:Yeah but.... (4, Insightful)

Nerdfest (867930) | about a year and a half ago | (#40888383)

This is really unrelated to any specific company. It *is* an excellent lesson in relying only on online backups.

Re:Yeah but.... (0)

Anonymous Coward | about a year and a half ago | (#40888463)

"This is really unrelated to any specific company."

Having actually read the article (and headline, ffs), it specifically names Apple support as having helped the hacker. No maybes, no ambiguities.

I would say that counts as being related to a particular company.

Re:Yeah but.... (0)

Anonymous Coward | about a year and a half ago | (#40888505)

Social engineering is NOT specific to a certain company. This case, yes, but Apple is only the last victim not the first or only.

Re:Yeah but.... (0)

Anonymous Coward | about a year and a half ago | (#40888529)

Not only that, most devices don't have such tight integration so that a compromised account would affect *EVERYTHING*.

For example, even if one was able to access an Android's Google account, the worst they could do is to install or uninstall applications (from the market) on the respective devices. Installed apps do *NOT* automatically run the first time they are installed and a notice appears in the Notification Area. As such, they cannot have access to all your personal files, nor any accounts you may have.

You can install various remote-wipe applications from the market, but therein lies the key: since you choose which one to use, the hacker must guess which one you've used as well (if you've used one at all). Some apps will enable an auto-lock or trigger a loud alarm that can't be shut off without turning off the phone and will resume on power on.

Easy to demand more security (5, Insightful)

west (39918) | about a year and a half ago | (#40888251)

But understand that it will cause massive unhappiness for the majority of cases where (for example) one's 75-year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grandchildren's emails.

The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.

Re:Easy to demand more security (1)

jkflying (2190798) | about a year and a half ago | (#40888335)

Then have optional 2-factor auth. It's not that hard...

Re:Easy to demand more security (1)

Anrego (830717) | about a year and a half ago | (#40888561)

Recovery will still be the weak point.

Parent is on the right track though. You need some way to decide in advance how much of a pain it will be to recover down the road. Personally I'd love an option where they made it very difficult, even if at a cost to myself (like they actually verify my identity.. and charge me $200 for the time..).

Re:Easy to demand more security (3, Informative)

tomhath (637240) | about a year and a half ago | (#40888339)

True, but Gramma wouldn't link all her devices like that. One account compromised shouldn't get you remote root access to every other device.

Re:Easy to demand more security (5, Informative)

ilsaloving (1534307) | about a year and a half ago | (#40888399)

Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.

Re:Easy to demand more security (-1)

Anonymous Coward | about a year and a half ago | (#40888787)

My Gramma wouldn't, because she's dead. And my 92 y/o mother wouldn't because she doesn't own a cell phone and her Mac is a boat anchor now (although she doesn't understand why a six year old computer is useless).

If Apple makes it that easy their security is worse than Microsoft's.

Re:Easy to demand more security (1)

Splab (574204) | about a year and a half ago | (#40888677)

Why not?
Gain access to my email and you got at least 5 years worth of data to plow through, you should be able to figure out what sites I'm using and get password resets on most of them - and it's indexed by Google to make life easier for hackers.

On top of that, even the sites that require more information, you would probably be able to get through my mail account.

Re:Easy to demand more security (2)

TheRaven64 (641858) | about a year and a half ago | (#40888467)

So you post a password reset code to her house. Or you charge her $1 on the credit card that she used to pay for the phone for the reset. Or you send it to another email address that she entered when she created it.

Re:Easy to demand more security (0)

Nutria (679911) | about a year and a half ago | (#40888613)

But understand that it will cause massive unhappiness ...

Where's the personal fscking responsibility?

Even dear old Grandma knows that shit happens (even though she wouldn't use that phrase), and it's her responsibility to keep track of her own stuff.

But on the other hand, she lived through the 60s, 70s and 80s and so has probably voluntarily abrogated all responsibility to the government.

Re:Easy to demand more security (3, Insightful)

fm6 (162816) | about a year and a half ago | (#40888771)

Yeah, because people blaming others for their own mistakes was invented in 1963.

cue Nelson Muntz (-1)

Anonymous Coward | about a year and a half ago | (#40888253)

HA HA!

Social engineering Apple - It just works! (0)

Anonymous Coward | about a year and a half ago | (#40888257)

I'm waiting for a 'hacker' to remote wipe every iPad, iPhone and Mac (needs to be enabled for iCloud and running 10.7.2+)!

Weak security questions (4, Insightful)

ZorinLynx (31751) | about a year and a half ago | (#40888265)

This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

"What was the name of your first pet?" Hell you can find that with Google.

"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

Re:Weak security questions (5, Informative)

sabri (584428) | about a year and a half ago | (#40888293)

This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

"What was the name of your first pet?" Hell you can find that with Google.

"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.

Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".

Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.

Re:Weak security questions (2)

Telvin_3d (855514) | about a year and a half ago | (#40888401)

So far the quote "They got in via Apple tech support and some clever social engineering that let them bypass security questions." is the only bit of information. It's hard to say what is covered under "clever social engineering" or "bypass" without more details. Did the hacker just do an incredible job of fast talking or is this a case where "clever social engineering" means they dug up security question answers that the author (and tech support) figured were un-discoverable?

Re:Weak security questions (2)

Macrat (638047) | about a year and a half ago | (#40888565)

And this report is coming from someone associated with Gizmodo.

This whole report could be staged.

Re:Weak security questions (2)

FrostDust (1009075) | about a year and a half ago | (#40888297)

What, do you think they verify if your answer is factually correct?

A person could find out what school you went to, while no one but you is going to know you put in "The Napoleonic Wars" as the acceptable response.

Re:Weak security questions (1)

Anonymous Coward | about a year and a half ago | (#40888549)

It was not the best of schools, it was not the worst of schools...

Re:Weak security questions (1)

Quazion (237706) | about a year and a half ago | (#40888319)

You don't have to use the real answer to these questions. It's just another password, but one with a hint.
Now that I am thinking of it, time to change all the security questions to the same hard-to-guess answer.

Re:Weak security questions (1)

Nerdfest (867930) | about a year and a half ago | (#40888321)

I actually use completely unrelated responses to these questions and store them in a password manager as well. Of course with a password manager, they're never really needed.

Re:Weak security questions (1)

sco08y (615665) | about a year and a half ago | (#40888495)

I actually use completely unrelated responses to these questions and store them in a password manager as well. Of course with a password manager, they're never really needed.

Some sites ask for security questions when they detect no cookie.

Re:Weak security questions (0)

Anonymous Coward | about a year and a half ago | (#40888637)

Really? That would be interesting. Since I believe security questions lessen account security, my answers are random gibberish I do not store, anywhere. If I were ever to use such a service I would effectively be locked out.

That's so far never happened.

Re:Weak security questions (2)

tkprit (8581) | about a year and a half ago | (#40888349)

True that, but some sites let you define questions. "Street your best friend lived on when she was twelve plus last name of her then-crush." My sister can't guess these. (Ofc her memory's shot to shit from opiates but w/e).

Re:Weak security questions (1)

flimflammer (956759) | about a year and a half ago | (#40888389)

Never answer the question accurately. Instead, use the question as a hint for your real answer. If it asks for the name of your elementary school, try to pick out something of interest like a fond memory or fact regarding the school that you don't blab to everyone, for example.

However, this has little to do with the article at hand. The question was completely bypassed without needing an answer. Apple just let him right in.

Re:Weak security questions (1)

zippthorne (748122) | about a year and a half ago | (#40888447)

Just use a password safe, and generate passwords to use as the answers to those questions. You could have a special password file which contains all the answers, in case your primary password file is corrupted.

You can put anything in those fields. It doesn't have to be the actual answer. It doesn't even have to be words.

Re:Weak security questions (0)

Anonymous Coward | about a year and a half ago | (#40888607)

What did Helen Keller name her dog?

a64f83e8428b121ea83a14a5d9a43868!

Re:Weak security questions (2)

ccguy (1116865) | about a year and a half ago | (#40888465)

This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

I'm more pissed by the fact that the questions *can't be changed* and everyone asks the same ones. Seriously, how is it possible that both my bank and a torrent site make me tell them the name of the first school?

Questions must be user defined (a fucking string) instead of coming from a list of the same 5 or 6 questions that everyone asks.

Plus some of them just don't apply worldwide. The 'maiden name' of a mother may be something not trivial in the US, but in many countries the wife never changes her last name and in fact it's passed along to children.

I'm currently writing (in a physical notebook) the fake answers I provide to each site to those questions, since I just don't feel like telling anyone information that can easily be used to gain access to important stuff.

Re:Weak security questions (-1)

Anonymous Coward | about a year and a half ago | (#40888509)

you know it's your answer... your mom's maiden name could be FUCKYOUASSHOLE1qz3kjk43

Re:Weak security questions (5, Informative)

MacGyver2210 (1053110) | about a year and a half ago | (#40888573)

This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.

"What was the name of your first pet?" Hell you can find that with Google.

If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.

Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.

Re:Weak security questions (1)

TCM (130219) | about a year and a half ago | (#40888679)

"What was the name of your first pet?" Hell you can find that with Google.

Which is another problem these days.

Re:Weak security questions (2)

Shetan (20885) | about a year and a half ago | (#40888793)

Why do you have to answer the questions with the correct answers? As long as you remember how you answered them, it doesn't matter if the answers are actually correct. Your first pet could be George W. Bush. Your elementary school could be Starfleet Academy.

Apple's status : told (-1)

Anonymous Coward | about a year and a half ago | (#40888269)

Your iClouds are zapped by thunder bolts. The mountain lion roars and stops Windows users going on Safari.

Careful with this one... (1)

ttimes (534696) | about a year and a half ago | (#40888283)

The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim. But the best part? The INSANE posts to the original article: death threats from "Navy Seals", tons of homophobic comments and hatred for days. Oddly, very few were able to respond directly to the original post since the comments were so ridiculously incendiary. Sadly the adage still applies: think before you post or you are toast!

Re:Careful with this one... (1)

jkflying (2190798) | about a year and a half ago | (#40888355)

If he put enough ads on the page he might just be coining it... especially if the ads are for i[Phone|Pad|Pod] accessories.

Re:Careful with this one... (2)

icebike (68054) | about a year and a half ago | (#40888423)

The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim.

Wrong. Read all the way to the end of the article: Apple already fessed up.

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.

Re:Careful with this one... (1)

Macrat (638047) | about a year and a half ago | (#40888587)

Wrong. Read all the way to the end of the article: Apple already fessed up.

The article written by the someone who could be making it all up?

Re:Careful with this one... (2)

icebike (68054) | about a year and a half ago | (#40888815)

Seriously?

After calling out Tim Cook personally, getting Gawker Media involved, Gizmodo [gizmodo.com] also carrying the story written by a different editor, Cnet [cnet.com] carrying the story, and Mat posting under his own name, you are still going with the denial angle?

Re:Careful with this one... (0)

Macrat (638047) | about a year and a half ago | (#40888891)

Seriously?

After calling out Tim Cook personally, getting Gawker Media involved, Gizmodo also carrying the story written by a different editor

Multiple articles from a single source is still a single source.

you are still going with the denial angle?

Independent confirmation would be nice.

Would Apple be liable for the damages? (2)

sabri (584428) | about a year and a half ago | (#40888311)

Now here is the question: would Apple be liable for the damages? Of course, they will have an EULA waiving all liabilities, but in a case like this where it is clearly Apple's failure to adhere to their own security framework, one could argue that Apple would be liable for all damages, plus a bit extra for all the inconvenience. Not to mention the bad press...

Re:Would Apple be liable for the damages? (2)

arbiter1 (1204146) | about a year and a half ago | (#40888391)

I think even though they do waive all liabilities in the EULA, when they don't even adhere to their own policy itself, that removes the waiving of liabilities on their end and allows them to be sued. Kinda like if a site did that in their EULA but stored all PW and CC info as plain text: since they didn't do anything to protect data, they shouldn't be allowed to say you waive liability when they get hacked.

Re:Would Apple be liable for the damages? (0)

Anonymous Coward | about a year and a half ago | (#40888563)

Considering he's such a fanboy, they'll just throw him a few new devices and he'll be happy.

Until, of course, he's hacked again. LOL

Why believe the hacker? (0)

93 Escort Wagon (326346) | about a year and a half ago | (#40888323)

I don't doubt social engineering is a possible (and likely) culprit - but the guy had a seven character password. A dictionary attack could probably crack that pretty easily. And if you were a hacker that was successfully using dictionary attacks... would you want to draw attention to that fact, potentially driving future targets to improve their passwords?

"d3l!ver" isn't a very secure password, dude.

Re:Why believe the hacker? (4, Insightful)

Entropius (188861) | about a year and a half ago | (#40888377)

That's a password with somewhere around 20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.

If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.

Re:Why believe the hacker? (1)

T Murphy (1054674) | about a year and a half ago | (#40888939)

I apologize for going on a sidetrack here, but this has been bugging me for a while:

On occasion the xkcd "correct horse battery staple" comic comes up, and when people compare the password strength to other methods, they calculate the strength of the random words password based on (number of words in dictionary used)^(number of words in password).

This makes no sense to me. When an attacker is trying to brute force your password, he has no idea how you created your password, so calculating a random-word password strength like that would imply the attacker knows you used that method (i.e. he is guessing nothing but multi-word passwords) and knows the dictionary you used. If I made my own dictionary of 20 words, it would be absurd to calculate my password strength based on the dictionary size, as the attacker does not have that information (other than if he was cracking all my accounts and figured out my dictionary).

I realize an attacker might start with common passwords, then go on to a multiple-word attack, then maybe other common methods, but he has no idea how long my password is and at some point he has to decide when to stop the targeted approach and try random strings.

I could (potentially) defeat his targeted approach in a number of ways:
-Use a word not in his dictionary
-Add extra characters in a way he wouldn't guess
-Use more words/characters than he is willing to try before switching to a random string approach

Heck, using the word "cat" 100 times would have little entropy, but so long as it's too long of an "easy" password for the attacker to explicitly guess, it's a strong password (and before you say he might try "cat" 100 times, consider he has to do that with all dictionary words, then try them all many times more if I add even a single random character in there, all time he's wasting on really obscure passwords).

Am I missing something here, or is password strength being calculated based on unrealistic assumptions? At the very least, password strength should be based on an attacker starting with low-entropy passwords and working his way up, instead of assuming the attacker knows your password generation method (alpha case-insensitive, alphanumeric with symbols, multiple words, etc.).
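As an added worked calculation (not from any poster in this thread), the following Python puts numbers to two of the comments above: Entropius' point that guessing a 16 to 20 bit password online is only feasible if the server never throttles, and T Murphy's question of which attacker model a strength estimate should assume. The 10-attempts-per-15-minute throttle, the 2048-word list and the 128-repetition cap are assumed values chosen for the illustration.

```python
import math
import string


def charset_bits(password: str) -> float:
    """Bits of work under a character-class brute-force model.

    The attacker is assumed to try every string over the union of the
    character classes actually present in the password.
    """
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def wordlist_bits(word_count: int, dictionary_size: int) -> float:
    """Bits under the xkcd-style model: attacker knows the list and the word count."""
    return word_count * math.log2(dictionary_size)


def repeat_bits(dictionary_size: int, max_repeats: int) -> float:
    """Bits if the attacker also tries 'one word repeated k times' for k <= max_repeats.

    This is the model that makes "cat" x 100 cheap: one word choice plus one
    repetition count, not 100 independent word choices.
    """
    return math.log2(dictionary_size * max_repeats)


def effective_bits(*model_bits: float) -> float:
    """A password is only as strong as the cheapest model the attacker actually runs."""
    return min(model_bits)


def online_crack_days(bits: float, attempts_per_window: int, window_seconds: int) -> float:
    """Days until an online guesser, throttled to N attempts per window, expects to succeed.

    Expected work is half the keyspace, i.e. the "around half of 60000"
    figure for a 16-bit password in the comment above.
    """
    expected_guesses = 2 ** bits / 2
    windows = expected_guesses / attempts_per_window
    return windows * window_seconds / 86400


def compare_models(dictionary_size: int = 2048, max_repeats: int = 128) -> dict:
    """Strength of 'cat' x 100 under each model; returns the per-model bits and the minimum."""
    pw = "cat" * 100
    bits = {
        "charset": charset_bits(pw),
        "wordlist": wordlist_bits(100, dictionary_size),
        "repeat": repeat_bits(dictionary_size, max_repeats),
    }
    bits["effective"] = effective_bits(*bits.values())
    return bits


if __name__ == "__main__":
    # The 7-character password quoted in the thread, under a pure charset model.
    print("d3l!ver charset bits:", round(charset_bits("d3l!ver"), 1))
    # 16 bits against a server allowing 10 attempts per 15 minutes (assumed policy).
    print("16-bit password, throttled, days:", round(online_crack_days(16, 10, 900), 1))
    print("cat x 100 by model:", compare_models())
```

The throttle parameters are the defender's lever: the same 16-bit secret that falls in seconds offline takes about a month against a server that allows only ten attempts per quarter hour.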

Re:Why believe the hacker? (1)

ilsaloving (1534307) | about a year and a half ago | (#40888409)

Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.

Re:Why believe the hacker? (2, Interesting)

93 Escort Wagon (326346) | about a year and a half ago | (#40888441)

Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.

I did RTFA. Everything we're currently aware of comes from this guy's point of view. I'm not saying it's incorrect - but it's usually smart to wait for corroboration before drawing conclusions on anything.

privacy guards often public (0)

Anonymous Coward | about a year and a half ago | (#40888329)

What is your age and date of birth?
*Reads directly from target's Facebook*
Thank you sir. Please hold one moment...

We've verified your account what can I do for you today? Change shipping address? Change password? Change email? Purchase 30,000 worth of fetish gear?

No problem Mr Shimomura.

Re:privacy guards often public (1)

houghi (78078) | about a year and a half ago | (#40888517)

What is your age and date of birth?
*Reads directly from target's Facebook* and says 1970-01-01

Or the agent reads the answer as 'Sweetmorn, Chaos 1, 3136 YOLD' and says:
Sorry sir, this is the wrong answer. Please hold while we trace this call.

Can happen in many different scenarios (1)

Calibax (151875) | about a year and a half ago | (#40888331)

A neighbor had a similar problem several years ago - but that was with her bank account. Someone convinced the online support person to help her and as a result she lost the contents of her checking and savings accounts. No, the bank did not refund the money.

All this shows is that if a hacker knows enough about you to convince someone else that they are you, you can lose a great deal. This guy should count himself lucky.

It's a very fine line between providing good customer support and helping them, and being hard-nosed and losing a customer. When I was pick-pocketed in Paris it was a major issue getting a new American Express card to pay my hotel bill - the AMEX agent apologized for the incredible amount of fact checking that was needed, but they did provide superb help when I did manage to pass their validation checks.

Re:Can happen in many different scenarios (2)

flimflammer (956759) | about a year and a half ago | (#40888427)

Did she try suing the bank? I can't imagine what judge would seriously allow the bank to get away with that if it were through no fault of her own.

Re:Can happen in many different scenarios (1)

Nerdfest (867930) | about a year and a half ago | (#40888431)

A friend of mine once forgot his wallet, needed money, so went to a branch of his bank near my place. He convinced them to give him a couple of hundred bucks from his account even though he had no ID. He got the money, and then yelled at them for giving it to him ... a bit rude, but I can understand his concern. People are very easy to talk into things. Nice people feel like dicks for turning down a perfectly reasonable request from a 'nice' person.

Re:Can happen in many different scenarios (0)

Anonymous Coward | about a year and a half ago | (#40888859)

A friend of mine once forgot his wallet, needed money, so went to a branch of his bank near my place. He convinced them to give him a couple of hundred bucks from his account even though he had no ID. He got the money, and then yelled at them for giving it to him ... a bit rude, but I can understand his concern. People are very easy to talk into things. Nice people feel like dicks for turning down a perfectly reasonable request from a 'nice' person.

You know, there's nothing wrong with what they did, they took a measured risk no different from any other service they provide, ATM, debit cards, credit, checking, etc. He had to stand in front of a teller and a camera to get a measly $100, so as a criminal endeavor, it would not be likely to last very long, and if there were a local trend of fraud in the hypothetical way your friend imagines, the bank would not have taken that risk.

Just wondering, was this a small local bank? Tell your friend he should be banking with a big mega-bank if he really wants to be treated like crap. They'll probably strip search him too, for a $25 fee, if he asks for it.

Re:Can happen in many different scenarios (1)

ilsaloving (1534307) | about a year and a half ago | (#40888449)

I had something similar happen. My spouse's ex transferred my car insurance to another car. I only found out by accident because I just happened to make an inquiry a few days later and the phone person started talking about an entirely different car.

It's unfortunate, but companies in general are going to have to start using better security, and consumers are just going to have to suck that up. If your life can be ruined by one wayward phone call, then there is simply no choice in the matter. It must be done.

Too much stuff in one place. (5, Insightful)

icebike (68054) | about a year and a half ago | (#40888345)

Had the user set up Two Factor authentication, his Google stuff probably would have been safe:

As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.

As for all his devices being wiped by one single hack: relying on a single point of security makes for a single point of failure. I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.

Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely to one single point of security.

And what would he have done if he was just Joe Corporate Drone?

He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.

Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??

Re:Too much stuff in one place. (1)

game kid (805301) | about a year and a half ago | (#40888761)

Seriously? contacts at Google and Twitter? 1) very few people have that kind of contacts. 2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??

I agree; never heard of this guy and he has who-you-know power at those two places...I smell fish and not of the pleasant filet kind.

Re:Too much stuff in one place. (1)

icebike (68054) | about a year and a half ago | (#40888839)

That you never heard of him means nothing.

Google Him. The story is everywhere.

Apparently a lot of people know him. And some of those guys reached into Google and Twitter for him. And Google and Twitter RESPONDED!!!

Could you do that?

WHO ?? (-1)

Anonymous Coward | about a year and a half ago | (#40888347)

And I should care ?? You give someone control of your stuff, don't be surprised if you lose it !! I'm safe because Google knows me, and looks out for my interests !!

My answers.. (2)

Ryanrule (1657199) | about a year and a half ago | (#40888367)

Mother's maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay

First pet's name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh

City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&

Re:My answers.. (4, Insightful)

icebike (68054) | about a year and a half ago | (#40888437)

Quick, now, without cut and paste could you please enter those again?

No.

Thought not.
Fail.

Re:My answers.. (-1)

Anonymous Coward | about a year and a half ago | (#40888507)

Ever heard of KeePass, you moron?

Re:My answers.. (3, Funny)

icebike (68054) | about a year and a half ago | (#40888689)

Sure, just read that string over the phone to a tech support operator in India some time, moron.

Re:My answers.. (0)

Anonymous Coward | about a year and a half ago | (#40888867)

Are you suggesting that Indian tech support staff are deaf? Just use fewer symbols and you'll be fine. Stop defending your ignorance or inability to solve very simple problems, moron.

Re:My answers.. (0)

Anonymous Coward | about a year and a half ago | (#40888519)

No, you are the one who is just a moron.
I can have passwords equally as complex as those, but they follow rules in typing them out.

3rae1apl4lpy1tlh5ees9usc3kus1ocd4akm1nsm5u9ch
There are 3 separate strings in there. See if you can find them.
I could add more if I wanted to, but it would be pointless, since I would be better off just writing a sentence with a number (or numbers) as a spacer, and it would outlive the known universe for the next centuries' worth of computational evolution.

Re:My answers.. (1)

michelcolman (1208008) | about a year and a half ago | (#40888869)

2tyh7eor1eui8sfn2ooy8bre1tgw8eoe2ntt8hae4aln5des9utc0kt4e5r

So it looks like it was not so easy to type after all, or was it an intentional error?

By the way, I once filed a bug report with Apple because they had disabled cursor navigation in password fields, making schemes like yours very difficult. I got a "behaves correctly" reply, but a few system updates later they seemed to have changed their minds and reenabled it.

Re:My answers.. (1)

cjjjer (530715) | about a year and a half ago | (#40888953)

While upgrading some client software to implement one-way hashed/salted passwords, I came across this password while I was showing why the users of the system were vulnerable to simple brute force attacks.

"9the8quick7brown6fox5jumps4over3the2lazy1dog"

This one was by far the strongest in the data; the weakest was "god" (there were actually no "password" passwords).

Re:My answers.. (0)

Anonymous Coward | about a year and a half ago | (#40888445)

Thanks.

If you would be so kind to also provide your usernames for the various online services that you're using, it would be greatly appreciated.

Trust No One (1)

Anonymous Coward | about a year and a half ago | (#40888405)

Well you gave Apple permission to do all that stuff, and then they turned out to be untrustworthy, which shouldn't have been a surprise. You work for Gizmodo, surely you should have known about all the ways in which Apple has been incompetent and/or stupid in the past regarding security.

Nope, no sympathy here.

And this is why... (0)

Anonymous Coward | about a year and a half ago | (#40888425)

...I demand that all employees only use official company communication services for company-related communications.
If you forget your password, ask your system admin, who knows your face, for help.

For personal data (which I don't care about), I suggest you do not put it into the "trusting" hands of corporations.
You have been warned.

Your friendly neighborhood,
BOFH

The problem is... (1)

ilsaloving (1534307) | about a year and a half ago | (#40888469)

You cannot stop a successful social engineering attack. Technology cannot solve a problem like this. Only a change in policy can.

Re:The problem is... (0)

MacGyver2210 (1053110) | about a year and a half ago | (#40888533)

Not using services where you can call at all would be a good start. Like, I don't know, hosting your own servers for your multimillion dollar tech site instead of using Apple nonsense?

Re:The problem is... (0)

Anonymous Coward | about a year and a half ago | (#40888545)

Well, a policy change on Apple's end could stop it, yes.

A policy change on the user's end could've prevented it from escalating.

Such as: Don't put all your eggs in one basket.
Yes, in this day and age single sign on is all the rage (because it means people like google or facebook can get all of your information easily), but don't.
Just don't.

We're all at fault for allowing ourselves to trust web services.

PFFT, iCloud (0)

MacGyver2210 (1053110) | about a year and a half ago | (#40888523)

Seems about right. For someone who purports to be in touch with tech and security trends, that guy is kind of fail. If you know what you're doing, iCloud, and anything involving iLife or .mac is NOT the right answer.

Oh for the love of... EDITORS, please EDIT! (5, Informative)

wonkey_monkey (2592601) | about a year and a half ago | (#40888595)

Yesterday a hacker gained access to Mat Honans...

Let me introduce you to Mr Apostrophe [wikipedia.org].

(An editor at gizmodo)

(an editor at Gizmodo)

allowing him... He was also able...

No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)

apple iCloud account... google and twitter accounts... apple customer support

Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.

down to a brute force attack, however today it has come out

A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.

Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.

Re:Oh for the love of... EDITORS, please EDIT! (-1)

Robadob (1800074) | about a year and a half ago | (#40888667)

As far as I can tell, the editor only adjusted the title from what I submitted. Sorry if my failure to grammar correctly offended you.

Re:Oh for the love of... EDITORS, please EDIT! (-1, Troll)

Robadob (1800074) | about a year and a half ago | (#40888675)

Editor also added hyperlinks to the body of the submission too.

Re:Oh for the love of... EDITORS, please EDIT! (1)

Anonymous Coward | about a year and a half ago | (#40888923)

The offense is not meant at you. It's at the editors not doing their job.

those phreaks (-1)

Anonymous Coward | about a year and a half ago | (#40888609)

are hacking our telephone lines!!

Gizmodo (-1)

Anonymous Coward | about a year and a half ago | (#40888713)

Internet assholes.

Such resets SHOULD be possible, but HARD (5, Insightful)

davidwr (791652) | about a year and a half ago | (#40888733)

My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.

Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product warranty registration information, etc.," or,

"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your driver's license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."

That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
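The two-channel reset sketched above, modelled as an added example (not the poster's code and not Apple's actual process): the temporary password is split in two, each half goes out over a different channel, and it can only be redeemed once, within a window, and after a photo-ID check. The SplitRecovery class, the confirm_identity step and the 48-hour window are assumptions.

```python
import hmac
import secrets
import time

TTL_SECONDS = 48 * 3600  # assumed validity window for the temporary password


class SplitRecovery:
    """Hypothetical model of a high-friction account reset (added example)."""

    def __init__(self):
        self.pending = {}  # account -> state of its one outstanding reset

    def issue(self, account, now=None):
        """Create a one-time temporary password and return its two halves.
        The caller routes them over separate channels (phone and fax/post)."""
        now = time.time() if now is None else now
        temp = secrets.token_hex(8)  # 16 hex chars, 64 bits of entropy
        half = len(temp) // 2
        self.pending[account] = {
            "temp": temp,
            "expires": now + TTL_SECONDS,
            "id_verified": False,
        }
        return temp[:half], temp[half:]

    def confirm_identity(self, account, verifier_id):
        """Record that a store employee or notary checked the photo ID."""
        rec = self.pending.get(account)
        if rec is None:
            return False
        rec["id_verified"] = True
        rec["verifier"] = verifier_id
        return True

    def redeem(self, account, presented, now=None):
        """Accept the reset only if both halves are correct, the ID was
        checked and the window has not expired; success consumes the record."""
        now = time.time() if now is None else now
        rec = self.pending.get(account)
        if rec is None:
            return False
        if now > rec["expires"]:
            del self.pending[account]  # expired: force a fresh request
            return False
        if not rec["id_verified"]:
            return False  # half over the phone alone is never enough
        ok = hmac.compare_digest(rec["temp"], presented)  # constant-time
        if ok:
            del self.pending[account]  # one-time use
        return ok
```

An attacker holding only the phone half, or both halves without the in-person check, gets nothing, which is the "commit more crimes along the way" property the post describes.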

Two step authorization (0)

Anonymous Coward | about a year and a half ago | (#40888743)

I wonder if Mat Honan had enabled the two-step authorization steps for his Google account. A stolen cell phone would make that useless, but at least it would offer another hurdle for a hacker to jump over.

And by coincidence. (0)

Anonymous Coward | about a year and a half ago | (#40888789)

The fact that the Apple account happened to be owned by a Gizmodo editor was just a coincidence. I'm sure Gizmodo wouldn't benefit from the increased traffic and this story isn't just a continuation of their suspected anti-Apple bias.

Gizmodo are assholes anyway (0)

Anonymous Coward | about a year and a half ago | (#40888809)

I don't have any sympathy for one of Gizmodo's shitty, asshole writers. Especially when every compromise other than iCloud is his own fault.

It is sad that it's still this easy to social engineer your way into an account for which you have absolutely no proof of ownership.

sounds personal (1)

milkmage (795746) | about a year and a half ago | (#40888897)

The sheer destructiveness/maliciousness of this attack makes it sound very personal (either something against the user or Gizmodo - the compromise gave access to Gizmodo's Twitter feed).

You can't execute a social engineering attack without knowing something about the user.... Some random attacker might have been able to get enough info from his past blog posts to launch the attack, but this smells more personal. Apple uses out-of-wallet info for their security questions - the whole point of OOO is asking questions that ONLY the user (or someone close to them) would know.

I got asked OOO by my bank.. some of the questions:
1) Who is related to you (list of 4 names - none match)
2) What city have you visited before (list of 4 cities - one match)

You don't have this kind of info unless you know me.

Friends (0)

Anonymous Coward | about a year and a half ago | (#40888899)

Must be nice to have friends at Google and Twitter to get around the massive communication blocks that are normally put up. If this were to happen to us mortals, what could we have done? If we were not online writers with a reputation, would AppleCare have done anything in response to our emails? This reminds me of when Senator Kennedy found his name on the no-fly list, and he just called up Tom Ridge (three times).

Remote wipe? (1)

TCM (130219) | about a year and a half ago | (#40888903)

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

And no backups because the "Cloud" is the backup, right? HAHAHAHA. This is beyond stupid. Seriously.

If the best Apple can come up with against device theft is the ability to remotely wipe them, then their customer base deserves everything they get. Personal responsibility needs to be burned into those morons with pain. Lots of pain. Maybe then they'll pay attention to what the fuck they are doing.

No pity for this fool.
