
Australian iPhone and iPad Users Waylaid By Ransomware

timothy posted about 5 months ago | from the beware-the-jabberwock-my-son dept.

Australia 52

DavidGilbert99 (2607235) writes "Multiple iPhone/iPad/Mac users in Australia are reporting their devices being remotely locked and a ransom demand being made to get them unlocked again. However, unlike PC ransomware, the vector of attack here seems to be Apple's iCloud service with the attacker getting to a database of username/password credentials associated with the accounts. It is unclear if the database was one of Apple's or the hacker is simply using the fact that people reuse the same password for multiple accounts and is using data stolen from another source. Apple is yet to respond, but there has already been one report of the issue affecting a user in the UK."


My heart bleeds for them. (-1)

jaeztheangel (2644535) | about 5 months ago | (#47098617)

Apple is built on older versions of OpenSSL - this looks like it might be because they weren't quick enough to adapt, and someone snuck in under the radar. Let's hope they get it sorted quickly!

Re:My heart bleeds for them. (4, Informative)

Anonymous Coward | about 5 months ago | (#47098695)

Where do you get such misinformation? Apple deprecated the use of OpenSSL [appleinsider.com] when it deprecated CDSA back in 2011 for OS X in favor of Common Crypto. At the time there were some mumblings about how Apple didn't like standards. And Apple has never used OpenSSL in iOS.

. . . although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS.

Re:My heart bleeds for them. (5, Insightful)

sribe (304414) | about 5 months ago | (#47098781)

Apple is built on older versions of OpenSSL - this looks like it might be because they weren't quick enough to adapt, and someone snuck in under the radar. Let's hope they get it sorted quickly!

Apple deprecated the use of OpenSSL in 2011, and the version shipped with OS X was never updated to the versions which introduced Heartbleed. Strike 1!

OpenSSL has never been used in iOS. Strike 2!

Apple also was not using affected versions in any of its online/cloud services. Strike 3!

You're out! Your post was ridiculously bad even by /. standards!

Re:My heart bleeds for them. (1, Insightful)

Anonymous Coward | about 5 months ago | (#47098935)

And iOS Users in Australia are so much better off for it!

Oh wait,,,.

Re:My heart bleeds for them. (3, Insightful)

UnknowingFool (672806) | about 5 months ago | (#47099119)

What does this have to do with Apple using or not using OpenSSL? Right now the source of the attack is unknown but speculation is that people reuse their username (email) and passwords from other sites that have been compromised. So if someone has a list of yahoo credentials from heartbleed they might be able to take over someone's Apple account regardless if Apple used or did not use OpenSSL.

Re:My heart bleeds for them. (1)

Noah Haders (3621429) | about 5 months ago | (#47099801)

I think the most important thing here is to not reuse your passwords. Otherwise breaches at one site can spill over into breaches at more important sites (like for your iPhone, or your bank). The best thing to do is to have an easy approach to remember, so you end up with passwords like slashdotsucks666 and yahoosucks666.

Re:My heart bleeds for them. (3, Interesting)

tlhIngan (30335) | about 5 months ago | (#47100131)

What does this have to do with Apple using or not using OpenSSL? Right now the source of the attack is unknown but speculation is that people reuse their username (email) and passwords from other sites that have been compromised. So if someone has a list of yahoo credentials from heartbleed they might be able to take over someone's Apple account regardless if Apple used or did not use OpenSSL.

Hell, it could very well be a phishing attack - a couple of months ago I've been getting a ton of "Apple ID confirmation" and other crap email asking you to "verify" your Apple ID with Apple.

It's slowed down or gone now, but that could also very well be the problem. (Yes, those phishes were pretty obvious, but some were quite good).

Heck, I've gotten them in FRENCH, too. That one was interesting. (In Canada, the typical standard is one email in both English and French, but this was French only).

I wouldn't be surprised if this wasn't the result of said phishing attack.

Re: My heart bleeds for them. (1)

thorist (1859732) | about 5 months ago | (#47101069)

I fairly recently got a message on some Safari page (probably from an ad) that an app I didn't have needed to update. Maybe that's what happened?

Re:My heart bleeds for them. (0)

Anonymous Coward | about 5 months ago | (#47100249)

NOT.
If they were stupid enough to entrust somebody else with the power to lock them out of their devices then they deserve it.

Login to /. Get "Untrusted Connection" w/ Mozilla? (0, Informative)

Anonymous Coward | about 5 months ago | (#47098637)

Is anybody else getting this, or is it discussed elsewhere? When I try to login via Chrome I get a screen with "The site's security certificate has expired!", and a similar message w/ Mozilla (26.0). This is on Windows 7 (hey, my work machine). IIRC I've been getting this since the end of last week, and nothing in my setup has changed.

Re:Login to /. Get "Untrusted Connection" w/ Mozil (1)

thaylin (555395) | about 5 months ago | (#47098991)

The cert was showing expired, and now it seems to be redirecting https to http

Re:Login to /. Get "Untrusted Connection" w/ Mozil (0)

Anonymous Coward | about 5 months ago | (#47099015)

Looks like slashdot just replaced their certificate, maybe they only replaced it after expiry.

The cert I see was issued on May 27 2014 0:00:00 AM GMT.

SHA1 fingerprint 74:41:40:02:D6:79:4B:C2:9D:5C:B4:1A:7F:1A:B9:C6:8C:4B:79:C5

MD5 fingerprint 1E:D3:F7:70:37:CB:BE:D3:8E:66:92:59:50:A3:37:F1

Re:Login to /. Get "Untrusted Connection" w/ Mozil (0)

Anonymous Coward | about 5 months ago | (#47099255)

Thanks. At least I know that I'm not going crazy (or at least this issue isn't evidence of it). I'm glad you mentioned when it was renewed. I feel a little sheepish but both browsers had been open since yesterday. Close and re-open of the browser fixed it, but I know that wasn't the case the last few days.

Re:Login to /. Get "Untrusted Connection" w/ Mozil (0)

ebno-10db (1459097) | about 5 months ago | (#47099283)

Need more coffee. Since I fixed it, why did I post the PP as AC?

Slashdotters waylaid by Betaware! (0)

Anonymous Coward | about 5 months ago | (#47098643)

Oh, the humanity!

MITM attack (2)

johnjones (14274) | about 5 months ago | (#47098649)

seems like they might have been a target of MITM attack

personally I would advocate support for DANE in Apple products:

http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities


not a total solution but it would help

regards

John Jones

Re:MITM attack (5, Informative)

Anonymous Coward | about 5 months ago | (#47098743)

It's not a MITM attack, but rather the hackers are exploiting a vulnerability in iCloud. Then, using the "Find Device" option they block the phone and demand a 100 euro ransom to unlock them, which the user must pay via PayPal. If the user had enabled two-step authentication they could re-gain control of the phone, otherwise they would be forced to pay the ransom. Full article from the Sydney Morning Herald: http://www.smh.com.au/digital-life/consumer-security/australian-apple-idevices-hijacked-held-to-ransom-20140527-zrpbj.html

Re:MITM attack (0)

Anonymous Coward | about 6 months ago | (#47105225)

if by "vulnerability in iCloud" you mean "possibly a vulnerability" vs. "likely abuse of iCloud functionality via password reuse via info gleaned from Adobe, eBay and other recent high profile hacks involving hundreds of millions of accounts"

Nice font (2)

jones_supa (887896) | about 5 months ago | (#47098653)

The article font in the IBTimes website is really pleasing to read, because it has enough weight. Thin characters on many websites make my eyes bleed.

It's you (1, Insightful)

ArchieBunker (132337) | about 5 months ago | (#47099337)

Looks fine from here. X11 and web browsers have had ugly fonts forever. Even today the default fonts still look like something CDE vomited up.

Re:It's you (1)

jones_supa (887896) | about 5 months ago | (#47099447)

It's you. Looks fine from here.

What? I said that it is pleasing to read.

Re:It's you (0)

Anonymous Coward | about 5 months ago | (#47100115)

Ooops misread your comment. Well that troll comment backfired.

Re:Nice font (1)

AmiMoJo (196126) | about 5 months ago | (#47100547)

On the other hand, fuck them for overriding my font choices. Some decorative font use is fine, but the bulk of the article should always be in "sans-serif" or "serif".

How do they get the Money? (3, Insightful)

wisnoskij (1206448) | about 5 months ago | (#47098673)

Wouldn't the FBI/other put a trace on the account and prevent the criminals from withdrawing without revealing themselves, within a day or two?

It is not like the message is: "Leave 10,000 dollars under the bridge, and come alone or your data gets it."

Re:How do they get the Money? (0)

Anonymous Coward | about 5 months ago | (#47098755)

Wouldn't the FBI/other put a trace on the account and prevent the criminals from withdrawing without revealing themselves, within a day or two?

It is not like the message is: "Leave 10,000 dollars under the bridge, and come alone or your data gets it."

Ironically, this is where thieves could use bitcoin, if they trusted it enough to not get hacked.

Re:How do they get the Money? (2)

Registered Coward v2 (447531) | about 5 months ago | (#47098797)

Wouldn't the FBI/other put a trace on the account and prevent the criminals from withdrawing without revealing themselves, within a day or two?

It is not like the message is: "Leave 10,000 dollars under the bridge, and come alone or your data gets it."

That, and PayPal also says the account doesn't exist. Then again, just because they are smart enough to hack the Apple servers doesn't mean they aren't stupid in other ways; or maybe are arrogant enough to feel they are untouchable?

Re:How do they get the Money? (3, Interesting)

Sockatume (732728) | about 5 months ago | (#47099173)

Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual PayPal account they could extract money from until they were sure it worked?

Re:How do they get the Money? (1)

Registered Coward v2 (447531) | about 5 months ago | (#47099747)

Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual PayPal account they could extract money from until they were sure it worked?

Possibly. Problem is now that they know it works how do they let people know where to pay; plus PayPal is unlikely to allow payment so they need to find another untraceable way to collect cash and notify their victims before Apple does a fix.

Re:How do they get the Money? (1)

Registered Coward v2 (447531) | about 5 months ago | (#47099763)

Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual PayPal account they could extract money from until they were sure it worked?

Sorry about two replies. This could all be a eats for some more involved attack beyond simple locks and they don't care about the locked devices or payment.

good spirits waylaid by wmd on credit cabals (-1)

Anonymous Coward | about 5 months ago | (#47098705)

Oh, Great Spirit,
whose voice I hear in the winds
and whose breath gives life to all the world, hear me.
I am small and weak.
I need your strength and wisdom.

Let me walk in beauty and make my eyes
ever behold the red and purple sunset.
Make my hands respect the things you have made
and my ears sharp to hear your voice.
Make me wise so that I may understand
the things you have taught my people.
Let me learn the lessons you have hidden
in every leaf and rock.

I seek strength, not to be superior to my brother,
but to fight my greatest enemy - myself.
Make me always ready to come to you
with clean hands and straight eyes,
so when life fades, as the fading sunset,
my spirit will come to you
without shame.

Oblig (0)

Anonymous Coward | about 5 months ago | (#47098745)

Password Reuse [xkcd.com]

And this is why I don't backup to iCloud (0)

Anonymous Coward | about 5 months ago | (#47098773)

Over the years I've turned on more and more iCloud features on my iOS devices but I've yet to turn on Backups and never will.

I backup to my mac at home. So if someone ever gets my password they can remote wipe my phone if they want but then I'll just restore from my manual backup and change my password.

This is also why I won't turn on Find My Mac. The same people that might gain access to my account could easily wipe my phone and my Mac at the same time and then I'm screwed (although not really since I also have 2 biweekly on-site backups and constant off-site backups but you get my point).

Basic security measures? (2)

hcs_$reboot (1536101) | about 5 months ago | (#47098787)

If you happen to tap your Apple ID / password in a subway, in a crowded place or under a surveillance camera, and someone can see it, your account is not blocked, it's hijacked... and you know nothing about it! Thanks to iCloud, where is my i* and the like, that someone may see your personal data, where you are at this very moment, and where you go usually etc... As long as he doesn't alter your data, you don't know. It's been a recurring problem with Apple IDs. Google gmail shows a list of recent activity with IP addresses, and warns immediately about suspicious activity, like a connection from a far/different IP. http://www.forbes.com/sites/adriankingsleyhughes/2012/08/04/the-dangerous-side-of-apples-icloud/ [forbes.com].

Re:Basic security measures? (0)

Anonymous Coward | about 5 months ago | (#47098923)

>> Google gmail shows a list of recent activity with IP addresses, and warns immediately about suspicious activity, like a connection from a far/different IP.

Do you have to set that up? I have never seen it.

Re:Basic security measures? (3)

hcs_$reboot (1536101) | about 5 months ago | (#47099043)

Gmail, bottom, right, "recent activity", Details.

Re:Basic security measures? (4, Interesting)

Sockatume (732728) | about 5 months ago | (#47099151)

Apple do have two-factor authentication these days. If you have that enabled, anyone attempting to log on to your account has to have access to one of your devices or one of your fall-back accounts. Frankly, that should be turned on by default.

My new rule of thumb is that anything I don't have protected by two-factor is something I can afford to lose access to. That's not to say that two-factor is a panacea - it's very easy to set it up so it's useless by, for example, giving a less-secure email address as a fall-back - but it's the minimum for anything I care about.

Re:Basic security measures? (2)

ducomputergeek (595742) | about 5 months ago | (#47100681)

Until it becomes a hassle. Example, I just got a new phone last week and didn't have a chance to update my google authenticator app to the new device. It was a vacation so the computer stayed at home. I ordered tickets online and went to print at the hotel only to realize I couldn't access my gmail account to print. I was still able to go to Will Call to pick up the tickets, but it still meant waiting in line for 15 minutes, something we had hoped to skip by purchasing online.

Re:Basic security measures? (0)

Anonymous Coward | about 5 months ago | (#47101303)

I avoid anything that requires two-factor identification. I don't want them to know my phone number, one of the most unique things about me. From it I'm easily tracked and not just from my actions. Anyone with my number who shares their contact list allows the company to instantly generate many different types of social graphs based on the fact that they know we're related in some way.

Re:Basic security measures? (1)

kwark (512736) | about 5 months ago | (#47102441)

Then I have good news for you: not all 2 factor auths need phone numbers. Don't know what Apple uses/requires though.

I propose the Klingon solution... (0)

Anonymous Coward | about 5 months ago | (#47098907)

"...FIND HIM AND KILL HIM!"

[Star Trek: DS9, "Take Me Out To The Holosuite"]

if the phone is locked ... (1)

Sterculius (1675612) | about 5 months ago | (#47098925)

If the phone is locked, one wonders how they contact the owner to tell them their locked phone is being held for ransom.

Re:if the phone is locked ... (1)

thaylin (555395) | about 5 months ago | (#47099023)

By the email address tied to the account?

Re:if the phone is locked ... (3, Funny)

Sterculius (1675612) | about 5 months ago | (#47099081)

That assumes that iPhone users know how to access email without their phone.

Re:if the phone is locked ... (1)

Sockatume (732728) | about 5 months ago | (#47099117)

The same way they locked the phone: Find My iPhone lets you display a message on the device, along the lines of "Please return me to the front desk" or "Call me on *othernumber*".

Re:if the phone is locked ... (1)

Sterculius (1675612) | about 5 months ago | (#47099237)

That is a reasonable explanation. Kind of sad when we live in a society where phones can be kidnapped. I hope they don't start kidnapping my Taco Bell orders before I can get to the window.

Re:if the phone is locked ... (0)

Anonymous Coward | about 5 months ago | (#47101329)

No, but they'll start locking your car when those car thief prevention services become more popular (or legally mandated) and this type of attack is only going to happen more often as governments are thinking about requiring all phones to be brickable.

Skin That Bastard (0)

Anonymous Coward | about 5 months ago | (#47099311)

I hope someone hangs that asshole by his tiny balls.

Vuln’s work both ways (1)

Aaden42 (198257) | about 5 months ago | (#47099345)

I’ll bet you my iCloud password, it’s a re-wrap of this:

http://soylentnews.org/article... [soylentnews.org]

If you can MitM a “consenting” user to unbrick a stolen phone, I can’t see any reason it doesn’t work the other way around.

Re:Vuln’s work both ways (1)

ruir (2709173) | about 5 months ago | (#47100515)

It is not that easy. For this variant to work, either an ISP operator has to be running an old/vulnerable DNS service, or the attacker has to poison the local network/DNS. The easiest way of all is being in the same network as the victim, and even so, some newer infrastructure allows you to block intra-client talk, which pretty much invalidates this kind of protocol attack. Nevertheless, this scheme works IF the victims have their host files in their Windows machines modified by some malware so much more easily. To finish this, I believe much more that accounts of stupid users that use the same combo email/password at all sites were compromised, than the use of more sophisticated attacks.

Irony, thy name is Apple (1)

Anonymous Coward | about 5 months ago | (#47099441)

Isn't Apple's "walled garden" itself a form of ransomware?

Oleg Pliss (0)

Anonymous Coward | about 5 months ago | (#47099533)

Oleg Pliss Stahp!
