
Apple Support Allowed Hacker Access to Reporter's iCloud Account - antr
http://www.macrumors.com/2012/08/05/apple-support-allowed-hacker-access-to-reporters-icloud-account/
======
steve8918
It seems logical that the easiest attack vector for any type of cloud storage
is through social engineering. You're essentially protecting potentially
valuable or incriminating data behind millions of dollars worth of firewalls,
encryption and other technology... or a customer service representative paid
$10-15/hr, if that.

Depending on how valuable the data is to you, it might be easier to just pay
off a CSR, and then fake a phone call where you pretend to convince that CSR
that you are that person. The person will get fired, but probably won't go to
jail unless they can prove collusion. And then they can either find a new job,
or depending on which country the person is living in, they can live nicely
off of the money for a while.

I'm not sure how to solve this problem, except by having highly paid and
specially trained CSRs that do the account resetting, or by never allowing
resetting ever, and if you forget your password and your security questions,
you're SOL.

I have to admit this only makes me more leery of putting anything on cloud
storage, although my own personal data is pretty useless to anyone, which is
my only saving grace. Others who are more important might need to think twice
about relying on these types of services.

~~~
thaumaturgy
I'll confess, I honestly didn't even consider the possibility that the hacker
just social-engineered Apple support. I mean, Mitnick wrote an entire book
about that kind of stuff, and the whole HBGary thing went down in sort of the
same way, but ... still, to be able to call up the support department of a
major technology (!) company, in 2012, pretending to be someone else and get
access to their account that way? Apple didn't send a text message to his
number-on-file? They didn't try a callback? Were there any challenge-response
questions at all?

That's absurd.

This should make every iCloud user reeeeeaally nervous.

~~~
Tloewald
On the positive side, perhaps the publicity will cause Apple to tighten up.
They have demonstrated that they are serious about security.

~~~
reinhardt
I don't know, I have mixed feelings about this. It's akin to building even
more inscrutable captchas or tightening up airport security measures every
time a new breach happens. At best it might close one particular loophole, but
at what cost and inconvenience to millions of people and billions of
transactions?

I had the misfortune to lock myself out of my bank account once or twice and
the process for unlocking it was so dreadful (a 30-minute interrogation with
questions like "when and where did I make my last ATM transaction") that since
then I keep the required sensitive info in a GPG encrypted file so that I
never have to call them again. Other equally frustrated but less tech savvy
customers are probably doing the same with post-it notes. Is this an
improvement?

~~~
orbitingpluto
I was out of town and went to make a large cash purchase. (The retailer added
a very hefty 10% for using debit or credit cards.) So I ran into the problem
of a daily cash withdrawal limit at the ATM. I also did not have anything with me
other than an ATM card and a credit card (no ID). Turned out the bank
didn't even ask for my ID when I went in. I just explained my situation and
they just handed over a couple thousand...

Security at the bank seems discretionary at best.

~~~
rogerbinns
> Security at the bank seems discretionary at best

No, it is a cost benefit decision. Do you know they don't check the signature
on cheques or credit card transactions? Heck I bet if you mail in a change of
address they will go ahead and do it, possibly sending something to your old
address.

The reality is that fraud is at low levels compared to legitimate
transactions. Putting in lots of extra hoops just makes the legitimate
transactions harder, and chances are it won't affect those trying to commit
fraud since they have a wide variety of things to try while tellers don't (e.g.
fake ID in this case).

In this specific case, anyone coming into the branch is on security cameras
inside and out. TV shows, the Internet and technology make it increasingly
easier to match up the footage with real people. And the bank doesn't bear the
full costs of any investigation since they are passed off to the police/FBI.

If you ran the bank would you add a dollar in expenses and one minute per
transaction that has a 10% chance of catching fraud, and fraud occurs one in
every 25,000 transactions? Would you have the same measures in every branch
across the country or have their expense and severity proportional to the
amount of fraud that does actually happen at any location?

Despite what we see in films and TV shows, bank robbery is a pitiful way to not
make money:

[http://www.thefiscaltimes.com/Articles/2012/06/11/Why-Robbin...](http://www.thefiscaltimes.com/Articles/2012/06/11/Why-Robbing-Banks-Really-Doesnt-Pay.aspx)

[http://crimeblog.dallasnews.com/2009/04/new-bank-robbery-sta...](http://crimeblog.dallasnews.com/2009/04/new-bank-robbery-stats-show-lu.html/)

~~~
orbitingpluto
I totally agree with you but on two points:

1) Cost benefit analysis and discretionary security is not mutually exclusive.
It's cost benefit analysis ergo discretionary security.

2) Crime pays. You just have to be sophisticated and powerful enough to not be
indicted. (TARP?)

The interesting thing about your comment is when you apply your logic towards
combating terrorism. The cumulative harm of prevention of terrorism outweighs
the damage and death caused by the terrorism itself. The 'cost-benefit
analysis' must take into account the 'positive' externalities for those who
advocate those policies.

~~~
rogerbinns
On 1) that is what I meant. The level of security measures is proportional to
the risks, and a realisation that every measure costs time and money.

For 2) white collar crime certainly has shorter prison sentences in the US. It
is a little harder to apportion blame as directly as with a bank robber. The
general cause of problems has been the US government bailing out creditors.
Because of that creditors have been laxer in their standards, had lower
oversight and a greater tolerance for risk. This is virtually US government
policy and has been going on since the 1984 rescue of the creditors of
Continental Illinois. Ultimately fixing this involves fixing the US government
and the corruption of Congress - see Lawrence Lessig's talk about how they
operate around money - and smaller things like regulatory capture.

The response to 9/11 has been to massively amplify the original effects,
giving a huge return on investment to Al-Qaeda. In the positive column has
been some of the security theatre - the appearance of improved security will
be reassuring to some people. But everything else has been negative - the
government expenditures, making new enemies in Iraq and Afghanistan, the loss
of freedom for Americans, the massive invasive spying on Americans, the use of
"terrorism" as an excuse for inexcusable things, the loss of American prestige
(Guantanamo Bay isn't good PR), the additional friction on American life in
both time and money (try taking a flight) and the list goes on.

I don't want to belittle 9/11, but the same number of people die each and
every single month on American roads. It happened that same month, and every
month since.

IMHO it would be a far better remembrance to the victims if we said "fuck you"
to the perpetrators and lived free and open lives despite them, rather than
the crippling effects that did happen.

~~~
xenophanes
Some of the people dying on roads are suicides.

Very few are murders. Murders and accidents are not the same thing and not
equally bad.

One difference: if you don't do anything about accidents, the rate stays the
same. If you don't do anything about murder and just let it happen, the rate
goes up as more people realize they can get away with it and serial killers or
terrorists get more bold.

------
tambourine_man
The thought hadn't crossed my mind, but after reading this post it got me
thinking:

 _Sensa_

 _So, let's get this straight...a hacker "decides" to hack the account of a
semi-high profile tech guy and then after committing several serious crimes
like fraud that could land him in jail for an extended period of time
repeatedly contacts the person he hacked when he must know that Apple will
surely pursue this matter?_

 _I smell a rat..._

[http://forums.macrumors.com/showthread.php?p=15405091#post15...](http://forums.macrumors.com/showthread.php?p=15405091#post15405091)

~~~
mapgrep
What are you even alleging? What is the rat?

~~~
tambourine_man
I'm not alleging, I'm quoting a comment from MacRumors that got my attention.

The fact that a hacker would repeatedly contact his victim and that Gizmodo
has reasons for not being particularly fond of Apple (after the lost iPhone
incident) was not something I had thought of at first, but it did strike me as
odd.

~~~
mapgrep
Honan no longer works at Gizmodo. It says so right in the OP, along with the
name of his new employer. So... ??

You say that post "got you thinking." Got you thinking what?

------
emergencynap
One of the main issues with the Apple ID is ease of use vs security. Tying
the remote wipe functionality to the ability to purchase low-cost content
(the primary use case for the Apple ID) is always going to have one group of
users unhappy.

I frequently want to quickly purchase a song on my iPhone. I also frequently
tell my friends my password so they can do the same. How many of you have
typed your Apple ID password on your Apple TV with others watching? I wouldn't
really ask my friends to exit the room to type in a super secure and long
password with many characters groups (one that should be required for remote
wipe functionality).

How many users keep their password secure knowing the main place they enter it
is on their iOS device? For the many every day Apple users I know, they set
their passwords to something easy so they don't have to hit their keyboard too
many times when entering them.

If Apple can separate the two authentication functions as they do with OS X
and FileVault it would go a long way to preventing these types of rare but
high impact events. Another suggestion would be to separate the remote wipe
into two phases, erasing the keys and cleaning up the data. The initialization
vectors (seed) do present a bit of a problem but I think the FileVault
solution is more than adequate. If the encryption keys and the key escrow
system is cleared remotely, that would leave me comfortable that my data is
still secure. If we really trust our crypto algorithms, then erasing data and
removing the encryption keys should really be no different. Users that do not
have iOS data protection and OS X FileVault turned on, cannot be considered
any level of secure anyway. And even with that data protection turned on,
there are still many issues due to each app needing to implement security
properly. It would be really great to see Apple improve their App Store to
really audit the security of each application more than they do today.

Most of the work lies with Apple but it is a hard problem that will take time.
I think Apple is going in the right direction by centralizing on iCloud rather
than the PC as the central hub. This will give them a lot more flexibility and
agility to move quicker and deliver secure results to the masses.
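
The two-phase wipe described above (erase the keys first, clean up the data later), as an added example that is not part of the original comment or of Apple's implementation. The data key exists only in wrapped form: once under the user's passcode and once under an escrow secret, the same idea as a FileVault recovery key. Phase one zeroises both wrapped copies and is instant; the ciphertext stays on disk but nothing can unlock it. The stream cipher built from SHA-256 in counter mode and the pad-XOR key wrap are assumptions for illustration only (a real volume uses AES); every other name here is made up for the example.

```python
import hashlib
import hmac
import os
import secrets

KEY_LEN = 32  # bytes; SHA-256 output size


def _keystream(key, nonce, length):
    """Toy counter-mode keystream built from SHA-256. Assumption for this
    example only: a real volume uses AES-XTS or similar, not a hash stream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(secret, salt):
    """Key-encryption key from a passcode or escrow secret (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 20_000, dklen=KEY_LEN)


def wrap(data_key, kek):
    """Wrap the data key under a KEK: pad-XOR plus an HMAC tag, so a zeroised
    or tampered blob is rejected instead of yielding a garbage key."""
    pad = hmac.new(kek, b"wrap-pad", hashlib.sha256).digest()
    body = _xor(data_key, pad)
    tag = hmac.new(kek, body, hashlib.sha256).digest()
    return body + tag


def unwrap(blob, kek):
    """Inverse of wrap(); returns None when the tag does not verify."""
    body, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(kek, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"wrap-pad", hashlib.sha256).digest()
    return _xor(body, pad)


class Volume:
    """Encrypted volume whose data key is held only in wrapped form:
    once under the user's passcode, once under an escrow secret."""

    def __init__(self, passcode, escrow_secret):
        self.salt = os.urandom(16)
        data_key = secrets.token_bytes(KEY_LEN)  # never stored in the clear
        self.wrapped_local = wrap(data_key, derive_kek(passcode, self.salt))
        self.wrapped_escrow = wrap(data_key, derive_kek(escrow_secret, self.salt))
        self.nonce = b""
        self.ciphertext = b""

    def _data_key(self, secret):
        kek = derive_kek(secret, self.salt)
        for blob in (self.wrapped_local, self.wrapped_escrow):
            data_key = unwrap(blob, kek)
            if data_key is not None:
                return data_key
        return None

    def write(self, secret, plaintext):
        data_key = self._data_key(secret)
        if data_key is None:
            raise PermissionError("no unlockable copy of the data key")
        self.nonce = os.urandom(16)  # fresh per write: never reuse a keystream
        self.ciphertext = _xor(plaintext, _keystream(data_key, self.nonce, len(plaintext)))

    def read(self, secret):
        data_key = self._data_key(secret)
        if data_key is None:
            return None
        return _xor(self.ciphertext, _keystream(data_key, self.nonce, len(self.ciphertext)))

    def fast_erase(self):
        """Phase 1 (instant): zeroise both wrapped copies of the data key.
        The ciphertext is untouched, but no secret can unlock it any more."""
        self.wrapped_local = bytes(len(self.wrapped_local))
        self.wrapped_escrow = bytes(len(self.wrapped_escrow))

    def overwrite(self):
        """Phase 2 (slow): overwrite the data blocks themselves."""
        self.ciphertext = bytes(len(self.ciphertext))
```

The point of the HMAC tag on the wrapped key is that after `fast_erase()` a read with the correct passcode fails cleanly rather than decrypting the volume under an all-zero key and handing back garbage; the per-write nonce is what addresses the initialization-vector problem the comment mentions.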

~~~
wd7
Absolutely. Forcing users to input their password each time they buy something
from iTunes, or log into iCloud in the browsers, encourages simpler passwords.
To have a single account in control of everything from buying a $1 song to
remote-wiping a computer is madness.

------
akeck
To connect or not to connect? I have been debating the advantages and
disadvantages of coupling both personal and work IT systems for some time now.
If you tie your IT systems together, you can manage them more easily and
efficiently. On the other hand, as in Mat's case, a single node failure can
cause an entire system to collapse. For another example, consider fully
automatic self-updating servers. Without safe-guards, a configuration bug can
bring them all down within minutes. At this point, I think some coupling, but
not total coupling, is best. Too little coupling won't allow enough
productivity; too much increases your risk of system-wide failure.

------
kristofferR
I hope he sues Apple for this and wins; behavior like this shouldn't be
allowed without consequences.

~~~
_delirium
From iCloud's ToS, it looks like it'd depend on whether a court finds this to
be either "failure to use reasonable skill and due care" or "gross
negligence":

 _APPLE SHALL USE REASONABLE SKILL AND DUE CARE IN PROVIDING THE SERVICE. THE
FOLLOWING LIMITATIONS DO NOT APPLY IN RESPECT OF LOSS RESULTING FROM (A)
APPLE'S FAILURE TO USE REASONABLE SKILL AND DUE CARE; (B) APPLE'S GROSS
NEGLIGENCE, WILFUL MISCONDUCT OR FRAUD; OR (C) DEATH OR PERSONAL INJURY.
[Blanket disclaimer of liability in all other cases follows.]_

I'd be curious if there is any good precedent on product liability for cloud
services.

~~~
jacques_chester
Just because a clause is in a contract, doesn't mean it has any effect.

A lot of terms are flat out bluffing to scare off folk like you.

This is why it is always a good investment to ask your lawyer.

~~~
mistercow
This is really, really important advice, and if more people understood it,
corporations would have a lot less power over people than they currently do.
You can open up just about any ToS and find a handful of unenforceable clauses
they're hoping you won't realize are unenforceable.

~~~
fl3tch
I suspect the vast majority of people never read the TOS and decide to sue, or
not, for completely independent reasons.

~~~
ams6110
In general, I'd say that if you are getting a lawyer involved, you need to
have fairly solid evidence of real loss of a value more than about $20,000,
otherwise the fees are going to eat up any award you might eventually get
(don't forget even if you get a favorable judgement the other side can appeal,
and will if they have staff lawyers who are getting a salary either way).

------
Jyaif
The remote wipe part is extremely scary. How do you disable this on your mac?

~~~
kristofferR
System Preferences - iCloud - Find My Mac (remove the checkmark)

~~~
prof_hobart
Is there any way to remove the wiping bit without removing the whole finding
functionality? That bit is extremely useful, and if a hacker managed to get
into my iCloud I wouldn't be that worried about them being able to locate it.
But being able to wipe everything as well is a different matter.

~~~
ConstantineXVI
IIRC it does the wipe via the recovery boot, so wiping that partition would
kill it.

BUT: you'd be hosed if you ever needed recovery, you wouldn't be able to use
full-disk encryption, and there's likely other bits of the OS that would break
in subtle and interesting ways without it there. Tread _very_ carefully.

~~~
ben1040
>IIRC it does the wipe via the recovery boot, so wiping that partition would
kill it.

Isn't this not an option in relatively recent Macs, which have the recovery
functionality baked into the EFI firmware and not as a partition on the disk?

Newer Macs have that functionality out of the box, and a bunch from 2010 and
early 2011 that did not originally ship with the recovery firmware ended up
getting it later via update: <http://support.apple.com/kb/HT4904>

~~~
ConstantineXVI
That's 'Internet Recovery', which is just enough to fire up WLAN and grab a
recovery image to netboot from in the event your disk is totally unreadable.
Unlikely it'd still be able to trigger a wipe this way. Recovery itself is
still its own partition (from my mid-2011 Air):

    
    
    apaulin:~/ $ diskutil list
    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *121.3 GB   disk0
       1:                        EFI                         209.7 MB   disk0s1
       2:                  Apple_HFS Macintosh HD            120.5 GB   disk0s2
       3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

------
Zenst
In all fairness to Apple and any support desk, it ain't hard to bypass a
control system where one human talks to another exchanging information that is
mostly in the public domain, or to bypass it using emotion-based social
engineering (sounding as if in a panic and your mother is in hospital, for
example). Support is human.

I helped a friend set up an account with some provider the other day and one of
the security questions was the classic choice of mother's maiden name, favourite
colour or favourite number. All of which are hardly secure, as they can be
obtained or guessed a lot more easily than most, but that's another
discussion. He wanted his favourite football player's name, so I told him to pick
mother's maiden name and use his favourite football player's name. He knows
this, and even somebody who knew his mother's maiden name would still fail
on that security check.

What could Apple do? And they will do something, I suspect. Well, they could add
voice recognition to their support call system and/or accept only preregistered
calling numbers (excluding device phone numbers, to cover losing said
device), like your office phone. But they will step up to the plate and
hopefully turn this around; any good tech company will do that (even if it is
going "oops" and "we added password salts now" - they evolve).

The whole aspect of all this that concerned me was how you can have what
you perceive as a cloud backup that can then be taken away, as well as your
copy of the data. That is a lesson for the user more than Apple though. But it
will be reassuring to find out they have a backup system, and maybe also
concerning. That is an individual's perception for them to ascertain
for themselves; everybody is different.

I might also add that the chap who initially got hacked and subsequently also
had his Twitter accounts hacked said in a tweet that he is leaving the hacked
tweets, in the same way he does not go about removing scars on his body. That shows
an insightful mindset and in many ways shows that pride was not a part of this,
and we would probably not have read about this had he been burdened by
pride. Respect has to be noted there for him stepping up and saying "this
happened" before he found out how it had been done and without knowing it was
not an act of his own doing.

------
yesimahuman
Creepy. Well, this book by Kevin Mitnick is still very relevant I guess:
[http://www.amazon.com/The-Art-Deception-Controlling-Security...](http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/0471237124)

------
shawndumas
I am confused; did the hacker guess the security questions or obviate them?

If the former it's not Apple's fault. If the latter; that's inexcusable.

~~~
riobard
Actually, it appears to me that almost 100% of "security questions" used
during support phone calls are completely insecure.

Usually they'll ask a few (2~3 is normal) questions like your full name, date
of birth, address with zipcode, email address, etc. Notice the problem with
these? All of them, I mean ALL, are PUBLIC INFORMATION THAT ANYONE WHO KNOWS
SOMETHING ABOUT YOU WILL HAVE.

This is almost as silly as credit cards, where you are supposed to give the
card number, card holder's name (not required most of the time), expiry date,
and the 3-digit PIN. Anyone who touches your card will have that information,
once and forever. Yes, ANYONE, and that includes your grocery store cashiers, your
favorite bartenders, your mobile phone billing representatives, etc. The list
could go on very, very long.

And I'm totally amazed that both systems persist as a fallback plan in this
digital world with countless attacking vectors.

~~~
shawndumas
As I've said elsewhere: "Keep in mind though; you can answer anything you
want. Use a 1password generated string for each and store the answers
redundantly. That's what I did."

~~~
riobard
Based on my experience, that's not how it works at all in practice. They will
ask for this info about your real identity as recorded in their CRM systems. I
doubt you can list your name as BLAH BLAH BLAH there and still receive your
package delivered correctly.

------
greedo
Social Engineering will usually win out as long as a person is in the loop.
It's just not feasible to expect a poorly paid CSR to be able to cope with
this type of threat.

In the end, a company has to constantly weigh the cost of strong protections
versus the risk, and what this exposure will cost them in terms of customer
goodwill as well as any civil penalties that may arise.

------
libria
Are they saying Apple sent the password reset request to a different backup
email entirely? Or that they reset the password to a _requested password_
while on the phone?

Even if someone had properly identified themselves as Mat Honan, neither of
these should be permitted.

~~~
rogerchucker
Mat posted a screenshot of his Gmail inbox which showed an email about Apple's
password reset. So I'm guessing the hackers had compromised the Gmail account
BEFORE they called up Apple tech support. Or maybe that email was just an
attempt and didn't help anyway with the actual password retrieval. I'm
confused about this...

~~~
maxerickson
The original blog post makes it quite clear that the .mac account was used to
compromise the Gmail account.

I think the screenshot is from after he regained control of the Gmail account.

~~~
rogerchucker
Oh... in that case, how can a .mac account be used to compromise a Gmail
account - using Forgot Password?

~~~
moreati
AIUI the .mac account was the backup email address of the Gmail account. So:

1. The attacker compromised the .mac account.
2. The attacker used the "I forgot my password" feature of Gmail to get an
account reset email for the Gmail account sent to the .mac account.
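
The chain in the reply above (support desk resets iCloud, iCloud is Gmail's backup address, Gmail recovers everything downstream) is a graph problem, and it is worth drawing the graph for your own accounts before an attacker does. The following is an added example, not code from the original thread or from any of the services mentioned: it models each account as a node with an edge to every account whose recovery flow it can drive, then computes the transitive blast radius of compromising any one node. The node names and edges are a constructed illustration of the situation described, not a record of Honan's real setup.

```python
from collections import deque

# Constructed example graph: an edge A -> B means "control of A lets you take
# over B", because B's recovery flow delivers to A, or A is a support channel
# that will reset B on request. Node names are illustrative, not real accounts.
RESETS = {
    "apple_support_desk": {"icloud"},     # resets on publicly findable info
    "icloud": {"gmail"},                  # the .mac address is Gmail's backup
    "gmail": {"twitter", "amazon"},       # both recover via the Gmail address
    "twitter": set(),
    "amazon": set(),
}


def reachable(graph, start):
    """Every account transitively taken over if `start` is compromised.

    Breadth-first search; handles cycles (two accounts that back each other
    up) because a visited node is never re-queued.
    """
    seen = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def blast_radius(graph):
    """Map each node to the set of accounts it transitively controls."""
    return {node: reachable(graph, node) for node in graph}


def weakest_links(graph):
    """Nodes ordered by how many other accounts they control, worst first."""
    radius = blast_radius(graph)
    return sorted(radius, key=lambda n: (-len(radius[n]), n))


def rehome_backup(graph, account, old_parent, new_parent):
    """Return a copy of the graph after moving `account`'s recovery address
    from `old_parent` to `new_parent` (e.g. a mailbox nothing else resets)."""
    new = {k: set(v) for k, v in graph.items()}
    new[old_parent].discard(account)
    new.setdefault(new_parent, set()).add(account)
    return new


if __name__ == "__main__":
    for node in weakest_links(RESETS):
        print(f"{node:20s} -> {sorted(reachable(RESETS, node))}")
```

Run stand-alone it prints the ranking; the support desk sits at the top because it is the one node that can reach every other account, which is exactly the property a phone-based reset should not have. `rehome_backup` shows the cheap fix: once Gmail's recovery address is a mailbox that nothing else resets, compromising iCloud reaches nothing downstream.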

------
MarkMc
Why isn't this part of every password-reset procedure? "We'll mail a reset
code to the postal address you gave when you created your account"

This would mean that the attacker would have to commit mail fraud, which (a)
is quite difficult; and (b) carries heavy penalties in law.

~~~
ghshephard
One problem is I have no idea what physical address Apple has for me, but I'm
sure I have moved at least three times (as many as five) since I gave them
that address.

A better solution is require a notarized physical mail in the event of
password changes for high-security accounts. Everything else just goes to your
email account.

~~~
petitmiam
I had this problem with a website from the Australian Government. I was
actually trying to login to update my address, but I didn't know the password.
For that though, I was able to visit a store front and update it after
providing ID. I guess Apple could do a similar thing.

------
epo
I don't believe that things happened as they are being presented. This is
(ex-)Gizmodo we're talking about, people who have a long standing grudge with
Apple.

In the middle of a 'major crisis' this guy finds time to type up a story, on a
computer? He can still access work machines to submit? And then the hacker is
kind enough to tell him what happened? And oddly, there is no mention of
involving the police or the FBI?

This episode is either an inside job or a complete fabrication. My prediction
is it will fall apart within the week, rather like Gizmodo's exclusive story
based on the purchase of stolen prototype equipment.

------
stephenhess
Large amounts of personal data are collected by data brokers like Intelius,
Spokeo and Whitepages - which makes this easier to pull off. It's fairly
trivial to find answers to questions like "What's your DOB?" or "What's your
billing address" by looking in one of these places. Most data brokers will
have opt-out pages where you can request removal of your data - though they
don't make it easy. There are also services that help with this: MyPrivacy
(reputation.com/myprivacy) which I work on and Safe Shepherd
(safesheperd.com).

------
jws
We frequently see articles about well connected or influential people like
reporters getting preferential support from large companies. This might be the
dark side of special response.

------
jsmcallister
Hopefully the article on Honan's experience will open some eyes and make
everyone take the security of their personal accounts more seriously. The
money in your bank is insured, your online presence is not, and there is a
huge imbalance in how consumers address security for each. Some hackers don't
want money or notoriety - they just want to watch the world burn.

------
dennisgorelik
I wonder if the attacker will be caught and end up in jail. All password
change requests like that must be carefully recorded and are probably very
traceable. Considering the public nature of this exploit, Apple might put quite
some effort into carefully investigating the incident.
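
If those support-initiated resets really are recorded, the same records make the attack pattern detectable in near real time rather than only traceable afterwards. The following is an added example, not code from the thread or from any vendor: it runs a correlation rule over a constructed, fake event log (the format, account names, timestamps and `verified=` factor names are all assumptions made for the example). The rule flags a support reset that was verified only on publicly knowable data when it is followed within an hour by a new-device login or a remote wipe on the same account.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real Apple data): one line per account event,
# "<iso-ts> key=value key=value ...". Names and times are invented.
SAMPLE_LOG = """
2012-08-03T16:33:00Z account=victim event=support_reset channel=phone verified=billing_address,card_last4
2012-08-03T16:36:12Z account=victim event=login ip=203.0.113.7 new_device=true
2012-08-03T16:52:40Z account=victim event=remote_wipe device=laptop
2012-08-03T17:10:00Z account=alice event=support_reset channel=phone verified=email_code,billing_address
2012-08-03T17:15:00Z account=alice event=login ip=198.51.100.4 new_device=true
2012-08-03T12:00:00Z account=bob event=support_reset channel=phone verified=billing_address
2012-08-03T18:30:00Z account=bob event=remote_wipe device=phone
""".strip().splitlines()

# Factors that prove possession of something the real owner controls. Billing
# address and card digits are "what anyone who knows you knows" and don't count.
POSSESSION_FACTORS = {"email_code", "sms_code", "device_prompt"}


def parse(line):
    """Parse one log line into a dict, with the timestamp as a datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_weak_reset(ev):
    """A support reset that checked nothing the caller had to possess."""
    verified = set(ev.get("verified", "").split(","))
    return ev["event"] == "support_reset" and not (verified & POSSESSION_FACTORS)


def detect(lines, window=timedelta(minutes=60)):
    """Correlate per account: a weak support reset followed within `window`
    by a new-device login (high) or a remote wipe (critical)."""
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    pending = {}   # account -> most recent weak support reset
    alerts = []
    for ev in events:
        acct = ev["account"]
        if ev["event"] == "support_reset":
            if is_weak_reset(ev):
                pending[acct] = ev
            else:
                pending.pop(acct, None)   # a properly verified reset clears the state
            continue
        reset = pending.get(acct)
        if reset is None or ev["ts"] - reset["ts"] > window:
            continue
        minutes = int((ev["ts"] - reset["ts"]).total_seconds() // 60)
        if ev["event"] == "remote_wipe":
            alerts.append({"account": acct, "severity": "critical",
                           "reason": f"remote wipe {minutes} min after weak support reset"})
        elif ev["event"] == "login" and ev.get("new_device") == "true":
            alerts.append({"account": acct, "severity": "high",
                           "reason": f"new-device login {minutes} min after weak support reset"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data only `victim` fires (a new-device login three minutes after the reset, then a wipe nineteen minutes after it); `alice` was verified with an emailed code, so her reset never enters the pending state, and `bob`'s wipe is hours outside the window. The practical value is the ordering: the high-severity login alert arrives before the wipe, which is the moment a support team could still suspend the session.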

~~~
elmuchoprez
The kid who hacked Sarah Palin's email got a year in jail. He was convicted of
"the felony of anticipatory obstruction of justice by destruction of records
and a misdemeanor of unauthorized access to a computer." [wikipedia]

The guy who hacked Honan is certainly guilty of the misdemeanor (which could
wind you up in jail) and depending on what he erased and how they want to
interpret his motives, he could be guilty of the same felony.

------
baldfat
The Sarah Palin hack was basically the same. People don't figure that what is
available online gives the answers to their questions.

------
seagreen
Can iCloud be enabled remotely? I know it _shouldn't_ be able to, but _could_
it?

------
rogerchucker
Everybody should read the account of an opposite situation with Apple tech
support and password retrieval:
[http://www.pcworld.com/businesscenter/article/260414/how_did...](http://www.pcworld.com/businesscenter/article/260414/how_did_apple_allow_hackers_to_access_icloud_account.html)

~~~
wklauss
It's a good, interesting piece, but in this case it could easily be that the
employee in Mat's case didn't follow correct procedure or was not familiar
with it (new employee?). Even if he knew the procedure for these cases there
are all kinds of possible explanations: maybe the hacker paid him, maybe
he himself is the attacker, etc...

~~~
rogerchucker
I totally agree that customer support is a very inconsistent department. I was
just hoping Apple would have stringent training for these reps to all follow
the strictest possible security checks. Who knows...

------
rogerchucker
Damn.. this is popcorn-worthy. Anti-Applites are gonna say "sue them!" and
Fanboys are gonna post a rebuttal to each of those posts.

~~~
ken
I'm sitting at home surrounded by a bunch of Apple hardware, and my first
reaction is "This is why you shouldn't use iCloud!". This is also why I
refused to connect my iOS device to an Exchange server at work (which grants
remote-wipe capability).

I don't think this is Apple versus non-Apple. I think this is everything-in-
the-cloud versus everything-local.

