How Apple let a hacker remotely wipe an iPhone, iPad, MacBook

[ThePythonicCow]

From zdnet.com, the story of how a user's data on his iPhone, iPad and Mac were lost and his accounts hacked:

On Friday, I wrote about how Gizmodo's Twitter account was hacked. It turns out that this was Apple's fault.

Let's take a step back. Over the weekend, it quickly became clear that the bigger story was how the whole thing started. First, former Gizmodo employee Mat Honan's iCloud account was hacked. The hacker then remotely wiped his iPhone, iPad, and MacBook Air, got into his Gmail account, his Twitter account, and finally Gizmodo's Twitter account.

When this came to light, I updated my article with a link to Honan's blog: Emptyage. Once Honan regained access to his iCloud account, he was able to retrace the hacker's steps through password reset emails. With this new Apple tidbit, however, it's worth looking at what Honan found:

More at How Apple let a hacker remotely wipe an iPhone, iPad, MacBook.

A couple of webpages suggesting ways to reduce one's risk to hacks such as these:

• How Not to Become Mat Honan: A Short Primer on Online Security
• Apple and Amazon Hacks: How to Minimize Your Risk

[ThePythonicCow]

Here's the original Wired.com article on this, from yesterday: How Apple and Amazon Security Flaws Led to My Epic Hacking. Good read.

CNet posted this: Apple responds to journalist's iCloud hack.

[astrid]

It seems really odd that Gizmodo writer, Mat Honan didn't have himself all backed up,
really odd.

The attack cost Honan most of his personal data (he didn’t backup the information) including family photos that may be unrecoverable.

( from this link)

http://www.pcworld.com/article/26051...your_risk.html

[Craig]

I think that no matter how secure we make our systems, communication protocols and the like the weakest link will always come back to the 'meat suit' social engineering will be the biggest concern especially if everything goes cloud like they say, personally I am scared of the cloud as being a holder of all information. How easy would it be to just stop access? If you are already in an area with patchy internet access having your life and business details on the web just chills my bones. It wouldn't take much for a hacker with moderate skill to hold businesses to ransom with data access restrictions either via simple DOS or DNS hijacking and other exploits. Most businesses would see the cloud as a $$ saver but not understand the realities of it all, why would they? they do their business well and expect the IT companies to keep their data safe, but how safe is it in the ether?

With social engineering would employees know they are divulging secret information in everyday conversation? What about facebook? It seems to be a sodium pentothal in the internet world, people feel the desire to share with the world all types of secrets, any black hat wanting to cause damage could easliy research targets using everyday free tools to gather a footprint and then attack. And there are special tools out there designed to penetrate and test networks and the list goes on. I have done some reading on ethical hacking from a prevention perspective and what is available out there is quite simply worrying.

But simple precautions like multiple passwords, changing them often, multiple email addresses, back ups and the like will help to make it harder, careful use of information, but like all things it is hard and tiresome to do, do I practice this? Not really except the multiple passwords across multiple email addresses though it does take a while to remember what password goes where!

remember what is on the internet stays on the internet, so always be careful with what you upload, and always be suspicious when using public terminals like internet cafes and the like, hardware keyloggers or micro cameras can catch a lot of details and can then be used against you,

safe internetting to you all.

[ThePythonicCow]

Posted by astrid (here)
It seems really odd that Gizmodo writer, Mat Honan didn't have himself all backed up,
really odd.

It doesn't seem so odd to me. Risk analysis, asking "what can go wrong", is not easy.

For example, one might ask "Why need I worry about backing up my data on some Apple/Amazon/Google/Microsoft/Yahoo/... website ... surely they have better backups than I could reasonably perform." And they likely do! But that left out other failure modes, such as getting your account hacked or losing access to your account or even to the web.

I suspect we are about to see a similar lack of sufficient imagination in our banking/financial/monetary system. Things could fail in sudden and dramatic ways that will cost many loss of billions, even trillions ... "who would have thought that could fail?"

Those of us who spend too much time looking for such "unexpected" failure modes know who we are ... our (former?) friends call us doomers and gloomers.

[ThePythonicCow]

Updates on the above vulnerabilities.

From http://www.wired.com/gadgetlab/2012/...ver-the-phone/

Amazon changed its customer privacy policies on Monday, closing security gaps that were exploited in the identity hacking of Wired reporter Mat Honan on Friday.

Previously, Amazon allowed people to call in and change the email address associated with an Amazon account or add a credit card number to an Amazon account as long as the caller could identify him or herself by name, email address and mailing address — three bits of personal information that are easily found online.

On Tuesday, Amazon handed down to its customer service department a policy change that no longer allows people to call in and change account settings, such as credit cards or email addresses associated with its user accounts.

From http://www.ipodnn.com/articles/12/08...devices.wiped/

On Tuesday, Apple ordered its telephone support staff to immediately cease AppleID password changes requests. The likely temporary change in procedure comes following the Wired reporter Mat Honan's identity hack over the weekend, resulting in completely deleted MacBook, iPad, iPhone, and GMail accounts as a result of an attacker tricking an AppleCare rep into resetting Honan's iCloud password, which started a chain of password reset procedures to access the next system, culminating in the reporter's Twitter accounts.

An Apple employee told Wired that the phone support password procedure change would last at least 24 hours, but MacNN was told that the block would be in place "as long as it takes" to update Apple's policies and procedures to prevent another event like the weekend's hack from taking place.

[Ilie Pandia]

I notice a fascinating trend...

Our email has become so tightly connected to our identity! Pretty soon nobody will ask: What is our SSN or Name but will ask: "What is your email address?" (or what is your Facebook account, or Open ID).

We are quickly shifting, without realizing towards a global means of identification and tracking .

I used to create and drop email accounts like crazy in the past, and today I see myself worrying about how to properly secure my email! (This would have been hilarious to me just a few short years ago...)

[CdnSirian]

I'm old fashioned...back everything up to an ext HD. Portable. Even things I like on the net, I copy them and back up. No, I have not yet built a faraday cage for all my stuff. Not that capable. But, I could learn...

[Anchor]

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.

Ouch, but really. If you are not backing up your "important" stuff, consider it gone one day. **** will happen. BACK UP!

BACK UP!

This guy's pain is doing you non-backer-uppers a favour.

BACK IT ALL UP!