Scribe's mobe, MacBook pwned after hacker 'fast-talked Apple support'
iCloud burst in social engineering attack claim
Posted in Management, 6th August 2012 13:29 GMT
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
Tech journo Mat Honan has told how he helplessly watched a hacker remotely erase and lock his iPhone, iPad and MacBook after his iCloud account was hijacked. It's a cautionary tale against relying too heavily on one cloud platform.
But the kicker?
It's alleged that the miscreant sweet-talked an Apple support staffer and bypassed Honan's preset security questions to wrestle control of his iCloud account.
As well as losing access to his cloud storage, associated Apple devices and Gmail account in the process, Honan also had his Twitter account compromised and saw his former employer's Twitter feed pwned too.
Honan, who used to work for gadget blog Gizmodo but now pens for WiReD, had linked Gizmodo's Twitter account to his personal @Mat profile - so when the hijacker from Clanvv3 got hold of his Twitter login, the hacker gained access to Giz's corporate account and used that to tweet racist and other offensive messages.
Gizmodo has since deleted the tweets and apologised after the hack on Friday:
To be clear, a former Gizmodo employee's Twitter account appears to have been hacked, and that is how those tweets appeared on
— Gizmodo (@Gizmodo) August 4, 2012@gizmodo.
Once the hacker had control of Honan's Apple iCloud storage account, the miscreant was able to order a remote wipe of any devices that backed up data to it, a step usually taken in response to a theft.
The first Honan knew of the hijack was when his iPhone went dead, shortly followed by his iPad and his MacBook laptop, as he explained on his Tumblr. His Gmail account was deleted in the attack and Apple tech support didn't have a clue who he was.
He eventually managed to get back into his iCloud profile and change his password, but Apple couldn't do anything about the fact that all his iDevices had been wiped - losing photos, documents and emails - other than getting him an appointment at one of their Genius bars for the MacBook.
The hack has raised questions about whether dumping everything in any cloud is asking for trouble, or if this was the fault of the Honan or the iCloud support staff.
Clanvv3 posted in a now suspended Twitter account that Honan was to blame for "using insecure email services, having a 3-letter Twitter [handle], and having access to [Gizmodo]".
But Paul Ducklin at security firm Sophos said that these kinds of social engineering attacks were "really hard to defend against".
"You can have - and enforce - utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn't to improve security, it's to save money by taking humans out of the loop," he said. "The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.
"Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark. That's what happened with Honan."
Apple had not returned a request for comment at the time of publication. ®
Free whitepaper – Hands on with Hyper-V 3.0 and virtual machine movement
COMMENTS
It's a cautionary tale against relying too heavily on one cloud platform.
It's a cautionary tale against relying too heavily on any cloud platform as your sole datastore .
Fixed it for ya.
If this guy worked for me he would already be at the jobcentre
"But Paul Ducklin at security firm Sophos said that these kinds of social engineering attacks were "really hard to defend against".
"You can have - and enforce - utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn't to improve security, it's to save money by taking humans out of the loop," he said. "The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.
"Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark. That's what happened with Honan."
===================
What a load of bollocks!
All of our account management is handled by people and we have rigid and inflexible processes for a reason, so that social engineering attacks using sweet talk will fail. Of course if someone can answer the security questions then they will get past security but if they fail they should stay failedregardless of how sweet they are on the phone.
If any of my team did what the Apple droid did they would be fired, no ifs or buts, its even in the job description.
Yes we piss off customers who cannot answer the security questions and yes I get the escalations and an earful of abuse from those who cannot get a password change or account details as they cant pass security and as I explain to them, would they be happy if I called up there bank, failed security but still got given all the money in it?
At the end of the day proper team training and an adherence to process will maintain security, but you would hope a security advisor would know that.
It's a cautionary tale against relying too heavily on any cloud platform as your sole datastore .
iCloud wasn't the sole datastore here, just backup. The problem is that access to this backup also grants access to delete the primary store.
-
Tricky one now for Apple - can they help him get anything back from his MacBook or not? And if they can what does that say for the security of their remote wipe procedure?
The problem with a walled garden
is once the tiger is inside the walls you've got nowhere to run and nowhere to hide.
You play with the devil
that's what happens...
Really, a tech journalist should know better. Apple can wipe everything you own, hardware or software at the press of a button.
It's a weekly occurrence here, that someone is crying because their computers HDD failed, and when they put a new one in, their iPod was wiped of all it's music. I just laugh as them and ask them what they expected when dealing with Apple.
The new Office Garage series:
