Welcome Guest.   Make a donation to an author on the site April 23, 2014, 11:39:00 AM  *

Please login or register.
Or did you miss your validation email?


Login with username and password (forgot your password?)
Why not become a lifetime supporting member of the site with a one-time donation of any amount? Your donation entitles you to a ton of additional benefits, including access to exclusive discounts and downloads, the ability to enter monthly free software drawings, and a single non-expiring license key for all of our programs.


You must sign up here before you can post and access some areas of the site. Registration is totally free and confidential.
 
Your Support Funds this Site: View the Supporter Yearbook.
   
   Forum Home   Thread Marks Chat! Downloads Search Login Register  
Pages: [1]   Go Down
  Reply  |  New Topic  |  Print  
Author Topic: Hacked "hard" via the cloud.  (Read 3564 times)
NigelH
Charter Member
***
Posts: 197

see users location on a map View Profile Give some DonationCredits to this forum member
« on: August 04, 2012, 12:43:53 PM »

A warning about having multiple interlinked devices and accounts.
hacked really hard
Logged
mouser
First Author
Administrator
*****
Posts: 32,693



see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #1 on: August 04, 2012, 12:48:19 PM »

wow. scary.
Logged
NigelH
Charter Member
***
Posts: 197

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #2 on: August 04, 2012, 01:04:30 PM »

Must admit, the remote wipe could be useful in certain circumstances.
But why was there no mandatory additional authentication to proceed with it?
Seems like just being just being logged in to the iCloud account was sufficient.

I own none of that particular vendors devices, nor use none of their services.
Don't intend to either, although MS seem to be heading down the wrong track.
Logged
wraith808
Supporting Member
**
Posts: 5,815



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #3 on: August 04, 2012, 01:40:13 PM »

I don't have remote wipe setup on my mbp.  That seemed quite silly at the time- to treat something that has a hard drive the same as something that doesn't.  I'm glad now that I don't.
Logged

Renegade
Charter Member
***
Posts: 10,364



Tell me something you don't know...

see users location on a map View Profile WWW Give some DonationCredits to this forum member
« Reply #4 on: August 04, 2012, 05:24:50 PM »

Ouch! That's gotta hurt!

Looking at the comments... Cripes... Go figure. They degenerate immediately. I think there was only 1 there that was worthwhile reading and not just full of vitriol and arrogance.

Here's the worthwhile one:
Logged

Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker
IainB
Supporting Member
**
Posts: 4,286


Slartibartfarst

see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #5 on: August 04, 2012, 06:15:55 PM »

A warning about having multiple interlinked devices and accounts.
hacked really hard
Maybe add "...without adequate security, built-in and secure redundancy or proper backup contingencies...".
Logged
rxantos
Supporting Member
**
Posts: 98


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #6 on: August 05, 2012, 01:00:39 AM »

From the site:
Quote
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass  security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

This means that irrelevant of how good is your password is, your computer can be hacked by Apple.  Bottom line, TRUST NO ONE.
Logged
Tuxman
Supporting Member
**
Posts: 1,361


OMG not him again!

View Profile WWW Give some DonationCredits to this forum member
« Reply #7 on: August 05, 2012, 02:20:53 AM »

Don't use the cloud for sensitive data. Done.
Logged

I bet when Cheetahs race and one of them cheats, the other one goes "Man, you're such a Cheetah!" and they laugh & eat a zebra or whatever.
- @VeryGrumpyCat
Shades
Member
**
Posts: 1,553


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #8 on: August 05, 2012, 08:05:08 AM »

Don't use the cloud for sensitive data. Done.

Don´t use the cloud. Period.  FTFY

Logged
cyberdiva
Supporting Member
**
Posts: 887


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #9 on: August 05, 2012, 08:29:18 AM »

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?  I don't use Apple stuff, but it's nonetheless disconcerting--make that alarming--that tech support is somehow involved/insecure and that one can somehow bypass security questions.  I wish I understood how this could happen.  If it could happen with Apple, I'm sure it could happen as well with MS.  I try to keep my paranoia level under control, but this has sent it sky high...um...to the cloud(s)? ohmy
Logged
Stoic Joker
Honorary Member
**
Posts: 4,880



View Profile WWW Give some DonationCredits to this forum member
« Reply #10 on: August 05, 2012, 09:34:25 AM »

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.


Security question: High school mascot

Hay friend, where you from?? [Gets town name]

Really? I've got a friend/cousin/coworker who grew up there..said it was a nice place but their HS mascot sucked... [Answer: That's odd, what's wrong with xxxxx?] oops.
Logged
cyberdiva
Supporting Member
**
Posts: 887


see users location on a map View Profile Give some DonationCredits to this forum member
« Reply #11 on: August 05, 2012, 11:58:18 AM »

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.
Well, I guess I was assuming that other people are as cautious/paranoid as I am.  I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search.  At least, I don't think I do.  ohmy   I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support.  
Logged
wraith808
Supporting Member
**
Posts: 5,815



"In my dreams, I always do it right."

see users location on a map View Profile WWW Read user's biography. Give some DonationCredits to this forum member
« Reply #12 on: August 05, 2012, 12:04:24 PM »

^ Hah... I'm with you.  When they give you a limited number of questions to choose from, I usually use a totally unrelated answer that I've related somehow to that question in my mind.
Logged

40hz
Supporting Member
**
Posts: 9,870



A'Tuin

see users location on a map View Profile Read user's biography. Give some DonationCredits to this forum member
« Reply #13 on: August 05, 2012, 02:52:16 PM »

I found this part of Matt's blog account most interesting:

Quote
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass  security questions. Apple has my Macbook and is trying to recover the data.

The fact Apple now has his MacBook and is attempting to recover his data speaks volumes.

Guess that alone is enough to remove anybody's doubt Apple's Tech Support fell for some social engineering.

Which goes back to something Gerry Weinberg once observed: It's never a technical problem. It's always a "people" problem. And anytime you find something thats not, you need to check it again.
Logged

Don't you see? It's turtles all the way down!
rgdot
Supporting Member
**
Posts: 1,516


View Profile WWW Give some DonationCredits to this forum member
« Reply #14 on: August 05, 2012, 02:59:20 PM »

Apple tech support can see passwords?  huh Whatever happened to 'we can only send password reset link', etc?
Logged
Stoic Joker
Honorary Member
**
Posts: 4,880



View Profile WWW Give some DonationCredits to this forum member
« Reply #15 on: August 05, 2012, 03:17:21 PM »

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.
Well, I guess I was assuming that other people are as cautious/paranoid as I am.  I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search.  At least, I don't think I do.  ohmy   I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support. 

^ Hah... I'm with you.  When they give you a limited number of questions to choose from, I usually use a totally unrelated answer that I've related somehow to that question in my mind.

Hay, I'm with you 1000%, I also use a fictitious history ... But... We. Ain't. "Normal"... Sheeple OTOH ...  wallbash ...Please don't make me say it... smiley
Logged
SeraphimLabs
Participant
*
Posts: 300


Be Ready

View Profile WWW Give some DonationCredits to this forum member
« Reply #16 on: August 05, 2012, 03:54:51 PM »

Just one more reason not to trust your data to anything that you can't fit in a bank's safe deposit box. And even then, better have at least 3 discrete devices with the same dataset if it is anything you can't replace.

I know I put one over on a lawyer using the triplicate backup approach. Had a sensitive file with case damaging contents stored on a server in a colocation facility. Though I can't prove who did it, I have a good reason to believe that the opposing lawyer hired someone to DDoS that server to oblivion, in an attempt to keep that file from reaching court and damaging their case.

Unfortunately for them, I had 3 copies of it- the remote, the original on my old laptop, and a third copy on a memory stick in my wallet.

Needless to say the look on the lawyer's face when that file successfully reached the courtroom and was entered as evidence. And I didn't even invoke the third copy, the copy that was entered into evidence was actually sourced from the original file on the laptop that had encoded it. It proved to be far more useful than I thought, completely blowing the opposition out of the water.

But that's where good practice triumphs over shady business. Always, always always if it is important enough that you can't remake it or download it easily, maintain at least 3 current copies of it stored separately.

And this whole hacked via the cloud thing? It certainly took long enough. I expected stuff like this to start happening last year when Cloud became the latest big thing in IT. It's going to be a long time before I put anything in the cloud, and even then they'll be individually encrypted with the key something I would carry on me at all times.
Logged
Pages: [1]   Go Up
  Reply  |  New Topic  |  Print  
 
Jump to:  
   Forum Home   Thread Marks Chat! Downloads Search Login Register  

DonationCoder.com | About Us
DonationCoder.com Forum | Powered by SMF
[ Page time: 0.047s | Server load: 0.14 ]