Hacked "hard" via the cloud.

[NigelH]

A warning about having multiple interlinked devices and accounts.
hacked really hard

[mouser]

wow. scary.

[NigelH]

Must admit, the remote wipe could be useful in certain circumstances.
But why was there no mandatory additional authentication to proceed with it?
Seems like just being just being logged in to the iCloud account was sufficient.

I own none of that particular vendors devices, nor use none of their services.
Don't intend to either, although MS seem to be heading down the wrong track.

[wraith808]

I don't have remote wipe setup on my mbp.  That seemed quite silly at the time- to treat something that has a hard drive the same as something that doesn't.  I'm glad now that I don't.

[Renegade]

Ouch! That's gotta hurt!

Looking at the comments... Cripes... Go figure. They degenerate immediately. I think there was only 1 there that was worthwhile reading and not just full of vitriol and arrogance.

Here's the worthwhile one:

Spoiler

1. I seriously doubt that the hacker brute forced the iCloud account password.  iCloud (as does Google) allows for only a limited number of password attempts before locking up. Then you have to answer two of three security questions (the two factor authentication).  Therefore, unless you use an extremely easy password to guess, brute force is going to fail since it will take too much time to do.

2. MORE LIKELY: The Hacker is someone the person knows who then got access to his password or someone who used a keylogger.  With a keylogger, if you ever log into any of your accounts on someone else's computer or public terminal, you are screwed immediately.

3. Since the iCloud account was used as the person's central account, any other account which uses that central account as the backup email address (such as his Google and Twitter accounts) became vulnerable to a password resent request.

4. The Hacker easily gained access to his Gmail Account and Twitter Account even without knowing the password by simply knowing those accounts' backup addresses and sending a password reset request.  This shows that Gmail and Twitter are also not very secure.

5. Remote Wipe is a good thing.  The only problem is if a Hacker gains access to the account that can do a remote wipe, you can be remote wiped.  Thus, to guard against this possibility, always do backups of your data.

6. Backups are clearly important.  If the person used Time Machine AND another app (such as ChronoSync) to do hourly backups AUTOMATICALLY AND WITHOUT SUPERVISION, then he would only lose 1 hour of work. 

7. Using only one backup email address is bad.  This can occur not only with iCloud but also Google and any other email accounts.  The key is that the person used his iCloud account as the backup email account for every other account he had - his Google account, his Twitter account, etc.  This links these other accounts to the original account.  This problem is the same if he used his Gmail account as his primary backup account. It isn't limited to using Apple's iCloud account.  Using only one email as the primary backup account makes every other account linked to it insecure and accessible because all these other accounts are easy to access via a password request - Google, Twitter are easily accessed.

8. Strong passwords and regularly changing passwords are important.  This helps protect against keyloggers and people you know from accessing your account if they don't do it immediately. Being able to mix numbers, capital letters, and small letters helps make the password more secure. Being able to add symbols (e.g. !
 or *, etc.) to the password increases security even more.

The most important lessons:
1. any account can be hacked.
2. backup, backup, backup, backup, backup, backup,...

[IainB]

A warning about having multiple interlinked devices and accounts.
hacked really hard

-NigelH (August 04, 2012, 12:43 PM)

Maybe add "...without adequate security, built-in and secure redundancy or proper backup contingencies...".

[rxantos]

From the site:

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass  security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.

This means that irrelevant of how good is your password is, your computer can be hacked by Apple.  Bottom line, TRUST NO ONE.

[Tuxman]

Don't use the cloud for sensitive data. Done.

[Shades]

Don't use the cloud for sensitive data. Done.

-Tuxman (August 05, 2012, 02:20 AM)

Don´t use the cloud. Period.  FTFY

[cyberdiva]

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?  I don't use Apple stuff, but it's nonetheless disconcerting--make that alarming--that tech support is somehow involved/insecure and that one can somehow bypass security questions.  I wish I understood how this could happen.  If it could happen with Apple, I'm sure it could happen as well with MS.  I try to keep my paranoia level under control, but this has sent it sky high...um...to the cloud(s)?

[Stoic Joker]

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

-cyberdiva (August 05, 2012, 08:29 AM)

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.


Security question: High school mascot

Hay friend, where you from?? [Gets town name]

Really? I've got a friend/cousin/coworker who grew up there..said it was a nice place but their HS mascot sucked... [Answer: That's odd, what's wrong with xxxxx?] oops.

[cyberdiva]

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

-cyberdiva (August 05, 2012, 08:29 AM)

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.

-Stoic Joker (August 05, 2012, 09:34 AM)

Well, I guess I was assuming that other people are as cautious/paranoid as I am.  I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search.  At least, I don't think I do.     I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support.  

[wraith808]

^ Hah... I'm with you.  When they give you a limited number of questions to choose from, I usually use a totally unrelated answer that I've related somehow to that question in my mind.

[40hz]

I found this part of Matt's blog account most interesting:

Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass  security questions. Apple has my Macbook and is trying to recover the data.

The fact Apple now has his MacBook and is attempting to recover his data speaks volumes.

Guess that alone is enough to remove anybody's doubt Apple's Tech Support fell for some social engineering.

Which goes back to something Gerry Weinberg once observed: It's never a technical problem. It's always a "people" problem. And anytime you find something thats not, you need to check it again.

[rgdot]

Apple tech support can see passwords?  Whatever happened to 'we can only send password reset link', etc?

[Stoic Joker]

I was surprised to read that the hacker "got in through Apple tech support and some clever social engineering that let them bypass security questions."  Huh?

-cyberdiva (August 05, 2012, 08:29 AM)

Why? That is quite literally the oldest trick in the book. Scam artists have been using pieces of info to validate claims about one person to fool another since the beginning of time. A casual 5 minute conversation with anyone will glean enough info to do a google search for the rest of the details to answer security questions. ...And with folks putting their life story on FaceBook...the first two steps are academic.

-Stoic Joker (August 05, 2012, 09:34 AM)

Well, I guess I was assuming that other people are as cautious/paranoid as I am.  I put next-to-no personal info on Facebook and don't use security questions that can be answered via a Google search.  At least, I don't think I do.     I do tend to be more truthful when I deal with tech support, but I frankly can't imagine someone knowing enough about me to be able to get personal info about me from tech support. 

-cyberdiva (August 05, 2012, 11:58 AM)

^ Hah... I'm with you.  When they give you a limited number of questions to choose from, I usually use a totally unrelated answer that I've related somehow to that question in my mind.

-wraith808 (August 05, 2012, 12:04 PM)

Hay, I'm with you 1000%, I also use a fictitious history ... But... We. Ain't. "Normal"... Sheeple OTOH ...  ...Please don't make me say it...

[SeraphimLabs]

Just one more reason not to trust your data to anything that you can't fit in a bank's safe deposit box. And even then, better have at least 3 discrete devices with the same dataset if it is anything you can't replace.

I know I put one over on a lawyer using the triplicate backup approach. Had a sensitive file with case damaging contents stored on a server in a colocation facility. Though I can't prove who did it, I have a good reason to believe that the opposing lawyer hired someone to DDoS that server to oblivion, in an attempt to keep that file from reaching court and damaging their case.

Unfortunately for them, I had 3 copies of it- the remote, the original on my old laptop, and a third copy on a memory stick in my wallet.

Needless to say the look on the lawyer's face when that file successfully reached the courtroom and was entered as evidence. And I didn't even invoke the third copy, the copy that was entered into evidence was actually sourced from the original file on the laptop that had encoded it. It proved to be far more useful than I thought, completely blowing the opposition out of the water.

But that's where good practice triumphs over shady business. Always, always always if it is important enough that you can't remake it or download it easily, maintain at least 3 current copies of it stored separately.

And this whole hacked via the cloud thing? It certainly took long enough. I expected stuff like this to start happening last year when Cloud became the latest big thing in IT. It's going to be a long time before I put anything in the cloud, and even then they'll be individually encrypted with the key something I would carry on me at all times.