
Apple tech support 'socially engineered' in hack of journalist's iCloud account

post #1 of 121
Thread Starter 
Tech reporter Mat Honan's iCloud account was compromised on Friday, wreaking havoc on both his personal machines as well as Gizmodo's Twitter feed, and it was discovered on Sunday that Apple tech support was partly to blame for the breach.

The hack was first thought to be a simple brute force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years," though in the process of reconfiguring accounts it was confirmed that the issue wasn't a password, but the "social engineering" of an Apple tech support employee.

In recounting the experience on his blog, Honan first realized something was amiss when his iPhone rebooted to the default setup screen. He couldn't log in to iCloud to restore the handset's previous settings from the device itself, so Honan connected the iPhone to his MacBook Air which displayed an iCal error message before its screen went gray and asked for a four digit PIN.

"I didn't have a four digit pin," Honan wrote. "By now, I knew something was very, very wrong. I walked to the hallway to grab my iPad from my work bag. It had been reset too. I couldn't turn on my computer, my iPad, or iPhone."


Things got progressively worse from there as Honan's Google account was deleted; the only way to restore it would be via text message to the iPhone he no longer had access to. The tech writer's Twitter feed, along with his previous employer Gizmodo's, was also compromised. Perhaps most troubling was that his MacBook Air was being remotely wiped, along with his iPad and iPhone, using Apple's Find My Device feature. The wipe may be recoverable, however, as Honan stopped the process by powering the MacBook Air down before an over-write began.

[Image: Find my iPhone on iOS 5.]


Honan noted in a blog update that a person claiming to be the hacker made contact and told him " didn't ur password or use bruteforce. i have my own guide on how to secure emails."

From Honan's blog:
I know how it was done now. Confirmed with both the hacker and Apple. It wasn't password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I'm back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
In the last update to Honan's saga, AppleCare was able to confirm the hacker's claims of bypassing iCloud's password protection by going through an employee. A more detailed account of how this was done will be made public in a Wired report on Monday.

Honan reached out to Apple Corporate as well as the company's PR team, though no response has been given at the time of this writing.
post #2 of 121
Now that should not be possible. If it's true then I'll bet Apple are scrambling to roll out some new training.
post #3 of 121
A brave new world, this "cloud." Makes me long for the days when I owned my own data. Oh wait, I still do (pats Snow Leopard on the head).

"Apple should pull the plug on the iPhone."

John C. Dvorak, 2007
post #4 of 121

Just wondering, if you set really easy questions for the "confirm it's you" bit, then Google searches may have the answers. (E.g. if you haven't got a private FaceBook account, quite a lot of info will be publicly available, therefore making it very easy for a clever person to bluff their way through proving that they're "you"!)

Having said that, I have backups of important data that is stored in iCloud (Contacts, photos etc), since if iCloud dies, or goes offline, I don't want to lose it all.

I work in IT, and I keep having to tell users that you can never have too many backups!
 

Replace user and press any key to continue!
post #5 of 121
iCloud as a service is extremely flawed. If nothing else the service should have a way to back up to an owner's Mac OS machine. Further, saving a copy of an iCloud file locally shouldn't be so damn difficult. iCloud is like 80% of the way there but Apple certainly missed important use cases and seems to have forgotten about user control.
post #6 of 121

I smell a rat. 

post #7 of 121

I sure hope that AI is not going to make this a major story. Yes, a tech support guy (or gal) screwed up. Yes, Apple is going to tighten the process. But AI is going to blow this way out of proportion. AI give it a rest......

post #8 of 121
Quote:
Originally Posted by Ed Steinberg View Post

I sure hope that AI is not going to make this a major story. Yes, a tech support guy (or gal) screwed up. Yes, Apple is going to tighten the process. But AI is going to blow this way out of proportion. AI give it a rest......

Well to be fair - if it is true then it is a real issue, since it implies that the controls against it happening are administrative, rather than engineered. That said, I'm sure Apple will fix it, and quickly.
post #9 of 121
Quote:
Originally Posted by wizard69 View Post

iCloud as a service is extremely flawed. If nothing else the service should have a way to back up to an owner's Mac OS machine. Further, saving a copy of an iCloud file locally shouldn't be so damn difficult. iCloud is like 80% of the way there but Apple certainly missed important use cases and seems to have forgotten about user control.

 

Supposedly you just drag the file from the iCloud view wherever you want, and you have a local copy. I’m not rushing into Mountain Lion so I can’t say.

 

I’m approaching all cloud-based services from DropBox to iCloud cautiously and slowly. Using them strategically to solve problems (like keeping my calendars in sync) but not jumping in with both feet. This event, like that DropBox password incident, reinforces my plan! I still like DropBox and iCloud as far as I use them, but my trust for them will be growing veeeeryyyy slooowlllyyy.

 

And I’ll always have multiple backups of my own! If anyone somehow attacks me, I’ll be back up and running in a matter of hours with no loss. (I even do my backups in multiple different ways and store them in different places, but I know most won’t go THAT far. For most, the “cloud” is potentially a great thing in case of fire!)

 

In any case, I hope the attacker does some SERIOUS JAIL TIME. That’s like breaking into an artist’s house and burning his paintings, his art supplies, his family photos, and his address book. Apple’s rep needs to be looking for a new job (and Apple needs policies to make such failures impossible), but the attacker needs to be looking for a cellmate.

post #10 of 121

This story has an extremely misleading introduction.  Apple are not "partly" to blame.  Apple are entirely to blame.

 

When the hacker was unable to answer the security questions, the tech support employee should have put the hacker on hold, phoned Mat Honan's iPhone, and asked if he had just phoned Apple tech support to change his iCloud password.

Mac user since August 1983.
post #11 of 121

Payback.    ;)

 

 

 

1000

post #12 of 121

The only way Apple does resolve anything is if a big deal is made.
 

post #13 of 121
Quote:
Originally Posted by Bryce Yates View Post

The only way Apple does resolve anything is if a big deal is made.

 

I doubt that would be the case this time.
post #14 of 121
Quote:
Originally Posted by Ed Steinberg View Post

I sure hope that AI is not going to make this a major story. Yes, a tech support guy (or gal) screwed up. Yes, Apple is going to tighten the process. But AI is going to blow this way out of proportion. AI give it a rest......


Isn't this precisely the type of story that should be on this site? A whole lot more relevant to Apple customers than what Microsoft Surface is about?

post #15 of 121

Jizzmodo?

The same bottom feeding scum, short attention span whores; Jizzmodo?

Really?

There must be a lot more to this. A whole lot.

 

I think If it was this easy, why not someone else?. Why not a whole lot of other accounts?

It just happened to be the one Jizzmodo?

post #16 of 121
That Apple tech support rep is about to be fired.. If not, should be.
post #17 of 121
Quote:
Originally Posted by Bryce Yates View Post

The only way Apple does resolve anything is if a big deal is made.

 

How can they? There's no software to stop social engineering.
"Few things are harder to put up with than the annoyance of a good example" Mark Twain
"Just because something is deemed the law doesn't make it just" - SolipsismX
post #18 of 121
Quote:
Originally Posted by dasanman69 View Post

Quote:
Originally Posted by Bryce Yates View Post

The only way Apple does resolve anything is if a big deal is made.

 

How can they? There's no software to stop social engineering.

But you can make it almost impossible.
post #19 of 121
Quote:
Originally Posted by Quadra 610 View Post

Payback.    ;)

 

 

 

1000

 

Because some other dude got his e-life wiped?

post #20 of 121
Quote:
Originally Posted by djsherly View Post

 

Because some other dude got his e-life wiped?

 

Gizmodo. 

post #21 of 121

I only put stuff on the cloud I can get back easily or that I dont need. I do manual cloud syncs only. 

post #22 of 121

Here's a possibly dumb question:

 

Is there any way to remove the ability for your Mac to be remotely wiped aside from simply turning off "Find My Mac" from the iCloud prefpane? I'd like to be able to turn off the ability to wipe my Mac without turning off my ability to FIND the Mac, but I suspect this isn't possible.

post #23 of 121
Quote:
Originally Posted by jonyo View Post

Here's a possibly dumb question:

Is there any way to remove the ability for your Mac to be remotely wiped aside from simply turning off "Find My Mac" from the iCloud prefpane? I'd like to be able to turn off the ability to wipe my Mac without turning off my ability to FIND the Mac, but I suspect this isn't possible.

That's one of the things I wish Apple would add. Under the Security panel in System Administrators I'd like for a list of options of what Find My Mac can show and do about your Mac from a remote location.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #24 of 121

In about two weeks I will be going the way of many soldiers.  Take care.

 

http://youtu.be/g8m4zsZnKlM

An Apple man since 1977
post #25 of 121
Quote:
Originally Posted by sabuga View Post

[....]private FaceBook account[....]

 

Being an oxymoron, was that stated for irony?

post #26 of 121
Quote:
Originally Posted by nagromme View Post

And I’ll always have multiple backups of my own! If anyone somehow attacks me, I’ll be back up and running in a matter of hours with no loss. (I even do my backups in multiple different ways and store them in different places, but I know most won’t go THAT far. For most, the “cloud” is potentially a great thing in case of fire!)

I just turned off Find-My-Mac on my Mac Pro, which I use as a Time Machine backup server. I knew this wasn't ideal since it's not off site, but I didn't realize until now that if someone hacked into my iCloud account, they could erase all of my machines, including the one that contains all my backups of my other machines!
post #27 of 121
Quote:
Originally Posted by AppleInsider View Post

The hack was first thought to be a simple brute force attack on Honan's seven-digit alphanumeric iCloud password, which he has used for "years and years,

iCloud is less than one year old.

and not changing a password for "years and years"?

and then broadcasting the fact that he never changes his passwords?

and that he uses 7 digits?

 

As Red Foreman would say,,,

post #28 of 121
Quote:
Originally Posted by Bryce Yates View Post

The only way any organization in the world does resolve anything is if a big deal is made.
 

 

There I fixed that for you. A city won't put in a stop sign at a dangerous crosswalk until a pedestrian is killed in traffic. Websites that hold your financial/personal information don't beef up their security or encryption until some "Anonymous" hacks their site and steals thousands of individuals' sensitive data. It's how the world works 99% of the time. We are reactive instead of proactive for the most part. So while this seems to be Apple's fault, you can't single Apple or any organization out for what the world accepts as common practice.

 

Quote:
Originally Posted by jonyo View Post

Here's a possibly dumb question:

 

Is there any way to remove the ability for your Mac to be remotely wiped aside from simply turning off "Find My Mac" from the iCloud prefpane? I'd like to be able to turn off the ability to wipe my Mac without turning off my ability to FIND the Mac, but I suspect this isn't possible.

 

Maybe this unfortunate incident will motivate Apple to separate those features, however, what's to prevent someone who's hacked or let into your account from checking the "Ok to wipe" box then wiping your drive? Also, I can see certain specific situations where someone might need the "Find My Mac" function, but I'm still laughing imagining someone forgetting where they left their laptop and needing that feature, lol.

When a company stops chasing profit and start chasing the betterment of their products, services, workforce, and customers, that will be the most valuable company in the world.
post #29 of 121
Quote:
Originally Posted by Chris_CA View Post

iCloud is less than one year old.
and not changing a password for "years and years"?
and then broadcasting the fact that he never changes his passwords?
and that he uses 7 digits?

As Red Foreman would say,,,

And that is an issue, but if this article is to be believed (and I think it is) then having a 32 digit password with random letters, numbers and special characters wouldn't have made a difference.
Edited by SolipsismX - 8/5/12 at 10:00pm

This bot has been removed from circulation due to a malfunctioning morality chip.

post #30 of 121
Quote:
Originally Posted by muppetry View Post


Well to be fair - if it is true then it is a real issue, since it implies that the controls against it happening are administrative, rather than engineered. That said, I'm sure Apple will fix it, and quickly.

It's to do with Apple retail  support as a customer service being too helpful in this particular case, it seems.

 

There's a time to deny and a time to be firm - a time for everything under the sun...

 

You cast pearls before swine and they will trample them underfoot...

post #31 of 121

To me it looks like Honan got a friend to pretend to be him, let him know the answers and trick the tech support to do all that stuff and then come as a victim and generate some attention... Look at his tweets.. he is not angry at all, like he doesn't care about his loss of data..  Anyone else would have had their blood pressure up high, it would be totally normal to be angry. But Honan is not..

Then, the use of the word "hacker" is exaggerated... yes... Guy didn't hack that equipment, not iCloud, tricked a tech support agent.. But that's it.

post #32 of 121
Quote:
Originally Posted by silverpraxis View Post

 

There I fixed that for you. A city won't put in a stop sign at a dangerous crosswalk until a pedestrian is killed in traffic. Websites that hold your financial/personal information don't beef up their security or encryption until some "Anonymous" hacks their site and steals thousands of individuals' sensitive data. It's how the world works 99% of the time. We are reactive instead of proactive for the most part. So while this seems to be Apple's fault, you can't single Apple or any organization out for what the world accepts as common practice.

 

 

Maybe this unfortunate incident will motivate Apple to separate those features, however, what's to prevent someone who's hacked or let into your account from checking the "Ok to wipe" box then wiping your drive? Also, I can see certain specific situations where someone might need the "Find My Mac" function, but I'm still laughing imagining someone forgetting where they left their laptop and needing that feature, lol.

 

It's about the possibility of attack from 2 sides, the 1st being if your icloud account is hacked or somehow compromised, and the 2nd being if your mac is stolen. If my laptop is stolen, I'd like to be able to use find my mac to possibly locate it on a map, maybe increasing the possibility that it could be recovered. At the same time, if my icloud were hacked, then someone could wipe my Mac, and I wouldn't know it until it happened, and I don't want that either. I do have local backups, as I use time machine and I also make periodic bootable clones of the drive. Because of the way icloud connects your computer and your icloud account, you essentially have to make a choice on what's more likely, your icloud account being hacked/compromised, or your Mac itself being stolen, and set your icloud settings accordingly both online and on the Mac.

 

I have a desktop Mac as well, and since I don't worry as much about that one being stolen as I do my laptop, I have Find My Mac turned off on that one.

post #33 of 121
Quote:
Originally Posted by plokoonpma View Post

To me it looks like Honan got a friend to pretend to be him, let him know the answers and trick the tech support to do all that stuff and then come as a victim and generate some attention... Look at his tweets.. he is not angry at all, like he doesn't care about his loss of data..  Anyone else would have had their blood pressure up high, it would be totally normal to be angry. But Honan is not..

 

Given Jizmodo's history, this wouldn't surprise me even a little bit.

post #34 of 121
Quote:

Originally Posted by mcarroll View Post
 

Quote:

Originally Posted by sabuga View Post
 

[....]private FaceBook account[....]

 

 

Being an oxymoron, was that stated for irony?

 

 

Another option is use some other name on facebork.

e.g. they wanted me to fax a copy of my driver's license to create an account with my real name, but they had no problem with me creating one for Hank Hill from Arlen TX, where I'm the assistant manager at Strickland Propane, tell ya wut.

post #35 of 121

How about roll out voice prints for an additional layer of security.  It is NOT that difficult.

post #36 of 121
I'd like to know more about the "social engineering" as I suspect it would involve identity theft.

"This is my name, my date of birth, my home address, my phone number, my email address, I've forgotten my password and my questions don't work, can you help me out here, is there any more information I need to give you?"

I doubt Apple reps (like anyone else working for a holder of secure information) would have access to credit card and social security numbers, maybe the last 3 or 4 digits but not the whole number.

It will be interesting to see what this "social engineering" involved.
Better than my Bose, better than my Skullcandy's, listening to Mozart through my LeBron James limited edition PowerBeats by Dre is almost as good as my Sennheisers.
post #37 of 121
Quote:
Originally Posted by Quadra 610 View Post

Gizmodo. 

Only if you think those at giz are douches to a man/woman. As best I can tell it's just the douche holding the phone that's the douche.
post #38 of 121
Quote:
Originally Posted by BoC View Post

How about roll out voice prints for an additional layer of security.  It is NOT that difficult.

There is no biometric that is secure; especially not a voice print. The best security is still something you store in memory.

Now adding voice print to a list of other items can help with security but it's also a bit of a "TSA" in that it's mostly a false sense of security. Would the voice print even work if you have a cold or right after you wake up in the morning?

Quote:
Originally Posted by hill60 View Post

I'd like to know more about the "social engineering" as I suspect it would involve identity theft.
"This is my name, my date of birth, my home address, my phone number, my email address, I've forgotten my password and my questions don't work, can you help me out here, is there any more information I need to give you?"
I doubt Apple reps (like anyone else working for a holder of secure information) would have access to credit card and social security numbers, maybe the last 3 or 4 digits but not the whole number.
It will be interesting to see what this "social engineering" involved.

Assuming everything Honan has stated is accurate this is just identity theft, not hacking.

This bot has been removed from circulation due to a malfunctioning morality chip.

post #39 of 121
Quote:
Originally Posted by plokoonpma View Post

To me it looks like Honan got a friend to pretend to be him, let him know the answers and trick the tech support to do all that stuff and then come as a victim and generate some attention... Look at his tweets.. he is not angry at all, like he doesn't care about his loss of data..  Anyone else would have had their blood pressure up high, it would be totally normal to be angry. But Honan is not..

Then, the use of the word "hacker" is exaggerated... yes... Guy didn't hack that equipment, not iCloud, tricked a tech support agent.. But that's it.

That's what I was thinking....some clever social engineering my ass...

post #40 of 121
Quote:
Originally Posted by Quadra 610 View Post

Payback.    ;)



Or at the very least, karma.

We've always been at war with Eastasia...
