Apple tech support 'socially engineered' in hack of journalist's iCloud account - Page 2

Just identity theft....nothing major like hacking.

Definitely ID theft. It happens all the time. BTW, with that many iCloud-enabled IT equipments, he would be fool not to have offline/site backups. I guess either he is or this is just, what they call it, a stunt, if the way this story developed (as per post #31 above) is true. Either way, ID theft. Not traditional hacking..

I was quite worried by this story until I saw the bit about it being a Gizmodo article.  I used to be a big fan of that site until the stolen iPhone incident. However now I don't trust that site at all. They are a bunch of Apple hating crooks and I couldn't care less about what they say. 

 

Any time I see a story link to a Gizmodo article, I automatically ignore.

 

Yeah, i usually don't open links to Giz or Engad. Those sites seem to only worship specs and cores.

 

Unfortunately there is more than one person without morales in that bunch of 'journalists'.

 

I must admit to being extremely suspicious of this report as well.

 

 

 

How predictable that this story is plastered as a headline on every tech blog and website, I thought maybe this site would have a little more self control/discipline and refrain from the sensationalism, but I guess not. Every website has become like an RSS feed of every other site, just a different layout with the same stories. Regardless, if this story is indeed true, this Matt guy is an absolute moron and grossly negligent- expecially considering that he's a tech blogger (!). Everyone is asking for the head of the Apple tech support guy, but we don't know if he actually did anything wrong or not. What if he followed the official guidelines, and the guy was able to answer every security question and give enough detail/personal info? Regardless, let's look at the facts, and how this tech cloumnist got himself to this point, and the choices he made:

 

- He CHOSE to somehow not have a single backup of his data. On OSX this couldn't be easier. Open time machine, turn on the massive ON button, and boom- data is backed up completely, automatically, consistently on an external volume. Not to mention the myriad of free cloud syncing services available like dropbox, etc. But no, he lost 'years' of data because this tech blogger couldn't be bothered to make a single backup of his data. Brilliant. My neighbor who once asked me if the printer was her computer knows how to backup on OSX. 

 

- He CHOSE to not once change his passwords for 'many years'. Again, brilliant. 

 

- He CHOSE to link up all his online accounts, so once iCloud was compromised access to his gmail/twitter/etc were also wide open. Genius. 

 

- He CHOSE to turn on the find my device/wipe options for all his devices, knowing that he didn't have any backups and that he'd be screwed if he had to use the option. Thats some foresight for you. 

 

- He CHOSE to put his entire digital online and offline life behind a single password with absolutely no fallbacks. 

 

These are just the few things he mentioned, any of which would be considered bad security practise, but all together present the picture of someone who is grossly negligent considered his supposed knowledge of tech and the industry he covers. And he's in a position to advise others about tech? It's why I can't scrounge up an ounce of sympathy for him. Shit happens. Hard drives crash. Stuff gets stolen. There's no excuse for him not to have a backup. There's less excuse for all that other stuff. Before attacking Apple's security practises and calling for heads to roll, why not demand some personal responsibility? Yeah, he got unlucky, but he left the door wide, wide open for catastrophic damage. If someone got access to my iCloud, the damage would be temporary and reversible. I'd have some downtime but would be up and running within a few hours. If I was him I'd be embarrassed to post this story, but hey, there's no such thing as shame these days. He need to publicize his massive mistakes to the world so he can point the blame to someone else. Practise some common sense people, and something like this could never ever happen to you. 

I second that emotion. I have Time Machine plus I have Carbon Copy Cloner making a bootable backup of my main hard drive. No sympathy at all.

 

 

100% agree with these comments. I don't believe Anything coming from Gizmo... this was completely faked. Apple did update security for cloud accts. minimum of 8 characters 1 capital, 1 lower case, and at least 1 number. They also added 3 more security questions in addition to the original security question, plus birth date.  If you are too lazy to make a GOOD STRONG password, update that password once in a while, and use the added security provided to you, then getting hacked is no ones fault but your own. 

The story says that wasn't a factor because they didn't use brute force.

According to the story I read his account passwords were all different. It was having access to the one email account that allowed for the password retrieval process for the other accounts.

While he should have backups having Find My Device turned on is a good thing in case it's lost. I've taken issue with Find My Device on many occasion on this site for the lack of a passcode for turning it on/off and for the lack of additional authentication for accessing the data. There should be an additional link between devices, much like BT pairing, and an additional code, even just a PIN after you've inputed the iCloud password.

That isn't what I read. Still, it does sound like he did use real answers to security questions which is a big mistake for anyone serious about security. I also sounds like that info wasn't used in Apple's reseting of his account.

Regardless of whether it's staged or not there are valuable lessons to be learned here.

1. Use a strong password
2. Use passwords that are unique across systems and accounts so a single breach will be compartmentalized
3. Don't use your real birthday and answers for security questions. This can be tricky if you use the same "false answers" across accounts but it does protect you social snooping.

I use 1Password. There are only 3 passwords I know by heart. My 1Password, my Mac password, and my iCloud password. These are complete and unique but human readable. All others were created using the 1Password generator. I do worry about my Dropbox being hacked and my 1Password file being decrypted but I have taken all measures I can on that front and can't think of anything I can do to make it more secure.

People also need to know that when they use WiFi, especially public WiFi, they need to make sure that anything they send is using SSL. Unfortunately most apps don't encrypt data sent via their apps. I wish Apple would make this a requirement or at least have a badge on their App Store to indicate which apps are secure. I blame Apple for not being diligent on this front.

I always thought it would be right up Google's alley to offer a free VPN service that would allow you to have all sessions encrypted between your Mac and their VPN servers. They could not only data mine everything you send but also show relevant ads in a window. While I don't trust Google I trust them more than someone in a Starbucks who could be capturing all my traffic, like this post I'm sending to AI.

PS: I find it odd that the financial institutions I deal with have requirements for passwords that are comparatively short and without special characters. In a way this makes sense because leting users create passwords that are too complex to remember will lead to more password resets which really should be done in person in a branch, but it still strikes me as odd that I can't even use a 24 character password with most of them.
Edited by SolipsismX - 8/6/12 at 1:26am

 

Attention-whore much? I'm thinking a book deal might be in the works. 

Me too. I think the whole thing is a put on.

 

Mmmm. That actually points to a big security hole in the other password retrieval systems then. Presumably they just reset the password on the basis of a publicly known email address?

 

I'd love to know what was said to make the tech support chap reset the password. 

Edited by Rayz - 8/6/12 at 12:51am

 

Now this is all starting to look a little bit suspect.

So for the benefit of the less enlightened, elucidate.

Point is, Apple DOESN'T want users to "worry about data". Apple has a point (most users are hopeless about understanding data), but Apple is, imho, wrong. Or just has an agenda about selling cloud storage, who knows?

There used to be a time when the Library was not hidden, where installing "non signed code" did not force you to ctr+click or disable some setting on your Mac. I call this "iPadization".

A TECH journalist that doesn't have any backups. 

A blogger is not a journalist!

 

Alright!

 

A TECH blogger/reporter who works in Gizmodo that doesn't have any backups.

 

Nope, Gizmodo is a rotten tech blog that will resort to any tactic to generate page views.

That's why I smell a rat. A tech geek without a hard-drive back-up = Unbelievable!

 

And this is a site/company known for receiving stolen property then lying about it.  

 

The breach might well be real but I see no reason to believe it until independently confirmed.

 

And if confirmed, that only confirms that Apple staff can be conned and that the Giz journo is an idiot. 

 

Enz

I wish Apple would comment on this

I would love to see Apple come out with the specifics of this story - which questions (if any) were bypassed by the hacker and then show how the answers to the questions were easily discoverable, An Apple press release detailing exactly what went down would slap a richly-deserved STFU to a site that's been begging for it for at least 3 years.

Gizmodo has no integrity. As people have already pointed out, the fact that a person supposedly knowledgable about technology would allow his digital life to exist without backup is laughable or a deliberate attempt to make the story more dramatic. Given what I know about these shitheads, I'm inclined to believe the latter. Maybe it's just a simple screwup on the part of a single person, but I'm firmly in the skeptic's camp.

Why does everyone keep saying he works for Gizmodo? He USED to work for Gizmodo, he now works for WIRED. I find WIRED to be much higher quality than Gizmodo and tends to attract good writers.

Not everyone that was attached to Gizmodo in the past is trash, so get the stick out of your ass.

 

I hadn't really thought about it before but this would be a good idea - some additional warning and pin code before you can remotely wipe your device - of course how often will you do that and how likely might you be to forget the PIN code. 

 

Using fake info when setting up some accounts may sound like a good idea but I have a buddy who got locked out of an account and when trying to reset his password he could not remember what fake info he used when he set it up. So best to do something that you can remember perhaps if our real birthdate is 2/4 use 4/2 instead, or 3/5. 

 

Still. Gizmodo or Wired he's an idiot for not making any backups especially his works as a reporter/blogger are probably drafted on his computer.

 

Did he seriously think that his hard drive will last forever? Even servers have mirroring RAID.

I won't disagree with you there. I'm just saying that people are using the name "Gizmodo" to sweep this incident under the rug because it's seen as some "stunt".

I seriously doubt that a respected magazine/site like Wired would want to be part of such shenanigans.
Edited by Mazda 3s - 8/6/12 at 4:58am

Yes, we certainly wouldn't want to embarrass Apple just because a customer's security was compromised by a "glitch" resulting in the customer's ownership being stolen and data destroyed. No, preserve Apple's image at any cost!

Same here - except that Time Machine backup is on a RAID 5 device. Plus, I have the entire thing backed up on SkyDrive so I have an off-site.

There are just too few facts here to be of any use. What information did the criminal have? If he had personal information given to him by the 'victim', it's not a crime.

Oh, and btw, he confirmed it with the 'hacker'. So why hasn't he filed a criminal complaint? This is a clear violation of DMCA. If that law were enforced a little more frequently, maybe security would increase. The blogger could probably do more good by turning the criminal over to the authorities than by writing a sensationalistic article about something that may or may not have involved negligence on Apple's part (if the 'hacker' had the answers to all the security questions, Apple is SUPPOSED to release the information.)

I hate these stupid security questions. Often, I can't remember or don't know the answers. "whose birthday party did you attend when you were 4?" or "what is the name of your first girlfriend's pet snail?" or "where did you go for your first vacation?" or other such nonsense.

Is it wrong for me to not care about or have much sympathy for tech bloggers, especially ones that are referred to as "Apple fanboys"? Maybe it's just me being cynical because most of the tech sites these days are so anti-Apple it isn't even funny. And why is it that only users of Apple products get labeled as "fanboys" by the media. So the 50M people who bought Samsung phones last quarter aren't Samsung fanboys? And pro-Android posters on just about every tech site aren't fanboys, but Apple customers are?

We don't know if anything was stolen.

The only thing we know (and none of it has been confirmed by anyone outside of the publicity hounds):
- Apple allegedly released information
- The 'hacker' allegedly had access to the security passwords
- The author (who is a tech blogger) didn't have any backups - and doesn't seem too concerned about the loss of data, anyway
- The author knows the 'hacker' since he was able to confirm what happened
- The author did not file a criminal complaint

Now, that doesn't guarantee that Apple didn't do anything wrong. It does, however, raise some questions about the entire incident. From what is presented, it looks as though Apple was presented with the right answers to the security questions and therefore released the information as they were supposed to do. I'm not sure what you wanted them to do.

 

LOL.

 

That's twice.

From what I read/heard on twit with Leo laporte.
He was very upset he lost his data
Apple did release information
He did backup his other home computers.
The hacker/thief sent a twitter message after he made a comment on his blog. They just wanted his twitter account (how in the world did you jumped to 'knows the hacker' ... Did you assume.)
They bypassed the security message/answer at apple tech support(which is the real story if true.)

Until we know in detail what happened, no blame can really be placed.

The 4chan of the guy claiming to be the hacker says he did it because he was pissed at Honan for putting up a front that he's a tech expert when it was 'obvious he's a total moron'. The hacker wanted to teach Honan a lesson. That Honan had no backups was not a smart move for sure and if he is as tech stupid as this hacker claims we can't take him saying it was 'social engineering' at face value as who knows how he is defining that term

Honan was on TWiT yesterday and it was a mess. What little he did answer didn't make sense and felt more like a pitch for his upcoming article about he whole thing. Frankly I was left with the feeling the hacker is right and Honan is basically clueless. So the suggestion that Apple did everything by a very strict book and the caller had plenty of info, given out by Honan at one time or another, to prove who he was is a viable one to me

It would be interesting to see how the supposed social engineering worked. If it was guessing the security questions it would be the user mistake. Otherwise I doubt if calling Apple would work easily, let's see what his excuse is. I bet we will find out that he gave some information, which could be used on the phone, to somebody to do this.

 

The whole thing sounds so rehearsed. Somebody worked out that if you got someones email  iCloud or other - you could use it go retrieve other emails, and reset passwords, and close down systems. Since the iCloud password couldnt be hacked he is claiming some kind of social engineering. Possible,  the people in AppleCare might relent with someone who genuinely forgot his password and had lost email, if there was some other information which only the user should know. 

 

So I could see this happening, if it didnt then some people would lose their iCloud for ever. However, how likely is that it happened to a gizmodo journalist, and not to a random guy on the street who then called gizmodo? Think about that. There are no known social engineering cases except a journalist for Gizmodo. 

But according to Honan that's not what happened. He wants us to believe that this hacker called Apple bad basically 'hi my name is Mat Honan and my password isn't working and I can't remember the answers to my security questions' and they just said okay and reset them.

Other reporters have tried the same call over the past year or so, even recently, and said it was hell to get anything. And yet Honan wants us to believe someone broke protocol cause it was tea time or such.

What do they mean by "clever social engineering"...thanks for the deets...NOT

Wired is much worse, in fact.  They are largely responsible for the indefinite detention of an American whistleblower:

http://www.salon.com/2010/06/18/wikileaks_3/

 

It would not surprise me if this latest story is just another attempt at giving Apple a black eye and getting them to kowtow to the US government in some way or another.  Stay tuned...the next piece of news we'll hear is that some congressmen will be demanding that Tim Cook appear before them and provide answers regarding what occurred here.

There is, it's called iTunes. Been there since before iCloud.

Not that it would help Honan cause he didn't back up his laptop and chances are that Apple won't have any method to unwipe it and they will refer him back to the warranty terms where it says they don't cover personal data

IF someone at Apple screwed up then I'm fine with them making it a major story, but only if they can prove it was an Apple screw up. At this point the deck is still equally spilt on yea or nay.