Apple says iCloud not compromised in Australian ransom scheme
Two days following initial reports from iCloud users in Australia who had their accounts breached and devices held for "ransom," Apple issued a statement saying its cloud service was not compromised in the attack.
Message from hacked iMac. | Source: The Age
In a brief statement issued to press outlets on Wednesday, Apple expressed its concern over a recent situation that found Australian iCloud users locked out of their own iPhones, iPads and Macs by nefarious hackers, reports ZDNet. The attacks have since spread to New Zealand, the U.S. and Canada.
Apple's statement:
"Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store."
A number of Mac and iOS device owners in Australia were reportedly affected by the hack, which apparently used Find My iPhone and Find My Mac to lock targeted devices and send a ransom message that read, "Device hacked by Oleg Pliss." Users were then directed to send $50 to $100 to a PayPal account in return for a device unlock.
It is speculated that the hacker, or hackers, gained access to affected iCloud accounts through password reuse. As noted in posts to Apple's Support Communities forum, users who previously set a device passcode were able to unlock their machines. By design, Find My iPhone's functionality only allows users to set a password for devices that don't already have one assigned.
Those who did not have a password set prior to the attack were forced to take the issue to Apple.
Comments
What in the Hell is the writer trying to say in the last paragraph of this story!!
"...users who previously set a device passcode were able to regain control of their machine shortly after receiving the ransom note."
That is total gibberish! Is the writer struggling to say the users had a passcode set for their iPhone, or they didn't have a unique passcode as the rest of the story implies? Then they received a ransom note and then mysteriously regained control without paying the ransom? Or maybe they did pay the ransom, who's to know??
And what is this about LOGGING a passcode?? The rest of the story talks about SETTING a password, then suddenly, in the LAST paragraph it becomes "LOGGING a passcode." Did someone go to lunch and leave it up to someone else to type the last paragraph?
What I got out of this piece of pathetic prose is that something happened in Australia that spread to other countries. The iCloud had nothing to do with it...or maybe it did, but it's not Apple's fault if it did. Then it was all mysteriously cleared up in the last paragraph.. or maybe it wasn't. The solution seems to change a passcode on either your device or iCloud or somewhere it can be LOGGED. or maybe set... who's to know???
The reason why it's "gibberish" is that somehow you think a device passcode or password and an iCloud/Apple ID password are the same thing.
What's so hard to understand? A hacker got hold of some users' iCloud passwords because it was the same password they used on the account that the hacker actually hacked. While in iCloud they used the "Find My iPhone (iPad)" function and locked out the device. As if the owner of the device had it lost or stolen and got into his iCloud account to lock it out. If the device had a passcode already entered, the "Find My Device" uses that passcode to regain access if the owner gets it back. The hacker couldn't change it. But if there was no passcode entered, the "Find My Device" lets you enter a passcode. The "Find My Device" also lets you put a message on the lost or stolen device. Which is how the hacker got his ransom message to display. So users that already had a passcode could still unlock their device because they know the passcode. Users that didn't have a passcode were stuck because the hacker put in a passcode that they didn't know. I assume that if the hacker changed the iCloud password, the account owner can still get into his account by going through the "forgot my password" function and answering a few security questions.
It would be good if the Internet Accounts preference pane in OS X would warn you if you're using the same password for multiple services.
I think a close reading of the paragraph Konqerror quoted shows the Author may (or may not) have thought they were the same thing as well. That paragraph is clearly gibberish. If you know the difference you can guess the author's intent. However, that does not reduce the level of gibberocity.
The use of password in the first paragraph makes the unneeded switch from passcode to password in the last two sentences confusing. I knew what the author meant. What he wrote was technically correct. Technical correctness does not mean it was the best way to write it. Just changing the last password to passcode makes the paragraph 100x better.
I am not sure about the whole "log" a password thing. If that statement was previously part of the paragraph (it has since changed) and if it actually used to say log, it was 100x worse than the bad paragraph I just went through. Even the updated version would be clearer if the use of password was also changed to passcode.
Maybe Konqerror overreacted a little, but blaming him for being confused is silly. It could have easily been written clearly and wasn't. There was no benefit to the reader by switching from passcode to password.
> It would be good if the Internet Accounts preference pane in OS X would warn you if you're using the same password for multiple services.
That's not at all a good idea as the Internet Accounts pane doesn't have access to every account and password you use around the web and could lead to a false sense of security. It's bad enough that users already don't take responsibility for their own security; thinking that the computer is going to do it for them just makes matters worse.
If these people want to make sure they're safe, their best bet is to use Apple's iCloud Keychain along with Safari's password suggestion feature. This way every site they log in to will have a different and completely safe password. All they need to do is make sure their Keychain password is kept safe and not used anywhere else around the internet.
I've gone one step further and created iCloud email aliases that I use when creating accounts on the web; I have different email addresses for posting on message boards, online shopping, and accounts for other online services. None of which can be used to log into my iCloud account and none of which do I ever use the same password as my iCloud account or system password on my computers at home.
No wonder Apple's cloud is not compromised in the scheme; social engineering is the mother of all hacking, and phishing is a new form of social engineering. I constantly receive phishing emails from fake Apple services asking me to log in to my Apple ID account; no wonder someone somewhere gets caught.
Here is my word of wisdom: never click on a link within an email to log in to any online service.
You have to verify a bank account with PayPal to set-it-up, so at some point, there has to be some type of "legitimacy" and point of reference to the person, no?
But who wants "easier and more secure"... pay the ransom and just keep up with the herd...
Good news, though still no word on the previous hack. The one that allowed the unlocking of locked iPhones using a fake server. Makes me think in that case there definitely is a problem, else Apple would already have issued a clarification/denial as is the case here. No evidence that in that hack user data is at risk though. But still a problem that needs solving.
The only way to resolve security issues based on social engineering, like the one exposed in this article, is to eliminate the user idiocy constant from the equation, which is pretty much impossible.
> I assume that if the hacker changed the iCloud password, the account owner can still get into his account by going through the "forgot my password" function and answering a few security questions.
Not completely true. What if the hacker actually hijacked the iCloud accounts or Apple ID in which they reset all security questions? Now, your iCloud/Apple ID is no longer yours and your iDevice is permanently unusable due to the Activation Lock (you don't pay, they remotely wipe the phone and you can't reactivate it after restoring iOS).
Not sure how the reset password is set up in iCloud. But on eBay, when you request a password reset, eBay will email you a message and you have to click on the link provided to reset your password. So a hacker can't reset the password because he wouldn't be the one getting the email.
What would really worry me if some hacker accessed my iCloud account is whether the hacker can copy the backup files of the devices I have and then use them to restore another iPhone or iPad or Mac and end up seeing all my info.
However, if I log in to iCloud in Safari, it does not engage the two step auth. Why is that?
That is by design. Apple doesn't want to inconvenience people by making them dig out their phones every time they access iCloud. (It is a real impediment: I find myself not bothering with Google and such 2-factor and choosing to wait until I get back to my desk instead of pulling out my phone, unlocking it, starting the app, copying the number. Even worse is my bank which you have to wait for the text.)
This way 2-factor protects your account from hijacking where an attacker changes the e-mail and password, while not getting in the way of lower-value things like your e-mail.
Makes sense. However, if someone had my laptop, and my iCloud login, they could then remotely erase my iPhones and iPads yes?
If they had your iCloud login, they could remotely erase your stuff, yes, but that isn't what computer crime is targeting. Criminals are going to change your e-mail and password and demand money for your account. They can't erase your laptop and say "give me money now".