Users raise questions about Apple's security after iCloud hacks
A small number of iCloud accounts reportedly protected by secure, randomly generated passwords have been compromised, prompting speculation by users that a security breach may have occurred on Apple's servers.
The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudoly randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."
A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.
Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.
Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.
One user, with the handle "?ivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.
"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."
The details come from a thread on the Apple Support Communities forum, where users of Apple's iCloud service have voiced concern that their accounts were compromised. One of the affected people, with the username "solargaze," said their Me.com e-mail address was hacked into and began sending out spam on Wednesday.
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudoly randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
"I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few other people on the forums who are reporting that their account was used for spam in the last few hours."
A second thread was also started this week by another user experiencing similar issues. The threads have a relatively small number of replies and reader views, suggesting any possible coordinated hacking of iCloud accounts was not widespread.
Users affected by the apparent string of hacks say they found a series of spam e-mails in the "Sent" folder of their iCloud e-mail account. The advertisements were sent to users' contacts that were synced with iCloud, and were related to "making money on your home computer."
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
That person said the spam messages were sent out to contacts that were only synced with iCloud. Contacts stored with Microsoft Outlook and Mozilla Thunderbird did not receive any spam from their account.
Most of the users on the thread said they do not use their iCloud or MobileMe e-mail addresses. They discovered their account had been compromised after they received text messages and e-mails from friends notifying them that their accounts were sending out spam e-mails.
One user, with the handle "?ivindfromoslo," said they spoke with an Apple support representative who assisted them in removing all of their contacts from iCloud. They said they hadn't logged on to the iCloud.com website in six months and never used their Me.com e-mail address.
"I suspect that the entire issue is caused by some weakness on (Apple's) end," they wrote, "either in the icloud.com logon part or in the iOS software (one might be able to extract iCloud logon info with a specifically crafted website or something, who knows)."
Comments
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.
Quote:
"I'm an IT professional with 10 years experience, and wouldn't fall for a phishing scam even on my drunkest of days," user "tsnow20" wrote in the same thread. "No, my password wasn't guessed either. Trust me."
The fact that this person is an IT professional with 10 years experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it) Maybe someone put a key logger on his computer at his job.
Very curious circumstances ("I never use my iCloud account") with a complete denial of mea culpa by all posters. Several of the posters are convinced their passwords are nigh impenetrable (randomly generated, alphanumeric and special characters with caps and lower case letters) and they are not "n00bs" who call tech support.
I believe if iCloud were hacked we would see wide spread instances of spam rather than ten posters. While there are likely ten or one hundred times more people who aren't posting about the spam that is still a drop in the bucket of iCloud users.
Or he logged into a machine that was compromised.
This guy being a Pro means that he knows that it's still possible to brute force a random password. That was something like less than 100 out of millions of users actually shows that Apple's security is tight and someone did just get lucky with the randomizers.
I know a white hat that tried this kind of stunt just to prove to a client that it was possible. He had his script drop all passwords that had words, was less than 12 characters, didn't have at least one number and one symbol. He also checked all number sequences against the zip code listings in the country and removed any password with that sequence. Took something like 5 days but the clients 'totally impossible to break' password was broken.
This particular white hat actually said that most of the time when he hacks a password for a client to show security issues it's not the password that gets him in, it's the security question. As the WH put it, the best password in the world doesn't mean jack if your question is "who is Sir Fluffy Barks A Lot" and he can go to Facebook, search the same email and there is your dog in bold living color all over the page. And he's seen it. A lot. Even with corporate clients. They have where they work on their page so even though the emails are different he can still match it up and 99% of the time the answer to the question is there
It's also possible that these folks are just lying about how good their passwords were or that they got phished and are too embarrassed to admit it so they are blaming Apple. Even IT Pros can be fooled because their arrogance makes them sloppy
Quote:
Originally Posted by SolipsismX
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.
I don't consider that "off topic" and I agree entirely. In fact, everyone please submit a feature request here. You can just copy and paste SolipsismX's text.
If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:
Greetings,
I beseech you to add or change questions in iTunes security. While I applaud the additional scrutiny, the questions are too restrictive and quite honestly I can't remember the answers to most of the questions. Unfortunately, since the questions are too restrictive I am unable to purchase any new content from Apple until this is resolved.
Here are examples of questions which Apple is asking:
What was the first care you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?
Which of the cars you've owned has been your favorite?
Who was your favorite teacher?
What was the first concert you attended?
Where was your favorite job?
Who was your best childhood friend?
Which of the cars you've owned has been your least favorite?
Who was your least favorite teacher?
Where was your least favorite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?
Many of these questions contradict or are contraindicated by good security question principles:
The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.
Bad examples:
What is your driver's license number? (I haven't memorized mine, have you?)
Car registration number (this may be easy for others to find on the web anyway)
But don't use questions that go back to childhood, or for that matter last year for someone like me.
Bad examples:
What was the name of your first pet?
What was your first car, favorite elementary school teacher, first kiss, etc.
http://www.goodsecurityquestions.com/designing.htm
Please add questions that the average person over 40 can actually remember, more imporantly see the website listed above for security question best practices:
In which city, county and state were you born?
What is your maternal grandmother's maiden name?
Thank you very much for your time and consideration,
"MacBook Pro"
Interesting that most of hacked people claim to be IT. Why I am not feeling better about IT people now?!
Quote:
Originally Posted by SolipsismX
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all syncs via one account which makes it easy for a single person to spy on your activates and whereabouts.
It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.
Quote:
Originally Posted by Gustav
The fact that this person is an IT professional with 10 years experience does not add validity to his statement. I've known plenty of IT professionals - some smart, some not as smart. Why should we just "trust him?" Maybe a coworker watched him type his password. Or someone was looking over his shoulder while he typed on his iOS device (where the last character is shown as you type it) Maybe someone put a key logger on his computer at his job.
Quote:
Originally Posted by SolipsismX
Or he logged into a machine that was compromised.
Or someone is capturing his wireless network traffic.
Or someone hacked the random password generator (and those 10 posters all using the same application).
Or someone really did use a brute force attack on their password.
It took me about 30 seconds to figure out a "crack" for iCloud if I have someone's Apple ID and considering the ubiquity of iCloud you can probably just try any name at iCloud.com with some small chance of success. Unfortunately, iCloud is very vulnerable to social hacks apparently (based on the 30 second "crack"). I should add that I am no Charlie Miller either so this is something any computer savvy person could discover (disclaimer: I do have formal education in network administration).
Quote:
Originally Posted by NasserAE
It was possible to see your devices with MobileMe. I don't know why you can't with iCloud. I think this is a basic feature that needs to be added. If you write a feature request for this we can then copy and paste it into Apple feedback form.
Haha. See the post immediately preceding yours. I just copied and pasted his text verbatim.
As for security questions, I always answer them with nonsensical answers.
What was your mother's maiden name?
Traffic light is green.
What is your pet's name?
Do you like yellow?
Where were you born?
I ate a pear.
And answer them differently for each site. Store them in an encrypted file or write them down and store the paper securely and you're good.
If these are randomly generated passwords that are too complex to remember, and only iCloud contacts are being spammed, then it's pretty obvious these people are using password managers, and most likely that is where the security breach lies. They probably have some kind of phishing derived malware on their machines. At least one of them is a Windows based user. I wonder if they all are.
Quote:
Originally Posted by NasserAE
Interesting that most of hacked people claim to be IT. Why I am not feeling better about IT people now?!
Does this fact suggest that IT people are more susceptible to being hacked or they are more likely to detect the intrusion? Causation vs correlation...
Did these people use the same "uncrackable" password on yahoo.com, hotmail.com or elsewhere? If so, a breach of security at potentially any of these sites could have led to their me.com account being compromised.
I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way. e-mail, caldav, carddav.
This is deeply worrying news for consumers who are actively living in the iCloud.
Quote:
Originally Posted by eksodos
This is deeply worrying news for anyone dumb enough to use the same password everywhere they go and exhibit unsafe logging practices.
You mean.
I don't understand why people think it's so impossible to crack a password. It's possible and it happens a lot. My friend with a yahoo mail account sent me spam the other day. I was even hacked some time ago when I was using yahoo mail. That password was pretty damn good, I thought. It happens everywhere. With a 20 million people using something, 10 are bound to get hacked sooner or later. When there are 50,000 getting hacked, well then I'll care about it....
I like how everyone initially points the finger at the service provider when they have been hacked. This is right before they discover one or more of the following:
1. Their password was their name/address/dob/password/password00/passw0rd etc
2. Their PC in infected or they logged onto an infected machine which grabbed their stored passwords.
3. They logged onto a phishing site.
4. They use their icloud account email address and same password for Facebook etc and it was hacked from there. This happens A LOT!!
The weakest link in this is the user and then to cover up their stupidness they blame the system.
Quote:
Originally Posted by AppleInsider
I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudoly randomly generated string of 15 numbers, letters
lol, and then he goes on to say he has IT experience. I guess he never heard of key loggers, malware, password hashing, social engineering, etc, etc, etc, in all that time eh?
Eight characters and a capital!
/blonde