back to article Scribe's mobe, MacBook pwned after hacker 'fast-talked Apple support'

Tech journo Mat Honan has told how he helplessly watched a hacker remotely erase and lock his iPhone, iPad and MacBook after his iCloud account was hijacked. It's a cautionary tale against relying too heavily on one cloud platform. But the kicker? It's alleged that the miscreant sweet-talked an Apple support staffer and …

COMMENTS

This topic is closed for new posts.

"having a 3-letter Twitter [handle]"

Sorry, what? What difference does it make what his username is? That's not privileged information, does he mean the password?

4
0
Anonymous Coward

Probably they mean that it would make him a higher profile target.

2
0
Anonymous Coward

Oops

He must really have piss*d someone off with one of his stories.

0
0
Silver badge
FAIL

Account hacked?

You're using it wrong.

8
3
Anonymous Coward

Re: Account hacked?

Looks like the HSBC error message is more accurate than first thought.

0
0

It's a cautionary tale against relying too heavily on one cloud platform.

It's a cautionary tale against relying too heavily on any cloud platform as your sole datastore.

Fixed it for ya.

23
2
Silver badge
Boffin

Fixing the fix

It's a cautionary tale against having a sole datastore, or having none which are offline.

7
0
Bronze badge

It's a cautionary tale against relying too heavily on any cloud platform as your sole datastore.

iCloud wasn't the sole datastore here, just backup. The problem is that access to this backup also grants access to delete the primary store.

-

Tricky one now for Apple - can they help him get anything back from his MacBook or not? And if they can what does that say for the security of their remote wipe procedure?

18
0

This post has been deleted by its author

Tricky one now for Apple - can they help him get anything back from his MacBook or not? And if they can what does that say for the security of their remote wipe procedure?

He said in his Tumblr post that he removed power from the MacBook before it had the chance to begin the data overwrite phase of the secure wipe process, and that that is why Apple think they might be able to restore the data for him.

1
0
Law
Black Helicopters

"iCloud wasn't the sole datastore here, just backup. The problem is that access to this backup also grants access to delete the primary store."

I have a primary store (my mac), an offsite backup (livedrive) and an offline backup (removable hdd backup timemachine). Once a month I'll back up locally using my ext hdd, the rest of the month livedrive syncs.

My main worry is my gmail account which I do attempt to export occasionally. That basically has all my live drive details in it, any software serials, contacts, calendars, and god knows how many years of my emails with random info on there.... if I lost that, I'd be pretty screwed.

0
0
WTF?

Don't Apple do backups?

Surely they must have a copy of the stuff he had in their cloud, somewhere?

4
0
FAIL

Re: Don't Apple do backups?

My thoughts exactly. His docs, pics, etc should be mirrored out there in the iCloud. If the remote wipe feature purges all data from the computer, whether the iCloud has a copy or not, and the question remains of why not, that's a fairly scary situation to be in. Someone hacks Apple and now you run the risk of losing everything on all your iDevices before you get notification from Apple.

If I lose my laptop, remote wipe isn't my savior, it's the full-disk encryption and long password that saves me.

1
0
Facepalm

Re: Don't Apple do backups?

A bit more difficult to turn it off these days being you can't remove the batteries and they wake up on LAN and silently update whilst asleep.

Remote wipe on the iPhone doesn't actually wipe the data, it merely throws away the keys used by the hardware encryption.

1
0
Trollface

"Apple had not returned a request for comment at the time of publication. ®"

Surely, you can drop this line at the end of your reports now ;-)

2
11

iGnore?

11
0
Windows

RE: @"Apple had not returned a request for comment at the time of publication. ®"

It's part of El Reg's page template

9
0
Headmaster

Re: Apple had not returned a request for comment

They do seem to have gone off you again.

Anyway, about this turn of phrase: please see the last BOFH story and learn the lesson of speaking plain English, as, for example, Apple had not responded....

A returned request would be like a returned letter.

I do admit, though, that this is not nearly as bad as inviting someone to revert to you --- when they were not you in the first place!

And to the victim of this tale, I say ... keep backups, for god's sake. Backups you can take from a drawer and connect to your computer, not just backups that rely on someone else's service.

1
1
Meh

While it's no excuse to be smug, how can anyone who is familiar with computers possibly rely on the 'cloud' for backup?

11
0
Silver badge
Trollface

While it's no excuse to be smug, how can anyone who is familiar with computers possibly use Apple?

There, fixed it for you!

3
6
Silver badge

rely? I would rely on my cloud backup if my local HDD overnight backup failed, and the overnight NAS backup to separate building failed and the rolling tape backup failed. Then the cloud backup would be relied upon.

In this case it wasn't so much the cloud backup failed, it was that the cloud backup along with primaries were wiped by a third party.

0
0
Big Brother

Due Diligence

I'm sympathetic to Mr. Honan's loss. I've been burned myself and in retrospect I could have avoided it by more carefully considering what exactly it was I should be doing.

The Apple iCloud and the like have been rammed down the public's neck in a marketing blitzkrieg to gain and further control of users' data, apps, hardware, communications, location, and travel, spending and social behaviors. What gives?

It's ok to 'just say no'.

8
1
FAIL

You play with the devil

that's what happens...

Really, a tech journalist should know better. Apple can wipe everything you own, hardware or software at the press of a button.

It's a weekly occurrence here, that someone is crying because their computer's HDD failed, and when they put a new one in, their iPod was wiped of all its music. I just laugh at them and ask them what they expected when dealing with Apple.

17
5
Anonymous Coward

Re: You play with the devil

Goodness, are you really so technically ignorant that you can not explain to them about synchronisation? Or are you just a nasty, conceited piece of work?

2
1
Bronze badge

The Gizmodo thing is Gizmodo's fault. They say themselves he was an ex-staffer who still had access. Why?

Most of the rest is Apple's "fault" for allowing the bypass of their security procedures.

But not having other backups of the data, or other ways to access it? That would be the victim's fault.

Don't rely on the cloud. It's just not worth it. Don't rely on any one company, entity, connection, location, storage, it's a simple rule.

The only other difference, I think, is really how much control you voluntarily give to the people behind the OS running on your phone / laptop. Personally, my phone being wiped or blocked wouldn't be that much of a chore. I'd hunt down a replacement and copy back over my contacts list. My laptop, on the other hand, I would not be pleased to find had been wiped remotely. Yes, I have backups but the SETUP of that machine and the ACCESS to a facility that can remote-wipe the drive is not something I'd trust anyone else with. Hell, I'm not sure I'd trust ME with a button that did that (hence, I don't use remote-wipe software for laptops).

I would not trust Apple with that facility. I would not trust Google with that facility. I would not trust any brand-name with that facility. There's just too much inconvenience if they get it wrong or do it by accident. If you want that, encrypt the drive and make MASSIVE amounts of backups of the keyfiles. If it's stolen, it's already "remote-wiped" with undecipherable random data that's useless without the key. But the difference is, if it's returned you can restore access and know it was untouched and you can also do so without reliance on ANY brand-name company whatsoever to do it for you (or, in this case, not do it for you).

Remote-wipe is for people that haven't found TrueCrypt yet, or are too thick to not keep their keyfile/passphrase scribbled on a post-it stuck to the machine that would get stolen along with it, and those who implicitly trust a multi-billion dollar company to work in their interest, perfectly, all the time.

6
0
Silver badge

I would guess the Apple staffer is a soon to be if not already ex-staffer. Anyone who allows all security questions to be bypassed is clearly not fit to carry out the role they have been given.

0
0
Stop

I think the fault lies with the person who hacked the accounts and wiped it.

It's a bit like saying someone's house being burgled was their fault because they used a 3 lever lock and not a 5 lever lock. You might as well blame him for using the internet without a degree in cyber security.

0
0
Anonymous Coward

Pwnage?

There's an app for that.

7
0
Trollface

He eventually managed to get back into his iCloud profile and change his password, but Apple couldn't do anything about the fact that all his iDevices had been wiped - losing photos, documents and emails - other than getting him an appointment at one of their Genius bars for the MacBook.

Genius' ? really ? This line alone made me ROFL - started LOL when MacBook appeared....still LOL now.

9
1
Gold badge

I have just a single question for this techno journalist

WHY DID YOU NOT MAKE YOUR OWN BACKUP, YOU MORON?

Honestly, someone with just the smallest smidgeon of a clue would have backed up at least his laptop (it's harder with iDevices because iTunes only keeps 1 backup, thus erasing the very thing you need when you connect the device for recovery - duh). It's not like it's hard on a Mac, even if you don't use stuff like Carbon Copy for a bare-metal backup you can even just boot from in case of emergency there is still Time Machine.

Personally, I will not go near iCloud, but Apple is trying to brute-force people down that route by making it the only resource through which you can keep notes and reminders in sync (you can use groupware for calendar and contact sharing). As a matter of fact, the very first thing it does when you enable iCloud is make an immediate copy of your contacts - it doesn't even ask. Only after it has gone live can you kill that off - you then have to log into iCloud to zap what it has copied. AFAIK that breaks Data Protection rules in Europe, but IANAL.

Anyway, nice single point of failure. True Cloud services - the data went up in smoke..

7
3
FAIL

Re: I have just a single question for this techno journalist

+1. The Cloud is not a suitable backup strategy. All it does is keep your devices in sync. Anyone who thinks that Apple / Google / MS / Dropbox is keeping all their stuff safe deserves to lose it all.

Back your stuff up yourself. It doesn't matter what you use; Time Machine, CCC, rsync, as long as you have at least one (bootable) copy in the event that your main HDD goes south. It's YOUR data and YOUR responsibility to ensure its safety.

3
0
Anonymous Coward

Re: I have just a single question for this techno journalist

Nonsense. Cloud storage is convenient and saved a friend of mine's iPhone data twice when she managed to lose the lot, being a normal user in a normal job, whose obsessions, work and spare time do not involve understanding computing or any technology. But there are other, easy, if less handy and hands-free ways to synchronise your devices.

I do not use iCloud because it entails storing data on USA hosted machines and I do not trust USA legal access rights. But I still sync data perfectly well.

These cloud services are not meant to be ultimate back-up services. They are a convenient way for the normal user, from school child to pensioner, to get some modest data security and universality (I know Google would have it otherwise; but that does not make them right).

0
1
Silver badge

Re: I have just a single question for this techno journalist

I am not totally up to date on Apple stuff. However I imagine there is an app similar to Windows Backup? On my personal machine at home I use Windows 7 inbuilt backup to an external drive. This is my nightly incremental backup. I also backup to my personal web server hosted "somewhere" via webdav mapped drive and a simple robocopy script (pretty much "cloud"). I can bare metal from the hdd or get my essential stuff back from the web server if need be. I'm sure Apple can do the same with a HDD that wouldn't have been wiped.

0
0
Anonymous Coward

As much as people will make out this is a technology problem, the weak point is as ever a human being on the phone.

This is a confidence trick as old as the hills. It can affect any company and any platform if the human at the other end of the phone is fooled.

4
0
Gold badge

Yes; the weak point was a human being, but not because of confidence tricks.

Seriously think about it. It is a system that contains a mechanism to permanently erase all the primary data and the back-up at the same time! How many other backup systems do you know with this feature?

3
2
Anonymous Coward

Pardon

It's not a back-up system.

0
0
Bronze badge
FAIL

If this guy worked for me he would already be at the jobcentre

"But Paul Ducklin at security firm Sophos said that these kinds of social engineering attacks were "really hard to defend against".

"You can have - and enforce - utterly inflexible procedures for password reset, but in my opinion, the main reason companies endorse this sort of inflexibility in technical support isn't to improve security, it's to save money by taking humans out of the loop," he said. "The inflexibility means that legitimate users will, from time to time, be incontrovertibly incommoded.

"Or you can keep humans in the loop, and run the risk that their occasional helpfulness will occasionally be off the mark. That's what happened with Honan."

===================

What a load of bollocks!

All of our account management is handled by people and we have rigid and inflexible processes for a reason, so that social engineering attacks using sweet talk will fail. Of course if someone can answer the security questions then they will get past security but if they fail they should stay failed regardless of how sweet they are on the phone.

If any of my team did what the Apple droid did they would be fired, no ifs or buts, it's even in the job description.

Yes we piss off customers who cannot answer the security questions and yes I get the escalations and an earful of abuse from those who cannot get a password change or account details as they can't pass security and as I explain to them, would they be happy if I called up their bank, failed security but still got given all the money in it?

At the end of the day proper team training and an adherence to process will maintain security, but you would hope a security advisor would know that.

21
2
Silver badge

Re: If this guy worked for me he would already be at the jobcentre

Not sure why you got downvoted. Seems pointless having security questions if they can be bypassed.

1
0
Gold badge

Apple fail

In a way it is good that Apple has demonstrated that having good quality passwords counts for nothing if you have helpdesk staff capable of overriding it (I guess the same goes for Google's two-factor login - insiders beat front end any time). What I want to know is why it wasn't possible to start such a reset process with a code sent via iMessage to all his devices? They had his Apple ID, so they had an address, and by sending a reset code which needed entering together with some private details such as last iTunes purchase or something it would have stopped the hack attempt dead and would have alerted him to the attempt in progress..

1
1

Re: Apple fail

Sorry, but you're missing the point of remote wipe completely! The idea (and it's useful in many circumstances) is that if your device is stolen, the thief can be prevented from accessing any sensitive data. Kinda hard to do, if the thief has to give permission for the wipe to happen.

"Mr. thief, would you mind terribly if we eliminated all the data you've tried to obtain (Y/N)?"

2
1
Gold badge

Re: Apple fail

Umm, no, the helpdesk was asked for a password reset, not a remote wipe. The remote wipe was initiated by the hacker after he gained access - if helpdesk had given the actual owner a heads up that such was in progress it would have never gotten to the remote wipe stage. In addition, call me paranoid but especially the ability to reset my password by a 3rd party would have me worried - I have an obligation to protect client data, and some untrusted 3rd party resetting my password would not go down well in an audit. QED..

On the topic of remote wipe on iPhones, all the lucky finder has to do is to kill location services on the iPhone so one hopes you have at least a timed password/PIN set.. I have the "try 10 times and I nuke the device" option enabled - the cost of the device pales in significance to the potential costs of data disclosure, and my nervousness about any organisation having remote control access to my machine has been proven correct.

Personally, I would prefer Prey (preyproject) for my laptop if it wasn't for exactly that 3rd party control risk.. It works, and does a lot more if there is a problem, but I can't use that either. Sigh.

0
1
Silver badge

Re: Apple fail

Remote wipes are also part and parcel of an Exchange account too. This isn't the domain of Apple entirely. Get your Android tablet or phone to sync with Exchange and see the warnings pop up.

1
0
Thumb Down

Re: Apple fail

Yup.

My work just switched email systems from FirstClass [AKA "FirstCrap" ] to Outlook and, after I linked to the Outlook account with my iPhone, I noticed a new option to remotely wipe the device appeared in Outlook's preferences. Needless to say, I promptly unlinked my phone from the account again and, if I need to access my work email on my phone, I use the Outlook web app.

0
0
Meh

Backups and Passwords

I really don't get this obsession for backing up to the cloud. Yes I use Dropbox for some of my data, but most of it resides on my mirrored drives in my machine. Every night an incremental backup gets made which is copied to a backup drive, then once per week this backup is copied to an external hard disk which is then locked in a fire safe. Yes it's overkill, but it means that should my machine be corrupted, damaged or stolen, my data will be safe.

As for his gmail being deleted, it sounds like he used the same password in multiple places, since gmail requires that you enter your password to make certain account changes, plus any really important mail should be backed up!

If this was some ordinary user I would have to feel a little sorry for them, and would perhaps offer them some helpful advice to avoid it happening again. As a tech journalist however, they should have known better than to rely on 3rd party services!

0
0

Re: Backups and Passwords

"As for his gmail being deleted, it sounds like he used the same password in multiple places, since gmail requires that you enter your password to make certain account changes, plus any really important mail should be backed up!"

The attackers never had the password, mate. Apple let them in without knowing password or security questions. How could the journalist protect himself once they owned his phone?

0
0
Facepalm

It's not clear from the article that any data that had been backed up to the iCloud was deleted, only that the remote wipe cleared data from the various iDevices.

A physical backup would have helped, but most people are unlikely to have a backup schedule to prevent precious documents/photos/contacts etc. from being deleted.

0
2
FAIL

"A physical backup would have helped, but most people are unlikely to have a backup schedule to prevent precious documents/photos/contacts etc. from being deleted."

This is precisely why Apple introduced Time Machine; something like 7% of users regularly backed up their data at the time. It's not exactly difficult; you plug in a USB / Firewire HDD (or connect to a network share) and it does a backup of your HDD, a full one first and then incrementals. Anyone who has a Mac has NO EXCUSE for not having a recent backup. I rather suspect that the first question the Genius asks will be along those lines. At which point he'll look embarrassed and mutter "no".

3
1
Bronze badge
Pint

Can this from Woz be any MORE appropriate?

http://www.zdnet.com/wozniak-i-really-worry-about-everything-going-to-the-cloud-7000002193/

I'll pass on "The Cloud" thanks.

3
0
Gold badge

Re: Can this from Woz be any MORE appropriate?

Never gone near the whole idea. From my perspective, all this "sharing" just makes life easier for unlawful intercept and identity thieves to get what they need to make people's life miserable. No thanks.

0
0
Anonymous Coward

The problem with a walled garden

is once the tiger is inside the walls you've got nowhere to run and nowhere to hide.

14
0
