End of the world?
"Apple Australia has contacted The Reg..." Surely one of the signs of the Apocalypse?
Apple has denied that a breach of its iCloud service is the reason for an outbreak of ransomware infecting Australian iThing users. Australian Apple owners yesterday complained that their beloved hardware iStuff had been remotely locked by a chap identifying himself as Oleg Pliss and demanding a PayPal transfer of $AUD50 to …
"If Oleg Pliss is the vanguard of such efforts, millions of people are in peril."
No, millions of plebs who can't be bothered coming up with reasonable or even DIFFERENT passwords are in peril. Or, worse still, if they're from the "I have nothing to hide" wanker brigade, perhaps now they'll learn they DO have something to hide after all. Or not. I just don't care anymore.
That's only partly true - well the initial bit - though, isn't it?
If the entirely predictable eBay fiasco has yielded 145-million email addresses, (maybe encrypted) passwords, names, addresses, phone numbers, dates of birth ... then that's what, 5-10% of all internet users?
If the only thing to blame users for, is using the system; then really its the system that should be blamed.
Billions of people are in peril, at least in the first-world sense. And have been for some considerable time. Because the system is rubbish. And yet billions of people have been utterly convinced that it is the single most fantastic thing since spacehoppers. And worse, have been convinced to divulge detailed personal - and in many cases / circumstances, highly confidential - information, to lord only knows who. (And, as the lord probably knows, those people couldn't keep it secret).
Even if (and unless, maybe) you really do know what you are doing - and if we are all brutally honest; if only here, amongst ourselves - you would need a massively important reason to use such a system, given the peril to which you expose yourself.
If you had to shout out loud, most of your personal details - even if you did so using a code - before you could use an ATM; how many people would go queue inside the bank instead?
Then the system is up the chute because its abjectly failed the people its supposed to be serving, and if you can't see that but carry on bleating about secure passwords etc then you are part of the problem.
The complacency in our industry that blames the user when the systems we provide for them are demonstrably not secure is a big part of the problem.
Millions are not in trouble, they're in PERIL!!!!!
I can imagine the movie now, a mile-wide meteorite is heading toward Los Angeles, Godzilla is attacking Brisbane, Transformers are pulling apart the Pyramids, giant worms are swallowing people alive in Swansea and, to make things worse, billions of people are also in peril!
I think though that this is serious and recent events may finally move us into an era where normal, unwary users finally realise that passwords are important and are more than just a means to stop your kid sending 'sdkjfhkaefhwueafgwe' in a text message to your boss.
I don't want people to realise how important passwords are and so come up with decent passwords. I want people to realise how important passwords are and so put electoral pressure on our lords & masters to make the storing of unhashed passwords and unencrypted personal data a criminal offence. It's not 1998; the Web is not new: there is no excuse for this shit.
Needless to say, no matter how much they bleat Apple have to provide a fix for this.
By not adding security via CAPTCHA etc to Icloud they have opened themselves up to this sort of cross device vulnerability.
I seem to recall something similar with mains adaptors, ie plugging in an IDevice in can not only result in total ownage but this can't be detected from the outside.
The latest version even fakes the update process complete with download bar and fake install routine.
Even worse, there are counterfeit chargers with this built right in albeit only seen in thankfully small quantities and only in the lab as of yet.
Apple devices are uniquely vulnerable as they are power hungry and need charging every day,
That thought occurred to me, too. If it were the result of a large-scale breach at $OTHER_PLACE, we would not likely see the exploits so localized.
It could even be the result of something as mundane and ho-hum as a phishing attack. Hell, I get phish emails asking me to "verify my Apple credentials" at least once a month.
A coordinated phish attack is less sexy than hackers trawling through troves of stolen eBay data and targeting people who reuse passwords, but it seems a bit more plausible to me.
Though payment in AUD might be the spearhead... wait for USD, GBP, EUR, JPY to follow, maybe.
Can you factory reset an iThing without external hardware? e.g. Power + vol down + home from poweroff on some (all?) Android devices. I guess not otherwise this might be mentioned as a last resort recovery option.
If the 'ware prevents you switching off your phone to do that you can always take the battery out to reboot it and perform a reset combo. Oh. hang on.
"Pliss is likely in possession of usernames and passwords gleaned from sources other than Apple and has attacked users who use the same identifier for multiple services including iCloud"
Maybe not in this case.
It seems several users have changed their password and got "captured" again by Pliss.
This may indicate that the breach is more interesting than just re-used password... maybe even a DNS poisoning at ISP level
My understanding is that this only affects users who don't have an unlock passcode on their device, because they have disabled screen lock. If so, Apple will want to force all users to set an unlock passcode that is active even when screen lock is disabled, so they have a way of unlocking their device to mitigate any future versions of this attack.
Using your real name in the ransom demand? Asking for payment via Paypal rather than something less traceable like bitcoin? Nobody could be that stupid.
Seems someone is trying pretty hard to frame this Oleg Pliss chap, in the hope he's gonna have his dog shot/all his hardware seized for months/his life made a living hell.
Also, multiple hacks of the same people's devices suggests hacked routers which could explain a lot as people tend to recycle passwords.
It suggests that more is going on than simple phishing, this looks more like either spear phishing or some less than sophisticated extortion attempt.
Biting the hand that feeds IT © 1998–2019