back to article Australia iOS ransom gizmo-snatch OUTRAGE not our FAULT: Apple

Apple has denied that a breach of its iCloud service is the reason for an outbreak of ransomware infecting Australian iThing users. Australian Apple owners yesterday complained that their beloved hardware iStuff had been remotely locked by a chap identifying himself as Oleg Pliss and demanding a PayPal transfer of $AUD50 to …

COMMENTS

This topic is closed for new posts.
  1. Neoc

    End of the world?

    "Apple Australia has contacted The Reg..." Surely one of the signs of the Apocalypse?

    1. Mark 85 Silver badge

      Re: End of the world?

      Have an upvote for that. The end life, the universe, and all that, Shirley.

    2. g e

      Re: End of the world?

      Hats and warm coats handed out in Hell, snowmen sighted.

      Cats & dogs living together

      USPTO reformed

      1. Cliff

        Re: End of the world?

        Jagwiregate is over!

  2. John Tserkezis

    "If Oleg Pliss is the vanguard of such efforts, millions of people are in peril."

    No, millions of plebs who can't be bothered coming up with reasonable or even DIFFERENT passwords are in peril. Or, worse still, if they're from the "I have nothing to hide" wanker brigade, perhaps now they'll learn they DO have something to hide after all. Or not. I just don't care anymore.

    1. cracked

      That's only partly true - well the initial bit - though, isn't it?

      If the entirely predictable eBay fiasco has yielded 145-million email addresses, (maybe encrypted) passwords, names, addresses, phone numbers, dates of birth ... then that's what, 5-10% of all internet users?

      If the only thing to blame users for, is using the system; then really its the system that should be blamed.

      Billions of people are in peril, at least in the first-world sense. And have been for some considerable time. Because the system is rubbish. And yet billions of people have been utterly convinced that it is the single most fantastic thing since spacehoppers. And worse, have been convinced to divulge detailed personal - and in many cases / circumstances, highly confidential - information, to lord only knows who. (And, as the lord probably knows, those people couldn't keep it secret).

      Even if (and unless, maybe) you really do know what you are doing - and if we are all brutally honest; if only here, amongst ourselves - you would need a massively important reason to use such a system, given the peril to which you expose yourself.

      If you had to shout out loud, most of your personal details - even if you did so using a code - before you could use an ATM; how many people would go queue inside the bank instead?

    2. JimC Silver badge

      if millions are in trouble

      Then the system is up the chute because its abjectly failed the people its supposed to be serving, and if you can't see that but carry on bleating about secure passwords etc then you are part of the problem.

      The complacency in our industry that blames the user when the systems we provide for them are demonstrably not secure is a big part of the problem.

      1. Anonymous Coward
        Alert

        Re: if millions are in trouble

        Millions are not in trouble, they're in PERIL!!!!!

        I can imagine the movie now, a mile-wide meteorite is heading toward Los Angeles, Godzilla is attacking Brisbane, Transformers are pulling apart the Pyramids, giant worms are swallowing people alive in Swansea and, to make things worse, billions of people are also in peril!

        I think though that this is serious and recent events may finally move us into an era where normal, unwary users finally realise that passwords are important and are more than just a means to stop your kid sending 'sdkjfhkaefhwueafgwe' in a text message to your boss.

        1. Squander Two

          Vote with your feet. And your votes.

          I don't want people to realise how important passwords are and so come up with decent passwords. I want people to realise how important passwords are and so put electoral pressure on our lords & masters to make the storing of unhashed passwords and unencrypted personal data a criminal offence. It's not 1998; the Web is not new: there is no excuse for this shit.

  3. Anonymous Coward
    Anonymous Coward

    Re. Icloud

    Needless to say, no matter how much they bleat Apple have to provide a fix for this.

    By not adding security via CAPTCHA etc to Icloud they have opened themselves up to this sort of cross device vulnerability.

    I seem to recall something similar with mains adaptors, ie plugging in an IDevice in can not only result in total ownage but this can't be detected from the outside.

    The latest version even fakes the update process complete with download bar and fake install routine.

    Even worse, there are counterfeit chargers with this built right in albeit only seen in thankfully small quantities and only in the lab as of yet.

    Apple devices are uniquely vulnerable as they are power hungry and need charging every day,

    1. tony
      Happy

      Re: Re. Icloud

      "I Seem to recall..."

      &

      "The latest version..."

      Along with being anonymous = concern trolling.

      Thanks for trying though.

    2. Andy Watt

      "Apple devices are uniquely vulnerable as they are power hungry and need charging every day,"

      Utter twaddle.

  4. Eradicate all BB entrants

    Other sites have statements ....

    ..... from other affected users and most seem to be in or from Australia. I wouldn't have thought that if the miscreant was using details obtained in major breaches that it would be so localised.

    1. Franklin

      Re: Other sites have statements ....

      That thought occurred to me, too. If it were the result of a large-scale breach at $OTHER_PLACE, we would not likely see the exploits so localized.

      It could even be the result of something as mundane and ho-hum as a phishing attack. Hell, I get phish emails asking me to "verify my Apple credentials" at least once a month.

      A coordinated phish attack is less sexy than hackers trawling through troves of stolen eBay data and targeting people who reuse passwords, but it seems a bit more plausible to me.

    2. g e

      Re: Other sites have statements ....

      Though payment in AUD might be the spearhead... wait for USD, GBP, EUR, JPY to follow, maybe.

      Can you factory reset an iThing without external hardware? e.g. Power + vol down + home from poweroff on some (all?) Android devices. I guess not otherwise this might be mentioned as a last resort recovery option.

      If the 'ware prevents you switching off your phone to do that you can always take the battery out to reboot it and perform a reset combo. Oh. hang on.

      1. a53

        Re: Other sites have statements ....

        If the 'ware prevents you switching off your phone to do that you can always take the battery out to reboot it and perform a reset combo. Oh. hang on. === No, you twerp, you just wait for the battery to die .........

        1. Cliff

          Re: Other sites have statements ....

          ^^^battery to die...

          Wouldn't the firmware push the phone into deep sleep with core files written to some kind of semi permanent memory? It's how I'd design a premium device anyway, so the use couldn't accidentally wipe themselves out.

    3. DougS Silver badge

      Re: Other sites have statements ....

      Obviously we don't know the details yet, but I wouldn't be surprised if we hear about a compromise of an Australian ISP later this week that turns out to be where the passwords were obtained.

  5. Crisp Silver badge
    Coat

    Are Apple taking the Pliss?

    Coat with the locked iPad in the pocket...

  6. John Smith 19 Gold badge
    Coat

    Perfectly good headline wasted.

    "Taking the Pliss" "Pliss taking the cash" etc.

    No?

    Suit yourself.

  7. Anonymous Coward
    Anonymous Coward

    Meh

    Apple users are rich, they can afford it.

    Cite: They had enough spare money to spunk on overpriced-Cupertino tat

  8. Anonymous Coward
    Anonymous Coward

    It'll be manbags at dawn.

    iRritation down under.

    That day not a single vlog was given.

  9. pigor

    "Pliss is likely in possession of usernames and passwords gleaned from sources other than Apple and has attacked users who use the same identifier for multiple services including iCloud"

    Maybe not in this case.

    It seems several users have changed their password and got "captured" again by Pliss.

    This may indicate that the breach is more interesting than just re-used password... maybe even a DNS poisoning at ISP level

  10. DougS Silver badge

    Apple may want to tweak its policies

    My understanding is that this only affects users who don't have an unlock passcode on their device, because they have disabled screen lock. If so, Apple will want to force all users to set an unlock passcode that is active even when screen lock is disabled, so they have a way of unlocking their device to mitigate any future versions of this attack.

  11. Anonymous Coward
    Anonymous Coward

    You know very well

    It's never Apple's fault. And if it's not somebody else's fault, it must be a feature.

  12. Anonymous Coward
    Anonymous Coward

    Pliss poor user choices

    Much as I'd like to blame Apple I have to agree that the fault will most likely lie with the user's password habits.

    But I am rather curious about how malware infected the ivory tower without going through the App store?

  13. Anonymous Coward
    Anonymous Coward

    Using your real name in the ransom demand? Asking for payment via Paypal rather than something less traceable like bitcoin? Nobody could be that stupid.

    Seems someone is trying pretty hard to frame this Oleg Pliss chap, in the hope he's gonna have his dog shot/all his hardware seized for months/his life made a living hell.

  14. Anonymous Coward
    Anonymous Coward

    Re. chargers

    http://gizmodo.com/your-iphone-can-be-hacked-with-a-modified-charger-510988017

    Also, multiple hacks of the same people's devices suggests hacked routers which could explain a lot as people tend to recycle passwords.

    It suggests that more is going on than simple phishing, this looks more like either spear phishing or some less than sophisticated extortion attempt.

  15. Anonymous Coward
    Anonymous Coward

    Pliss off

    Just checked, all good.

    I'm fine.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019