Londoner who tried to blackmail Apple with 300m+ iCloud account resets was reusing stale old creds A 22-year-old Londoner has been given 300 hours of community service and a State-enforced bedtime after trying to blackmail Apple with hundreds of millions of previously compromised login credentials. Kerem Albayrak, 22, demanded Apple give him $75,000 in crypto-currency or a thousand $100 iTunes gift cards. If the maker of …
But some of them still worked apparently. I hope Apple has some mass restore functions available to anyone who may have had their accounts squashed if he did carry out his threat. I guess saying not to reuse passwords is preaching to the choir here, but it’s still an uphill battle for the great unwashed...
Capital idea, old chap. Let's force all people to register with the government if they want to use the internet and present to each and every site the credentials issued. Make it a capital crime using any form of hiding your real identity on the internet.
Oh, wait. It won't work if we don't force the people to use only government issued computers/phones/tablets loaded with approved software which can't be removed.
There, much better. Now we won't have to worry about identity theft and data breaches.
You say just “force the user to prove it’s them”, which is a spectacularly circular argument. The definition of authentication is asking the user to prove who they are - and if you had a better method of doing so than the password, you wouldn’t need the password. It also ignores the possibility that accounts may be pseudonymous, and therefore have no corresponding real world identity at all.
Finally, it’s unclear from the article whether Apple knew which accounts were potentially affected. Forcing a password reset on the entire user population would have been disproportionate, particularly as it turns out that most of the credentials were stale and there had in fact *been no data breach” (from Apple).
“ If one of those two parts is cellphone text messages then it is unsafe as hell.”
Please stop repeating that old trope without understanding where it comes from. As always, it depends wholly on your threat model. Who exactly do you believe is both capable of, and willing to perform 300 million SIM swaps? Answers on a postcard...
SMS MFA is better than no MFA. Ofc that’s a relative assessment. Is it good enough? That’s a different question and depends on your particular threat model. For my cloud account? Sure. For a celebrity, investigative journalist, union leader etc? Quite probably not.
Repeating “SMS MFA is insecure” is actively unhelpful and wrong. I’m paid to breach perimeter security. If you ain’t got MFA I’ll bet good money on getting in to the vast majority of organisations. All I need are creds, which is nothing more than a numbers game. Creds + MFA is a whole other game. It’s probably the easiest way to handle your dumb ass users picking Christmas123! as their password.
SMS 2FA is in some ways the equivalent of 'security through obscurity'.
Because yes, 'security through obscurity' actually works just fucking great for most people.
Sure, it's of very little use to a targeted attack, but most people aren't subject to targetted attacks, instead it's just the random drive-by attacks, like the one in TFA.
If your device is just that little bit out of the ordinary, say your ssh is on port 2222, you're going to be avoiding a lot of the random port scanning for vulnerabilities that might be a problem anyway.
Okay, I get that he didn't kill anyone, but he attempted blackmail on a grand scale. He threatened (baselessly as it turns out) tens of thousands of possible victims to extort money.
Again, he didn't kill anyone, but that level of threat, to me, means he should have gone to prison for six months, not just have an electronic curfew.
The sentence seems a bit light, in other words. I guess the judge found him to not be that much of a threat after all. Either that or he's setting the guy up for a major sentence next time around.
I'd say he's setting him up for next time around. I'd rather not have the prisons full of guys like this who pose no danger to life and have not had a substantial impact on people's lives generally. If you put his crime against those of the utter knobs that crippled the NHS, that's all the perspective I need.
As part of a hacker group, my guess is he cut a deal to sell out his partners in crime.
But even if Albayrak was a loner and his "group" was a mere fantasy, I'm sure the NCU won't treat it as such, because today's "everything is terrorism" paranoid approach to criminal investigation will ensure he becomes a permanent addition to their watchlist.
Of course, in order for the NCU to have something to watch, useful or otherwise, Albayrak has to be cut loose.
So in reality this sentence is more sinister than it first appears, although in fairness Albayrak only has himself to blame.
For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot help to think that there is something fishy in the iCloud. Have we already forgotten what a little kiddie from Melbourne was able to do a few years ago.
Why all of you want to send him to the chair anyway? Were there any threats of violence? Sure there was extortion, but we've seen what happen to hackers when you send them to Belmash.
This person strikes me as someone at the "a little knowledge is a dangerous thing" stage rather than a member of the hacking elite. It looks like he tried to bluff Apple without having the ability to deliver or to adequately mask his tracks.
"For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot help to think that there is something fishy in the iCloud. Have we already forgotten what a little kiddie from Melbourne was able to do a few years ago."
Whilst this is possible, there are some companies who will throw money way in excess of the value of a crime at going after someone just to send a message "Don't try this on us" for the deterrent effect. If your company gets a reputation as one not to mess with, the savings made by having to investigate less crimes and the increased customer confidence from showing you're on top of such things may be worth it. Other companies that have government contracts or that work in regulated industries may have no choice but to report an attempted crime and go after the perp.
0 day exploits happen...and surprise companies...otherwise they wouldn't 0dayers.
I have some sympathy with your second comment, sloppy systems are not just a fault of the criminal.
Insurances companies don't pay out for buglaries when you leave the house unlocked for a reason. They also increase your premiums when you claim for items you lose/damage.
>For apple to have taken the demand seriously and spend 10s to 100s of K on this matter you cannot >help to think that there is something fishy in the iCloud
Yeah, but to play Devil's advocate, having had issues previously, isn't it better to have an investigation and get a third party (NCA) involved and say "we've found no issues on this occasion" rather than just cover up and go "nothing to see here guv"? What they spend on marketing would make this a drop in the ocean, and it would be better for them to be seen to doing something rather than ignoring a potential issue. Or maybe I'm just holding it wrong.
Ok, 20 years old at time of offence, and the effort wasn't particularly difficult....so in my mind all he is is a Scrpt Kiddie. He gets the 'plus' elevation not for tech skills, but learning how to bluff with confidence.
He's a knob, who has probably made himself unemployable in the I.T. industry, unless he does the 'poacher turned gamekeeper' and becomes a white-or-neutral hatted 'Security Researcher'.
Please don't employ this total twonk in anything that requires a degree of trust or credability, it won't end well..
If I was inclined to hack Apple, instead of trying to blackmail them I would set them up to be embarrassed, reset the accounts wordlessly, and then do it again, post various secrets... Etc.
All too temporarily drive down the market confidence in the company
The idea is to predictably drive their stock down, and bet against them on the stock market in conjunction, to make that money.
Then leave a trail for them to follow to re-secure their Network, bet in their favor on the stock market using the gains from the previous Gamble, when stock rises again In response to the press reports are they more secure than ever.
Rinse and repeat.
I know in stock market they tend to use other words to describe these processes but I'm not here to argue semantics. An investment it's just a gamble by another name. I identify operations Identify by functions, it makes it easier not to be tricked Into false distinguishment and ethical whitewashing through clever wording
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
