Apple Aware of iCloud Login Harvesting in China, Launches Browser Security Guide

Discussion in 'Politics, Religion, Social Issues' started by MacRumors, Oct 21, 2014.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    Earlier this week, web censorship blog Great Fire suggested that hackers aligned with Chinese authorities were using man-in-the-middle attacks in order to harvest Apple ID information from Chinese users that visited Apple's iCloud.com website.

    In a newly released support document (via The Wall Street Journal), Apple has confirmed that it is aware of the "intermittent organized network attacks" on iCloud users, but says that its own servers have not been compromised.
    Apple's support document goes on to stress the importance of digital certificates, suggesting that users who see an invalid certificate warning in their browser while visiting iCloud.com should not proceed. The company also outlines how users can verify that their browser is connected to iCloud.com and not a third-party man-in-the-middle website.

    [​IMG]
    Apple asks users to make sure that a green lock icon is visible in Safari and that the message "Safari is using an encrypted connection to www.icloud.com" is displayed when the lock icon is clicked. Apple also has verification instructions for both Chrome and Firefox.

    Unfortunately, many of the victims falling prey to the fake iCloud sites are not using secure browsers that issue warnings when fake websites are visited. According to Great Fire, many Chinese users access the Internet through popular Chinese browser Qihoo, which does not let users know that a fake site is harvesting their information.

    The attack works by redirecting Chinese users attempting to access iCloud.com to a fake website that resembles the iCloud website. Users that log into the fake site provide attackers with logins and passwords that can be used to access contacts, messages, photos, and documents stored within iCloud.

    Though Great Fire has suggested that Chinese authorities may be involved in the attacks, a spokeswoman for China's Foreign Ministry (via CNBC) said that Beijing was "resolutely opposed" to hacking.

    Chinese users should switch to a trusted browser like Firefox or Chrome to avoid falling prey to the fake iCloud.com website, or use a VPN to bypass the redirection and log in directly to iCloud.com. Two-factor authentication should also be turned on as it can prevent unauthorized users from logging into an iCloud account even when a username and password are obtained.

    Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.

    Article Link: Apple Aware of iCloud Login Harvesting in China, Launches Browser Security Guide
     
  2. farewelwilliams macrumors 65816

    Joined:
    Jun 18, 2014
    #2
    and then everyone blames Apple even though it's not their fault
     
  3. jrswizzle macrumors 603

    jrswizzle

    Joined:
    Aug 23, 2012
    Location:
    McKinney, TX
    #3
    Two factor authentication for the win.

    Yes, its a little bit of an additional pain. But more than worth it.
     
  4. nutjob macrumors 6502a

    Joined:
    Feb 7, 2010
    #4
    I love how half-assed Apple security is.

    ----------

    So Apple, the "innovators" makers of "magical and revolutionary" products, can't seem to figure out internet security? My boring old bank does a great job of it, yet this is not Apple's fault?
     
  5. Deelron macrumors regular

    Joined:
    Jan 30, 2009
    #5
    You keep using that word, I do not think it means what you think it means.
     
  6. Glassed Silver, Oct 21, 2014
    Last edited: Oct 22, 2014

    Glassed Silver macrumors 68020

    Glassed Silver

    Joined:
    Mar 10, 2007
    Location:
    Kassel, Germany
    #6
    This.
    I'm mad at any place that doesn't let me use that which is of some level of importance.

    Obviously don't expect it to have on MacRumors, but places like email, online-banking, Paypal (*shudders* unfortunately I need it), etc...

    Glassed Silver:mac
     
  7. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #7
    I don't think 2 factor would actually help. Its redirecting to a different site where they enter their user name and password. Once they have that, there are always ways to get around the second factor.
     
  8. Deelron macrumors regular

    Joined:
    Jan 30, 2009
    #8
    I'm fairly sure your boring old bank would fail if their direct access to the Internet was compromised.
     
  9. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #9
    He's saying its not apples fault because this is a phishing scam. The browser goes to a scam site instead of apple's. All they can do is tell user to check for the correct certificate, reset passwords, and enable 2 factor.
     
  10. Bahroo macrumors 68000

    Joined:
    Jul 21, 2012
    #10

    Are you on drugs bro? this isn't Apple's fault at all, its people in China , they made a fake iCloud website that looks just like the real one and if your using a 3rd party browser, you get routed to this fake website, and its very easy to spot that there is no SSL protection/no green box next to the website link, this is common sense, and isn't Apple's fault in any way at all. This is not a issue if you use reliable browsers like Firefox, Chrome, IE, etc
     
  11. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #11
    This. Someone here gets it.
     
  12. TWSS37 macrumors 65816

    Joined:
    Feb 4, 2011
    #12
    I like to imagine that every nefarious hack/exploit by a foreign government or cell is actually orchestrated by Samsung.
     
  13. Jazper macrumors 6502a

    Joined:
    Jun 16, 2012
    #13
    It does help, it prevents anyone from logging in from an unusual location - this is if you're not using that login password for your emails.
     
  14. Small White Car macrumors G4

    Small White Car

    Joined:
    Aug 29, 2006
    Location:
    Washington DC
    #14
    Your boring old bank is open to EXACTLY this kind of attack in EXACTLY the same ways.

    Furthermore, if I called your bank and asked them what to do about it they'd give the EXACT same advice Mac Rumors has given here.

    EDIT: And before you come back and tell me about how your bank requires a picture of a parrot or a soccer ball or something, ask yourself if you think the people who don't know what an SSL lock looks like will be at all deterred from signing in when their favorite kind of bird doesn't show up this one time.
     
  15. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #15
    This is the problem with a country like China where people are constantly being lied to by the government and having their security compromised by them. This is why American companies don't trust the government. They see what happens when a country has access to user data and controls the internet. Our FBI chief may have good motives, he just doesn't see the other side.
     
  16. doboy macrumors 68000

    Joined:
    Jul 6, 2007
    #16
    How is it half-assed? They now support two-factor and their site is EV-certified.
     
  17. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #17
    What I'm saying is that you can bypass the phone number code by using the companies reset procedure. We're still too reliant on passwords.
     
  18. jrswizzle macrumors 603

    jrswizzle

    Joined:
    Aug 23, 2012
    Location:
    McKinney, TX
    #18
    Enlighten me.

    If someone tried to login to iCloud.com using my credentials, regardless of whether or not they have the correct login information, it will ask for a code that is sent to one of my trusted devices.

    Unless they have one of those devices or there is some way to spoof one of them, it can't be bypassed.
     
  19. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #19
    If you loose your phone, they provide a way to reset it. Most people don't have strong security questions.
     
  20. nutjob macrumors 6502a

    Joined:
    Feb 7, 2010
    #20
    Ah, no. They use a simple device. They show me a picture that I chose when opening my account. I have to verify it's the right picture before I log in.

    Simple, effective, foolproof. Now that's not too hard, is it?

    Apple just doesn't care about your info or your security, obviously.
     
  21. jrswizzle macrumors 603

    jrswizzle

    Joined:
    Aug 23, 2012
    Location:
    McKinney, TX
    #21
    The reset procedure requires a specific pass code generated at the time of 2-factor setup.

    No way the hacker knows it. And even if it were to get reset, the owner receives emails every step along the way and by that time will be able to change passwords and alert the authorities.

    Perhaps its not that its completely uncrackable - I don't think anything is. But the time necessary and the alerts that happen make it difficult.
     
  22. nutjob macrumors 6502a

    Joined:
    Feb 7, 2010
    #22
    Not true, there are simple steps you can take to make it more secure, but they failed.
     
  23. iphonedude2008 macrumors 65816

    iphonedude2008

    Joined:
    Nov 7, 2009
    Location:
    Irvine, CA
    #23
    Really? I didnt know they were using pass codes. I still haven't set up 2 factor yet for iCloud. I set it up for my google account and I find it a pain to use.
     
  24. nutjob macrumors 6502a

    Joined:
    Feb 7, 2010
    #24
    So because there are endless bad people who want to get your login details, it's not Apple's fault? Isn't the opposite true? Are you sure I'm the one on drugs?

    There are very simple ways of defeating phishing, banks do an effective job of it why can't Apple?

    ----------

    It's half assed because it's trivial to defeat. You can't delegate responsibility, even if you are "EV-certified."

    ----------

    It works. It's simple. People understand it. Some tiny icon and the technical information it reveals is incomprehensible to most people.

    As I said, half-assed. Apple was supposed to be "easy" yet they want people to understand how SSL certificates work?
     
  25. Deelron macrumors regular

    Joined:
    Jan 30, 2009
    #25
    Some of mine do, and some don't (and some ask for multiple sets of personal trivia any time I use them) but I doubt it'd mean a lick of difference if the government was actually interested and motivated in intercepting the information.
     

Share This Page