Apple Says No Personal Data Was Compromised in Australian Teenager Hacking Incident

[apolloa]

Quick the police are coming, place the files where no one will ever know..... I got it!!! “Hacky hack hack”.... (insert evil laugh) #facepalm

To a 16 year old that was probably hilarious at the time.

 

[psapp]

IPv4 doesn't route mac address over the internet so the furthest mac address you'll see is your internet router's mac address. And, MacOS since Sierra 10.12 from 2016 uses IPv6 privacy extensions to randomize the mac address encoded into IPv6 address.

Inquiring minds want to know how Apple are tracking its customers.

Did they state he was using a Mac during the hack? Didn’t see it.

 

[belvdr]

Did they state he was using a Mac during the hack? Didn’t see it.

I think it's arguably the case, given the info that's been reported.

 

[Darmok N Jalad]

Did they state he was using a Mac during the hack? Didn’t see it.

Checking the original article:

”Two Apple laptops were seized and the serial numbers matched the serial numbers of the devices which accessed the internal systems,” a prosecutor said.

There was also mention of an iPhone matching the IP of the intruder.

 

[psapp]

Checking the original article:


There was also mention of an iPhone matching the IP of the intruder.

This is interesting then, there has to be something sent in the network traffic that allowed Apple to ID the machines.

 

[Mr. Heckles]

Checking the original article:


There was also mention of an iPhone matching the IP of the intruder.

Doesn’t say what operating system he was running. It could have been El Capitan for all we know.... or even Windows.

 

[belvdr]

This is interesting then, there has to be something sent in the network traffic that allowed Apple to ID the machines.

Again, depending on the service access, it could very well pass the serial number along. I have not seen any mention of what service was used during this attach.

 

[mi7chy]

Did they state he was using a Mac during the hack? Didn’t see it.

Real pros that don't get caught use something like Parabola Linux on Thinkpad flashed with Libreboot BIOS.

 

[pl1984]

What I always find amazing that these massive corporation have infrastructure that can be hacked by a child.
That tells us few things. However, considering how Apple is proud of their privacy stands it begs the question how secure things really are.
Regardless of this kid's talent, a child got in. What would a professional group of hackers with proper resources etc. be able to do if a kid from home can get in?

There's nothing puzzling about it. The companies are just too large and not everything can be protected. I know two individual who are responsible for Apple's security. They're both excellent individuals who really know their stuff. But the reality is a network the size of Apple is impossible to secure. Even if the business wasn't constantly overriding security professionals advice there's only so much you can do. The reality is a business which hasn't been hacked will be hacked (or has been hacked and they either don't know it or haven't reported it). So business / individuals need to just suck it up and accept this it the world we live in today.

 

[upnorth85]

Give the child a job for Apple when he gets out of jail, lol.

0 chance he will do any jail time. In any case it will be wiped off his record when he turns 18.

 

[dannys1]

How can someone Still hack Apple with their "encrypted" software.Makes you wonder how vulnerable Our data is to the hands of anyone that can hack...how can a Trillion $$ Dollar company be so exposed.

I don't think you know what encrypted means.

It's got nothing to do with preventing a hack. It prevents the hacker from reading any data from the hack.

In all likelihood the data the kid download was encrypted, which means totally useless to him, just data blocks he can't make sense of - and if it wasn't encrypted then it wasn't important.

 

[fairuz]

According to this article: https://bgr.com/2018/08/16/apple-servers-hacked-teen-sensitive-data-year/

Apple was able to access his computer's serial number. How is this possible?

That was my first thought. Makes me wonder what my Mac is sending to Apple. Maybe he left the "send diagnostics to Apple" box checked, then some hacking tool crashed and sent a report?

 

[pl1984]

I don't think you know what encrypted means.

It's got nothing to do with preventing a hack. It prevents the hacker from reading any data from the hack.

In all likelihood the data the kid download was encrypted, which means totally useless to him, just data blocks he can't make sense of - and if it wasn't encrypted then it wasn't important.

I haven't read the details of the hack but I'm going to disagree with you. Data can be encrypted at rest or in transit. You appear to be referring to the former (i.e. he downloaded an encrypted file and therefore is useless). A lot of remote data compromises happen via DB, typically through the application layer. An application which has valid need for the data. As such the data would not be encrypted (otherwise it would be useless to the application). SQL injection is a prime example of how encrypted (at rest) data can be obtained in clear text.

Likewise don't assume just because it wasn't encrypted it was therefore unimportant. Too much important data is left unencrypted.

 

[fairuz]

What's with everyone cheering for this guy? He's a criminal and should be punished. Do you reward burglars after they break into someone else's home? No! people shouldn't get incentives for their crimes.

Cyber-crime is a bit different, with the blame falling more on the victim than the attacker because the security is supposed to be flawless. Provided the attacker doesn't abuse the stolen data, which it sounds like he didn't, and that the attack isn't something dumb and destructive like DDoS.

 

[pl1984]

That was my first thought. Makes me wonder what my Mac is sending to Apple. Maybe he left the "send diagnostics to Apple" box checked, then some hacking tool crashed and sent a report?

I had to laugh at the following:

"Apple’s servers are widely believed to be unhackable…"

Those who think that are naïve.
[doublepost=1534535919][/doublepost]

Cyber-crime is a bit different, with the blame falling more on the victim than the attacker because the security is supposed to be flawless.

Only if you're an Apple fanboy who believes Apple is infallible.

 

[fairuz]

0 chance he will do any jail time. In any case it will be wiped off his record when he turns 18.

Dang, I should've done all my hacking before I turned 18. Now I'd go to real jail if I did it.

 

[psapp]

Real pros that don't get caught use something like Parabola Linux on Thinkpad flashed with Libreboot BIOS.

So GNU/FSF nuts, because who needs modern hardware right? That's for normies.

 

[2013.1]

So what was in those 90 GB?

Most likely encrypted files.

 

[fairuz]

I haven't read the details of the hack but I'm going to disagree with you. Data can be encrypted at rest or in transit. You appear to be referring to the former (i.e. he downloaded an encrypted file and therefore is useless). A lot of remote data compromises happen via DB, typically through the application layer. An application which has valid need for the data. As such the data would not be encrypted (otherwise it would be useless to the application). SQL injection is a prime example of how encrypted (at rest) data can be obtained in clear text.

Likewise don't assume just because it wasn't encrypted it was therefore unimportant. Too much important data is left unencrypted.

A standard database client-server setup will use TLS to secure the connection, so the data is also encrypted in transit between the DB and the app server. Sometimes this is disabled on a private network because that's already encrypted at a lower layer, but I'd think they'd leave it enabled.

 

[mi7chy]

So GNU/FSF nuts, because who needs modern hardware right? That's for normies.

Real pros use their brain and not brawn and aren't full of excuses. Plus, there are options other than DYI.

https://puri.sm/

 

[pl1984]

A standard database client-server setup will use TLS to secure the connection, so the data is also encrypted in transit between the DB and the app server. Sometimes this is disabled on a private network because that's already encrypted at a lower layer, but I'd think they'd leave it enabled.

Which is irrelevant if the compromise is through the app server.

 

[psapp]

Real pros use their brain and not brawn and aren't full of excuses. Plus, there are options other than DYI.

https://puri.sm/

Don’t get me wrong, when you posted that you immediately reminded me of a guy I goto school with who walks around with his $100 thinkpad from eBay, libreboot, etc. and he’s absolutely brilliant... if just a bit paranoid. Haha

 

[DjanSeriyAnaplian]

Sure! and people who steal cars and houses should be hired by insurance companies.

It's a child, what exactly is wrong with you?

 

[Piggie]

This story from Apple does not smell right.

They say they noticed it, nothing was taken and reported to the police.
That story would stand up, were it not for the fact that he'd been doing it for a year or more.

So they did not notice it for a year or what ?

 

[where is it]

The largest full iOS update size has been less than 3GB. 90GB is the size of large companies' Oracle database.

https://ipsw.me

Seriously? It was a joke
[doublepost=1534541283][/doublepost]Chinny chin chin