The trouble is that iCloud uses so many services that all use the one password. They all use different protocols that have their own weaknesses and known exploits.
The web GUI may lock you out after 3 failed attempts, what about the iCloud syncing protocol, iMessage, iTunes purchasing, IMAP…

I don't know, I was responding to solving a login by brute force. All their services presumably use SSL.
 
I find it weird how so many people here seem to think that Gizmodo hates Apple because they leaked a design that made the iPhone 4 one of the most desired devices of all time, before Apple had even revealed it and had discussed any of the features it had.

It was Apple banning them from events etc. that makes Gizmodo hate Apple. The tone of their articles after that event made it clear that Giz was not happy and still isn't (as they likely still aren't invited).
 
The trouble is that iCloud uses so many services that all use the one password. They all use different protocols that have their own weaknesses and known exploits.
The web GUI may lock you out after 3 failed attempts, what about the iCloud syncing protocol, iMessage, iTunes purchasing, IMAP…

Without actual information regarding the architecture this is kind of FUDish and detracts from the real problem (that being that it is easy to social engineer Apple into handing over your AppleID to a stranger).

It is true that using one password for every login is bad, but that isn't the immediate problem here (and honestly it speaks more to how the current username/password combo is stupid and not designed for human authentication but rather computer authentication and should be replaced).
 
This is extremely disturbing. I had my iCloud account in iTunes hacked last year by someone in China who put $19.99 on my account.

Apple fixed everything but it was still worrisome. Makes you wonder if having one account handle email, iTunes, Mac app store, and the ability to wipe all your devices.
 
Why is all this so important to you? Do you really keep a mental note of who is pro-Apple and anti-Apple out there?

Also just because Mat Honan was a FORMER gizmodo contributor doesn't immediately confirm he hates Apple and has an axe to grind. As I said in my previous post, he appears to be well liked by people who write a lot of good things about Apple. And if he hates Apple so much, it's sure as hell surprising he owns all these Apple products that got remote wiped last night. :rolleyes:

Important to me? It's Sunday morning and I'm goofing off on the internet. Why is it so important to you? I think you're overestimating the effort required to remember the Gizmodo/iPhone 4 episode.

I don't know anything about Mat Honan. I would hope this all went down exactly as he says it did. (Well, I would rather it not happened at all because having all your devices wiped would suck.) If Apple screwed up in their security procedures then they deserve to get nailed for it. Unfortunately there is no such thing as absolute security and even with "security questions" these things can fall to social engineering.
 
He's a former Gizmodo contributor.

The story said his iOS devices and MacBook got remote wiped.

And is it possible to do a local backup of an iOS device when you have the remote iCloud backup enabled? As far as I know, once you enable cloud backups iTunes no longer allows you to backup to the computer. Another stupid implementation by Apple.

All that it turns off is automatic backups. You can still manually do an iTunes backup. Something you and Mat would know if you really were the experts you pose as. Or bothered to check.

----------

If they can restore backups within a certain period of time it would fix issue of someone gaining control of the AppleID and wiping both the device and the backup.

Hacker wanted to teach the guy a lesson. First thing he'd do after the wipe is erase all the device backups.
 
Important to me? It's Sunday morning and I'm goofing off on the internet. Why is it so important to you? I think you're overestimating the effort required to remember the Gizmodo/iPhone 4 episode.

I don't know anything about Mat Honan. I would hope this all went down exactly as he says it did. (Well, I would rather it not happened at all because having all your devices wiped would suck.) If Apple screwed up in their security procedures then they deserve to get nailed for it. Unfortunately there is no such thing as absolute security and even with "security questions" these things can fall to social engineering.

The problem is that it seems Apple is very easy to social engineer compared to other companies. We have no quantitative data on this but this is hardly the first time an AppleID was "hacked" mysteriously. The victim is usually blamed, with someone accusing them of having a poorly constructed password. When someone actually follows up it usually ends up that it was either Apple who handed over the account or the person used the password somewhere else where the password was stored insecurely and obtained when the server was hacked. The latter isn't really Apple's fault but the former definitely is (which you agree with). While I agree that perfect security is impossible (and I think username/passwords as security is about as secure as kids playing outside and having their club house password be five knocks or the phrase "girls smell") Apple seems to be less secure from social engineering attacks when compared to others.

Hacker wanted to teach the guy a lesson. First thing he'd do after the wipe is erase all the device backups.

Indeed. What the post you quoted was referring to was how it would be okay if the hacker deleted it if Apple was able to restore within a certain period of time (i.e. server deletion was not immediate but rather had a 10 day queue or something). As clarification, my post was pure suggestion and probably isn't implemented by Apple.
 
All that it turns off is automatic backups. You can still manually do an iTunes backup. Something you and Mat would know if you really were the experts you pose as. Or bothered to check.

Who here claimed to be an expert?

The fact is that the UI is oddly designed.

It appears to be iCloud OR iTunes backup.

Why can't it backup to both automatically? That's what I'd want.

I choose to backup solely to iTunes because of how that works.
 
It would have 78,364,164,096 possible combinations. Let's assume you can do 10 of them a second as you have to deal with lag time of both sending and receiving. It would take you over 264 YEARS to chew through all of them.

People generally don't pick random passwords. What they usually do is pick a word and do a standard number swap of one or two letters, and think that makes them safe.

But those sorts of word variants are found in standard hacker "dictionaries".
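As an added example (not code from this thread), here is a defender-side password policy check in Python that puts the two points above together: the exhaustive-search estimate for the post's 36^7 keyspace at 10 guesses per second, and a lookup that undoes the number swaps the post describes before comparing against a word list. The word list and the substitution table are constructed stand-ins for the far larger ones a real checker would use.

```python
import re

# Constructed stand-in for a cracking "dictionary" (assumption: real lists run to millions of entries).
COMMON_WORDS = {"password", "apple", "icloud", "welcome", "letmein", "monkey", "dragon"}

# The "standard number swaps" the post mentions; the checker undoes them before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to exhaust every combination of `length` symbols at a fixed guess rate."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character class actually used."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33  # printable ASCII symbols
    return size


def normalized_forms(password: str) -> set:
    """Candidate base words after undoing swaps and dropping a trailing '2012!'-style suffix."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {
        stripped.translate(LEET_MAP),                           # "p@ssw0rd1" -> "password"
        re.sub(r"[^a-z]+$", "", lowered.translate(LEET_MAP)),  # "appl3!"    -> "apple"
    }


def is_dictionary_variant(password: str, words=COMMON_WORDS) -> bool:
    return any(form in words for form in normalized_forms(password))


def assess(password: str, guesses_per_second: float = 10.0) -> dict:
    """Policy verdict: a dictionary variant is weak no matter how large its nominal keyspace looks."""
    return {
        "dictionary_variant": is_dictionary_variant(password),
        "years_if_random": brute_force_years(charset_size(password), len(password), guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Appl3!", "ra7kq2m"):
        print(pw, assess(pw))
```

The keyspace estimate only describes a truly random string; the dictionary flag is what catches the number-swapped words the post is talking about.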
 
1 copy on device one, 1 copy on device two, 1 copy on device three. That's what he did. What the hell do you mean with 'media type b' by the way?

And I wouldn't suggest anyone backing up to a cloud service if you care even a little about your privacy. Especially not if it's a free service: they make money by selling your info in that case.

You are new to technology aren't you?

Different devices are not a backup.

Media, in the technology world, means different types of storage. For example, have one backup on hard disk, have another on DVD storage, have a third on a flash type device.

As for your irrational fear of the 'cloud' I suggest you start your education here...http://www.truecrypt.org/
 
Unfortunately, neither of these moves would have helped Honan.

arn

1Password could have, with a slight change in his practices. On the password reset questions, instead of using the real answers, you generate and enter long random strings and then save them in 1Password. Of course, he would have needed a backup of his data file to access the answers, but doing that is a no-brainer.
 
I think it's important to note that social engineering techniques don't scale well - if at all.
 
The problem is that it seems Apple is very easy to social engineer compared to other companies. We have no quantitative data on this but this is hardly the first time an AppleID was "hacked" mysteriously.

How can you say that Apple is very easy to socially engineer compared to other companies when you admit you have nothing more than anecdotal evidence?
 
How can you say that Apple is very easy to socially engineer compared to other companies when you admit you have nothing more than anecdotal evidence?

Quite easily, actually.

I made a hypothesis based on observation. It is true that I have no quantitative data to be able to call it a viable theory (as I said) but that does not mean the hypothesis has no merit and Apple should not bother themselves with auditing their security. It would be really nice if they explained this to their customers too. It isn't like it is impossible for a company to explain their security to their customers.

We're not dealing with spurious correlations here and so far there has been no public investigation by Apple into the matter other than "we fixed the iTunes gift card stuff".
 
Can someone explain to me what is meant by "social engineering?" Did the hacker guess the person's security question or something?

Social engineering is a type of fraud or deception played on a help desk individual in order to gain access to some form of unauthorized info... If you have seen movies like Hackers or WarGames, it's when they call and pretend to be someone else, in order to get a modem/router ID to hack, or in this case, pretend to be that person, and have enough knowledge to convince them that they are said person, and gain access to their password reset model.

With all the security and 2-part authentication, I knew social engineering still existed, just not as robust because the levels of security have been ramped up, and people's tech knowledge has evolved since the 80's and 90's...
 
Social engineering is a type of fraud or deception played on a help desk individual in order to gain access to some form of unauthorized info... If you have seen movies like Hackers or WarGames, it's when they call and pretend to be someone else, in order to get a modem/router ID to hack, or in this case, pretend to be that person, and have enough knowledge to convince them that they are said person, and gain access to their password reset model.

With all the security and 2-part authentication, I knew social engineering still existed, just not as robust because the levels of security have been ramped up, and people's tech knowledge has evolved since the 80's and 90's...

It is also employed against end users (such as having people install dedicated software for watching porn that is really a keylogger or some other piece of malware).
 
So, let's get this straight...a hacker "decides" to hack the account of a semi-high profile tech guy and then after committing several serious crimes like fraud that could land him in jail for an extended period of time repeatedly contacts the person he hacked when he must know that Apple will surely pursue this matter?

I smell a rat...

This.
 
I hope someone gets fired over this.

This was highly unacceptable.

Because you're so great. This happens all over the place and what needs to happen is a better system against social engineering. Firing people for doing what the policy dictates is American laziness. You don't fire; you learn, you interview, and you find out what system was used. These are large highly skilled companies, not childish people freaking out over something that needs better procedures, not childish thinking.

Can't believe people click up something so childish. :confused:
 
1Password could have, with a slight change in his practices. On the password reset questions, instead of using the real answers, you generate and enter long random strings and then save them in 1Password. Of course, he would have needed a backup of his data file to access the answers, but doing that is a no-brainer.

That is assuming that the reset questions were the entry point into the account, and not blagging.

Surely the issue at hand is that in a world where not everyone backs up their data perhaps as often as they should (if at all), being able to blag customer support combined with remote wipe features is extremely dangerous. A layman could well stand to lose a lot more than just some pictures and contact details.

When you push the iOS ecosystem as the media hub and productivity tool for all, security procedures and product features must be aligned and working properly. A slew of fanboys deriding someone for not buying and using an additional £250 accessory helps nobody.
 
That is assuming that the reset questions were the entry point into the account, and not blagging.

It's hard to imagine security is not enhanced by having the answer to "what is your mother's maiden name" be pyfEPaTnFiCZ8gD]s>cV3P instead of Smith.
 
I knew social engineering still existed, just not as robust because the levels of security have been ramped up, and people's tech knowledge has evolved since the 80's and 90's...

Social engineering is massively still in use, and has evolved tremendously as enthusiasts practiced and honed their craft. It's also a dominant force in politics and the economy. What pundits call rhetoric is a form of social engineering. In fact, any persuasive argument is considered a form of social engineering. There are actually courses taught at some colleges and universities about these techniques, generally within the theater and stage acting disciplines.
 