No, they should fine Apple for allowing people to have passwords like 'password123'. That would be a good incentive to do more for security.

Either that or people should have to have a suitability exam before being allowed to purchase Apple hardware.

If someone buys a car and fails to get a licence or fails to follow the rules then who do we blame - the car manufacturer or the driver? same situation here - do we blame Apple who advise people when creating the password:

[screenshot: Apple's password-creation guidance]


Or do we blame the person for ignoring the advice just as we blame the person who drives a car without a licence or doesn't follow the laws relating to the road?
 
If there is no second device, how do you access "Find my iPhone"? Of course you have to have a second device or access to a computer.

And to be able to log in in case you lose your phone, Apple can simply do what every other major implementation of 2-factor authentication (Google, Outlook.com, Dropbox etc. pp) does: Allow multiple different channels for delivery of the secondary authentication code (e.g. Apple push and email).
Exactly. And to make things worse, it's a password that you have to frequently enter on mobile devices, so it's not practical for users to use a secure, long password.
I somewhat agree with you......I think two factor authentication should be the standard these days. It is very easy to implement and deliver. It could be a text message to a phone...it could be an email.....it could be a phone call to numerous numbers listed in the user's profile.
 
We are forgetting something

We are forgetting some hackers were able to reverse engineer the iCloud protocols this week using a man-in-the-middle tap to capture in/out data.

Now the report says this problem is so far happening only in Australia.

My guess is this is a localized issue; someone is tapping communications, either by providing free access points or has access to a data backbone (maybe he works for an ISP or was able to hack it and add code to retrieve the data he needs to gain access to these iCloud accounts).

There must be a common ground for all the people having this problem. When discovered, it will help to either capture the hackers or at least end the problem.
 
I'll see you in the gas chamber, then.

Seriously, though, hackers, along with persons who create viruses and malware should be given high penalties. This crap shouldn't exist.

Same with white collar criminals, death penalty for them too... no more club fed

they do far more damage than hackers (and many regular criminals)
 
If there is no second device, how do you access "Find my iPhone"? Of course you have to have a second device or access to a computer.

And to be able to log in in case you lose your phone, Apple can simply do what every other major implementation of 2-factor authentication (Google, Outlook.com, Dropbox etc. pp) does: Allow multiple different channels for delivery of the secondary authentication code (e.g. Apple push and email).

The second device is a foreign device (e.g. a friend's iPhone), which creates the challenge. Apple would be sending your security code to your lost iPhone. The issue with sending the code via email is that, arguably, the compromised device could be unlocked and have the email open. The minute that code is sent to email, the attacker has it.

Of course, there are options, as you said. I think many of them interfere with the point of the service. Having it set up to call a separate friend (whose number you may not know without your address book) could work. Either way, all of these seriously impede the speed at which you can trace your phone if lost. (Maybe that's okay...just thinking out loud.)

My point is, there is clearly a real issue here. It's just not as easy as doing what every other company has done, since the one time you need this second-step is when the actual device is gone. I think a PIN, just like they've done with iCloud, is the easiest band-aid, pending what I hope is a total rethink of how we do passwords / authentication.

Most importantly, there is zero incentive to use good passwords, as you said. I for one have started relying heavily on iCloud Keychain, and no longer duplicate passwords. (Even here, I don't even know my MR password -- it's just saved.) I just wish I had a way to access on a PC, since I can't get in at work now. :)
 
You probably mix up Australia with Austria. This is something that used to happen a lot but it does actually happen only very infrequently nowadays. :eek:

Population:
Australia: 23 M
Austria: 8.5 M = about Sydney + Melbourne

Size:
Australia: 3.00 M mi² = 0.8 times the US; world rank: 6
Austria: 0.03 M mi²; world rank: 115

Geographic position:
Australia: entirely in southern hemisphere, center at 27°S, 133°E
Austria: in Europe, center at 47° 19' 48"N, 13° 19' 48"E

Trivia:
Australia: home of kangaroos
Austria: no kangaroos in wild life

But hey, we have got a lot of mountains, so it might not be just that easy to drive over to someone's home, as well. ;)


For some reason this confusion happens very often, especially here in the U.S.
One time I was buying wine and an apparently educated man approached me and asked me for advice. After asking him a few questions related to his wine taste, I recommended Rosemount States Cabernet Sauvignon from Australia.
Then he told me he didn't want to get a European wine... :eek: LOL!

BTW, you used != instead of <>, so you must be a programmer... :D
 
The second device is a foreign device (e.g. a friend's iPhone), which creates the challenge. Apple would be sending your security code to your lost iPhone. The issue with sending the code via email is that, arguably, the compromised device could be unlocked and have the email open. The minute that code is sent to email, the attacker has it.
If the phone is unlocked, the attacker also gets the code with the current way Apple delivers it (Apple push notification). If you don't lock your phone via passcode or fingerprint sensor, it's your own fault.
Of course, there are options, as you said. I think many of them interfere with the point of the service.
2-factor authentication is of course a potential inconvenience (not just when you lose the phone, but every time you log in), which is probably why Apple hasn't implemented it on icloud.com yet. But IMO Apple should give users the choice to trade a little convenience for more security if they want to do so.
 
An odd story--but a good enough reason I suppose to set up the two-step verification process--pretty easy to do--and as mentioned above--good idea to lock your device with a pass code.
 
All this debating reminds me of the two most recent times I've been in the US (Missouri and Colorado). On both occasions in both places (with a fairly standard English accent, not even a Cockney accent which I guess could sound similar to some), people are always mistaking me for an Australian (not a problem, just kind of amusing)... Last time in a store in Kansas City I put on an Australian accent (I'm sure it was a bad one, sorry) to try to illustrate the difference but the shop assistant just went red and nervously giggled!
 
So what do we do to try and avoid it? Disable iCloud? Disable find my phone? Two step verification? Change passwords?

How can we defend against it until Apple actually do the right thing and tell us how it's happening?

So today I went to check my email and one of my accounts says wrong password. I checked on my laptop which is set up obviously using the same password. It works fine. I've changed nothing on the phone. And it was working fine last night. Now after reading this I'm reluctant to actually go and input the password again because nobody has any real idea how this hack works.
 
It goes both ways. I was living in Chile and a guy asked where I was from (I am from Arizona, USA). He asked if I knew some other guy in New York. I showed him on a map that the USA is roughly as wide as Chile is long, and the distance between the two.

He felt kind of dumb - he wasn't. He just hadn't thought about it before.

It's like when I get asked by Americans some times. "Hey England is pretty small, do you know John Smith, in London?"

Oh yes, we meet every day for the Queen-mandated 5pm Tea-time. :cool:
 
You have no idea what a "hacker" is.

"In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge."

- Sterling, Bruce (1993). "Part 2(d)". The Hacker Crackdown. McLean, Virginia: IndyPublish.com. p. 61. ISBN 1-4043-0641-2.

Does that about cover it for you?

----------

Same with white collar criminals, death penalty for them too... no more club fed

they do far more damage than hackers (and many regular criminals)

Sounds good to me.
 
Seeing Americans talking about other countries makes me sad.

It's also pretty sad when someone comments that the people of an entire country have a uniform level of ignorance.

So sad.
 
This hacking of iOS devices makes no sense, so let's think it over again.

Instead of rushing to blame Apple, why not consider these simple possibilities:

1) iCloud passwords that are easy to guess. A lot of uneducated or uneducable people still use dumb passwords like their daughter's name, their dog's name, etc. The username is not secret. All a hacker needs to know is the password, and a few guesses or dictionary attack may be enough.
Again, let me reiterate.

My friend's password was not weak, it cannot have been cracked unless it was stored as plain text somewhere. Apple does not store or transmit plain text passwords and the password was not used anywhere else.

Security questions were not used, emails and logs of this are created and my friend only received emails about find my iPhone and spoke to Apple several times over 9 hours to resolve the issue - they would have told her if the security questions had been used.

Now, the most probable cause:
2) A hacker could add code on a website to pop-up a fake iCloud or GameCenter login prompt. The user would then enter the credentials, and the hacker will use them later to take control of the account and lock it.

Here the flaw is in the naive user; some innocent, some stupid.
This is the same approach hackers use to access the big corporations.
Hackers don't try to hack the firewall or the servers directly; instead they find access among the weakest links: the users.
My friend was not a naive user. She's a colleague of mine and we are a company that builds and supports secure online services, she knows what the common attack possibilities are because she sees customers of ours hacked regularly as part of her job.

I think it is highly unlikely the user or the password was attacked. Somebody got access to some kind of database inside Apple's Australia division. We'll probably never find out.
 
"In the computer security context, a hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge."

- Sterling, Bruce (1993). "Part 2(d)". The Hacker Crackdown. McLean, Virginia: IndyPublish.com. p. 61. ISBN 1-4043-0641-2.

Does that about cover it for you?

I guess the point he was trying to make is that hacking itself is not necessarily unlawful or malicious and not all hackers deserve hate and punishments like the criminals involved in the article's unlawful activities. If (as I think) you lifted the description from the article on Wikipedia you should also have noticed the large paragraph about hacker classification and the category of white hats:

A white hat hacker breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement. The EC-Council, also known as the International Council of Electronic Commerce Consultants, is one of those organizations that have developed certifications, courseware, classes, and online training covering the diverse arena of Ethical Hacking.
 
Same things here, both iPads got the "hacked by Oleg Pliss" message, both have passcodes. In Western Australia also. I've chatted with Apple Chat and they said "this is very serious." They've set up a phone call back from the correct department (whoever they are) tomorrow morning so we'll see what happens then. We can access the iPads because they both had passcodes but when an app is used, it comes up with a GameCentre password request; we didn't put it in.
Oh come on guys...... why has no one suggested anagrams of the hacker's claimed name?

I'll start...... "e.g. Piss Lol"
 
Yea, I implied continental US.

Well please be more clear about it. There are 23 separate countries in North America. The US isn't even [physically] the largest.
(e.g. Canada has slightly more landmass than all fifty states combined)
 
Oh come on guys...... why has no one suggested anagrams of the hacker's claimed name?

I'll start...... "e.g. Piss Lol"

Ego Spills?

Seriously though... "logs" is in there. Could they have hacked into log files of some kind? elisp logs? s pile logs? spiel logs?
 
Again, let me reiterate.

My friend's password was not weak, it cannot have been cracked unless it was stored as plain text somewhere. Apple does not store or transmit plain text passwords and the password was not used anywhere else.

Security questions were not used, emails and logs of this are created and my friend only received emails about find my iPhone and spoke to Apple several times over 9 hours to resolve the issue - they would have told her if the security questions had been used.


My friend was not a naive user. She's a colleague of mine and we are a company that builds and supports secure online services, she knows what the common attack possibilities are because she sees customers of ours hacked regularly as part of her job.

I think it is highly unlikely the user or the password was attacked. Somebody got access to some kind of database inside Apple's Australia division. We'll probably never find out.

What about a phishing app on iOS? Possibly only available on the Australian App Store. My devices throw up so many random 'enter your iCloud password' dialogs without giving any reason or explanation, that I'm starting to think it's ripe for exploitation.
 
On Apple's FAQ about 2FA for iCloud, it says that it's evoked "any time you sign in to manage your Apple ID at My Apple ID or make an iTunes, App Store, or iBooks Store purchase from a new device"

How does that work if I have one Apple ID for iCloud, and a different one for iTunes, App Store & Mac App Store purchases?
 