I just read the guy's story and find it to be suspect. Sounds a lot like a situation where they looked at the way various web sites handled security and password resetting and then set the whole thing up so that they could manufacture this story. Here's one of Mat's previous gems:
http://gizmodo.com/5835410/wikileaks-accidentally-released-dangerous-unredacted-cables

What a great propagandist for the state. And now he works for Wired, who has done far worse:
http://www.salon.com/2010/12/27/wired_5/

He has no credibility, IMO.

Regarding the specifics of his story...why does he have his @me account (which he claims to never use for anything, so he never checks it) set up as a backup email for several sites, instead of, say, his @wired.com email address?

Cool that he was able to deal with all of this stress in just a couple of days, remain calm, write a 4-page article about it, and appear for the photo shoot.

So what's the key takeaway from this article? I suspect it can be found in this quote:
The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.

Look for some politician to propose legislation for some sort of improved security on the internet, all designed around giving the US government further control over the internet.
 
…is what Honan did to piss these guys off?

The original tale was that they dissed him because he fronts that he's a tech expert when he clearly is not. They wanted to teach him a lesson by, it seems, getting into his Twitter and posting one smack. Like the guy that saw a lost iPhone in a bar and decided to keep it only to have it turn out to be a prototype, they got into more than they expected.
 
Secure Credit card info

I'm not sure how your banking works in your country.

I'm from Portugal and I can tell you that our ATM services work great with tons of features.
In my case we have a feature called MBNet, which allows us to create a temporary Visa credit card with the amount of cash that you want and an expiration date as well, and that is the card that I use for buying apps and basically everything on the web.

Like this, my real credit card is never at risk.

Check with your bank about those features, since your privacy is also your responsibility.
 
A few things I take away from this article...

1) The "hack" did not require knowledge of any of his passwords and did not rely on Mat Honan reusing passwords or using weak passwords. (Even though I'd argue that, from a security point of view, a 7-character password does not cut it, in this case password strength was not the cause of the breach.)

2) The chain of events clearly shows that the one truly weak link in all of this is wetware (i.e. in this case person to person customer support.) As soon as you involve two human beings it eventually comes down to one thing: trust. Your account security basically depends on one human (customer support) trusting the information from another (the caller) which is always going to involve a certain measure of risk. Especially if some of that personally identifiable information can be obtained elsewhere by a dishonest individual.

3) Human users, if given the choice to pick their own password and choose their own password strength, often pick easy to guess passwords that lack the needed entropy to withstand a focused brute force attack. Cue password managers with the ability to generate random and sufficiently strong passwords. Also, two factor authentication for important services (e-mail, banking, anything that stores your credit card numbers etc) will seriously reduce the risk of falling victim to security breaches for the end user. The username/password model is going to become more and more fundamentally flawed over time as password brute forcing technologies (e.g. GPU accelerated brute forcing etc) evolve.

4) Secure your e-mail! It's basically the one major point of failure in your online life. If someone gets access to your main e-mail address it's game over and all other services depending on that e-mail for password resets are at risk. Optional two factor authentication should be the industry standard for web based e-mail. (When do we get optional two factor auth for iCloud, Apple?) If you secure your e-mail accounts properly using two factor authentication then you can mitigate some of the risks of unnecessarily having to involve human beings during a password reset. In fact, I'd go as far as to say that, especially if you have activated two factor authentication, a password reset shouldn't even be allowed over the phone using person to person customer support.

Bottom line: humans and security do not go well together. ;)

Cheers, fb0r
 
I just read the guy's story and find it to be suspect. Sounds a lot like a situation where they looked at the way various web sites handled security and password resetting and then set the whole thing up so that they could manufacture this story.

Apple already admitted to this happening.
 
Ok, I'll bite. So what if they did 'manufacture' the event (which, by the way I don't believe they did)? If it can be done then it does constitute a security risk and it needs to be addressed. Period.

As to why he uses certain accounts for different things? Who knows and who cares. That's his business.

And I doubt any legislation will come out of this. I think you can take off your tin foil hat over that. There was no money involved, no huge data breach, no political points to be made. Sorry, one tech blogger (who is mildly know in the small world of tech sites) losing his data just won't freak out many people other than the few who frequent tech forums.
 
Apple already admitted to this happening.

Even Apple can't tell if the hacker and the hacked "journalist" aren't one and the same person or if they are very good friends. Maybe they should check their phone call records. Shouldn't be too difficult to find that out. But I'm afraid the whole weak story isn't worth it.
 
It's actually very possible to be reasonably secure, as long as you take reasonable steps. Multi-factor authentication on email is critical because your email account is the gateway to all your other accounts.

You can never be completely secure, but you can avoid being an easy target. If you're secure enough, the average hacker will get bored and move on to the low-hanging fruit.

While not completely secure ... rolling multiple email accounts for things like 'all forums aka non pay related sites', 'house utilities', 'banking', 'general internet shopping' will go a long way in insulating your different worlds.

No matter how many 'forums' get hacked ... I am assured 10000% that the email and password they steal will be of little value to them at any 'important' sites.

Rolling unique email accounts for Amazon, PayPal, eBay, iTunes would also be wise since they are such HUGE targets... Same for Xbox Live, the Sony service etc etc.

With OS X the mail client does a fantastic job managing all the accounts, and to make things simple, when email comes in it gets auto-filed to a mailbox I have set up on my local machine (backed up) and deleted from its specific IMAP server.

Clean and simple... with very little down side that I can see - email accounts are free and easy to come by.. just spend a little time writing up the rules / filters and you're done.
 
I just read the guy's story and find it to be suspect...He has no credibility, IMO.
I doubt the story is fabricated. If Mat was found to be lying, his career is over.
Look for some politician to propose legislation for some sort of improved security on the internet, all designed around giving the US government further control over the internet.
I do agree with you on this part.
 
Which is why Apple already publicly acknowledged that their Genius Support did not follow proper protocol.

"Apple spokesperson Natalie Kerris told Honan that some internal policies were not followed in his case"
 
Given the standards of journalistic ethics these days I am 90% sure that this entire "crisis" is invented, there is no hacker, and it's a PR stunt for Google.
Your tinfoil hat is slipping.
It's already established that 50% of TV news is faked, not that the general public knows or cares any more.

http://prwatch.org/spin/2011/03/10471/fox-be-fined-fcc-fake-news-cmds-complaint-video-news-releases-nets-new-fines

No, that is not "established," nor does the site you linked support that statement in any way. Maybe you should post your made up "facts" on newsrumors.com and leave the rest of us in peace.

----------

People. Six pages of replies.

Does ANYONE else see this as an attack on Apple when the real problem is AMAZON? If not for Amazon's security issues, the hacker wouldn't have been able to get his credit card information.
Both have problems, and Apple's is more severe than Amazon's because Amazon won't wipe your computer.
When they went back to try again, they already had the credit card information.

That isn't a security risk. That's typical procedure. If you have the username, and the last four of the credit card on the account ANY secure account company will give you that info. For example, I can call AT&T and gain access to my personal account info with the SAME information!
Why do you think this isn't a security risk? It's a huge security risk.
I can also do the same with my debit card number and name at many banks.

Security assumes that you will not give up information like the last four of your card. Most places **** it out. Amazon didn't. That is where the problem exists in this issue.
Completely wrong. Most places *** out everything *except for* the last four digits of your card. Making this information trivial to obtain and stupid to use for security.
 
My reply was to the comment the hacker should go to jail for the destruction of the guy's photos. And I stand by my reply to that comment.

Yeah, well, your blame-the-victim schtick is idiotic. We don't excuse criminals because the victim didn't have insurance. And your argument - that the hackers would go to jail if Honan had backups, but shouldn't go to jail because he didn't have backups - is completely irrational.

All you're really trying to do is feel superior because you have backups, and it makes you feel superior to think that anyone less prepared than you should be penalized for their lack of preparation. Thus making the fact that you have prepared *even more valuable.* Would you feel even better if Honan were killed because he didn't have backups?
 
Solution: Apple needs better security. More than the last 4 digits of the CC and billing address should be required.

No way! Making more than the 4-digits and billing address available to a large group of Apple support employees is too high a risk. PCI (Payment Card Industries) mandates that no more than the last 4 digits be available or visible to anyone without a high security clearance.

But, requiring additional information would be a good idea.
 
Look for some politician to propose legislation for some sort of improved security on the internet, all designed around giving the US government further control over the internet.

Too late. Obama has already been bestowed the power to shut down the internet and text messaging at the snap of his fingers under the latest version of the Communications Act.
 
Does ANYONE else see this as an attack on Apple when the real problem is AMAZON?
They both have the same problem: Insufficient authentication methods.
That isn't a security risk. That's typical procedure. If you have the username, and the last four of the credit card on the account ANY secure account company will give you that info.
Really? Think about how many people have access to your credit card number and billing address. Every time you book a rental car or hotel room or order something online or over the phone, you hand over this information. Way too many people have access to this information even without any social engineering to use it as a secure authentication mechanism for important accounts.
For example, I can call AT&T and gain access to my personal account info with the SAME information!
Bad example. AT&T gives you the option of adding a security code that protects both online access and phone support.
 
Yeah

I'm much more scared about the Amazon trick. Adding a second CC using only your billing address, name and e-mail over the phone? Then using that added information to add a second e-mail address? Now that is scary. There is no information required to add information to your account in the first call. Then the second call gives them full access based on the information added in the first.

Amazon needs this fixed.

Apple requiring the last 4 digits of the CC and a billing address is a bit better, but it's still weak. The last 4 digits are easily obtainable information. At least they don't require different levels of identification for account modifications. They should either increase the identification information they have or ask more questions with the information they do have (last few apps/songs purchased, services you use with Apple (iCloud/Developer/iTunes Music/App Store)). They probably will and this won't really make it less convenient.

The other thing - if you change something like that you should be contacted and be asked "did YOU really mean to do this?" It's unlikely a hacker will have physical access to your phone.
 
Yeah, well, your blame-the-victim schtick is idiotic. We don't excuse criminals because the victim didn't have insurance. And your argument - that the hackers would go to jail if Honan had backups, but shouldn't go to jail because he didn't have backups - is completely irrational.

All you're really trying to do is feel superior because you have backups, and it makes you feel superior to think that anyone less prepared than you should be penalized for their lack of preparation. Thus making the fact that you have prepared *even more valuable.* Would you feel even better if Honan were killed because he didn't have backups?
You are missing the point. The guy should go to jail for breaking laws, not for the emotional effects on Honan. Law isn't about emotion, it's about facts. Losing pictures is Honan's fault, having his accounts hacked is not. Separate points, and YES, it is possible to talk about them separately.

And wearing YOUR emotions on your sleeve for posting on MacRumors is pretty bizarre.
 
Really?

…is what Honan did to piss these guys off? They went to a lot of trouble to just delete his data. There were no financial benefits.

One wonders if he had dirt on some technology company.

It's either a vendetta or a publicity stunt.

From what I can see it was two things:

-He had a three character Twitter account:
It's just as desirable as short usernames, hostnames or domains when you view it from a computer guy perspective. But in some circles, if you "wear the hat without the skills" it makes you a target perhaps.

-I read a post from someone in another thread who claimed that the person who did the majority of the deleting didn't like the fact that he was a technology journalist who "didn't seem to know all that much about computers".

My view on that last bit is that while he's a journalist reporting on technology he is not necessarily a technologist first and a journalist second.

His major strength might be writing and tech is just one of a few things he's reported on in the past.

This would be like expecting cycling journalists to be able to perform on the level of Lance Armstrong rather than just being a weekend cyclist who might do a few triathlons.

So, yeah, those two things were part of it. All the deleting and mass destruction makes you wonder if Mat had a run-in with this guy and the guy held a grudge. Or he just saw the opportunity to make a mess and did it because he knew it would get people talking. See? We're talking about it.

Attention is a powerful drug.

The problem is: unless those guys are really good at what they do they've left a trail of IP address crumbs all over the internet in their little fun which seems to indicate they could be caught. Anonymizers, spoofers and working out of an internet cafe might help but I wonder where they conducted this operation from. They certainly thought about it a while before proceeding.
 
Identity theft is a much bigger problem than most people realize. And no, I don't want to spend $10/month to some company to make sure no bad things happen which aren't my fault. The whole password/security stuff needs to go away and get replaced by something ten times better.
 
Frightening just how easy it is to get into people's personal information. Not even hacking. Just call and ask a few questions. Another reason for me not to use iCloud.
 
This is a pretty good idea. Companies need to provide some way for people who forgot their passwords to gain entry to their accounts without making it possible only with easily farmed information. Recent purchase activity would be a good gatekeeper for Amazon and Apple. Even Gmail should ask the names of frequent contacts.

I thought the last 4 digits of a credit card were way too easy until I read that Amazon only required a billing address. It is difficult to believe. Every dumpster diver and neighbor has that info.

There has been a better system in general use for years. Send the secure password recovery link to the pre-defined recovery email address. More recently companies have pre-defined recovery cellphones as well, which they can text a message to. I'm dismayed that Apple didn't take that standard and simple precaution for something as sensitive as an iCloud password.
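The recovery-link standard described in this post, combined with the two-call "add an address, then reset to it" chain discussed earlier in the thread, as an added Python sketch that is not from any of the posts or from any vendor. The account model, the 24-hour hold on newly added recovery addresses and the 15-minute token lifetime are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical recovery policy (constructed example, not any vendor's code):
#   1. reset links go only to recovery addresses already on file, never to an
#      address supplied during the reset request itself;
#   2. a newly added recovery address is quarantined for HOLD_SECONDS before it
#      may receive reset links, so "add an address, then reset" does not work;
#   3. reset tokens are random, stored only as a hash, time-limited, single-use.
HOLD_SECONDS = 24 * 3600   # assumed quarantine for new recovery addresses
TOKEN_TTL = 15 * 60        # assumed lifetime of a reset link


@dataclass
class Account:
    username: str
    recovery_addresses: Dict[str, float] = field(default_factory=dict)  # addr -> added_at
    reset_token_hash: Optional[bytes] = None
    reset_expires: float = 0.0


def _hash(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


def add_recovery_address(acct: Account, addr: str, now: float) -> None:
    """Record the address; the quarantine clock starts at 'now'."""
    acct.recovery_addresses[addr] = now


def usable_recovery_addresses(acct: Account, now: float) -> List[str]:
    """Only addresses that have been on file for the full hold period."""
    return [a for a, t in acct.recovery_addresses.items() if now - t >= HOLD_SECONDS]


def request_reset(acct: Account, now: float) -> Tuple[Optional[str], List[str]]:
    """Return (token, destinations). Without a matured address no link is issued."""
    dests = usable_recovery_addresses(acct, now)
    if not dests:
        return None, []
    token = secrets.token_urlsafe(32)        # 256 bits of randomness
    acct.reset_token_hash = _hash(token)     # never store the raw token
    acct.reset_expires = now + TOKEN_TTL
    return token, dests


def redeem_reset(acct: Account, token: str, now: float) -> bool:
    """Constant-time check against the stored hash; a successful token is burned."""
    if acct.reset_token_hash is None or now > acct.reset_expires:
        return False
    if not hmac.compare_digest(_hash(token), acct.reset_token_hash):
        return False
    acct.reset_token_hash = None             # single use
    acct.reset_expires = 0.0
    return True
```

A real deployment would also notify every address on file when a recovery address is added, which is the "did YOU really mean to do this?" confirmation another poster asked for.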
 