AppleID Hacked, Everything Remote Wiped
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
http://www.tuaw.com/2012/08/04/hacked-icloud-password-leads-to-nightmare/
There seems to be evidence now the password was socially engineered out of Apple Tech Support.
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
You know, the more I think about this, the more I think something is fishy.
What was this guy's motive? Why go through the effort to socially engineer a password, for a journalist, just to wipe their computer, and then confess your methods to said journalist?
I'm not a conspiracy type, but the simplest explanation I can think of which fits these data points is someone wanting to give Apple a black eye.
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Well, and the hacker messaging the journalist was surprising. Then the journalist promising not to press charges for more messaging. I'd be extremely po'd.
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
So everyone's saying that you should use Google's two-step verification process to prevent this type of thing.
I watched this guide:
https://support.google.com/accounts/bin/answer.py?hl=en&topic=1056283&answer=180744&rd=1
and said to hell with it. The best way of keeping things from destroying your whole life is not to link them at all. The hell I'm connecting my phone to Google.
Addicted to MacNN
Join Date: Feb 2001
Location: Your Anus
Yeah, it looks like a major pain in the ass.
I think the secondary, MOST important lesson here is... back up your stuff!!!
My sig is 1 pixel too big.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Seeing as how the guy says his motive was to slam people with bad security, I'd say I more or less called it.
I'm going to suggest an alternate system, which wouldn't have stopped the social engineering exploits, but would have stopped him from leveraging it against Google.
I call it one-factor authentication, which means there is only one factor which can identify you: your unique high-entropy password.
All recovery question responses should be gibberish, and your account should only be able to email itself with reset information.
AFAIK, if you do this, there is no way to get into that account without the correct password. Even if you somehow convince Google to send you a reset, the only way the attacker could access it is if they had the original password in the first place.
As should be obvious, the requirement for this system is you must never lose your passwords. Setting up a system for that will take some effort, but isn't too difficult in this day and age of cloud computing. I use 1Password. LastPass is supposedly excellent, though I haven't used it.
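One way to produce the material the scheme above calls for, a unique high-entropy password per site plus recovery answers that are random strings rather than real facts, and to check each record before it goes into a password manager. This is an added example, not the poster's code and nothing from 1Password or LastPass; the 100-bit policy floor, the 24/20-character lengths, and the 100,000-surname figure used as a baseline for a "real" answer are this example's assumptions.

```python
"""Material for the 'one-factor' scheme: a unique high-entropy password and
gibberish recovery answers per site, with entropy accounting for each."""
import math
import secrets
import string

# secrets draws from the OS CSPRNG. random.choice is seeded from a small,
# recoverable state; never use it for anything that gates an account.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
ANSWER_ALPHABET = string.ascii_letters + string.digits                         # 62 symbols, readable over the phone

# Assumption used only for the baseline: a real "mother's maiden name" is one of
# roughly this many surnames. Not a measured figure.
ASSUMED_SURNAME_COUNT = 100_000


def random_string(alphabet: str, length: int) -> str:
    """Uniformly random string; secrets.choice has no modulo bias."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly from an alphabet: length * log2(size)."""
    return length * math.log2(alphabet_size)


def guessable_answer_bits(candidates: int = ASSUMED_SURNAME_COUNT) -> float:
    """Entropy of a 'real' answer an attacker can enumerate from a list or look up."""
    return math.log2(candidates)


def field_entropy_bits(value: str, alphabet: str) -> float:
    """Ceiling on a stored value's entropy, assuming it was generated by
    random_string over `alphabet`. Anything containing symbols outside the
    alphabet was not generated that way and scores 0. A human-chosen value of
    the right shape still passes, so the policy trusts the generator, not the check."""
    if not value or any(c not in alphabet for c in value):
        return 0.0
    return entropy_bits(len(alphabet), len(value))


def harden_account(site: str, questions, password_len: int = 24, answer_len: int = 20) -> dict:
    """Build the record a password manager would store for one site. Every field is
    generated independently, so nothing is shared across sites and no recovery
    answer is a fact that can be looked up or talked out of a help desk."""
    return {
        "site": site,
        "password": random_string(PASSWORD_ALPHABET, password_len),
        "recovery": {q: random_string(ANSWER_ALPHABET, answer_len) for q in questions},
    }


def entropy_report(record: dict) -> dict:
    """Bits for the password and the weakest recovery answer on the record."""
    answers = record["recovery"].values()
    return {
        "password": field_entropy_bits(record["password"], PASSWORD_ALPHABET),
        "weakest_answer": min((field_entropy_bits(a, ANSWER_ALPHABET) for a in answers), default=0.0),
    }


def meets_policy(record: dict, min_bits: float = 100.0) -> bool:
    """True if the password and every recovery answer carry at least min_bits and
    no two answers on the record are identical (reuse lets one leak open another)."""
    answers = list(record["recovery"].values())
    report = entropy_report(record)
    return (report["password"] >= min_bits
            and bool(answers) and report["weakest_answer"] >= min_bits
            and len(set(answers)) == len(answers))


if __name__ == "__main__":
    rec = harden_account("example.com", ["Mother's maiden name", "First pet"])
    print(rec)
    print(entropy_report(rec), "policy ok:", meets_policy(rec))
    print("a real surname answer is worth about", round(guessable_answer_bits(), 1), "bits")
```

A 20-character answer from the 62-symbol alphabet carries about 119 bits, against roughly 17 bits for a surname drawn from a 100,000-entry list, which is the gap the post is relying on: a help desk cannot be talked into "confirming" a value nobody can know, and the attacker cannot guess it either.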