Damn, poor dude. The remote wipe was a pretty big asshole move.
I'm pretty curious about the initial break-in on his .mac account. I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.
There are a handful of takeaways from this:
- Backups, obviously. A lot of people here so far are mentioning online backup services, but those would be just as vulnerable to this kind of attack, since they're accessible online and use an email account for password resets. Online backup services and physical offline backups solve different problems and it's a good idea to use both.
- Since I haven't seen this mentioned anywhere else: I wonder if it's time to consider keeping a "secret" email account that's only used as the password-reset account for all of your services? Something that you never use for communication, never publish anywhere, something with its own entirely separate password.
- Be careful about owning multiple devices from a single vendor that provides remote access and other kinds of control to those devices. Mobile devices are inherently insecure; they shouldn't carry sensitive personal information, ever. There are a lot of really good reasons for going with a single vendor, and remote wipe is a really valuable tool in case of theft, but the downside is ... well, this.
- Use some kind of password storage mechanism. (I prefer something that's not tied in to a publicly-accessible service.) I've made a game out of memorizing horrible passwords, and can recall quite a few without any patterns or mnemonics or the like. Still, I use KeePass every day anyway.
And maybe most of all: I doubt there's a single one of us that has a moral high horse to ride on this. Everybody always has something better to do than set up a new backup system or dick around with something that will only maybe hurt them someday. I'm constantly harping on other people about backups, but only a couple of days ago got my development machine on our network backup system; I'm pretty anal about passwords, but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file that I've forgotten about, and there'll be a chance that I'll forget to change that particular password if I find myself having to suddenly change every single password for everything I've got access to.
+1 for the moral high horse. Every time something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses. And every person or team is imperfect. Sure there are lessons to learn, but let's show some sympathy and ask the persons involved what they would improve, not assume that we understand everything and dictate what they should have done.
Except in this case we're talking about a solved problem. The simple rule - and it really is simple - is 3/2/1: three copies, two local, and one remote. Anything less is "backup", not backup.
Time Machine (a free utility that ships with OSX, not a military-grade absurdity) would have handled the full restoration of the laptop, which could then restore the wiped iPad and iPhone fully. He'd still have the email hacks to contend with, but at least he'd have his tools back.
It's not his fault that he became a target, and blame for the attack should be firmly limited to the aggressor. But the severity of the consequence was clearly amplified by substantial incompetence and / or indifference on his part.
I recently tried a full system restore from Time Machine (from the Disk Utility in Recovery) on a zeroed out partition and it kept failing midway giving me a generic error. Ended up installing OS fresh and restoring files selectively inside Time Machine.
I've lost a lot of respect for Time Machine since then.
As a counterpoint, I have an office full of Macs and TimeMachine on a Synology NAS. Everybody lurvs it. I have done 3 full restores and 2 migrations with it (not even going to count the number of "oh, shit!" events). It couldn't be any simpler. As the office Mac expert I have to do very little except boot into recovery mode and get it on the network.
I'm not sure what your error was but it might have been for the best. If there was corruption in the backup image then you'd be complaining about how it restored a corrupt backup.
I also failed my TM restore but that was back in 2007 - it's since improved a lot, but I still keep a roughly 2-3mo old imaged disk - ie, SuperDuper/CarbonCopyCloner. This restore also takes only minutes, as you can boot from external.
I'm curious how remote wipe acts when a computer has multiple partitions or multiple drives (internal or otherwise); would a remote wipe with a connected USB drive for time machine nuke that too?
How is it even possible? iOS devices back themselves up every time they are plugged into a Mac automatically, and it's really difficult not to have a Mac backup; Time Machine just does it automatically whenever it feels like it. I find that within the Mac ecosphere, it's hard not to have backups.
I backup gmail with gmvault to a thumb drive, which I suppose is beyond many non technical people, but I'm sure google will figure out how to restore his account without much difficulty.
I wish I knew how this person knew how his password was compromised; it sounds reasonably secure.
I suspect a lot of people ONLY have the devices, and have not spent the extra few hundred on any kind of backup. A Time Capsule? A third-party remote backup service? An external HD? That costs MONEY!
I personally haven't plugged my iPad into my Mac in ages. Then again I've also made damn sure it's backing itself up to the cloud. I'm not sure if this is the default setting. It should be, IMHO.
(And I gotta say, it's really freeing to know that even if all my possessions are destroyed, I will have lost at most a day or so of work.)
Backing up to the cloud isn't going to help in this guy's situation. The malicious user had access to his iCloud account to remote wipe his devices; they would (did?) just as easily delete his cloud backups.
I have apps in the App Store and have to deal with a certain level of technical support. You'd be amazed how few people still plug their iOS devices into the master computer.
Gmvault stores your Gmail password locally. An alternative is using an email client which can download your Gmail using POP3. Most clients let you choose whether to store the password. You can set up your own folders and filters if your email client supports it.
Gmvault uses mainly OAuth to authenticate you so there is no need to store any passwords. The token will only allow you to access your Gmail account via IMAP.
As an alternative there is a mode where you can use your Gmail password and it can be saved, but this is not recommended.
I had no idea about a Gmail backup solution. I just had a network of duplicate accounts which get copies of mails and password resets if my primary ever got hacked.
> +1 for the moral high horse. Every time something gets hacked the hacker community blames the victim for using less-than-optimal security. Well guess what? There is no foolproof system. The same reactions are seen when sites go down. 'Oh, but they should have used a distributed, redundant buzzword compliant system in a multitude of nuclear bunkers and this would never have happened'. Every system has weaknesses.
In this case, the guy had ALL his shit wiped. Not a clumsy move at work causing months of extra work, or some dickhead hacker having some fun with your account credentials, no they actually thoroughly deleted a huge chunk of his personal data.
See it's like, if a pyromaniac burns down someone's home, maybe there were ways to prevent that, but you don't go blaming the victim then either. Sometimes the first thing is sympathy. There's times to be heartless and times to be not.
Remote-wiping all his personal stuff was so unnecessarily malicious, sympathy comes first. And besides, in this case, not having any non-remote-wipeable backups, the only thing you could possibly maybe blame him for is putting all his stuff in the cloud. Yeah no not smart, maybe, but it simply doesn't weigh up to the fact that someone actually went through the trouble of meticulously deleting all of it. Not stealing, or defacing, but deleting.
OK, so now I know that I need to hack your dns server or your registrar instead - then I'd just publish MX records for your domain and head off to all the "I forgot my password" links I can find.
It's turtles^h^h^h^h^h^h^hsecurity problems all the way down…
Yes. I am aware that there are further attacks, and I mention that in the blog post. There is still significant security value in doing what I'm doing though.
For sure - sorry if I gave the impression that I thought otherwise. There's a big win in making it impossible for me to trawl through all your old mail looking for "interesting" things. It's a very nice idea.
No it's not, but anyone who runs their own mail server can do it, and anyone who provides a mail service for others could provide it as an option. Hell, even Google could implement it, and add a simple "Upload your public key" option to their preferences page. Maybe doing it as one of their Google Labs things. Obviously, they could implement it in a much more efficient fashion than the implementation I provided.
I really like the idea, but what if someone hacks into your email server and just turns off the encryption step / reads the incoming traffic? I assume they won't have your private key in that case, but crazy-few sites require and check (or even allow?) encrypted emails as validation, so they could still masquerade as you until someone checked the numbers.
"There are obvious caveats to this solution though. If somebody gets root on my server or access to the network, they can sniff the emails on the way in before they're encrypted. This won't help them access historical email which was encrypted before they started though. Also, if somebody installs a trojan on my laptop it's game over; they can grab my private PGP key, and use a keylogger to get the password for the key."
There is no "perfect" solution. There will always be attack vectors. I just removed a few. Specifically, compromising my email account, or compromising one of my clients (in certain ways).
Two-factor authentication should make it much harder for somebody to break into your email account (secret or otherwise) and reset your passwords.
Instead of memorizing horrible passwords, have you tried making a non-horrible passphrase by rolling dice and picking words out of a dictionary? Arnold Reinhold calls it Diceware:
It isn't easy to develop these habits, but my data is priceless to me. I know that too well because I've lost some of it, and it still hurts. So I've made it a tradition to chip away at it on daylight savings sundays: update clocks, check smoke detectors, work on backups, shame friends into doing same....
While two-factor authentication may be a good idea to gain access to sensitive information, I'm not sure it would be practical to use it for remote wiping devices. Typically the device you would want to wipe is one of the two factors.
(Which underlines the point that you need to do backups...)
Google's 2-factor auth comes with a list of one-time disposable keys one can use in place of not having their smartphone. I've had to use one specifically because I flashed a new ROM onto the Android device I was using before I thought about how I would set up the new ROM as a new device, which required me to log into my Google account. Almost the same idea as having the device get remote wiped unexpectedly. I keep a printed list of these keys in my fire safe at home with other important documents, like my birth certificate and passport.
Google will also call your home phone number and audibly speak a code to you if desired.
(Incidentally, you can backup and restore /data/data/com.google.android.apps.authenticator2/databases/databases via adb pull/adb push and you don't have to do the "painful" restore. It's slightly less secure, but I keep a copy on my SD card.)
Giant-flashing-neon-warning: if your phone's rooted (needs to be to pull /data), an attacker can pull it too. Use a passcode and enable full-device encryption (passcodes don't block recovery) to defend against this. If you're making full-image backups, wherever they're stored (on-device or elsewhere) needs to be secure too.
PS: even if you aren't rooted, if your device can be rooted w/o a wipe, you should consider yourself just as vulnerable and enable FDE as well.
Yup, absolutely. I run FDE mostly just out of a personal policy that anything that someone can pick up and walk off with is encrypted, but this is a very good point.
The DB is a SQLite3 database containing plaintext tokens and the account names they are used with, so while the attacker would still need your password, they can generate new tokens with that data.
Good policy upon losing any device that contains 2FA information is to use one of your backup codes to log into your account, remove the 2FA, and re-add it, thereby invalidating the old token secret. Thus, even if someone has your unprotected DB, they can't generate tokens for your account.
I think it's a bit hyperbolic to call it half the web. Only a small handful of sites cap password lengths. They might happen to be sites you use, but it's not nearly as common a practice as you seem to think.
I don't think you're correct. Anyone who's storing a password in plaintext is probably going to use a fixed-width field to do so. I'd bet half the internet stores plaintext passwords. A lot of the web is one-off e-commerce systems that no one should trust anything with.
> but still I'll panic pretty badly if my laptop is ever stolen, because in there, somewhere, is probably a plain text password stored in a file
You really should consider using whole disk encryption like FileVault or PGP-WDE. Encrypting a single directory or a home directory is not a good solution.
I use TrueCrypt. I put all the files I create into a single encrypted volume. I copy that encrypted file to a thumb drive and bury it in the backyard. I don't encrypt the entire hard drive, though, something I should probably do to protect the recycle bin and whatnot.
I suspect that either he's misremembering and he has used the password elsewhere (and it was compromised there -- easy to happen over so many years of use), or it wasn't very strong to begin with and it got guessed after a handful of attempts.
This may not be the case. Computers are very fast at checking passwords, and if Apple doesn't deliberately slow the login process for all authentication scenarios it is easy to check a lot of passwords in parallel.
The secret email account only for password recoveries is a great idea. Same issue cloudflare had back when they were hacked.
I use Google Apps for Business for email hosting and even set up a secret email account that is used as the admin account (which can set up users and change passwords). I think most people that use Google Apps set up their primary email address as the admin account, but if that account gets compromised it's incredibly easy to reset the password on every account on your domain.
Online backup systems should, generally, be ok even if temporarily compromised since they will keep copies of stuff even if you delete it. (Dropbox does this for FREE accounts.)
The problem is backing up big stuff -- I've got my working docs backed up the wazoo (I can even backup large multimedia/game projects to Dropbox) but my photo and media libraries are unmanageable.
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location..."
-- Dennis Hughes, FBI.
The same goes for USB disks. I prefer to have one of my backup drives inactive most of the time and out of plain sight (in case of theft from my home).
Because he was a Mac user, he should've been using Time Machine. It can be hosted on a network partition at your home so you don't even have to remember to plug in a backup drive. And in OS X 10.8, you can assign multiple disks and it'll keep them all up to date if they're accessible at the time. So one can be on your home network, another at your work network, and yet another on a physical drive that you can keep locked away in a safe or something. Just pull it out once a month to back up all your Macs.
Echoing this, because it happened to me. And in that case I was very happy I backed up my most important things to some sort of "cloud" (a combination of GMail, creative portfolio stuff on a few webservers, projects I had sent to friends and a couple of those filelocker sites).
Additionally, SD cards turn out to be some of the most resilient data storage media I've personally witnessed. Probably helped that it was encased in a camera, which was kaput, but the photos on it were fine, not even data-bent.
And a year later I found in a box of my damaged CDs some more treasures on a couple of really old DVD backups that actually still worked :D (I never bothered to really unpack the boxes of partially blackened and warped CDs--there's no need in the age of MP3, and after a while you've really seen enough boxes of sooty crap smelling like burnt plastic)
My basic lesson from this is: spread your data and risks around.
Though, none of that stuff was encrypted. Just the stuff I kept online was passworded and do friends count as a two-factor auth? :-)
Sorry to hear about your house fire. I wonder, would it be feasible to bury a small portable hard drive in the garden or something, and have a conduit running up near the house? It'd be cute to have a USB port on the wall which you plug your laptop into when you want to make a physical backup. No thief (or house fire) is going to trace down a USB lead that's poking out from the ground or wall.
It's taking Apple's "Time Capsule" branding to the extreme literal sense.
Hahaha! No idea if it'd be feasible (my apt is at 1st floor anyway, I have no garden), but it'd be cool as hell to load your backups onto a USB cable that goes underground :-)
Every week or so a potential client comes to us and describes, in one way or another, this general scenario. They ask "what if someone breaks into my server that I am backing up to you, and then using the SSH key, logs into my rsync.net account and wipes all of that out as well."
So for the last 6 years or so (we've been providing offsite backup since 2001) we have offered "pull backups" to our customers that request it. We give them our public SSH key, and we log in and rsync their data back to us.
Also, RE: the previous comment about not having your data consolidated to a single provider, we run an ad on reddit regularly making the same point:
One additional thing you can do is add a "command=..." parameter to your ssh authorized_keys file to limit what can be done with that key. For example, you can set it to run a script which only allows new files to be added to the backup, but not deleted.
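The forced-command approach described above, as an added example that is not rsync.net's own code: a wrapper installed via `command="..."` in `authorized_keys` that only lets the key run rsync in server/receive mode into one directory, refusing delete options and pulls. The path `/usr/local/bin/backup-only.py` and the root `/srv/backup/client1` are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command wrapper for a push-only backup key (added example).

Install it in ~/.ssh/authorized_keys on the backup server, e.g.:

  command="/usr/local/bin/backup-only.py /srv/backup/client1",no-pty,no-port-forwarding,no-X11-forwarding ssh-ed25519 AAAA...

sshd ignores whatever command the client asked for and runs this script
instead, exposing the client's request in $SSH_ORIGINAL_COMMAND. Only an
rsync server-side *receive* into the configured directory is allowed.
"""
import os
import shlex
import sys

# Long options that would let a compromised client remove data already backed up.
DESTRUCTIVE_OPTS = {
    "--delete", "--delete-before", "--delete-during", "--delete-after",
    "--delete-delay", "--delete-excluded", "--del", "--remove-source-files",
    "--inplace",
}


def is_allowed(original_cmd: str, backup_root: str) -> bool:
    """Return True only for 'rsync --server [opts] . <dest>' with <dest> under backup_root."""
    try:
        argv = shlex.split(original_cmd)
    except ValueError:  # unbalanced quotes etc.
        return False
    if len(argv) < 3 or argv[0] != "rsync" or argv[1] != "--server":
        return False

    opts = [a for a in argv[2:] if a.startswith("-")]
    positional = [a for a in argv[2:] if not a.startswith("-")]

    # "--sender" means the client wants to *pull* files back out: not a backup push.
    if "--sender" in opts:
        return False
    for opt in opts:
        if opt.split("=", 1)[0] in DESTRUCTIVE_OPTS:
            return False

    # A push is always "rsync --server <opts> . <destination>".
    if len(positional) != 2 or positional[0] != ".":
        return False

    root = os.path.realpath(backup_root)
    dest = os.path.realpath(os.path.join(root, positional[1]))
    return dest == root or dest.startswith(root + os.sep)


def main() -> int:
    if len(sys.argv) != 2:
        print("usage: backup-only.py <backup_root>", file=sys.stderr)
        return 2
    cmd = os.environ.get("SSH_ORIGINAL_COMMAND", "")
    if not is_allowed(cmd, sys.argv[1]):
        print("rejected: this key may only push rsync backups", file=sys.stderr)
        return 1
    # Hand over to the real rsync with exactly the vetted arguments.
    os.execvp("rsync", shlex.split(cmd))
    return 1  # not reached


if __name__ == "__main__":
    sys.exit(main())
```

rsync itself ships a wrapper with similar goals, `rrsync`, in its support directory. A push without delete options still overwrites files that changed on the client, so pair this with server-side snapshots so a corrupted push cannot replace the last good copy.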
Happy to see someone else not willing or not able to let files disappear in the cloud. For photo and media I keep them on two 500GB USB drives, one at home and one at the office, and keep them in sync with the wonderful tool unison.
I have redundant backups. Everything gets backed up locally with Time Machine very regularly. Then nightly (or more, depending on volume) it gets shipped off to Backblaze.
It gives me quick responses if I need to restore something, but if my house blows up, I'm only $100 and a FedEx visit away from having everything back.
Best guess for initial break-in is phishing. I've always thought there should be a "sudo" light/display on the monitor that can only be accessed by the superuser, making attackers unable to completely mimic a dialog requesting secure access.
One thing that worries me about iCloud is that it puts a lot of data and services behind one single password.
Said password is therefore used a lot, with a lot of chances for interception. But most of all, it's used for trivial matters in which password typing is a nuisance (installing a cheap iPhone app), which pretty much invites people to use a weak, easy to type password.
iCloud should have multiple, completely separate forms of authentication for services like Find My Mac, instead of using the same login for wiping all your Apple hardware as you use to download Angry Birds...
Your email, contacts, calendar, location, phone security, documents, files, music, videos, games, apps, credit card details, merchant account, search history, web app hosting, etc., all on one account.
Google 2 factor authentication needs 3 things: your Google username, your password, and the token number generated by the authentication application. Stealing your phone gets one of those things.
Or, what if my iCloud gets hacked and my iPhone is remotely erased, can I still access my Gmail and Facebook enough to remove my phone from them?
You get 10 single-use codes to print out for this situation. You can revoke these codes and generate new ones whenever and as often as you like.
Your concerns were all similar to what I had. Another was that I have programs that need programmatic access to my Google account and I don't want to rewrite them to use 2-factor authentication. That is solved by generating a revocable application-specific password.
I found that turning it on and trying it out answered a lot of concerns I had.
How many recovery codes can you print out, and how many can you use? My cell provider (Avea, in Turkey) doesn't seem to pass automated SMS messages on, which has stopped me from using two-factor.
lolwut. and you still keep on using their services? Dude, get to Turkcell or Vodafone and use two-factor if you value your data.
edit:
downgrade if you want to but it will be the day of my death when I let a provider dictate my needs and wants with its stupid rules and regulations. I pay for their services and barring unreasonable ones they have to provide what I need. And passing automated SMSes is something that is not unreasonable.
Google Authenticator is available for iOS, Android and BlackBerry, and there are compatible third-party implementations for Windows Phone 7, Windows Mobile, J2ME, PalmOS and webOS. Just search for OATH - it's the open algorithm that Google Authenticator implements.
I don't have a Turkish bank, so I can't speak to that, and every time I have needed it was an out of country issue.
And not having the bank because I'm still waiting for a residence permit, which means I'm still doing the kontor thing rather than having a plan, something that's much cheaper with AVEA.
Phone companies are often quite stupid about letting phone numbers (with their texts) get redirected. Like you don't have to know any private information, just have a good story stupid.
I'd hardly say people routinely bypass Google's two factor authentication (using the smartphone application), which is what I'm suggesting here.
I'm aware of one incident (the Cloudflare hack), but that seemed to be more a vulnerability in the password reset functionality than the authentication mechanism.
whilst this might be true - I get the feeling this is more of a "targeted attack" - rather than a target of opportunity. 2-factor is surely one of the best options we currently have to secure ourselves?
They are gradually adding more options. There are now single use passwords for some services (I have them for Chrome and Android). Plus they support two factor authentication.
That damn account password kills me. A single password which you have to enter heaps of times on iOS. If having one password meant you only entered it once I'd cope, but it's for email, iCloud, iMessage, home sharing music, home sharing video, notes, Find My Phone, App Store. It's so slow to set a device up, especially if you have a decent password. I wish they would fix it.
I know. But if I could enter it once as some kind of 'log into everything' option it would be great. It's so annoying to do on phone, iPad, laptop, Apple TV etc. that I change my password too rarely as it's so painful. Nasty aftershocks too (oh, so I have to find the Apple TV remote to enable my account so that I can accept my phone as the remote).
Perhaps it should ask an additional security question or passphrase for 'dangerous' operations like remote wipe.
Two-factor authentication (using say your phone like Google) wouldn't work however because typically it's your phone that is stolen and you are trying to wipe.
"He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on."
Of all the issues surrounding this event, this one concerns me most. Most users would not be able to escalate like this. Hosted services need to be providing this level of support to all customers 24/7/365 - or at least offer it as a premium option.
I have this - and I had reason to call it recently due to a technical issue.
In short: I'd paid in advance for a 1-year Apps account a month before the monthly billing came into place. My credit card expired with 11 months of the contract left, but they suspended the account as that appears to be policy with the new monthly billing system. I received no email asking to update the card prior to suspension. This suspended all the services it was connected to. Call centre couldn't help, account was down for 18h - they just said wait for the new card to propagate.
I'm sure if a journalist from Gawker had posted this to HN it would have been resolved with more urgency.
Everyone's focusing on the security of the password and iCloud, but I just wanted to take a second to say: fuck who did this. Yes he should have backups, but erasing someone's things is such a juvenile thing to enjoy.
Edit: Surprised to see Cloudflare is proxying their website. I understand wanting to be impartial, but I think it's fairly easy to draw the line at groups breaking the law.
erasing someone's things is such a juvenile thing to enjoy
I don't know what part of the world you're in, but here (in the UK) it'd actually be a criminal offense carrying a multi-year prison sentence under the Computer Misuse Act.
I'm wondering at what point the police or law enforcement get involved in the US?
This is the only case I can think of where non-classified information leaks were prosecuted: http://en.wikipedia.org/wiki/Sarah_Palin_email_hack (There are probably more, but I can't imagine any would actually disprove my point.)
Usually the FBI is the agency that you go to with this stuff, and they usually don't help unless you can claim X hundreds of thousands of dollars in losses. Basically, they only care about rich people and corporations. Hackers are given a blank cheque so long as they only do small amounts of financially quantifiable damage.
As with so many other things in the United States, it is de facto only a crime if it happens to someone rich or well-connected. Mr. Honan is probably on the bubble, there. If it happened to me, a no-namer with skimpy assets, the thought of the FBI getting involved would be a punchline.
I'm sure most feel bad for the guy, but although the hacker's actions were malicious, that doesn't allow the victim to just get off the hook for having a silly password - if that was the case.
If he really hasn't used that password anywhere else and it was not based on a dictionary word, then I highly doubt OP's password was brute-forced.
Brute-forcing the iCloud password is an online attack and would probably (hopefully) be caught by Apple.
What is more likely is a keylogger or similar malware, at which point even a longer password would not have helped. The days where Macs are free of malware are unfortunately over.
Or maybe there's a problem with the iCloud auth protocol, and it was snooped? For example, that in-app purchase hack (which involved a MITM attack after installing a custom SSL CA) revealed passwords were being sent "in the clear" inside the SSL transport.
My first impression is that either a session token or password was intercepted from iCloud either via malware or MITM. But the post mentions that the iCloud password was reset, which means the account may have been hacked via Apple ID security questions[1]
When I just did this for my own account, the first security question is your date of birth, which is easy to find for anybody via Facebook. The second was a generic security question.
These are easy to guess or to find out via social media. You could spearphish a user by sending them a free account to a web service and asking them the same security questions on registration.
The security isn't adequate, considering the data that is held behind an Apple ID. I also can't believe they have a delete feature that can not be undone.
For my own account I have done a few things. First I have a secret email address for online accounts that require higher security. These emails are unique for each service and are not published anywhere. I have also removed all of my personal information from my social accounts, such as date of birth, name of school, etc. and my security answers are always random strings.
The other option is that malware was used, or a transparent proxy. If iCloud doesn't verify the server certificate it would be straightforward to proxy the HTTPS requests. iCloud will also always send out connection attempts every x minutes, so if you accidentally connect to a public WiFi hotspot or personal network with an intercepting proxy set up, you can have your password stolen in a matter of minutes.
I am also not super-confident about two-factor auth. I noticed that with Google Apps the verification SMS messages can be read using the web interface for my telco provider. A web interface that is protected by nothing more than an email address and password with the same weak security questions.
I think it is very feasible to hack around second-factor SMS notifications by first hacking the telco provider web interface and reading then deleting the SMS alerts. You are only as secure as the weakest link in the chain.
"I am also not super-confident about two-factor auth. I noticed that with Google Apps the verification SMS messages can be read using the web interface for my telco provider. A web interface that is protected by nothing more than an email address and password with the same weak security questions."
While Google DOES have an SMS second factor, I highly recommend using their Google Authenticator app [1] instead, which generates the code directly on your phone, sans network communication.
I like your method of:
- Separate, secret accounts for signups
- Random strings (i.e. passwords) as answers for security questions
I've always used a pseudo-password (i.e. it's a standard response of mine that isn't related to the question) for security questions given how weak they are.
Very good point. As a reporter of Gizmodo he might have tried the hack.
I do believe though that sending a password "in the clear" over SSL is totally sufficient. SSL was designed exactly for sending sensitive information like passwords.
We can't blame Apple for not designing a protocol (it might be just plain HTTP basic over SSL) with people in mind that turn off SSL security in order to get access to paid content without paying.
In this case you are betting on captured SSL traffic never being able to be cracked in the future, offline. (Consider: Someone logs SSL traffic and waits for the next Debian OpenSSL bug (DSA-1571-1) to be revealed)
I think it would be a great improvement to have some kind of challenge-response nonce/timestamp hash thing going. So that even if the plaintext of an SSL connection were to be revealed at some point, you couldn't deduce the password-equivalent.
The problem with challenge/response and nonces is that the server and the client both need to have access to something secret to encrypt the nonce with. This usually means storing the plain text password on the server or at least a hash of it which then would be used to encrypt the nonce.
But this also means that when your user database gets lost, all accounts are instantly compromised without the attacker having to do any kind of brute-forcing.
Unless you notice an intrusion immediately, the damage that can be done in such a configuration is way bigger than if the server gets the secret thing from the client and does the hashing there, because now an attacker has to individually brute-force the various accounts (keeping at least those who chose a strong password safe).
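The trade-off the two comments above describe can be made concrete. The following is an added example (not from either commenter) contrasting a server that hashes the submitted password with a salted slow KDF against a challenge/response scheme whose server must store a password-equivalent key; the PBKDF2 round count and the SHA-256 key derivation are assumptions chosen for the illustration. The last two functions show what a stolen user database yields in each design without any guessing.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


# --- Scheme A: password sent over TLS, server does salted slow hashing -------------------
def enroll_hashed(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def login_hashed(record: dict, submitted_password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", submitted_password.encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(record["hash"], digest)


# --- Scheme B: nonce challenge/response, server stores a password-equivalent key ----------
def enroll_challenge_response(password: str) -> dict:
    # Both sides must compute the same key, so the server keeps a deterministic derivation.
    # No salt and no slow KDF can help here: whatever is stored IS the authenticator.
    return {"key": hashlib.sha256(password.encode()).digest()}


def client_response(password: str, nonce: bytes) -> bytes:
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def login_challenge_response(record: dict, nonce: bytes, response: bytes) -> bool:
    expected = hmac.new(record["key"], nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


# --- What a leaked user database buys the thief, with zero brute force ---------------------
def stolen_hashed_record_logs_in(record: dict) -> bool:
    # The thief holds only salt+hash; replaying the hash as the password does not verify.
    # Each account still has to be guessed individually against a slow, salted KDF.
    return login_hashed(record, record["hash"].hex())


def stolen_cr_record_logs_in(record: dict, nonce: bytes) -> bool:
    # The stored key answers any challenge directly; the password itself is never needed.
    forged = hmac.new(record["key"], nonce, hashlib.sha256).digest()
    return login_challenge_response(record, nonce, forged)
```

This is why the usual advice is "TLS plus server-side salted slow hashing" rather than a home-grown nonce scheme: the nonce protects the wire, but moves the whole risk onto the stored key.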
Even if perfect forward secrecy was not doable, I assume it's far less likely for an attacker to brute force my SSL private key than it is for them to acquire my user database - not that I want that to happen of course.
That's a good point. On the other hand, with the ECDHE / PFS scheme, aren't you still at risk for an implementation specific bug like the Debian incident? (I.e. the server or client only ever picks the a/b factors from a very limited range?)
Anyways, your suggestion sounds much better than my initial nonce suggestion. :)
Hi, I'm Mat Honan (the guy who was hacked). I've been in touch with the person who hacked my account. He says it wasn't brute force, or guessed. I'll publish more when I know more.
To be clear, the password was unique. I use 1password as a password manager and even double checked to make sure that I wasn't using it anywhere else.
That's it, I'm disabling "Find my mac". I guess it wouldn't work anyways if a thief is far away from my home or work wifi. So in essence, it's a remote wipe backdoor for when the device is in my possession, and useless if it's stolen.
FileVault2 should take care of the theft problem anyways.
Too bad you can't partially-enable Find my mac for the location service, while disabling the remote wipe and lock services.
Instead of only disabling Find my Mac, please make sure your backups are functional and enabled. That way, if your machine fails or gets wiped (whether it's by you, a thief or someone with your iCloud password), you can still recover everything.
Sure. But should something like this happen, I'd prefer to not waste time having to sit through a complete reinstall before I can start damage control by changing passwords online, etc.
I don't think getting hold of the iCloud password would let anyone "own" my mac. (The only things they should be able to do with that would be messing with my synced address book, notes and photostream - and if "find my mac" was enabled, perform a remote wipe).
Use FileVault 2 and remote wipe is no longer necessary.
On current Macs, a live USB stick might be a better idea than a live CD. Or even better a bootable backup created with Carbon Copy Cloner (CCC) or SuperDuper.
Think of the trade off: what's the likelihood that you won't be able to find a computer...ANY computer...to login to your accounts...versus the likelihood that someone can compromise the stolen computer's entire HD?
(this is less of an issue if you're encrypting everything)
How would it connect to the iCloud services? The mac doesn't have a built-in 3G connection, so the only way it can go online is through previously-stored wifi associations.
The hostility towards this guy in the comments is astounding. I already had low expectations for comments on blogs, but this took it to a whole new level.
Honestly, it gives the impression that some of the commenters are from the internet. As sad as it is, you can kind of expect shit like that from completely disinterested parties who just want to be assholes.
Wandering a bit OT, admittedly, but I feel obliged to push back against this notion. I know you didn't mean it this way, but I see it too often to wave away worse examples of abusive behavior, and it's just not healthy.
The "nicest guy" would not use language like "bitch" or "fag" in comments (to pull the first example I saw in that post's responses), because this implies an assumption that comparing the target to a woman or a gay man should be received as a deeply cutting insult. And this alone acts as enough of a cover for me to judge that book, really.
No, these are in fact rather horrible little people, and it wouldn't surprise me if they were in league with the perps who erased this guy's stuff for teh lulz or whatever.
Yeah, you're right, the behaviour is intensified on the Internet, probably because of a greater perceived sense of anonymity. On the road, you've got license plates, people with cameras, cops, the risk of getting into an accident, etc. to occasionally keep people in check.
But to clarify my earlier point, if the nicest guy can turn into a bad person on the road, imagine what a not-so-nice person can turn into.
Since the password is no longer in use (only assuming), it would be interesting to know what it was - perhaps the reason that it was hacked was that it simply was easy to brute force due to common dictionary words?
That still raises some questions. You're either implying Apple allow enough login attempts for brute force against their live web services to be possible, or that someone somehow got hold of the password hash.
Without knowing the guy, I strongly suspect a reused password that was exposed somewhere other than Apple/iCloud. Anyone want to bet against this Gizmodo guy's password being in the Gawker password dump?
This is why I use two factor authentication for my email. It's a usability nightmare, but not as much of a nightmare as losing all my accounts everywhere.
Two factor is magnitudes better than password only, but it's not foolproof.
Security is only as strong as the weakest link. CloudFlare was hacked recently because the attacker was able to redirect voicemail to another account, then use the two-factor backup recovery phone option to take control of Google Authenticator.
You can no longer recover a Google account via a voicemail message, and AT&T now allows you to lock changes to your account with a passcode. And, the people that committed this particular attack are now in jail awaiting trial.
Google's is pretty easy to use, but the problem is that it doesn't scale to other providers. In addition to my phone, I also have a PayPal credit-card-sized token, and my brokerage only issues key-chain RSA keys. So now I have to have my phone, my wallet, and my keys with me in case I need to use certain websites. It would be better if everyone agreed on a standard algorithm and used it, but that's not what's happened.
This is one of the reasons why I have a different Apple ID for app purchases (with a weaker password which I'm more comfortable typing over and over again when purchasing apps) and a different one for iCloud (which I need to type only once, when configuring the device).
I saw many people buying their apps in public and the password input in iOS isn't really secure from bystanders. As a Gizmodo reporter he probably went to dozens of events where he was pitched to try someone's app and maybe even given App Store codes. If he used to download apps at such events that might be the source of his leaked password. Someone could simply see what password he is typing.
As long as Apple requires you to type the password with each purchase, it is wise to separate your sensitive data/services with the App Store credentials.
If you get the chance to watch a kid playing with an iPhone it's an eye opener. The 15min no auth required again window after an app purchase is the devil's time.
What difference does it make how strong the password is? It was a seven-digit alphanumeric password, right? Is iCloud going to permit up to 36^7-1 failed login attempts in a row without rate-limiting, banning, or launching missiles at the owner of the offending IP address?
Assuming the answer is no, there are only two remaining alternatives: 1) Someone targeted and keylogged him to obtain the password, in which case it doesn't matter how strong the password is; or 2) Someone hacked iCloud itself and stole their (presumably unsalted) password file.
In that case, yeah, a stronger password might've helped. Bad user. No cookie.
But if he thinks he's having a rough night, consider what scenario #2 would mean to Apple. The impact of an iCloud hack would be measured in multiple billions of dollars of market capitalization.
It's a good point actually - does iCloud in any way prevent multiple account logins?
There's another possibility: he re-used his iCloud password on another account, that was compromised, and someone tried that successfully against his iCloud account.
The bigger issue, as someone else has said, is putting so much remote control behind a single point of security.
The strength of the password is relevant in the scenario where the password was actually brute-forced through an interface. If it was jesus01 (or something else common - typically religious), then it may be an easy hack for the hacker.
iCloud would surely block consecutive, failed login attempts. From the post, reading years and years, opens up the possibility that it may have been something the hacker was following for some time. Therefore, he would have been blocked, but may have come back in 1 week to try again.
The possibility is a bit far-fetched, but it exists. The likelihood that this was actually the case is extremely low.
I _strongly_ suspect the iCloud web login will block brute force attempts. What I do wonder though, is if there's some other place an iCloud/AppleID login can be brute forced without appropriate rate limiting? Maybe an IAP API endpoint? Or an in app advertising endpoint? I wonder if the "check whether an IAP succeeded" API that the "just redirect you dns to my server and add my root cert" "exploit" uses is failing to block brute force attempts?
Even if iCloud allowed 10 failed logins before locking out for an hour, every hour, every day for seven years, that would still only let you crack a 4 digit lowercase-alphanumeric password. I'd be willing to bet that either the attacker took the password from something or that 'alphanumeric' is a misleadingly good description for the password.
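Putting numbers on the comments above: here is an added example (mine, not from the thread) that computes the online guess budget under a lockout policy and implements the per-account throttle such a policy needs. The "10 failures, then one hour lock, for seven years" figures are the ones from the comment; the 36-symbol lowercase-alphanumeric alphabet is the one the earlier 36^7 estimate used. On those inputs the budget is 613,200 guesses, which covers every 3-character password and roughly a third of the 4-character space, and a vanishing fraction of the 7-character one.

```python
def guesses_under_lockout(attempts_per_lock: int, lock_seconds: int, duration_seconds: int) -> int:
    """Upper bound on online guesses against ONE account when the server permits
    `attempts_per_lock` failures and then locks the account for `lock_seconds`."""
    return attempts_per_lock * (duration_seconds // lock_seconds)


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def longest_fully_searchable(alphabet_size: int, guesses: int) -> int:
    """Largest password length whose entire keyspace fits inside the guess budget."""
    length = 0
    while alphabet_size ** (length + 1) <= guesses:
        length += 1
    return length


def fraction_searched(alphabet_size: int, length: int, guesses: int) -> float:
    return min(1.0, guesses / keyspace(alphabet_size, length))


class LoginThrottle:
    """Per-account lockout: after `max_failures` bad attempts the account is locked for
    `lock_seconds`; a successful login clears the failure counter.
    Check is_locked() before doing the (deliberately slow) password hash."""

    def __init__(self, max_failures: int = 10, lock_seconds: int = 3600):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self._failures = {}      # account -> consecutive failures
        self._locked_until = {}  # account -> unix time the lock expires

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0.0) > now

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Record the outcome of a login attempt; returns 'locked', 'ok' or 'failed'.
        A locked account is refused even if the password happened to be right."""
        if self.is_locked(account, now):
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds
            self._failures.pop(account, None)
        else:
            self._failures[account] = count
        return "failed"


if __name__ == "__main__":
    seven_years = 7 * 365 * 24 * 3600
    budget = guesses_under_lockout(10, 3600, seven_years)
    print("guess budget:", budget)
    print("fully searchable length:", longest_fully_searchable(36, budget))
    print("fraction of 7-char space:", fraction_searched(36, 7, budget))
```

Per-account locking alone still lets an attacker spray one common password across many accounts, so a real deployment pairs it with per-source-IP limits and alerting on failure volume; the throttle above is the account half of that.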
The issue I have is that in this case, your AppleID is (normally, by default) the ID you use for everything Apple related - including the iTunes Store.
I really have problems typing long 20 character passwords comprised of every kind of symbol on the iPhone keyboard. It was annoying enough trying to type my Twitter and FB passwords correctly the first time. To type that every time I want to update my applications for free, is not a nice experience for me.
This means someone could wipe my iPod remotely, but I would note that I don't have (use?) any kind of Apple controlled email, so the impact for me would be limited to my card being charged for iTunes purchases.
> Well, if you will put complete remote control of all your devices behind a single, weak password.....
From the post:
> My password was a 7 digit alphanumeric that I didn’t use elsewhere.*
It sucks, but when you've got control of someone's iCloud account (email, and remote wipe of presumably their primary devices), you've put them in a tight spot. One of the many reasons that I use iCloud for my phone and iPad, but certainly not my primary machines (or email).
On your primary machines, you should have at least some form of local backup. I'm using Time Machine with a network drive. If my primary machine fails or gets wiped (whether I did it myself or someone obtained my iCloud password), I can still recover everything from the backup.
Every machine we have has local backup in the form of a sizable external USB drive. Some also backup to a network drive. Windows and Mac. With dozens of machines it is hard to justify paying for remote backup. Although, every time I say or think this I also think: fire, theft, earthquake. I wish there were a reasonably priced multi-machine remote backup service at an affordable price with storage measured in terabytes. One hundred gigs doesn't even begin to scratch the surface.
My wife recently started using this. She wanted to have another source backing up her photography (being a photographer and all...), and this was highly recommended by all her friends with expensive cameras and even more expensive lenses.
I was shocked, mostly because the price was fairly inexpensive, and her lot love to spend lots of money on small things.
Like was suggested earlier, Crashplan. It can do both local and remote backup, and remote backup to multiple locations if you know other people who also run it and have free space for you to use. Home plan is multi-machine unlimited; however, in practice, I only use about 800GB or so.
I checked out CrashPlan+ and it looks good, except that I am having trouble finding their definition of "personal data". It says that CrashPlan+ is licensed for "personal data" but I am not sure what this means.
Very well written story and also very educational on the faith people put in cloud backups. Even if you have a cloud backup/synchronised copy it is still worth popping over to your mum's or a good friend's with some burned DVDs or an external USB drive (if you have two you can swap them every time you visit). This approach is good as a cheap offsite backup and also social at the same time.
As for linked accounts, that again is another education many of us have probably overlooked and I would say if you do have a 2-factor facility that uses SMS, maybe think about digging out an old phone and getting a PAYG SIM with a token credit and using that number. But security is a never ending drive bordering on paranoia and in that you do what is enough to help you sleep at night after reading the article.
Don't think I have seen an article doing a test on how easy it is to recover a hacked account and how long it takes. I certainly have never seen any speed comparisons, nor consumer reviews in that area. Anybody know of any at all?
Unfortunately, my AppleID password is one I _do_ need to remember - I need to use it often, and in places that 1Password won't auto fill. At least: the iCloud website login, various iDevices when using app store, and iTunes on several machines (all on the home sharing network). The alternative seems to be to have all those devices "remember" my AppleID password, which seems like a security lose.
A random string of characters in a wallet doesn't have a lot of value. Of course, don't write down what that string is for, and make sure you have another copy at home. If you are really concerned, leave off the first character of your password and remember that.
The truth is that 2-factor authentication is the real solution. But one has to make do with imperfect solutions.
Writing your password / passphrase down allows you to choose a good, strong password. You do not give anything that links that password to a particular service.
Most people will only need to refer to the written password for a week or so, and then they will remember it.
You put the piece of paper in the wallet because you want people to treat it like a 50 dollar bill. People leave bits of paper anywhere, but they don't leave 50 dollar bills everywhere.
It is baffling to me that authenticating to computers, software, and services is still so weirdly broken. Especially since there is now billions of dollars involved in it.
I know that you're not suggesting that people should reuse one password across multiple services. In your model:
1) I have to lose my wallet and
2) Not change my password and
3) You have to know my login email address and
4) You have to find which service the email and password work for
...and all of these have to happen in the time between setting a new strong password and learning that strong password. Because when you've learnt the pass you stop carrying it around.
If you lose your wallet there's a bunch of stuff you need to do. You need to cancel your cards, for example. Keeping a single password in there (for the short time it takes you to remember it) means that there is one more step added - you need to change that password.
You're also failing to do a sensible risk analysis. The threat model for passwords is "hackers, anywhere in the world". The Venn diagram of that very big set has a teeny tiny intersection with the much smaller set of "people who have access to my wallet if I happen to lose it".
Writing down a good password means that you get to use a good password. You get to choose a properly strong password, with many characters of mixed case including numbers and specials; or a 6 word passphrase.
If you label the passwords you're probably doing it wrong. If someone pulls out a piece of paper that says "QWhXnLv0qzi1h1m" out of my wallet, how are they going to use it?
If you're worried about someone stealing it, just shift the password over, so it's now "mQWhXnLv0qzi1h1 > 1" on paper.
Any tech savvy person knows that has a strong possibility of being a password. Grab an ID, google "your name gmail", log in.
The kind of weak encrypting scheme you can remember is easily defeatable, this is still very vulnerable even if you leave one or two letters off (which you'll have to remember in addition to the scheme). So, going back to the parent, no, this isn't safer than a password in your head.
But this isn't the password for gmail. This is the password for the password manager account. So you need to know the password manager they are using and the username to match with the password. They have to find this out within the time that we've realised we have lost our wallet and are changing the password.
Obviously this is still less secure than no password in the wallet at all, but I don't think it's "very vulnerable" as you are claiming.
Having a 20-30 character long password is fairly easy; it may not be 100% random, but (correct me if I'm wrong) a password that long with just a handful of random extra letters and numbers is going to be rather easy to remember and probably going to be just as hard to brute-force.
You have to be careful when adding some random characters, because most cracking software includes dictionary mangling options.
Thus, option 0ption opt1on etc all get mangled into a wordlist, while )*&HD@IHU don't. Yes, it still increases difficulty, and they are much easier to remember, but people need to be careful.
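The "mangling" the comment above refers to is worth seeing from the defender's side: a password-policy check that undoes the common substitutions and strips appended digits and symbols before looking the result up in a wordlist. This is an added example written for this thread, not code from any cracking tool or from the commenter; the substitution table, the variant cap and the five-word `WORDS` list in the test are constructed for illustration, and a real check would load a full dictionary.

```python
import itertools
import re
from typing import Optional, Set

# Substitutions that rule-based crackers routinely undo. Ambiguous symbols map to several letters.
LEET_TO_LETTERS = {
    "4": "a", "@": "a", "8": "b", "3": "e", "6": "g", "1": "il", "!": "il", "|": "il",
    "0": "o", "5": "s", "$": "s", "7": "t", "+": "t", "2": "z",
}
MAX_VARIANTS = 256  # assumed cap so a long symbol-heavy string cannot explode the expansion


def demangle_variants(candidate: str) -> Set[str]:
    """Every lowercase spelling the candidate could be a leet-style mangling of.
    Each substitutable character is tried both as its letter(s) and unchanged, so that
    trailing digits such as the '01' in 'jesus01' survive to be stripped by core_word()."""
    choices = []
    for ch in candidate.lower():
        letters = LEET_TO_LETTERS.get(ch)
        choices.append(tuple(letters) + (ch,) if letters else (ch,))
    return {"".join(combo)
            for combo in itertools.islice(itertools.product(*choices), MAX_VARIANTS)}


def core_word(variant: str) -> Optional[str]:
    """Return the single run of letters after removing leading/trailing digits and symbols
    ('jesus01' -> 'jesus', '!option99' -> 'option'); None if letters are interrupted."""
    m = re.fullmatch(r"[^a-z]*([a-z]+)[^a-z]*", variant)
    return m.group(1) if m else None


def is_mangled_dictionary_word(candidate: str, wordlist: Set[str]) -> bool:
    """True if the candidate is a dictionary word dressed up with substitutions/affixes."""
    for variant in demangle_variants(candidate):
        word = core_word(variant)
        if word is not None and word in wordlist:
            return True
    return False


def check_password(candidate: str, wordlist: Set[str], min_length: int = 12) -> str:
    """Policy verdict a signup form could show: 'ok' or the reason for rejection."""
    if len(candidate) < min_length:
        return "too short"
    if is_mangled_dictionary_word(candidate, wordlist):
        return "dictionary word with substitutions"
    return "ok"
```

The check deliberately expands ambiguous characters both ways ("1" as "i" or "l"), which is what lets "opt1on" match "option" while a random string such as the wallet example earlier in the thread passes.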
Software: Don't install shit you don't trust. Don't trust shit you can't verify.
This one is pretty tricky. There's a lot of little tools out there that I find invaluable, and haven't screwed me over yet (as far as I know), but fall firmly in the "downloaded it off someone's little personal website" category.
I'd say we need better fine-grained permission systems for software, so people can install programs without needing to trust them, safe in the knowledge that they'll get the opportunity to deny any malicious behaviour before it actually happens.
That's what the Mac App Store is starting to do, but unfortunately, it's "completely sandboxed in the store" or "not in the store". I'd like a model that started completely sandboxed but let me choose if I want to let it out of the sandbox in certain, well-monitored cases.
let me choose if I want to let it out of the sandbox in certain, well-monitored cases
That's exactly what I mean. I envisage something kinda like Windows 7's UAC dialogs, but more specific than "this program wants root! [allow] [deny]" -- more along the lines of "this program wants to install a driver / write to such-and-such protected files (its own program folder/anywhere in Program Files/the Windows folder/...) / low-level disk access / to run at startup / etcetc [allow] [deny]".
Actually, I'd specifically forbid "all permissions" as an option; an enumeration of every permission a program wants would make the user more likely to notice unreasonable requests than a single item would, even if that single item's actually "everything". I get the impression, from seeing ordinary users dealing with UAC, that they don't usually appreciate quite how much power they're giving programs when they hit "allow".
I believe that's similar to what SELinux does, although I've never used it beyond observing its presence on university-owned computers.
That's what Apple's shooting for with the App Store's sandboxing requirements, but I'm sure the typical HNer will continue to have a few programs that need to operate outside the limited entitlements that the App Store allows. Still, it'll be better to have a single digit count of those on your computer instead of anything being able to erase your home folder without asking.
CrashPlan has swooped in and knocked every cloud backup system I previously used to use out of contention.
They've made an awesome product and they provide it at an awesome price.
Previously, I was a user and big proponent of Jungle Disk, but that product has become all but completely abandoned since being gobbled up by Rackspace. (I love how their solution to comments about going radio silent and not updating their blog in over a year was to just take the blog down and put up a "The Jungle Disk blog is currently unavailable" message, as if the blog were just temporarily offline. One of their last blog posts was a "Future of JungleDisk" post, outlining tons of features that, 16 months later, were nowhere to be seen).
I had been recommending Carbonite to friends and family for an easy-for-normal-people backup solution, but their performance falls short of CrashPlan, and their heinous near-silent default exclusion of video files from backups would have led to serious tears if we had ever actually needed to restore from backup. (Automatic backing up of video files is reserved as a feature for the new $150/yr HomePremier plan - which at least now makes this fact somewhat visible. Previously, there was damn little to indicate that this exclusion was happening). That made Carbonite something much less than the "set it and forget it" backup for my non-technical friends and family that it was supposed to be.
CrashPlan is nice and friendly, has no hidden "gotchas" that I have found yet, and has a great PRO service as well. The client GUI can even be made to connect to the daemon on a headless server through an SSH tunnel, just with a simple change in port number in the config and forwarding the remote port through the tunnel.
I absolutely love CrashPlan, but it is only friendly if you never need to change the backup selection. It gets tough when you want to deselect just the right folders to avoid spamming your backup destinations with useless crap like Xcode docsets and Safari caches.
Crashplan does not require you to use its cloud storage, FWIW.
And after you've logged in to Crashplan, it's not clear to me that you can do a whole lot of damage via the website; the password used to encrypt your data is specified on the client side, and there is no reset mechanism for it. I mean, they could update the credit card settings, or modify the configuration options like excluded directories or send rates, but not a whole lot else.
You can configure CrashPlan to encrypt your archives such that you must have your password to decrypt them. There's a big warning that if you lose your password you're screwed.
Also, you can just specify your own encryption key. Everything is encrypted locally.
I haven't tried Crashplan, but I recommend either Backblaze or SpiderOak. I used SpiderOak in the past when I had both a Windows and a Linux PC I needed to keep backed up, but now that I have one Windows PC I use Backblaze.
Backblaze really shines if you have a single Windows or OS X PC with a lot of data. For $50/year, it will allow you to backup unlimited data for a single computer. As far as I know there is no student discount.
SpiderOak really shines if you have multiple Windows, OS X or Linux PCs with a small amount of data between them. For $100/year, it will allow you to store up to 100GB of data between as many computers as you want to back up. If you're a student, it will only cost $50/year.
Crashplan has a home plan that lets you back up unlimited data for all your machines. It works on Windows, OS X, Linux and Solaris, which is great for me; I back up all my machines to both the cloud and my Nexenta/Solaris NAS, as well as backing up the NAS. In fact, if you know other people who have lots of storage, you don't have to pay for Crashplan at all; you can back up to them, with encrypted data.
Custom backups using Duplicity+GPG to multiple clouds. Wuala[1] if you want something working out of the box. I have 18.5 GB of free storage just from coupons found with little Googling[2].
"Wuala is completely private and secure. When you store a file in Wuala, the file [..]gets encrypted before it leaves your computer. [..]Your own password is very important here: it never leaves your computer, so we do not know it. Hence, not even we can access your data."
"Currently not. Opening the source code of Wuala would consume quite some time and effort, and commitment to maintain it. If you are a software engineer and would like to see how Wuala works, feel free to apply for a job at Wuala."
It would be trivially easy for them to hide a backdoor and/or leak data in their closed-source code. So at the end of the day, the message is "Trust us." So what purpose does the client-side encryption serve? Empty marketing. At best, it makes it _slightly_ harder for them to read your files.
Tarsnap (www.tarsnap.com), which does have client source code available, doesn't suffer from this problem. Unfortunately it's a fair bit more expensive.
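To make the client-side encryption model under discussion concrete, here is an added example (mine, not Wuala's, Tarsnap's or CrashPlan's code) of what "the password never leaves your computer" looks like in practice: one slow KDF pass on the client yields an encryption key, a MAC key and a separate login token, and only the login token is ever sent to the provider. Assumptions: the PBKDF2 round count, the key split, and an HMAC-SHA256 counter-mode keystream used as a stdlib-only stand-in for AES (real tools use AES; the encrypt-then-MAC structure is the point, not the primitive).

```python
import hashlib
import hmac
import os
import struct

KDF_ROUNDS = 200_000  # assumed work factor for the example


def derive_keys(password: str, salt: bytes) -> dict:
    """One KDF pass, three independent secrets. Only `login_token` ever leaves the client."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS, dklen=96)
    return {"enc_key": material[:32], "mac_key": material[32:64], "login_token": material[64:]}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR; not for production)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(keys: dict, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag computed over nonce+ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    stream = _keystream(keys["enc_key"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac_key"], nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(keys: dict, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong password or tampering both fail here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac_key"], nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: tampered blob or wrong password")
    stream = _keystream(keys["enc_key"], nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def decrypts_cleanly(keys: dict, blob: bytes) -> bool:
    try:
        decrypt_blob(keys, blob)
        return True
    except ValueError:
        return False


class StorageServer:
    """Everything the provider holds: a hash of each login token and opaque blobs.
    Nothing here can be turned into enc_key, so neither an insider nor a subpoena
    for 'data you possess' yields plaintext."""

    def __init__(self):
        self.users = {}
        self.blobs = {}

    def register(self, user: str, login_token: bytes) -> None:
        self.users[user] = hashlib.sha256(login_token).digest()

    def login(self, user: str, login_token: bytes) -> bool:
        return hmac.compare_digest(self.users[user], hashlib.sha256(login_token).digest())

    def upload(self, user: str, name: str, blob: bytes) -> None:
        self.blobs[(user, name)] = blob

    def download(self, user: str, name: str) -> bytes:
        return self.blobs[(user, name)]
```

What this does not solve is the trust question raised above: the client binary still has to be the one that does this, which is why the open-source point matters.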
I'm Luzius Meisser, cofounder of Wuala. Yes, some trust in Wuala is still required, namely trusting us that we won't put a backdoor into the client. Much more trust is required in services without client-side encryption. Adding a backdoor would ruin our reputation once someone found out, while companies like Dropbox won't suffer much when they hand over data to a government agency as it is known that they can and will do it. Also, bugs like accidentally disabling the password verification can be ruled out by design with client-side encryption.
Also, please note that laws are often constructed such that companies can be forced to hand over data they possess, however not to collect data they do not possess yet. E.g. there are many laws in many jurisdictions that could be used to force Google to hand over data you have stored in Google Drive, but the same laws cannot be used to force us to add a backdoor to Wuala. So legally, it is much much easier to obtain data stored in Google Drive than to obtain data stored in Wuala (or another service that uses client-side encryption). No one has ever asked us to add a backdoor to Wuala and we would fight against it if someone did.
I agree that it would be nicer to open the source code so our security would be independently verifiable, but claiming that what we do is "empty marketing" is clearly wrong.
Thanks for the reply. I see what you mean and agree there is some difference. Let me put it this way: I would feel confident my Wuala backup is secure from my boss or ex-girlfriend, but not from a hostile government. If I were an activist or otherwise doing something very controversial, I wouldn't trust it. And honestly, that's the same way I feel about Dropbox. It's not the most secure thing around, but as long as I'm just another J. Random Hacker, who cares? So to me there isn't a distinction.
For why not to trust a closed-source system's claims of security, see Skype. If I remember correctly what I have read, they boasted about using "end-to-end encryption", strongly implying that your Skype calls could not be wiretapped. The catch? The encryption keys were stored on the server! And there was a story where someone (a drug smuggler, I think) was busted seemingly as a result of intercepted Skype calls. The misleading claims of security didn't ruin Skype's reputation - people still use it.
I'm glad you replied to my comment as it shows you're at least thinking about these things. I hope you will consider opening your source code in the future. At that point Wuala might be of interest to me.
EU laws give you some protection. Still, this is why I don't use it for backups myself. Their technology is quite good though; it uses a similar snapshot-based model to Tarsnap's and has a very small footprint, considering. Hopefully they will be able to open-source it at some point.
Wuala is great but not recommendable for backups if you care for Mac metadata and an app running silently in the background. I have no idea why Wuala has not implemented these features after all the years. Crashplan is Java-based too and has both features.
I recommend BackBlaze to my friends for the simple reason that it's saved my bacon once, after a laptop theft. I'd have lost years of data otherwise. It also helped me give the police information that resulted in my laptop's physical recovery.
So via your iCloud account someone can remote wipe all your Apple devices? That seems like a questionable design. Does anyone know the rationale behind this? I guess it would be useful to deny access to your data in the case where your device is physically stolen.
Maybe there should be a significant time period (hours?) after a password change where this functionality (and any other data-destruction functionality) is disabled. Or maybe a password change should require you to re-auth every device before data remote deletion features can be used on it.
It's so that you can remote wipe your own devices if you lose them, in case you have sensitive data on them. For example, my employer requires that you enable this feature if you want to get your work email on your phone.
For this one reason alone, I have a pain-in-the-ass long AppleID password - 100+ bits entropy. It's a right pain to setup a new device (or even app) that can't be imaged off an existing backup, but it's worth it.
The most visible consequence was that the entire user DB was compromised and the site rooted. But other consequences were that the hackers had cracked a large number of Gawker staff accounts and even had access to internal emails and chats.
I think it feasible that enough internal info was linked to compromise Gawker's staff for years. Some of them probably thought resetting their gawker.com account was enough, forgetting that that password might have been used elsewhere. Also unclear is how long the hackers were snooping around before the hack was discovered...in that time, they could have downloaded dumps of staff email and gmail accounts.
The upshot: someone out there might have several GB of personal gawker staff info. Ever email your ID number to your own email account? Has anyone ever emailed you credentials that you forgot in the heat of the moment? How many times does your social security number appear in your Gmail, thanks to attached billing/app files that you originated from there?
And remember that the hackers had root access to everything at Gawker, even the site source code. How positive is everyone there (remember that the owner's laughable password is one of the main reasons that Gawker got crushed) that no key-loggers had been secretly installed and have been running all this time? It doesn't even require anything that sophisticated...all it takes is one security-unsavvy staff member...and this is a staff of mostly culture writers...to do something insecure.
I'm not sure if Mat was employed by Gawker all this time but even if he came after the hack, you can see how one massive data breach can have almost permanent implications within an organization.
That said, what an awful incident and thank you to him for writing a thorough account of how he coped...this is a valuable lesson to everyone and I hope they find the punks who did it.
* To underscore my point, I didn't realize that Honan is recently a former Gawker employee. Yet he had enough credentialed access for an outsider to break into Gizmodo's twitter account. I bet Gizmodo didn't think that an amicable departure of an employee was enough to warrant a password change to Twitter...but if his emails contained the password, then it's an easy hack. If I were Gawker, I would change EVERYTHING...not just gizmodo info, but all of its sister Gawker site credentials. They should assume the worst and that someone out there has all of Honan's emails, including every time he might have been emailed credentials in plaintext.
Also, Honan's current employer, Wired, should do the same. Change all the keys.
After hearing how this attacker was able to move from one linked account to the next, ultimately gaining a snow-ball effect of moving through, defacing and wiping your data, from a security standpoint I can't say I'm surprised (of course that doesn't mean I don't feel for you and wish it never happened to you). I've made several avenues available to mitigate these types of effects, none of which involve administration at Twitter like most of the world.
Now I don't mean to insult you, but one basic avenue is two physical, offline & secure back-ups of everything I have on and off of the Cloud... with no connection to any network. I do have to say that it took a little bit of time to realize I did actually have to do this because my reliance on that data crept up like a ninja! And before I knew it I had well over 30 Gigs of data up there in the Cloud, not backed-up.
I actually didn't even know that enabling "find my X" also enabled that remote wipe option. I just disabled it for my MacBook Pro; Undercover is a much better solution anyway: http://www.orbicule.com/undercover/
Do people really think these services are actually much good though?
Sure there are a few amazing stories they use for the marketing campaign, but that's about it.
If you actually lose it (i.e. not stolen) then they work.
Most people that steal them though know exactly what they're doing and how to wipe them properly. Same with mobile phones etc.
I guess something is better than nothing, but really it seems to me they're selling you the same as the dream of winning lotto without mentioning the actual odds.
> When I set it up, years and years ago, that seemed pretty secure at the time.
If you did not change your password in those many years, an attacker had years and years of time to find or crack it. Regularly change your passwords. And use special characters.
It's both better than and worse than it appeared/feared. It turns out it wasn't a password hack, it was a social hack against Apple. Looks like someone recently watched the movie Hackers and wanted to see if that stuff still works. Hint: It still works.
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions. Apple has my Macbook and is trying to recover the data. I’m back in all my accounts that I know I was locked out of. Still trying to figure out where else they were.
The thing I keep thinking about when reading this is how many others, perhaps thousands or more, get hacked like that but don't have his clout? No direct line to Twitter, Google, etc.
Once again another cautionary tale about why you should be paranoid about the security of your devices and accounts.
When securing anything, the best philosophy is to just assume you're going to get hacked and act accordingly. Linking accounts, weak passwords, and no encryption? You're just putting a target on yourself.
Best advice? Keepass, Whole disk encryption and using anonymous information is a good start. Keep your stuff and accounts in separate silos, and stay in the shadows.
When you enable Two-Factor Authentication, they give you the option of printing a "one time pad" with six codes on it. You then print this out and keep it safe somewhere. That way you can get into your account even if your phone and other contact points are compromised.
This won't do you any good if someone has deleted your google accounts or reset the 2FA system, but for more "normal" scenarios it can be a life-saver.
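The comment above describes the printed one-time backup codes that accompany two-factor authentication. The following is an added example, not code from the page or from any vendor, showing how a service can implement such codes: a small batch is generated for the user to print, only a salted hash of each is kept server-side, and each code is accepted exactly once. The eight-digit format, the store class, the function names and the PBKDF2 iteration count are all assumptions made for the illustration.

```python
"""Single-use 2FA backup codes (added example, hypothetical service code)."""
import hashlib
import hmac
import secrets
import string

ALPHABET = string.digits   # assumption: purely numeric codes, easy to read off paper
CODE_LENGTH = 8            # assumption: 8 digits per code
# Assumption: a low PBKDF2 work factor so the example runs quickly; a real
# deployment would pick a much higher count (or Argon2/scrypt).
PBKDF2_ROUNDS = 20_000


def generate_backup_codes(count=6, length=CODE_LENGTH):
    """Return `count` fresh plaintext codes; the user prints these once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length))
            for _ in range(count)]


def _hash_code(code, salt):
    """Salted PBKDF2-HMAC-SHA256 so a leaked table does not reveal codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def _normalise(candidate):
    """Tolerate the spaces or dashes a user may type when copying from paper."""
    return candidate.replace(" ", "").replace("-", "").strip()


class BackupCodeStore:
    """Server-side record of one user's codes: salt + hash + used flag each.

    The plaintext codes never live here; only the user's printout has them.
    """

    def __init__(self, plaintext_codes):
        self._entries = []
        for code in plaintext_codes:
            salt = secrets.token_bytes(16)
            self._entries.append(
                {"salt": salt, "hash": _hash_code(code, salt), "used": False})

    def remaining(self):
        """How many codes are still unused (worth showing in the account UI)."""
        return sum(1 for e in self._entries if not e["used"])

    def redeem(self, candidate):
        """Consume a code.

        Returns True once per valid code; a reused, unknown or malformed
        code returns False.  Every unused entry is checked in constant time
        per entry so a failed attempt reveals nothing about which slot
        matched.
        """
        candidate = _normalise(candidate)
        if len(candidate) != CODE_LENGTH or not candidate.isdigit():
            return False
        for entry in self._entries:
            if entry["used"]:
                continue
            if hmac.compare_digest(entry["hash"],
                                   _hash_code(candidate, entry["salt"])):
                entry["used"] = True      # single use: burn it immediately
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("print and keep safe:", codes)
    print("first use ok:", store.redeem(codes[0]))
    print("second use rejected:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

The important property is in `redeem`: the code is marked used before the call returns, so the same printed code cannot be replayed, and nothing stored server-side lets an attacker who dumps the database log in as the user.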
Probably was hacked through email, then iCloud password recovered through it.
I wish there were a special high security password recovery email mailbox, separate from routine communications mailbox, in apps. Would be really hard to get adopted, and at that point, you might as well push for something better than passwords.
The online backup service advice sounds good but what about the people, like me, who have an upload speed of only 64kb/s? No Backblaze or Crashplan for me... Neither can I upgrade my internet connection.
So what to do? I have two Time Machine backups (one hourly at home and one daily at another place).
I wonder why the article author was (seemingly) targeted? And who else might the criminal be targeting?
Or could this be completely untargeted? That might mean that anyone with a password vulnerability is at risk of having their digital life wiped out. That seems pretty extreme for lulz.
Why would anyone store that much data behind one password? Apple really shouldn't give the ability to remotely destroy all data on multiple devices with a single password.
I love my MacBook and all, but I would never use such a stupidly insecure service.
Wow, who would give a program like "iCloud" access such that it could wipe your mobile, tablet, and PC? I hope the author can recover his data, but it sounds like he set himself up for disaster by linking all his systems so strongly.
In a sense it does. They provide a different random 16-character password for each client that requests access to your data and does not support two-factor.
So if someone hacks your gmail password, they still cannot login via IMAP or POP, as they require a different password (which you shouldn't write down or remember anyway).
This article inspired me to begin using a password manager instead of putting everything in `.netrc`, `getmailrc`, and plaintext passwords everywhere else. Thanks.
Personally I think all web services should be using aliases (so you don't login with the username that other people see) and pass phrases rather than passwords.
Because it shows people the effect that someone getting your iTunes password can have, especially if you've enabled Find my X in your account?
It shows that (maybe) it's possible to brute force an Apple password?
Because it's generally interesting reading, in the same way that people like to rubberneck at car crashes. I'm not saying that's right, but it's human nature.
What? My first comment was sarcastic. When I have my laptop within arm's reach at home the data is safe without relying on a third party. Except when someone installs a backdoor.