Warning about some sort of iCloud "hack"
Just be aware that something has been going on (in Australia and New Zealand so far) which involves people being locked out of their iDevices. I'm not aware of any announcement from Apple yet but it would seem to be good practice to ensure:
your iDevices use lock codes;
you enable two-step verification for your Apple ID;
you change any weak iCloud password to a stronger one, not used on any other site.
I'm sure this is obvious to readers of this forum but I thought I'd mention it. There is a long thread here on the Apple iPhone forum.
I've used the word "hack" very loosely in the title to this thread as at present nobody seems quite sure how this has all happened.
Stephen
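To make the third piece of advice above concrete, here is an added example (not part of the original post, and not an Apple tool) that estimates how much guessing work a candidate Apple ID password represents, flags it if it is also one you use on another site, and generates a replacement from the OS random source. The character-class entropy model, the 60-bit threshold, and the sample "passwords used elsewhere" set are this example's own assumptions.

```python
import math
import secrets
import string

# Constructed sample: passwords the user already uses on other sites
# (e.g. an eBay login). Reusing any of these for iCloud defeats the point
# of changing it. These strings are invented for the example.
PASSWORDS_USED_ELSEWHERE = {"password1", "summer2014", "Tr0ub4dor&3"}


def charset_size(pw):
    """Size of the smallest character class union the password draws from.

    This is a rough model: an attacker who knows the classes used has to
    search len(pw) positions over this many symbols each.
    """
    size = 0
    if any(c.islower() for c in pw):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in pw):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in pw):
        size += len(string.digits)
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def estimated_entropy_bits(pw):
    """Upper-bound guessing entropy under the character-class model above."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def is_weak(pw, min_bits=60.0, known_passwords=PASSWORDS_USED_ELSEWHERE):
    """True if the password is too short/simple or is reused from another site.

    60 bits is an assumed threshold for this example, not a published rule.
    """
    return estimated_entropy_bits(pw) < min_bits or pw in known_passwords


def generate_password(length=20):
    """Generate a fresh password from the OS CSPRNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password1", "Tr0ub4dor&3", "Tr0ub4dor&3xAmple!Long"):
        print(f"{candidate!r}: {estimated_entropy_bits(candidate):.1f} bits,"
              f" weak={is_weak(candidate)}")
    new_pw = generate_password()
    print("suggested replacement:", new_pw, is_weak(new_pw))
```

Note that "Tr0ub4dor&3" scores reasonably on length and character mix but is still rejected, because it is in the reused set; that is the failure mode the eBay breach discussion later in this thread is about.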
Comments
Thank you for mentioning this, @Stephen_C. The details do appear to be vague at this time, but strong, unique passwords are always a good idea. Your advice is solid.
If you have a link with more details, please do post it. For now, this is one of the earlier sources I found:
Australian Apple iDevices hijacked, held to ransom
0 -
There is some sound advice posted here (but nothing more yet about the attack vector):
How to defend against Apple's Oleg Pliss iCloud attack
Stephen
0 -
Here is a further report on zdnet:
iCloud not compromised in Apple ID attack: Apple
Edit: and on The Register:
Oleg Pliss Australian iWare ransom gizmo-snatch OUTRAGE not our FAULT, claims Apple
Stephen
0 -
And from the article in the Register:
Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services.
I think I've heard this before.
0 -
I won't keep adding to this thread but this from Cult of Mac may be interesting to some:
How the iPhone Activation Lock hack works
Stephen
0 -
MacRumors is reporting "Hackers Involved in Locking and Ransoming Apple Devices in Australia Arrested" (similar reports are in other media).
MacRumors says:
"According to Russian site MKRU, the two hackers were caught after appearing on camera withdrawing a victim's ransom money from an ATM. The site also confirms the hackers gained access to Apple IDs and passwords via phishing pages and social engineering techniques, then used that information to lock devices. Russian users were also affected, which led to the investigation.
One method of obtaining login information involved a pre-owned account filled with movies and music that was sold to an unsuspecting victim. Once the person linked their own details with the account, it was vulnerable to being hijacked."
Clearly this does not preclude the possibility of access to iCloud from re-use of login details as one technique (e.g. the same ID and password as on the breached eBay system, http://www.smh.com.au/it-pro/security-it/ebay-hit-by-cyber-attack-urges-users-to-change-passwords-20140521-zrkiu.html), but it does indicate some new aspects that I thought interesting, particularly the "pre-owned account" aspect.
The MacRumors report is at http://www.macrumors.com/2014/06/09/australia-device-hackers-arrested/
MKRU article is at http://www.mk.ru/incident/2014/06/09/kibermoshenniki-shantazhirovali-rossiyan-poluchaya-virtualnyy-dostup-k-ikh-smartfonam-i-planshetam.html
0 -
Very interesting. I guess the moral of the story is that if something (cheap movies, music, apps etc.) seems too good to be true, it probably is. It makes me sad to think someone would pay money for an account from someone else and not change the password and security questions first thing. I think we still have a long way to go in educating the public about account security. :(
0 -
Sometimes I would give a demonstration on discovering people's passwords. I would ask a volunteer to pick a password, and to be sure to pick one that they wouldn't mind me reading out in front of the audience, because I will figure it out and say it.
Once they've picked their password I ask my volunteer to write it down and put it in an envelope I provide and bring that sealed envelope up to me. After they have done so and have sat back down, I open the envelope and read out the password they have written down in there.
The lesson, of course, is that the easiest way to get someone's password is to ask them for it. Phishing is just that.
0