Insights For Success

Strategy, Innovation, Leadership and Security

icloud

iCloud attack was really a phishing attack

General | Edward Kiledjian

Image by Christiaan Cole used under Creative Commons License

Remember the "iCloud hacking" where celebrity photos were stolen and published? Well, the man behind it (aka Celebgate) was convicted of accessing more than 300 iCloud and Gmail accounts (30 of which belonged to real legitimate celebrities). You can read the district attorney brief if interested.

Now this is the story that wasn't... While most media outlets were shocked that Apple would allow hackers to "break into" iCloud accounts and steal pictures, it turns out Apple couldn't have done much. The attack relied on good old-fashioned phishing.

Phishing is the act of faking a popular website or service and tricking users into entering their credentials on the harvesting page.

So iCloud was never compromised, but Apple probably could have done more to detect the unauthorized access and protect its user data.

So the moral of the story is:

  • be extra vigilant about where you use your passwords
  • never re-use the same password for more than one site
  • use complicated (non-dictionary) passwords
  • turn on two-factor authentication

Did iCloud just get hacked?

Technology | Edward Kiledjian

Image by Johan Viirok used under Creative Commons License

Ordinarily, a bad actor would have to steal some of your information before breaking into your 2-factor protected iCloud account. They would need your Apple ID, your password and a 2-factor authentication code (or a digital token stolen from an authenticated device like a laptop or desktop).

Now everyone's favorite Russian purveyor of fine cracking software, Elcomsoft, has a tool called Phone Breaker. This new software requires the aforementioned information but then creates a permanent authentication token, which means the attacker won't have to re-authenticate until you change your password.

It also has a long list of "wonderful" features to make stealing information easier. Sure, law enforcement uses this, but does anyone believe they use it for legal purposes with a warrant or that other more nefarious bad actors won't use it?

Hackers bypass Apple's iCloud and Activation lock for iPhone

Technology | Edward Kiledjian

Apple touts the advanced security features built into its devices and its linked cloud services. One such security feature is Activation Lock, which should prevent a thief from using a stolen iPhone that is locked.

A Dutch and Moroccan hacker group called "Team DoulCi" is reporting that it has been able to bypass Apple's Activation Lock control.

De Telegraaf, a Dutch news organization, claims the group was able to buy locked iPhones and unlock them. Thieves can use this hack to resell stolen iPhones for huge profits. To be fair to Apple, I haven't personally verified this group's claims, so I take everything with a grain of salt. Additionally, hacks like this against Apple are rare.

Two other hacker groups, AquaXetine (Dutch) and Merriktechnolog (Moroccan), claim to have unlocked 30,000 devices in just a few days.

The trick is a simple man-in-the-middle attack: the hackers trick the locked devices into believing that the hackers' servers are Apple's activation servers, and those servers instruct the device to unlock. It is conceivable that this type of attack could be used to extract other information from the device, such as synced pictures, calendar, contacts, etc., if the device truly believes it is talking to Apple's iCloud infrastructure.

The hackers claim they disclosed the vulnerability to Apple security in March but the report was never followed up by Apple. The silence is why the hackers went public.

You can check out the original hacker group's website at doulCi.nl. I scanned the website and didn't find any malware or hack attempting to compromise your browser.

Dropbox competing with iCloud

Technology | Edward Kiledjian

Dropbox held its first developer conference and surprised attendees by announcing that they have 175,000,000 users. The real big news is something called the Dropbox Datastore API for developers.

The introduction paragraph in the announcement blog post says:

"Today, we're excited for you to try out the beta release of the Datastore API — simple databases for your apps with Dropbox sync built-in! Use datastores to save your app's data — settings, contacts, or any other content that users create — and Dropbox will take care of all the syncing for you. People who use your Datastore-enabled app can be sure their information will always be up-to-date and available, no matter what device or platform they use."

You would be forgiven if you thought this sounds a lot like iCloud, because it does. It is a direct attack on iCloud but brings many advantages like cross-platform/cross-app synchronization. I am happy when I see companies competing to provide better and more innovative technologies.

I love the concept of Dropbox but find them too expensive. If they cut their prices by 50%, I would sign up in a second.