Apple Support Allowed Hackers Access To User's iCloud Account 266
Robadob writes "Yesterday a hacker gained access to Mat Honan's (An editor at Gizmodo) Apple iCloud account allowing the attacker to reset his iPhone, iPad, and Macbook. The attacker was also able to gain access to Google and Twitter accounts by sending password recovery emails. At the time this was believed to be down to a brute-force attack, however today it has come out that the hacker used social engineering to convince Apple customer support to allow him to bypass the security questions on the account."
Easy to demand more security (Score:5, Insightful)
But understand that it will cause massive unhappiness for the majority of cases where(for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grand-children's emails.
The trouble is that the security appropriate for someone's professional e-mail accounts and security appropriate to the occasional elderly e-mail user are so far apart that having a single policy is guaranteed to serve one of the two market segments very badly.
Re: (Score:2)
Then have optional 2-factor auth. It's not that hard...
Re: (Score:2)
Recovery will still be the weak point.
Parent is on the right track though. You need some way to decide in advance how much of a pain it will be to recover down the road. Personally I'd love an option where they made it very difficult, even if at a cost to myself (like they actually verify my identity.. and charge me $200 for the time..).
Re: (Score:3)
I'd say a modified version of it covers MOST scenarios. I mean they already use locationbased patterning to discover illicit use of your credit card... If you've made purchases in NY on a wednesday morning, it's unlikely you're suddenly trying to empty your accounts in Singapore a few hours later. These people have use-logs already, so it would be trivial to throw up an automated red flag if a password reset request comes from a strange place.
As for covering the rest of the cases, well... the red flag has b
Re:Easy to demand more security (Score:4, Informative)
Re:Easy to demand more security (Score:5, Informative)
Actually, it's entirely possible she could, because Apple's iCloud makes it that easy.
Re: (Score:2)
Why not?
Gain access to my email and you got at least 5 years worth of data to plow through, you should be able to figure out what sites I'm using and get password resets on most of them - and it's indexed by Google to make life easier for hackers.
On top of that, even the sites that require more information, you would probably be able to get through my mail account.
Re: (Score:3)
Re: (Score:2)
I don't see that massive unhappiness when banking security locks people accounts or any other measure taken when suspicious activities are detected.
On the other hand, I don't see someone of a Bank's help desk doing such mistake neither.
On the long run, you really gets what you paid for.
Re:Easy to demand more security (Score:5, Interesting)
Funny, I just read a story about how HSBC had basically locked a young women's college fund (~$10K) away until she personally visits their offices in Great Britian along with appropriate documentation. (They closed the branches in her country...) It will cost her half the money (and a week's wages) to go and collect it.
So, not *everybody* is happy with a bank making absolutely sure that they don't give it to the wrong people :-).
Re: (Score:2)
I'm just amazed that there is no two-factor authentication for remotely wiping devices.
Re:Easy to demand more security (Score:5, Interesting)
But understand that it will cause massive unhappiness for the majority of cases where(for example) one's 75 year-old grandmother, who has forgotten her password and can't figure out how she phrased the answer to the security question, is about to permanently lose access to the last 5 years of her grand-children's emails.
This is a problem that bites both ends. Consider this real-world scenario that happened to me last week:
I work for a senior care organization. One of our resident, a cheerful 92-year-old woman, uses her AT&T email frequently to communicate with family and friends; she's fairly savvy, actually. However, she is starting to suffer from cognitive problems, which have caused her to forget her password. When we tried to reset her password and walked through security questions, she's also having trouble remembering the answers to those questions. We called AT&T and explained the situation, but they understandably (and rightfully) treated our request as a hostile attempt to access the account and would not help us.
She's the legitimate owner of her account -- how can she be helped? This may seem like an extreme situation, but these problems will only increase as we all continue our digital lives and begin to age.
Password and account verification is a difficult problem to solve. If there's a silver bullet, I haven't heard of it yet.
Re:Easy to demand more security (Score:4, Insightful)
Yeah, because people blaming others for their own mistakes was invented in 1963.
Re: (Score:2)
Weak security questions (Score:4, Insightful)
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Re:Weak security questions (Score:5, Informative)
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
"What was the name of your Elementary School?" I sometimes talk about my childhood; people might know this.
Really, it's like they're asking for accounts to be hacked. There needs to be more preventing a password reset than weak "security questions".
Perhaps you should go back and read the article (just the summary will do): the "hacker" socially engineered an Apple support "engineer" to bypass the security questions. So he did not even need to google them.
Re: (Score:3)
So far the quote "They got in via Apple tech support and some clever social engineering that let them bypass security questions." is the only bit of information. It's hard to say what is covered under "clever social engineering" or "bypass" without more details. Did the hacker just do an incredible job of fast talking or is this a case where "clever social engineering" means they dug up security question answers that the author (and tech support) figured were un-discoverable?
Re: (Score:3)
And this report is coming from someone associated with Gizmodo.
This whole report could be staged.
Re: (Score:3)
It's hard to say what is covered under "clever social engineering" or "bypass" without more details
But you can do some educated guess. 99% of the time, the victim of the scam claims the intellectual superiority of the scam to disguise the intellectual inferiority of themselves.
Paint the perpetrator as a genius, and perhaps people will not figure out how actually stupid you were.
Smells conspicuously like... (Score:2)
Re: (Score:3)
What, do you think they verify if your answer is factually correct?
A person could find out what school you went to, while no one but you is going to know you put in "The Napoleonic Wars" as the acceptable response.
Re: (Score:2)
You don't have to use the real answer to these questions. Its just another password, but one with a hint.
Now that I am thinking of it, time to change all the security questions to the same hard to guess answer.
Re: (Score:2)
I actually use completely unrelated responses to these question and store them in a password manager as well. Of course with a password manager, they're never really needed.
Re: (Score:2)
I actually use completely unrelated responses to these question and store them in a password manager as well. Of course with a password manager, they're never really needed.
Some sites ask for security questions when they detect no cookie.
Re: (Score:3)
I did that on my online banking once, and then they changed their banking systems to randomly challenge you with those questions when attempting a transaction. I ended up locked out of my accounts in no time flat.
Re: (Score:2)
Re: (Score:3)
True that, but some sites let you define questions. "Street your best friend lived on when she was twelve plus last name of her then-crush." My sister can't guess these. (Ofc her memory's shot to shit from opiates but w/e).
Re: (Score:2)
Never answer the question accurately. Instead, use the question as a hint for your real answer. If it asks for the name of your elementary school, try to pick out something of interest like a fond memory or fact regarding the school that you don't blab to everyone, for example.
However, this has little to do with the article at hand. The question was completely bypassed without needing an answer. Apple just let him right in.
Re: (Score:2)
Just use a password safe, and generate passwords to use as the answers to those questions. You could have a special password file which contains all the answers, in case your primary password file is corrupted.
You can put anything in those fields. It doesn't have to be the actual answer. It doesn't even have to be words.
Re: (Score:3)
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
I'm more pissed by the fact that the questions *can't be changed* and everyone asks the same ones. Seriously, how is it possible that both my bank and a torrent site make me tell them the name of the first school?
Questions must be user defined (a fucking string) instead of coming from a list of the same 5 or 6 questions that everyone asks.
Plus some of them just don't apply worldwide. The 'maiden name' of a mother may be something not trivial in the US, but in many countries the wife never changes her
Re:Weak security questions (Score:5, Informative)
This is why I hate it when "security questions" are obvious things that anyone who knows me even slightly can figure out easily.
"What was the name of your first pet?" Hell you can find that with Google.
If it's so easy, kindly tell me my first pet's name, my date of birth, the city I was born in, the make of the first car I drove, my first school's name, my mother's maiden name, and the answer (or even question) to my 'other' security question? Keep in mind these need to be formatted exactly as I have entered them, and not as you may have copied them from a public record.
Security questions are plenty secure, as long as you don't have a path to just avoid them entirely, as Apple so kindly provided here.
Re: (Score:2)
I was born in "ew0M-?6IMpZr". At least, that's what my password generator told me this time. It'll tell me something different for the next website I create an account on.
Re: (Score:2)
Which is another problem these days.
Re: (Score:3)
Why do you have to answer the questions with the correct answers? As long as you remember how you answered them, it doesn't matter if the answers are actually correct. Your first pet could be George W. Bush. Your elementary school could be Starfleet Academy.
Re: (Score:2)
If my first pet was a goat, I think 'George W. Bush' would be the perfect name for it.
Re: (Score:2)
Wanna make a bet on that?
Re: (Score:2)
Would Apple be liable for the damages? (Score:3)
Re: (Score:3)
Re: (Score:2)
Until, of course, he's hacked again.
then he'll have two new idevices!
Can happen in many different scenarios (Score:2)
A neighbor had a similar problem several years ago - but that was with her bank account. Someone convinced the online support person to help her and as a result she lost the contents of her checking and savings accounts. No, the bank did not refund the money.
All this shows is that if a hacker knows enough about you to convince someone else that they are you, you can lose a great deal. This guy should count himself lucky.
It's a very fine line between providing good customer support and helping them, and b
Re: (Score:3)
Did she try suing the bank? I can't imagine what judge would seriously allow the bank to get away with that if it were through no fault of her own.
Re: (Score:2)
Honestly, his neighbor sounds like my neighbor.
My neighbor is not a native English speaker, he doesn't read English very well, and he's the least likely to fight back when somebody scams him because on one hand he doesn't know it's even possible to fight back and on the other hand he doesn't have a good support network (unless you count me, and personally, I'm not too keen on doing his paperwork for him).
Re: (Score:2)
A friend of mine once forgot his wallet, needed money, so went to a branch of his bank near my place. He convinced them to give him a couple of hundred bucks from his account even though he had no ID. He got the money, and them yelled at them for giving it to him ... a bit rude, but I can understand his concern. People are very easy to talk into things. Nice people feel like dicks for turning down a perfectly reasonable request from a 'nice' person.
Re: (Score:2)
I had something similar happen. My spouse's ex transferred my car insurance to another car. I only found out by accident because I just happened to make an inquiry a few days later and the phone person started talking about an entirely different car.
It's unfortunate, but companies in general are going to have to start using better security, and consumers are just going to have to suck that up. If your life can be ruined by one wayward phone call, then there is simply no choice in the matter. It must be
Too much stuff in one place. (Score:5, Insightful)
Had the user set up Two Factor authentication, his Google stuff probably would have been safe"
As for 2 factor authentication preventing this, it would have kept my google account from being deleted, and probably kept them off of my Twitter feed, but it wouldn’t have prevented my Macbook from being wiped. That, which is the worst effect of all this so far, was possible as soon as they were able to log into iCloud. Nonetheless, I’m setting it up on my Google account once I have access to it again.
As for all his devices being wiped by one single hack, relying on a single point of security, makes for a single point of failure.
I'm not sure I would have chosen this route even if I was a total Apple fan joined at the hip to iCloud.
Apple support has some serious 'splaining to do. But this is likely to happen again, probably not for a while, but any time you are tied so closely
to one single point of security.
And what would he have done if he was just Joe Corporate Drone?
He and Gawker’s Scott Kidder then got on the phone with contacts at Google and Twitter trying to help me put the brakes on. A friend at Twitter helped expedite the request to suspend the account, which stopped the tweeting.
Seriously? contacts at Google and Twitter?
1) very few people have that kind of contacts.
2) didn't those two companies just violate their own security standards by helping this guy kill accounts he couldn't prove were his??
Re: (Score:2)
I agree; never heard of this guy and he has who-you-know power at those two places...I smell fish and not of the pleasant filet kind.
Re: (Score:2)
That you never head of him means nothing.
Google Him. The story is everywhere.
Apparently a lot of people know him. And some of those guys reached into Google and Twitter for him. And Google and Twitter RESPONDED!!!
Could you do that?
My answers.. (Score:3)
Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay
First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh
City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&
Re:My answers.. (Score:5, Insightful)
Quick, now, without cut and paste could you please enter those again?
No.
Though not.
Fail.
Re: (Score:2)
Re: (Score:2)
If you never forget your password, why do you need to enter them again?
Maybe because you got hacked?
You did read this story didn't you?
Re:My answers.. (Score:4, Funny)
Sure, just read that string over a the phone to a tech support operator in India some time, moron.
Re: (Score:2)
The GP is on the right lines though. Just lie and make up a name rather than using the real one. You have to remember which lies to told to whom, but it does an excellent job of thwarting identity theft.
Re: (Score:2)
You must be Icelandic!
Re:My answers.. (Score:5, Funny)
Mothers maiden name: sdfioufjhisej8()U*(yu980H(u*&a&*(ay
First pets name: sfjgksrl8kjdgjoijOIU*(U*&^&Tiuhkjlmkjniuhi8hiuh
City born in: KJNBJKNJKN(&*(&*Y*(njklKNLNLKJ8IJOkijYJ Nkj nTFe44esijaiojT^&*%*&*T(&
I see you are Welsh.
The problem is... (Score:2)
You cannot stop a successful social engineering attack. Technology cannot solve a problem like this. Only a change in policy can.
Oh for the love of... EDITORS, please EDIT! (Score:5, Informative)
Yesterday a hacker gained access to Mat Honans...
Let me introduce to you to Mr Apostrophe [wikipedia.org].
(An editor at gizmodo)
(an editor at Gizmodo)
allowing him... He was also able...
No. Use "the hacker," firstly because it's otherwise ambiguous with respect to Honan's name, secondly because the hacker's gender is unknown (yes, "he" is the gender non-specific pronoun, but this works better.)
apple iCloud account... google and twitter accounts... apple customer support
Apple, Google and Twitter (and Gizmodo, above) should all be capitalised.
down to a brute force attack, however today it has come out
A semi-colon would be preferable to a comma, but I'll admit this is a pretty minor one compared to the rest.
Seriously, what the hell? I know we all have a good joke about the editors' incompetence, but this is a new low.
Re: (Score:2)
Thank you. Please keep those posts coming.
I may not be one of the editors, but I find myself making some of the same mistakes the editor made.
Re:Oh for the love of... EDITORS, please EDIT! (Score:4, Funny)
I may not be one of the editors, but I find myself making some of the same mistakes the editor made.
Which is fine, since your job title probably doesn't include the word 'editor'.
...and a correction about Mat's employment. (Score:4, Interesting)
(an editor at Gizmodo)
And furthermore, Mat Honan works for Wired, not Gizmodo [twitter.com].
Such resets SHOULD be possible, but HARD (Score:5, Insightful)
My bank will mail me a new temporary computer login if I ask. Yes, I have to wait for it to arrive through the post office.
Apple could have said "Okay, we'll snail-mail you a temporary password to an address we can verify against information we already have on file, such as a credit card number, product-warranty-registraiton-information, etc.," or,
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
That would've at least made sure the crook would have to commit more crimes along the way, likely intimidating him. It would've also made it much more likely that the police would be able to put a face to one of the crooks.
Re:Such resets SHOULD be possible, but HARD (Score:5, Insightful)
"Okay, you are in a hurry, we understand that. We will give you half of your temporary password over the phone and fax the other half to your nearest Apple Store or Notary Public. Bring your drivers' license or passport with you. If you use a Notary, they will charge a fee which you will have to pay."
"Listen I'm in Istanbul (or where ever), I've just been robbed. They took everything, including my wallet!!! I don't know if there is an Apple Store around here. Please help me mitigate the damage before they get access to my emails and my bank accounts through my iPad (I was in the middle of using my iPad so the screen wasn't locked). "
Now, I'm not saying this is the script they used, most likely not. I'm sure the hacker used a much better one, probably one that's based on the hard-earned experience and real world testing of thousands of other hackers and scam artists that came before him.
I'm just saying that it takes excellent ongoing training to make sure none of your staff gets bamboozled by this kind of scenario. Hard coded corporate rules and security manuals are all well and good for 99% of the scenarios that come up during the normal course of business hours. But what happens if someone tells you a very plausible story and tells you they could very well die if you don't give them access to their account. Most likely that scenario is not listed in your security manual, and the manual prevents you from disclosing their account information, but it's not the first time, nor the last time, that a customer service representative will ignore the poorly written manual that came from above, and use their own personal judgement to make a quick decision on the spot for the perceived welfare of the caller.
Apple's revenge (Score:2)
sounds personal (Score:2)
the sheer destructive/malicious -ness of this attack makes it sound very personal (either something against the user or Gizmodo - the compromise gave access to Gizmodo's Twitter feed).
you can't execute a social engineering attack without knowing something about the user.... some random attacker might have been able to get enough info from past his blog posts to launch the attack, but this smells more personal. Apple uses out of wallet info for their security questions - the whole point of OOO is asking ques
Remote wipe? (Score:2)
And no backups because the "Cloud" is the backup, right? HAHAHAHA. This is beyond stupid. Seriously.
If the best Apple can come up with against device theft is the ability to remotely wipe them, then their customer base deserves everything they get. Personal responsibility needs to be burned into those morons with pain. Lots of pain. Maybe then they'll pay attention to what the fuck they are
Is it too hard to read the summary? (Score:5, Funny)
Reading the article is hard, I know. But come on, at LEAST read to the end of the summary.
Re: (Score:2)
I actually did (well, yesterday). I seem to remember him saying the only thing that would have survived the attack was his Google account ... if he'd enabled 2 factor. Of course, if his phone was wiped, he still would have been in trouble.
Re: (Score:3)
I actually did (well, yesterday). I seem to remember him saying the only thing that would have survived the attack was his Google account ... if he'd enabled 2 factor. Of course, if his phone was wiped, he still would have been in trouble.
With Google's two factor authentication you also have the option of printing a set of verification codes for when you do not have or have lost access to your phone.
Re: (Score:2)
True, plus there's a backup phone number. These are very handy things when you forget about 2 factor when you forget and test ROMs on your phone.
Re: (Score:3, Insightful)
In addition. the walled garden approach means a single point of failure (in this case, social engineering) will cost you everything. Apple should have recognised that and provided better internal security.
Re:They Know Best (Score:5, Insightful)
The absolute problem is that no matter how many authentication factors you add, recovery will always be the weakest link.
People will always lose their tokens, and they will always need a way of getting access to their account.. and that way is usually someone making minimum wage with 3 weeks of training.
Personally I wish there was a way to opt out of recovery. Basically a "I accept the risk, if I ever lose my token and forget my recovery questions / password.. I'm shit out of luck" option. This option would have to make it literally impossible for a support person to greant access to the account.. because if they technically can, someone will social engineer one to do so...
Re:They Know Best (Score:5, Informative)
This is how SpiderOak [spideroak.com] does it. https://spideroak.com/faq/questions/13/what_if_i_forget_my_spideroak_password/ [spideroak.com]
Re:They Know Best (Score:5, Funny)
I prefer the solution at webex - I have a weblink, that opens to a page showing my current password in cleartext.... ...others should really implement this, seeing how userfriendly it is!
Re: (Score:2)
Re: (Score:2)
You *can* more or less do that just encipher everything you store on others peoples systems before you upload it. They don't need the keys. My friends and I use drop box a fair amount, to trade files asynchronously but we run all our files thru openssl first and the certificates have never been anywhere near dropbox.
Unless someone can break AES or gets the certs and the passwords protecting them via rubber-hose crypto analysis its safe and nobody will enable *recovery*.
Re:They Know Best (Score:4, Informative)
Sure, but getting the data wasn't a goal here. Infact, they appear to specifically wiped out the data. It's the accounts that are valuable, not what is in them.
Re: (Score:2)
2 factor authentication solves nothing if you have a good social engineer: http://it.slashdot.org/story/11/12/06/0321250/scammers-work-around-two-factor-authentication-with-social-engineering [slashdot.org]
Re:They Know Best (Score:5, Insightful)
I'd prefer Microsoft and Apple not evolve towards banks, actually. In fact, I'd rather my bank evolve towards Blizzard Entertainment and offer me some real security.
It never ceases to amaze me that my Diablo III loot is better protected than my salary.
Re: (Score:3)
Totally.
I can't even find a bank that will offer me two factor authentication here in Atlantic Canada. RBC will do it for _corproate_ customers.. which is even more maddening because it means they have the infrastruction in place, they just won't let us peons down here use it..
Paypal offers better security than my bank. If I'd said that not to long ago people would look at me funny.. kinda sad!
Re: (Score:3)
XBox live was getting hit by this a couple of years ago too
You know how Xbox Live "solved" the problem? You have security questions. And if you can't remember them, and paid with paypal, they tell you they "can't" terminate your membership, and will therefore steal your money. Well, they don't admit that it's stealing, of course. They will let you sign up for Xbox Live with just your Xbox, but you can't terminate it from there, and you have to use Internet Explorer to access their site. Then they will keep trying to charge your paypal account for months (sending yo
Re: (Score:2)
If he put enough ads on the page he might just be coining it... especially if the ads are for i[Phone|Pad|Pod] accessories.
Re: (Score:3)
The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim.
Wrong. Read all the way to the end of the article: Apple already fessed up.
Update Three: I know how it was done now. Confirmed with both the hacker and Apple. It wasn’t password related. They got in via Apple tech support and some clever social engineering that let them bypass security questions.
Re: (Score:2)
Wrong. Read all the way to the end of the article: Apple already fessed up.
The article written by the someone who could be making it all up?
Re: (Score:3)
Seriously?
After calling out Tim Cook personally, getting Gawker Media involved, Gizmodo [gizmodo.com] also carrying the story written by a different editor, Cnet [cnet.com] carrying the story, and Mat posting under his own name, you are still going with the denial angle?
CNET doesn't back the story (Score:2)
CNET just reports it. Every one of their sentences about the info says "according to..." or "journalist blames".
Careful, multiple stories written by reading one report is not any kind of confirmation, it's just repetition.
Re: (Score:2)
The poster says he was contacted by someone who says he is the hacker. Nothing was confirmed about AppleCare involvement, though it is a possibility - especially if the hacker knows his victim.
You didn't read until the end. The guy posted an update long before you even posted your comment.
But the best part? The INSANE posts to the original article:
The guy needs a better crowdsourced moderation system.
Obviously, the guy is a popular blogger. That's probably why there is so much noise in the comments.
I'm not trying to blame him for the comments he has, I'm just suggesting that now that he's getting so much more traffic, that he should consider moving to a different blogging platform that allows him to still accept anonymous comments, but with better up_voti
Re:Why believe the hacker? (Score:5, Insightful)
That's a password with somewhere around ~20 bits of entropy. Let's be generous to weak passwords and consider one with 16 bits of entropy, meaning that a dictionary attack has to make (around half of) 60000 attempts to crack it.
If you've got the hashed password, this is trivial to do. But if you're trying to break a remote login and the computer on the other side lets you make 60000 attempts, then there are far bigger issues at work than a weak password.
Re: (Score:2)
On occasion the xkcd "correct horse battery staple" comic comes up, and when people compare the password strength to other methods, they calculate the strength of the random words password based on (number of words in dictionary used)^(number of words in password).
This makes no sense to me. When an attacker is trying to brute force your password, he has no idea how you created your password, so calculating a random-wor
Re: (Score:2)
Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.
Re: (Score:3, Interesting)
Because if you RTFA, Apple confirmed that this occurred. Probably via the notes in the call log.
I did RTFA. Everything we're currently aware of comes from this guy's point of view. I'm not saying it's incorrect - but it's usually smart to wait for corroboration before drawing conclusions on anything.
Re:Yeah but.... (Score:5, Insightful)
This is really unrelated to any specific company. It *is* an excellent lesson in relying only on online backups.
Re:Yeah but.... (Score:4, Insightful)
It's also a lesson in not putting all your eggs in one basket.
That one _is_ apple specific. Tight integration has it's price. If someone gets into my email, I won't lose access to every damn piece of technology I own. I actually find it pretty damn impressive how much damage they managed to pull off.
Re: (Score:2)
Re:Yeah but.... (Score:4, Insightful)
Uhm... no? Gmail has no function in it to remotely wipe an android phone.
Re: (Score:2)
Re: (Score:2)
What is your age and date of birth?
*Reads directly from targets facebook*
Thank you sir. Please hold one moment...
We've verified your account what can I do for you today? Change shipping address? Change password? Change email? Purchase 30,000 worth of fetish gear?
No problem Mr Shimomura.
WHAT... is the airspeed velocity of an unladen sparrow?
Re: (Score:2)
Hell, device backup is even built into iTunes.
Yep, it backs up to the computer your iPhone or iPad was set up on. Which in this case meant his Macbook Pro. Which was remotely wiped by the attacker at the same time as his iPhone and iPad. Whoops!
Not to worry, though, Apple now offers cloud-based backups of your iDevices to your iCloud account. Oh wait, the entire reason that the attacker could wipe this guy's data was because he'd gained access to the iCloud account they were linked to, so he could just delete those backups at the same time as well. Dou
Re: (Score:2)
Where was his MacBook backed up? Oh, it wasn't? Tough shit. If he had it backed up with a Time Machine backup (whether to a Time Capsule, an external hard drive, a stack of floppies, or whatever), you merely restore the laptop from that backup, and then restore the iOS devices from the Mac.
Re: (Score:2)
Well, until Apple iCloud-enables Time Capsule too...