Australian iPhone and iPad Users Waylaid By Ransomware 52
DavidGilbert99 (2607235) writes "Multiple iPhone/iPad/Mac users in Australia are reporting their devices being remotely locked and a ransom demand being made to get them unlocked again. However, unlike PC ransomware, the vector of attack here seems to be Apple's iCloud service with the attacker getting to a database of username/password credentials associated with the accounts. It is unclear if the database was one of Apple's or the hacker is simply using the fact that people reuse the same password for multiple accounts and is using data stolen from another source. Apple is yet to respond, but there has already been one report of the issue affecting a user in the UK."
Re:My heart bleeds for them. (Score:4, Informative)
Where do you get such misinformation? Apple deprecated the use of OpenSSL [appleinsider.com] when it deprecated CDSA back in 2011 for OS X in favor of Common Crypto. At the time there was some mumblings about how Apple didn't like standards. And Apple has never used OpenSSL in iOS.
. . . although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS.
Re:My heart bleeds for them. (Score:5, Insightful)
Apple is built on older versions of OpenSSL - this looks like it might be because they weren't quick enough to adapt, and someone snuck in under the radar. Lets hope they get it sorted quickly!
Apple deprecated the use of OpenSSL in 2011, and the version shipped with OS X was never updated to the versions which introduced Heartbleed. Strike 1!
OpenSSL has never been used in iOS. Strike 2!
Apple also was not using affected versions in any of its online/cloud services. Strike 3!
You're out! Your post was ridiculously bad even by /. standards!
Re: (Score:1, Insightful)
And iOS Users in Australia are so much better off for it!
Oh wait,,,.
Re:My heart bleeds for them. (Score:4, Insightful)
Re: (Score:2)
Re:My heart bleeds for them. (Score:4, Interesting)
Hell, it could very well be a phishing attack - a couple of months ago I've been getting a ton of "Apple ID confirmation" and other crap email asking you to "verify" your Apple ID with Apple.
It's slowed down or gone now, but that could also very well be the problem. (Yes, those phishes were pretty obvious, but some were quite good).
Heck, I've gotten them in FRENCH, too. That one was interesting. (In Canada, the typical standard is one email in both English and French, but this was French only).
I wouldn't be surprised if this wasn't the result of said phishing attack.
Re: My heart bleeds for them. (Score:1)
Re: (Score:2)
Re: (Score:1)
Need more coffee. Since I fixed it, why did I post the PP as AC?
MITM attack (Score:3)
seems like they might have been a target of MITM attack
personally I would advocate support for DANE in apple products :
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities
http://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities [wikipedia.org]
not a total solution but it would help
regards
John Jones
Re:MITM attack (Score:5, Informative)
It's not a MITM atack, but rather the hackers are exploiting a vulnerability in iCloud. Then, using the "Find Device" option they block the phone and demand a 100 euro ransom to unlock them, which the user must pay via PayPal. If the user had enabled two-step authentication they could re-gain control of the phone, otherwise they would be forced to pay the ransom. Full article from the Sydney Morning Herald: http://www.smh.com.au/digital-life/consumer-security/australian-apple-idevices-hijacked-held-to-ransom-20140527-zrpbj.html
Nice font (Score:3)
It's you (Score:2, Insightful)
Looks fine from here. X11 and web browsers have had ugly fonts forever. Even today the default fonts still look like something CDE vomited up.
Re: (Score:2)
It's you. Looks fine from here.
What? I said that it is pleasing to read.
Re: (Score:2)
On the other hand, fuck them for overriding my font choices. Some decorative font use is fine, but the bulk of the article should always be in "sans-serif" or "serif".
How do they get the Money? (Score:4, Insightful)
Wouldn't the FBI/other put a trace on the account and prevent the criminals from withdrawing without revealing themselves, within a day or two?
It is not like the message is: "Leave 10,000 dollars under the bridge, and come alone or your data gets it."
Re: (Score:3)
Wouldn't the FBI/other put a trace on the account and prevent the criminals from withdrawing without revealing themselves, within a day or two?
It is not like the message is: "Leave 10,000 dollars under the bridge, and come alone or your data gets it."
That, and PayPal also says the account doesn't exist. Then again, just because they are smart enough to hack the Apple servers does';t mean they aren't stupid in other ways; or maybe are arrogant enough to feel they are untouchable?
Re:How do they get the Money? (Score:4, Interesting)
Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual Paypal account they could extract money from until they were sure it worked?
Re: (Score:2)
Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual Paypal account they could extract money from until they were sure it worked?
Possibly. Problem is now that they know it works how do they let people know where to pay; plus PayPal is unlikely to allow payment so they need to find another untraceable way to collect cash and notify their victims before Apple does a fix.
Re: (Score:2)
Maybe this was a proof-of-concept hack and they didn't want to take the risks involved in setting up an actual Paypal account they could extract money from until they were sure it worked?
Sorry about two replies. This could all be a eats for some more involved attack beyond simple locks and they don't care about the locked devices or payment.
Basic security measures? (Score:3)
Re:Basic security measures? (Score:4)
Re:Basic security measures? (Score:5, Interesting)
Apple do have two-factor authentication these days. If you have that enabled, anyone attempting to log on to your account has to have access to one of your devices or one of your fall-back accounts. Frankly, that should be turned on by default.
My new rule of thumb is that anything I don't have protected by two-factor is something I can afford to lose access to. That's not to say that two-factor is a panacea - it's very easy to set it up so it's useless by, for example, giving a less-secure email address as a fall-back - but it's the minimum for anything I care about.
Re: (Score:3)
Until it becomes a hassle. Example, I just got a new phone last week and didn't have a chance to update my google authenticator app to the new device. It was a vacation so the computer stayed at home. I ordered tickets online at went to print at the hotel only to realize I couldn't access my gmail account to print. I was still able to goto Will Call to pick up the tickets, but it still meant waiting in line for 15 minutes, something we had hoped to skip by purchasing online.
Re: (Score:1)
Then I have good news for you: not all 2 factor auths need phonenumbers. Don't know what Apple uses/requires though.
if the phone is locked ... (Score:1)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
The same way they locked the phone: Find My iPhone lets you display a message on the device, along the lines of "Please return me to the front desk" or "Call me on *othernumber*".
Re: (Score:1)
Vuln’s work both ways (Score:2)
I’ll be you my iCloud password, it’s a re-wrap of this:
http://soylentnews.org/article... [soylentnews.org]
If you can MitM a “consenting” user to unbrick a stolen phone, I can’t see any reason it doesn’t work the other way around.
Re: (Score:2)
Irony, thy name is Apple (Score:1)
Isn't Apple's "walled garden" itself a form of ransomware?