To all those that say they don't care about phone security.
- Read this article
https://t.co/j7B8BwfG
It is the story of a journalist that was hacked not because of his journalist title but because they wanted his Twitter handle name. They got his Apple ID, Amazon ID etc.
It's a lengthy read but it is very worth it to us techies that are hesitant on believing in cloud security. I back my berry up to my computer which is not connected to a cloud network even with all the alerts Apple sends me to connect it to the iCloud.
Trust me this story needs to get out there to increase security measures on all fronts.
Sent from my Bold using Tapatalk
anjali_jain and Alex_Hong like this.
08-06-12 11:58 PM Like 2
- It's actually only partly related to phone security. Though it could very well have happened to BlackBerry ID as well depending what type of verification/authentication process RIM uses and what not, and what kind of information the hacker has from you. BB Protect is able to remote wipe devices as well. It's actually more about cyber security in general imo. Basically the security of all your digital life.
But I agree, it is a must read.
08-07-12 12:15 AM Like 0
- People fail to realize how un-secure everything on the internet is. While cloud is a great innovation you are trusting your information/documents to un-secure systems. Anyone with enough patience and motivation could hack your accounts and make off with your personal information. Just think of all the information your email gets. Bank info, billing info, online retail accounts etc.
08-07-12 02:41 AM Like 0
- amazinglygraceless, Retired Mod
I still say this IS NOT a phone security issue. This is a breakdown of internal / organizational controls at the Customer Service level. Absent the failures at the human level this would simply not be a story.
Originally Posted by Mat Honan
But what happened to me exposes vital security flaws in several customer service systems, most notably Apple's and Amazon's. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information - a partial credit card number - that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
Last edited by amazinglygraceless; 08-07-12 at 07:58 AM.
08-07-12 07:54 AM Like 9
- Sith_Apprentice, Mod Team Emeritus
+5000
This is a social engineering attack and had nothing to do with phone security. It does however show the potentially nasty consequences of having everything linked from a central point.
08-07-12 09:07 AM Like 6
- amazinglygraceless, Retired Mod
I see what you did there.......
Just to be clear, I agree with this and am in no way trying to minimize this aspect.
pantlesspenguin and Sith_Apprentice like this.
08-07-12 09:12 AM Like 2
- What is posted here is applicable to anyone, even if he/she does not have Apple ID nor uses iCloud.
Until Apple fixes its porous iCloud security, here are some things you can do to protect yourself:
1. Make sure that you have a strong iCloud/Apple ID password. (Here's how to change it).
2. Use unique passwords to protect different accounts (I recommend 1Password for this). If you're using the same password for your online banking as your webmail account you're asking to be hacked. At a minimum, use tiered passwords: a superstrong one for anything financial, another one for your email and a third for everything else.
3. Use a throwaway email address (that's not linked to anything) for forms and retail-related spam. The less personal information that's in it, the better.
4. Enable two-step verification on your Google account and protect it. Don't use your primary email address for every retailer and web form that asks for it. (See #3 above.)
5. Buy a domain name, host it with an ISP you trust and set up email accounts on that domain for your high security/financial accounts. Use email accounts you control (not webmail) for high security applications and for password recovery.
6. Use different credit cards for Amazon and your Apple ID.
7. Back up your most important data to physical media that you control. Ideally two copies on-site and one off-site (at work, your parent's or a friend's house).
08-07-12 09:24 AM Like 3
- Sith_Apprentice, Mod Team Emeritus
At minimum, in this day and age, you should have a 10 character complex password. Recommended would be something 15+ but most users would balk at that. Never use a word or name or date of birth, nothing "real". You can even turn a standard word into a seemingly random password by changing letters for similar numbers and symbols.
While this tool should be taken with a massive grain of salt, play around with different combinations and see how it changes the number of guesses it would take.
How Secure Is My Password?
Also this thread has a good deal about this.
http://forums.crackberry.com/general...ml#post7414288
Last edited by Sith_Apprentice; 08-07-12 at 09:43 AM.
amazinglygraceless likes this.
08-07-12 09:35 AM Like 1
- amazinglygraceless, Retired Mod
While this tool should be taken with a massive grain of salt, play around with different combinations and see how it changes the number of guesses it would take.
How Secure Is My Password?
Last edited by amazinglygraceless; 08-07-12 at 09:59 AM.
08-07-12 09:53 AM Like 0
- Then you'd need to steal my YubiKey NEO off me as well. :-)
Last edited by cgk; 08-07-12 at 10:04 AM.
Sith_Apprentice likes this.
08-07-12 10:01 AM Like 1
- Sith_Apprentice, Mod Team Emeritus
Two factor authentication (or higher) is always much better than just a password.
RIM did experiment with three factor authentication but decided on the two factor for their smart card readers. The original design was a fingerprint scanner built in as well.
Last edited by Sith_Apprentice; 08-07-12 at 11:00 AM.
08-07-12 10:57 AM Like 0
- My buddy has a Motorola Android device that has a finger scanner and it is kind of cool. Works great too.
Sent from my Bold using Tapatalk
amazinglygraceless likes this.
08-13-12 09:05 AM Like 1
- amazinglygraceless, Retired Mod
For relatively insignificant material that you would like access to wherever you are and on whatever device you are using the cloud makes sense.
FigureThisOut likes this.
08-13-12 10:00 AM Like 1
- This has nothing to do with phone security, BTW. It has to do with the lax privacy and account access policies at companies like Apple and Amazon. The person should have not been able to access what they did if they didn't have such gaping holes in their system or willfully allowed people to reset others' passwords at the drop of a hat.
All that person did was reset the iPhone/Mac using Find my iPhone/Mac after getting the password reset by Apple. He didn't even steal anything off the device. And they did it mostly as an inconvenience to make him unable to quickly recover his Twitter account. How is using a security feature from an external website somehow a display that the iMac or iPhone was unsecure, especially using the methods described???
08-13-12 10:18 AM Like 0
- I mean, seriously, they used the 4 credit card digits that EVERYONE SHOWS for secure ID authentication!!??
08-13-12 10:22 AM Like 0
- **13+ pseudo random ASCII printable characters from a cryptographically strong random character generator.
08-13-12 01:37 PM Like 0
- It is still another way to access the phone and they left it vulnerable. It's kinda like your security team saying "We locked all the doors, so it's not our fault they climbed in an open window..."
I mean, seriously, they used the 4 credit card digits that EVERYONE SHOWS for secure ID authentication!!??
In other, completely unrelated news, the Department of Justice and MIT's Technology Review say Apple's data encryption is pretty good: The iPhone Has Passed a Key Security Threshold - Technology Review
08-13-12 02:18 PM Like 0
- Couldn't the person in control of the iCloud account simply add another iPhone and do a restore? He's lucky they were after his Twitter handle and not his info...
08-13-12 02:53 PM Like 0
- The remote wipe command accessed the phone. It's like saying it's OK to break in and smash everything, as long as you didn't "take" it. And getting your iPhone, iPad AND macbook as well as your iCloud account wiped is just "annoying"? OK...
Couldn't the person in control of the iCloud account simply add another iPhone and do a restore? He's lucky they were after his Twitter handle and not his info...
If you want to continue believing this is something peculiar to Apple and not just the cost of doing business 'in the cloud' then go for it, you obviously have an axe to grind against Apple in particular but the fact is the phone itself wasn't compromised.
08-13-12 03:21 PM Like 0
- Please explain how the phone responding correctly to a properly issued command means the phone was compromised. You're twisting definitions in order to fit your desired narrative. iCloud was compromised after the hacker manipulated both Amazon and Apple's customer service into gaining access. He then used that access to perform a routine operation.
It's really not any different than if I left the administrator password on my BES server blank and someone was able to remote desktop into it and wipe all of our devices. That's not a fault in the phone, it's a faulty security mechanism on the service level.
08-13-12 04:51 PM Like 0
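
The weakness several posts in this thread point at (one service displaying a fact that another accepts as proof of identity, with everything linked from a central account) can be audited mechanically. The following is an added example, not part of any post in the thread; the service names, facts and recovery rules in `SERVICES` are constructed assumptions and do not describe any real company's process.

```python
# Constructed inventory (assumption, not taken from the thread): for each
# service, the fact sets its support desk accepts as proof of identity and
# the facts an authenticated session reveals.
SERVICES = {
    "retailer": {"accepts": [{"name", "email", "billing_address"}],
                 "reveals": {"card_last4"}},
    "cloud_id": {"accepts": [{"billing_address", "card_last4"}],
                 "reveals": {"cloud_mailbox", "remote_wipe"}},
    "social":   {"accepts": [{"cloud_mailbox"}],
                 "reveals": {"handle"}},
    "bank":     {"accepts": [{"bank_password", "hardware_token"}],
                 "reveals": {"funds"}},
}


def weak_factors(services):
    """Return (fact, shown_by, accepted_by) where one service displays a
    fact that another service accepts as part of identity verification."""
    findings = set()
    for shown_by, src in services.items():
        for accepted_by, dst in services.items():
            if shown_by == accepted_by:
                continue
            for required in dst["accepts"]:
                for fact in required & src["reveals"]:
                    findings.add((fact, shown_by, accepted_by))
    return sorted(findings)


def exposure(services, known_facts):
    """Fixed-point closure: the order in which accounts become recoverable
    by someone holding `known_facts`, and every fact they end up with."""
    known, order = set(known_facts), []
    progress = True
    while progress:
        progress = False
        for name, svc in services.items():
            if name not in order and any(r <= known for r in svc["accepts"]):
                order.append(name)
                known |= svc["reveals"]
                progress = True
    return order, known


if __name__ == "__main__":
    public = {"name", "email", "billing_address"}  # constructed starting facts
    for fact, shown_by, accepted_by in weak_factors(SERVICES):
        print(f"{accepted_by} accepts {fact!r}, which {shown_by} displays")
    print("recoverable from public facts:", exposure(SERVICES, public)[0])
```

Replacing the `cloud_id` rule with a factor no other service displays, such as the hardware token mentioned in the thread, stops the chain at the first account.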