08-15-12 01:13 PM
  1. eve6er69's Avatar
    Read this article

    https://t.co/j7B8BwfG

    It is the story of a journalist who was hacked not because of his journalist title but because they wanted his Twitter handle. They got his Apple ID, Amazon ID, etc.

    It's a lengthy read, but it is well worth it to us techies who are hesitant about believing in cloud security. I back my Berry up to my computer, which is not connected to a cloud network, even with all the alerts Apple sends me to connect it to iCloud.

    Trust me this story needs to get out there to increase security measures on all fronts.

    Sent from my Bold using Tapatalk
    anjali_jain and Alex_Hong like this.
    08-06-12 11:58 PM
  2. Alex_Hong's Avatar
    It's actually only partly related to phone security. Though it could very well have happened to BlackBerry ID as well, depending on what type of verification/authentication process RIM uses and what not, and what kind of information the hacker has from you. BB Protect is able to remote wipe devices as well. It's actually more about cyber security in general imo. Basically the security of all your digital life.

    But I agree, it is a must read.
    08-07-12 12:15 AM
  3. anjali_jain's Avatar
    People fail to realize how insecure everything on the internet is. While the cloud is a great innovation, you are trusting your information/documents to insecure systems. Anyone with enough patience and motivation could hack your accounts and make off with your personal information. Just think of all the information your email gets: bank info, billing info, online retail accounts, etc.
    08-07-12 02:41 AM
  4. hootyhoo's Avatar
    08-07-12 05:44 AM
  5. amazinglygraceless's Avatar
    I still say this IS NOT a phone security issue. This is a breakdown of internal / organizational controls at the Customer Service level. Absent the failures at the human level this would simply not be a story.

    But what happened to me exposes vital security flaws in several customer service systems, most notably Apple’s and Amazon’s. Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
    Last edited by amazinglygraceless; 08-07-12 at 07:58 AM.
    08-07-12 07:54 AM
  6. Sith_Apprentice's Avatar
    I still say this IS NOT a phone security issue. This is a breakdown of internal / organizational controls at the Customer Service level. Absent the failures at the human level this would simply not be a story.

    +5000

    This is a social engineering attack and had nothing to do with phone security. It does however show the potentially nasty consequences of having everything linked from a central point.
    Laura Knotek, kraski, JR A and 3 others like this.
    08-07-12 09:07 AM
  7. amazinglygraceless's Avatar
    +5000
    I see what you did there.......

    This is a social engineering attack and had nothing to do with phone security. It does however show the potentially nasty consequences of having everything linked from a central point.
    Just to be clear, I agree with this and am in no way trying to minimize this aspect.
    08-07-12 09:12 AM
  8. Laura Knotek's Avatar
    What is posted here is applicable to anyone, even if he/she does not have Apple ID nor uses iCloud.
    Until Apple fixes its porous iCloud security, here are some things you can do to protect yourself:

    1. Make sure that you have a strong iCloud/Apple ID password. (Here's how to change it).

    2. Use unique passwords to protect different accounts (I recommend 1Password for this). If you're using the same password for your online banking as your webmail account you're asking to be hacked. At a minimum, use tiered passwords: a superstrong one for anything financial, another one for your email and a third for everything else.

    3. Use a throwaway email address (that's not linked to anything) for forms and retail-related spam. The less personal information that's in it, the better.

    4. Enable two-step verification on your Google account and protect it. Don't use your primary email address for every retailer and web form that asks for it. (See #3 above.)

    5. Buy a domain name, host it with an ISP you trust and set up email accounts on that domain for your high security/financial accounts. Use email accounts you control (not webmail) for high security applications and for password recovery.

    6. Use different credit cards for Amazon and your Apple ID.

    7. Back up your most important data to physical media that you control. Ideally two copies on-site and one off-site (at work, your parents' or a friend's house).
    08-07-12 09:24 AM
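As an added example (not code from any post in this thread, and not a description of Apple's or Amazon's actual procedures), the script below models the "everything linked from a central point" problem the thread keeps returning to, and checks what items 3, 5 and 6 of the list above actually buy you. Accounts are nodes; each one is taken over by satisfying any one of its recovery/verification requirement sets. The account names, rules, starting facts and the two mitigations are constructed assumptions for illustration.

```python
"""Account-recovery dependency graph (added example; not from the thread).

Constructed model: each account is obtained by satisfying any one of its
recovery/verification requirement sets.  Names, rules and the two
mitigations are assumptions for illustration, not a description of any
vendor's actual process.
"""
from copy import deepcopy

# target -> list of alternative requirement sets; holding every fact in
# any one set lets the attacker obtain the target.  (assumed rules)
RULES = {
    "amazon_last4": [{"billing_address", "email"}],         # last 4 visible in the account
    "apple_id":     [{"billing_address", "amazon_last4"}],  # support verifies with address + last 4
    "icloud_mail":  [{"apple_id"}],
    "gmail":        [{"icloud_mail"}],                      # mail recovery goes to the iCloud mailbox
    "twitter":      [{"gmail"}],                            # Twitter reset goes to Gmail
    "remote_wipe":  [{"apple_id"}],                         # Find My iPhone needs only the Apple ID
}

# facts assumed cheaply obtainable (constructed starting point)
START = {"billing_address", "email"}


def reachable(rules, start):
    """Fixed-point closure: returns (known facts, ordered derivation steps)."""
    known = set(start)
    steps = []
    changed = True
    while changed:
        changed = False
        for target, alternatives in rules.items():
            if target in known:
                continue
            for req in alternatives:
                if req <= known:
                    known.add(target)
                    steps.append((target, sorted(req)))
                    changed = True
                    break
    return known, steps


def choke_points(rules, start, goal):
    """Nodes whose removal alone makes `goal` unreachable: the 'central points'."""
    if goal not in reachable(rules, start)[0]:
        return set()
    cuts = set()
    for node in rules:
        if node == goal:
            continue
        pruned = {t: alts for t, alts in rules.items() if t != node}
        if goal not in reachable(pruned, start)[0]:
            cuts.add(node)
    return cuts


def split_recovery_mail(rules):
    """Item 5 above: recover the mail account via a mailbox on a domain you
    control; it has no rule here, so the attacker can never derive it."""
    out = deepcopy(rules)
    out["gmail"] = [{"own_domain_mailbox"}]
    return out


def require_second_factor(rules):
    """Assumed stronger verification: Apple ID also needs a possession factor."""
    out = deepcopy(rules)
    out["apple_id"] = [req | {"second_factor"} for req in rules["apple_id"]]
    return out


if __name__ == "__main__":
    known, steps = reachable(RULES, START)
    for target, via in steps:
        print(f"{target:13s} <- {', '.join(via)}")
    print("choke points for twitter:", sorted(choke_points(RULES, START, "twitter")))
    hardened = require_second_factor(split_recovery_mail(RULES))
    print("after hardening, reachable:", sorted(reachable(hardened, START)[0] - START))
```

Running it on the constructed rules derives every account in one pass from just an address and an email, and every node on the chain is a choke point. Splitting the recovery mailbox (item 5) cuts off the Twitter handle but not the remote wipe, because that needs only the Apple ID; only a stronger verification at the Apple ID step cuts both. That is the point of the "central point" remarks in this thread: fix the node that the most things hang off, not the one the attacker happened to want.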
  9. Sith_Apprentice's Avatar
    At minimum, in this day and age, you should have a 10 character complex password. Recommended would be something 15+ but most users would balk at that. Never use a word or name or date of birth, nothing "real". You can even turn a standard word into a seemingly random password by changing letters for similar numbers and symbols.

    While this tool should be taken with a massive grain of salt, play around with different combinations and see how it changes the number of guesses it would take.

    How Secure Is My Password?


    Also, this thread has a good deal about this.

    http://forums.crackberry.com/general...ml#post7414288
    Last edited by Sith_Apprentice; 08-07-12 at 09:43 AM.
    amazinglygraceless likes this.
    08-07-12 09:35 AM
  10. amazinglygraceless's Avatar
    While this tool should be taken with a massive grain of salt, play around with different combinations and see how it changes the number of guesses it would take.

    How Secure Is My Password?
    Interesting.

    Last edited by amazinglygraceless; 08-07-12 at 09:59 AM.
    08-07-12 09:53 AM
  11. cgk's Avatar
    It told me it would take 334 sesvigintillion years

    pantlesspenguin likes this.
    08-07-12 09:58 AM
  12. Sith_Apprentice's Avatar
    It told me it would take 334 sesvigintillion years


    Not secure enough.... lol
    08-07-12 10:00 AM
  13. cgk's Avatar
    Not secure enough.... lol
    Then you'd need to steal my YubiKey NEO off me as well. :-)
    Last edited by cgk; 08-07-12 at 10:04 AM.
    Sith_Apprentice likes this.
    08-07-12 10:01 AM
  14. Sith_Apprentice's Avatar
    Two factor authentication (or higher) is always much better than just a password.

    RIM did experiment with three factor authentication but decided on the two factor for their smart card readers. The original design was a fingerprint scanner built in as well.
    Last edited by Sith_Apprentice; 08-07-12 at 11:00 AM.
    08-07-12 10:57 AM
  15. eve6er69's Avatar
    Two factor authentication (or higher) is always much better than just a password.

    RIM did experiment with three factor authentication but decided on the two factor for their smart card readers. The original design was a fingerprint scanner built in as well.

    My buddy has a Motorola Android device that has a finger scanner and it is kind of cool. Works great too.


    Sent from my Bold using Tapatalk
    amazinglygraceless likes this.
    08-13-12 09:05 AM
  16. WES51's Avatar
    Memory is getting cheaper and cheaper for all of us. Why would anybody want to store anything in the cloud?

    These cloud services really only benefit the cloud providers.

    Once they have your data, they have control over the user.

    And who wants that?
    08-13-12 09:53 AM
  17. amazinglygraceless's Avatar
    Memory is getting cheaper and cheaper for all of us. Why would anybody want to store anything in the cloud?

    These cloud services really only benefit the cloud providers.

    Once they have your data, they have control over the user.

    And who wants that?
    It all depends what you store in the cloud. If it is important data that you rely on, or that could cause you material harm were it to fall into other hands, then one would be a fool to store it on any medium over which they do not have complete control.

    For relatively insignificant material that you would like access to wherever you are and on whatever device you are using the cloud makes sense.
    FigureThisOut likes this.
    08-13-12 10:00 AM
  18. iN8ter's Avatar
    This has nothing to do with phone security, BTW. It has to do with the lax privacy and account access policies at companies like Apple and Amazon. The person should not have been able to access what they did if those companies didn't have such gaping holes in their systems or willfully allow people to reset others' passwords at the drop of a hat.

    All that person did was reset the iPhone/Mac using Find My iPhone/Mac after getting the password reset by Apple. He didn't even steal anything off the device. And they did it mostly as an inconvenience, to make him unable to quickly recover his Twitter account. How is using a security feature from an external website somehow a display that the iMac or iPhone was insecure, especially using the methods described?
    08-13-12 10:18 AM
  19. TheScionicMan's Avatar
    +5000

    This is a social engineering attack and had nothing to do with phone security. It does however show the potentially nasty consequences of having everything linked from a central point.
    It is still another way to access the phone and they left it vulnerable. It's kinda like your security team saying "We locked all the doors, so it's not our fault they climbed in an open window..."

    I mean, seriously, they used the 4 credit card digits that EVERYONE SHOWS for secure ID authentication!!??
    08-13-12 10:22 AM
  20. hornlovah's Avatar
    Memory is getting cheaper and cheaper for all of us. Why would anybody want to store anything in the cloud?
    Convenience, and in some cases, additional security. Some cloud storage solutions are disasters waiting to happen, but you don't want to lump all cloud providers together. Some can be used to store data that is already encrypted, and others are built from the ground up with your privacy and security in mind. I sure wouldn't store unencrypted data in my Dropbox account, but Dropbox performs a nice incremental backup of TrueCrypt drives once they're dismounted. I also use a cloud based password manager. It sounds risky at first, but they have no ability to decrypt my data, so they are essentially providing access to an encrypted file over a secure connection. My password data is always current, I don't have to sync with other devices, and I can share passwords securely with public key encryption. If you're willing to do some research and use a strong password**, there is no reason to avoid all cloud based storage services.

    **13+ pseudo-random ASCII printable characters from a cryptographically strong random character generator.
    08-13-12 01:37 PM
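As an added example (not from any post here, and not the online checker linked in post 9), the script below does the arithmetic behind the "10 character / 15+ character" recommendation in post 9 and the "13+ random printable ASCII characters from a cryptographically strong generator" footnote just above: it generates such a password from the OS CSPRNG, computes its entropy from length and alphabet size, and converts that to an expected cracking time at several assumed guess rates. It also sizes the search space for a dictionary word with letter-for-symbol substitutions, which is the kind of input an entropy-by-length checker will overrate; that is one reason for the "massive grain of salt" in post 9. The guess rates, dictionary size and substitution counts are constructed assumptions.

```python
"""Password search-space arithmetic (added example; not from the thread).

Shows how guess counts scale with length and alphabet for passwords drawn
uniformly at random from a CSPRNG, and how small the search space is when a
password is a dictionary word with character substitutions.  Guess rates,
dictionary size and substitution counts are constructed assumptions.
"""
import math
import secrets
import string

# the 95 printable ASCII characters (letters, digits, punctuation, space)
PRINTABLE = "".join(c for c in string.printable if c not in "\t\n\r\x0b\x0c")
ALNUM = string.ascii_letters + string.digits
LOWER = string.ascii_lowercase

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# assumed attacker guess rates per second (constructed round numbers)
RATES = {
    "online, rate-limited": 1e1,
    "offline, slow KDF":    1e5,
    "offline, fast hash":   1e10,
}


def generate(length, alphabet=PRINTABLE):
    """Uniform random password from `alphabet` using the OS CSPRNG."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def substituted_word_bits(dictionary_size, substitutable_positions):
    """Search space for 'a word with letters swapped for symbols': the
    attacker tries each word with every subset of substitutions applied,
    so the space is dictionary_size * 2**positions."""
    return math.log2(dictionary_size) + substitutable_positions


def expected_years(bits, guesses_per_second):
    """Average time to hit: half the space at the given guess rate."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def report(bits):
    """Years to crack under each assumed rate, keyed by rate label."""
    return {label: expected_years(bits, rate) for label, rate in RATES.items()}


if __name__ == "__main__":
    bits13 = random_bits(13, len(PRINTABLE))
    print("generated:", repr(generate(13)), "bits:", round(bits13, 1))
    for label, years in report(bits13).items():
        print(f"  {label:22s} {years:.3g} years")
    weak = substituted_word_bits(100_000, 4)   # assumed: 100k-word list, 4 swappable letters
    print("substituted word bits:", round(weak, 1),
          "->", f"{report(weak)['offline, fast hash']:.3g} years at the fast-hash rate")
```

Thirteen random printable characters come out at about 85 bits, which at the assumed fast-hash rate is still astronomically many years; a 100k-word dictionary entry with four possible substitutions is about 21 bits, which at the same rate is a fraction of a second. The number a length-based checker reports is only meaningful if the characters were actually chosen at random, which is why the footnote above specifies a cryptographically strong generator rather than a memorable word.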
  21. westcoastit's Avatar
    It is still another way to access the phone and they left it vulnerable. It's kinda like your security team saying "We locked all the doors, so it's not our fault they climbed in an open window..."

    I mean, seriously, they used the 4 credit card digits that EVERYONE SHOWS for secure ID authentication!!??
    They didn't 'access the phone' though. They triggered a remote wipe which, while annoying, doesn't give anyone else access to your data.

    In other, completely unrelated news, the Department of Justice and MIT's Technology Review say Apple's data encryption is pretty good: The iPhone Has Passed a Key Security Threshold - Technology Review
    08-13-12 02:18 PM
  22. TheScionicMan's Avatar
    They didn't 'access the phone' though. They triggered a remote wipe which, while annoying, doesn't give anyone else access to your data.
    The remote wipe command accessed the phone. It's like saying it's OK to break in and smash everything, as long as you didn't "take" it. And getting your iPhone, iPad AND macbook as well as your iCloud account wiped is just "annoying"? OK...

    Couldn't the person in control of the iCloud account simply add another iPhone and do a restore? He's lucky they were after his Twitter handle and not his info...
    08-13-12 02:53 PM
  23. westcoastit's Avatar
    The remote wipe command accessed the phone. It's like saying it's OK to break in and smash everything, as long as you didn't "take" it. And getting your iPhone, iPad AND macbook as well as your iCloud account wiped is just "annoying"? OK...

    Couldn't the person in control of the iCloud account simply add another iPhone and do a restore? He's lucky they were after his Twitter handle and not his info...
    They could possibly have done so but that depends entirely on the settings he had on his actual device. You can limit your iCloud backups to things like wallpapers and photos if you like.

    If you want to continue believing this is something peculiar to Apple and not just the cost of doing business 'in the cloud' then go for it, you obviously have an axe to grind against Apple in particular but the fact is the phone itself wasn't compromised.
    08-13-12 03:21 PM
  24. kbz1960's Avatar
    The phone wasn't compromised? I'd say being wiped, yes it was.
    08-13-12 03:43 PM
  25. westcoastit's Avatar
    The phone wasn't compromised? I'd say being wiped yes it was.
    Please explain how the phone responding correctly to a properly issued command means the phone was compromised. You're twisting definitions in order to fit your desired narrative. iCloud was compromised after the hacker manipulated both Amazon and Apple's customer service into gaining access. He then used that access to perform a routine operation.

    It's really not any different than if I left the administrator password on my BES server blank and someone was able to remote desktop into it and wipe all of our devices. That's not a fault in the phone, it's a faulty security mechanism on the service level.
    08-13-12 04:51 PM