It's kind of funny. When you look into cyber security, the papers are all about controlled rate limiting, advanced anomaly detection, client fingerprinting and the like, but in practice very few companies will actually pick out abuse like this.
This creep didn't need advanced tooling, exploits or deep knowledge of the backing system. All he needed was a basic phishing scam to work well enough, and the official iCloud software (either from his browser or his computer).
All the supposedly advanced algorithms that often arbitrarily ban accounts by mistake managed to miss some random dude behind his laptop, shamelessly leaking private pictures.
To be fair, phishing is just the path of least resistance due to overall security improvements getting rid of other low-hanging fruit. If security became worse overall, phishing would fall a bit more out of favor.
It’s not too weird for 306 accounts to be using iCloud from the same IP, considering stadiums, universities, etc. It’s probably highly unusual for that many of them to do an account recovery… unless the IP is an Apple store.
It's not weird for 1000 users to be simultaneously connected via the same IP because of CGNAT. This is where you would have to do something like browser fingerprinting to try to work out if they are the same person.
Browser fingerprinting works best on the Wintel and Android ecosystems, but fails on Apple's devices because they are extremely uniform, and Apple has been working on making them even more uniform. As Apple products are designed to be used on Apple devices first (and I guess also tested on them first), it would be unlikely that they employ fingerprinting.
This is trivial to overcome with a VPN. There's nothing that suggests that he was connecting from the same IP each time. Based on the article, he could just as easily have forgotten to sign in to a VPN before logging in, and that mistake unraveled the whole thing.
> tricked into clicking links or downloading attachments
Is that "phishing"? Those actions should be secure to perform in a browser. The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.
Of course, that security model sometimes has holes, but if for example clicking the link enables an XSS attack, I'd call it (primarily) an XSS attack. Same story if downloading an attachment did much more than just creating a file on disk.
"Phishing is a type of social engineering where an attacker sends a fraudulent ("spoofed") message designed to trick a human victim into revealing sensitive information to the attacker or to deploy malicious software on the victim's infrastructure like ransomware."[0]
>Is that "phishing"? Those actions should be secure to perform in a browser. The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.
You don't understand how hacking and planting of malware works. Hackers abuse zero-day vulnerabilities in order to drive-by download malware onto users' PCs. They use exploit kits in order to manage and plant malware by abusing browser or computer zero-day exploits. So when you visit a malicious website with a vulnerable browser, malware silently gets downloaded (drive-by download) onto your PC.
On the other hand, one of the most common email attachments is the Microsoft Word document, and again, just like with browsers, Microsoft Office and Microsoft Word have many zero-day exploits or simply existing vulnerabilities (exploits) which the user didn't patch, so the attacker abuses these kinds of exploits in order to drop malware when the user opens the Microsoft Word document and interacts with it.
Summa summarum: hackers use zero-day or existing exploits to plant malware, or they make lookalike websites or documents to trick you into giving your login credentials and/or payment information (credit card, bank account information etc.).
>The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.
You do; websites use SSL certificates and computer files get digitally signed as well.
The cross-site requests thing has thankfully been fixed. Modern browsers will soon (or already do?) stop sending another site's cookies when making a request from a different domain.
Apple makes phishing easier by always prompting the user for their Apple account password. Do anything, including installing free apps, and it requires the password.
This helps the user remember their password. Forgetting your Apple ID password makes all of your Apple devices essentially bricks, as you need it to unlink your account or factory reset.
It doesn't always prompt for a password or, more accurately, fingerprint scan on newish devices. In fact, standard applications that live in /Applications don't need it.
Nor do free apps downloaded via the App Store, as I just tried. Although this may be a setting somewhere.
But does it matter? You know what doesn't need a password? Accessing your photos. There's really very little you can do after authentication that you can't do otherwise. Maybe, after exfiltrating all the user data, you can also update macOS.
Sandboxing is really far more important than protecting sudo privileges, and I believe Apple is doing a fairly good job in that regard.
This was also a common technique used in Runescape back in the day. Takes me back. The much more innocent version was all chatting "Press alt q q for free gold" in Warcraft 3. Alt+q+q was the keyboard shortcut to abandon the match, which I learned the hard way.
Bearing in mind 10,000 [0], for anyone who's confused: hunter2 is a reference to an IRC conversation submitted to bash.org back in 2004 or so, the definitive "paste your password" thing.
Google will alert the account owner (across all channels -- devices they own, and Gmail) when there's a login from a new device. Doesn't Apple do the same?
Yes they do. But don't underestimate how much people don't actually read their emails. They have 20 newsletters coming in every day and quickly check if anything is related to them, they have no idea what that iCloud email says. They just fell victim to a phishing attempt, they are already not that tech savvy.
I had this idea for a service just the other night: a means of overlaying real-time messages and alerts directly onto any app you are using at the time. Kind of a Class 0 "flash" SMS.
EDIT: it could be an OS graphics layer service capable of drawing alerts on your active window. But I don't see why display manufacturers couldn't make this useful: the number of screens and applications anyone is logged into at any one time is increasing, and the primary screens we're using commonly have Windows Hello and Face ID types of biometric capability, which would be very useful for establishing the likelihood of unlawful access elsewhere.
EDIT 2: So Apple has a good position from which to make this kind of "where are you working from?" heuristic check available to other security system software.
EDIT 3: Biometric presence data as a service to increase security for administration changes and logins hasn't come to my attention as being explored yet. I'm semi-retired and extremely interested in this area if anyone is interested in a wider discussion in London; not burdened with any expectations or intentions, and able to arrange professional legal cover if desired or necessary. I am interested in derivative applications for services that don't yet exist.
Apple makes me authenticate the new login using a six digit code from one of my other Apple devices, which is generated if I hit "Yes" in answer to a push notification asking if it's really me trying to log in. All logged in devices get the notification, and then upon a successful login all devices get notified of the new login.
> Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.
They could start by following basic security. My kid's school sets everyone's passwords to various forms of "temp123" (same password for every kid) and often talks about them in cleartext. It sets a very bad example, and it occasionally gives me hives just thinking about it.
A friend worked at a UK government site that one week complained about an increase in "Russian" attempted intrusions and literally the next week issued an instruction in an unsigned email to all staff to change their password to a new password given in plaintext in the email.
The instruction, they thought, had to be a poor phishing attempt - but no, it was a genuine email from the IT department and the friend was punished (!!) for questioning the instruction and not immediately complying.
It may not have been the same password across the organisation, but theirs was reportedly word-based and quite short.
I worked at an ed tech company that provided services for schools and this was very common in my experience.
Schools wanted to store the students' passwords in clear text in an Excel sheet, basically to get fewer complaints from parents.
Students didn't store their password after logging in. If they needed to log in again, they did not know (or did not care) how to reset their passwords. Then the problem would fall onto the parents, who would then complain to the school.
I agree that better education around Internet security is needed, especially for basic phishing attacks like this.
OTOH, I believe Apple could be doing more to deter and/or detect this type of broad access, especially with the lack of sophistication behind this scheme! I feel like even Netflix does a better job at alerting me to access from a new device, and they aren't storing any of my personal photos.
If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?
They would just get an email saying that icloudbackupsupport@gmail.com (his phony address) accessed the account immediately after giving their info to icloudbackupsupport@gmail.com. He could even have told them to expect and ignore such an email.
There should be a request for approving the login attempt, and if you say yes, you get a six digit code to enter on the device trying to connect. Then when that succeeds, you get another push notification about it succeeding.
Perhaps something in that 2FA request saying "Apple will only ask for your password in-person in a store or other authorized repair provider. Only allow this request if you know who requested it"?
You need to spend more time around non technologists. Many folks just dismiss computer prompts without reading, ignore emails, or any number of other similar behaviors that would likely drive you and I crazy by their lack of attention to detail.
> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house
If the attacker was really not covering his tracks, perhaps Apple may have flagged hundreds of different iCloud account logins originating from the same location as something to look into?
> my previous employer had like 20,000 employees NATed behind a single IP.
If so, it’s incredibly unlikely that all 20k were online simultaneously. If they were, each person could only open ~3 TCP sockets to the internet (even if via a proxy if dealing with individual login sessions) at a time before you’ve run out of ports.
Even though you're probably right on the first part, the second part is false. While most NAT implementations operate as you describe, called "port-restricted cone NAT", some implementations allocate the external port only for a specific destination address, called "symmetric NAT".
It’s better than nothing but still not great because the login area they present is too broad. For example, if you live in a large city and the phisher is somebody you know, seeing “New login from Your City” is not going to make you think twice.
If you refuse to think, even when prompted, that's on you. You should think about whether you logged in from the city and device/OS named in the alert.
Not just better education around security practices, but better understanding around control of your content, where it's stored, what happens to content when you press that button in an app. I don't want to victim blame here, and this guy is a total creep, but the victims uploaded their nudes to the Internet. At that point, the cat was out of the bag.
Part of safely using the Internet is having the knowledge and being aware of where (in your apps) the boundary is between your local device and the global network that everyone has access to. People need to understand: when you sync to a cloud service, you're sending your content to someone's computer unknown to you. Yes, in this case, it's Apple's computer, but that didn't stop this guy. Once you sync something online, it's out of your hands, and on the Internet now.
I personally treat all cloud services as if they were accessible publicly and anonymously, and will inevitably be printed in my local newspaper, and only upload content to those services where I am comfortable with that level of exposure.
EDIT: To clarify, I wish applications would stop blurring the line between "on my device" and "on the Internet". I've used applications where, to an unsophisticated user, the save dialog looks like it's saving to their computer but it's actually in the cloud. Add to it all these apps that try to be helpful by seamlessly (and invisibly) keeping local content in sync with the cloud versions and you have a recipe for disasters like this. Have an explicit "upload this thing to the Internet" button, please!
It boggles my mind that people have nudes of themselves on any digital medium. I say if you want to dabble in that, get a film camera and develop the pictures in your own basement.
Or get a non-wifi digital camera and manage your photos on a non cloudy computer. Maybe even take it a step further and use tools to remove EXIF data that has your camera's serial number and other metadata in the images. Photos taken from cell phones often give away GPS coordinates.
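As an added example of the "remove EXIF data" step mentioned above (this is not code from the comment's author or from any tool the thread names), the following Python strips the metadata segments from a JPEG using only the standard library. It walks the JPEG marker segments before the Start of Scan, drops APP1 (Exif and XMP, which is where camera serial, GPS and the embedded thumbnail live) and APP13 (Photoshop/IPTC), and copies the scan data through unchanged. Which segments to drop is a choice made for this example; the sample JPEG is constructed to be structurally valid for the parser, not a decodable picture.

```python
"""Added example: stdlib-only JPEG metadata stripper (APP1 Exif/XMP and APP13).

JPEG layout: SOI (FFD8), then length-prefixed segments (marker FFxx, 2-byte
big-endian length that includes itself, payload) up to SOS (FFDA). From SOS to
EOI (FFD9) is entropy-coded image data, which is copied verbatim."""
import struct

SOI, EOI, SOS = 0xFFD8, 0xFFD9, 0xFFDA
APP0, APP1, APP13, DQT = 0xFFE0, 0xFFE1, 0xFFED, 0xFFDB
# Assumption for this example: these segments carry the metadata worth removing.
STRIP_MARKERS = frozenset({APP1, APP13})


def _segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.
    start is the offset of the marker's 0xFF byte; end is one past the payload."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while True:
        # 0xFF fill bytes are permitted between segments; skip them.
        while pos + 1 < len(data) and data[pos] == 0xFF and data[pos + 1] == 0xFF:
            pos += 1
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed segment header at offset {pos}")
        marker = (data[pos] << 8) | data[pos + 1]
        if marker == EOI:
            raise ValueError("EOI before SOS: no image data")
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]  # includes its own 2 bytes
        end = pos + 2 + seg_len
        if seg_len < 2 or end > len(data):
            raise ValueError(f"bad segment length {seg_len} at offset {pos}")
        yield marker, pos, end
        if marker == SOS:
            return
        pos = end


def strip_metadata(data: bytes, strip=STRIP_MARKERS) -> bytes:
    """Return the JPEG with the segments in `strip` removed; everything else is byte-identical."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if marker == SOS:
            out += data[start:]          # SOS header, scan data and EOI, untouched
        elif marker not in strip:
            out += data[start:end]
    return bytes(out)


def list_segments(data: bytes):
    """[(marker, total_length)] up to and including SOS, for before/after inspection."""
    return [(marker, end - start) for marker, start, end in _segments(data)]


def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed JPEG skeleton: JFIF APP0, an Exif APP1, an XMP APP1, a DQT, then SOS and EOI."""
    exif = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"SERIAL-AND-GPS-TAGS-WOULD-BE-HERE"
    xmp = b"http://ns.adobe.com/xap/1.0/\x00" + b"<x:xmpmeta/>"
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    dqt = b"\x00" + bytes(64)
    return (b"\xff\xd8" + _segment(APP0, jfif) + _segment(APP1, exif) + _segment(APP1, xmp)
            + _segment(DQT, dqt) + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\x34\x56" + b"\xff\xd9")


if __name__ == "__main__":
    original = build_sample_jpeg()
    cleaned = strip_metadata(original)
    print("before:", [hex(m) for m, _ in list_segments(original)])
    print("after: ", [hex(m) for m, _ in list_segments(cleaned)])
```

Dropping whole segments is deliberately blunt: it loses colour profiles if you add APP2 to `strip`, and it does nothing for metadata hidden inside the scan data itself, which is why a dedicated tool such as exiftool is still the better choice for anything beyond a quick check. Note also that it only addresses the camera's metadata; the file name, cloud sync logs and the image content itself are separate leaks.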
Yeah, Netflix is actually annoying with it - I was using my "ultra low security" password which is in... probably every public password dump around for years, got dozens of logins, just ignored them til someone finally tried to change it and I had to reset it.
I can't believe Facebook haven't stopped the "your mother's maiden name and your first pets name is your pornstar name, post yours below" posts on Facebook. These companies clearly don't care their platforms are used to enable scammers so long as they're getting their cut of the money.
I posted this link and I named it the way I did to draw attention to this in context of CSAM enforcement... this man could have easily uploaded any photos to these hacked iCloud accounts, which would've been synced down to end user devices.
Apple didn't catch on to this, despite him not using VPN or Tor... it wasn't until the FBI investigated a public figure's hacked and posted photos that this came to light.
[EDIT]: Not the FBI, but a private company noticed this (h/t codeecan)
The problem with the US statute for CSAM is that possession is illegal, not just intentional creation/collection/distribution. The person being hacked has technically broken the law, even if they don’t get prosecuted.
I don’t know how often unintentional possessors are prosecuted, but the US system of prosecution makes it easy for an innocent to get railroaded by threats of massive charges and comparatively lenient plea deals, combined with punitive sentencing for those who reject the plea bargain. Think Aaron Swartz, but without any intent to violate the law.
> The person being hacked would still be investigated by the FBI
As someone with family in the FBI (one on a relevant team) and a local LEO that was deputized to do this work for the US Marshals, that doesn’t reassure me. The best forensics employees in the FBI with enough resources can identify that there was a hack and that the account owner is innocent. We live in a world of scarcity where that much effort is not always invested.
I think the client-side versus server side is more about relative trade offs of who owns the client device (and what “ownership” means) and whether the equivalent server side search is technologically feasible (might not be if the client encrypts with a key only the client owns, as some have speculated about Apple’s future plans).
Well Apple differentiates themselves on privacy. I would prefer to do business with a company that never looks at my data for any reason. The problem with on-device scanning is the implicit backdoor.
It's only an attack vector in the minds of people who haven't given it more than 10 seconds of thought.
Apple knows the sync dates of all of the photos that are uploaded. So unless someone has hacked your account and has been directly trickle feeding CSAM for years (without you noticing) then it's going to look suspicious. A big dump of lots of CSAM at one particular timestamp is a pretty easy thing to spot.
And then in this case they aren't hacking the phone but the account which means Apple is going to notice a set of photos coming from an IP address they haven't seen used from that account before.
Do you think that Apple is going to decide whether a big dump of CSAM was uploaded by that user or a hacker and act differently based on that investigation, or just send it to LEO and let them sort it out?
Seems like there could be some legal ramifications from the choice to bypass law enforcement under certain circumstances
Depends on if they think the public will buy their claim of "we just let law enforcement sort it out." If they think the public will blame them for the false accusation, they are incentivized to avoid letting it happen.
> A big dump of lots of CSAM at one particular timestamp is a pretty easy thing to spot.
Only if that system / heuristic has been built. The same could have been said about Apple’s systems for identifying bulk account hijacks, but Apple didn’t, which I suppose is the value of this story.
And companies aren’t allowed to just inspect content once they identify CSAM. It is kryptonite for criminal liability. Companies are required to turn it over to the feds quickly and to try not to disturb metadata.
I suspect your line of thought would work given full ability to inspect (and some assumptions about what an IP change actually proves), but in practice Apple still hasn’t gotten the basics around account hijacks/fraud sorted out, so I’m hesitant to cheer them on as they try to quickly jump into the deep screaming “think of the children!”.
This comment assumes that Apple does a lot of heavy lifting to exonerate individuals who are found with CSAM beyond just reporting them to law enforcement.
Of course metadata could exonerate someone who is a victim in a case like this. The question is will it ever see the light of day?
The negative PR from a false accusation would be expensive. On top of the judgement itself, and you know that Apple has deep enough pockets that someone will be looking for a big score.
Also known as a 20 line script which checks the last modified date for a bunch of recently uploaded files and validates the IP address against the recently known list.
The code to extract metadata is easy. I’m talking more about whether or not there is a deliberate process in place to actually write the code, run the checks and provide all available metadata and context to law enforcement. Apple has not indicated that process exists, thus far.
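As an added example of the check the two comments above describe (a bulk upload at one timestamp from an IP the account has not used before), here is a self-contained Python version run over constructed events. It is not Apple's code and says nothing about what Apple actually runs; the event format, the burst window, the upload count and the "novel IP" horizon are all assumptions chosen for the example.

```python
"""Added example: flag bulk uploads that come from an IP new to the account.

An event is (account, unix_ts, ip, kind) with kind 'login' or 'upload'.
A burst is >= min_count uploads from one (account, ip) within `window`
seconds. It is marked novel_ip when that IP was first seen on the account
less than `novelty_horizon` seconds before the burst began. All thresholds
are assumptions; the events are constructed."""
import bisect
from collections import defaultdict

DAY = 86400


def build_sample_events():
    ev = []
    # alice: 90 days of logins from home, then imports 400 old photos from home in two minutes.
    for d in range(90):
        ev.append(("alice", d * DAY, "192.0.2.5", "login"))
    t0 = 90 * DAY
    for i in range(400):
        ev.append(("alice", t0 + (i * 120) // 400, "192.0.2.5", "upload"))
    # bob: 90 days of logins from home; on day 90 someone logs in from 203.0.113.7
    # (never seen on bob's account) and dumps 400 files a minute later.
    for d in range(90):
        ev.append(("bob", d * DAY, "198.51.100.44", "login"))
    ev.append(("bob", t0, "203.0.113.7", "login"))
    for i in range(400):
        ev.append(("bob", t0 + 60 + (i * 120) // 400, "203.0.113.7", "upload"))
    return ev


def find_bursts(events, window=300, min_count=100):
    """One burst per (account, ip): the first sliding window reaching min_count uploads.
    Returns (account, ip, start_ts, uploads_within_window_of_start)."""
    by_key = defaultdict(list)
    for account, ts, ip, kind in events:
        if kind == "upload":
            by_key[(account, ip)].append(ts)
    bursts = []
    for (account, ip), times in by_key.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= min_count:
                end = bisect.bisect_right(times, times[lo] + window)
                bursts.append((account, ip, times[lo], end - lo))
                break
    return bursts


def classify_bursts(events, novelty_horizon=DAY, **burst_kwargs):
    """Attach novel_ip to each burst: True if the IP's first appearance on the
    account (any event, logins included) is within novelty_horizon of the burst."""
    first_seen = {}
    for account, ts, ip, _kind in events:
        key = (account, ip)
        first_seen[key] = min(ts, first_seen.get(key, ts))
    results = []
    for account, ip, start, count in find_bursts(events, **burst_kwargs):
        results.append({
            "account": account, "ip": ip, "start": start, "count": count,
            "novel_ip": start - first_seen[(account, ip)] < novelty_horizon,
        })
    return results


if __name__ == "__main__":
    for r in classify_bursts(build_sample_events()):
        print(r)
```

Both accounts produce a 400-file burst; only bob's is from a novel IP. That distinction is the whole point: the burst alone describes every legitimate camera-roll import, so it is the combination with account history that carries signal, and even that is weakened by travel, VPNs and CGNAT as other comments in this thread point out.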
Edit: No if they use the same algorithm, but they could use another algorithm which is less abusable, and no one would know the hashes in the database, so yes, I guess?
If he was specifically going after famous women's accounts, I don't think it was so random, given that he went after hundreds of people and didn't cover his tracks at all. He was after celebrity photos, he was sloppy, people who try to defend against such attacks were going to catch him.
We've seen more decentralized and sophisticated attacks of the same type against iCloud ("the fappening" etc.) which were kept mostly private for years before being made public.
The fact that those hacks quickly were flushed from the news cycle without a bunch of public lawsuits etc. makes me suspect Apple very proactively went out and made settlements with the more high profile victims of those hacks. Of course, I have no proof of this at all, so it's purely speculation, but it was odd to see almost nothing come out of those hacks.
The fact Apple missed logins to hundreds of accounts over time from a single IP, probably registered to Spectrum or Verizon, is a little suspect. Then again, there are probably public IPs with a NAT with thousands of iPhones behind it at times. This might be a really hard one to detect even though it's sloppy.
Companies regularly NAT many thousands of users behind a single public IP. Additionally non-profits, schools, and others often provide WiFi for their guests/students using a supposedly residential internet account or their ISP doesn't segment basic business IPs from residentials.
In any case flagging multiple accounts logging in from a single public IP is not as useful a signal as you might think.
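The comments above and at the top of the thread disagree on whether "hundreds of accounts from one IP" is a usable signal. As an added example (not from any commenter, and not a description of what Apple does), the Python below shows one way to make the signal less NAT-sensitive: instead of counting accounts per IP, it compares the accounts performing a sensitive action (here, account recovery) against all accounts seen from that IP. The log format, event names and thresholds are assumptions, and the log is constructed.

```python
"""Added example: per-IP triage that survives CGNAT and campus NATs.

A campus or CGNAT address carries hundreds of routine logins and a handful of
recoveries, so its recovery share is tiny. A home connection whose traffic is
mostly recoveries on other people's accounts has a high share. Thresholds and
the log format are assumptions chosen for this example."""
from collections import defaultdict


def build_sample_log() -> str:
    """Constructed log, one '<ip> <account> <event>' per line; event is login or recovery."""
    lines = []
    # Campus NAT (198.51.100.10): 300 distinct accounts, 6 of them do a recovery.
    for i in range(300):
        lines.append(f"198.51.100.10 campus{i:03d} login")
    for i in range(6):
        lines.append(f"198.51.100.10 campus{i:03d} recovery")
    # CGNAT pool (192.0.2.1): 1000 distinct accounts, 30 recoveries (a lot in absolute terms).
    for i in range(1000):
        lines.append(f"192.0.2.1 cgnat{i:04d} login")
    for i in range(30):
        lines.append(f"192.0.2.1 cgnat{i:04d} recovery")
    # Home IP (203.0.113.7): one routine login, then recoveries on 25 accounts it never logged into.
    lines.append("203.0.113.7 attacker login")
    for i in range(25):
        lines.append(f"203.0.113.7 victim{i:02d} recovery")
    return "\n".join(lines)


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, account, event = line.split()
        records.append((ip, account, event))
    return records


def score_ips(records, min_recoveries: int = 5, max_recovery_share: float = 0.2):
    """Return {ip: (recovering_accounts, all_accounts, share)} for IPs where the
    number of recovering accounts is both large and a high share of all accounts
    seen from that IP. A raw per-IP account count would flag the NATs instead."""
    logins = defaultdict(set)
    recoveries = defaultdict(set)
    for ip, account, event in records:
        if event == "login":
            logins[ip].add(account)
        elif event == "recovery":
            recoveries[ip].add(account)
    flagged = {}
    for ip, rec_accounts in recoveries.items():
        all_accounts = rec_accounts | logins[ip]
        share = len(rec_accounts) / len(all_accounts)
        if len(rec_accounts) >= min_recoveries and share > max_recovery_share:
            flagged[ip] = (len(rec_accounts), len(all_accounts), round(share, 2))
    return flagged


if __name__ == "__main__":
    for ip, (n_rec, n_all, share) in score_ips(parse_log(build_sample_log())).items():
        print(f"{ip}: {n_rec} recoveries across {n_all} accounts seen (share {share})")
```

With these numbers the CGNAT pool has more recoveries in absolute terms (30) than the home IP (25) yet is not flagged, because they are 3% of its accounts rather than 96%. The Apple Store case raised earlier in the thread is the obvious false positive for this heuristic (many legitimate recoveries, few routine logins) and would need an allow-list or a device-level signal on top.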
Apple itself is currently obsoleting IP-based account theft heuristics with their iCloud VPN, so they might have stopped relying on it internally already :)
This Twitter account continues to debase discourse about the child safety proposals with FUD. It posted incorrect information about the proposal before launch and has continued with useless speculation. How many of the hypothesized threat models which don’t pan out has he formally redacted?
If you are worried about the security of iCloud, then that can be read as more reason to prefer client side scanning. Of course the tweets are ambiguous about logical implications so you can’t engage with them directly.
And I could say that this HN account has been baselessly dismissing valid concerns about the proposal and providing non sequiturs to assert why nobody should be concerned since it was announced.
However, stating my opinion as fact in an attempt to invalidate someone else's perspective on the matter would be debasing discourse so I wouldn't do that. None of us should.
Are you asking me to provide evidence that the account posted false information and never redacted it? How about the very tweets in the linked thread where the account makes fact-free claims about how a “single IP” accessing “hundreds of accounts” (the former of which is not substantiated) suggest iCloud security is fundamentally broken. Of course Matt is smart enough to not state the implication directly, relying instead on sarcasm and FUD.
Since you went ahead and stated opinion as fact (while cleverly pretending that you didn’t), can you provide an example where I dismissed a valid concern with a non sequitur? How do you reconcile the accusation that I assert “nobody should be concerned” with comments like this where I clearly outlined why the announcement should be concerning:
I’ll go further and say that I have sincere concerns with what was announced, but seeing how that Twitter account seeds legions of incorrect commenters who proliferate (and post intentionally clickbait material on HN, as the poster of this article themselves admitted on this very thread!) led me to the conclusion that Matt is doing plenty of harm, especially since he should know better.
I have been thinking about "nudes" (which I will use as a shorthand to describe digital images of a person sans clothing, almost always taken by that person) in terms of cultural evolution. A couple of years ago I mentioned, on HN, that I knew Jenni, of JenniCam, before the "cam," back when she was just experimenting with this new digital camera device. And then they became more and more available.
For a brief time there was a kind of explosion of said nudes. I could be on Yahoo Chat and women would just send them, unsolicited, and I think that was the era of people not realizing that nudes can get around, like any other secret, once you let go of them. My guess is that probably came to an end roughly ten years ago or so, and people now hold onto them tightly, which is probably much more reasonable.
People still take nudes, and pass them on, but I think there is a level of discretion that has increased, although I know some women who mention being pestered for such by men they know. Still, these images are on cameras and cloud storage and such, and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes? Poor judgment of course abounds in so many reported crimes but ... how does one even trawl more than half a million photos for nudes? Was he planning on going through them individually? Was he going to make a neural net to scan for skin?
I just find the whole thing a little baffling in this day and this age.
>and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes?
I presume the hunger is more about having access to something you are not supposed to have access to, or were not given access to.
"Everything in human life is really about sex, except sex. Sex is about power.”
I get the impression this trend has peaked. For a while, young people stopped going topless on the beach, for example, for fear of photos appearing online. In the last years, it's been making a comeback. I believe it's both a sense that there's so much out there, chances are rather low someone you know will come across any photo. And that it just doesn't matter. I am absolutely certain you wouldn't be able to hurt someone with sending their work colleagues a topless photo you found, but rather risk your own job if you're found.
“I’m remorseful… but I have a family” he says hoping this doesn’t “ruin” his life. Fuck this guy. He knew what he was doing. He should have all the consequences both those from the court and professionally: who’s going to hire him now? Maybe someone in infosec but likely not ever again in tech.
A friend once pointed out that it's likely a majority of "amateur" porn is private content from hacked or stolen accounts and wasn't posted by any of the parties depicted.
He mentioned this when a bunch of stories were coming out about GeekSquad and other IT help as a service companies stealing data or acting as data harvesters for the FBI/DEA etc.
Most likely the thrill of it. They might not even be aware of saving it to the cloud. Maybe they used their phone on a stand to record and iCloud or OneDrive or Google Photos just synced it automatically.
If I take a photo or a video on my iPhone, it's uploaded to iCloud automatically, and afaik there is no way to remove it from iCloud while still keeping it in the photo library on the device without opting out of iCloud Photos entirely.
I don't think that's likely at all. It seems like it would be far easier to find women who are willing to take their clothes off for money (something that has been relatively easy to find for centuries) than it would be to hack hundreds of devices in order to steal such pictures - if they happen to exist.
I am no fan of Apple, but this man used phishing attacks to gain access to just 306 iCloud accounts. That hardly seems a significant failing on Apple's part. He used the credentials of the victims, so I'm not really clear how rate limiting should have played a role; you should be limited from accessing your own account?
Apple has made leaps and bounds on security, including having 2FA mandatory, but none of it matters when the user is convinced they are speaking to someone from Apple who is telling them to read out the 2FA code and provide their details.
No warning in the world will help, because the attacker will just say "OK, that's OK, that warning is just for untrusted people. Since I am an Apple employee, it is perfectly safe." These victims already trust the attacker, so they will just do anything asked.
I think the only solution here is to just block all logins outside of the user's own country and to have local law enforcement crack down hard on any in-country criminals. Apple can use the Find My location to work out if any of the user's devices are at or have been at a certain location. I can't imagine many situations where you leave all of your devices at home, leave the country and then try to log in.
Was it really in a short time frame? It sounds like he was choosing some targets based on requests from other people. This sounds like he was doing this over quite a long time.
How does this amount to only four felonies?! Our system is so abysmally bad at understanding crimes of scale, especially when they happen over the internet. If he burgled 4,700 houses, it would be a lot more than four felonies.
>Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house in La Puente, Bossone said. The FBI got a search warrant and raided the house
He goes through the trouble of phishing so many accounts and photos, only to access them directly from his own residence?
Sure. All he did was a social engineering by sending people an email asking for their password. There is no indication that he is actually technically competent.
My wife and I had our USAA account 'hacked' in much the same way. Someone called the support line repeatedly, pretending to be my wife, got denied repeatedly. Until one time they didn't. Convinced the teller to reset the password on the account and tell them the login name. All the security in the world doesn't matter if the human with the keys is an idiot.
In the end, in our case, USAA gave us a detailed rundown of how they failed, and then turned up to 11 the security questions my wife had to answer. Every single call she had to give a password, pin code, and then answer the questions that are sourced from Experian(or some other credit bureau) intended to prove identity through knowledge. Every time. They punished us for a mistake they fully admitted was their employee's fault.
Nah, I'm not bitter at all. Ultimately, though, it will be one of the reasons I move my account away from USAA.
It was a missed opportunity to educate users about 2FA. All Apple's services offer 2FA and it should be mandatory; it will take some time before users get used to it.
What word do you use when someone unrightfully gains possession of something that isn’t theirs?
Btw a lot of words in English have multiple meanings, and transform meaning over time, which can be confusing sometimes. For example, in baseball you steal a base, which was being protected by the other team, but you don’t remove the base from the field and run off with it.
I think steal works better than copy here, more accurately conveying meaning and intention, and unjust access.
I think the reason "steal" can feel strange here is that we've spent the last 15 years arguing that copyright infringement is "not stealing" because the original creator has not been deprived of anything.
I think it’s context dependent, just like other uses of the word steal. With copyright infringement, internet communities have come to agreement that it is not stealing, so avoiding the use of the word in that context is important. In baseball it’s not, and neither with identity theft. With illegally obtained private photos, never intended to be shared or released to the world, is there a better word? It’s such a different scenario, the only similarity I see is both involve files on a computer.