Yesterday some Australian and New Zealand iCloud users woke up to disturbing messages from Find My iPhone warning that their devices had been hacked and that they needed to pay a ransom of $50 to $100 to restore access. With no official word from Apple, speculation centered on the possibility of an iCloud compromise. That speculation may continue even after Apple today issued a statement denying that iCloud had been compromised and warned users affected by the attack to change their passwords.
Some users Down Under were woken by a message bearing the ominous warning “Device Hacked by Oleg Pliss.” Oleg Pliss, as it turns out, is the name of a software engineer at Oracle; the real Oleg Pliss had nothing to do with the attack. While the attack initially appeared in Australia and New Zealand, users in Canada and the U.S. also appear to have been affected, according to this thread in the Apple Support forums.
Here is the text of Apple’s statement:
Apple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.
What is still curious and unknown is how the attackers gained access to a number of iCloud user accounts. If, as some security researchers believe, this was a phishing attack that tricked users into visiting a malicious website, no common denominator has been found so far among the affected users. Apple has not commented beyond the statement above.
Users who had already set up a passcode (which includes anyone using Touch ID, since Touch ID requires a passcode) were not locked out. Apparently the attackers are using Find My iPhone's “Lost Mode” through iCloud, which lets whoever controls the account lock the device and, on a device that has no passcode, set one remotely. Lost Mode cannot replace a passcode that is already set; changing an existing passcode requires physical access to the device. Any user with a passcode already set up can therefore unlock their device with that passcode.
Users who had not set up a passcode can regain control of their iOS device by following Apple's instructions for a forgotten passcode or disabled device. Essentially the device has to be erased and then restored (from a backup, or set up as new), at which point a new passcode can be set.
Users were directed to a PayPal account to pay the “ransom,” but PayPal said the email address given in the message was not linked to any PayPal account. PayPal also offered to refund anyone who had sent money.
The focus thus far in this attack is password reuse: using the same password on multiple accounts instead of a unique password for each service. Far too many Internet users stick with one password across many online services. If that password is exposed in a breach of one service and not changed, every other account that shares it becomes vulnerable, because attackers routinely replay leaked username and password pairs against other popular services (an attack known as credential stuffing).
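To make the reuse problem concrete, here is an added example (not from the article, and not Apple's or PayPal's code) that simulates what the attackers are suspected of doing: replaying credentials from a leaked dump of one service against another. The dump, the accounts and the passwords are constructed sample data; that "Service B" stores passwords as salted PBKDF2 hashes is an assumption made for realism. The last function is the check a user can run over a password-manager export to find their own reuse.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000

# Constructed sample data: a leaked dump from an unrelated site ("Service A")
# after the attacker has recovered the plaintext passwords. Not real accounts.
SERVICE_A_DUMP = [
    ("alice@example.com", "Sunshine2014"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "carol1985"),
    ("dave@example.com", "Tr0ub4dor&3"),
]

# Constructed: the same people's accounts on the service under attack
# ("Service B"). Two of them reused their Service A password.
SERVICE_B_USERS = {
    "alice@example.com": "Sunshine2014",       # reused
    "bob@example.com": "b-only-9f3k2!Qx",      # unique
    "carol@example.com": "carol1985",          # reused
    "dave@example.com": "d-only-Wq7$mz4p",     # unique
}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, as a well-run Service B would store it."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def build_credential_table(users):
    """Turn {email: plaintext} into Service B's stored {email: (salt, digest)}."""
    return {email: hash_password(pw) for email, pw in users.items()}


def credential_stuffing(dump, table):
    """Replay every (email, password) pair from the dump against Service B.

    Hashing on Service B does not help here: the attacker is not cracking
    hashes, just logging in with a password the victim chose twice.
    """
    hits = []
    for email, leaked_pw in dump:
        record = table.get(email)
        if record is not None and verify_password(leaked_pw, *record):
            hits.append(email)
    return hits


def attack_with_reuse():
    """Accounts that fall when some Service B users reused their Service A password."""
    return credential_stuffing(SERVICE_A_DUMP, build_credential_table(SERVICE_B_USERS))


def attack_with_unique_passwords():
    """Accounts that fall when every Service B password is a fresh random one
    (what a password manager generates). The dump is now worthless against B."""
    unique = {email: secrets.token_urlsafe(16) for email, _ in SERVICE_A_DUMP}
    return credential_stuffing(SERVICE_A_DUMP, build_credential_table(unique))


def find_reuse(vault):
    """Given a {site: password} vault (e.g. a password-manager export),
    return the groups of sites that share a password, each group sorted."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    print("compromised with reuse:   ", attack_with_reuse())
    print("compromised without reuse:", attack_with_unique_passwords())
    print("reused in vault:", find_reuse({"icloud": "Sunshine2014",
                                          "forum": "Sunshine2014",
                                          "bank": "unique"}))
```

The point of the two attack functions is that nothing about Service B changed between them except the users' choice of password; the hashing, salting and constant-time comparison are identical, and they are irrelevant to an attacker who already holds the right password.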
It is important to always practice safe password management when engaging with any Internet transaction. Recommended tips include:
- Use a different password for each website or service.
- Create a password that isn't easy to guess. Don't use discoverable information like your children's names or anniversary dates. Use a combination of letters, numbers, and other characters to create a unique password.
- Use a password manager. Password storage and creation software such as 1Password, LastPass, RoboForm, Keeper, and Dashlane, among others, can generate and store a unique password for every site, unlocked by a single master password or filled in automatically. Remember, though, that the master password must itself not be easily discoverable, since it now protects everything. Browsers also offer to save and store passwords for easy retrieval. Keep in mind that good security and convenience rarely go hand in hand.
- If you must store your passwords somewhere other than a digital locker, find a location that is not easily discovered. Carrying your passwords around in an address book can easily compromise your security should you misplace it.
- Use two-step authentication. Offered by some services and websites, two-step (or two-factor) authentication adds a second layer of protection by requiring you to prove it is you not only with your password on the website but also with a code delivered to, or generated on, a device you hold, such as your smartphone. A stolen or reused password alone is then not enough to log in. Instructions for setting up two-step authentication for iCloud can be found here.
- Routinely change the passwords for the websites and services you use, and change a password immediately if the service it belongs to reports a breach. Don't wait for a security scare or warning: pick a regular time to change passwords, the same way you change the batteries in your smoke alarms.
- You are responsible for your own online security. Don’t trust any site or service absolutely.
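As an added example of what the second step buys you (not from the article, and not Apple's own mechanism, which at the time sent a short code to a trusted device), here is the time-based one-time password algorithm that authenticator apps use (RFC 6238 TOTP over RFC 4226 HOTP), plus a login routine that demands both the password and the current code. The secret and timestamps in the demo are the RFCs' published test values; the user record layout, the PBKDF2 password storage and the 30-second step with a one-step drift window are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
PBKDF2_ITERATIONS = 100_000


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=STEP_SECONDS, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step and `window` steps either side (clock drift),
    comparing in constant time. A real deployment should also refuse to
    accept the same code twice (replay)."""
    counter = int(unix_time) // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta).encode(), code.encode())
    return ok


def enroll(password, totp_secret=None):
    """Create a user record: salted PBKDF2 password hash plus a TOTP secret
    that would be shown to the user as a QR code or base32 string at setup.
    (Assumed record layout for this example.)"""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret or secrets.token_bytes(20)}


def login(record, password, code, unix_time=None):
    """Two-step login: both the password and the current code must be right.
    Both checks always run, so a wrong password is not distinguishable from a
    wrong code by timing."""
    if unix_time is None:
        unix_time = time.time()
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(candidate, record["digest"])
    code_ok = verify_totp(record["totp_secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"). With the second
    # step enrolled, a leaked or reused password alone no longer gets in.
    secret = b"12345678901234567890"
    user = enroll("Sunshine2014", secret)
    print("password only, guessed code:", login(user, "Sunshine2014", "000000", 59))
    print("password plus current code: ", login(user, "Sunshine2014", totp(secret, 59), 59))
```

The drift window is the usual trade-off: accepting one step either side keeps users with slightly wrong clocks from being locked out, at the cost of each code being valid for up to 90 seconds rather than 30.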