Geekzone: technology news, blogs, forums

gzt

3738 posts

Uber Geek
+1 received by user: 105

Subscriber

Reply # 682154 6-Sep-2012 09:43

1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.
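Added example, not code from the thread or from any real game backend: a toy model of the weak "identity is the UDID" design gzt describes, beside a hardened variant where the UDID is only a label, with a defender's damage-assessment function showing what a leaked UDID list unlocks under each. All identifiers, names and e-mail addresses are constructed.

```python
"""Toy model of the design gzt describes: a game backend that ties personal
details to the device UDID and treats "knows the UDID" as proof of identity,
beside a hardened variant. Added example, not code from the thread or from
any real game; every UDID, name and e-mail below is constructed."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class GameAccount:
    udid: str            # static hardware identifier; treat as public once leaked
    display_name: str
    email: str
    install_secret: str = ""   # only the hardened backend issues one


class WeakBackend:
    """Identity == UDID. Whoever holds a copy of the identifier is 'logged in',
    so a leaked UDID list doubles as a list of account credentials."""
    def __init__(self):
        self.accounts = {}

    def register(self, acct):
        self.accounts[acct.udid] = acct

    def login(self, udid, presented_secret=""):   # second argument is ignored
        return self.accounts.get(udid)


class HardenedBackend:
    """UDID is only a label. Access needs the random per-install secret issued
    at registration (compared in constant time), which can be revoked server-side."""
    def __init__(self):
        self.accounts = {}

    def register(self, acct):
        acct.install_secret = secrets.token_hex(32)
        self.accounts[acct.udid] = acct
        return acct.install_secret           # handed once to the installing device

    def login(self, udid, presented_secret=""):
        acct = self.accounts.get(udid)
        if acct is None or not hmac.compare_digest(acct.install_secret, presented_secret):
            return None
        return acct


def exposure_from_leak(backend, leaked_udids):
    """Defender's damage assessment: personal data someone holding only the
    leaked UDIDs can pull from this backend (the first hop gzt describes)."""
    return sorted(a.email for u in leaked_udids if (a := backend.login(u)))
```

Run `exposure_from_leak` against each backend with the same constructed UDID list: the weak one hands back every matching e-mail, the hardened one returns nothing because the identifier alone is not a credential.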

5862 posts

Uber Geek
+1 received by user: 284

Trusted
Subscriber

Reply # 682156 6-Sep-2012 09:48

Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

gzt

3738 posts

Uber Geek
+1 received by user: 105

Subscriber

Reply # 682158 6-Sep-2012 09:51

Another thing to note here. Not being on that list does not guarantee anything. The anti-sec hack has so far released 1 million of the 12 million records they obtained. We do not know how many other people may or may not have access to the other 11 million records.



IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682186 6-Sep-2012 10:28

timmmay: Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.


Good point - have changed my Apple ID (sigh... and therefore the email address used for this account!) Have previously only changed the password.

Yes - interesting that it was a credit... Maybe it is because of the all sales are final policy?




IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682187 6-Sep-2012 10:32

gzt:
1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.


Yes - I think that somehow that is part of the vector used. Interestingly, I've never signed up to anything other than music via iTunes - no games, no podcasts, no third parties that I know of! (And there doesn't seem to be any way to find that information out in your account, that I can see).

My account doesn't seem to be disabled yet as I can log into it and change details... I wonder what disabled actually means in the Apple Universe?

Have now changed my Apple ID so hopefully that is the end of it...

5862 posts

Uber Geek
+1 received by user: 284

Trusted
Subscriber

Reply # 682210 6-Sep-2012 11:20

I meant change the password, not the whole ID, but that could be worthwhile if there's a security hole.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682347 6-Sep-2012 14:15

They have my iPad 1 on the list along with my Full Name.





6145 posts

Uber Geek
+1 received by user: 215

Trusted

Reply # 682360 6-Sep-2012 14:32

Can I ask if your account is registered as in the States? Are non-USA accounts affected?




Apologies for poor typing standards when on Samsung Galaxy S4 LTE/iPad 2 Wifi

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682365 6-Sep-2012 14:37

joker97: Can I ask if your account is registered as in the States? Are non-USA accounts affected?


NZ Account

Edit: Sorry, you meant the OP





gzt

3738 posts

Uber Geek
+1 received by user: 105

Subscriber

Reply # 682388 6-Sep-2012 15:06

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple!

What was the game used exactly?



IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682409 6-Sep-2012 15:48

gzt:
keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple!

What was the game used exactly?


Kingdoms of Camelot: Battle for the North

They downloaded the free game and then made an in-game purchase of gems to the value of the credit I had on my iTunes account.

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682812 7-Sep-2012 14:10

FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html





1599 posts

Uber Geek
+1 received by user: 307

Trusted
Orcon
Subscriber

Reply # 682814 7-Sep-2012 14:14

James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404. Tinfoil hats, everyone!

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682817 7-Sep-2012 14:20

ubergeeknz:
James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404. Tinfoil hats, everyone!


Sorry, my mistake; just copy/paste the URLs now.





gzt

3738 posts

Uber Geek
+1 received by user: 105

Subscriber

Reply # 682898 7-Sep-2012 18:13

There is no convincing evidence it was obtained from the FBI. Just Anonymous's say so.

Line 405 - http://pastebin.com/nfVT7b0Z

It is equally possible the information was obtained from a compromised game database, just as the FBI could have obtained the same information from a compromised game database. No evidence yet either way.

The request on line 424 has been fulfilled btw.

One aspect of this not mentioned so far: the UUID can be used to generate a certificate allowing custom applications to be installed on that device outside the App Store. Jailbreak not needed.
