gzt

4680 posts

Uber Geek
+1 received by user: 270


  Reply # 682154 6-Sep-2012 09:43 Send private message

1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developers' association of private personal details with the UUID has been known for some time to be a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.
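As an added illustration (not code from this thread or from any game vendor), a Python sketch of the two designs the post above contrasts: a game backend that keys player profiles on the global device UDID, so that the identifier itself acts as the credential, beside one that keys them on a per-app pseudonym and only serves a profile to a session issued by a real login. The class names, the server-side pepper and the password scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

class WeakGameBackend:
    """Profiles keyed directly on the global device UDID: the UDID is the credential."""
    def __init__(self):
        self.profiles = {}

    def register(self, udid, profile):
        self.profiles[udid] = profile

    def get_profile(self, udid):
        # Whoever holds the UDID (for example from a leaked list) can read the profile.
        return self.profiles.get(udid)

class HardenedGameBackend:
    """Profiles keyed on a per-app pseudonym; reads require a session from a real login."""
    def __init__(self, app_id):
        self.app_id = app_id
        self.pepper = secrets.token_bytes(32)  # server-only secret, never shipped to clients
        self.profiles = {}
        self.credentials = {}  # pseudonym -> (salt, PBKDF2 hash of the player's password)
        self.sessions = {}     # session token -> pseudonym

    def app_scoped_id(self, udid):
        # Pseudonym bound to this app (assumed scheme): leaking it neither reveals the
        # UDID nor links the player to the same device's records held by another app.
        return hmac.new(self.pepper, f"{self.app_id}:{udid}".encode(), hashlib.sha256).hexdigest()

    def register(self, udid, profile, password):
        pid = self.app_scoped_id(udid)
        salt = secrets.token_bytes(16)
        self.credentials[pid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        self.profiles[pid] = profile

    def login(self, udid, password):
        pid = self.app_scoped_id(udid)
        salt, stored = self.credentials.get(pid, (None, None))
        if salt is None or not hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = pid
        return token

    def get_profile(self, session_token):
        # A bare UDID is not a session token, so a leaked identifier alone yields nothing.
        pid = self.sessions.get(session_token)
        return self.profiles.get(pid) if pid else None
```

The same UDID yields a different pseudonym in each `HardenedGameBackend` instance, so one app's leaked table cannot be joined against another's.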

7207 posts

Uber Geek
+1 received by user: 539

Trusted
Subscriber

  Reply # 682156 6-Sep-2012 09:48 Send private message

Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

gzt

4680 posts

Uber Geek
+1 received by user: 270


  Reply # 682158 6-Sep-2012 09:51 Send private message

Another thing to note here. Not being on that list does not guarantee anything. The anti-sec hack has so far released 1 million of the 12 million records they obtained. We do not know how many other people may or may not have access to the other 11 million records.



IT Professional
1325 posts

Uber Geek
+1 received by user: 40

Trusted
Subscriber

  Reply # 682186 6-Sep-2012 10:28 Send private message

timmmay: Reset your apple ID here.

I notice they gave you a credit, not a refund, that's not the same thing, but if you'll use it some time it's easier than arguing with them.


Good point - have changed my Apple ID (sigh... and therefore the email address used for this account!) Have previously only changed the password..

Yes - interesting that it was a credit... Maybe it is because of the all sales are final policy?




IT Professional
1325 posts

Uber Geek
+1 received by user: 40

Trusted
Subscriber

  Reply # 682187 6-Sep-2012 10:32 Send private message

gzt:
1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developers' association of private personal details with the UUID has been known for some time to be a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.


Yes - I think that somehow that is part of the vector used. Interestingly I've never signed up to anything other than music via iTunes - no games, no podcasts, no third parties that I know of! (And there doesn't seem to be any way to find that information out in your account, that I can see).

My account doesn't seem to be disabled yet as I can log into it and change details... I wonder what disabled actually means in the Apple Universe?

Have now changed my Apple ID so hopefully that is the end of it...

7207 posts

Uber Geek
+1 received by user: 539

Trusted
Subscriber

  Reply # 682210 6-Sep-2012 11:20 Send private message

I meant change the password, not the whole ID, but that could be worthwhile if there's a security hole.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

690 posts

Ultimate Geek
+1 received by user: 2


  Reply # 682347 6-Sep-2012 14:15 Send private message

They have my iPad 1 on the list along with my Full Name.





8287 posts

Uber Geek
+1 received by user: 560

Trusted

  Reply # 682360 6-Sep-2012 14:32 Send private message

Can I ask if your account is registered as in the States? Are non-USA accounts affected?

690 posts

Ultimate Geek
+1 received by user: 2


  Reply # 682365 6-Sep-2012 14:37 Send private message

joker97: Can I ask if your account is registered as in the States? Are non-USA accounts affected?


NZ Account

Edit: Sorry, you meant the OP





gzt

4680 posts

Uber Geek
+1 received by user: 270


  Reply # 682388 6-Sep-2012 15:06 Send private message

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple!

What was the game used exactly?



IT Professional
1325 posts

Uber Geek
+1 received by user: 40

Trusted
Subscriber

  Reply # 682409 6-Sep-2012 15:48 Send private message

gzt:
keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in game purchase of $24.99. Great security Apple!

What was the game used exactly?


Kingdoms of Camelot: Battle for the North

They downloaded the free game and then made an in game purchase of gems to the value of the credit I had on my iTunes account.

690 posts

Ultimate Geek
+1 received by user: 2


  Reply # 682812 7-Sep-2012 14:10 Send private message

FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html





Voice Engineer @ Orcon
1998 posts

Uber Geek
+1 received by user: 472

Trusted
Orcon
Subscriber

  Reply # 682814 7-Sep-2012 14:14 Send private message

James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404.  Tinfoil hats, everyone!

690 posts

Ultimate Geek
+1 received by user: 2


  Reply # 682817 7-Sep-2012 14:20 Send private message

ubergeeknz:
James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

regardless, it's a serious security oversight that needs to be addressed ASAP

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404.  Tinfoil hats, everyone!


Sorry my mistake, just copy/paste the URLs now.





gzt

4680 posts

Uber Geek
+1 received by user: 270


  Reply # 682898 7-Sep-2012 18:13 Send private message

There is no convincing evidence it was obtained from the FBI. Just Anonymous's say so.

Line 405 - http://pastebin.com/nfVT7b0Z

It is equally possible the information was obtained from a compromised game database, just as the FBI could have obtained the same information from a compromised game database. No evidence yet either way.

The request on line 424 has been fulfilled btw.

One aspect of this not mentioned so far. The UUID can be used to generate a certificate allowing custom applications to be installed on that device outside the appstore. Jailbreak not needed.
