Geekzone: technology news, blogs, forums
gzt

3774 posts

Uber Geek
+1 received by user: 112

Subscriber

Reply # 682154 6-Sep-2012 09:43

1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.
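The design flaw gzt describes above, as an added illustration that is not from this thread or from any real game backend: a toy service that keys accounts by the device UDID, beside one that issues its own random secret and never stores the UDID. All class names, device identifiers and profile values are made up.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (no real UDIDs or people): the profile a game might keep per device.
DEVICES = {
    "udid-aaaa": {"name": "Player A", "email": "a@example.invalid"},
    "udid-bbbb": {"name": "Player B", "email": "b@example.invalid"},
    "udid-cccc": {"name": "Player C", "email": "c@example.invalid"},
}

class UdidKeyedBackend:
    # Weak design: the non-secret device UDID is both the account key and the sole credential.
    def __init__(self):
        self.accounts = {}  # udid -> profile
    def register(self, udid, profile):
        self.accounts[udid] = profile
    def fetch_profile(self, udid):
        return self.accounts.get(udid)  # anyone holding a leaked UDID gets the profile

class TokenKeyedBackend:
    # Hardened design: the server issues a random secret; the UDID is never stored or trusted.
    def __init__(self):
        self.accounts = {}      # account_id -> profile
        self.token_hashes = {}  # account_id -> sha256(token); a DB leak is not a token leak
    def register(self, profile):
        account_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)  # handed to the device once, kept in its keychain
        self.accounts[account_id] = profile
        self.token_hashes[account_id] = hashlib.sha256(token.encode()).digest()
        return account_id, token
    def fetch_profile(self, account_id, token):
        expected = self.token_hashes.get(account_id)
        presented = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return None  # unknown account or wrong secret
        return self.accounts[account_id]

def exposure_from_leak(leaked_udids):
    # Returns (weak_hits, strong_hits, owner_ok): how many profiles someone holding only
    # UDIDs can read under each design, and whether a real device still reaches its own.
    weak, strong = UdidKeyedBackend(), TokenKeyedBackend()
    creds = {}
    for udid, profile in DEVICES.items():
        weak.register(udid, profile)
        creds[udid] = strong.register(profile)
    weak_hits = sum(weak.fetch_profile(u) is not None for u in leaked_udids)
    strong_hits = sum(strong.fetch_profile(u, u) is not None for u in leaked_udids)
    owner_ok = strong.fetch_profile(*creds["udid-aaaa"]) == DEVICES["udid-aaaa"]
    return weak_hits, strong_hits, owner_ok
```

With a leaked list of two known UDIDs and one unknown, the UDID-keyed backend hands over two profiles while the token-keyed one hands over none, and the legitimate device still gets in.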

5927 posts

Uber Geek
+1 received by user: 291

Trusted
Subscriber

Reply # 682156 6-Sep-2012 09:48

Reset your Apple ID here.

I notice they gave you a credit, not a refund; that's not the same thing, but if you'll use it some time it's easier than arguing with them.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

gzt

3774 posts

Uber Geek
+1 received by user: 112

Subscriber

Reply # 682158 6-Sep-2012 09:51

Another thing to note here. Not being on that list does not guarantee anything. The anti-sec hack has so far released 1 million of the 12 million records they obtained. We do not know how many other people may or may not have access to the other 11 million records.



IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682186 6-Sep-2012 10:28

timmmay: Reset your Apple ID here.

I notice they gave you a credit, not a refund; that's not the same thing, but if you'll use it some time it's easier than arguing with them.


Good point - have changed my Apple ID (sigh... and therefore the email address used for this account!) Have previously only changed the password.

Yes - interesting that it was a credit... Maybe it is because of the all sales are final policy?




IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682187 6-Sep-2012 10:32

gzt:
1080p: Er, how did they gain access to your Apple account exactly? That hack released the Apple iPhone UDID list. Not your password or any other personal information.

"As proof, the hackers released a stripped-down version of that file that only contained 1 million UDIDs, with associated Apple Push Notification Service tokens and device names. The other personal data that accompanied many of the UDIDs was intentionally removed, the hackers said."

I strongly believe this hack and your account compromise are completely unrelated.

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple! And even better security FBI - why were the FBI in possession of my account details in the first place!?????????

Game developer association of private personal details with UUID has been known for some time as a security problem. Bad idea from the beginning. Major game developers were unwilling to change this architecture. Some did work to mitigate the extent of the problem without changing the basic architecture. Apple began to discourage the UUID association practice a little while ago, deprecated the API, but it still can be and is widely used by game developers.

For keewee01 it is very likely the attackers first compromised the game account using the UUID {and} from there obtained enough further information to compromise the iTunes account. There are other possibilities to go forward after the {and} depending on how bad things were at the game end of things.

So, end of the story - very likely the game was compromised first and then {if at all - perhaps not necessary} iTunes account compromised as a result of information obtained from game account.

It follows from the above - resetting your iTunes password may make no difference to the attack vector.

In these circumstances it is not surprising to me Apple has disabled an account completely.


Yes - I think that somehow that is part of the vector used. Interestingly I've never signed up to anything other than music via iTunes - no games, no podcasts, no third parties that I know of! (And there doesn't seem to be any way to find that information out in your account, that I can see).

My account doesn't seem to be disabled yet as I can log into it and change details... I wonder what disabled actually means in the Apple Universe?

Have now changed my Apple ID so hopefully that is the end of it...

5927 posts

Uber Geek
+1 received by user: 291

Trusted
Subscriber

Reply # 682210 6-Sep-2012 11:20

I meant change the password, not the whole ID, but that could be worthwhile if there's a security hole.




Asus eee pad transformer
iPod 2G
Windows 7 PC
Lots and lots of Nikon camera gear

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682347 6-Sep-2012 14:15

They have my iPad 1 on the list along with my Full Name.





6194 posts

Uber Geek
+1 received by user: 216

Trusted

Reply # 682360 6-Sep-2012 14:32

Can I ask if your account is registered as in the States? Are non-USA accounts affected?




Apologies for poor typing standards when on Samsung Galaxy S4 LTE/iPad 2 Wifi

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682365 6-Sep-2012 14:37

joker97: Can I ask if your account is registered as in the States? Are non-USA accounts affected?


NZ Account

Edit: Sorry, you meant the OP





gzt

3774 posts

Uber Geek
+1 received by user: 112

Subscriber

Reply # 682388 6-Sep-2012 15:06

keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple!

What was the game used exactly?



IT Professional
1305 posts

Uber Geek
+1 received by user: 33

Trusted
Subscriber

Reply # 682409 6-Sep-2012 15:48

gzt:
keewee01: So it looks like these little w@nk5r$ used the stolen details to download a free game from iTunes and to then make an in-game purchase of $24.99. Great security Apple!

What was the game used exactly?


Kingdoms of Camelot: Battle for the North

They downloaded the free game and then made an in-game purchase of gems to the value of the credit I had on my iTunes account.

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682812 7-Sep-2012 14:10

FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html





1610 posts

Uber Geek
+1 received by user: 308

Trusted
Orcon
Subscriber

Reply # 682814 7-Sep-2012 14:14

James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404. Tinfoil hats, everyone!

683 posts

Ultimate Geek
+1 received by user: 2


Reply # 682817 7-Sep-2012 14:20

ubergeeknz:
James Bond: FBI might not be involved

http://www.marco.org/2012/09/06/udid-theory

Regardless, it's a serious security oversight that needs to be addressed ASAP.

http://corte.si/posts/security/udid-leak.html


Both of your URLs return 404. Tinfoil hats, everyone!


Sorry, my mistake; just copy/paste the URLs now.





gzt

3774 posts

Uber Geek
+1 received by user: 112

Subscriber

Reply # 682898 7-Sep-2012 18:13

There is no convincing evidence it was obtained from the FBI. Just Anonymous's say-so.

Line 405 - http://pastebin.com/nfVT7b0Z

It is equally possible the information was obtained from a compromised game database, just as the FBI could have obtained the same information from a compromised game database. No evidence yet either way.

The request on line 424 has been fulfilled btw.

One aspect of this has not been mentioned so far. The UUID can be used to generate a certificate allowing custom applications to be installed on that device outside the App Store. Jailbreak not needed.
