'Oleg Pliss' hack makes for a perfect teachable IT moment
In this era of BYOD, IT shops should talk to employees about how to bolster security
Computerworld - Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of their iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.
The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites, like the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)
It could have been worse
Apple acknowledged the incident, saying that the security of iCloud itself wasn't compromised and that affected users should reset their iCloud password and security questions, which seems to confirm the presumed vector of the attack.
It's also worth noting that the attack was easy to prevent or recover from, as users with a passcode or Touch ID enabled on their devices could simply ignore the message and unlock their devices (and ideally reset the iCloud password). Users without a passcode should be able to regain use of their devices by forcing them into recovery mode and restoring them via iTunes and a device backup.
What's important to consider is that the potential impact could have been much more damaging. A user's Apple ID, which functions as their iCloud login, delivers access to dozens of Apple services, ranging from Find My iPhone to setting appointments in Apple's stores; purchasing and accessing iTunes content; syncing sensitive account and credit/debit card numbers across devices using iCloud Keychain; and managing enterprise app installation on a user's device if it is used in the workplace.
Time for IT to talk security
That makes the incident a great opportunity for IT shops to talk to employees about mobile and cloud risks.
Over the past few years, IT departments have had to grapple with the trend of users taking their workplace technology needs into their own hands. Today's cloud- and mobile-enabled world means that workers frustrated by security restrictions, enterprise apps and collaboration systems that are slow or difficult to use -- and IT staffers that are slow to respond to their needs or don't respond at all -- can build their own set of tools and technologies without IT's permission or awareness.