'Oleg Pliss' hack makes for a perfect teachable IT moment

In this era of BYOD, IT shops should talk to employees about how to bolster security

Earlier this week, a number of iOS device owners woke up to discover that someone had locked them out of their iPhones, iPads, and iPod touches. The attack, primarily aimed at users in Australia and New Zealand (though there are now reports of users in North America and other countries being hit), demanded that a ransom be paid to unlock each device. Ironically, the PayPal account referenced in the demand did not seem to even exist.

The "Oleg Pliss" hack, if you can call it one, wasn't particularly sophisticated. The party behind it most likely relied on information like user IDs (including email addresses used as usernames) collected by attacks on non-Apple websites, such as the recent breach that compromised eBay user accounts. Since a lot of people reuse user IDs, passwords and account security questions, all the hacker(s) needed to do was use that information to log into iCloud and use the Find My iPhone/iPad/iPod feature to lock the device and display a message on it. (The feature is typically used to locate a lost or stolen iOS device.)

It could have been worse

Apple acknowledged the incident, saying that the security of iCloud itself wasn't compromised and that affected users should reset their iCloud password and security questions, which seems to confirm the presumed vector of the attack.

It's also worth noting that the attack was easy to prevent or recover from: users with a passcode or Touch ID enabled on their devices could simply ignore the message and unlock their devices (and ideally reset the iCloud password). Users without a passcode should be able to regain use of their devices by forcing them into recovery mode and restoring them via iTunes and a device backup.

What's important to consider is that the potential impact could have been much more damaging. A user's Apple ID, which functions as their iCloud login, delivers access to dozens of Apple services, ranging from Find My iPhone to setting appointments in Apple's stores; purchasing and accessing iTunes content; syncing sensitive account and credit/debit card numbers across devices using iCloud Keychain; and managing enterprise app installation on a user's device if it is used in the workplace.

Time for IT to talk security

That makes the incident a great opportunity for IT shops to talk about mobile and cloud risks to employees.

Over the past few years, IT departments have had to grapple with the trend of users taking their workplace technology needs into their own hands. Today's cloud- and mobile-enabled world means that workers frustrated by security restrictions, enterprise apps and collaboration systems that are slow or difficult to use -- and IT staffers that are slow to respond to their needs or don't respond at all -- can build their own set of tools and technologies without IT's permission or awareness.

In many cases, this can make work-related tasks easier, help employees be more efficient and productive, and boost collaboration between coworkers and with contacts outside of an organization. It also opens the doors to all manner of data security and privacy concerns, with potentially disastrous consequences -- things that most workers don't think about or consider to be their responsibility.

This incident should prompt IT teams to explain the very real risks employees, managers and executives take when they use iCloud, Dropbox, Google Drive, and other cloud services or when they store sensitive data on a personal and unsecured mobile device. You can say the same thing about other data breaches that have occurred in recent months, but this one is ideally suited to being a teachable moment, largely because it was an attack that non-tech folks can relate to their everyday experience. This isn't some abstract hacker threat; it's an iPhone or iPad that suddenly won't work, with a ransom note attached for good measure.

Important points to make

Here are the important points IT departments can, and should, include in a security conversation with users.

  • Users with the most basic mobile security -- a device with a passcode -- while not immune to the issue, weren't significantly affected. That demonstrates the protection a simple four-digit PIN can offer and why, despite the slight inconvenience, IT requires officially-sanctioned devices to use one. It also opens the door to discussing the personal as well as professional data that can be exposed and exploited when a device is lost or stolen. Focusing on the potential consequences of someone having complete access to all the data on one of the most personal devices people own is likely to drive the point home.
  • The potential for damage is greater for people who choose to use the same credentials across a range of sites and services. This underscores why IT requires regular password changes and often prevents passwords from being re-used.
  • Apple's own iCloud security systems were not at fault. This attack succeeded because users ignored common security lessons. Apple isn't responsible for it and isn't seen as a scapegoat. A similar incident affecting corporate resources could be blamed on the employee(s) in question rather than on the IT department, particularly if IT can prove it had no knowledge of where the data or credentials were stored by users.
  • This could have been much worse for the affected users if the perpetrator had used iCloud credentials to access data and documents synced or backed up to iCloud or stored there by a range of iOS and Mac apps. That lesson extends to every cloud service, email system, social network, and online account that a person has, both personal and professional. If any of those accounts had held sensitive corporate data or data subject to government regulation under privacy laws (such as those related to healthcare or finance), it could have done a great deal of damage to a company and resulted in termination for any employee who allowed data to be exposed.

That last message, in particular, is most likely to get the attention of workers who may have been oblivious to security, or reluctant to take even basic steps to protect data. Because while the Oleg Pliss hack wasn't bad, it could have been much worse. And this almost certainly isn't the last time something like it will happen.

Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to CITEworld.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).
