Security onus on users as apparent Apple compromise follows eBay attack

A spate of high-profile hacks of consumer brands like eBay and, most recently, Apple is bringing security concerns to the attention of even non-technical Australians, a senior security researcher has argued.

The latest revelations come as many Australians reported that their Apple IDs had been hacked, allowing malicious and unknown outsiders to use the device's remote-locking features to prevent them from being able to access their iPhones.

Reports on Apple's support forum shared users' experiences of being presented with a lock screen telling them they had been hacked by someone named 'Oleg Pliss' and demanding a $US100 ($A108) ransom to unlock the device. Efforts to log into Apple's service to reset their devices had been unsuccessful.

Advising that those affected should not pay the ransom because there is “no guarantee that the criminals responsible will unlock your device,” Symantec security response manager Satnam Narang wrote in a blog post that those affected needed to log into their Apple ID accounts to ensure their password hasn't been changed – and then change the password.

Users should also log out of all Web browsers to ensure there are no active iCloud sessions opened using the previous password.

The issue and its solution reflect a similar high-profile attack that recently hit auction site eBay, compromising over 120 million users' accounts and highlighting the ongoing challenges that the company faces in its efforts to grow its data collection and analytics platform while maintaining adequate levels of security for that data.

eBay Marketplaces president Devin Wenig has been progressively writing to users, acknowledging the attack on a database containing customers' names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth.

Wenig requested that users change their passwords on eBay and any other site where they used the same password – despite there being “no evidence that any customer financial or credit card information was involved” and that there had been “no indication of a significant spike in fraudulent activity on our site”.

The latest Apple hack has intensified pressure on users to improve their password and lock code security.

Those who had previously set a passcode on their devices should be able to unlock them using that passcode, Symantec's Narang wrote, but those who had left their devices unsecured may find that the hacker had changed their password using Find My iPhone's 'lost mode' feature.

“Although it may be annoying to have to input a passcode to unlock your device, it is a basic security measure to prevent unauthorized physical access to your device,” Narang wrote. “In this case, it could save you the trouble of having to perform a factory reset on your device.”

Narang suggested other protections for Apple ID users, including using a strong, unique password, such as one produced by a password manager like LastPass or 1Password; setting up two-step verification for their Apple IDs; and regularly backing up devices to ensure that data isn't lost in the event a factory reset is required.

Stories by David Braue