[HN Gopher] Man steals 620k photos from iCloud accounts from hom...
___________________________________________________________________
Man steals 620k photos from iCloud accounts from home without Apple noticing
Author : radicaldreamer
Score : 145 points
Date : 2021-08-24 20:54 UTC (2 hours ago)
(HTM) web link (www.latimes.com)
(TXT) w3m dump (www.latimes.com)
| silurian wrote:
| Interesting but not mentioned in article. What are the odds?
|
| Today: > Hao Kuo Chi, 40, of La Puente, has agreed to plead guilty to four felonies
|
| then also a Hao Kuo Chi who was 26 in March 2007.
|
| from 2007 https://www.latimes.com/archives/la-xpm-2007-apr-12-me-geeks...
|
| > The suit, filed in Los Angeles County Superior Court on behalf of Sarah Vasquez, 22, and her mother, Natalie Fornaciari, 46, both from city of Industry, alleges that Geek Squad technician Hao Kuo Chi, 26, placed his cellphone in Vasquez's bathroom during a computer service call March 4 and recorded her showering.
| radicaldreamer wrote:
| I posted this link and I named it the way I did to draw attention to this in context of CSAM enforcement... this man could have easily uploaded any photos to these hacked iCloud accounts, which would've been synced down to end user devices.
|
| Apple didn't catch on to this, despite him not using VPN or Tor... it wasn't until the FBI investigated a public figure's hacked and posted photos that this came to light.
|
| [EDIT]: Not the FBI, but a private company noticed this (h/t codeecan)
| Jtsummers wrote:
| > I named it the way I did to draw attention to this in context of CSAM enforcement...
|
| From the site guidelines:
|
| > Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.
|
| Just a reminder because if a mod ends up viewing this they will probably change the title back to the original.
| codeecan wrote:
| Scary indeed, slight correction, not the FBI [initially];
|
| > A California company that specializes in removing celebrity photos from the internet notified an unnamed public figure ...
|
| He was caught by random chance of this company.
| not2b wrote:
| If he was specifically going after famous women's accounts, I don't think it was so random, given that he went after hundreds of people and didn't cover his tracks at all. He was after celebrity photos, he was sloppy, people who try to defend against such attacks were going to catch him.
| radicaldreamer wrote:
| We've seen more decentralized and sophisticated attacks of the same type against iCloud ("the fappening" etc.) which were kept mostly private for years before being made public.
|
| The fact that those hacks quickly were flushed from the news cycle without a bunch of public lawsuits etc. makes me suspect Apple very proactively went out and made settlements with the more high profile victims of those hacks. Of course, I have no proof of this at all, so it's purely speculation, but it was odd to see almost nothing come out of those hacks.
| threeseed wrote:
| > without a bunch of public lawsuits
|
| Apple is not at fault here though.
|
| These people have clicked on a phishing email no different to a banking or retail one.
| gsibble wrote:
| The fact Apple missed logins to hundreds of accounts over time from a single IP registered probably to Spectrum or Verizon ISP is a little suspect. Then again, there are probably public IPs with a NAT with thousands of iPhones behind it at times. This might be a really hard one to detect even though it's sloppy.
| meibo wrote:
| Apple itself is currently obsoleting IP-based account theft heuristics with their iCloud VPN, so they might have stopped relying on it internally already :)
| xenadu02 wrote:
| Companies regularly NAT many thousands of users behind a single public IP.
| Additionally non-profits, schools, and others often provide WiFi for their guests/students using a supposedly residential internet account or their ISP doesn't segment basic business IPs from residentials.
|
| In any case flagging multiple accounts logging in from a single public IP is not as useful a signal as you might think.
| shuckles wrote:
| Given that the accused was arrested in 2007 for similar sex crimes while a Geek Squad employee, one must imagine that he's been up to this for years.
| tyingq wrote:
| We'll call it "The Trappening".
| spac wrote:
| https://twitter.com/matthew_d_green/status/14299631415684014...
| shuckles wrote:
| This Twitter account continues to debase discourse about the child safety proposals with FUD. It posted incorrect information about the proposal before launch and has continued with useless speculation. How many of the hypothesized threat models which don't pan out has he formally redacted?
|
| If you are worried about the security of iCloud, then that can be read as more reason to prefer client side scanning. Of course the tweets are ambiguous about logical implications so you can't engage with them directly.
| radicaldreamer wrote:
| Absolutely: https://twitter.com/matthew_d_green/status/14299837034602045...
|
| I assume each upload is tagged with device ID which first uploaded it etc. but maybe that can be spoofed as well?
| radicaldreamer wrote:
| There's no real reason to assume this is true, because Apple's systems didn't detect hundreds of accounts being accessed from a single, home IP...
| Tagbert wrote:
| If Apple were to do what many recommend and do CSAM scanning in the cloud like other providers, would that change this attack vector?
| dathinab wrote:
| no
|
| Edit: No if they use the same algorithm, but they could use other algorithms which are less abusable and no one would know the hashes in the database, so Yes I guess?
| threeseed wrote:
| It's only an attack vector in the minds of people who haven't given it more than 10 seconds of thought.
|
| Apple knows the sync dates of all of the photos that are uploaded. So unless someone has hacked your account and has been directly trickle feeding CSAM for years (without you noticing) then it's going to look suspicious. A big dump of lots of CSAM at one particular timestamp is a pretty easy thing to spot.
|
| And then in this case they aren't hacking the phone but the account which means Apple is going to notice a set of photos coming from an IP address they haven't seen used from that account before.
| marcellus23 wrote:
| Not giving it 10 seconds of thought seems common in most HN reactions to the whole CSAM thing.
| cwkoss wrote:
| Do you think that Apple is going to decide whether a big dump of CSAM was uploaded by that user or a hacker and act differently based on that investigation, or just send it to LEO and let them sort it out?
|
| Seems like there could be some legal ramifications from the choice to bypass law enforcement under certain circumstances
| brandon272 wrote:
| This comment assumes that Apple does a lot of heavy lifting to exonerate individuals who are found with CSAM beyond just reporting them to law enforcement.
|
| Of course metadata could exonerate someone who is a victim in a case like this. The question is will it ever see the light of day?
| threeseed wrote:
| Comments like this are so bizarre to me.
|
| Google, Microsoft etc we know for a fact do server side scanning of photos for CSAM. Apple should be assumed to do the same.
|
| So what exactly is the difference if this is done client or server side. The person being hacked would still be investigated by the FBI.
| mulmen wrote:
| Well Apple differentiates themselves on privacy. I would prefer to do business with a company that never looks at my data for any reason.
| The problem with on-device scanning is the implicit backdoor.
| codeecan wrote:
| > he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords
|
| > He gained unauthorized access to photos and videos of at least 306 victims across the nation
|
| > Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house
|
| Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.
| pbhjpbhj wrote:
| I can't believe Facebook haven't stopped the "your mother's maiden name and your first pet's name is your pornstar name, post yours below" posts on Facebook. These companies clearly don't care their platforms are used to enable scammers so long as they're getting their cut of the money.
| TheCraiggers wrote:
| > Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.
|
| They could start by _following_ basic security. My kid's school sets everyone's passwords to various forms of "temp123" (same password for every kid) and often talks about them in cleartext. It sets a very bad example, and it occasionally gives me hives just thinking about it.
| pier25 wrote:
| I worked at an ed tech company that provided services for schools and this was _very_ common in my experience.
|
| Schools wanted to store the students' passwords in clear text in an excel basically to get less complaints from parents.
|
| Students didn't store their password after logging in. If they needed to log in again they did not know (or did not care) how to reset their passwords. Then the problem would fall onto the parents who would then complain to the school.
| throenabout wrote:
| A friend worked at a UK government site that one week complained about an increase in "Russian" attempted intrusions and literally the next week issued an instruction in an unsigned email to all staff to change their password to a new password given in plaintext in the email.
|
| The instruction, they thought, had to be a poor phishing attempt - but no, it was a genuine email from the IT department and the friend was punished (!!) for questioning the instruction and not immediately complying.
|
| It may not have been the same password across the organisation but theirs was reportedly word based and quite short.
| pier25 wrote:
| Seems so naive that you'd do such a thing from your home without any type of security like a VPN.
|
| The guy probably was the only one in the group doing this and was led to believe by the others that it was completely safe.
| legohead wrote:
| So all he needed to do to avoid being caught was use a VPN?
| glitcher wrote:
| I agree that better education around Internet security is needed, especially for basic phishing attacks like this.
|
| OTOH, I believe Apple could be doing more to deter and/or detect this type of broad access, especially with the lack of sophistication behind this scheme! I feel like even Netflix does a better job at alerting me to access from a new device, and they aren't storing any of my personal photos.
| shuckles wrote:
| If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?
| not2b wrote:
| They would just get an email saying that icloudbackupsupport@gmail.com (his phony address) accessed the account immediately after giving their info to icloudbackupsupport@gmail.com. He could even have told them to expect and ignore such an email.
| makecheck wrote:
| It's better than nothing but still not great because the login area they present is too broad. For example, if you live in a large city and the phisher is somebody you know, seeing "New login from Your City" is not going to make you think twice.
| gowld wrote:
| If you refuse to think, even when prompted, that's on you. You should think about whether you logged in from the city and device/OS named in the alert.
| glitcher wrote:
| > Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house
|
| If the attacker was really not covering his tracks, perhaps Apple may have flagged hundreds of different iCloud account logins originating from the same location as something to look into?
| missingcolours wrote:
| That's not really a reliable/actionable signal overall - my previous employer had like 20,000 employees NATed behind a single IP.
| pavs wrote:
| IP NATing is a common thing done by most ISPs, you can literally have 100s or even thousands of users using the same IP.
| shuckles wrote:
| There isn't enough information in the linked article to reveal the attacker's methods. Do you have further information or are you speculating?
| enricopulatzo wrote:
| Perhaps something in that 2FA request saying "Apple will only ask for your password in-person in a store or other authorized repair provider. Only allow this request if you know who requested it"?
| ryandrake wrote:
| Not just better education around security practices, but better understanding around control of your content, where it's stored, what happens to content when you press that button in an app. I don't want to victim blame here, and this guy is a total creep, but the victims uploaded their nudes to the Internet. At that point, the cat was out of the bag.
|
| Part of safely using the Internet is having the knowledge and being aware of where (in your apps) the boundary is between your local device and the global network that everyone has access to. People need to understand: When you sync to a cloud service, you're _sending_ your content to someone's computer unknown to you. Yes, in this case, it's Apple's computer, but that didn't stop this guy. Once you sync something online, it's out of your hands, and on the Internet now.
|
| I personally treat all cloud services as if they were accessible publicly and anonymously, and will inevitably be printed in my local newspaper, and only upload content to those services where I am comfortable with that level of exposure.
|
| EDIT: To clarify, I wish applications would stop blurring the line between "on my device" and "on the Internet". I've used applications where, to an unsophisticated user, the save dialog looks like it's saving to their computer but it's actually in the cloud. Add to it all these apps that try to be helpful by seamlessly (and invisibly) keeping local content in sync with the cloud versions and you have a recipe for disasters like this. Have an explicit "upload this thing to the Internet" button, please!
| minsc__and__boo wrote:
| >Investigators soon discovered that a log-in to the victim's iCloud account had come from an internet address at Chi's house in La Puente, Bossone said. The FBI got a search warrant and raided the house
|
| He goes through the trouble of phishing so many accounts and photos, only to access them directly from his own residence?
| oh_sigh wrote:
| Sure. All he did was social engineering by sending people an email asking for their password. There is no indication that he is actually technically competent.
| brutal_chaos_ wrote:
| Isn't "stealing" inaccurate here? Copies were made, sure, but nothing was removed from their possession.
| koolhaas wrote:
| What word do you use when someone unrightfully gains possession of something that isn't theirs?
|
| Btw a lot of words in English have multiple meanings, and transform meaning over time, which can be confusing sometimes. For example, in baseball you steal a base, which was being protected by the other team, but you don't remove the base from the field and run off with it.
|
| I think steal works better than copy here, more accurately conveying meaning and intention, and unjust access.
| Permit wrote:
| I think the reason "steal" can feel strange here is that we've spent the last 15 years arguing that copyright infringement is "not stealing" because the original creator has not been deprived of anything.
|
| The phrase "not stealing" is almost exclusively used in this context on HN: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
| at_a_remove wrote:
| I have been thinking about "nudes" (which I will use as a shorthand to describe digital images of a person sans clothing, almost always taken by that person) in terms of cultural evolution. A couple of years ago I mentioned, on HN, that I knew Jenni, of JenniCam, before the "cam," back when she was just experimenting with this new digital camera device. And then they became more and more available.
|
| For a brief time there was a kind of explosion of said nudes. I could be on Yahoo Chat and women would just send them, unsolicited, and I think that was the era of people not realizing that nudes can get around, like any other secret, once you let go of them. My guess is that probably came to an end roughly ten years ago or so, and people now hold onto them tightly, which is probably much more reasonable.
|
| People still take nudes, and pass them on, but I think there is a level of discretion that has increased, although I know some women who mention being pestered for such by men they know.
| Still, these images are on cameras and cloud storage and such, and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes? Poor judgment of course abounds in so many reported crimes but ... how does one even trawl more than half a million photos for nudes? Was he planning on going through them individually? Was he going to make a neural net to scan for skin?
|
| I just find the whole thing a little baffling in this day and this age.
| lotsofpulp wrote:
| >and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes?
|
| I presume the hunger is more about having access to something you are not supposed to have access to, or were not given access to.
|
| "Everything in human life is really about sex, except sex. Sex is about power."
| admn2 wrote:
| Doesn't iCloud have built in 2FA from an unrecognized device?
| judge2020 wrote:
| Yes, and it's heavily pushed. But if this scam really goes that deep in manipulation/phishing:
|
| > but he managed to get victims to give him the iCloud passwords he needed to download their data.
|
| Then he might have been able to get victims to allow his access.
| fortuna86 wrote:
| I had the same thought.
| gigatexal wrote:
| "I'm remorseful... but I have a family" he says hoping this doesn't "ruin" his life. Fuck this guy. He knew what he was doing. He should have all the consequences both those from the court and professionally: who's going to hire him now? Maybe someone in infosec but likely not ever again in tech.
| radicaldreamer wrote:
| A friend once pointed out that it's likely a majority of "amateur" porn is private content from hacked or stolen accounts and wasn't posted by any of the parties depicted.
|
| He mentioned this when a bunch of stories were coming out about GeekSquad and other IT help as a service companies stealing data or acting as data harvesters for the FBI/DEA etc.
| throwawayboise wrote:
| I don't really understand why people even make their own porn, but that aside, I _really_ don't understand why they would save it in the cloud.
| CoryAlexMartin wrote:
| If I take a photo or a video on my iPhone, it's uploaded to iCloud automatically, and afaik there is no way to remove it from iCloud while still keeping it in the photo library on the device without opting out of iCloud Photos entirely.
| Rietty wrote:
| Most likely the thrill of it. They might not even be aware of saving it to the cloud. Maybe they used their phone on a stand to record and iCloud or OneDrive or Google Photos just synced it automatically.
| gowld wrote:
| Defaults are powerful.
| mdoms wrote:
| I don't think that's likely at all. It seems like it would be far easier to find women who are willing to take their clothes off for money (something that has been relatively easy to find for centuries) than it would be to hack hundreds of devices in order to steal such pictures - if they happen to exist.
| mataug wrote:
| As always humans are the weakest link when securing systems.
|
| This reminds me of this thread https://news.ycombinator.com/item?id=28279326
|
| Where the attacker was able to trick Tmobile / Sprint customer service into providing a PUK number.
| jeroenhd wrote:
| It's kind of funny. When you look into cyber security, the papers are all about controlled rate limiting, advanced anomaly detection, client fingerprinting, the likes, but in practice, very few companies will actually pick out abuse like this.
|
| This creep didn't need advanced tooling, exploits or deep knowledge of the backing system.
| All he needed was a basic phishing scam to work well enough, and the official iCloud software (either from his browser or his computer).
|
| All the supposedly advanced algorithms that often arbitrarily ban accounts by mistake managed to miss some random dude behind his laptop, shamelessly leaking private pictures.
|
| My heart goes out to this man's victims.
| pojzon wrote:
| This just means cyber security advanced so much that the simplest way to accomplish the goal is abusing human nature.
|
| (IMHO human was always the weakest part in the security chain and this will not change looking at social engineering)
| fshbbdssbbgdd wrote:
| It's not too weird for 306 accounts to be using iCloud from the same IP, considering stadiums, universities, etc. It's probably highly unusual for that many of them to do an account recovery... unless the IP is an Apple store.
| mrkramer wrote:
| Phishing is one of the most common entry points of cyberattacks. Even tech savvy people get tricked into clicking links or downloading attachments.
| bogwog wrote:
| > Even tech savvy people get tricked into clicking links or downloading attachments.
|
| Like Jim Browning, the Youtuber famous for scamming scammers, who recently fell for a phishing scam himself and ended up deleting his Youtube account. (https://news.slashdot.org/story/21/07/28/2023241/youtube-cha...)
| nitrogen wrote:
| Has that been resolved yet? I'm really curious what advice he gives based on that experience.
| fny wrote:
| You mean like this?
|
| EDIT: DO NOT TRY WHAT FOLLOWS IT IS AN EXAMPLE OF A SCAM.
|
| Wow! XYZ is smart enough to block your password so others can't see it! -[d13567]--|h[?]-[
|
| I can see it, but you can't. Try it!!!!
|
| An unbelievable number of people fell for this on Myspace and Facebook in the early days.
| abacadaba wrote:
| Edit: just tried this it DOES NOT work, don't do it
| detaro wrote:
| if you actually did, you should change your password now.
| And pick a more secure one. (not going to try if what you posted actually works...)
| fny wrote:
| It doesn't. DO NOT TRY. I was just giving an example of a classic scam, and I can't believe someone actually tried it.
| detaro wrote:
| I meant I won't try if I can log into their account with what their comment said at first.
| fny wrote:
| *Facepalm* What were you thinking?!
| Beaver117 wrote:
| Let me try - dmich87!@#
| hunter2_ wrote:
| Yep, works perfectly.
| spiderice wrote:
| This was also a common technique used in Runescape back in the day. Takes me back. The much more innocent version was all chatting "Press alt q q for free gold" in Warcraft 3. Alt+q+q was the keyboard shortcut to abandon the match, which I learned the hard way.
| nitrogen wrote:
| In Brood War it was "press Alt-F4 to download faster" when someone wanted to boot the slow user on a dial-up modem.
| BuildTheRobots wrote:
| +++ATH0
| branon wrote:
| hunter2
| Corrado wrote:
| all I see is ****
| gowld wrote:
| Google will alert the account owner (across all channels -- devices they own, and Gmail) when there's a login from a new device. Doesn't Apple do the same?
| Cullinet wrote:
| I had this idea for a service just the other night : a means of overlaying real time messages and alerts direct to any app you are using at the time. Kind of Class 0 "flash" SMS.
| [deleted]
| jeromegv wrote:
| Yes they do. But don't underestimate how much people don't actually read their emails. They have 20 newsletters coming in every day and quickly check if anything is related to them, they have no idea what that iCloud email says. They just fell victim to a phishing attempt, they are already not that tech savvy.
| jchw wrote:
| To be fair, phishing is just the path of least resistance due to overall security improvements getting rid of other low-hanging fruit. If security became worse overall, phishing would fall a bit more out of favor.
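Several commenters above (gsibble, xenadu02, missingcolours, pavs, fshbbdssbbgdd) argue over whether "hundreds of accounts logging in from one public IP" is a usable detection signal, given carrier and campus NAT. The following scorer is an added example for this thread, not Apple's code and not from the linked article; the event shape, the addresses, the thresholds and the sample traffic are all assumptions constructed for the demonstration. It computes the naive per-IP distinct-account count next to a narrower one, accounts that had never been seen from that address before the window, and shows why the first fires on a NAT every week while the second singles out a residential line that suddenly holds sessions for dozens of other people's accounts.

```python
"""Per-IP 'many accounts, all new to this address' scorer over login events.

Added example for this discussion; not Apple's code and not from the linked
article. Event shape, addresses, thresholds and traffic are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime      # time of the successful login (assumed UTC)
    account: str      # account identifier
    src_ip: str       # public source address as the service sees it


def score_ips(events, window=timedelta(days=7), min_novel=10, min_ratio=0.8):
    """Summarise each source IP over the trailing `window`.

    'distinct_accounts' is the naive signal: a campus or ISP NAT scores high on
    it every week. 'novel_accounts' counts only accounts that had never been
    seen from that address before; a stable NAT population produces few of
    these, while a line logging into dozens of strangers' accounts produces
    nothing else. An IP is flagged when both the count and the ratio are high.
    """
    if not events:
        return {}
    events = sorted(events, key=lambda e: e.ts)
    cutoff = events[-1].ts - window
    seen_pairs = set()            # (account, ip) pairs observed so far, in time order
    distinct = defaultdict(set)   # ip -> accounts seen within the window
    novel = defaultdict(set)      # ip -> accounts new to this ip within the window
    for e in events:
        pair = (e.account, e.src_ip)
        if e.ts >= cutoff:
            distinct[e.src_ip].add(e.account)
            if pair not in seen_pairs:
                novel[e.src_ip].add(e.account)
        seen_pairs.add(pair)
    summary = {}
    for ip, accounts in distinct.items():
        n_novel = len(novel[ip])
        ratio = n_novel / len(accounts)
        summary[ip] = {
            "distinct_accounts": len(accounts),
            "novel_accounts": n_novel,
            "novel_ratio": round(ratio, 2),
            "flag": n_novel >= min_novel and ratio >= min_ratio,
        }
    return summary


def sample_events():
    """Constructed traffic, not real data: a campus NAT, a household that just
    got service, and a phisher's home line logging into the accounts he phished."""
    t0 = datetime(2021, 8, 1)
    campus, household, phisher = "203.0.113.10", "198.51.100.7", "192.0.2.44"
    ev = []
    # 30 days of history: 200 campus accounts log in daily behind one NAT address
    for day in range(30):
        for i in range(200):
            ev.append(LoginEvent(t0 + timedelta(days=day, minutes=i), f"student{i}", campus))
    # last week only: ten newly enrolled accounts join the same NAT
    for day in range(23, 30):
        for i in range(200, 210):
            ev.append(LoginEvent(t0 + timedelta(days=day, hours=1, minutes=i), f"student{i}", campus))
    # a new household line: four accounts, all new to this address, but only four
    for day in range(24, 30):
        for i in range(4):
            ev.append(LoginEvent(t0 + timedelta(days=day, hours=2, minutes=i), f"family{i}", household))
    # the phisher: 30 victims' accounts, each logged into once from his own line
    for i in range(30):
        ev.append(LoginEvent(t0 + timedelta(days=25, hours=3, minutes=i), f"victim{i}", phisher))
    return ev


if __name__ == "__main__":
    for ip, s in score_ips(sample_events()).items():
        print(ip, s)
```

With the constructed traffic the campus NAT shows 210 distinct accounts but only 10 novel ones (ratio 0.05) and is not flagged, the household shows four novel accounts but stays under `min_novel`, and the phisher's line is flagged at 30 novel accounts with a ratio of 1.0. fshbbdssbbgdd's point about account recoveries fits the same shape: a per-IP counter of recovery flows started for accounts new to that address. The caveat meibo raises still applies: once logins arrive through a relay or VPN egress, the source address carries no information about the household behind it and this signal collapses back to the NAT case.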
| [deleted]
___________________________________________________________________
(page generated 2021-08-24 23:00 UTC)