[HN Gopher] Man steals 620k photos from iCloud accounts from hom...
___________________________________________________________________
Man steals 620k photos from iCloud accounts from home without Apple
noticing
Author : radicaldreamer
Score : 145 points
Date : 2021-08-24 20:54 UTC (2 hours ago)
(HTM) web link (www.latimes.com)
(TXT) w3m dump (www.latimes.com)
| silurian wrote:
| Interesting but not mentioned in article. What are the odds?
|
| Today: > Hao Kuo Chi, 40, of La Puente, has agreed to plead
| guilty to four felonies
|
| then also a Hao Kuo Chi who was 26 in March 2007.
|
| from 2007 https://www.latimes.com/archives/la-xpm-2007-apr-12-me-geeks...
|
| > The suit, filed in Los Angeles County Superior Court on behalf
| of Sarah Vasquez, 22, and her mother, Natalie Fornaciari, 46,
| both from city of Industry, alleges that Geek Squad technician
| Hao Kuo Chi, 26, placed his cellphone in Vasquez's bathroom
| during a computer service call March 4 and recorded her
| showering.
| radicaldreamer wrote:
| I posted this link and I named it the way I did to draw attention
| to this in context of CSAM enforcement... this man could have
| easily uploaded any photos to these hacked iCloud accounts, which
| would've been synced down to end user devices.
|
| Apple didn't catch on to this, despite him not using VPN or
| Tor... it wasn't until the FBI investigated a public figure's
| hacked and posted photos that this came to light.
|
| [EDIT]: Not the FBI, but a private company noticed this (h/t
| codeecan)
| Jtsummers wrote:
| > I named it the way I did to draw attention to this in context
| of CSAM enforcement...
|
| From the site guidelines:
|
| > Otherwise please use the original title, unless it is
| misleading or linkbait; don't editorialize.
|
| Just a reminder because if a mod ends up viewing this they will
| probably change the title back to the original.
| codeecan wrote:
| Scary indeed; slight correction: not the FBI [initially].
|
| > A California company that specializes in removing celebrity
| photos from the internet notified an unnamed public figure ...
|
| He was caught by random chance of this company.
| not2b wrote:
| If he was specifically going after famous women's accounts, I
| don't think it was so random, given that he went after
| hundreds of people and didn't cover his tracks at all. He was
| after celebrity photos, he was sloppy, people who try to
| defend against such attacks were going to catch him.
| radicaldreamer wrote:
| We've seen more decentralized and sophisticated attacks of
| the same type against iCloud ("the fappening" etc.) which
| were kept mostly private for years before being made
| public.
|
| The fact that those hacks quickly were flushed from the
| news cycle without a bunch of public lawsuits etc. makes me
| suspect Apple very proactively went out and made
| settlements with the more high profile victims of those
| hacks. Of course, I have no proof of this at all, so it's
| purely speculation, but it was odd to see almost nothing
| come out of those hacks.
| threeseed wrote:
| > without a bunch of public lawsuits
|
| Apple is not at fault here though.
|
| These people have clicked on a phishing email no
| different to a banking or retail one.
| gsibble wrote:
| The fact Apple missed logins to hundreds of accounts over time
| from a single IP, probably registered to a Spectrum or Verizon ISP,
| is a little suspect. Then again, there are probably public IPs
| with a NAT with thousands of iPhones behind it at times. This
| might be a really hard one to detect even though it's sloppy.
| meibo wrote:
| Apple itself is currently obsoleting IP-based account theft
| heuristics with their iCloud VPN, so they might have stopped
| relying on it internally already :)
| xenadu02 wrote:
| Companies regularly NAT many thousands of users behind a
| single public IP. Additionally non-profits, schools, and
| others often provide WiFi for their guests/students using a
| supposedly residential internet account or their ISP doesn't
| segment basic business IPs from residentials.
|
| In any case flagging multiple accounts logging in from a
| single public IP is not as useful a signal as you might
| think.
| shuckles wrote:
| Given that the accused was arrested in 2007 for similar sex
| crimes while a Geek Squad employee, one must imagine that
| he's been up to this for years.
| tyingq wrote:
| We'll call it "The Trappening".
| spac wrote:
| https://twitter.com/matthew_d_green/status/14299631415684014...
| shuckles wrote:
| This Twitter account continues to debase discourse about the
| child safety proposals with FUD. It posted incorrect
| information about the proposal before launch and has
| continued with useless speculation. How many of the
| hypothesized threat models which don't pan out has he
| formally redacted?
|
| If you are worried about the security of iCloud, then that
| can be read as more reason to prefer client side scanning. Of
| course the tweets are ambiguous about logical implications so
| you can't engage with them directly.
| radicaldreamer wrote:
| Absolutely: https://twitter.com/matthew_d_green/status/14299837034602045...
|
| I assume each upload is tagged with device ID which first
| uploaded it etc. but maybe that can be spoofed as well?
| radicaldreamer wrote:
| There's no real reason to assume this is true, because
| Apple's systems didn't detect hundreds of accounts being
| accessed from a single, home IP...
| Tagbert wrote:
| If Apple were to do what many recommend and do CSAM scanning in
| the cloud like other providers, would that change this attack
| vector?
| dathinab wrote:
| no
|
| Edit: No if they use the same algorithm, but they could use
| other algorithms which are less abusable and no one would know
| the hashes in the database, so Yes I guess?
| threeseed wrote:
| It's only an attack vector in the minds of people who haven't
| given it more than 10 seconds of thought.
|
| Apple knows the sync dates of all of the photos that are
| uploaded. So unless someone has hacked your account and has
| been directly trickle feeding CSAM for years (without you
| noticing) then it's going to look suspicious. A big dump of
| lots of CSAM at one particular timestamp is a pretty easy
| thing to spot.
|
| And then in this case they aren't hacking the phone but the
| account which means Apple is going to notice a set of photos
| coming from an IP address they haven't seen used from that
| account before.
| marcellus23 wrote:
| Not giving it 10 seconds of thought seems common in most HN
| reactions to the whole CSAM thing.
| cwkoss wrote:
| Do you think that Apple is going to decide whether a big
| dump of CSAM was uploaded by that user or a hacker and act
| differently based on that investigation, or just send it to
| LEO and let them sort it out?
|
| Seems like there could be some legal ramifications from the
| choice to bypass law enforcement under certain
| circumstances
| brandon272 wrote:
| This comment assumes that Apple does a lot of heavy lifting
| to exonerate individuals who are found with CSAM beyond
| just reporting them to law enforcement.
|
| Of course metadata could exonerate someone who is a victim
| in a case like this. The question is will it ever see the
| light of day?
| threeseed wrote:
| Comments like this are so bizarre to me.
|
| Google, Microsoft etc we know for a fact do server side
| scanning of photos for CSAM. Apple should be assumed to do the
| same.
|
| So what exactly is the difference if this is done client or
| server side. The person being hacked would still be
| investigated by the FBI.
| mulmen wrote:
| Well Apple differentiates themselves on privacy. I would
| prefer to do business with a company that never looks at my
| data for any reason. The problem with on-device scanning is
| the implicit backdoor.
| codeecan wrote:
| > he impersonated Apple customer support staff in emails that
| tricked unsuspecting victims into providing him with their Apple
| IDs and passwords
|
| > He gained unauthorized access to photos and videos of at least
| 306 victims across the nation
|
| > Investigators soon discovered that a log-in to the victim's
| iCloud account had come from an internet address at Chi's house
|
| Not very sophisticated, but very effective, glad they shut him
| down but we really need to teach basic internet security in
| schools.
| pbhjpbhj wrote:
| I can't believe Facebook haven't stopped the "your mother's
| maiden name and your first pet's name is your pornstar name,
| post yours below" posts on Facebook. These companies clearly
| don't care that their platforms are used to enable scammers so
| long as they're getting their cut of the money.
| TheCraiggers wrote:
| > Not very sophisticated, but very effective, glad they shut
| him down but we really need to teach basic internet security in
| schools.
|
| They could start by _following_ basic security. My kid's
| school sets everyone's passwords to various forms of "temp123"
| (same password for every kid) and often talks about them in
| cleartext. It sets a very bad example, and it occasionally
| gives me hives just thinking about it.
| pier25 wrote:
| I worked at an ed tech company that provided services for
| schools and this was _very_ common in my experience.
|
| Schools wanted to store the students' passwords in clear text
| in an excel basically to get less complaints from parents.
|
| Students didn't store their password after logging in. If
| they needed to log in again they did not know (or did not
| care) how to reset their passwords. Then the problem would
| fall onto the parents, who would then complain to the
| school.
| throenabout wrote:
| A friend worked at a UK government site that one week
| complained about an increase in "Russian" attempted
| intrusions and literally the next week issued an instruction
| in an unsigned email to all staff to change their password to
| a new password given in plaintext in the email.
|
| The instruction, they thought, had to be a poor phishing
| attempt - but no, it was a genuine email from the IT
| department and the friend was punished (!!) for questioning
| the instruction and not immediately complying.
|
| It may not have been the same password across the
| organisation but theirs was reportedly word based and quite
| short.
| pier25 wrote:
| Seems so naive that you'd do such a thing from your home
| without any type of security like a VPN.
|
| The guy probably was the only one in the group doing this and
| was led to believe by the others that it was completely safe.
| legohead wrote:
| So all he needed to do to avoid being caught was use a VPN?
| glitcher wrote:
| I agree that better education around Internet security is
| needed, especially for basic phishing attacks like this.
|
| OTOH, I believe Apple could be doing more to deter and/or
| detect this type of broad access, especially with the lack of
| sophistication behind this scheme! I feel like even Netflix
| does a better job at alerting me to access from a new device,
| and they aren't storing any of my personal photos.
| shuckles wrote:
| If you have two factor enabled, which is required for many
| iCloud features, every single Apple device you own will
| receive an alert with the location of login before you can
| reveal the 2FA code, even for iCloud logins. What more would
| you like to see?
| not2b wrote:
| They would just get an email saying that
| icloudbackupsupport@gmail.com (his phony address) accessed
| the account immediately after giving their info to
| icloudbackupsupport@gmail.com. He could even have told them
| to expect and ignore such an email.
| makecheck wrote:
| It's better than nothing but still not great because the
| login area they present is too broad. For example, if you
| live in a large city and the phisher is somebody you know,
| seeing "New login from Your City" is not going to make you
| think twice.
| gowld wrote:
| If you refuse to think, even when prompted, that's on
| you. You should think about whether you logged in from
| the city and device/OS named in the alert.
| glitcher wrote:
| > Investigators soon discovered that a log-in to the
| victim's iCloud account had come from an internet address
| at Chi's house
|
| If the attacker was really not covering his tracks, perhaps
| Apple may have flagged hundreds of different iCloud account
| logins originating from the same location as something to
| look into?
| missingcolours wrote:
| That's not really a reliable/actionable signal overall -
| my previous employer had like 20,000 employees NATed
| behind a single IP.
| pavs wrote:
| IP NATing is a common thing done by most ISPs; you can
| literally have 100s or even thousands of users using the
| same IP.
| shuckles wrote:
| There isn't enough information in the linked article to
| reveal the attacker's methods. Do you have further
| information or are you speculating?
| enricopulatzo wrote:
| Perhaps something in that 2FA request saying "Apple will
| only ask for your password in-person in a store or other
| authorized repair provider. Only allow this request if you
| know who requested it"?
| ryandrake wrote:
| Not just better education around security practices, but
| better understanding around control of your content, where
| it's stored, what happens to content when you press that
| button in an app. I don't want to victim blame here, and this
| guy is a total creep, but the victims uploaded their nudes to
| the Internet. At that point, the cat was out of the bag.
|
| Part of safely using the Internet is having the knowledge and
| being aware of where (in your apps) the boundary is between
| your local device and the global network that everyone has
| access to. People need to understand: When you sync to a
| cloud service, you're _sending_ your content to someone's
| computer unknown to you. Yes, in this case, it's Apple's
| computer, but that didn't stop this guy. Once you sync
| something online, it's out of your hands, and on the Internet
| now.
|
| I personally treat all cloud services as if they were
| accessible publicly and anonymously, and will inevitably be
| printed in my local newspaper, and only upload content to
| those services where I am comfortable with that level of
| exposure.
|
| EDIT: To clarify, I wish applications would stop blurring the
| line between "on my device" and "on the Internet". I've used
| applications where, to an unsophisticated user, the save
| dialog looks like it's saving to their computer but it's
| actually in the cloud. Add to it all these apps that try to
| be helpful by seamlessly (and invisibly) keeping local
| content in sync with the cloud versions and you have a recipe
| for disasters like this. Have an explicit "upload this thing
| to the Internet" button, please!
| minsc__and__boo wrote:
| >Investigators soon discovered that a log-in to the victim's
| iCloud account had come from an internet address at Chi's house
| in La Puente, Bossone said. The FBI got a search warrant and
| raided the house
|
| He goes through the trouble of phishing so many accounts and
| photos, only to access them directly from his own residence?
| oh_sigh wrote:
| Sure. All he did was social engineering by sending people an
| email asking for their password. There is no indication that he
| is actually technically competent.
| brutal_chaos_ wrote:
| Isn't "stealing" inaccurate here? Copies were made, sure, but
| nothing was removed from their possession.
| koolhaas wrote:
| What word do you use when someone unrightfully gains possession
| of something that isn't theirs?
|
| Btw a lot of words in English have multiple meanings, and
| transform meaning over time, which can be confusing sometimes.
| For example, in baseball you steal a base, which was being
| protected by the other team, but you don't remove the base from
| the field and run off with it.
|
| I think steal works better than copy here, more accurately
| conveying meaning and intention, and unjust access.
| Permit wrote:
| I think the reason "steal" can feel strange here is that
| we've spent the last 15 years arguing that copyright
| infringement is "not stealing" because the original creator
| has not been deprived of anything.
|
| The phrase "not stealing" is almost exclusively used in this
| context on HN: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...
| at_a_remove wrote:
| I have been thinking about "nudes" (which I will use as a
| shorthand to describe digital images of a person sans clothing,
| almost always taken by that person) in terms of cultural
| evolution. A couple of years ago I mentioned, on HN, that I knew
| Jenni, of JenniCam, before the "cam," back when she was just
| experimenting with this new digital camera device. And then they
| became more and more available.
|
| For a brief time there was a kind of explosion of said nudes. I
| could be on Yahoo Chat and women would just send them,
| unsolicited, and I think that was the era of people not realizing
| that nudes can get around, like any other secret, once you let go
| of them. My guess is that probably came to an end roughly ten
| years ago or so, and people now hold onto them tightly, which is
| probably much more reasonable.
|
| People still take nudes, and pass them on, but I think there is a
| level of discretion that has increased, although I know some
| women who mention being pestered for such by men they know.
| Still, these images are on cameras and cloud storage and such,
| and for the life of me I do not get the hunger that drives such a
| risky behavior as getting into hacked iCloud accounts versus, I
| don't know, average sources of free nudes? Poor judgment of
| course abounds in so many reported crimes but ... how does one
| even trawl more than half a million photos for nudes? Was he
| planning on going through them individually? Was he going to make
| a neural net to scan for skin?
|
| I just find the whole thing a little baffling in this day and
| this age.
| lotsofpulp wrote:
| >and for the life of me I do not get the hunger that drives
| such a risky behavior as getting into hacked iCloud accounts
| versus, I don't know, average sources of free nudes?
|
| I presume the hunger is more about having access to something
| you are not supposed to have access to, or were not given
| access to.
|
| "Everything in human life is really about sex, except sex. Sex
| is about power."
| admn2 wrote:
| Doesn't icloud have built in 2FA from an unrecognized device?
| judge2020 wrote:
| Yes, and it's heavily pushed. But if this scam really goes that
| deep in manipulation/phishing:
|
| > but he managed to get victims to give him the iCloud
| passwords he needed to download their data.
|
| Then he might have been able to get victims to allow his
| access.
| fortuna86 wrote:
| I had the same thought.
| gigatexal wrote:
| "I'm remorseful... but I have a family" he says hoping this
| doesn't "ruin" his life. Fuck this guy. He knew what he was
| doing. He should have all the consequences both those from the
| court and professionally: who's going to hire him now? Maybe
| someone in infosec but likely not ever again in tech.
| radicaldreamer wrote:
| A friend once pointed out that it's likely a majority of
| "amateur" porn is private content from hacked or stolen
| accounts and wasn't posted by any of the parties depicted.
|
| He mentioned this when a bunch of stories were coming out about
| GeekSquad and other IT help as a service companies stealing
| data or acting as data harvesters for the FBI/DEA etc.
| throwawayboise wrote:
| I don't really understand why people even make their own
| porn, but that aside, I _really_ don't understand why they
| would save it in the cloud.
| CoryAlexMartin wrote:
| If I take a photo or a video on my iPhone, it's uploaded to
| iCloud automatically, and afaik there is no way to remove
| it from iCloud while still keeping it in the photo library
| on the device without opting out of iCloud Photos entirely.
| Rietty wrote:
| Most likely the thrill of it. They might not even be aware
| of saving it to the cloud. Maybe they used their phone on a
| stand to record and iCloud or OneDrive or Google Photos
| just synced it automatically.
| gowld wrote:
| Defaults are powerful.
| mdoms wrote:
| I don't think that's likely at all. It seems like it would be
| far easier to find women who are willing to take their
| clothes off for money (something that has been relatively
| easy to find for centuries) than it would be to hack hundreds
| of devices in order to steal such pictures - if they happen
| to exist.
| mataug wrote:
| As always humans are the weakest link when securing systems.
|
| This reminds me of this thread
| https://news.ycombinator.com/item?id=28279326
|
| Where the attacker was able to trick Tmobile / Sprint customer
| service into providing a PUK number.
| jeroenhd wrote:
| It's kind of funny. When you look into cyber security, the papers
| are all about controlled rate limiting, advanced anomaly
| detection, client fingerprinting, the likes, but in practice,
| very few companies will actually pick out abuse like this.
|
| This creep didn't need advanced tooling, exploits or deep
| knowledge of the backing system. All he needed was a basic
| phishing scam to work well enough, and the official iCloud
| software (either from his browser or his computer).
|
| All the supposedly advanced algorithms that often arbitrarily ban
| accounts by mistake managed to miss some random dude behind his
| laptop, shamelessly leaking private pictures.
|
| My heart goes out to this man's victims.
| pojzon wrote:
| This just means cyber security advanced so much that the
| simplest way to accomplish the goal is abusing human nature.
|
| (IMHO humans were always the weakest part in the security chain
| and this will not change looking at social engineering)
| fshbbdssbbgdd wrote:
| It's not too weird for 306 accounts to be using iCloud from the
| same IP, considering stadiums, universities, etc. It's probably
| highly unusual for that many of them to do an account
| recovery... unless the IP is an Apple store.
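The single-IP question argued above (xenadu02's point that a NAT hides thousands of legitimate users behind one address, and fshbbdssbbgdd's point that the rare thing is hundreds of accounts doing something they have never done from that address) can be made concrete. The following is an added example, not Apple's code and not anything from the article: it scores each source IP over a constructed auth log, treating "how many distinct accounts" as noise and "how many established accounts used this IP for the first time" as the signal. The log format, the field names, the 20-account floor and the 0.8 ratio are all assumptions of the example.

```python
"""Per-IP login anomaly scoring over a constructed iCloud-style auth log.

Added example, not Apple's code. Assumed log format, one event per line:
  <ISO-8601 ts> account=<id> ip=<addr> event=<login|recovery> result=<ok|fail>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) "
    r"event=(?P<event>login|recovery) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Parse log lines; malformed lines are dropped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def score_ips(events, min_accounts=20, min_new_ratio=0.8):
    """Return {ip: stats} and flag suspicious source addresses.

    The trigger is NOT the raw number of distinct accounts seen from an IP
    (a campus or carrier NAT legitimately fronts thousands). It is the share
    of *established* accounts for which this IP is one they have never
    succeeded from before. Thresholds are assumptions for the example.
    """
    seen = defaultdict(set)  # account -> IPs it has successfully used so far
    per_ip = defaultdict(
        lambda: {"accounts": set(), "new_for_account": set(), "recoveries": 0}
    )
    for e in sorted(events, key=lambda e: e["ts"]):
        ip, acct = e["ip"], e["account"]
        if e["event"] == "recovery":
            per_ip[ip]["recoveries"] += 1  # reported, not used as the trigger
            continue
        if e["result"] != "ok":
            continue
        per_ip[ip]["accounts"].add(acct)
        # An account with prior history elsewhere showing up here for the
        # first time. Brand-new accounts (empty history) are not counted.
        if seen[acct] and ip not in seen[acct]:
            per_ip[ip]["new_for_account"].add(acct)
        seen[acct].add(ip)

    out = {}
    for ip, s in per_ip.items():
        n, new = len(s["accounts"]), len(s["new_for_account"])
        ratio = new / n if n else 0.0
        out[ip] = {
            "accounts": n,
            "new_for_account": new,
            "new_ratio": round(ratio, 2),
            "recoveries": s["recoveries"],
            "flag": n >= min_accounts and ratio >= min_new_ratio,
        }
    return out


def flagged_ips(lines, **kw):
    """Convenience wrapper: sorted list of IPs the scorer flags."""
    return sorted(ip for ip, s in score_ips(parse(lines), **kw).items() if s["flag"])


def build_sample_log():
    """Constructed data, not real traffic: a campus NAT plus one phisher."""
    lines = []
    nat = "198.51.100.1"
    for i in range(50):  # 50 students, two days running, same NAT address
        for day in (1, 2):
            lines.append(
                f"2021-03-0{day}T10:{i:02d}:00Z account=campus-{i:03d} "
                f"ip={nat} event=login result=ok"
            )
    attacker = "203.0.113.7"
    for i in range(30):  # 30 victims: own home IP on day 1, attacker's on day 2
        lines.append(
            f"2021-03-01T12:{i:02d}:00Z account=victim-{i:03d} "
            f"ip=192.0.2.{i + 1} event=login result=ok"
        )
        lines.append(
            f"2021-03-02T12:{i:02d}:00Z account=victim-{i:03d} "
            f"ip={attacker} event=login result=ok"
        )
    # A failed attempt and a garbage line, to show both are ignored.
    lines.append("2021-03-02T13:00:00Z account=victim-000 ip=203.0.113.7 event=login result=fail")
    lines.append("this line is not a log event and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, stats in sorted(score_ips(parse(build_sample_log())).items()):
        if stats["accounts"] > 1 or stats["flag"]:
            print(ip, stats)
```

Run as a script it prints one line per multi-account IP: the campus NAT shows 50 accounts with a new_ratio of 0.0 and is not flagged, while the phisher's home address shows 30 accounts, every one of which had never used it before, and is flagged. The "first time from this IP" condition is itself noisy for any single account (people travel), which is why it is evaluated as a ratio across many accounts per IP rather than as a per-account alert.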
| mrkramer wrote:
| Phishing is one of the most common entry points of
| cyberattacks. Even tech savvy people get tricked into clicking
| links or downloading attachments.
| bogwog wrote:
| > Even tech savvy people get tricked into clicking links or
| downloading attachments.
|
| Like Jim Browning, the Youtuber famous for scamming scammers,
| who recently fell for a phishing scam himself and ended up
| deleting his Youtube account.
| (https://news.slashdot.org/story/21/07/28/2023241/youtube-cha...)
| nitrogen wrote:
| Has that been resolved yet? I'm really curious what advice
| he gives based on that experience.
| fny wrote:
| You mean like this?
|
| EDIT: DO NOT TRY WHAT FOLLOWS. IT IS AN EXAMPLE OF A SCAM.
|
| Wow! XYZ is smart enough to block your password so others can't
| see it! -[d13567]--|h[?]-[
|
| I can see it, but you can't. Try it!!!!
|
| An unbelievable number of people fell for this on Myspace and
| Facebook in the early days.
| abacadaba wrote:
| Edit: just tried this it DOES NOT work, don't do it
| detaro wrote:
| if you actually did, you should change your password now.
| And pick a more secure one. (not going to try if what you
| posted actually works...)
| fny wrote:
| It doesn't. DO NOT TRY. I was just giving an example of a
| classic scam, and I can't believe someone actually tried
| it.
| detaro wrote:
| I meant I won't try if I can log into their account with
| what their comment said at first.
| fny wrote:
| *Facepalm* What were you thinking?!
| Beaver117 wrote:
| Let me try - dmich87!@#
| hunter2_ wrote:
| Yep, works perfectly.
| spiderice wrote:
| This was also a common technique used in Runescape back in
| the day. Takes me back. The much more innocent version was
| all chatting "Press alt q q for free gold" in Warcraft 3.
| Alt+q+q was the keyboard shortcut to abandon the match, which
| I learned the hard way.
| nitrogen wrote:
| In Brood War it was "press Alt-F4 to download faster" when
| someone wanted to boot the slow user on a dial-up modem.
| BuildTheRobots wrote:
| +++ATH0
| branon wrote:
| hunter2
| Corrado wrote:
| all I see is ****
| gowld wrote:
| Google will alert the account owner (across all channels --
| devices they own, and Gmail) when there's a login from a new
| device. Doesn't Apple do the same?
| Cullinet wrote:
| I had this idea for a service just the other night : a means
| of overlaying real time messages and alerts direct to any app
| you are using at the time. Kind of Class 0 "flash" SMS.
| [deleted]
| jeromegv wrote:
| Yes they do. But don't underestimate how much people don't
| actually read their emails. They have 20 newsletters coming
| in every day and quickly check if anything is related to
| them, they have no idea what that iCloud email says. They
| just fell victim to a phishing attempt, they are already not
| that tech savvy.
| jchw wrote:
| To be fair, phishing is just the path of least resistance due
| to overall security improvements getting rid of other low-
| hanging fruit. If security became worse overall, phishing would
| fall a bit more out of favor.
| [deleted]
___________________________________________________________________
(page generated 2021-08-24 23:00 UTC)