The hacker used what’s called “social engineering” to obtain information from Apple’s support techs. Social engineering is gathering information, either verbally or by messaging, that compromises the security of a user. It’s very common in identity theft. Even tougher, the person hacked is himself a tech journalist.
The Sydney Morning Herald
Several others have reported similar stories of Apple handing access to their accounts over to hackers. Security experts say it is "very concerning" that Apple's staff could be so easily tricked, while even Apple co-founder Steve Wozniak believes the move to cloud computing will create "horrendous" problems in the next five years.
The problem is that the Cloud is an aggregator of accounts and operations. The idea of “One password to rule them all” has always had holes in it, and this one is looking like a super-massive black hole for the Cloud, until it gets it right.
In all fairness to Apple support, people get hacked like this every day of the week on the net. Social engineering can also do what conventional cracking and hacking often can’t do: get the critical information required to use accounts.
The user, Mat Honan, lost a lot on the Cloud, including a year’s worth of photos, emails, and access to multiple accounts. He was fully trashed, and in my opinion, from the sheer amount of destruction, may have been deliberately targeted. An Apple designer, in fact, was similarly targeted and affected:
Chance Graham, a "designer at Apple" according to his Twitter page, tweeted: "Exact same thing happened to me - iCloud was social engineered via support. All accounts compromised. Hacker contacts me. Same m/o?"
Then there’s this interesting little fact:
The hacker also contacted Honan to let him know that they accessed his account "via Apple tech support and some clever social engineering that let them bypass security questions".
Bragging, or seeding some doubts? Either somebody has a serious grudge against these people, or a hacker has found a weak spot at Apple and is exploiting it selectively. Another possibility is that the hacker(s) may be working for somebody. Unlike viruses and Trojans, selective hacking isn’t done “on principle”. Selective hacking is done for a reason. So is information-trashing. Social engineering implies direct targeting of individuals.
If that’s the case, the Cloud may not be a very safe place to put assets. Targeting has other ramifications apart from trashing individuals. Imagine important business data being compromised like that. One hack could do billions of dollars’ worth of damage.
The Cloud is in fact another tier of the internet. It’s a secondary form. It has separate and unique functions, but obviously it has to interact with the net. There is precisely no reason at all to believe that basic hacking techniques can’t work just as well on the Cloud, and in this case even more efficiently.
If Cloud promoters want to be taken seriously by users, security has to be a proven fact. People may tolerate security risks online as “normal”, but that’s a long way from wanting any more risk. Businesses are not going to be reassured by these events. Solving the obvious problems is going to have to take priority before anyone’s prepared to go on to the Cloud without a risk manager on standby.