Forgot your password?
typodupeerror
Cloud Security Apple News

Apple Denies Systems Breach In Photo Leak 311

Posted by Soulskill
from the not-my-fault-i-promise dept.
Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
This discussion has been archived. No new comments can be posted.

Apple Denies Systems Breach In Photo Leak

Comments Filter:
  • by John3 (85454) <john3@cornells . c om> on Wednesday September 03, 2014 @11:04AM (#47816769) Homepage Journal
    Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

      • by Anonymous Coward on Wednesday September 03, 2014 @11:17AM (#47816893)

        protect your password manager with a strong password from another password manager to protect!

      • by John3 (85454) <john3@cornells . c om> on Wednesday September 03, 2014 @11:23AM (#47816937) Homepage Journal
        Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.
        • by vux984 (928602) on Wednesday September 03, 2014 @02:52PM (#47818981)

          Use one very strong password for the password manager.

          Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.

          My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc is fairly simple. (It still counts as strong by all usual metrics, but its easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. Its sync'd via cloud to my smart phone, laptop, work computer, etc.

          My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)

          If you use a strong enough password then you'll be fine.

          Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?

          Its just silly.

          And its another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.

          • by drkim (1559875)

            ...I recommend using multiple safes/vaults/etc with different passwords...

            It's just funny - because Pamela Anderson had her sex tape stolen from her safe. (back when there were 'tapes')

      • I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

        Password 'managers' make me nervous(unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process inst

        • by DarkOx (621550) on Wednesday September 03, 2014 @01:42PM (#47818357) Journal

          You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.

          If you going to keep it on your desktop or on your phone and NOT send it over the network. Than I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only anyone is going to get hold of it is if they pwn your computing device. If they do that than they don't need to beak the crypto they will just wait with the keylogger running for your to unlock it and collect the secret.

          At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.

      • by Anonymous Coward on Wednesday September 03, 2014 @12:17PM (#47817483)

        I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

        And yet, in reality, regardless of your personal security measures, you already have this today

        It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

        All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

        • by mjwx (966435)

          I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

          And yet, in reality, regardless of your personal security measures, you already have this today

          It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

          All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

          I certainly dont have this today.

          I've got 3 different email addresses and 1 phone number, this isn't including my work email and all ordered by security level. The password reset for slashdot doesn't go to the same email my address domain registrar or accountant. Below this I have another email address I use for signing onto services that I know are going to spam me. The low security accounts are not linked in any way to the high security accounts and my high security account is only accessed from device

      • by Dishevel (1105119)
        If it is a trusted implementation, and you are using a very strong password (20 Characters, Upper case, Lower Case, numbers and symbols.), then you use unique generated passwords for each site you are really quite safe.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

        If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating pers

    • by Macrat (638047) on Wednesday September 03, 2014 @11:27AM (#47816977)

      Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

      What good is a password manager when the answers to your security questions are public knowledge?

      • by heypete (60671) <pete@heypete.com> on Wednesday September 03, 2014 @11:31AM (#47817005) Homepage

        Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

        What good is a password manager when the answers to your security questions are public knowledge?

        Who says you need to tell the truth on those questions?

        Q: "What is your mother's maiden name?"
        A: "Purple monkey dishwasher."

        Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

        • by gmhowell (26755)

          Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

          What good is a password manager when the answers to your security questions are public knowledge?

          Who says you need to tell the truth on those questions?

          Q: "What is your mother's maiden name?"
          A: "Purple monkey dishwasher."

          Damnit, time to change the security question on the password manager for my luggage.

      • by Megol (3135005)

        Don't use them - input random crap instead of correct information.

        • The point of security questions are to have things that you can remember without having to write them down. If you input random crap like you and others are suggesting you're just extending the stupidity to a different level OR being needlessly redundant, because then you have to write down what that stupid crap was. Which might as well be the same thing as writing down your password.

          • by St.Creed (853824)

            In keeping with the theme of todays Q&A: Security questions are for people who don't use password managers. People who use password managers don't need them and can thus put random crap in them.

      • by AmiMoJo (196126) *

        You don't answer those things honestly do you?

      • What good is a password manager when the answers to your security questions are public knowledge?

        Many sites, including all the financial institutions that I deal with, use the security questions as an additional layer of authentication, rather than as a mechanism to bypass passwords. If I login from a device that they do not recognize, they will ask the security questions. If I answer them correctly, then I still have to enter the correct password.

      • My Mother's maiden name is 52Vg8alTkWjJ92AXLq8c. I was born in the town of iyUJuoE5go9pWhylGHJT, where I got my first pet, 9DurEntFD7WU9lpZJCKI.

        If you ever tell the truth with a security question, you've done it wrong. If you ever use the same answer to a security question twice, you've done it wrong. If your answers have less entropy than your passwords, you've done it wrong.
    • by hairyfeet (841228) <bassbeast1968@NOsPAM.gmail.com> on Wednesday September 03, 2014 @12:39PM (#47817693) Journal

      WTF good is that gonna do when the "find my iPhone" feature allowed for unlimited password tries with NO TIME LIMIT as has been reported on several sites? You can have the best password ever created and if I can just brute force the site all day long without penalty then you be fucked friend, after all you can throw together an AMD octocore box for a couple hundred bucks that can crank out attempts in the millions if not tens of millions if you have a big enough pipe!

      Lets face it, somebody at Apple done fucked up REAL bad and instead of admitting it they are doing a "you're holding it wrong" level of BS spinjob trying to cover it up.

    • by Sara Chan (138144) on Wednesday September 03, 2014 @04:46PM (#47820187)
      There is a good article "Five reasons to blame Apple in nude celebrity photo leak [thespec.com]", in The Hamilton Spectator. Here are the key points (read the article for elaborations).

      1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
      2. The vulnerability was publicly known since May.
      3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
      4. Apple does not encourage two-factor authentication (it discourages this).
      5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).
  • by i kan reed (749298) on Wednesday September 03, 2014 @11:05AM (#47816785) Homepage Journal

    Remember 2008? Some random douche on 4chan just looked up her dog's name?

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    • The advice from people like you and me is to lie like hell.

      • Re: (Score:3, Funny)

        by i kan reed (749298)

        Sarah Palin has proven to be good at that.

        BOOM politics slam.

    • by mozumder (178398) on Wednesday September 03, 2014 @11:32AM (#47817009)

      Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

      Modern social media can also be used to identify personal information of regular people.

      If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

      Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.

      • You're clearly arguing that the best solution is to have no friends.

        (Also how did you get Karma so bad that you're lower than ACs?)

      • Re: (Score:2, Interesting)

        by Cro Magnon (467622)

        My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

      • by gtall (79522)

        If you are a celebrity, every douche and their brother's dog is going to be looking for nude photos. Don't take them, instead populate your collections with variations on goatse, it will maim the perps for life.

    • Remember 2008? Some random douche on 4chan just looked up her dog's name?

      Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

      More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

    • by Aaden42 (198257)

      I always use something related to the question asked that isn’t technically the right answer but is something I’d remember.

      Example: Ask my mother-in-law’s name, I’ll enter “waste of oxygen”. Never gonna forget that one

  • I can indeed imagine that in some cases it would be possible to find the answer to the password security questions by doing some googling about the celebrity. With 2 factor authentication this would not have been an issue.
    I still wonder how the hackers got access to the email addresses of the celebrities they targeted? Because this is the necessary first step. Sloppy industry agents perhaps?
  • by erp_consultant (2614861) on Wednesday September 03, 2014 @11:09AM (#47816827)

    what the heck are these people thinking? Putting nude photos of yourself on a phone and synching it every which way? It's one thing if you are Joe-nobody but being a celebriry is entirely different. That's just plain stupid.

    • by CaptainDork (3678879) on Wednesday September 03, 2014 @11:14AM (#47816867)

      Wrong-think.

      If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

      • by Black Parrot (19622) on Wednesday September 03, 2014 @11:34AM (#47817037)

        But dealing with reality is very logical.

        If you don't want people to see pictures of you naked, don't take the pictures.
        And if you do, don't put them on a computer.
        And if you do, don't put them on a computer on the internet.
        And if you do, don't put them on someone else's computer on the internet.

        If they're out there, someone is going to get them.

        • by St.Creed (853824)

          f you don't want people to see pictures of you naked, don't take the pictures.

          Yes, it's probably too much to ask for some security on your private files, nowadays. Options like "only sync photo's with permission" or "Do not sync" folders are way to complex to implement. So let's put the burden of dealing with failing technology on the consumer. After all, that worked really well for car vendors, right?

          I foresee the day when Apple et al are going to pay HUGE settlements in class action suits if they keep up this rather cavalier attitude towards security.

        • by edremy (36408) on Wednesday September 03, 2014 @01:43PM (#47818381) Journal
          If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.

          Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

      • by Lehk228 (705449) on Wednesday September 03, 2014 @12:40PM (#47817713) Journal
        Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem when was it Paris hilton's sidekick got hacked again?

        if you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiney let's play flappy bird that is a choice with consequences.
      • by rHBa (976986)
        Better education of users is the answer. To coin a car analogy, most people now know not to leave their purse, computer, other valuable items visible in their car, they take extra measures like leaving it in the boot/trunk or not leaving it there in the first place.

        This was (and unfortunately still is) not always the case but because of advertising campaigns people tend to know they should be more aware.
    • by JustNiz (692889)

      What those celebs are actually thinking is that there's no such thing as bad publicity, especially when backed up with fake self-righteous indignation.

      I think its funny that most people still genuinely believe that those celebs really didn't want that stuff leaked.

      • I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.

        Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.
        And, yes, some of them will p

        • Lemonade out of lemons? Or lemonade out of sugar water?

        • by JustNiz (692889)

          >> I'd imagine that most of them really didn't want that stuff leaked ...Because most normal people tend to put naked pictures of themselves in a cloud somewhere?

          >> or they'd just leak them, themselves, in a coordinated manner.

          That was exactly my point, that this is actually coordinated.

    • by Aaden42 (198257) on Wednesday September 03, 2014 @12:32PM (#47817621) Homepage

      Wrong-think on several levels indeed.

      1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or effect their careers.

      2) Basic human dignity should preclude assholes like the attackers from invading others privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)

      3) I believe Apple enables photo syncing to the cloud by default when you setup iCloud on a new device. (I could be wrong. It’s been a while since I setup a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious falling of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.

      So as far as assigning blame for this one:

      1) The Hackers.
      2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
      3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
      4) Tech industry for pushing cloud-based storage.
      5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
      6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
      7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.

      You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.

  • by davidwr (791652) on Wednesday September 03, 2014 @11:10AM (#47816831) Homepage Journal

    Well, mostly.

    What Apple can do is require 2-factor authentication.

    They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

    • by MickyTheIdiot (1032226) on Wednesday September 03, 2014 @11:15AM (#47816875) Homepage Journal

      Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.

  • by qbast (1265706) on Wednesday September 03, 2014 @11:10AM (#47816835)
    It is not like they would admit to getting hacked if they can shift the blame to user. And let's not forget that probably half of NSA was fapping to these pictures.
    • by AmiMoJo (196126) * <(mojo) (at) (world3.net)> on Wednesday September 03, 2014 @11:22AM (#47816931) Homepage

      Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

      I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

      • Re:No surprise here (Score:5, Informative)

        by nine-times (778537) <nine.times@gmail.com> on Wednesday September 03, 2014 @12:43PM (#47817743) Homepage

        There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over sever years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.

        I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.

        • Yar, from what I've heard is that there is basically an underground ring that trades in these sorts of things -- not too dissimilar from the 'carding' groups. And, many different sources makes sense. File names in particular -- some are time stamps, others random characters. Pictures taken with a variety of phones (not all of which were iPhones etc.

  • by NotDrWho (3543773) on Wednesday September 03, 2014 @11:14AM (#47816873)

    It's THEIR fault. Apple MAKES NO MISTAKES!!!

  • by Noah Haders (3621429) on Wednesday September 03, 2014 @11:15AM (#47816877)
    You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

    The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

    http://9to5mac.com/2014/09/01/... [9to5mac.com]

    so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

    also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

    • by Wulfstan (180404)

      Yes, and I just don't believe them. It's super-bad press for them a week before they release their new device.

      The core problem is that in order to improve iCloud use they have actively encouraged users during the signup process to enable iCloud syncing - and default settings push all of your photos, docs and data. For a time-pressed celeb who may not be that tech savvy this is just asking for trouble.

      I'm a bit surprised by the number of people who send around naked photos of themselves though. I must be in

    • by Anubis IV (1279820) on Wednesday September 03, 2014 @12:00PM (#47817341)

      It's not known that this exploit was used on the celebrities

      The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.

      There's actually a fairly detailed breakdown of this and similar attacks [nikcub.com] already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).

      Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

      • Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

        WaPo article [washingtonpost.com] "Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts."

        Apple press release [macresource.com]: "To protect against this type of attack, we advise all users to always use a strong password".

        read different things into it, but the fact remains: human being suck at passwords. we have sucked at passwords for 30 years, and we wil

  • by Chewbacon (797801) on Wednesday September 03, 2014 @11:21AM (#47816925)

    I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

    • by mean pun (717227)

      I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

      As far as I know, the only website that I use that enforces such a limit is my bank, and even there I think it is heavy-handed. They could just block you for an hour after three failed attempts, or make the time exponential, or something.

      Logging in to FMi will be a relatively slow process anyway. A full brute-force attempt is extremely unlikely to succeed, so scripting only makes sense if the attacker knows at least some of the password. That is, if you want to try if one of 'fido1' to 'fido9999' is the rig

  • Good security doesn't depend on protocol secrecy.

    How the heck does it matter if Apple works with elcomsoft or not? If reverse-engineering a protocol is all it takes to jeapordize user's data, it's security-by-obscurity in the best case.

  • In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victimâ(TM)s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.

    So basically, in combination with your password, this tools let's you access resources secured by your password. Amazing! Next up you'll tell me there's a tool that lets you open my front door in combination with a copy of my house key!

    Let's put this another way -- you tell some /.er that he can buy a new iPhone, enter his password and immediately restore from an iCloud backup. Logically then, we expect that he understands that the password controls access to the backup, since the only thing he needed to pr

    • by St.Creed (853824)

      Not "your password" but "any password".

      Using the correct answer to a security question, you can reset the password for the backup. After that, you can download it and then apply the password you just entered. So the security is as strong as the weakest link, in this case still most likely the security questions.

  • That we use secure 2 factor authentication for our World of Warcraft accounts but we don't for important stuff like iCloud stored nudies?

  • by brunes69 (86786) <slashdot@kHORSEe ... minus herbivore> on Wednesday September 03, 2014 @11:49AM (#47817227) Homepage

    If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like 'only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.

  • by fuzzyfuzzyfungus (1223518) on Wednesday September 03, 2014 @11:56AM (#47817287) Journal
    Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

    Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

    In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).
    • Re: (Score:3, Interesting)

      by robstout (2873439)
      I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.
  • was about normal people, no one would have lifted a finger. Since its the "intellectual property" creators and precious entertainment stars it gets full media and FBI attention.

After an instrument has been assembled, extra components will be found on the bench.

Working...