
Apple Denies Systems Breach In Photo Leak

Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
  • by MickyTheIdiot ( 1032226 ) on Wednesday September 03, 2014 @11:15AM (#47816875) Homepage Journal

    Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.

  • by Cro Magnon ( 467622 ) on Wednesday September 03, 2014 @11:46AM (#47817177) Homepage Journal

    Because it's easier to remember the truth than a lie.

  • by Anubis IV ( 1279820 ) on Wednesday September 03, 2014 @12:00PM (#47817341)

    It's not known that this exploit was used on the celebrities

    The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.

    There's actually a fairly detailed breakdown of this and similar attacks [nikcub.com] already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).

    Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

  • Re:No surprise here (Score:5, Informative)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Wednesday September 03, 2014 @12:43PM (#47817743) Homepage

    There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over several years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.

    I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.

  • by Ksevio ( 865461 ) on Wednesday September 03, 2014 @01:09PM (#47818001) Homepage
    You can use any phone with SMS support [apple.com] which seems pretty standard. Since people are typically syncing from their iPhones to the iCloud they usually have an iPhone, but it's possible to use a freebie 10 year old brick phone if you wanted.
  • by Yaztromo ( 655250 ) on Wednesday September 03, 2014 @02:40PM (#47818883) Homepage Journal

    A strong password CAN be easily remembered. How about remembering 10 and 11?

    "Ten!!!!!!!!!!!"

    That's 10 and eleven "!" characters.

    There are a number of ways to calculate password effectiveness. If you assume zero knowledge of the password characteristics, then the 290 million years the website you linked to calculated may be accurate.

    Hackers, however, have typically found that certain patterns are used by humans more frequently than others, and instead of brute-forcing the password from the beginning (following UTF-8 order " ", " ", " !"... etc.), you can instead skip a significant part of the overall password space by only testing these common patterns.

    I prefer this tool [dropboxusercontent.com], which evaluates password entropy. The figures it comes up with do tend to presume that something about the structure of the password is known (i.e: in your example that it is a word followed by a repeating symbol), but IMO this is a good figure to base your password decisions off as it represents a worst-case scenario, and not the best-case scenario the tool you linked presumes.

    Using that tooling instead, your password's strength and estimated crack time is as follows:

    • password: Ten!!!!!!!!!!!
    • entropy: 18.669
    • crack time (seconds): 20.836
    • crack time (display): instant
    • score from 0 to 4: 0
    • calculation time (ms): 3

    FWIW, (and purely for the sake of comparison) one of the passwords I use online has, according to this tool, an entropy of 61.819 and a crack time of 203355820622500.06s (about 6.4 million years). And yes, it's something I both change often and have memorized.

    Yaz
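A structure-aware guess estimator in the spirit of the comment above, written as an added example (it is neither the linked tool nor the commenter's code). The word list, the single pattern it knows (one dictionary word followed by one repeated character), the case-variant multipliers and the guess rates are all constructed assumptions; what it shows is how far a pattern-first attack cuts the search below the zero-knowledge figure for a password like Ten!!!!!!!!!!!, and why a password that fits no known pattern falls back to the full brute-force space:

```python
import math
import re

# Constructed, deliberately tiny word list; rank 1 is the most common entry.
# A real estimator carries tens of thousands of ranked words, names and keyboard walks.
WORDLIST_RANK = {"password": 1, "ten": 2, "eleven": 3, "apple": 4, "hello": 5}

PRINTABLE = 95   # printable ASCII, the space a zero-knowledge brute force assumes
LETTERS = 26
DIGITS = 10
SYMBOLS = 33     # printable ASCII that is neither a letter nor a digit

# Assumed guess rates: a throttled online endpoint vs. an offline attack on a fast hash.
ONLINE_RATE = 10
OFFLINE_RATE = 10_000_000_000


def guesses_bruteforce(password: str) -> int:
    """Zero-knowledge estimate: every printable string of the same length."""
    return PRINTABLE ** len(password)


def _word_guesses(word: str):
    """Guesses to reach a dictionary word, including the capitalisation variants
    an attacker tries cheaply. None if the word is not in the list."""
    rank = WORDLIST_RANK.get(word.lower())
    if rank is None:
        return None
    if word.islower():
        case_variants = 1
    elif word == word.capitalize() or word.isupper():
        case_variants = 2          # Capitalised and ALLCAPS are the next two tried
    else:
        case_variants = 2 ** sum(c.isupper() for c in word)  # arbitrary mixed case
    return rank * case_variants


def _repeat_guesses(run: str) -> int:
    """One character repeated n times: pick the character, then the length."""
    ch = run[0]
    charset = DIGITS if ch.isdigit() else LETTERS if ch.isalpha() else SYMBOLS
    return charset * len(run)


def guesses_structured(password: str) -> int:
    """Guesses if the attacker tries [dictionary word][one repeated character]
    before anything else; falls back to brute force when the password does
    not fit that pattern."""
    match = re.fullmatch(r"([A-Za-z]+)(?:(.)\2*)?", password)
    if match:
        word = match.group(1)
        word_guesses = _word_guesses(word)
        if word_guesses is not None:
            tail = password[len(word):]
            return word_guesses * (_repeat_guesses(tail) if tail else 1)
    return guesses_bruteforce(password)


def bits(guesses: int) -> float:
    """Guess count expressed as entropy-style bits, log2(guesses)."""
    return math.log2(guesses)


def crack_seconds(guesses: int, rate: int) -> float:
    return guesses / rate


def report(password: str) -> dict:
    g_naive = guesses_bruteforce(password)
    g_struct = guesses_structured(password)
    return {
        "password": password,
        "naive_bits": round(bits(g_naive), 1),
        "structured_bits": round(bits(g_struct), 1),
        "structured_online_s": crack_seconds(g_struct, ONLINE_RATE),
        "structured_offline_s": crack_seconds(g_struct, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ("Ten!!!!!!!!!!!", "password", "xK9#mQ2$vL"):
        print(report(pw))
```

With this toy list, Ten!!!!!!!!!!! costs about 2^10.5 guesses (rank 2 word, two case variants, 33 symbols times 11 repeat lengths) against roughly 2^92 for the zero-knowledge figure; the exact numbers differ from the linked tool's, which has a far larger dictionary and many more patterns, but the gap between the two estimates is the point, and it is the structured one to plan around.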

  • by Sara Chan ( 138144 ) on Wednesday September 03, 2014 @04:46PM (#47820187)
    There is a good article "Five reasons to blame Apple in nude celebrity photo leak [thespec.com]", in The Hamilton Spectator. Here are the key points (read the article for elaborations).

    1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
    2. The vulnerability was publicly known since May.
    3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
    4. Apple does not encourage two-factor authentication (it discourages this).
    5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).
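Item 1 above, the "Security 101" point, is that an authentication endpoint which accepts an unlimited number of guesses lets a wordlist tool walk through an account no matter how strong the password looks, as long as the password is on the list. The following Python is an added illustration of that point and of the per-account lockout that prevents it; it is not Apple's code and describes none of Apple's actual services. The account, the wordlist, the KDF parameters, the five-failure threshold and the 900-second window are assumptions; the demo password is the one the article names:

```python
import hashlib
import hmac
import os
import time

KDF_ITERATIONS = 20_000   # assumed demo value; a production setting is tuned much higher


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so an offline attack is also expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)


class Authenticator:
    """Password check with per-account lockout. max_failures=None reproduces the
    'Security 101' mistake: the endpoint accepts an unlimited number of guesses."""

    def __init__(self, credentials, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self._store = {}
        for user, password in credentials.items():
            salt = os.urandom(16)
            self._store[user] = (salt, hash_password(password, salt))
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> clock value at which the lock expires
        self._dummy_salt = os.urandom(16)

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        now = self.clock()
        if self._locked_until.get(user, 0.0) > now:
            # Refuse before verifying: a locked account answers the same to every guess,
            # so the attacker learns nothing, not even from the right password.
            return "locked"
        record = self._store.get(user)
        if record is None:
            hash_password(password, self._dummy_salt)   # same cost for unknown users
            ok = False
        else:
            salt, stored = record
            ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self._failures[user] = 0
            return "ok"
        failures = self._failures.get(user, 0) + 1
        self._failures[user] = failures
        if self.max_failures is not None and failures >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "bad_credentials"


def wordlist_attack(auth: Authenticator, user: str, wordlist):
    """Online guessing the way a list-based tool does it.
    Returns (password found or None, number of attempts made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        outcome = auth.login(user, guess)
        if outcome == "ok":
            return guess, attempts
        if outcome == "locked":
            return None, attempts
    return None, attempts


class FakeClock:
    """Controllable clock so the lockout window can expire without sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


# Constructed demo data: the 'good-looking' password from the article sits at
# position 6 of the attacker's list, which is all a wordlist attack needs.
TARGET_USER = "demo@example.com"
TARGET_PASSWORD = "D0nM@tt1ngly!"
WORDLIST = ["123456", "password", "baseball", "iloveyou", "Yankees1",
            TARGET_PASSWORD, "Jeter2", "dragon"]


def demo() -> dict:
    clock = FakeClock()
    creds = {TARGET_USER: TARGET_PASSWORD}
    unthrottled = Authenticator(creds, max_failures=None, clock=clock)
    throttled = Authenticator(creds, max_failures=5, lockout_seconds=900, clock=clock)
    result = {
        "unthrottled": wordlist_attack(unthrottled, TARGET_USER, WORDLIST),
        "throttled": wordlist_attack(throttled, TARGET_USER, WORDLIST),
        # While locked, even the correct password is refused ...
        "correct_while_locked": throttled.login(TARGET_USER, TARGET_PASSWORD),
    }
    clock.advance(901)
    # ... and the real user gets in again once the window has passed.
    result["correct_after_expiry"] = throttled.login(TARGET_USER, TARGET_PASSWORD)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unthrottled endpoint gives up the password on the sixth guess; the throttled one locks after five failures and answers "locked" to the sixth, which happens to be the correct one. Two caveats a practitioner would add: the lockout has to wrap every path that verifies the password, not just the main sign-in form, or an attacker simply uses the path that was missed (the same coverage problem item 5 raises for two-factor enforcement); and per-account lockout on its own lets an attacker lock the legitimate user out at will, so real deployments pair it with per-source rate limits, progressive delays and a second factor rather than relying on it alone.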
