Apple Denies Systems Breach In Photo Leak 311
Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
Seemed pretty obvious this was the case (Score:5, Insightful)
This is also how Sarah Palin's email got "hacked" (Score:5, Insightful)
Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Re:Seemed pretty obvious this was the case (Score:3, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
Re:At the risk of blaming the victim... (Score:4, Insightful)
Wrong-think.
If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.
Re:No surprise here (Score:5, Insightful)
Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
What good is a password manager when the answers to your security questions are public knowledge?
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
What good is a password manager when the answers to your security questions are public knowledge?
Who says you need to tell the truth on those questions?
Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."
Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
Re:At the risk of blaming the victim... (Score:4, Insightful)
But dealing with reality is very logical.
If you don't want people to see pictures of you naked, don't take the pictures.
And if you do, don't put them on a computer.
And if you do, don't put them on a computer on the internet.
And if you do, don't put them on someone else's computer on the internet.
If they're out there, someone is going to get them.
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
And yet, in reality, regardless of your personal security measures, you already have this today
It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
Re:At the risk of blaming the victim... (Score:4, Insightful)
Wrong-think on several levels indeed.
1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or effect their careers.
2) Basic human dignity should preclude assholes like the attackers from invading others privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)
3) I believe Apple enables photo syncing to the cloud by default when you setup iCloud on a new device. (I could be wrong. It’s been a while since I setup a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious falling of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.
So as far as assigning blame for this one:
1) The Hackers.
2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
4) Tech industry for pushing cloud-based storage.
5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.
You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.
Re:At the risk of blaming the victim... (Score:3, Insightful)
"P@$$w0rd12"
If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.
Re:Seemed pretty obvious this was the case (Score:2, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating personal history).
I'm unconvinced that an attack based on manipulating the secret questions is not Apple's fault. As others have pointed out, this is useless for celebrities whose lives are relatively public. Birthplace, pet names, mother's maiden name, etc. are the kind of things that are relatively easily collected from fluff interviews. For non-celebrities, such information may only require a personal meeting.
A brute force attack is even worse. Unless everyone's using aardvark as their password, you would think that Apple would notice before the account is actually compromised.
People should not have to have degrees in information security to maintain privacy on their accounts. Apple should be pushing people to follow good security practices rather than blaming their customers when security fails. Can Apple even point to an account that the attackers tried to access but failed?
Comment removed (Score:5, Insightful)
Re:Seemed pretty obvious this was the case (Score:2, Insightful)
But also be sure you properly vet your password manager as they's a very delicious target for a trojan so unless you wrote the manager yourself or it comes from a source you trust (I'd recommend the creator of your OS as is they have malicious intent you're already fucked) you're asking fro trouble using a third party program to store all your passwords.
Whatever you do don't download an open source password manager form the Internet.
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.
If you going to keep it on your desktop or on your phone and NOT send it over the network. Than I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only anyone is going to get hold of it is if they pwn your computing device. If they do that than they don't need to beak the crypto they will just wait with the keylogger running for your to unlock it and collect the secret.
At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.
Re:At the risk of blaming the victim... (Score:5, Insightful)
Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.