
Apple Denies Systems Breach In Photo Leak

Posted by Soulskill
from the not-my-fault-i-promise dept.
Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
  • by erp_consultant (2614861) on Wednesday September 03, 2014 @10:09AM (#47816827)

    What the heck are these people thinking? Putting nude photos of yourself on a phone and synching it every which way? It's one thing if you are Joe-nobody but being a celebrity is entirely different. That's just plain stupid.

  • by davidwr (791652) on Wednesday September 03, 2014 @10:10AM (#47816831) Homepage Journal

    Well, mostly.

    What Apple can do is require 2-factor authentication.

    They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

  • by Noah Haders (3621429) on Wednesday September 03, 2014 @10:15AM (#47816877)
    You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

    The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News. Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

    http://9to5mac.com/2014/09/01/... [9to5mac.com]

    So there was no iCloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

    Also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.
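
The weakness quoted in the comment above is password guessing through one service "without any sort of lockout or alert to the target". As an added example (not part of the comment, and not Apple's code), here is a failed-login limiter keyed on the account rather than on the endpoint, so guesses through any entry point count toward one lockout and the owner is alerted. The thresholds and the endpoint names are assumptions.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed threshold
WINDOW_SECONDS = 900    # assumed sliding window for counting failures
LOCK_SECONDS = 1800     # assumed lockout duration


class AccountThrottle:
    """Failed-login limiter shared by every authentication endpoint."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}               # account -> unlock time
        self.alerts = []                     # (account, endpoint) owner notices

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0.0)

    def attempt(self, account, endpoint, password_ok):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"                  # a correct guess is refused too
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.alerts.append((account, endpoint))   # tell the account owner
            recent.clear()
            return "locked"
        return "denied"


def replay(events, throttle):
    """Feed constructed (account, endpoint, password_ok) events; return outcomes."""
    return [throttle.attempt(*event) for event in events]
```

A hard per-account lockout also lets anyone lock the owner out, so deployments usually pair it with per-source throttling or a step-up check instead of relying on it alone.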

  • by mozumder (178398) on Wednesday September 03, 2014 @10:32AM (#47817009)

    Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

    Modern social media can also be used to identify personal information of regular people.

    If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls' cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

    Also, you don't even need social media accounts to be targeted via social media. Just having friends that post pics with your bits of identifying info is enough.

  • by ixs (36283) on Wednesday September 03, 2014 @10:42AM (#47817135)

    And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.

    Details are at http://support.apple.com/kb/ht5570 [apple.com] and quoting from there:
    It requires you to verify your identity using one of your devices before you can take any of these actions:

    • Sign in to My Apple ID to manage your account
    • Make an iTunes, App Store, or iBooks Store purchase from a new device
    • Get Apple ID related support from Apple

    All iCloud communication is still unprotected. Bzzzzt. Neeext!

  • by Cro Magnon (467622) on Wednesday September 03, 2014 @10:53AM (#47817267) Homepage Journal

    My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

  • by fuzzyfuzzyfungus (1223518) on Wednesday September 03, 2014 @10:56AM (#47817287) Journal
    Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

    Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

    In the end (while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that (especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).
  • by robstout (2873439) on Wednesday September 03, 2014 @11:20AM (#47817519)
    I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.
  • by Lehk228 (705449) on Wednesday September 03, 2014 @11:40AM (#47817713) Journal
    Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem; when was it Paris Hilton's Sidekick got hacked again?

    If you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiny let's play Flappy Bird, that is a choice with consequences.
  • by vux984 (928602) on Wednesday September 03, 2014 @01:52PM (#47818981)

    Use one very strong password for the password manager.

    Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriately relative to their contents.

    My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc is fairly simple. (It still counts as strong by all usual metrics, but it's easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. It's sync'd via cloud to my smart phone, laptop, work computer, etc.)

    My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)

    If you use a strong enough password then you'll be fine.

    Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?

    It's just silly.

    And it's another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.
