Apple Denies Systems Breach In Photo Leak
Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
Seemed pretty obvious this was the case (Score:5, Insightful)
Re: (Score:3, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
Re:Seemed pretty obvious this was the case (Score:4, Funny)
protect your password manager with a strong password from another password manager to protect!
Re:Seemed pretty obvious this was the case (Score:5, Funny)
Pasword manager busta (Score:2)
busta. Plug and play mofo, yo...
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
Oblig. XKCD [xkcd.com].
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Re:Seemed pretty obvious this was the case (Score:4, Interesting)
Use one very strong password for the password manager.
Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.
My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc. is fairly simple. (It still counts as strong by all usual metrics, but it's easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. It's synced via cloud to my smart phone, laptop, work computer, etc.)
My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)
If you use a strong enough password then you'll be fine.
Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?
It's just silly.
And it's another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.
Re: (Score:3)
...I recommend using multiple safes/vaults/etc with different passwords...
It's just funny - because Pamela Anderson had her sex tape stolen from her safe. (back when there were 'tapes')
Re: (Score:3)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
Password 'managers' make me nervous (unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process inst
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot, yes, the cryptography had better be done right.
If you're going to keep it on your desktop or on your phone and NOT send it over the network, then I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only way anyone is going to get hold of it is if they pwn your computing device. If they do that, then they don't need to break the crypto; they will just wait with the keylogger running for you to unlock it and collect the secret.
At that point, though, you rather than $PUBLIC_WEBSITE have become the attacker's target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
And yet, in reality, regardless of your personal security measures, you already have this today
It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
Re: (Score:3)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
And yet, in reality, regardless of your personal security measures, you already have this today
It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
I certainly don't have this today.
I've got 3 different email addresses and 1 phone number, not including my work email, all ordered by security level. The password reset for Slashdot doesn't go to the same email address as my domain registrar or accountant. Below this I have another email address I use for signing onto services that I know are going to spam me. The low security accounts are not linked in any way to the high security accounts and my high security account is only accessed from device
Re: (Score:2)
Re: (Score:2, Insightful)
I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating pers
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
What good is a password manager when the answers to your security questions are public knowledge?
Re:Seemed pretty obvious this was the case (Score:5, Insightful)
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
What good is a password manager when the answers to your security questions are public knowledge?
Who says you need to tell the truth on those questions?
Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."
Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
Re: (Score:2)
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
What good is a password manager when the answers to your security questions are public knowledge?
Who says you need to tell the truth on those questions?
Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."
Damnit, time to change the security question on the password manager for my luggage.
Re: (Score:2)
Don't be so short-sighted. Use the password managers to store passwords that are employed instead of answers to secret questions.
Re: (Score:3)
OK - A password manager is a great way to keep track of all the nonsense answers you put in for security questions.
Re: (Score:3)
Don't use them - input random crap instead of correct information.
Re: (Score:2)
The point of security questions is to have things that you can remember without having to write them down. If you input random crap like you and others are suggesting, you're just extending the stupidity to a different level OR being needlessly redundant, because then you have to write down what that stupid crap was. Which might as well be the same thing as writing down your password.
Re: (Score:3)
In keeping with the theme of today's Q&A: Security questions are for people who don't use password managers. People who use password managers don't need them and can thus put random crap in them.
Re: (Score:3)
Not necessarily. Security questions are essentially the same thing as passwords in every respect, except they're giving a clue as to their answer. But there are ways to make security questions secure, some of which are the same for passwords. A) Use sentences to answer the question. They may know your pet is named "Scout" but they probably won't know the answer if it's "My third pet who was a dog was named scout" (assuming you could use that long an answer). B) Security questions could be determined b
Re: (Score:2)
You don't answer those things honestly do you?
Re: (Score:2)
What good is a password manager when the answers to your security questions are public knowledge?
Many sites, including all the financial institutions that I deal with, use the security questions as an additional layer of authentication, rather than as a mechanism to bypass passwords. If I login from a device that they do not recognize, they will ask the security questions. If I answer them correctly, then I still have to enter the correct password.
Re: (Score:3)
If you ever tell the truth with a security question, you've done it wrong. If you ever use the same answer to a security question twice, you've done it wrong. If your answers have less entropy than your passwords, you've done it wrong.
Comment removed (Score:5, Insightful)
Five reasons to blame Apple (Score:4, Informative)
1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
2. The vulnerability was publicly known since May.
3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
4. Apple does not encourage two-factor authentication (it discourages this).
5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).
Re:Seemed pretty obvious this was the case (Score:5, Informative)
A strong password CAN be easily remembered. How about remembering 10 and 11?
"Ten!!!!!!!!!!!"
That's 10 and eleven "!" characters.
There are a number of ways to calculate password effectiveness. If you assume zero knowledge of the password characteristics, then the 290 million years the website you linked to calculated may be accurate.
Hackers, however, have typically found that certain patterns are used by humans more frequently than others, and instead of brute-forcing the password from the beginning (following UTF-8 order " ", " ", " !"... etc.), you can instead skip a significant part of the overall password space by only testing these common patterns.
I prefer this tool [dropboxusercontent.com], which evaluates password entropy. The figures it comes up with do tend to presume that something about the structure of the password is known (i.e: in your example that it is a word followed by a repeating symbol), but IMO this is a good figure to base your password decisions off as it represents a worst-case scenario, and not the best-case scenario the tool you linked presumes.
Using that tooling instead, your password's strength and estimated crack time are as follows:
FWIW, (and purely for the sake of comparison) one of the passwords I use online has, according to this tool, an entropy of 61.819 and a crack time of 203355820622500.06s (about 6.4 million years). And yes, it's something I both change often and have memorized.
Yaz
This is also how Sarah Palin's email got "hacked" (Score:5, Insightful)
Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Re: (Score:2)
The advice from people like you and me is to lie like hell.
Re: (Score:3, Funny)
Sarah Palin has proven to be good at that.
BOOM politics slam.
Re: (Score:2)
He's using SHA1 as a one time pad against people who know the answers to his questions, but not that he encrypts them.
The algorithm being broken doesn't do the theoretical malicious actor any good. He could use a checksum/rot13/whatever and the effect would be the same.
Not just public figures (Score:5, Interesting)
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Modern social media can also be used to identify personal information of regular people.
If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls' cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.
Also, you don't even need social media accounts to be targeted via social media. Just having friends that post pics with bits of your identifying info is enough.
Re: (Score:2)
You're clearly arguing that the best solution is to have no friends.
(Also how did you get Karma so bad that you're lower than ACs?)
Re: (Score:2, Interesting)
My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.
Re: (Score:2)
If you are a celebrity, every douche and their brother's dog is going to be looking for nude photos. Don't take them, instead populate your collections with variations on goatse, it will maim the perps for life.
Re: (Score:2)
Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.
Re:This is also how Sarah Palin's email got "hacke (Score:5, Informative)
Because it's easier to remember the truth than a lie.
Re: (Score:2)
That depends.
Re: (Score:2)
If that were true there would be no religions or climate change deniers, they'd all be forgotten.
You're (apparently willfully obtusely) mixing up objective truth with what one believes to be true. It's always easier to remember facts that one has already learned (particularly from one's own past) than lies one has made up on the spot.
Dan Aris
Re: (Score:2)
Re: (Score:2)
I always use something related to the question asked that isn’t technically the right answer but is something I’d remember.
Example: Ask my mother-in-law’s name, I’ll enter “waste of oxygen”. Never gonna forget that one
Re: (Score:2)
No, I'm pretty sure it's the random guy, not 4chan as a whole, that's the douche, Mr. Anonymous-needs-defending.
This is the "your lock could be picked so I let myself in" defense.
But how do the hackers get the email addresses? (Score:2)
I still wonder how the hackers got access to the email addresses of the celebrities they targeted? Because this is the necessary first step. Sloppy industry agents perhaps?
Re: (Score:2)
That would be the easy part. If they use their email address for anything presumably it's to receive and send email so they CAN'T keep it a secret.
Re:But how do the hackers get the email addresses? (Score:5, Funny)
At the risk of blaming the victim... (Score:3, Interesting)
what the heck are these people thinking? Putting nude photos of yourself on a phone and syncing it every which way? It's one thing if you are Joe-nobody but being a celebrity is entirely different. That's just plain stupid.
Re:At the risk of blaming the victim... (Score:4, Insightful)
Wrong-think.
If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.
Re:At the risk of blaming the victim... (Score:4, Insightful)
But dealing with reality is very logical.
If you don't want people to see pictures of you naked, don't take the pictures.
And if you do, don't put them on a computer.
And if you do, don't put them on a computer on the internet.
And if you do, don't put them on someone else's computer on the internet.
If they're out there, someone is going to get them.
Re: (Score:2)
If you don't want people to see pictures of you naked, don't take the pictures.
Yes, it's probably too much to ask for some security on your private files, nowadays. Options like "only sync photos with permission" or "Do not sync" folders are way too complex to implement. So let's put the burden of dealing with failing technology on the consumer. After all, that worked really well for car vendors, right?
I foresee the day when Apple et al are going to pay HUGE settlements in class action suits if they keep up this rather cavalier attitude towards security.
Re:At the risk of blaming the victim... (Score:5, Insightful)
Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.
Re: (Score:3, Insightful)
"P@$$w0rd12"
If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managi
Re: (Score:3)
See? There's the wrong-think.
Recall that systems people are the ones who are driving the freaking truck.
How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?
How hard is it to enforce two level authorization at sign-up?
The paradigm where we blame the victims instead of unimaginative and lazy IT jockeys has got to stop.
Re: (Score:3)
How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?
It's pretty hard. Whatever rules you use to automate the detection of weak passwords can be fooled. That was my point with "P@$$w0rd12". By most automated systems' ability to check, that's a strong password. Still, if you're running a dictionary attack, you're going to include things like that.
How hard is it to enforce two level authorization at sign-up?
Not necessarily easy, unless you can assume (a) everyone has whatever they need for the second factor; and (b) people will tolerate using the second factor. Even if you strictly enforce a second factor which send
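An added example, not from any of the posters above, that covers both the entropy comparison in Yaz's post (the "Ten!!!!!!!!!!!" password under a zero-knowledge 95^n model versus a pattern-aware one) and the "P@$$w0rd12" point just above: a composition-rule check that the password passes, beside a simplified zxcvbn-style estimator that charges only for the patterns a dictionary attack actually enumerates. The wordlist, the leet table, the 33-symbol count and the 10^10 guesses/second rate are constructed assumptions, not figures from either tool the thread links.

```python
import math
import re

# Constructed stand-in for a cracking wordlist (assumption; a real list has
# millions of entries, which raises the word cost to roughly 20-23 bits,
# still far below the zero-knowledge figure).
WORDLIST = {"ten", "password", "dog", "scout", "fido", "purple", "monkey",
            "dishwasher"}

# Common "leet" substitutions a dictionary attack undoes before lookup.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

PRINTABLE = 95   # printable ASCII characters
SYMBOLS = 33     # printable ASCII characters that are not letters or digits


def composition_check(pw, min_len=8):
    """The usual composition rule: at least min_len characters and at least
    three of {lower, upper, digit, symbol}. 'P@$$w0rd12' passes it."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def naive_bits(pw):
    """Zero-knowledge model: every character drawn uniformly from 95."""
    return len(pw) * math.log2(PRINTABLE)


def _word_bits(word):
    """Cost of a dictionary word: its index in the list, plus one bit if any
    letter is capitalised, plus one bit per leet substitution present.
    Returns None when the decoded word is not in the list."""
    decoded = word.lower().translate(LEET)
    if decoded not in WORDLIST:
        return None
    bits = math.log2(len(WORDLIST))
    bits += 1 if any(c.isupper() for c in word) else 0
    bits += sum(1 for a, b in zip(word.lower(), decoded) if a != b)
    return bits


def pattern_bits(pw):
    """Pattern-aware model (simplified, in the spirit of zxcvbn): try to
    split the password as <dictionary word><repeated symbol run><digits>.
    If a split exists, charge only what enumerating those patterns costs;
    otherwise fall back to the zero-knowledge figure.
    Returns (bits, description)."""
    for i in range(len(pw), 0, -1):
        wbits = _word_bits(pw[:i])
        if wbits is None:
            continue
        m = re.fullmatch(r"(?P<rep>(?P<ch>[^0-9A-Za-z])(?P=ch)*)?(?P<dig>\d*)",
                         pw[i:])
        if m is None:
            continue
        bits, parts = wbits, [f"word({pw[:i]!r})"]
        if m.group("rep"):
            run = m.group("rep")
            # attacker picks which symbol and how long the run is
            bits += math.log2(SYMBOLS) + math.log2(len(run))
            parts.append(f"repeat({run[0]!r}x{len(run)})")
        if m.group("dig"):
            bits += len(m.group("dig")) * math.log2(10)
            parts.append(f"digits({m.group('dig')!r})")
        return bits, "+".join(parts)
    return naive_bits(pw), "no pattern matched"


def crack_seconds(bits, guesses_per_second=1e10):
    """Seconds to exhaust the space at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second


def evaluate(pw):
    """Side-by-side view: composition rule versus the two entropy models."""
    pbits, how = pattern_bits(pw)
    return {
        "passes_composition_rule": composition_check(pw),
        "naive_bits": round(naive_bits(pw), 1),
        "pattern_bits": round(pbits, 1),
        "pattern": how,
        "naive_years": crack_seconds(naive_bits(pw)) / 3.15e7,
        "pattern_seconds": crack_seconds(pbits),
    }


if __name__ == "__main__":
    for pw in ("Ten!!!!!!!!!!!", "P@$$w0rd12", "Purple monkey dishwasher"):
        print(pw, evaluate(pw))
```

Both thread examples pass the composition rule and look like 60-90 bits under the zero-knowledge model, yet decompose to under 15 bits once the word, the symbol run and the trailing digits are priced as patterns.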
Re:At the risk of blaming the victim... (Score:4, Interesting)
if you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiney let's play flappy bird that is a choice with consequences.
Re: (Score:2)
This was (and unfortunately still is) not always the case but because of advertising campaigns people tend to know they should be more aware.
Re: (Score:2)
What those celebs are actually thinking is that there's no such thing as bad publicity, especially when backed up with fake self-righteous indignation.
I think its funny that most people still genuinely believe that those celebs really didn't want that stuff leaked.
Re: (Score:3)
I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.
Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.
And, yes, some of them will p
Re: (Score:2)
Lemonade out of lemons? Or lemonade out of sugar water?
Re: (Score:2)
>> I'd imagine that most of them really didn't want that stuff leaked ...Because most normal people tend to put naked pictures of themselves in a cloud somewhere?
>> or they'd just leak them, themselves, in a coordinated manner.
That was exactly my point, that this is actually coordinated.
Re:At the risk of blaming the victim... (Score:4, Insightful)
Wrong-think on several levels indeed.
1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn't something that should even be reported, much less held against them or affect their careers.
2) Basic human dignity should preclude assholes like the attackers from invading others privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)
3) I believe Apple enables photo syncing to the cloud by default when you set up iCloud on a new device. (I could be wrong. It's been a while since I set up a device from scratch rather than backup/restore.) I wouldn't expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious failing of the tech industry for not educating people about the risks of using cloud-based services. I also wouldn't expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn't a reasonable approach.
So as far as assigning blame for this one:
1) The Hackers.
2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
4) Tech industry for pushing cloud-based storage.
5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.
You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.
Re: (Score:2)
what the heck are these people thinking? Putting valuables in your house, and installing windows so people can see right in? It's like they're INVITING robberies!!!
Criminal trespass is criminal trespass. It doesn't matter if it was "easy" to get to the photos - they were not yours, or anybody else's, to access without permission.
I don't think the debate is about whether the access of the photos was a crime, rather it is turning into a debate about the thought given, or not, of how sensitive information is being handled, in this case celebrity nude pics of themselves. Having valuables in my house and having windows in my house are both OK, but placing valuables right up against the front windows where a smash-and-grab can get them is stupid. If a person takes nude pics of themselves, then the person better understand that they hav
Solution lies with users, not Apple (Score:5, Interesting)
Well, mostly.
What Apple can do is require 2-factor authentication.
They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.
Re:Solution lies with users, not Apple (Score:5, Informative)
Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.
Re: (Score:2)
You can buy RSA tokens, the same that governments and militaries around the world rely on, for $10 a piece.
Re:Solution lies with users, not Apple (Score:4, Informative)
Re:Solution lies with users, not Apple (Score:5, Interesting)
And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.
Details are at http://support.apple.com/kb/ht5570 [apple.com] and quoting from there:
It requires you to verify your identity using one of your devices before you can take any of these actions:
All iCloud communication is still unprotected. Bzzzzt. Neeext!
Re: (Score:2)
Re: (Score:2)
And then your phone breaks and you lose all your data.
Re: (Score:3)
And then your phone breaks and you lose all your data.
Because there's no other options than "lose everything" or "put it all on someone else's computer?"
I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.
Re: (Score:2)
Sometimes. Not everyone that has a smartphone also owns a computer.
Re: (Score:2)
Actually, phone users that don't own a PC (or a Mac for that matter, if you don't count them as PCs) do exist.
How do you back up your phone if you don't want to use a cloud and have no computer at home?
No surprise here (Score:3)
Re:No surprise here (Score:5, Insightful)
Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.
Re:No surprise here (Score:5, Informative)
There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over several years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.
I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.
Re: (Score:3)
Yar, from what I've heard there is basically an underground ring that trades in these sorts of things -- not too dissimilar from the 'carding' groups. And many different sources makes sense. File names in particular -- some are time stamps, others random characters. Pictures taken with a variety of phones (not all of which were iPhones, etc.).
Our dumb users are holding it wrong! (Score:5, Funny)
It's THEIR fault. Apple MAKES NO MISTAKES!!!
Find My Friends password flaw (Score:5, Interesting)
The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News. Apple patched the service at 3.20am PT today. While it's possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.
http://9to5mac.com/2014/09/01/... [9to5mac.com]
so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...
also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.
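An added example, not from the 9to5mac report or the poster, of the two controls the quoted report says were missing on the login endpoint: a per-account sliding-window failure counter that locks the account and records an alert for its owner, and an offline detector that flags the "many failures, then a success" pattern in an authentication log. The log format, the account names and the TEST-NET addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: one auth attempt per line).
# alice: six wrong guesses then the right one; bob: an ordinary typo;
# carol: five wrong guesses and no success.
SAMPLE_LOG = """\
2014-09-01T03:10:00Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:01Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:02Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:03Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:04Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:05Z account=alice src=203.0.113.5 result=fail
2014-09-01T03:10:06Z account=alice src=203.0.113.5 result=ok
2014-09-01T03:11:00Z account=bob src=198.51.100.7 result=fail
2014-09-01T03:11:20Z account=bob src=198.51.100.7 result=ok
2014-09-01T03:12:00Z account=carol src=203.0.113.5 result=fail
2014-09-01T03:12:01Z account=carol src=203.0.113.5 result=fail
2014-09-01T03:12:02Z account=carol src=203.0.113.5 result=fail
2014-09-01T03:12:03Z account=carol src=203.0.113.5 result=fail
2014-09-01T03:12:04Z account=carol src=203.0.113.5 result=fail
"""

LINE_RE = re.compile(r"(\S+) account=(\S+) src=(\S+) result=(ok|fail)")


def parse_log(lines):
    """Yield (timestamp, account, src, credential_ok) per well-formed line."""
    for line in lines:
        m = LINE_RE.fullmatch(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4) == "ok"


class LoginGuard:
    """Online control: after `threshold` failures within `window` seconds
    the account is locked for `lockout` seconds and an alert is recorded.
    A correct password presented while locked is still refused, which is
    what stops an unlimited-guess attack from ever paying off."""

    def __init__(self, threshold=5, window=300, lockout=900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked_until = {}               # account -> datetime
        self.alerts = []                     # (time, account, src, message)

    def attempt(self, ts, account, src, credential_ok):
        if account in self.locked_until and ts < self.locked_until[account]:
            return "locked"
        if credential_ok:
            self.failures.pop(account, None)
            return "ok"
        q = self.failures[account]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()                      # forget failures outside window
        if len(q) >= self.threshold:
            self.locked_until[account] = ts + timedelta(seconds=self.lockout)
            self.alerts.append((ts, account, src,
                                f"{len(q)} failures in {self.window}s; locked"))
            q.clear()
            return "locked"
        return "fail"


def find_bruteforce_then_success(lines, threshold=5, window=300):
    """Offline detection over a log: accounts where at least `threshold`
    failures within `window` seconds precede a success. Returns a list of
    (account, failures_before_success, src_of_success)."""
    recent, hits = defaultdict(deque), []
    for ts, account, src, ok in parse_log(lines):
        q = recent[account]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()
        if ok:
            if len(q) >= threshold:
                hits.append((account, len(q), src))
            q.clear()
        else:
            q.append(ts)
    return hits


def replay(lines, guard=None):
    """Run the log through a LoginGuard; returns (guard, [(account, outcome)])."""
    guard = guard or LoginGuard()
    outcomes = [(a, guard.attempt(ts, a, src, ok))
                for ts, a, src, ok in parse_log(lines)]
    return guard, outcomes


if __name__ == "__main__":
    g, out = replay(SAMPLE_LOG.splitlines())
    print(out)
    print(g.alerts)
    print(find_bruteforce_then_success(SAMPLE_LOG.splitlines()))
```

With the guard in place alice's seventh, correct, attempt is refused and her owner-facing alert fires at the fifth failure; run retrospectively over the same log, the detector names alice as the one account where a burst of failures was followed by a login.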
Re: (Score:2)
Yes, and I just don't believe them. It's super-bad press for them a week before they release their new device.
The core problem is that in order to improve iCloud use they have actively encouraged users during the signup process to enable iCloud syncing - and default settings push all of your photos, docs and data. For a time-pressed celeb who may not be that tech savvy this is just asking for trouble.
I'm a bit surprised by the number of people who send around naked photos of themselves though. I must be in
Re: (Score:2)
Not prurient. Whatever the opposite is.
Re: (Score:2)
Re:Find My Friends password flaw (Score:5, Informative)
It's not known that this exploit was used on the celebrities
The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.
There's actually a fairly detailed breakdown of this and similar attacks [nikcub.com] already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).
Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.
Re: (Score:2)
Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.
WaPo article [washingtonpost.com] "Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts."
Apple press release [macresource.com]: "To protect against this type of attack, we advise all users to always use a strong password".
read different things into it, but the fact remains: human beings suck at passwords. We have sucked at passwords for 30 years, and we wil
Ummmm (Score:3)
I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many Twitter conversations yesterday and how the script used no longer works since Apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail-safe anymore?
Re: (Score:3)
I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many Twitter conversations yesterday and how the script used no longer works since Apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail-safe anymore?
As far as I know, the only website that I use that enforces such a limit is my bank, and even there I think it is heavy-handed. They could just block you for an hour after three failed attempts, or make the time exponential, or something.
Logging in to FMi will be a relatively slow process anyway. A full brute-force attempt is extremely unlikely to succeed, so scripting only makes sense if the attacker knows at least some of the password. That is, if you want to try if one of 'fido1' to 'fido9999' is the rig
I don't get it (Score:2)
How the heck does it matter if Apple works with Elcomsoft or not? If reverse-engineering a protocol is all it takes to jeopardize users' data, it's security-by-obscurity in the best case.
In combination with an accurate summary ... (Score:2)
In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim's iPhone and download its full backup rather than the more limited data accessible on iCloud.com.
So basically, in combination with your password, this tool lets you access resources secured by your password. Amazing! Next up you'll tell me there's a tool that lets you open my front door in combination with a copy of my house key!
Let's put this another way -- you tell some /.er that he can buy a new iPhone, enter his password and immediately restore from an iCloud backup. Logically then, we expect that he understands that the password controls access to the backup, since the only thing he needed to pr
Re: (Score:2)
Not "your password" but "any password".
Using the correct answer to a security question, you can reset the password for the backup. After that, you can download it and then apply the password you just entered. So the security is as strong as the weakest link, in this case still most likely the security questions.
Isn't it weird? (Score:2)
That we use secure 2 factor authentication for our World of Warcraft accounts but we don't for important stuff like iCloud stored nudies?
Re: (Score:2)
And that's why birds eat fish. How many fish eat birds?
Re: (Score:2)
Catfish and sharks do ... perhaps a few more that I'm not aware of.
Erm, but that was not a serious question, or was it?
Brute Force Protection (Score:3)
If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like "only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.
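As an added illustration of the two defences this thread proposes (the windowed per-IP block quoted above, and the exponential per-account lockout suggested in the earlier reply about banks), here is a small login rate limiter. It is example code written for this page, not Apple's, Elcomsoft's or any real service's implementation; the credential store, addresses, user names and guess sequences are all constructed, and the thresholds (10 failures in 5 minutes, 30-minute block, backoff doubling from 1 second) are assumptions matching the numbers in the post.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed credential store: username -> PBKDF2 hash. A slow KDF per attempt
# is itself part of brute-force resistance; the salt and passwords are made up.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


CREDENTIALS = {"alice": _hash("correct-horse-battery"), "bob": _hash("hunter2!x")}


def password_ok(username: str, password: str) -> bool:
    stored = CREDENTIALS.get(username)
    if stored is None:
        _hash(password)  # spend the same time for unknown users (no enumeration via timing)
        return False
    return hmac.compare_digest(stored, _hash(password))


class LoginRateLimiter:
    """Windowed per-IP block plus exponential per-account backoff."""

    def __init__(self, max_failures=10, window=300, block_time=1800,
                 base_backoff=1, max_backoff=3600):
        self.max_failures, self.window, self.block_time = max_failures, window, block_time
        self.base_backoff, self.max_backoff = base_backoff, max_backoff
        self._failures = defaultdict(deque)     # ip -> timestamps of recent failures
        self._blocked_until = {}                # ip -> time the block expires
        self._account_fails = defaultdict(int)  # username -> consecutive failures
        self._account_until = {}                # username -> earliest next attempt

    def check(self, ip, username, now):
        """Return (allowed, reason); call before touching the password at all."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False, "ip_blocked"
            del self._blocked_until[ip]        # block expired: start a fresh window
            self._failures[ip].clear()
        until = self._account_until.get(username)
        if until is not None and now < until:
            return False, "account_backoff"
        return True, "ok"

    def record_failure(self, ip, username, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:  # drop failures outside the 5-minute window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:        # 10 in the window -> block the IP for 30 min
            self._blocked_until[ip] = now + self.block_time
        n = self._account_fails[username] = self._account_fails[username] + 1
        delay = min(self.base_backoff * 2 ** (n - 1), self.max_backoff)  # 1s, 2s, 4s, ...
        self._account_until[username] = now + delay
        return delay

    def record_success(self, username):
        self._account_fails.pop(username, None)
        self._account_until.pop(username, None)


def attempt(limiter, ip, username, password, now):
    allowed, reason = limiter.check(ip, username, now)
    if not allowed:
        return reason
    if password_ok(username, password):
        limiter.record_success(username)
        return "success"
    limiter.record_failure(ip, username, now)
    return "wrong_password"


def run(attempts, limiter=None):
    limiter = limiter or LoginRateLimiter()
    return [attempt(limiter, *a) for a in attempts]


# Constructed scenario 1: 12 guesses against 12 different accounts from one
# address, one per second, then a real login by alice from another address.
def spray_from_one_ip():
    attempts = [("198.51.100.7", f"user{i}", "Password1", float(i)) for i in range(12)]
    attempts.append(("203.0.113.9", "alice", "correct-horse-battery", 12.0))
    return run(attempts)


# Constructed scenario 2: 12 guesses against alice alone from one address.
def dictionary_run_on_one_account():
    return run([("198.51.100.7", "alice", f"guess{i}", float(i)) for i in range(12)])


if __name__ == "__main__":
    print(spray_from_one_ip())
    print(dictionary_run_on_one_account())
```

In the first scenario the tenth failure trips the IP block, so the last two guesses are refused before any password is checked, while alice's genuine login from a different address still succeeds. In the second scenario the IP never reaches ten failures, but the per-account backoff doubles after every miss, so only 4 of the 12 guesses are ever evaluated; the two mechanisms cover different attack shapes (spraying many accounts versus hammering one), which is why both belong in an authentication front end. The `check` call deliberately happens before the KDF so that a blocked client cannot even consume hashing time.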
I honestly don't get it... (Score:5, Interesting)
Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?
In the end (while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that (especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).
Re: (Score:3, Interesting)
If this leak (Score:2)
was about normal people, no one would have lifted a finger. Since it's the "intellectual property" creators and precious entertainment stars it gets full media and FBI attention.
Re:Of course... (Score:5, Funny)
"Your Holiness, people are accusing our priests of molesting their children!"
"My son, send out a missive immediately--chastising the parishioners for letting their children seduce our priests."
Re: (Score:2)
Re: (Score:2)
People don't post nude pics to the cloud.
They have a little check box in their iPhone named something like "synch photos with your mac via icloud".
The checkbox is checked by default when you buy the phone.
All new photos are automatically transferred to the iCloud and when you open your Mac at home it "magically" shows up there.
No one ever is doing a "now I have to upload my photos to the cloud" thing. So most people don't even know that their photos are up there.