
Apple Denies Systems Breach In Photo Leak

Soulskill posted about a month ago | from the not-my-fault-i-promise dept.

Cloud 311

Hamsterdan notes that Apple has posted an update to its investigation into the recent celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.


311 comments


Seemed pretty obvious this was the case (5, Insightful)

John3 (85454) | about a month ago | (#47816769)

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

Re:Seemed pretty obvious this was the case (3, Insightful)

Anonymous Coward | about a month ago | (#47816839)

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

Re:Seemed pretty obvious this was the case (4, Funny)

Anonymous Coward | about a month ago | (#47816893)

protect your password manager with a strong password from another password manager to protect!

Re:Seemed pretty obvious this was the case (5, Funny)

Sique (173459) | about a month ago | (#47816921)

It's Password Managers all the way down!

Re:Seemed pretty obvious this was the case (4, Insightful)

John3 (85454) | about a month ago | (#47816937)

Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.

Re:Seemed pretty obvious this was the case (2)

fuzzyfuzzyfungus (1223518) | about a month ago | (#47817201)

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

Password 'managers' make me nervous (unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process instead...

Re:Seemed pretty obvious this was the case (1)

Anonymous Coward | about a month ago | (#47817259)

Yes, people who care have subverted the need to use passwords. I bet they don't even use the public internet!

Re:Seemed pretty obvious this was the case (5, Insightful)

Anonymous Coward | about a month ago | (#47817483)

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

And yet, in reality, regardless of your personal security measures, you already have this today

It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

Re:Seemed pretty obvious this was the case (1)

Dishevel (1105119) | about a month ago | (#47817605)

If it is a trusted implementation, and you are using a very strong password (20 characters, upper case, lower case, numbers and symbols), and you use unique generated passwords for each site, you are really quite safe.

Re:Seemed pretty obvious this was the case (5, Insightful)

Macrat (638047) | about a month ago | (#47816977)

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Re:Seemed pretty obvious this was the case (5, Insightful)

heypete (60671) | about a month ago | (#47817005)

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Who says you need to tell the truth on those questions?

Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."

Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

Re:Seemed pretty obvious this was the case (-1)

Macrat (638047) | about a month ago | (#47817089)

Who says you need to tell the truth on those questions?

The topic of this thread is about how a password manager takes care of everything.

Keep focused.

Re:Seemed pretty obvious this was the case (1)

ericloewe (2129490) | about a month ago | (#47817111)

Don't be so short-sighted. Use the password managers to store passwords that are employed instead of answers to secret questions.

Re:Seemed pretty obvious this was the case (2)

CanHasDIY (1672858) | about a month ago | (#47817547)

OK - A password manager is a great way to keep track of all the nonsense answers you put in for security questions.

Re:Seemed pretty obvious this was the case (1)

Anonymous Coward | about a month ago | (#47817345)

I've done this before. In my password manager:

"All secret question answers are FART"

Re:Seemed pretty obvious this was the case (1)

gmhowell (26755) | about a month ago | (#47817447)

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Who says you need to tell the truth on those questions?

Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."

Damnit, time to change the security question on the password manager for my luggage.

Re:Seemed pretty obvious this was the case (2)

Megol (3135005) | about a month ago | (#47817095)

Don't use them - input random crap instead of correct information.

Re:Seemed pretty obvious this was the case (1)

neoritter (3021561) | about a month ago | (#47817371)

The point of security questions is to have things that you can remember without having to write them down. If you input random crap like you and others are suggesting, you're just extending the stupidity to a different level OR being needlessly redundant, because then you have to write down what that stupid crap was. Which might as well be the same thing as writing down your password.

Re:Seemed pretty obvious this was the case (1)

AmiMoJo (196126) | about a month ago | (#47817415)

You don't answer those things honestly do you?

This is also how Sarah Palin's email got "hacked" (5, Insightful)

i kan reed (749298) | about a month ago | (#47816785)

Remember 2008? Some random douche on 4chan just looked up her dog's name?

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

Re:This is also how Sarah Palin's email got "hacke (1)

CaptainDork (3678879) | about a month ago | (#47816855)

The advice from people like you and me is to lie like hell.

Re:This is also how Sarah Palin's email got "hacke (2, Funny)

i kan reed (749298) | about a month ago | (#47816863)

Sarah Palin has proven to be good at that.

BOOM politics slam.

Re:This is also how Sarah Palin's email got (1)

Anonymous Coward | about a month ago | (#47816897)

I always do the SHA1 of the answer..

Re:This is also how Sarah Palin's email got (0)

Anonymous Coward | about a month ago | (#47817171)

SHA-1 is compromised. See: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html

Use Skein.

...amateurs

Re:This is also how Sarah Palin's email got (1)

i kan reed (749298) | about a month ago | (#47817443)

He's using SHA1 as a one time pad against people who know the answers to his questions, but not that he encrypts them.

The algorithm being broken doesn't do the theoretical malicious actor any good. He could use a checksum/rot13/whatever and the effect would be the same.
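The scheme the two commenters are debating, a security-question answer derived from the real answer with a hash, written out as an added example (this is not code from either poster). It goes one step beyond the thread: the plain SHA-1 version works only while the attacker does not know the scheme, whereas the keyed version binds a per-user secret plus the site and question, so someone who knows the real answer and the method still cannot reproduce it, and the same pet name gives a different answer on every service. The site name, question text and secret below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import unicodedata


def normalize(text: str) -> str:
    """Canonicalise user input so 'Fido', ' fido ' and 'FIDO' derive the same value."""
    return unicodedata.normalize("NFKC", text).strip().casefold()


def unkeyed_answer(true_answer: str) -> str:
    """The scheme from the thread: the stored answer is a hash of the real one.

    There is no secret here, so anyone who knows the real answer *and* knows
    that it was hashed can reproduce it; the security rests on the scheme
    being unknown, which is why a broken hash function changes nothing.
    """
    return hashlib.sha1(normalize(true_answer).encode()).hexdigest()


def derive_answer(secret: bytes, site: str, question: str,
                  true_answer: str, length: int = 20) -> str:
    """Keyed variant: HMAC-SHA256 over (site, question, real answer) under a
    per-user secret (assumed to live in the user's password manager).

    Binding the site and question means one leaked derived answer does not
    unlock the same question on another service.
    """
    message = "\n".join(
        [normalize(site), normalize(question), normalize(true_answer)]
    ).encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # Base32 yields only letters and digits, which answer fields generally
    # accept; 20 base32 characters still carry 100 bits of the digest.
    return base64.b32encode(digest).decode().rstrip("=")[:length].lower()


if __name__ == "__main__":
    # Constructed values for demonstration only.
    secret = b"constructed-example-secret-kept-in-password-manager"
    print("unkeyed:", unkeyed_answer("Fido"))
    print("keyed  :", derive_answer(secret, "example.com",
                                    "Name of your first pet?", "Fido"))
```

The derived string is what gets typed into the reset form; the real answer never leaves the user's head, and the secret is the only thing that has to be stored. Rotating the secret re-keys every answer at once, which is the main practical advantage over remembering a pile of "purple monkey dishwasher" answers per site.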

Not just public figures (5, Interesting)

mozumder (178398) | about a month ago | (#47817009)

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

Modern social media can also be used to identify personal information of regular people.

If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.

Re:Not just public figures (1)

i kan reed (749298) | about a month ago | (#47817061)

You're clearly arguing that the best solution is to have no friends.

(Also how did you get Karma so bad that you're lower than ACs?)

Re:Not just public figures (1, Interesting)

Cro Magnon (467622) | about a month ago | (#47817267)

My first pet predated social media, and there are no online pics of it. There's probably 2 people who could guess that one, and I'm not worried about either of them cracking my accounts.

Re:This is also how Sarah Palin's email got "hacke (1)

Anonymous Coward | about a month ago | (#47817133)

Security questions work really well, you just have to fill them out creatively.

Mother's maiden name:
The moon is a mysterious mistress

Name of your pet:
I move like night from land to land

Childhood home address:
'Tis the Moor! I know him by his trumpet

No-one is gonna guess that shit because there's no link between question and answer.

Re:This is also how Sarah Palin's email got "hacke (1)

Registered Coward v2 (447531) | about a month ago | (#47817149)

Remember 2008? Some random douche on 4chan just looked up her dog's name?

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

Re:This is also how Sarah Palin's email got "hacke (5, Informative)

Cro Magnon (467622) | about a month ago | (#47817177)

Because it's easier to remember the truth than a lie.

Re:This is also how Sarah Palin's email got "hacke (0)

kruach aum (1934852) | about a month ago | (#47817199)

If that were true there would be no religions or climate change deniers, they'd all be forgotten.

Re:This is also how Sarah Palin's email got "hacke (1)

theedgeofoblivious (2474916) | about a month ago | (#47817567)

That depends.

Re:This is also how Sarah Palin's email got "hacke (1)

nine-times (778537) | about a month ago | (#47817623)

All the more reason why they just shouldn't have these security questions.

Re:This is also how Sarah Palin's email got "hacke (1)

Aaden42 (198257) | about a month ago | (#47817419)

I always use something related to the question asked that isn’t technically the right answer but is something I’d remember.

Example: Ask my mother-in-law’s name, I’ll enter “waste of oxygen”. Never gonna forget that one

Re:This is also how Sarah Palin's email got "hacke (1)

Anonymous Coward | about a month ago | (#47817537)

Remember 2008? Some random douche on 4chan just looked up her dog's name?

Oh, so it's 4chan who's the douche here, and not [random idiot celebrity] who uses their dog's name (that has their own Twitter feed) as a security question.

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

You know what is also pointless? Assuming that public figures actually have a fucking brain, and would choose a secure, private security question.

And for fuck's sake, you can't lie on those security questions? Hell, that's half the way you make them secure. Hollywood figures should be damn good at putting up a facade. They get paid to do it professionally.

Re:This is also how Sarah Palin's email got "hacke (1)

i kan reed (749298) | about a month ago | (#47817615)

No, I'm pretty sure it's the random guy, not 4chan as a whole, that's the douche, Mr. Anonymous-needs-defending.

This is the "your lock could be picked so I let myself in" defense.

Of course... (-1)

Anonymous Coward | about a month ago | (#47816793)

Admitting any kind of flaw would harm the illusion of papal infallibility at the Cult of Jobs.

Re:Of course... (4, Funny)

NotDrWho (3543773) | about a month ago | (#47816903)

"Your Holiness, people are accusing our priests of molesting their children!"

"My son, send out a missive immediately--chastising the parishioners for letting their children seduce our priests."

Surprised? (0)

Anonymous Coward | about a month ago | (#47816797)

You expected Apple to say whoops, our bad? Come on.

But how do the hackers get the email addresses? (1)

Camembert (2891457) | about a month ago | (#47816805)

I can indeed imagine that in some cases it would be possible to find the answer to the password security questions by doing some googling about the celebrity. With 2 factor authentication this would not have been an issue.
I still wonder how the hackers got access to the email addresses of the celebrities they targeted? Because this is the necessary first step. Sloppy industry agents perhaps?

Re:But how do the hackers get the email addresses? (1)

Russ1642 (1087959) | about a month ago | (#47816927)

That would be the easy part. If they use their email address for anything presumably it's to receive and send email so they CAN'T keep it a secret.

Re:But how do the hackers get the email addresses? (5, Funny)

John3 (85454) | about a month ago | (#47816957)

I'd imagine once you hack a celebrity email you can then get emails of their friends, and so on. The key is to get the email address of Kevin Bacon and then you're golden.

Re:But how do the hackers get the email addresses? (1)

Anonymous Coward | about a month ago | (#47817119)

Forget the celebrity, target the agent

At the risk of blaming the victim... (3, Interesting)

erp_consultant (2614861) | about a month ago | (#47816827)

what the heck are these people thinking? Putting nude photos of yourself on a phone and syncing it every which way? It's one thing if you are Joe-nobody but being a celebrity is entirely different. That's just plain stupid.

Re:At the risk of blaming the victim... (4, Insightful)

CaptainDork (3678879) | about a month ago | (#47816867)

Wrong-think.

If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

Re:At the risk of blaming the victim... (3, Insightful)

Black Parrot (19622) | about a month ago | (#47817037)

But dealing with reality is very logical.

If you don't want people to see pictures of you naked, don't take the pictures.
And if you do, don't put them on a computer.
And if you do, don't put them on a computer on the internet.
And if you do, don't put them on someone else's computer on the internet.

If they're out there, someone is going to get them.

Re:At the risk of blaming the victim... (0, Troll)

CaptainDork (3678879) | about a month ago | (#47817159)

Or ...

Sue the hell out of companies that don't have the sense god gave a piss ant to provide a secure method of log in.

Re:At the risk of blaming the victim... (1)

Anonymous Coward | about a month ago | (#47817659)

I think you missed the summary of the article up above. Apple does have a secure method to log in: two-factor authentication plus strong passwords. Apparently, the celebrities in question didn't use it.

Re:At the risk of blaming the victim... (2, Insightful)

nine-times (778537) | about a month ago | (#47817663)

What does this have to do with a secure method of log-in? If I make my password "password", then it's my own fault, not the login system's fault. You could say that they could require a strong password, which is great. Require it to be 10 characters, including at least 1 upper-case, 1 lower-case, 1 number, and one symbol. You know what the password will be then?

"P@$$w0rd12"

If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managing keys. Otherwise, if you're letting people set their own password, they're going to choose bad passwords.
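The point of the comment above, that a composition rule (length, upper, lower, digit, symbol) is satisfied by "P@$$w0rd12" without making it strong, as an added example that is not from the commenter. The composition check is the rule quoted in the comment; the weakness check undoes the usual leet substitutions and trailing digits and looks the result up in a small constructed list of common words (a real deployment would use a large breached-password list).

```python
import re
import string

# Constructed sample; a real deployment would use a large breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou", "monkey"}

# The substitutions people reach for when a policy demands digits and symbols.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def meets_composition_policy(pw: str, min_len: int = 10) -> bool:
    """The rule from the comment: 10+ chars, upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def normalize_for_lookup(pw: str) -> str:
    """Strip the trailing digits/symbols people append, undo leet spellings,
    and lower-case, so 'P@$$w0rd12' collapses to 'password'."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(LEET).casefold()


def is_weak(pw: str) -> bool:
    """True when the password is a dressed-up dictionary word."""
    return normalize_for_lookup(pw) in COMMON_WORDS


def evaluate(pw: str) -> dict:
    """Both verdicts side by side; the interesting case is policy=True, weak=True."""
    return {"passes_policy": meets_composition_policy(pw), "weak": is_weak(pw)}


if __name__ == "__main__":
    for candidate in ["P@$$w0rd12", "L3tm3!n99", "correct horse battery staple"]:
        print(candidate, evaluate(candidate))
```

Running it shows the mismatch the comment describes: "P@$$w0rd12" passes the policy and is weak, while a four-word passphrase fails the policy and is not in the list. Composition rules change how a dictionary word is spelled, not whether it is one.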

Re:At the risk of blaming the victim... (1)

Anonymous Coward | about a month ago | (#47817317)

Wrong-think.

If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

Parent doesn't state that the perpetrators did nothing wrong, he stated that the victims behaved irresponsibly with their data. Don't confuse that with victim-blaming, those are two very different things.

Taking no precautions as if you lived in utopia is straight out retarded and pushing the agenda that people shouldn't behave responsibly to protect their information is inconsiderate and/or malicious, you only create more victims.

Re:At the risk of blaming the victim... (0)

Anonymous Coward | about a month ago | (#47817357)

and this is where el CapitanSJW screams 'Not rabbit, not rabbit' because someone has an opinion not like his own.

No such thing as wrong-think, but there is such a thing as bullying people for expressing their opinion.

Re:At the risk of blaming the victim... (1)

JustNiz (692889) | about a month ago | (#47817085)

What those celebs are actually thinking is that there's no such thing as bad publicity, especially when backed up with fake self-righteous indignation.

I think it's funny that most people still genuinely believe that those celebs really didn't want that stuff leaked.

Re:At the risk of blaming the victim... (2)

QuasiSteve (2042606) | about a month ago | (#47817179)

I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.

Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.
And, yes, some of them will probably come out of this better.
But that doesn't mean that this is what they wanted all along.

Re:At the risk of blaming the victim... (1)

neoritter (3021561) | about a month ago | (#47817411)

Lemonade out of lemons? Or lemonade out of sugar water?

Re:At the risk of blaming the victim... (1)

Anonymous Coward | about a month ago | (#47817339)

what the heck are these people thinking? Putting valuables in your house, and installing windows so people can see right in? It's like they're INVITING robberies!!!

Criminal trespass is criminal trespass. It doesn't matter if it was "easy" to get to the photos - they were not yours, or anybody else's, to access without permission.

Re:At the risk of blaming the victim... (3, Insightful)

Aaden42 (198257) | about a month ago | (#47817621)

Wrong-think on several levels indeed.

1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or affect their careers.

2) Basic human dignity should preclude assholes like the attackers from invading others’ privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)

3) I believe Apple enables photo syncing to the cloud by default when you set up iCloud on a new device. (I could be wrong. It’s been a while since I set up a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious failing of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.

So as far as assigning blame for this one:

1) The Hackers.
2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.
3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.
4) Tech industry for pushing cloud-based storage.
5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).
6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).
7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.

You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.

Solution lies with users, not Apple (5, Interesting)

davidwr (791652) | about a month ago | (#47816831)

Well, mostly.

What Apple can do is require 2-factor authentication.

They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

Re:Solution lies with users, not Apple (4, Informative)

MickyTheIdiot (1032226) | about a month ago | (#47816875)

Yeah. They can do two factor auth. The key fob they sell will only cost $595 and work only with Safari.

Re:Solution lies with users, not Apple (0)

Anonymous Coward | about a month ago | (#47817533)

WOW authenticators do it for $8. Just make the Apple one solar powered and cost $29.95 and it will be "greatest security invention ever"

Re: Solution lies with users, not Apple (1)

Anonymous Coward | about a month ago | (#47816947)

What users can do is turn off the 'sync to the cloud' function.

What vendors can do is stop setting up a slick greased trail so that the easy thing to do is click 'yeah, okay' when setting up a new device, and it syncs everything to 'the cloud.'

And our job as regular people is to spread the word and encourage skepticism, so only the stupidest dolts continue to 'sync to the cloud.'

The cloud concept can be killed with the proper buzz out there.

Re: Solution lies with users, not Apple (1)

Drethon (1445051) | about a month ago | (#47817277)

Tried it a couple times on my non apple phone and it is still uploading. I just don't use a networked camera for anything I don't want anyone else to see.

Re: Solution lies with users, not Apple (1)

Ultra64 (318705) | about a month ago | (#47817401)

so only the stupidest dolts continue to 'sync to the cloud.'

And then your phone breaks and you lose all your data.

Re: Solution lies with users, not Apple (2)

CanHasDIY (1672858) | about a month ago | (#47817583)

so only the stupidest dolts continue to 'sync to the cloud.'

And then your phone breaks and you lose all your data.

Because there's no other options than "lose everything" or "put it all on someone else's computer?"

I expect that sort of non-thinking response from the crowd over at Yahoo, but c'mon man - this is /., we expect more thinky from our community.

Re: Solution lies with users, not Apple (0)

Anonymous Coward | about a month ago | (#47817427)

Or, like driving, we require a test to use the internet. I'm okay with something simple like having read at least 20 linux man pages, being able to work from a command line and move a few files around, using an FTP server for 3 file transfers, and maybe learning C enough that a person can store a string (char array) and display it to the user.

Not really internet specific but a little computer intelligence goes a long way.

Or, we just mass distribute t-shirts that say: "IF YOU DON'T WANT PEOPLE TO SEE IT, DON'T PUT IT ON THE INTERNET."

Solution lies with users, not Apple (0)

Anonymous Coward | about a month ago | (#47816967)

They already offer two factor authentication. I have it enabled on my account.

Re:Solution lies with users, not Apple (5, Interesting)

ixs (36283) | about a month ago | (#47817135)

And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.

Details are at http://support.apple.com/kb/ht5570 [apple.com] and quoting from there:
It requires you to verify your identity using one of your devices before you can take any of these actions:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple

All iCloud communication is still unprotected. Bzzzzt. Neeext!

Re:Solution lies with users, not Apple (0)

Anonymous Coward | about a month ago | (#47817165)

Relevant:

http://lifehacker.com/iclouds-two-factor-authentication-doesnt-secure-your-ph-1630021133?utm_campaign=socialflow_lifehacker_facebook&utm_source=lifehacker_facebook&utm_medium=socialflow

No surprise here (2)

qbast (1265706) | about a month ago | (#47816835)

It is not like they would admit to getting hacked if they can shift the blame to the user. And let's not forget that probably half of NSA was fapping to these pictures.

Re:No surprise here (5, Insightful)

AmiMoJo (196126) | about a month ago | (#47816931)

Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

Re:No surprise here (0)

Anonymous Coward | about a month ago | (#47817453)

So what you're saying is, Apple denies that the problem exists, but then acknowledges the problem exists through their actions.

So what action have they taken that acknowledges this problem exists?

None?

How's that apple hate working out for you, stupid?

Re:No surprise here (0)

Anonymous Coward | about a month ago | (#47817137)

There are a lot of people out there holding it wrong thanks to Apple now.

Our dumb users are holding it wrong! (5, Funny)

NotDrWho (3543773) | about a month ago | (#47816873)

It's THEIR fault. Apple MAKES NO MISTAKES!!!

Find My Friends password flaw (5, Interesting)

Noah Haders (3621429) | about a month ago | (#47816877)

You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News. Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

http://9to5mac.com/2014/09/01/... [9to5mac.com]

So there was no iCloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

Also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.
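The missing control the quoted article describes is "lockout or alert to the target" on repeated failed guesses. The following is an added example of what that control looks like on the service side, written for this thread and not taken from Apple or from the commenter: a per-account sliding-window failure counter that locks the account for a period, records an alert for the owner, and, importantly, keeps refusing even the correct password while locked, since otherwise a dictionary run simply continues through the lock. The account name and guess list are constructed.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Per-account failed-login throttle with temporary lockout and alerting."""

    def __init__(self, max_failures=5, window=600, lockout=900,
                 clock=time.monotonic):
        self.max_failures = max_failures   # failures allowed inside the window
        self.window = window               # seconds over which failures count
        self.lockout = lockout             # seconds the account stays locked
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.locked_until = {}
        self.alerts = []                   # what would be sent to the owner

    def attempt(self, account, password_ok, now=None):
        """Return 'ok', 'denied' or 'locked' for one login attempt."""
        now = self.clock() if now is None else now
        if now < self.locked_until.get(account, float("-inf")):
            # Locked accounts refuse even a correct password until expiry.
            return "locked"
        recent = self.failures[account]
        while recent and recent[0] <= now - self.window:
            recent.popleft()              # forget failures outside the window
        if password_ok:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            self.alerts.append({"account": account, "at": now,
                                "failures": len(recent)})
            recent.clear()
            return "locked"
        return "denied"


def replay(guard, account, true_password, guesses, start=0.0, interval=1.0):
    """Feed a guess list through the guard one attempt per interval."""
    return [guard.attempt(account, guess == true_password, now=start + i * interval)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    # Constructed wordlist; the real password is the seventh entry.
    wordlist = ["123456", "password", "qwerty", "letmein",
                "abc123", "iloveyou", "monkey"]
    guard = LoginGuard()
    print(replay(guard, "alice@example.com", "monkey", wordlist))
    print(guard.alerts)
```

With the defaults, the fifth failure locks the account and raises an alert, and the correct guess two attempts later is still refused. A per-account counter alone does not stop "spraying" one common password across many accounts, so a production version would add the same windowed counter keyed by source address, and an alert on the first successful login from an unseen device, which is the notification item 7(e) in the list further up the thread asks publicists to watch for.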

Re:Find My Friends password flaw (1)

Wulfstan (180404) | about a month ago | (#47817045)

Yes, and I just don't believe them. It's super-bad press for them a week before they release their new device.

The core problem is that in order to improve iCloud use they have actively encouraged users during the signup process to enable iCloud syncing - and default settings push all of your photos, docs and data. For a time-pressed celeb who may not be that tech savvy this is just asking for trouble.

I'm a bit surprised by the number of people who send around naked photos of themselves though. I must be in the prurient minority.

Re:Find My Friends password flaw (1)

Wulfstan (180404) | about a month ago | (#47817065)

Not prurient. Whatever the opposite is.

Re:Find My Friends password flaw (1)

Noah Haders (3621429) | about a month ago | (#47817343)

he's thinking prudish.

Re:Find My Friends password flaw (4, Informative)

Anubis IV (1279820) | about a month ago | (#47817341)

It's not known that this exploit was used on the celebrities

The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.

There's actually a fairly detailed breakdown of this and similar attacks [nikcub.com] already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).

Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

Re:Find My Friends password flaw (1)

Noah Haders (3621429) | about a month ago | (#47817455)

Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

WaPo article [washingtonpost.com] "Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts."

Apple press release [macresource.com] : "To protect against this type of attack, we advise all users to always use a strong password".

Read different things into it, but the fact remains: human beings suck at passwords. We have sucked at passwords for 30 years, and we will continue to suck at passwords. There has been enormous effort to get people to be better about passwords. As a result, the most popular password is no longer "12345" - it's now "123456".

Considering this, all software makers need to recognize that they have a much greater burden to create a security solution that people don't suck at. Apple did that with the Touch ID thing. Brilliant and simple. Until software makers (including Apple themselves) take more responsibility, they will continue to get owned (yes the user gets hacked, but the reputation of the software suffers too).

A bright spot: in iOS 8 Apple is supposed to open up Touch ID so it can be used for things other than the phone unlock. There are a whole host of dangers with Touch ID, but at least it solves the weak password issue.

Re:Find My Friends password flaw (0)

Anonymous Coward | about a month ago | (#47817395)

also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

It's not their code, it's their systems. Salting pre-hash values? Rate-limiting requests? Lockout after > 10 incorrect attempts?

These are system design issues, not coding issues ... although they can't get the code right, either (see also: "goto fail")

Top Dude of Master Bunny (0)

Anonymous Coward | about a month ago | (#47816885)

The goals of apple are to subtivate and motivate the audience. Since Steve Jobs died there have been changes in the industry of the goals we would provide. The difference is that the motivation for the audience has become more subdued some would say due to changes like these. If you look at the general goals of organizations like Compcost you notice instantly that the whole worker's compensation issue is basically directly related to general issues of this nature. The goal then of the general public should be to motivate these people and not change on general topics. We are hoping that each person would identify with their goals. The basic premise of motivation is not subliminal or hierarchical but instead a motivation aspect of topic. Do not change the topic, rather find the hierarchy of need of each subject. Maslow was not entirely incorrect.

http://www.samefacts.com/2010/09/health-medicine/what-abraham-maslow-got-wrong-about-the-limits-of-science-and-psychological-knowledge/

That pretty much explains it.

At least the view is nice (-1)

Anonymous Coward | about a month ago | (#47816913)

Dat Kate Upton Mmmmmm

Ummmm (2)

Chewbacon (797801) | about a month ago | (#47816925)

I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many Twitter conversations yesterday and how the script used no longer works since Apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

I don't get it (1)

pem (1013437) | about a month ago | (#47816985)

Good security doesn't depend on protocol secrecy.

How the heck does it matter if Apple works with Elcomsoft or not? If reverse-engineering a protocol is all it takes to jeopardize users' data, it's security-by-obscurity in the best case.

In combination with an accurate summary ... (1)

Wrath0fb0b (302444) | about a month ago | (#47817049)

In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim's iPhone and download its full backup rather than the more limited data accessible on iCloud.com.

So basically, in combination with your password, this tool lets you access resources secured by your password. Amazing! Next up you'll tell me there's a tool that lets you open my front door in combination with a copy of my house key!

Let's put this another way -- you tell some /.er that he can buy a new iPhone, enter his password and immediately restore from an iCloud backup. Logically then, we expect that he understands that the password controls access to the backup, since the only thing he needed to provide was that password.

Isn't it weird? (2)

drake2k (3458443) | about a month ago | (#47817121)

That we use secure 2 factor authentication for our World of Warcraft accounts but we don't for important stuff like iCloud stored nudies?

Re:Isn't it weird? (1)

Anonymous Coward | about a month ago | (#47817355)

Not really. People with World of Warcraft accounts don't have iCloud stored nudies.

Re:Isn't it weird? (0)

Anonymous Coward | about a month ago | (#47817509)

Not really. People with World of Warcraft accounts don't have iCloud stored nudies.

They do have nudies, but nobody wants to see them.

Re:Isn't it weird? (0)

Anonymous Coward | about a month ago | (#47817515)

Different audiences. The nerds playing WoW understand the value of 2-factor auth. The people having sex that are storing nudies in iCloud don't understand. These two segments of the market are ENTIRELY different, so it's not weird or surprising at all.

You're like a bird looking at a fish and going, "No feathers. Less wingspan than a sparrow. Lame."

Don't trust cloud with your personal stuff (0)

Anonymous Coward | about a month ago | (#47817157)

I doubt many people focus on creating good passwords. Nobody said stars were any more intelligent than the rest of us. Note to self, don't store any really sensitive stuff on a cloud storage solution. Unless you have half a wit to create a strong password and change it often. Don't blame everyone else for being lax when you yourself are. Put your very private and sensitive information on a local storage device. Preferably encrypted and stored in a safe place. The cloud is about as secure as your password is. That is the only thing standing between your information and the hackers.

Brute Force Protection (2)

brunes69 (86786) | about a month ago | (#47817227)

If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like "only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.
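The lockout policy in this comment (at most 10 failed attempts within 5 minutes, then a 30-minute block of the source) written out as an added Python example; it is not code from the comment, from Apple or from any project. The sliding window, the injectable clock, the addresses and the `alerts` list (standing in for the "alert to the target" the 9to5mac excerpt above says was missing) are all constructed for this example.

```python
from collections import deque
import time


class LoginThrottle:
    """Per-source brute-force protection: max_attempts failures inside a
    sliding window of `window` seconds blocks the source for `block_for`
    seconds. Defaults follow the policy quoted in the comment above."""

    def __init__(self, max_attempts=10, window=300, block_for=1800,
                 clock=time.monotonic):
        self.max_attempts, self.window, self.block_for = max_attempts, window, block_for
        self.clock = clock                 # injectable so tests can control time
        self._failures = {}                # source -> deque of failure timestamps
        self._blocked_until = {}           # source -> monotonic time block expires
        self.alerts = []                   # (source, account): notify the target

    def is_blocked(self, source):
        until = self._blocked_until.get(source)
        if until is not None and self.clock() < until:
            return True
        self._blocked_until.pop(source, None)   # expired or never blocked
        return False

    def record_failure(self, source, account):
        """Call after a failed login; returns True if this failure triggered a block."""
        now = self.clock()
        q = self._failures.setdefault(source, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # evict failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._blocked_until[source] = now + self.block_for
            q.clear()
            self.alerts.append((source, account))   # tell the account owner
            return True
        return False

    def record_success(self, source):
        self._failures.pop(source, None)   # a real login resets the counter


def demo():
    """Constructed scenario: 500 dictionary guesses from one source, 100 ms apart.
    Returns (guesses allowed, guesses rejected while blocked, alerts raised)."""
    t = [0.0]                                      # fake clock
    throttle = LoginThrottle(clock=lambda: t[0])
    allowed = rejected = 0
    for _ in range(500):
        t[0] += 0.1
        if throttle.is_blocked("203.0.113.7"):     # constructed attacker address
            rejected += 1
            continue
        allowed += 1
        throttle.record_failure("203.0.113.7", "victim@example.com")
    return allowed, rejected, len(throttle.alerts)
```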

I honestly don't get it... (5, Interesting)

fuzzyfuzzyfungus (1223518) | about a month ago | (#47817287)

Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

In the end (while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that (especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).

Re:I honestly don't get it... (3, Interesting)

robstout (2873439) | about a month ago | (#47817519)

I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.

Biometrics (1)

StrangeBrew (769203) | about a month ago | (#47817361)

This is going to put a damper on Apple's wish to use nipple morphology in their newest biometric security system.

With Great joy (-1)

Anonymous Coward | about a month ago | (#47817379)

Think of all of the people who were made happy by this leak. The joy that this has spread amongst the masses is incalculable. Really these ladies should be happy they caused such joy in their fans.

If this leak (1)

future assassin (639396) | about a month ago | (#47817397)

was about normal people, no one would have lifted a finger. Since it's the "intellectual property" creators and precious entertainment stars it gets full media and FBI attention.

dumb as fuck celebrities (0)

tekrat (242117) | about a month ago | (#47817487)

Your life is already under a microscope. You can't go to the supermarket without a crew from TMZ following you and paparazzi are camped out on your lawn.... just how freaking stupid do you have to be to post nude pics of yourself to the cloud?

I'm going to start a consulting agency to the stars, called "Common Sense", and get paid to distribute my common sense to people who obviously have none of their own.

Here's a free tip: If you don't want nude pics of yourself spread to the web, don't take nude pics of yourself!

Fact (0)

Anonymous Coward | about a month ago | (#47817501)

Never take naked pictures of yourself. FINAL, NEVER, EVER, especially when you're dumb enough to sync it on the internet.

Two Points (0)

Anonymous Coward | about a month ago | (#47817657)

1) The cloud works. Jennifer Lawrence, et al have found that the internet does provide a near infinite backup solution that guarantees your images* will be available forever.

2) Internet 101. Never upload on the internet what you don't want to be on the internet. Encryption? Passwords? Special dongles? People get far worse punishments (Chinese dissenters and child porn viewers) who use the internet. That your nipple or pussy is now visible online to the general public? Oh, the horror! So, I presume the privacy advocates would be just as upset if all the leaked photos were of celebrities drinking tea (clothed). Right, yea, that's what the NSA spying does and there's no uproar over that. This is all about nipple and pussy.

* This obviously only applies if (1) you're famous, (2) you're sexy, (3) you pose at least somewhat provocatively, and (4) you don't engage in legal action that quickly drives outweighs all of items 1 to 3 combined. So, yea, (1) and (3) are the big reason this leak is permanent.
