Apple Denies Systems Breach In Photo Leak

← Back to Stories (view on slashdot.org)

Apple Denies Systems Breach In Photo Leak

Posted by Soulskill on Wednesday September 3, 2014 @03:00AM from the not-my-fault-i-promise dept.

Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

11 of 311 comments (clear)

Min score:

Reason:

Sort:

Seemed pretty obvious this was the case by John3 · 2014-09-03 03:04 · Score: 5, Insightful

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

--
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
1. Re:Seemed pretty obvious this was the case by John3 · 2014-09-03 03:23 · Score: 4, Insightful
  
  Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.
  
  --
  "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
2. Re:Seemed pretty obvious this was the case by Macrat · 2014-09-03 03:27 · Score: 5, Insightful
  
  Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
  What good is a password manager when the answers to your security questions are public knowledge?
3. Re:Seemed pretty obvious this was the case by heypete · 2014-09-03 03:31 · Score: 5, Insightful
  
  Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
  What good is a password manager when the answers to your security questions are public knowledge?
  Who says you need to tell the truth on those questions?
  Q: "What is your mother's maiden name?"
  A: "Purple monkey dishwasher."
  Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
4. Re:Seemed pretty obvious this was the case by Anonymous Coward · 2014-09-03 04:17 · Score: 5, Insightful
  
  I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.
  And yet, in reality, regardless of your personal security measures, you already have this today
  It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.
  All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.
5. Re:Seemed pretty obvious this was the case by hairyfeet · 2014-09-03 04:39 · Score: 4, Insightful
  
  WTF good is that gonna do when the "find my iPhone" feature allowed for unlimited password tries with NO TIME LIMIT as has been reported on several sites? You can have the best password ever created and if I can just brute force the site all day long without penalty then you be fucked friend, after all you can throw together an AMD octocore box for a couple hundred bucks that can crank out attempts in the millions if not tens of millions if you have a big enough pipe!
  Lets face it, somebody at Apple done fucked up REAL bad and instead of admitting it they are doing a "you're holding it wrong" level of BS spinjob trying to cover it up.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
6. Re:Seemed pretty obvious this was the case by DarkOx · 2014-09-03 05:42 · Score: 4, Insightful
  
  You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.
  If you going to keep it on your desktop or on your phone and NOT send it over the network. Than I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only anyone is going to get hold of it is if they pwn your computing device. If they do that than they don't need to beak the crypto they will just wait with the keylogger running for your to unlock it and collect the secret.
  At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
This is also how Sarah Palin's email got "hacked" by i+kan+reed · 2014-09-03 03:05 · Score: 5, Insightful

Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Re:At the risk of blaming the victim... by CaptainDork · 2014-09-03 03:14 · Score: 4, Insightful

Wrong-think.
If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.

--
It little behooves the best of us to comment on the rest of us.
Re:No surprise here by AmiMoJo · 2014-09-03 03:22 · Score: 5, Insightful

Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

--
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Re:At the risk of blaming the victim... by edremy · 2014-09-03 05:43 · Score: 4, Insightful

If you don't want people stealing your money don't store money online. Don't use credit/debit cards, an online brokerage account, web access to your checking account, etc. If it's out there someone is going to steal it.
Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.

--
"Seven Deadly Sins? I thought it was a to-do list!"