Apple Denies Systems Breach In Photo Leak

Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.

"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

Seemed pretty obvious this was the case

[John3]

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

Re:Seemed pretty obvious this was the case

[Macrat]

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Re:Seemed pretty obvious this was the case

[heypete]

Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.

What good is a password manager when the answers to your security questions are public knowledge?

Who says you need to tell the truth on those questions?

Q: "What is your mother's maiden name?"
A: "Purple monkey dishwasher."

Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.

Re:Seemed pretty obvious this was the case

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

And yet, in reality, regardless of your personal security measures, you already have this today

It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

This is also how Sarah Palin's email got "hacked"

[i+kan+reed]

Remember 2008? Some random douche on 4chan just looked up her dog's name?

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

Re:No surprise here

[AmiMoJo]

Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.