Slashdot Mirror
Apple Denies Systems Breach In Photo Leak
Hamsterdan notes that Apple has posted an update to its investigation into the recently celebrity photo leak, which was attributed to a breach of iCloud. Apple says the leak was not due to any flaw in iCloud or Find My iPhone, but rather the result of "a targeted attack on user names, passwords and security questions." Despite this, Wired reports that hackers on an anonymous web board have been openly discussing a piece of software designed for use by law enforcement. Whether it was involved in the celebrity attacks or not, it's currently being used to impersonate a user's device in order to download iCloud backups.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.
Just another reminder to use strong passwords, password managers, and change them often. It's a pain, but it's the reality of the digital world.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Remember 2008? Some random douche on 4chan just looked up her dog's name?
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Well, mostly.
What Apple can do is require 2-factor authentication.
They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Wrong-think.
If the fucking system worked like it's supposed to, people could put anything anywhere. Blaming the victim for a broken system is not logical.
It little behooves the best of us to comment on the rest of us.
It's THEIR fault. Apple MAKES NO MISTAKES!!!
SJW's don't eliminate discrimination. They just expropriate it for themselves.
The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely. A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.
http://9to5mac.com/2014/09/01/...
so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...
also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.
"Your Holiness, people are accusing our priests of molesting their children!"
"My son, send out a missive immediately--chastising the parishioners for letting their children seduce our priests."
SJW's don't eliminate discrimination. They just expropriate it for themselves.
Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.
I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I'd imagine once you hack a celebrity email you can then get emails of their friends, and so on. The key is to get the email address of Kevin Bacon and then you're golden.
"We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.
Modern social media can also be used to identify personal information of regular people.
If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.
Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.
Because it's easier to remember the truth than a lie.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.
Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?
In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).
There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over sever years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.
I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.
Simple, no? Blame the victim all you want, but that line of thinking pretty quickly devolves into unplugging from the Internet and trying to pay your bills with physical cash.
"Seven Deadly Sins? I thought it was a to-do list!"