
trevorbsmith

macrumors member
Dec 17, 2007
36
2
Just tried the step suggested by these guys.

Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown! :eek: I didn't go any further but it made me very worried about my security questions. I'd better enter some password-like stuff in the answer fields.

Then set up 2-factor authentication. There will no longer exist any security questions for your account. Problem solved.
 

mozumder

macrumors 65816
Mar 9, 2009
1,275
4,397
Seems like some of these "hacks" can be used on any site you can think of. Pretty scary.

I don't know how any company can prevent things like this.

Couple that with weak or same passwords across multiple sites and it becomes easy for anyone to do this.

There are plenty of authentication systems that could be used to prevent this.

Apple has 2-factor. That should have been the default, instead of optional.

A simple phone call to reset passwords would be a lot less tempting for hackers than a hacker-friendly web reset.

Apple also could have used TouchID.

And so on.
 

Glassed Silver

macrumors 68020
Mar 10, 2007
2,096
2,567
Kassel, Germany
Time for Apple to realize that people do have and take these kinds of photos of either themselves or their partners.

It'd be nice if they allowed people to mark photos like these with a tag or something so you can hide them in the Photos app or have them in a password protected/Touch ID protected vault.
Also, these would be exempt from Photo Stream and other possible higher security decisions could be made.

OR: Of course they can pretend people just don't do that, everyone is living in a Disney world where nudity doesn't even exist and keep on going the same way.

I don't blame Apple, I just hope that MAYBE this could be a reminder for Apple to acknowledge that people do have files they want to treat differently.

Glassed Silver:mac
 

Trapezoid

macrumors 65816
Mar 19, 2014
1,429
0
There are plenty of authentication systems that could be used to prevent this.

A simple phone call to reset passwords would be a lot less tempting for hackers than a hacker-friendly web reset.

Apple also could have used TouchID.

And so on.

True, I wonder why companies don't take measures like this. It's like you don't even have to have any knowledge of hacking to do this. Pretty scary.
 

jclo

Managing Editor
Staff member
Dec 7, 2012
1,969
4,300
I think you need to change the headline for this article, so you are not claiming that someone's opinion is fact.

Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Should be changed to:

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Yes, this headline is VERY misleading.

It seems clear these tools are being used by hackers to access iCloud backups, so I don't think it's just limited to opinion. I'm not sure what the issue is with the headline -- it doesn't imply that it was the method of attack for the celebrity hacking, just that it's a phenomenon that's ongoing. What is misleading?
 

SleeplessChaos

macrumors newbie
Oct 22, 2011
11
0
Seems like some of these "hacks" can be used on any site you can think of. Pretty scary.

I don't know how any company can prevent things like this.

Couple that with weak or same passwords across multiple sites and it becomes easy for anyone to do this.

Actually these methods seem to bypass the password entirely (via pw reset), which is really the main problem.
 

SandboxGeneral

Moderator emeritus
Sep 8, 2010
26,482
10,051
Detroit
I suppose.

And are iCloud backups set by default? I always thought they were but looking at my phone, I don't even back up to iCloud.

I don't recall if it's on by default when a new iDevice is purchased or not. I don't back up to iCloud, but locally on my Mac via iTunes. The only thing that is susceptible is my Photo Stream filled with pictures of coffee and espresso! Very important stuff!
 

trevorbsmith

macrumors member
Dec 17, 2007
36
2
If, and that obviously is an IF, that is what happened then Apple should not claim that the images were not stolen due to weaknesses in their security. In fact, this is an even bigger potential hole in their security in my opinion. And to those who want to make it the victims' fault that these photos were stolen: You are messed up in the head.

If I sell you a steel door with a steel dead bolt and you leave it closed but unlocked because it's inconvenient for you to spend the 3 seconds to unlock it when you come home, it is not my (the vendor's) fault.

No one deserves to have her account hacked, but Apple cannot be faulted (any longer) for someone who chooses a password that can be guessed, or fails to enable 2-factor authentication.
 

Velin

macrumors 68000
Jul 23, 2008
1,988
1,862
Hearst Castle
This is why it was a terrible idea to force iOS users to use iCloud for contacts info. I never wanted anything in iCloud, including contacts. Let us sync contacts locally, in iTunes.

Screw iCloud.
 

bozzykid

macrumors 68020
Aug 11, 2009
2,430
492
Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Hackers have been using these tools though. There is no "may". Maybe they didn't use them in the celebrity photos case, but they have been used to access iCloud.
 

haruhiko

macrumors 604
Sep 29, 2009
6,529
5,874
If I sell you a steel door with a steel dead bolt and you leave it closed but unlocked because it's inconvenient for you to spend the 3 seconds to unlock it when you come home, it is not my (the vendor's) fault.

No one deserves to have her account hacked, but Apple cannot be faulted (any longer) for someone who chooses a password that can be guessed, or fails to enable 2-factor authentication.
Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions :D

"open sesame" :D
 

xli_ne

macrumors 6502a
Mar 3, 2005
790
0
Center of the Nation
I don't recall if it's on by default when a new iDevice is purchased or not. I don't back up to iCloud, but locally on my Mac via iTunes. The only thing that is susceptible is my Photo Stream filled with pictures of coffee and espresso! Very important stuff!

So with your backup scenario, say I magically came across your iCloud username/password, can I just enter that into my iPhone/Mac and your photos will populate on my phone and/or Mac?
 

trevorbsmith

macrumors member
Dec 17, 2007
36
2
It seems clear these tools are being used by hackers to access iCloud backups, so I don't think it's just limited to opinion. I'm not sure what the issue is with the headline -- it doesn't imply that it was the method of attack for the celebrity hacking, just that it's a phenomenon that's ongoing. What is misleading?

The headline suggests that Apple's 2-factor authentication does not prevent the "hackers" from using the "law enforcement tools" to get into iCloud backups. That is false, as can be seen from just reading the actual posts on the AnonIB board about how they are "hacking" into the accounts.

They are just guessing security question answers.

If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools" (which, by the way, is misleading, because the software is just a program built by a for-profit company and sold to anyone who wants it, for a profit, so it is equally accurate to call it a "hacking tool for evil doers"--the company doesn't give a **** who buys their software and MUST know that these AnonIB users are using it).

----------

Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions :D

"open sesame" :D

The steel deadbolt is the 2-factor authentication in this analogy.
 

trevorbsmith

macrumors member
Dec 17, 2007
36
2
This is why it was a terrible idea to force iOS users to use iCloud for contacts info. I never wanted anything in iCloud, including contacts. Let us sync contacts locally, in iTunes.

Screw iCloud.

What is REALLY a terrible idea is the new iOS 8 where ALL photos are going to be stored online by default.

I don't bother with that now, mostly because it sucks up huge amounts of online storage and I'm not going to pay Apple for storage. But also, screw online storage of images. That's just a bad idea generally.

I have not yet seen if Apple will be providing a way to turn OFF online storage of photos in iOS 8. If not, I will not migrate. I would hate it if I have to actually start using Android just to avoid exposing my life to (real) haxxors, because I hate Android.
 

rGiskard

macrumors 68000
Aug 9, 2012
1,800
955
Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions :D

"open sesame" :D

Yeah, and it had a little swinging pet door in it, but Apple has since patched it. :p
 

bozzykid

macrumors 68020
Aug 11, 2009
2,430
492
If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools"

Simply not true. You can download iCloud backups if you have the email and password. That is the problem. The whole point of 2-factor authentication is if someone gets your username and password, they still couldn't access your information. In this case, Apple doesn't require 2-factor authentication which seems to be a huge problem since what you can access without it is your entire iCloud backup.
 

jclo

Managing Editor
Staff member
Dec 7, 2012
1,969
4,300
The headline suggests that Apple's 2-factor authentication does not prevent the "hackers" from using the "law enforcement tools" to get into iCloud backups. That is false, as can be seen from just reading the actual posts on the AnonIB board about how they are "hacking" into the accounts.

They are just guessing security question answers.

If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools" (which, by the way, is misleading, because the software is just a program built by a for-profit company and sold to anyone who wants it, for a profit, so it is equally accurate to call it a "hacking tool for evil doers"--the company doesn't give a **** who buys their software and MUST know that these AnonIB users are using it).

The headline suggests that there is a tool available to hackers that lets them access iCloud backups even if two-factor authentication is enabled, which is true. Answering someone's security questions may be the main way a user name and password is obtained, but what about someone who uses the same password in multiple locations and is hacked? Even if that person has two-factor authentication enabled their content is accessible.

I did clarify in the post that two-factor authentication is useful for preventing people from obtaining an Apple ID and password via password resets/guessing security questions -- I didn't mean to imply that it was totally worthless.
 