MacRumors Forums > News and Article Discussion > MacRumors.com News Discussion
Old Sep 2, 2014, 09:19 PM   #26
trevorbsmith
macrumors member
 
Join Date: Dec 2007
Quote:
Originally Posted by haruhiko View Post
Just tried the step suggested by these guys.

Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown! I didn't go any further but it made me very worried about my security questions. I'd better enter some password-like stuff in the answer fields.
Then set up 2-factor authentication. There will no longer exist any security questions for your account. Problem solved.
Old Sep 2, 2014, 09:19 PM   #27
haruhiko
macrumors 68030
 
Join Date: Sep 2009
Quote:
Originally Posted by xli_ne View Post
I still don't understand how they got their username/email address
People use the same login / e-mail address / password everywhere.
__________________
rMBP'12 15" 2.3GHz, iPad Air 2 LTE 64GB, iPhone 6 Plus Space Grey 128GB
iMac'08/24",Mini'09,MBP'10/15",MBA'11/13". iPhone 5s,5,4S,4,3GS. iPT: 3,1. iPad: Air,4,3,2,1,Mini2. ATV'12,'11, AEBS'09,TC'13.
Old Sep 2, 2014, 09:19 PM   #28
mozumder
macrumors 6502a
 
Join Date: Mar 2009
Quote:
Originally Posted by Trapezoid View Post
Seems like some of these "hacks" can be used on any site you can think of. Pretty scary.

I don't know how any company can prevent things like this.

Couple that with weak or same passwords across multiple sites and it becomes easy for anyone to do this.
There are plenty of authentication systems that could be used to prevent this.

Apple has 2-factor. That should have been the default, instead of optional.

A simple phone call to reset passwords would be a lot less tempting for hackers than a hacker-friendly web reset.

Apple also could have used TouchID.

And so on.
Old Sep 2, 2014, 09:20 PM   #29
Glassed Silver
macrumors 6502a
 
Join Date: Mar 2007
Location: Kassel, Germany
Time for Apple to realize that people do have and take these kinds of photos of either themselves or their partners.

It'd be nice if they allowed people to mark photos like these with a tag or something so you can hide them in the Photos app or have them in a password protected/Touch ID protected vault.
Also, these would be exempt from Photo Stream and other possible higher security decisions could be made.

OR: Of course they can pretend people just don't do that, everyone is living in a Disney world where nudity doesn't even exist and keep on going the same way.

I don't blame Apple, I just hope that MAYBE this could be a reminder for Apple to acknowledge that people do have files they want to treat differently.

Glassed Silver:mac
__________________
Last login: Sat May 5 22:52:51 on ttys000
Society-System:~ dumbnut$ rm -rf ~/Library/mind.db ~/Library/Frameworks/tolerance ~/Library/Frameworks/commonsense ~/integrity ~/individuality
Old Sep 2, 2014, 09:21 PM   #30
Trapezoid
macrumors 65816
 
Join Date: Mar 2014
Quote:
Originally Posted by mozumder View Post
There are plenty of authentication systems that could be used to prevent this.

A simple phone call to reset passwords would be a lot less tempting for hackers than a hacker-friendly web reset.

Apple also could have used TouchID.

And so on.
True, I wonder why companies don't take measures like this. It's like you don't even have to have any knowledge of hacking to do this. Pretty scary.
__________________
Promised land.
Android Messiah. <-- Dude's shirt says "Roots". Yeah.
Old Sep 2, 2014, 09:21 PM   #31
xli_ne
macrumors 6502a
 
Join Date: Mar 2005
Location: Center of the Nation
Quote:
Originally Posted by SandboxGeneral View Post
Social engineering, the black web, search engines and such, plus a ring of underground bad guys collaborating, together, achieve this and more.
I suppose.

And are iCloud backups set by default? I always thought they were but looking at my phone, I don't even back up to iCloud.
__________________

"The secret to creativity is knowing how to hide your sources."
- Albert Einstein

Old Sep 2, 2014, 09:21 PM   #32
jclo
Editor
 
Join Date: Dec 2012
Location: California
Quote:
Originally Posted by apolloa View Post
I think you need to change the headline for this article, so you are not claiming that someone's opinion is fact.

Hackers Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication

Should be changed to:

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Quote:
Originally Posted by Rogifan View Post
Yes, this headline is VERY misleading.
It seems clear these tools are being used by hackers to access iCloud backups, so I don't think it's just limited to opinion. I'm not sure what the issue is with the headline -- it doesn't imply that it was the method of attack for the celebrity hacking, just that it's a phenomenon that's ongoing. What is misleading?
Old Sep 2, 2014, 09:22 PM   #33
SleeplessChaos
macrumors newbie
 
Join Date: Oct 2011
Quote:
Originally Posted by Trapezoid View Post
Seems like some of these "hacks" can be used on any site you can think of. Pretty scary.

I don't know how any company can prevent things like this.

Couple that with weak or same passwords across multiple sites and it becomes easy for anyone to do this.
Actually these methods seem to bypass the password entirely (via pw reset), which is really the main problem.
Old Sep 2, 2014, 09:23 PM   #34
SandboxGeneral
Moderator
 
Join Date: Sep 2010
Location: The New World
Quote:
Originally Posted by xli_ne View Post
I suppose.

And are iCloud backups set by default? I always thought they were but looking at my phone, I don't even back up to iCloud.
I don't recall if it's on by default when a new iDevice is purchased or not. I don't back up to iCloud, but locally on my Mac via iTunes. The only thing that is susceptible is my Photo Stream filled with pictures of coffee and espresso! Very important stuff!
__________________
"Gee, I've been on this diet only ten minutes and I've already lost something, my sense of humor."
Old Sep 2, 2014, 09:23 PM   #35
trevorbsmith
macrumors member
 
Join Date: Dec 2007
Quote:
Originally Posted by jdawgnoonan View Post
If, and that obviously is an IF, that is what happened then Apple should not claim that the images were not stolen due to weaknesses in their security. In fact, this is an even bigger potential hole in their security in my opinion. And to those who want to make it the victims' fault that these photos were stolen: You are messed up in the head.
If I sell you a steel door with a steel dead bolt and you leave it closed but unlocked because it's inconvenient for you to spend the 3 seconds to unlock it when you come home, it is not my (the vendor's) fault.

No one deserves to have her account hacked, but Apple cannot be faulted (any longer) for someone who chooses a password that can be guessed, or fails to enable 2-factor authentication.
Old Sep 2, 2014, 09:26 PM   #36
Velin
macrumors 65816
 
Join Date: Jul 2008
Location: Hearst Castle
This is why it was a terrible idea to force iOS users to use iCloud for contacts info. I never wanted anything in iCloud, including contacts. Let us sync contacts locally, in iTunes.

Screw iCloud.
Old Sep 2, 2014, 09:27 PM   #37
bozzykid
macrumors 68000
 
Join Date: Aug 2009
Quote:
Originally Posted by apolloa View Post

Hackers May Be Using Law Enforcement Tools to Access iCloud Backups Unprotected by Two-Factor Authentication
Hackers have been using these tools though. There is no "may". Maybe they didn't use them in the celebrity photos case, but they have been used to access iCloud.
Old Sep 2, 2014, 09:27 PM   #38
haruhiko
macrumors 68030
 
Join Date: Sep 2009
Quote:
Originally Posted by trevorbsmith View Post
If I sell you a steel door with a steel dead bolt and you leave it closed but unlocked because it's inconvenient for you to spend the 3 seconds to unlock it when you come home, it is not my (the vendor's) fault.

No one deserves to have her account hacked, but Apple cannot be faulted (any longer) for someone who chooses a password that can be guessed, or fails to enable 2-factor authentication.
Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions

"open sesame"
__________________
rMBP'12 15" 2.3GHz, iPad Air 2 LTE 64GB, iPhone 6 Plus Space Grey 128GB
iMac'08/24",Mini'09,MBP'10/15",MBA'11/13". iPhone 5s,5,4S,4,3GS. iPT: 3,1. iPad: Air,4,3,2,1,Mini2. ATV'12,'11, AEBS'09,TC'13.
Old Sep 2, 2014, 09:27 PM   #39
BasicGreatGuy
macrumors 68000
 
Join Date: Sep 2012
Location: Atlanta, Ga.
Quote:
Originally Posted by xli_ne View Post
I suppose.

And are iCloud backups set by default? I always thought they were but looking at my phone, I don't even back up to iCloud.
If I remember correctly, a user has to set it up.
__________________
The Bill of Rights is not a Bill of Loopholes.
Old Sep 2, 2014, 09:27 PM   #40
xli_ne
macrumors 6502a
 
Join Date: Mar 2005
Location: Center of the Nation
Quote:
Originally Posted by SandboxGeneral View Post
I don't recall if it's on by default when a new iDevice is purchased or not. I don't back up to iCloud, but locally on my Mac via iTunes. The only thing that is susceptible is my Photo Stream filled with pictures of coffee and espresso! Very important stuff!
So with your backup scenario, say I magically came across your iCloud username/password, can I just enter that into my iPhone/Mac and your photos will populate on my phone and/or Mac?
__________________

"The secret to creativity is knowing how to hide your sources."
- Albert Einstein

Old Sep 2, 2014, 09:29 PM   #41
mozumder
macrumors 6502a
 
Join Date: Mar 2009
A lot of the hack victims are just regular people.. not celebs.
Old Sep 2, 2014, 09:33 PM   #42
trevorbsmith
macrumors member
 
Join Date: Dec 2007
Quote:
Originally Posted by jclo View Post
It seems clear these tools are being used by hackers to access iCloud backups, so I don't think it's just limited to opinion. I'm not sure what the issue is with the headline -- it doesn't imply that it was the method of attack for the celebrity hacking, just that it's a phenomenon that's ongoing. What is misleading?
The headline suggests that Apple's 2-factor authentication does not prevent the "hackers" from using the "law enforcement tools" to get into iCloud backups. That is false, as can be seen from just reading the actual posts on the AnonIB board about how they are "hacking" into the accounts.

They are just guessing security question answers.

If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools" (which, by the way, is misleading, because the software is just a program built by a for-profit company and sold to anyone who wants it, for a profit, so it is equally accurate to call it a "hacking tool for evil doers"--the company doesn't give a **** who buys their software and MUST know that these AnonIB users are using it).

----------

Quote:
Originally Posted by haruhiko View Post
Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions

"open sesame"
The steel deadbolt is the 2-factor authentication in this analogy.
Old Sep 2, 2014, 09:34 PM   #43
SandboxGeneral
Moderator
 
Join Date: Sep 2010
Location: The New World
Quote:
Originally Posted by xli_ne View Post
So with your backup scenario, say I magically came across your iCloud username/password, can I just enter that into my iPhone/Mac and your photos will populate on my phone and/or Mac?
Yes, I believe so.
__________________
"Gee, I've been on this diet only ten minutes and I've already lost something, my sense of humor."
Old Sep 2, 2014, 09:36 PM   #44
trevorbsmith
macrumors member
 
Join Date: Dec 2007
Quote:
Originally Posted by Velin View Post
This is why it was a terrible idea to force iOS users to use iCloud for contacts info. I never wanted anything in iCloud, including contacts. Let us sync contacts locally, in iTunes.

Screw iCloud.
What is REALLY a terrible idea is the new iOS 8 where ALL photos are going to be stored online by default.

I don't bother with that now, mostly because it sucks up huge amounts of online storage and I'm not going to pay Apple for storage. But also, screw online storage of images. That's just a bad idea generally.

I have not yet seen if Apple will be providing a way to turn OFF online storage of photos in iOS 8. If not, I will not migrate. I would hate it if I have to actually start using Android just to avoid exposing my life to (real) haxxors, because I hate Android.
Old Sep 2, 2014, 09:37 PM   #45
xli_ne
macrumors 6502a
 
Join Date: Mar 2005
Location: Center of the Nation
Quote:
Originally Posted by SandboxGeneral View Post
Yes, I believe so.
Quite amazing how simple some of this stuff is.
__________________

"The secret to creativity is knowing how to hide your sources."
- Albert Einstein

Old Sep 2, 2014, 09:37 PM   #46
rGiskard
macrumors 65816
 
Join Date: Aug 2012
Quote:
Originally Posted by haruhiko View Post
Your military grade steel door with a steel dead bolt will automatically open when someone answers a few questions

"open sesame"
Yeah, and it had a little swinging pet door in it, but Apple has since patched it. :P
__________________
Mac Pro 3.46 GHz Hexa-Core W3690, 24 GB RAM, GeForce GTX 680, 6G PCIe SSD RAID
Old Sep 2, 2014, 09:37 PM   #47
bozzykid
macrumors 68000
 
Join Date: Aug 2009
Quote:
Originally Posted by trevorbsmith View Post
If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools"
Simply not true. You can download iCloud backups if you have the email and password. That is the problem. The whole point of 2-factor authentication is if someone gets your username and password, they still couldn't access your information. In this case, Apple doesn't require 2-factor authentication which seems to be a huge problem since what you can access without it is your entire iCloud backup.
Old Sep 2, 2014, 09:37 PM   #48
jclo
Editor
 
Join Date: Dec 2012
Location: California
Quote:
Originally Posted by trevorbsmith View Post
The headline suggests that Apple's 2-factor authentication does not prevent the "hackers" from using the "law enforcement tools" to get into iCloud backups. That is false, as can be seen from just reading the actual posts on the AnonIB board about how they are "hacking" into the accounts.

They are just guessing security question answers.

If you enable 2-factor authentication, there are no more security questions, so you cannot guess the answers, so you cannot reset the password, so you cannot log in, so you cannot download the iCloud backups with the "law enforcement tools" (which, by the way, is misleading, because the software is just a program built by a for-profit company and sold to anyone who wants it, for a profit, so it is equally accurate to call it a "hacking tool for evil doers"--the company doesn't give a **** who buys their software and MUST know that these AnonIB users are using it).
The headline suggests that there is a tool available to hackers that lets them access iCloud backups even if two-factor authentication is enabled, which is true. Answering someone's security questions may be the main way a user name and password is obtained, but what about someone who uses the same password in multiple locations and is hacked? Even if that person has two-factor authentication enabled their content is accessible.

I did clarify in the post that two-factor authentication is useful for preventing people from obtaining an Apple ID and password via password resets/guessing security questions -- I didn't mean to imply that it was totally worthless.
Old Sep 2, 2014, 09:39 PM   #49
cyberlocke
macrumors member
 
Join Date: Mar 2009
Maybe if people just stopped taking nude pictures of themselves . . .
Old Sep 2, 2014, 09:39 PM   #50
xli_ne
macrumors 6502a
 
Join Date: Mar 2005
Location: Center of the Nation
But there still is an inherent flaw with iCloud in that it can be brute forced
__________________

"The secret to creativity is knowing how to hide your sources."
- Albert Einstein


All times are GMT -5. The time now is 09:45 AM.
Copyright 2002-2013, MacRumors.com, LLC