Legit user just resets password. Issue resolved.

Unless of course the first step is to check for piss poor security questions and get in by resetting the password. And immediately change the credentials to keep the real user out.

Yes, that's so simple. The problem is that you need to authenticate the person who does the password reset. And if the account is locked, what keeps the hacker from trying to do password resets?

Any password reset is a huge security problem. You had this excellent password that took you weeks to remember, but now you know it. And suddenly you have to find a new one. That won't help security.
 
...this isn't blaming a victim about having no bars on their window, it's blaming the landlord for not putting bars on the window, and it turns out the victim left their front door open.

Nope, more like the victim left the keys at a viewing distance from the window, the thief needed to keep getting extensions for his rod continuously all day and the apple cops never went to check her house. The key was easy to get, but time consuming and no one came to check the suspicious activity even in broad daylight.
 
Guessing passwords isn't much of a hack.

Not having exponentially increasing login delays after failed attempts is epic fail.

Disabling an internet accessible account after n failed login attempts is a bad idea. Script kiddies would disable random accounts to make your day.

Having 'exponentially increasing login delays' is just as bad unless you cap that increase somewhere south of a minute. If a DOS can make it so that your account can't be accessed for a minute, it's *trivial* to keep someone out of their own account with a DOS. It doesn't happen often because most people are more concerned with getting at what's *in* the account, but if your delay is long enough griefers (rather than crackers) will take advantage of it to cause people problems.
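The trade-off argued in the posts above (uncapped exponential login delay versus a delay capped below a minute), as an added example that is not part of any post in this thread. The class name, the 1-second base delay, the 30-second cap and the account name are assumptions chosen for illustration.

```python
"""Capped vs. uncapped exponential login delay, keyed per account (added example)."""
from dataclasses import dataclass, field

ACCOUNT = "victim@example.com"  # constructed sample account name


@dataclass
class LoginThrottle:
    base_delay: float = 1.0    # assumed: 1 s delay after the first failure
    max_delay: float = 30.0    # assumed cap, "south of a minute"
    failures: dict = field(default_factory=dict)       # account -> consecutive failures
    blocked_until: dict = field(default_factory=dict)  # account -> timestamp

    def delay_for(self, n_failures: int) -> float:
        """Delay after the n-th consecutive failure: base * 2^(n-1), capped."""
        if n_failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (n_failures - 1), self.max_delay)

    def attempt(self, account: str, now: float, password_ok: bool) -> str:
        if now < self.blocked_until.get(account, 0.0):
            return "throttled"  # rejected unchecked; does not extend the delay
        if password_ok:
            self.failures.pop(account, None)
            self.blocked_until.pop(account, None)
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        self.blocked_until[account] = now + self.delay_for(n)
        return "denied"


def simulate(max_delay: float, duration: int = 3600):
    """One wrong guess per second against one account for `duration` seconds.

    Returns (guesses the server actually evaluated, longest delay the
    account owner could be made to wait because of those failures).
    """
    throttle = LoginThrottle(max_delay=max_delay)
    evaluated, worst_wait = 0, 0.0
    for t in range(duration):
        if throttle.attempt(ACCOUNT, float(t), password_ok=False) == "denied":
            evaluated += 1
            worst_wait = max(worst_wait, throttle.delay_for(throttle.failures[ACCOUNT]))
    return evaluated, worst_wait


if __name__ == "__main__":
    print("capped at 30 s:", simulate(30.0))
    print("uncapped:      ", simulate(float("inf")))
```

Over one hour of constant guessing, the capped throttle evaluates 124 guesses and never makes the owner wait more than 30 seconds; the uncapped one evaluates 12 guesses, but the last failure blocks the account for 2048 seconds.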
 
Nope, more like the victim left the keys at a viewing distance from the window, the thief needed to keep getting extensions for his rod continuously all day and the apple cops never went to check her house. The key was easy to get, but time consuming and no one came to check the suspicious activity even in broad daylight.

But that's not what happened. That's what someone claims might have happened, but it's not what happened. The victim left the door open. Some "security researcher" in quotation marks noticed that if a victim left their key near the window, someone might get it without being noticed. But in reality, the thief came through the open door. And while the landlord was first blamed for not putting bars on the window, you now blame him for some hypothetical problem that wasn't the cause of the break-in either.
 
Steve would have called the guy a Bozo and fired him (and probably a good chunk of his surrounding team) - the second step is what Tim should do for this (whomever made the decision to ignore this brute force vulnerability) - it's too big an issue to let this slide by for whichever IT guy made the call to ignore it. JMHO...

I think that's what he did with the mobile me fiasco.
 
Apple should have addressed icloud sooner but there were things on the other side of the celeb hacking incident that could have been done to minimize catastrophic fallout.

I feel especially bad for Jennifer Lawrence. I can't see her career coming out unscathed over this.


What? She will be just fine! This won't affect ANY celebrity in any way other than a bit of embarrassment. These leaks are stolen leaks. It's not like she put these out herself. People feel for her. They aren't against her at all.
 
Because then he'd be an invisible Apple employee. He wouldn't be able to blather freely and become a (minor) internet celeb ;)

If he's a minor internet celeb, he better get some good passwords. And don't put any nude selfies onto iCloud. :eek:
 
On September 1, 2014, hackers breached the iCloud accounts of many well-known actresses

Is that really what happened? It sounds like hackers had been collecting those pictures for months if not years, they just started releasing a bunch all at once on that day. And while some were from getting iCloud passwords, it sounded like some were from other sources, even some pictures taken with android phones.

Not trying to downplay Apple's failure to shut down multiple attempts, just take issue with making it sound like hackers got into "many" iCloud accounts in one day.
 
Let's just acknowledge that Apple isn't perfect, these things happen to all big tech companies.

However, if this is true, that they knew about the "brute force" vulnerability, it's really worrying. It will most likely mean the sacking of an Apple security employee.

Apple? Please focus.
 
This article seems to be saying a brute force method is how the accounts were breached, yes?

That's not the story that's been reported for weeks now. The reported story is that this was done by obtaining (through Facebook, Wikipedia, etc) the answers to security questions.

I understand that this guy wants to make himself look good and Apple look bad, but unless all the reports have been wrong to this point, what he's saying may be relevant in some sense but is not why these celebs' accounts were breached.
 
How many celebrities would be able to use iCloud accounts in that case, if all a hacker has to do is guess the username and try to log in five times, to get their account locked?

Because Apple should design iCloud security based on what benefits a celebrity the most. Since we all know, famous people are the number one customer :rolleyes:
 
Is that really what happened? It sounds like hackers had been collecting those pictures for months if not years, they just started releasing a bunch all at once on that day. And while some were from getting iCloud passwords, it sounded like some were from other sources, even some pictures taken with android phones.

Not trying to downplay Apple's failure to shut down multiple attempts, just take issue with making it sound like hackers got into "many" iCloud accounts in one day.

Apple as click bait is gold for your website these days. 'Nuff said.
 
On a side note, that isn't even what happened and MacRumors should be embarrassed to publish this story.
 
Is that really what happened? It sounds like hackers had been collecting those pictures for months if not years, they just started releasing a bunch all at once on that day. And while some were from getting iCloud passwords, it sounded like some were from other sources, even some pictures taken with android phones.

Not trying to downplay Apple's failure to shut down multiple attempts, just take issue with making it sound like hackers got into "many" iCloud accounts in one day.

Right. That's why that one woman (Mary something, never heard of her before this) wrongly assumed that some hacker had used some crazy trick to restore pics of her taken and deleted long before -- they'd had them for a while, but they've never been shared publicly.
 
Throttling login attempts is a common method to help prevent brute force attacks, yes. However, it also has the problem that, if you throttle too far, you can end up creating the possibility of a DOS for a user.



You saw the unrestrained glee with which these folks released 'naughty' pictures of famous actresses, right? Don't you think they'd take equal (or possibly even greater) glee in being able to prevent those same actresses from ever seeing their own email accounts?


I doubt they'd take glee in that. The pictures were most likely the sole intent for the intrusions from everything I've read.
 
You're kidding me right?

Have you ever shopped at Home Depot, Target, Jimmy Johns, Neiman Marcus, Michaels, P.F. Changs, Jewel-Osco, Gap, Nordstrom, T.J. Maxx or even the processors themselves like Heartland who had 100 million cards stolen?

Last year there was a bug that exposed 6 million Facebook users’ personal data in yearlong breach.

Do you hesitate to use any of those services?

Don't get all righteous about not using Apple Pay. If a service is convenient, people will use it regardless of the security risks. Point of sale credit card usage is a perfect example of that.





Surely wouldn't trust them with Apple pay now, imagine your credit card information stolen. :rolleyes:
 
On a side note, that isn't even what happened and MacRumors should be embarrassed to publish this story.

Okay, see, that's what I thought. Some security expert trying to get publicity for himself and make Apple look bad. And they may well be at fault here, but this issue is not what happened with the celebrity leaks, as I understand it.
 
It depends how easily it bends. Most phones can be bent when there's enough force and that's acceptable. However, if the phone bends in totally normal use conditions, then that's an issue.

My total guess on this is that people used to the 4" screen place the phones in their back or very tight jeans without giving a thought that the longer phone will stress the structure of the phone.

Based on these reports, looks like this 6+ phone needs to be treated like an iPad - for women to put it in their purse and for men to take out of their pockets before sitting
 
You realise what you gave as an analogy is just another example of victim blaming, right? For rapes to stop, men need to stop raping. If a man rapes, he is to blame. Attempting to control women by telling them not to walk down alleys and then blaming rape on them if they don't listen to you is victim blaming.

Hello sociology feminist major. "Men need to stop raping"? That's not a prejudicial or offensive statement at all...

I would argue that those doing the raping aren't men, they're monsters. Women can just as easily be monsters; there have been many stories of women teachers having sexual relations with minors. Disgusting, right? Especially since they are in positions of power.

People need to be vigilant with how they conduct themselves in everyday life. So in the iCloud case, people, and especially celebrities, will have to be far more cautious with their password creations and account management styles. Should they have to be more careful? No, but they wouldn't be very wise then.

And going back to the other example from the poster you quoted: yes, absolutely, a lady should probably think twice about walking down the street of a bad area or neighborhood. While she absolutely has a right to walk down the street without being accosted, there are criminals and monsters out there and they don't care about anyone's rights...an unfortunate fact of life. We can all become victims just from minding our own business; this iCloud thing, again, is the perfect example of that.

Another example is if I drive an expensive car and park it in a shady area of town. I have a right not to have my property damaged or taken. Just because I have a right, however, doesn't make me invincible to the bad people out there.

The reality is we all (men, women, children, and celebrities alike) have the potential to be victims. So yes, there is a small element of blame deserved if you've put yourself in a bad situation. Going through life saying "I'm empowered and you can't or shouldn't touch me" is just asking for trouble. The reality is we are all potential victims; if not victims of rape or crime, then victims of our privacy being invaded by hackers or the government. Unfortunately, it seems like witnessing such terrible things is the only way to learn how to be more vigilant. Awful, I know.

Now that there are victims in this iCloud scandal, it's up to the rest of society to find and punish these monsters.
 