Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[iBug2]

Except the door in this case was locked and BROKEN INTO. God, why doesn't school teach logic, reasoning, and analogies.

It wasn't supposed to be an analogy for this event. I was simply saying that people can share some of the blame when a crime happens and victim blaming is not de-facto wrong.

But if you want an analogy specifically for this event, here's one for you and only for you.

If you lock your door and leave the key under the fake rock, which sits conveniently among 3 other rocks on your mattress, you are partly to blame.

Happy?

 

[tbrinkma]

You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

No. It's the fault of the person who hacked into their account.
It's no more the fault of the victim here than it is when someone gets mugged.

 

[Tumbleweed666]

There is actually no requirement that answers to these "security questions" have to be truthful. "Name of your high school" = 39dji39afnaloef is perfectly fine and reasonably secure.

Not any more dude

 

[Fabricman112]

People are still going to believe it's Apples fault because of the misleading media but I just hope this won't hurt Apple in any way.

basically it IS apples fault.. they could easily force multi factor authentication on us.. I´d rather have a 4 digit pin-code on my iPhone and respond with another pin
than aYB)tVA8!skpqNnEÖmcbqapRzH6ü-password

but that security would mean would have to expand their servers/hardware and cost some $$

why can we use simple authentication?? there are way safer methods today

 

[MacSince1990]

Yep, I've thought about it. Still stupid to have such a simple password.

For the love of God.

YOU DON'T EVEN KNOW WHAT THEIR PASSWORDS WERE. Your assumptions, and the asinine conclusions you draw are absolutely mind blowing.

If they were stupid to take naked pictures of themselves, then they were stupid enough to have a weak password.

Again, chock full of stupid.

I would say MOST people these days under 40 take naked pics of themselves. The fact that your body isn't pic-worthy does not make you morally superior to others.

 

[firewood]

Stop blaming the victims.

If saying "stop blaming the victims" is correlated with a statistical increase in this crime next year, then maybe the one partially to blame are the ones saying this instead of doing something else more positive. It's basic numeracy.

 

[gnasher729]

Apple confirmed that some photos were stolen from icloud accounts. They obviously did not confirm all leaked photos were stolen from icloud accounts.

What I read was that Apple confirmed that some people had weak passwords. I didn't read them confirming that some photos were stolen from iCloud accounts.

 

[Keirasplace]

Well, they didn't leave the door open, instead the lock in the door wasn't the best one you could get. The door was still locked and the thieves still had to break in.

Stop blaming the victims.

The house analogy is pretty poor anyway, your house is in no way exposed to the traffic and diversity of people that is on the Internet.

It would be more like having a combination bike lock having 1234 as a combination and you leaving your bike locked with it on a busy street. Most people wouldn't touch your lock or bike, but the first person who does, maybe a bored of teenager, could take your bike without having to cut the lock!

But, even if you get a massive U lock, you can steal get your bike stolen. Least likely, but still possible.

So, no, blaming the victim but we can't be naive and think we live in an utopia either.

 

[flux73]

Settings > iCloud
1. Turn off iCloud Photo Syncing
2. Turn off iCloud backups

Done.

Some shots you might want backed up, some you might not. A button option built into Camera lets you do it disable it whenever you want, rather than going in and out of another app to do it.

 

[SMIDG3T]

For the love of God.

YOU DON'T EVEN KNOW WHAT THEIR PASSWORDS WERE. Your assumptions, and the asinine conclusions you draw are absolutely mind blowing.



Again, chock full of stupid.

I would say MOST people these days under 40 take naked pics of themselves. The fact that your body isn't pic-worthy does not make you morally superior to others.

Oh, you take naked pictures of yourself? Ha, take a chill pill.

 

[tbrinkma]

what about the recently fixed ibrute exploit on github?

I'm not trying to hang apple here, I just have a hard time believing all of these concurrent leaks were from social engineering alone

The hacks weren't concurrent. People have been grabbing and trading these images for a while now, someone just decided to do a big, public release of them all at once.

 

[kerrikins]

So... Does this actually rule out whether or not 'iBrute' could be used to forcibly target these accounts over and over again? Because it doesn't seem like this actually says that that's the case, just blames it on weak passwords.

 

[apolloa]

There was a backdoor issue. It allowed unlimited login attempts but had to be through a specific service's interface into iCloud...and was accomplished with a special script. It wasn't something as obvious as being able to simply try logging in an unlimited amount of times with any user account through any iCloud interface.

There is no way in hell I'm looking for "proof" for you, you're the conspiracy theorist here.

And that's not how photo stream works...it's obvious you don't know jack**** about Apple's tech, why are you here?

So rather then post proof to back up your 'claims' you decide to insult me, nice.
I'm no conspiracy theorist either, plenty of people on here have already claimed you can / could make as many password attempts as you liked.

But I did find this:

The timing of Sunday's leak also implicated Apple because HackApp posted a proof of concept exploit for an iCloud flaw the day before, on Saturday. The "iBrute" vulnerability flooded the Find My iPhone website with password attempts without being locked out. Apple patched the FMF brute force vulnerability yesterday and now locks an Apple ID after five unsuccessful Find My iPhone password attempts.

From here:
http://www.zdnet.com/apple-releases...y-photo-breach-denies-culpability-7000033216/

 

[jont-fu]

Again, you can not crack even an unsafe password with only 5 attempts!

That limit must be related to IP address or time, for example 5 attemps in an hour. Otherwise anybody could lock other people's accounts just like that.

If the limit is 5 attemps in an hour, you would need 4 days to go through the 500 most used passwords list.

If the limit is by IP address, you would need a botnet of 100 machines to go through the list and get results immediately.

See, it's hard to limit the amount of attemps if somebody uses a weak password. That's because the legitimate account owner also has the right to make mistakes sometimes and not get locked out of their account.

 

[Iconoclysm]

A point people don't want to see or admit to. ALL of Apples systems should lock you out if you enter the wrong password too many times, in fact all online systems should do that regardless.

And that is EXACTLY how they are configured to do things. Today, yesterday, last year. That is exactly why what happened with find my phone was called a backdoor. It happens to every tech company out there at some point or another, but again...you aren't paying attention to the details of that specific crack.

You may think I'm defending Apple here, but this is simply injecting facts into your uninformed argument. Facts that pretty much make 90% of what you're whining about a moot point.

 

[iBug2]

The house analogy is pretty poor anyway, your house is in no way exposed to the traffic and diversity of people that is on the Internet.

You're kidding right? Your house is more exposed especially if you live in a crowded neighbourhood. For people to attack your house they don't need to know anything about the house or who lives inside. For people to attack your icloud, they need to know your email to begin with.

 

[Iconoclysm]

So rather then post proof to back up your 'claims' you decide to insult me, nice.
I'm no conspiracy theorist either, plenty of people on here have already claimed you can / could make as many password attempts as you liked.

Yes, all of them just as misinformed as you. This is why groups of apple haters never, ever, get their facts straight.

 

[phillipduran]

They need to bring the downvote button back.

Yes they do.

5 people upvote something and you think it is getting community acceptance.If you had down votes, you would see there are 5000 down votes and only 5 people who agree with them. It makes upvotes meaningless if you don't have something to compare it to.

 

[mozumder]

I am because I'm not stupid enough to use pathetically small passwords.

Why would people that use small passwords be stupid?

You do know that people that have won Oscars are smarter than you, right?

In life, the people that win Oscars are superior to you. They have a higher social status than you do.

Again, this is 100% Apple's fault for having such a bad design.

 

[innominato5090]

The key phrase here for me is "and security questions". Most of those questions are biographical, and most celebrity biographies are well known.

I've always thought it was silly to say that the name of my high school was a security question-- there is nothing secure about that information.

So spot on. Easy-to-infer security questions are an overlooked problem. TIP: get into the habit of generating them randomly just like you do for your passwords.

 

[rGiskard]

So no mention of Apple's failure to secure iCloud's Find My Phone against brute force PW attacks?

Yeah, the celebs should have used better passwords, just like 90% of everyone else out there. But Apple shouldn't have left a brute force backdoor in iCloud, and Apple should know better, unlike computer illiterate users.

 

[miamialley]

I'd like to know what Apple considers a "weak" password.

Also, there is no way they all had a password like "password." Brute force HAD to be involved. Even if they use a top 50 password the hackers still SHOULD have gotten locked out during repeated attempts!

 

[iBug2]

Yes they do.

5 people upvote something and you think it is getting community acceptance.If you had down votes, you would see there are 5000 down votes and only 5 people who agree with them. It makes upvotes meaningless if you don't have something to compare it to.

May not be the case.

 

[gnasher729]

you raise a very good point. on many systems after 3 or so (sometimes the limit is 10) incorrect guesses it not only temporarily locks the account but it sends a notification email stating what is going on. that would have given these women time to act...to go in and change passwords and change security questions again...or contact apple and put a temp hold on everything.

That's called a "Denial of Service Attack" (DoS attack). Guess which username someone would use, try to get to their account with random passwords until you and they are locked out.

 

[bpeeps]

Don't you just HATE women? I mean, they're just so STU-- oh crap, sorry, we're not supposed to have our misogyny meetings in public.

I think you may have misunderstood the context here. They weren't calling females stupid for having weak passwords. They were responding to a post that mentioned the odds of hacked celebrities all having poor passwords was low. When in fact, the odds are pretty high given the thousands of female celebrities to pool from.

But I appreciate you attempting to call out misogynists.