we need a strong campaign educating people about what are and are not good passwords

This isn't even possible. For two reasons.

1) Security "experts" are morons. Or intentionally misleading everyone. All those password requirements about letters, numbers, symbols, at least one capital, etc are complete nonsense. Those do nothing to make a password stronger. LONGER passwords are stronger. UNIQUE passwords are stronger. That's it. A long, all lower case, all alpha password that's not used anywhere else is perfectly strong. Complex (and pointless) password requirements just force people to write them down (often digitally) or reset them often, both of which actually make the password much more compromisable.

2) Security questions are inherently insecure. They're far easier to crack than passwords and basically invalidate any effort put into making a strong password. Any system which requires users to provide security question answers might as well be considered a publicly open repository.
 
If it turns out to be weak passwords, is that really a hack?

If someone leaves their keys in the car and it gets stolen, do you blame the car company?

Based on what we know, the accounts were accessed by brute force password attack. Yes, the users wouldn't have been compromised if they had chosen better passwords, but Apple still left the back door ajar, and Apple KNOWS BETTER.

You want proof? Apple has already quietly closed the back door. This is the software used in the attack. Note the first line of the ReadMe:

The end of fun, Apple have just patched

Someone at Apple effed-up; it happens at every company, even Apple, even under Jobs. This is a rather trivial eff up compared to the iPhone 4's botched antenna IMO. Hopefully it's a teachable moment for the public on the need for secure passwords, and more importantly, Apple should learn something.

Rigby nailed it:
A well designed security system needs to be reasonably convenient. Apple's current system is not. You cannot expect people to pick passwords consisting of 20 random characters when at the same time you force them to enter said password on a mobile device all the time. It's just not practical.
 
Am I missing something? Hacking a password etc., there are tools to do that, but how do people find the person's email address in the first place?

Social engineering, the black web, search engines and such, plus a ring of underground bad guys collaborating, together, achieve this and more.
 
Based on what we know, the accounts were accessed by brute force password attack. Yes, the users wouldn't have been compromised if they had chosen better passwords, but Apple still left the back door ajar, and Apple KNOWS BETTER.

You want proof? Apple has already quietly closed the back door. This is the software used in the attack. Note the first line of the ReadMe:



Someone at Apple effed-up; it happens at every company, even Apple, even under Jobs. This is a rather trivial eff up compared to the iPhone 4's botched antenna IMO. Hopefully it's a teachable moment for the public on the need for secure passwords, and more importantly, Apple should learn something.

Rigby nailed it:
Is that proof that this is in fact what was used for all or even some of this?

----------

A well designed security system needs to be reasonably convenient. Apple's current system is not. You cannot expect people to pick passwords consisting of 20 random characters when at the same time you force them to enter said password on a mobile device all the time. It's just not practical.
So what would that well designed security system (that Apple should be using I guess) be?
 
Based on what we know, the accounts were accessed by brute force password attack. Yes, the users wouldn't have been compromised if they had chosen better passwords, but Apple still left the back door ajar, and Apple KNOWS BETTER.

You want proof? Apple has already quietly closed the back door. This is the software used in the attack. Note the first line of the ReadMe:



Someone at Apple effed-up; it happens at every company, even Apple, even under Jobs. This is a rather trivial eff up compared to the iPhone 4's botched antenna IMO. Hopefully it's a teachable moment for the public on the need for secure passwords, and more importantly, Apple should learn something.

Rigby nailed it:

So much wrong here. Based on what we know, and not speculation, ibrute wasn't used and there was no breach of icloud or find my iphone. Man, it's crazy that people can post this in the very thread that proves this wrong!
 
You bet I am. We are all the same. What makes them special? Nothing. If they used weak passwords, that's their fault.

so if somebody broke into your home and murdered your family, it'd be your fault for not having a commercial steel door frame? hmm...
 
So much wrong here. Based on what we know, and not speculation, ibrute wasn't used and there was no breach of icloud or find my iphone. Man, it's crazy that people can post this in the very thread that proves this wrong!

People will believe what they want to believe, and unfortunately a conspiracy is much more interesting than "your passwords sucked"!
 
If you want to blame the victims go ahead. I don't blame them for what the hackers did, and you're not going to get me to go along with you on that.

Yes, let's tell people to use weak passwords, because if you get hacked, then you become a victim and are not responsible for anything.

If you had read the post I was responding to, you would have the context clues to understand my comment was sarcasm.
 
Apple suggests that all iCloud/Apple ID users should have a strong password and enable two-step verification to avoid similar hacking attempts.

Apple is trying to cover up their security issues with this bogus statement. The fact is, iCloud backups are not protected by 2-factor authentication. This is a huge omission and is one of the many reasons Apple's 2-factor authentication is poorly implemented and not very secure.
 
Based on what we know, the accounts were accessed by brute force password attack.

What's your source on that? Brute force could be one possibility but so are others like security questions.

This is the software used in the attack.

You come to that conclusion based on what? That line in the read me just says that Apple fixed it, not that it was used in this case. Seems like you're jumping to conclusions.

so if somebody broke into your home and murdered your family, it'd be your fault for not having a commercial steel door frame? hmm...

So "weak" is somehow equivalent to "not commercial steel"? Stretching.

There are probably users of iCloud and many other sites with passwords like "password" and "12345". That's the equivalent of leaving your door not just unlocked but sitting wide open.
 
So much wrong here. Based on what we know, and not speculation, ibrute wasn't used and there was no breach of icloud or find my iphone. Man, it's crazy that people can post this in the very thread that proves this wrong!

Amen.

Though Apple has taken all the flak, the hacking was not Apple specific. In fact, most of the photos were probably acquired not from hacking but from ex-boyfriends. Naked pictures are not usually for personal consumption, they are sent to people. The biggest security breach has been the people who were given (or took) the pictures originally and then showed them off to others.

Apple has gotten dragged into this mess for no reason other than the company patched a flaw in Find My iPhone around the time that this sleazy ring of celebrity photo collectors was exposed. Somehow the two stories got merged and Apple became the recipient of some very bad PR.
 
So much wrong here. Based on what we know, and not speculation, ibrute wasn't used and there was no breach of icloud or find my iphone. Man, it's crazy that people can post this in the very thread that proves this wrong!

Are you referring to Apple's claims? I doubt they are going to reveal more than they need to.
 
Are you referring to Apple's claims? I doubt they are going to reveal more than they need to.

So again, you're speculating. I think it was google drive brute force. There, both of our statements carry the same weight, that is to say none.
 
Apple is trying to cover up their security issues with this bogus statement. The fact is, iCloud backups are not protected by 2-factor authentication. This is a huge omission and is one of the many reasons Apple's 2-factor authentication is poorly implemented and not very secure.

There's a fair reason why they are not protected. Imagine having your phone stolen or lost and getting a new phone to get back on track as fast as possible. You need to restore your backup... but where are you going to receive the verification code?

(Of course it's possible to set up another trusted device, but if you know that, you're not going to use a weak password either)
 
You come to that conclusion based on what? That line in the read me just says that Apple fixed it, not that it was used in this case. Seems like you're jumping to conclusions.

Early reports suggest it was used in this case.
 
So again, you're speculating. I think it was google drive brute force. There, both of our statements carry the same weight, that is to say none.

Do you have evidence of Google Drive security problems that would permit a brute force attack?

Apple had a security lapse. We may never know conclusively if that is exactly how the celeb nudes were obtained, but that doesn't change the fact that Apple left the back door ajar.

I'll say it again, it's not a huge deal, EVERY computer company has security lapses of some form at some point. It's very odd that some feel the need to defend Apple so vigorously on this...
 
Not only are there lots of encrypted storage iOS apps (some with source code you can audit), but you can also write the answers down where you won't lose them (passport, bank deposit box, etc.)
I know how it CAN be done, but I was specifically asking nostaws. I'm curious what he/she gains by using an invented system to create real-looking locations and dates for answering security questions. Whether you use sticky notes or a password manager, it seems to me that random strings are the safest answers.
 
Early reports suggest it was used in this case.
And it seems that later ones (when actually more information was gathered and more investigation took place) suggest that it wasn't. So...
 
What does this have to do with women? There are boatloads of pretty boys who are just as dumb—I wouldn't be surprised if more men have insecure passwords. Source: I'm a man who used to have somewhat insecure passwords. ...

My comment was in reply to someone who said "All looks and no brains..." I was being sarcastic, thus the eye-roll emoji.
 
Apple is trying to cover up their security issues with this bogus statement. The fact is, iCloud backups are not protected by 2-factor authentication. This is a huge omission and is one of the many reasons Apple's 2-factor authentication is poorly implemented and not very secure.

I nearly switched off Apple's 2-factor verification after it failed to send me a confirmation code to all of my devices and my phone after 10 minutes.
 
If it turns out to be weak passwords, is that really a hack?

If someone leaves their keys in the car and it gets stolen, do you blame the car company?

Oh stop with the analogies, of course it's partly Apple's fault based on the evidence so far, as has already been said on here, they have used a system to randomly guess passwords to access the accounts, it is Apple's fault for having a hole to allow that and not locking accounts after 4 or 5 wrong password entries.
 
Do you have evidence of Google Drive security problems that would permit a brute force attack?

Apple had a security lapse. We may never know conclusively if that is exactly how the celeb nudes were obtained, but that doesn't change the fact that Apple left the back door ajar.

I'll say it again, it's not a huge deal, EVERY computer company has security lapses of some form at some point. It's very odd that some feel the need to defend Apple so vigorously on this...

I find it odd that stating facts is defined as "defending apple vigorously"

I'm doing no defending at all. I'm reviewing the FACTS of the case and drawing conclusions based on those facts. I'm not speculating and letting my emotion cloud my judgement.

If new facts come out in the case showing that it was a brute force attack, I'll criticize apple as they rightly should be.
 
Oh stop with the analogies, of course it's partly Apple's fault based on the evidence so far, as has already been said on here, they have used a system to randomly guess passwords to access the accounts, it is Apple's fault for having a hole to allow that and not locking accounts after 4 or 5 wrong password entries.

So you are okay with the fact that anybody who knows your email address could lock your account by entering 5 random passwords in a login box?
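
The trade-off argued over in the last two posts (locking after 4 or 5 wrong entries versus letting anyone who knows the email address lock the account) is commonly handled by throttling instead of locking. The sketch below is an added example, not part of any post and not Apple's implementation; the class name, function names and thresholds are all assumptions.

```python
from collections import defaultdict

# All names and thresholds below are illustrative assumptions.
FREE_FAILURES = 4      # wrong entries tolerated before delays start
BASE_DELAY = 2.0       # seconds, doubled on each further failure
MAX_DELAY = 3600.0     # cap: the wait is bounded, never a permanent lock


class LoginThrottle:
    """Slows guessing per (account, source) instead of locking the account."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = defaultdict(float)

    def allowed(self, account, source, now):
        """True if this source may try a password for this account at `now`."""
        return now >= self.blocked_until[(account, source)]

    def record(self, account, source, success, now):
        """Register an attempt; return seconds this source must now wait."""
        key = (account, source)
        if success:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return 0.0
        self.failures[key] += 1
        extra = self.failures[key] - FREE_FAILURES - 1
        if extra < 0:
            return 0.0
        delay = min(BASE_DELAY * 2 ** extra, MAX_DELAY)
        self.blocked_until[key] = now + delay
        return delay


def guesses_in_window(throttle, account, source, seconds):
    """Guesses one source gets in `seconds` if it retries the moment each
    delay expires (constructed scenario)."""
    now, made = 0.0, 0
    while now <= seconds:
        made += 1
        now += throttle.record(account, source, False, now)
    return made
```

With these numbers a single source gets 38 guesses in 24 hours, while the account owner on a different source is never blocked. Counting per source does not slow guessing spread across many sources, so a per-account failure count that triggers a second factor or a CAPTCHA, rather than a lock, is the usual complement.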
 