So you are okay with the fact that anybody who knows your email address could lock your account by entering 5 random passwords in a login box?

Well, other services have that system and no one has locked me out of those. Plus all you need to do is hit reset password, then you get an email to your email account which can be on your phone, tablet, computer and then reset your password.

You do realise banks lock you out after 2 wrong attempts, right? Well, mine does. Although I don't use my email to log into that.
 
I find it odd that stating facts is defined as "defending apple vigorously"

I'm doing no defending at all. I'm reviewing the FACTS of the case and drawing conclusions based on those facts. I'm not speculating and letting my emotion cloud my judgement.

If new facts come out in the case showing that it was a brute force attack, I'll criticize apple as they rightly should be.

I just presented you with the facts: brute force attacks were possible on iCloud, and then Apple patched the security hole.

What's your horse in this race? Are you a spooked AAPL investor or something?

----------

So you are okay with the fact that anybody who knows your email address could lock your account by entering 5 random passwords in a login box?

That sounds better than having pics of my humongous manhood spread all over facebook.
 
I wish I could say I was surprised by the fact that most people on this liberal-oriented site want to do stupid things and have no responsibility for their decisions, no matter how much they could've changed their own decisions, but I can't.

Since we should never blame the victim, just keep using weak passwords. I'm sure criminals will thank you constantly.
 
I just presented you with the facts: brute force attacks were possible on iCloud, and then Apple patched the security hole.

What's your horse in this race? Are you a spooked AAPL investor or something?

Apple stated that the find my iphone service where the security hole existed was not used in this hack.

What's your horse in this race? Are you an overzealous google worshipper? Hey look, more stupid statements! Is that what we're doing?

Please argue the facts and leave your childish rhetoric out of it.
 
There's a fair reason why they are not protected. Imagine having your phone stolen or lost and getting a new phone to get back on track as fast as possible. You need to restore your backup... but where are you going to receive the verification code?

So because of that, they should just disable secure authentication and let hackers take iCloud data? Somehow Google manages to handle this situation just fine. It isn't hard to set up a trusted device like a computer, since that is what is required to set up 2-factor authentication in the first place.
 
There's a fair reason why they are not protected. Imagine having your phone stolen or lost and getting a new phone to get back on track as fast as possible. You need to restore your backup... but where are you going to receive the verification code?
You can use the machine-generated recovery key that Apple gives you when you set up 2FA. Even better would be if Apple generated a set of one-time backup codes, like Google does with their 2FA implementation. If the user does not have a second trusted device, they could carry a printed backup code in their wallet (note that this is not a security risk, since the password would still be needed together with the code to log in, and the code could be revoked in case the wallet is lost).

Also, Apple should offer more options for delivery of the secondary code, particularly using offline code generators (like Google Authenticator) in case you have no connectivity, and perhaps delivery to a trusted email address.
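The one-time backup code scheme proposed above, written out as an added Python example (this is not Apple's or Google's code; the class and function names are assumptions for illustration). It shows the properties the post relies on: the server keeps only salted hashes of the codes, each code works exactly once, a lost printed sheet can be revoked in one call, and redeeming a code is assumed to happen only after the password has already been verified, so the code is a second factor rather than a bypass.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of one-time backup codes as a second factor.
# Names here are assumptions for this example, not a vendor's real API.

CODE_BYTES = 5  # 40 bits per code: too many to guess online, short enough to print


def _normalize(code):
    # Accept what a user types from a printed sheet: ignore dashes, spaces and case.
    return "".join(ch for ch in code.lower() if ch not in "- ").encode()


def _hash_code(code, salt):
    # Store only a salted, stretched hash; a leaked table yields no usable codes.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code), salt, 10_000)


def _format(hexcode):
    # Group the 10 hex characters as xxxx-xxxx-xx for readability on paper.
    return "-".join((hexcode[0:4], hexcode[4:8], hexcode[8:10]))


class BackupCodeStore:
    """Server-side record of one user's backup codes (hashes only).

    redeem() is assumed to be called only after the password check passed,
    so a code on its own never grants access.
    """

    def __init__(self):
        self.salt = secrets.token_bytes(16)  # per-user salt
        self._hashes = set()

    def issue(self, count=10):
        """Replace any outstanding codes with fresh ones and return the
        plaintext codes once, for the user to print or write down."""
        codes = [_format(secrets.token_hex(CODE_BYTES)) for _ in range(count)]
        self._hashes = {_hash_code(c, self.salt) for c in codes}
        return codes

    def redeem(self, code):
        """Consume a code. True exactly once per issued code; False for an
        unknown, already used or revoked code."""
        digest = _hash_code(code, self.salt)
        for stored in self._hashes:
            # Constant-time comparison against each stored hash.
            if hmac.compare_digest(stored, digest):
                self._hashes.discard(stored)
                return True
        return False

    def remaining(self):
        return len(self._hashes)

    def revoke(self):
        """Invalidate every outstanding code, e.g. when the printed sheet is lost."""
        self._hashes = set()


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue()
    print("print these once:", sheet)
    print("first use:", store.redeem(sheet[0]), "second use:", store.redeem(sheet[0]))
```

Issuing a new set invalidates the old one, and redeem() removes the matching hash rather than flagging it, so replaying a code after use fails without any extra bookkeeping.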
 
Oh, stop with the analogies. Of course it's partly Apple's fault based on the evidence so far. As has already been said on here, they have used a system to randomly guess passwords to access the accounts; it is Apple's fault for having a hole to allow that and not locking accounts after 4 or 5 wrong password entries.
And if most of these were accessed in less than 4 or 5 attempts? Or from even other services and/or places not related to Apple?
 
Oh, stop with the analogies. Of course it's partly Apple's fault based on the evidence so far. As has already been said on here, they have used a system to randomly guess passwords to access the accounts; it is Apple's fault for having a hole to allow that and not locking accounts after 4 or 5 wrong password entries.

You mean the evidence you want to hear? And if it turns out to be simply weak passwords, I'm sure it will still be Apple's fault and never the user's, right?
 
I just presented you with the facts: brute force attacks were possible on iCloud, and then Apple patched the security hole.

What's your horse in this race? Are you a spooked AAPL investor or something?

----------

That sounds better than having pics of my humongous manhood spread all over facebook.
Two sequential related facts don't necessarily imply something else, they can just as easily be two sequential related facts. There's got to be actual evidence/proof to make it something more than just conjecture.
 
So what would that well designed security system (that Apple should be using I guess) be?
The #1 improvement would be not to allow access to any cloud service from an untrusted device without 2-factor authentication (I'm glad to see that Macrumors and other blogs are now finally pointing out this flaw in the current system).

#2 would be not to require people to type their password on iOS devices so often. Ask for it once when setting up the device, then generate an authentication token that is encrypted using a simpler code (such as the device passcode or perhaps the restriction code). Also, for phones with a fingerprint sensor, enable that everywhere, not just for iTunes purchases. These steps would make it more practical for people to use a secure password.
 
This is hardly surprising. I know a lot of people with just numbers for their passwords or just 123456 (or similar). Heck I've seen people use all zeros for their PIN! (I know this because I was in the store and the guy said to the sales clerk, it's all zeroes). :rolleyes:
 
Make something up?
Nobody ever said that these questions have to be answered truthfully.
There is actually no requirement that answers to these "security questions" have to be truthful. "Name of your high school" = 39dji39afnaloef is perfectly fine and reasonably secure.
No one has to provide accurate answers. I don't. I pick a question and use a fictitious answer that only I know.

UPDATE - I see this or similar advice was already given. I should have known. :)
Yes, many people gave that advice. I think they may have been confused-- it wasn't my account that was hacked.

My point is that the approach is broken. It assumes you're tech savvy enough to assume that the biggest companies on the internet are providing you a broken security method that you should intentionally subvert. Why even ask these questions if they're not safe to answer?

And if you are savvy enough, what's the point? Presumably you used a strong password to begin with. Sure, you could provide three other random strings in case you forget the one random string, but what good is that doing anyone?
Just because they ask about your high school doesn't mean you have to use your real high school.

I never use my real birthplace for my "birth place" question. I use a location that only I know.

Also just because of my paranoia I don't use my real birth date when filling out most online stuff. I use a combination of day, year, and month from other people close to me.

Granted I don't make up a new birth date, and location every time I sign up for something, but I use the same fake ones - depending on the level of security I need.
Ok, so you've used a number and a few dictionary words to secure your randomized password. Guess which entry point I'd attack?
When choosing a password use complex strings of mixed case letters, numerals and symbols. Never use personal details that can easily be guessed such as family birthdays or the name of your dog.

If you forget your password you can change it by answering a security question.

What is the name of your dog?
:D Exactly-- much better than I could have stated it.
 
The thing is though, we are simply assuming they used easy passwords or security questions.


Who knows. Maybe they didn't. Maybe hackers were somehow able to get their passwords which were not easy to guess through other methods.

It's highly likely it was through the security questions. If you know and correctly guess an Apple ID's birth date, you only need to answer 2 security questions to get into the account and reset the password. At least half of those questions are stuff you can find on people's Facebook now with a little bit of guessing.

People need to start treating security questions like passwords. Use a random 20 character alphanumeric string for each question and keep them in an encrypted password management app or something.
 
A longer and easier to remember string (for any answer) may be more secure than a short random one. Many people can't remember 8 random digits long enough to type them all in correctly.
http://xkcd.com/936/
I think he's miscalculating entropy here though. Dictionary words don't have the same level of entropy as random digits.
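The entropy argument in the two posts above (the xkcd 936 passphrase versus random digits, and the reply's objection) can be made precise with a small added Python example. This is not code from the thread or from xkcd; the 32-entry word list is constructed for the example and stands in for a published list of 2048 words or more. The point it demonstrates is that entropy comes from the size of the set each choice is drawn from and the number of independent choices, not from the length of the resulting string: four words drawn uniformly from 2048 give 44 bits, more than 8 random digits (26.6 bits) but less than 8 random alphanumerics (47.6 bits), and per typed character a dictionary word is indeed weaker than a random digit. Words a person picks by hand rather than at random carry far less than this.

```python
import math
import secrets

# Constructed word list for the example. A real generator would draw from a
# published list of 2048+ words; the list size is what sets the entropy.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "raven", "saffron", "thistle", "umber", "velvet", "willow", "xenon",
    "yarrow", "zephyr", "beacon", "cinder", "delta", "fable", "grove", "hollow",
]
DIGITS = "0123456789"
ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def entropy_bits(alphabet_size, choices):
    """Entropy of `choices` symbols drawn uniformly and independently from an
    alphabet of `alphabet_size` symbols: log2(alphabet_size ** choices)."""
    return choices * math.log2(alphabet_size)


def generate(alphabet, choices, sep=""):
    """Uniform random secret. Its entropy is entropy_bits(len(alphabet), choices)
    no matter how many characters the resulting string has."""
    return sep.join(secrets.choice(alphabet) for _ in range(choices))


def expected_crack_seconds(bits, guesses_per_second=1e9):
    """Expected time to hit a uniformly chosen secret: half the keyspace.
    The guess rate is a parameter; 1e9/s is a constructed offline figure."""
    return 2 ** (bits - 1) / guesses_per_second


def bits_per_character(alphabet_size, avg_symbol_length):
    """Entropy per typed character. A random digit gives ~3.3 bits per
    character; a random 2048-list word of ~5 letters gives only ~2.2, which
    is the sense in which words carry less entropy than digits."""
    return math.log2(alphabet_size) / avg_symbol_length


def compare_schemes(guesses_per_second=1e9):
    """Bits and expected crack time for the schemes discussed in the thread."""
    schemes = {
        "8 random digits": (10, 8),
        "4 random words, 2048-word list": (2048, 4),
        "8 random alphanumerics": (62, 8),
        "20 random alphanumerics": (62, 20),
    }
    return {
        name: (round(entropy_bits(n, k), 1),
               expected_crack_seconds(entropy_bits(n, k), guesses_per_second))
        for name, (n, k) in schemes.items()
    }


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{secs / 3600:.2e} hours at 1e9 guesses/s")
    print("passphrase from the toy list:", generate(WORDS, 4, "-"),
          f"({entropy_bits(len(WORDS), 4):.0f} bits)")
```

Note that the crack-time column assumes an offline attack against a hash; against an online login that locks or rate-limits after a few attempts, even the 26.6-bit scheme is not brute-forceable, which is the other half of the thread's argument.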
 
A longer and easier to remember string (for any answer) may be more secure than a short random one. Many people can't remember 8 random digits long enough to type them all in correctly.
I don't think anyone should try to remember their passwords anymore. It's fine to memorize a few clever phrases plus digits and punctuation for a few sites, but how many different passwords and passcodes and PINs do we each have these days? Social sites, financial institutions, ATMs, shopping sites, medical record sites, hobby sites, employer intranets, personal records, phone and computer logins, etc.

Make them all strong passwords, use software instead of human memory to track them, and have security and convenience at the same time. You'll no longer have to compromise between secure-enough and easy-to-remember.
 
It was a big holiday weekend, low resources at Apple and most people on holiday. What do you want them to do, issue a press release when they have no information at all, invent stuff? They said right away they were investigating and that's all they could really do initially.

They could have done more.

Apple has more than enough money to have a public relations team that is big enough to cover the holidays.

It didn't take 3 days to figure out what happened. I bet that they knew how the breach happened within an hour of looking into the situation. As a tech company, Apple knows that bad public opinion loses money.

With their iCloud being under attack in the press for 3 straight days world wide, a quicker response was needed. Remember there are countries where Apple is in a dog fight with Samsung for market share (in the high end smart phone market) and this kind of press could hurt that.

----------

This has nothing to do with taking them. Nothing wrong with taking explicit photos. But, if you use a poor password, don't expect your photos, or anything else, not to be stolen. It's sad that it's the case, but that's how it is.

The Internet is like a very busy street: if you leave your purse lying there, expect it to be swiped by someone. So, if your privacy is important to you but you still want to take the pictures, take them with a regular camera (better pictures anyway) and never put them on any device at all. Keep them in a lockbox on an SD card and deliver it in person to the intended person.

So if you have something that is easy for someone to steal, then you are fine with the thief getting away with it.

I doubt you would be that forgiving if you were the one being violated.
 
Rofl@1Password. Right, because that's for security gurus.

Don't be so smug. The password managers are all trash according to this article...

http://www.darkreading.com/risk-management/security-fail-apple-ios-password-managers/d/d-id/1103401?

The sole exception they found in testing a sample of popular apps was Strip Lite, a free password manager from Zetetic. Strip Lite computes an encryption key using 4,000 iterations of PBKDF2-SHA1, together with a per-database salt (random bits). All this makes it very difficult to crack the password it generates, which means that the app does a good job of securing passwords.

One positive is that it says - The security situation improved with the iPhone 4S, the iPad 2, and the new iPad, because all password-cracking attempts must be done on the device itself. This greatly slows attackers because "there are no publicly available exploits that can be utilized to recover the passcode," according to Belenko.

He also says this - Belenko said that he himself had been using 1Password Pro, which may be the most-installed password manager for Apple iOS. But he ceased using it after testing the application's cryptography. "When we recovered my master password in five seconds? That was a moment," he said.

Good luck with 1Password...
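The construction the quoted article credits Strip Lite with (PBKDF2-SHA1 with a per-database salt and an iteration count in the thousands) is easy to show concretely. The following is an added Python example, not Strip Lite's, 1Password's or the article's code; record layout and function names are assumptions. It derives and verifies a key with Python's standard `hashlib.pbkdf2_hmac`, shows that two databases protected with the same master password get different keys because of the salt, and measures how the iteration count multiplies the cost of every single guess, which is exactly the lever that turns a five-second recovery into an impractical one.

```python
import hashlib
import hmac
import os
import time


def derive_key(password, salt, iterations, length=20):
    """PBKDF2-HMAC-SHA1 (the scheme the article attributes to Strip Lite).
    `iterations` is the work factor: every guess costs that many HMACs."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, length)


def create_record(password, iterations=4000):
    """What a well-designed manager stores for a database: a fresh random
    salt, the iteration count, and the derived key, never the password."""
    salt = os.urandom(16)  # per-database salt, as the article describes
    return {"salt": salt, "iterations": iterations,
            "key": derive_key(password, salt, iterations)}


def verify(record, candidate):
    """Re-derive with the stored salt and parameters and compare in constant time."""
    derived = derive_key(candidate, record["salt"], record["iterations"],
                         len(record["key"]))
    return hmac.compare_digest(derived, record["key"])


def seconds_per_guess(iterations, samples=10):
    """Measured cost of one derivation at this work factor on this machine."""
    salt = b"\x00" * 16  # fixed salt: only the timing matters here
    start = time.perf_counter()
    for i in range(samples):
        derive_key(b"candidate-%d" % i, salt, iterations)
    return (time.perf_counter() - start) / samples


def slowdown_factor(iterations, baseline=10):
    """How many times slower one guess is at `iterations` than at `baseline`.
    Scales roughly linearly with the iteration count."""
    return seconds_per_guess(iterations) / seconds_per_guess(baseline)


if __name__ == "__main__":
    rec = create_record(b"correct horse battery staple")
    print("verify correct :", verify(rec, b"correct horse battery staple"))
    print("verify wrong   :", verify(rec, b"correct horse battery stable"))
    for c in (10, 1000, 4000, 100_000):
        print(f"{c:>7} iterations: {seconds_per_guess(c) * 1e3:8.3f} ms per guess")
```

The `derive_key` function reproduces the published PBKDF2-HMAC-SHA1 test vectors from RFC 6070 (password "password", salt "salt"), which is a quick way to confirm a library's implementation before trusting it with a master password. Note that a 2014-era iteration count of 4,000 is on the low side by current guidance; the code is parameterized so the work factor can be raised as hardware gets faster.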
 
No. The victim is not to blame. I still can't believe the responses in this thread and the other one. A crime was committed against several individuals. Think about that.

You are one of those people who think people have no responsibility for protecting themselves or their property. There are very few completely, 100% innocent "victims". If you can do simple things to protect yourself and/or your property, you are obligated to do it, or you contributed in a small way to whatever happens to you. Doesn't mean a criminal doesn't get punished for the crime by taking advantage of your weakness. Just means you get a berating for being so stupid.

There's the fantasy world YOU want to believe in, where criminals don't commit crimes no matter how you tempt them, and the REAL world where you need to do whatever you reasonably can to avoid being victimized. Kind of like the law that says you have to mitigate damages, meaning if you can do something to minimize the monetary damage caused by someone defaulting on a contract, you are obligated to do so.

Calling out these people for having crappy passwords and putting nudes online in the first place might make other people NOT make the same mistake, and that's valuable to society as a whole.
 