Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[iososx]

Not only did Apple react extremely quickly, compared to their normal response time, they did a masterful job of spinning a story that fulfills the believers need to prove Apple is so perfect none of this is their responsibility. Very impressive.

However that said despite this being an open public forum, my honest opinion will likely draw the rath of the forum members and mods. Oh well you can't please them all, honesty is often unwelcome. The reward for participating can be getting labeled a troll. Rather discouraging.

 

[laurim]

And, strangely enough, people get mugged (and hacked) even when they *do* follow all those suggestions.

There's a pretty strong hint there, too. It's that it's not the victim's fault.

By that logic, I guess women can stroll down any street at 3 am completely naked and obliterated drunk and expect nothing bad to happen to them and if it does, it's absolutely not their fault in any way. Good to know. Not in any way a practical way to think but not everyone lives in the real world apparently.

----------

so if somebody broke into your home and murdered your family, it'd be your fault for not having a commercial steel door frame? hmm...

There's a difference between being a victim of crime where doing simple things could have avoided it and being a completely innocent victim where no easy fix could have prevented it. You need to work on your black and white style of thinking. there are all sorts of shades of grey in between you are missing.

----------

What's your source on that? Brute force could be one possibility but so are others like security questions.



You come to that conclusion based on what? That line in the read me just says that Apple fixed it, not that it was used in this case. Seems like you're jumping to conclusions.



So "weak" is somehow equivalent to "not commercial steel"? Stretching.

There are probably users of iCloud and many other sites with passwords like "password" and "12345". That's the equivalent of leaving your door not just unlocked but sitting wide open.

Not just wide open. Since they are female celebrities it's like having a pile of money in front of the open door with a spotlight shining on it.

----------

So if you have something that is easy for someone to steal, then you are fine with the thief getting away with it.

I doubt you would be that forgiving if you where the one being violated.

If I had something stolen and I knew I left it vulnerable, I would be mad AND kick myself for leaving it vulnerable and wouldn't do that ever again. That's all people here are saying. Learn from your mistakes and take some personal responsibility when bad things happen to you that you could have taken simple steps to avoid.

 

[laurim]

On the positive side, this story made me turn on two-factor security on my AppleID. So it wasn't a total waste.

 

[Analog Kid]

"If you don't lock your doors, you're to blame just as much as the thief who walks in the unlocked door."

Yes you are to blame, that doesn't mean you get jail time or the thief would get less jailtime. Don't confuse blame with punishment.

This kind of thinking makes me crazy. How much must good people do to not be blamed for bad actions against them?

You blame the source of the problem-- the problem is theft. Nobody should have to lock their doors. You may say leaving your doors unlocked in this day and age is naive, but it's not their fault they were robbed.

If they lock their doors, but the window is broken, is it their fault for not having bars over their windows? If the bars are cut, is it their fault for not using stronger steel? If the home is breached by tunneling under the foundation, is it their fault for not reinforcing their floor?

In short: whatever the offense, is it the victims fault for not anticipating the attack and having slightly greater security? Where do you draw the line on blame? Is it coincidentally at the same level of precaution you happen to take for yourself?

By that logic, I guess women can stroll down any street at 3 am completely naked and obliterated drunk and expect nothing bad to happen to them and if it does, it's absolutely not their fault in any way. Good to know.
There's a difference between being a victim of crime where doing simple things could have avoided it and being a completely innocent victim where no easy fix could have prevented it. You need to work on your black and white style of thinking. there are all sorts of shades of grey in between you are missing.

There is a difference between expecting something bad to happen and assigning blame.

She has the right to walk where she pleases without fear. If someone violates that right, they are completely at fault. I'm well aware of the imperfections of the world, and I wouldn't council any woman I know to do such a thing, but I wouldn't blame them for the consequences.

Where is the line? If she were clothed and sober at 3am would it be her fault? If it were 11pm? 10pm? 9:30? Dusk but not dark? An eclipse? Do you know what fixes you'd consider easy before the situation occurs?

Good people are not at fault for bad actions against them. Society must be black and white on these points. It is the concept of laws. The grey is in the definition of good and bad.

There are cultures where a woman can not leave home without being fully covered head to toe and attended by a male relative. Their laws are structured in this way, and she is held to blame if she behaves any other way.

That is not my culture. In parts of my culture public nudity and public drunkenness are forbidden, but these norms are enforced by the State, and not left to individual. Individuals are not license to do her harm, and she is not to blame for harm that comes to her.

There are situations where bad people are held to blame for bad things happening to them-- self defense laws and "fighting words" come to mind, but that's a different situation.

 

[firewood]

http://xkcd.com/936/
I think he's miscalculating entropy here though. Dictionary words don't have the same level of entropy as random digits.

A thousand word dictionary has almost 10 bits of entropy per randomly chosen word, 2k words, 11 bits. Most dictionaries have a lot more than 10k words, a high percentage common enough to remember as part of a really stupid picture story. 4 unrelated easy words randomly chosen might easily have 44 bits or more of entropy. Throw darts at Oxfords unabridged for even more entropy.

 

[C DM]

Not only did Apple react extremely quickly, compared to their normal response time, they did a masterful job of spinning a story that fulfills the believers need to prove Apple is so perfect none of this is their responsibility. Very impressive.

However that said despite this being an open public forum, my honest opinion will likely draw the rath of the forum members and mods. Oh well you can't please them all, honesty is often unwelcome. The reward for participating can be getting labeled a troll. Rather discouraging.

It's an interesting opinion, just not much to back it up beyond it being "interesting" essentially.

 

[dampfnudel]

All looks and no brains...

Brains enough to make a lot of money...or maybe it's a combination of knowing the right people and luck, I don't know.

Two step authentication ftw

Yeah, I have a strong password, but decided a while back to use the two step verification...just in case.

 

[Tech198]

Not to be takin as a follow up...

FYI : Don't use passwords from this thread

 

[iBug2]

This kind of thinking makes me crazy. How much must good people do to not be blamed for bad actions against them?

As much as society expects of them. Simple.

You blame the source of the problem-- the problem is theft. Nobody should have to lock their doors. You may say leaving your doors unlocked in this day and age is naive, but it's not their fault they were robbed.

Yes it is. People are supposed to lock their doors. You should not invite robbers into your home either.

If they lock their doors, but the window is broken, is it their fault for not having bars over their windows? If the bars are cut, is it their fault for not using stronger steel? If the home is breached by tunneling under the foundation, is it their fault for not reinforcing their floor?

No. At some point enough is enough. The value of the target has to match your security. If you have 1 billion dollars sitting in your home, a simple lock on your door is stupid. Similarly if you have nothing but a couch in your home, on which you are sleeping, I doubt you should bother with locking the door in the first place.

 

[iBug2]

Don't be so smug. The password managers are all trash according to this article ..

***p://www.darkreading.com/risk-management/security-fail-apple-ios-password-managers/d/d-id/1103401?

The sole exception they found in testing a sample of popular apps was Strip Lite, a free password manager from Zetetic. Strip Lite computes an encryption key using 4,000 iterations of PBKDF2-SHA1, together with a per-database salt (random bits). All this makes it very difficult to crack the password it generates, which means that the app does a good job of securing passwords.

One positive is that it says - The security situation improved with the iPhone 4S, the iPad 2, and the new iPad, because all password-cracking attempts must be done on the device itself. This greatly slows attackers because "there are no publicly available exploits that can be utilized to recover the passcode," according to Belenko.

He also says this - Belenko said that he himself had been using 1Password Pro, which may be the most-installed password manager for Apple iOS. But he ceased using it after testing the application's cryptography. "When we recovered my master password in five seconds? That was a moment," he said.

Good luck with 1Password..

Maybe you should check this

http://blog.agilebits.com/2012/03/16/strong-security-requires-strong-passwords/

What you posted is an old article. Many of those password wallets seem to have updated their security since then.

 

[brianbunge]

With respect, your daughter didn't really get 'hacked' if the teenagers simply logged into their Facebook account.

They changed her iCloud password, most of her social media passwords and deleted her entire Instagram account including pictures of a friend who had passed away and sent out porn to every one of her twitter followers.

----------

Haven't read the whole thread yet but did you hold the culprits accountable?

My wife finally got them to confess by posting on our daughter's accounts saying if they didn't come forward that she would contact the police and the school. The girl's mother was horrified. The boy's mother is a local police officer and she just tried to spin it back on our daughter, saying she had started things or some such nonsense. The girl's mother warned us that the other mom would be a problem and that she gets her son out of trouble all the time. Basically he's a POS who is going to one day get into enough trouble that she can't get him out of.

 

[samcraig]

You are one of those people who think people have no responsibility for protecting themselves or their property. There are very few completely, 100% innocent "victims". If you can do simple things to protect yourself and/or your property, you are obligated to do it or you contributed in a small way to whatever happens to you. Doesn't mean a criminal doesn't get punished for the crime by taking advantage of your weakness. Just means you get a berating for being so stupid. There's the fantasy world YOU want to believe in, where criminals don't commit crimes no matter how you tempt them and the REAL world where you need to do whatever you reasonable can to avoid being victimized. Kind of like the law that says you have to mitigate damages, meaning if you can do something to minimize the monetary damage caused by someone defaulting on a contract you are obligated to do so. Calling out these people for having crappy passwords and putting nudes online in the first place might make other people NOT make the same mistake and that's valuable to society as a whole.

Actually - you have no idea who I am or what I believe. You can't possibly make the assumptions and assertions you've laid out.

----------

If I had something stolen and I knew I left it vulnerable, I would be mad AND kick myself for leaving it vulnerable and wouldn't do that ever again. That's all people here are saying. Learn from your mistakes and take some personal responsibility when bad things happen to you that you could have taken simple steps to avoid.

Newsflash - that's NOT all people are here saying. Clearly you aren't paying attention.

 

[Analog Kid]

As much as society expects of them. Simple.

Yes it is. People are supposed to lock their doors. You should not invite robbers into your home either.

No. At some point enough is enough. The value of the target has to match your security. If you have 1 billion dollars sitting in your home, a simple lock on your door is stupid. Similarly if you have nothing but a couch in your home, on which you are sleeping, I doubt you should bother with locking the door in the first place.

Basically arbitrary criteria focused on absurd extremes, though I find it interesting that you don't place enough value on the safety of the person with nothing but a couch to even recommend locking the door.

If society felt that strong passwords or door locks were the responsibility of each of us, it would be codified in law. Instead, it is a pragmatic step most of us take because it simplifies our lives-- not because it is our moral duty.

What you're laying out is a recipe for apathy and decline. Apathy because arbitrary criteria allow each of us who aren't victims to sit back in our arm chairs and say "eh, they had it coming, why should I get upset."

Decline because criminals know that if they break into a home with a simple lock they'll retain some of society's sympathy. Once society gets used to simple locks being insufficient, they'll expect we use stronger ones before apportioning full blame to the criminal.

 

[samcraig]

Basically arbitrary criteria focused on absurd extremes, though I find it interesting that you don't place enough value on the safety of the person with nothing but a couch to even recommend locking the door.

If society felt that strong passwords or door locks were the responsibility of each of us, it would be codified in law. Instead, it is a pragmatic step most of us take because it simplifies our lives-- not because it is our moral duty.

What you're laying out is a recipe for apathy and decline. Apathy because arbitrary criteria allow each of us who aren't victims to sit back in our arm chairs and say "eh, they had it coming, why should I get upset."

Decline because criminals know that if they break into a home with a simple lock they'll retain some of society's sympathy. Once society gets used to simple locks being insufficient, they'll expect we use stronger ones before apportioning full blame to the criminal.

I bolded above because it relates to what I've said before. Too many people are focused on only one violation here. And that is the THEFT of someone's personal property. And then laying some/all the blame on the victim for not protecting it well enough. There's 2nd component to this - and that's the publication of the stolen images. I can't find a single reason why anyone would say that someone deserved that, should have known better, shouldn't have taken the photos, or anything other than the fact that they are clearly a victim.

 

[Sdashiki]

Over 600 posts and I would guess myself that over 2/3 of the people who commented never even saw any of the photos.

I have...and let me tell you...some are ambiguous, some are definitely not.

Jennifer Lawrence...yikes, I feel so bad for you allowing someone to take photos of you like that. And Im not saying "taking naked photos is whorish or stupid" but when you straight up make HARDCORE (if youve seen them, you know what I mean) sexting part of your repertoire with your significant other you ought to take a little more care about where they end up.

Playing dumb with how your tech works is no excuse. Come on. Its some NASTY shizz in some of these photos and as the shutter went click the person in the photo didnt go "Hey, where is this gonna end up?"

 

[iBug2]

Basically arbitrary criteria focused on absurd extremes, though I find it interesting that you don't place enough value on the safety of the person with nothing but a couch to even recommend locking the door.

Because the example was about robbers, not murderers.

If society felt that strong passwords or door locks were the responsibility of each of us, it would be codified in law. Instead, it is a pragmatic step most of us take because it simplifies our lives-- not because it is our moral duty.

It's more than a pragmatic step. The insurance companies won't pay after a robbery you if you left your door open. It's called personal responsibility and common sense.

And I don't think it's true that if society expects something from us it would be codified in law. Society expects you to drink responsibly but there's no law saying that you can't fry your liver by drinking heavily. People are allowed to act on ways that are self destructive. It's called freedom.

Decline because criminals know that if they break into a home with a simple lock they'll retain some of society's sympathy.

How do you figure? A criminal is a criminal whether he gets into a house through an open door, or through 10 deadbolt locks. The crime (well in this case it's either entering or breaking/entering but you get the point) is the same and he/she has no sympathy from me in any case and I'd stay away from people who'd actually have sympathy for a criminal.

The victim not doing what's necessary does not diminish the guilt of the criminal at all. But in this case, if the example would be walking into a house or breaking into a house, the crime and the punishment is different. So even the law differentiates between making it too easy for a criminal and taking some security measures. But that's the law, I'd say punish the criminal the same way in both cases.

 

[bozzykid]

Not only did Apple react extremely quickly, compared to their normal response time, they did a masterful job of spinning a story that fulfills the believers need to prove Apple is so perfect none of this is their responsibility. Very impressive.

Apple's response will get lost in the noise for most people. Most people don't care about details. All they hear is iCloud was hacked and let anyone access these celebrities photos. Even with their response, more and more is coming out that is showing Apple's security is not as tight as even Apple thought. In that sense, Apple's response may come back to haunt them.

 

[samcraig]

Apple's response will get lost in the noise for most people. Most people don't care about details. All they hear is iCloud was hacked and let anyone access these celebrities photos. Even with their response, more and more is coming out that is showing Apple's security is not as tight as even Apple thought. In that sense, Apple's response may come back to haunt them.

Which is exactly the press they don't need right now as they get ready to launch the iphone 6 which will no doubt be heavily "invested" in the cloud.

 

[laurim]

Actually - you have no idea who I am or what I believe. You can't possibly make the assumptions and assertions you've laid out.

----------



Newsflash - that's NOT all people are here saying. Clearly you aren't paying attention.

If that's not what you believe, then say something different that illustrates that because I can only base my impression of you on what you say here. And I guess you are being pedantic when you purposely misunderstand that I meant all people on here who want these victims to take some personal accountability for their share of their situation.

----------

There is a difference between expecting something bad to happen and assigning blame.

She has the right to walk where she pleases without fear. If someone violates that right, they are completely at fault. I'm well aware of the imperfections of the world, and I wouldn't council any woman I know to do such a thing, but I wouldn't blame them for the consequences.

Where is the line? If she were clothed and sober at 3am would it be her fault? If it were 11pm? 10pm? 9:30? Dusk but not dark? An eclipse? Do you know what fixes you'd consider easy before the situation occurs?

Good people are not at fault for bad actions against them. Society must be black and white on these points. It is the concept of laws. The grey is in the definition of good and bad.

There are cultures where a woman can not leave home without being fully covered head to toe and attended by a male relative. Their laws are structured in this way, and she is held to blame if she behaves any other way.

That is not my culture. In parts of my culture public nudity and public drunkenness are forbidden, but these norms are enforced by the State, and not left to individual. Individuals are not license to do her harm, and she is not to blame for harm that comes to her.

There are situations where bad people are held to blame for bad things happening to them-- self defense laws and "fighting words" come to mind, but that's a different situation.

What you are labeling as "blaming the victim" I am calling "learning how to protect yourself BEFORE something bad happens". We can't give this kind of advice without someone like you calling it "blaming the victim" so there can't be any simple way to help people avoid being victims. Is what you are doing really helpful to people? What you are doing is protecting people AFTER they have been victimized, when it's too late and doesn't really matter much in the scheme of things. What I am doing is protecting people as much as one can BEFORE they are victimized. Which is better? Which would YOU prefer if you were vulnerable? You shouldn't require laws to force you to protect yourself. Talk about having a nanny state. How purposely weak are you?

You also seem to be one of those annoying types of people who always posts about theoretical worlds that don't actually exist. I am a logical person living in a real world where most people don't always act the way they "should". Your discussions of a theoretical utopia is of no real value to me. Millions of people continue to get violated while you go on and on about how people just aren't supposed to commit crimes against them. Who cares what criminals "should" do. Let's concentrate on what they DO do and avoid it when we can.

P.S. Most people can separate in their minds the ideas of people protecting themselves and criminals being punished. The two aren't mutually exclusive.

 

[samcraig]

If that's not what you believe, then say something different that illustrates that because I can only base my impression of you on what you say here. And I guess you are being pedantic when you purposely misunderstand that I meant all people on here who want these victims to take some personal accountability for their share of their situation.

----------



What you are labeling as "blaming the victim" I am calling "learning how to protect yourself BEFORE something bad happens". We can't give this kind of advice without someone like you calling it "blaming the victim" so there can't be any simple way to help people avoid being victims. Is what you are doing really helpful to people? What you are doing is protecting people AFTER they have been victimized, when it's too late and doesn't really matter much in the scheme of things. What I am doing is protecting people as much as one can BEFORE they are victimized. Which is better? Which would YOU prefer if you were vulnerable?

P.S. Most people can separate in their minds the ideas of people protecting themselves and criminals being punished. The two aren't mutually exclusive.

You seem to want to put the onus on the potential victim however. The onus should also be on the perpetrator. Meaning - That we, as a society should not tolerate or encourage such behaviors. Idealistic - perhaps but as I said earlier and in another thread - these pictures were posted - and subsequently downloaded/clicked on/etc because there are those that think this is acceptable behavior. You want an educational process for people to not be victimized. Fine. You should also advocate for an educational process to make sure people understand WHY this behavior is not acceptable.

 

[Carlanga]

Oh? So what did they say?

you can re-read apples' statement.

 

[laurim]

You seem to want to put the onus on the potential victim however. The onus should also be on the perpetrator. Meaning - That we, as a society should not tolerate or encourage such behaviors. Idealistic - perhaps but as I said earlier and in another thread - these pictures were posted - and subsequently downloaded/clicked on/etc because there are those that think this is acceptable behavior. You want an educational process for people to not be victimized. Fine. You should also advocate for an educational process to make sure people understand WHY this behavior is not acceptable.

Where in ANYTHING I said did I say the criminals get a free pass from me? You really don't understand what I and others have been saying. We aren't condoning in any way what the criminals did. We hate it and they should be punished for it. We ALSO believe that people are obligated to do basic things to protect themselves because if they do, it makes it harder for criminals to commit crimes and maybe they will give up on trying to commit them. BOTH concepts true at the same time. Try it.

P.S. I hate people who pirate movies. They should know that that is wrong and not do it. I also applaud copyright owners who have been victimized to go after people who do it to make it unattractive to steal movies. How about you?

 

[AGKyle]

Don't be so smug. The password managers are all trash according to this article ..

***p://www.darkreading.com/risk-management/security-fail-apple-ios-password-managers/d/d-id/1103401?

The sole exception they found in testing a sample of popular apps was Strip Lite, a free password manager from Zetetic. Strip Lite computes an encryption key using 4,000 iterations of PBKDF2-SHA1, together with a per-database salt (random bits). All this makes it very difficult to crack the password it generates, which means that the app does a good job of securing passwords.

One positive is that it says - The security situation improved with the iPhone 4S, the iPad 2, and the new iPad, because all password-cracking attempts must be done on the device itself. This greatly slows attackers because "there are no publicly available exploits that can be utilized to recover the passcode," according to Belenko.

He also says this - Belenko said that he himself had been using 1Password Pro, which may be the most-installed password manager for Apple iOS. But he ceased using it after testing the application's cryptography. "When we recovered my master password in five seconds? That was a moment," he said.

Good luck with 1Password..

Hi there, friendly neighborhood 1Password support here

I want to point out that the article you link to was written in 2012, nearly two and a half years ago. A lot has changed since then, particularly since the article you link to discusses 1Password 3 for iOS and not the new 1Password 4 for iOS.

Absolutely none of that article applies to 1Password 4 for Mac or iOS. The entirety of the encryption side of things has changed.

When this article was published we posted a blog article about it, you can read that here:

http://blog.agilebits.com/2012/03/16/strong-security-requires-strong-passwords/

and

http://blog.agilebits.com/2012/03/30/the-abcs-of-xry-not-so-simple-passcodes/

Then we followed up with some improvements to 1Password 3 to help protect your data, the announcement was here:

http://blog.agilebits.com/2012/04/09/1password-ios-pbkdf2-goodness/

I'd suggest reading those as they talk about a lot of details in that Elcomsoft report that aren't super obvious in their report. Though, once again, none of it applies to 1Password 4.

If you have any questions I'd be happy to discuss with you or you can contact us directly via email and I'll let you discuss with our security expert who will happily explain anything you might want to know about how 1Password works from a security perspective.

 

[scrubmilk]

no ****, nerds

 

[bpeeps]

Basically arbitrary criteria focused on absurd extremes, though I find it interesting that you don't place enough value on the safety of the person with nothing but a couch to even recommend locking the door.

If society felt that strong passwords or door locks were the responsibility of each of us, it would be codified in law. Instead, it is a pragmatic step most of us take because it simplifies our lives-- not because it is our moral duty.

What you're laying out is a recipe for apathy and decline. Apathy because arbitrary criteria allow each of us who aren't victims to sit back in our arm chairs and say "eh, they had it coming, why should I get upset."

Decline because criminals know that if they break into a home with a simple lock they'll retain some of society's sympathy. Once society gets used to simple locks being insufficient, they'll expect we use stronger ones before apportioning full blame to the criminal.

This is a good post and I hope you feel good about it.