Celebrity iCloud Accounts Compromised by Weak Passwords, Not iCloud Breach

[pdqgp]

What directions? Unless people actively search for knowledgebase articles on Apple's support site, all they see is this: "Automatically backup your camera roll, accounts, documents and settings when this iPhone is plugged in, and connected to Wifi". How many persons on the street do you think understand that they are opening themselves up to security risks by using this function?

Really? I found this with one simple search of how to back up an iPhone.
http://support.apple.com/kb/HT1766

Besides, when you set up a new phone or iPad you're given a choice. If people on the streets don't understand then I think it would serve them well to do a bit of reading or perhaps even make a phone call to support if they are really the inept. Again, if my wife can do it then it's pretty simple.

And T&C? Are you kidding?

Not at all. In light of what just happened as it relates to this hacking incident don't you think more people should actually READ what it is they are signing up to use? Again, back to putting that blame on these "victims" which is growing harder to use as a term when comments like this get put out there.

Who reads pages after pages of smallprint legalese when setting up an exiting new toy?

Someone needs to tell these ladies that their lack of reading and understanding of their new "toy" just caused them to put highly sensitive information in a very compromising situation.

I bet many average users don't even realize that their phone is uploading files in the background.

that's entirely on them not Apple or heck, even the bad guys. where that's true they are entirely to blame.

I don't buy the notion that Apple shares no responsibility in keeping their users' information safe, especially since they try to push people into using cloud services at every opportunity.

I don't buy the notion that users have no role to play in reading and understanding what the heck they are doing with their data! Are you kidding me!! Sounds like people are holding Apple to a level of expectations that much higher than what they are willing to hold themselves too and it's their data! WOW! Just WOW! You're right....I have no role at all in securing my own personal sensitive data, it's all on Apple or Google or others, but certainly not me.

As regrettable as this incident is, I'm glad that they will now finally be forced to make improvements in this area.

Hopefully it will wake up the knuckleheads that have no idea what they are doing with their own data.

 

[laurim]

Right, but I don't know why some people here keep shifting blame back to the users when clearly there is stuff that Apple was at fault. I agree the user shares responsibility, but Apple does too.

----------



You tell me, should I trust Apple? Apple "suggested" it was not a factor, but the investigation is still ongoing.

Right, so instead of saying Apple is at fault, we should wait. The other players in the equation still did what they did to contribute to the situation so that doesn't change.

----------

I don't buy the notion that users have no role to play in reading and understanding what the heck they are doing with their data! Are you kidding me!! Sounds like people are holding Apple to a level of expectations that much higher than what they are willing to hold themselves too and it's their data! WOW! Just WOW! You're right....I have no role at all in securing my own personal sensitive data, it's all on Apple or Google or others, but certainly not me.



Hopefully it will wake up the knuckleheads that have no idea what they are doing with their own data.

Maybe Apple should make us ok every single little thing we do with double passwords to protect us from ourselves and absolve us from any responsibility to think on our own. Every single picture upload gets an "Are you sure?" before it goes. Wouldn't THAT be convenient? Maybe an app that holds your hand and saves you from every dumb decision you could make. Like that app that makes you do math before you can send a drunk text.

 

[pdqgp]

100% agreed. The fact is Apple is not just pushing but in some cases forcing people to use iCloud without an alternative. There used to be usb sync for everything, now it's limited.

Like I said before, Apple is primarily at fault here. It's not just about nude pictures and recklessness; suppose these girls just took non-nude pictures, it'd be a breach an invasion of privacy nonetheless. And there is nothing the user can do, it's a vulnerability that Apple needs to fix.

It's absolutely about recklessness and in some ways selfishness on the part of these actors. What's the user to do? How about better educate themselves on the use of the service they opted into so that they can better protect their data and not put themselves at such a risk. There's work on both sides, but users don't get to just put their hands up in the air and not take responsibility. That's not how life works.

 

[trifid]

For reference from Wired.com:

Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices’ data. But Elcomsoft’s program seems to be the most popular among Anon-IB’s crowd, where it’s been used for months prior to the most current leaks, likely in cases where the hacker was able to obtain the target’s password through means other than iBrute. Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it alot easier if you have the password,” writes one hacker with the email address eppbripper@hush.ai. “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!”

The fact hackers have been advertising their services as “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!” suggests to me Apple has a disaster on their hands and should take iCloud backup offline until they fix whatever exploit or vulnerability in the system that makes it so easy to do if they haven't already done so.

 

[apolloa]

Maybe Apple should make us ok every single little thing we do with double passwords to protect us from ourselves and absolve us from any responsibility to think on our own. Every single picture upload gets an "Are you sure?" before it goes. Wouldn't THAT be convenient? Maybe an app that holds your hand and saves you from every dumb decision you could make. Like that app that makes you do math before you can send a drunk text.

Apple has a habit though of fooling it's customers to their benefit, for instance turning on by default the facility to buy IAP's with no password, which no doubt saw it raise rather a lot of money from it's 30% cut, and hence the law suite they have been found guilty off... yet people on here will still blame the customers and not Apple, even though when you get an iPhone it pretty much is sold on the premise you don't need to set anything up as Apple have done it all for you, you certainly don't get any instructions or guides with it.
And iCloud is based on the exact same premise.

 

[laurim]

Apple has a habit though of fooling it's customers to their benefit, for instance turning on by default the facility to buy IAP's with no password, which no doubt saw it raise rather a lot of money from it's 30% cut, and hence the law suite they have been found guilty off... yet people on here will still blame the customers and not Apple, even though when you get an iPhone it pretty much is sold on the premise you don't need to set anything up as Apple have done it all for you, you certainly don't get any instructions or guides with it.
And iCloud is based on the exact same premise.

What are you talking about? I have to set up everything the first time I use anything from Apple. Yeah, most people are braindead when they do it but that doesn't mean they aren't responsible for the decisions they make. At least Apple designed iPhones to require users to authorize access to things like a microphone or location as the need comes up and repeatedly unless you knowingly give a blanket ok in system preferences, in contrast to Android devices asking all permissions up front when the app is first used and when people are the most likely to just ok everything to get to the app. Apple's way is much more secure and makes people think about it more.

 

[C DM]

Right, but I don't know why some people here keep shifting blame back to the users when clearly there is stuff that Apple was at fault. I agree the user shares responsibility, but Apple does too.

----------



You tell me, should I trust Apple? Apple "suggested" it was not a factor, but the investigation is still ongoing.

Apple had a security issue, yes, but it hasn't been linked to this. So, yes, there's some Apple fault for having the security issue, or more for not addressing it as soon as possible, but it doesn't necessarily mean that all of this wouldn't have happened pretty much as it did. And if it did, would it still be Apple's fault? And would there still be some vulnerability that needs to be fixed?

 

[JesusQuintana]

It is a mystery why Apple has been singled out in this mess. Google and Dropbox, among others, had accounts compromised as well. This is an industry wide issue regarding the inherent weakness of username/password security, especially for celebrities whose lives are so public.

Normally hacking scandals involve one company having its systems compromised. Perhaps that is why people are fixating on Apple. Clearly, though, these photos were collected by numerous people in many different ways over several years. Saying that Apple is to blame because of the iBrute flaw shows a complete lack of understanding about the issue.

It is a good bet that most of the photos were not even acquired from hacking into someone's cloud account. Naked photos are typically sent to people (or taken on someone else's phone.) Sometimes those people become exes and those exes often share the photos to others.

What should have been a story about using caution regarding who you send naked photos to and being careful with your passwords instead morphed into an Apple PR nightmare.

 

[Tech198]

The fact hackers have been advertising their services as “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!” suggests to me Apple has a disaster on their hands and should take iCloud backup offline until they fix whatever exploit or vulnerability in the system that makes it so easy to do if they haven't already done so.

yep ... someone that is also offering the software to do this on a forum with instructions to help people with it also further states, that its proven that it works.

 

[twigman08]

One thing I learned a long time ago is that when the security question says Example: "What's your favorite food", you don't answer it with Pizza or something someone can eventually guess, you answer it completely off like "sky" or "green".

Also setting up 2-Step Verification on https://appleid.apple.com would help.

Pretty much what I do. I use the security questions as a way to give me like an extra password. My answers are pretty much as random as you can get, some are even setup like they're a password

 

[apolloa]

It is a mystery why Apple has been singled out in this mess. Google and Dropbox, among others, had accounts compromised as well.

Where did you read that?

 

[C DM]

For reference from Wired.com:

Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices’ data. But Elcomsoft’s program seems to be the most popular among Anon-IB’s crowd, where it’s been used for months prior to the most current leaks, likely in cases where the hacker was able to obtain the target’s password through means other than iBrute. Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it alot easier if you have the password,” writes one hacker with the email address eppbripper@hush.ai. “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!”

The fact hackers have been advertising their services as “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!” suggests to me Apple has a disaster on their hands and should take iCloud backup offline until they fix whatever exploit or vulnerability in the system that makes it so easy to do if they haven't already done so.

There is really no greater vulnerability than someone actually haviung your password--the problem is someone having your password, everything else is really secondary.

 

[Tech198]

umm.. the Heartbleed bug ?

 

[C DM]

Apple has a habit though of fooling it's customers to their benefit, for instance turning on by default the facility to buy IAP's with no password, which no doubt saw it raise rather a lot of money from it's 30% cut, and hence the law suite they have been found guilty off... yet people on here will still blame the customers and not Apple, even though when you get an iPhone it pretty much is sold on the premise you don't need to set anything up as Apple have done it all for you, you certainly don't get any instructions or guides with it.
And iCloud is based on the exact same premise.

Really? The manual is often on the phone or at least linked to on the phone. And even if it's not, plenty of information out there about the phone, OS, apps if one would care even just a bit to actually bother with it. But that's the problem people don't want to bother. But just because a lot of people are ignorant doesn't mean that that excuses anything. Real life doesn't work that way.

----------

Where did you read that?

Pretty much most of the actual informative/investigative articles about all of this.

 

[Tech198]

Really? The manual is often on the phone or at least linked to on the phone. And even if it's not, plenty of information out there about the phone, OS, apps if one would care even just a bit to actually bother with it. But that's the problem people don't want to bother. But just because a lot of people are ignorant doesn't mean that that excuses anything. Real life doesn't work that way.


----------

Pretty much most of the actual informative/investigative articles about all of this.

of course not, why would people bother when Apple has steered us all in the direction of "It just works"

 

[Rigby]

1)Turn photo stream off. 2) Don't use a camera phone to take sensitive photos. There. Not "nothing they could have done".

I hope you have turned off iCloud backups as well. Otherwise almost everything on your phone, including call lists, voice mails, location history, work documents in Goodreader, non-cloud notes etc. is up for grabs. And you will never even know if somebody accesses your cloud backup remotely. Can't happen to you because you are too smart to be a victim of phishing, keylogging and social engineering? Remember the "goto fail" bug, which made it e.g. very easy for hackers to intercept encrypted passwords using a man-in-the-middle attack on an open WLAN?

Also, it seems to me that people are quick to make moral judgments and shrug it off because in this case it was about actors and nudies. But it is a much bigger problem. People have all kinds of sensitive information on their devices these days. Private information or confidential work documents of all kinds are just as much at risk. Or how about being tracked or stalked via "Find my iPhone", which is also protected by nothing than a password?

 

[C DM]

of course not, why would people bother when Apple has steered us all in the direction of "It just works"

Because people have rational mind that they actually use? Why does it matter if someone simplifies something and makes it quick and easy and convenient to use, does that excuse people from suddenly knowing what they are dealing with and what they are doing? If someone actually thinks that's the case, well, the only answer to that is that they are wrong, it's as simple as that. Ignorance is not an excuse, no matter how much convenient it might seem.

 

[laurim]

Pretty much most of the actual informative/investigative articles about all of this.

yes, other sources have said that it's likely the photos came from several storage sites. But Apple is everyone's favorite scapegoat so they get most of the blame. Success can be a witch but I guess Apple fans can consider it a plus because if Apple wasn't so successful they wouldn't be such a popular target for blame.

 

[Tech198]

with hackers getting smarter (maybe that's now too late), we keep seeing (often via the hard way), that strong passwords are no longer really "just an option" anymore.

Despite Apple giving us a convenience.

 

[laurim]

I hope you have turned off iCloud backups as well. Otherwise almost everything on your phone, including call lists, voice mails, location history, work documents in Goodreader, non-cloud notes etc. is up for grabs. And you will never even know if somebody accesses your cloud backup remotely. Can't happen to you because you are too smart to be a victim of phishing, keylogging and social engineering? Remember the "goto fail" bug, which made it e.g. very easy for hackers to intercept encrypted passwords using a man-in-the-middle attack on an open WLAN?

Also, it seems to me that people are quick to make moral judgments and shrug it off because in this case it was about actors and nudies. But it is a much bigger problem. People have all kinds of sensitive information on their devices these days. Private information or confidential work documents of all kinds are just as much at risk. Or how about being tracked or stalked via "Find my iPhone", which is also protected by nothing than a password?

Actually, I protect myself by not putting anything sensitive there in the first place. My good stuff is saved onto physical drives that don't get backed up to the cloud. In password-protected folders as well. My general backups are done on Time Capsules as well. Very little I have goes to iCloud, which is why I have 4.3 gigs of my 5 gigs of iCloud space still available.

 

[C DM]

I hope you have turned off iCloud backups as well. Otherwise almost everything on your phone, including call lists, voice mails, location history, work documents in Goodreader, non-cloud notes etc. is up for grabs. And you will never even know if somebody accesses your cloud backup remotely. Can't happen to you because you are too smart to be a victim of phishing, keylogging and social engineering? Remember the "goto fail" bug, which made it e.g. very easy for hackers to intercept encrypted passwords using a man-in-the-middle attack on an open WLAN?

Also, it seems to me that people are quick to make moral judgments and shrug it off because in this case it was about actors and nudies. But it is a much bigger problem. People have all kinds of sensitive information on their devices these days. Private information or confidential work documents of all kinds are just as much at risk. Or how about being tracked or stalked via "Find my iPhone", which is also protected by nothing than a password?

People keep on trying to interpret what others are saying as something that's black or white and nothing else. There are parts that the users should be aware of and do and there are parts that the service providers should be aware of and do. Sometimes it's more of one than the other or vice versa. But because it's more of one doesn't mean that anything on the other end should suddenly be overlooked or not done.

 

[Tech198]

Actually, I protect myself by not putting anything sensitive there in the first place. My good stuff is saved onto physical drives that don't get backed up to the cloud. In password-protected folders as well.

I should really start using File Vault on my external drives.

 

[samcraig]

----------



I missed the post where someone said the people "deserved" what they got. Can you point it out to me? I don't think anyone here did. I certainly didn't.

Funny - you want to call out others for thinking so black and white. And here you are asking for someone to point out a literal post with the word deserved in it. Quite frankly - I'm not going to go post by post in this thread or the other to find your requirement. Suffice to say - there have been plenty of posts that suggest exactly that. That they deserved it.

 

[trifid]

The alleged patch that Apple did on Monday may not have been enough:

On Monday, iBrute creator Troshichev noted that Apple had released an update for Find My iPhone designed to fix the flaw exploited by iBrute. “The end of fun, Apple have just patched,” he wrote on Github. But Anon-IB users continued to discuss stealing data with iBrute in combination with EPPB on the forum Tuesday, suggesting that the fix has yet to be applied to all users, or that stolen credentials are still being used with Elcomsoft’s program to siphon new data. Apple didn’t immediately respond to WIRED’s request for further comment, though it says it’s still investigating the hack and working with law enforcement.

http://www.wired.com/2014/09/eppb-icloud/

 

[laurim]

Funny - you want to call out others for thinking so black and white. And here you are asking for someone to point out a literal post with the word deserved in it. Quite frankly - I'm not going to go post by post in this thread or the other to find your requirement. Suffice to say - there have been plenty of posts that suggest exactly that. That they deserved it.

If there are several, you can quote one. I didn't want a literal "they deserved what they got". I want a post that even implied they deserved to have their stuff stolen. NO ONE said that.

Noone claimed that they deserved what happened, just that they made it easier when they could have done more to prevent it. That's not "deserved", which implies punishment. People playing fast and loose with word definitions and what they "think" people meant is the primary problem with this thread. The very implication that people can be even a little responsible for bad things happening to them really trips out some people's minds.