Personal responsibility is the excuse that bad systems engineers use for their failed designs.

I don't see a failed design, I see a system that is pretty clear about how it's designed, including the risks. I see users who failed to use the system in a safe and responsible manner. In fact, the T&C's document that these people opted into and agreed to when using their phone makes it clear. It's already been noted that Apple has 2-factor, and while it could be enabled by default instead of optional, it's still the responsibility of the users to understand said options. They opted into iCloud; they need to opt into using it as safely as they can.

Here's a tip: if you're a sought-after female actor, don't degrade yourself and then host those pics/vids on a third-party site that can be hacked, leaving you even further exposed. What rock do these people live under to think it can't happen? Do they really not believe that it's more likely to happen to them vs just anyone?

They were forewarned and forearmed but made either a poor decision or a conscious one to put sensitive data on a third party site while knowing all too well they are "targets" of privacy invasions on a daily basis.

I'm quite sure not a day goes by that these ladies aren't pestered by paparazzi and well aware that people will do just about anything to not only get pics of them, but even more so to get such sensitive ones. How dumb could they be to have allowed themselves to be so exposed to such a thread...pun intended.

Anyone who uses an online site for financial transactions knows there are risks involved. If they're not comfortable with owning that fact and potentially dealing with a breach, then they need to opt out.

"But you were supposed to hold it right! It's YOUR fault, not mine!"

It's more like: you read the T&C's and you have a brain, so use it. Make informed decisions that you can live with when stuff goes wrong. Accept the role you play, because when nude pics and vids of you get exposed it's not just a crime that happened TO YOU, it's one that YOU enabled and it really happened BECAUSE of you. They made the goods available to be taken.

Look, I'm not condoning the actions/hacking of those that took these images but I'm not going to give these ladies a free-pass because they had a role in it too. A big role that hopefully serves as a wake up call to everyone.
 
Apple's iCloud has become the victim of its own success. The company has relentlessly pushed the idea that you don't need physical storage space, that everything should just be uploaded to iCloud. It's also pushed the idea that whatever is in your iCloud is completely private, secure, and, unlike a gmail account, not mined for data.

It's a shame that this has happened but it wouldn't have been such a PR disaster if Apple hadn't made so many claims about the magical, wonderful, secure iCloud.

iCloud is secure assuming you don't use commonly available answers for your "security" questions.

Alas the majority of the population is dumb as rocks when it comes to technology, and they don't realize that, so they use answers people could find anywhere. It's pretty easy to crack an account when all you need is the person's birthday and to answer two "security" questions. Then you answer a question like "What city were you born in?". You can find that **** on most people's Facebook page.


This isn't just an Apple problem. This is a fundamental flaw with the way almost the entire tech industry deals with passwords and security. "Security" questions to reset a password being one of the biggest flaws of them all.

Two factor authentication is a good start, but in reality we need to push development of non-password based authentication and security. Widespread adoption of technologies like TouchID or optical iris scanning would help big time.
 
It's not victim blaming, nor is it the same as murder. However, that said, if you don't have a plan to handle criminals during a home invasion while you or your family is home, including ways to escape and defend yourself and notify officials, then, yeah, you do have to sit back and ask yourself if there weren't perhaps more than a few things that could have prevented the horrible crime. BE PREPARED! That's on all of us because guess what.....bad guys exist and prey on those that are NOT prepared. They rarely go after the ones who are. These actors had zero plan, nor did they execute much in the way of protecting said valuables. What they did was equivalent to simply locking their front door and banking on that being the end-all, be-all of their protection. Wake-up call: bad guys don't often just unlock your door, and honestly you shouldn't be keeping such valuable data in such easy reach.

Actually, what happened here is the equivalent of someone leaving their purse or iPad on the front seat of a car while parked at a shopping mall, then crying foul because someone broke in and took their stuff.

I'm sorry, but these actors, or anyone who puts sensitive data on a third-party online site that clearly tells you "use at your own risk", are dumb. Take responsibility and don't leave said valuables outside your control.

The actors themselves, like purses and valuables, are targets. More so than the average person, and not being aware of how the technology they are using can potentially put them at risk is on them. They have a role to play here too. Are they victims? Sure, but just like anyone, they have a role to play in protecting their valuables.

You'd make a terrible designer.

I love how you people think the general public should be responsible for their security.

You people would make terrible designers, because you're clueless about human behavior.

You live in the dreamy world of "should" instead of the world of "does".

Good designers don't design around "should".
 
I don't see a failed design, I see a system that is pretty clear about how it's designed including the risks.

Allowing hackers to use brute force to guess passwords is a bad design. That type of protection was added to most systems 15-20 years ago. You don't let a user attempt to login a thousand times a minute. But some of Apple's servers did. In that sense, Apple's security failed miserably.
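The lockout the post describes, written out as an added example (it is not any poster's code and not Apple's implementation): a per-account sliding-window counter of failed logins that refuses further attempts for a lockout period, run over a constructed burst of roughly a thousand guesses a minute against one account.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60      # sliding window the failure counter looks at
MAX_FAILURES = 5         # failures allowed per window before the account locks
LOCKOUT_SECONDS = 900    # how long the account stays locked (15 minutes)


@dataclass
class LoginGuard:
    """Tracks failed logins per account and refuses attempts during lockout.

    Counting is keyed on the account name, not the client IP, so an attacker
    rotating source addresses still runs into the same limit.
    """
    failures: dict = field(default_factory=dict)      # account -> deque of fail times
    locked_until: dict = field(default_factory=dict)  # account -> unlock timestamp

    def _recent_failures(self, account: str, now: float) -> deque:
        q = self.failures.setdefault(account, deque())
        while q and now - q[0] > WINDOW_SECONDS:      # drop failures outside the window
            q.popleft()
        return q

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'failed' or 'ok' for one login attempt made at `now`."""
        if self.locked_until.get(account, 0.0) > now:
            return "locked"          # refused before the password is even checked
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        q = self._recent_failures(account, now)
        q.append(now)
        if len(q) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
        return "failed"


def simulate_burst(attempts: int, per_second: float) -> dict:
    """Constructed scenario: `attempts` wrong passwords against one account at
    `per_second` guesses per second, then the real owner logging in afterwards.
    Returns how many guesses were actually evaluated versus refused outright."""
    guard = LoginGuard()
    evaluated = refused = 0
    t = 1000.0                                        # constructed start time
    for _ in range(attempts):
        if guard.attempt("victim@example.com", password_ok=False, now=t) == "locked":
            refused += 1
        else:
            evaluated += 1
        t += 1.0 / per_second
    # The lockout also blocks the legitimate owner while it lasts: that is the
    # usability cost of the control, and why it is time-limited rather than permanent.
    owner_during = guard.attempt("victim@example.com", password_ok=True, now=t)
    owner_after = guard.attempt("victim@example.com", password_ok=True,
                                now=t + LOCKOUT_SECONDS)
    return {"evaluated": evaluated, "refused": refused,
            "owner_during_lockout": owner_during, "owner_after_lockout": owner_after}


if __name__ == "__main__":
    print(simulate_burst(attempts=1000, per_second=1000 / 60))
```

Only the first five guesses reach the password check; the remaining 995 are dropped without being evaluated, which is also the point at which a service should alert on the account.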
 
I love how you people think the general public should be responsible for their security.

You people would make terrible designers, because you're clueless about human behavior.

You live in the dreamy world of "should" instead of the world of "does".

Good designers don't design around "should".

Right. You have anything to say other than attacking the messenger over a straw man? I mean ****, did you even read my post?

Nowhere did I say the general public should be responsible for security. The entire industry is flawed when it comes to password authentication, especially recovery of "forgotten" passwords. You see these same security methods on almost every website. The industry gives these "hackers" the tools to make it easy to crack these accounts if you know a little bit of info about the person.

me said:
This isn't just an Apple problem. This is a fundamental flaw with the way almost the entire tech industry deals with passwords and security.
 
Said this years ago when cloud computing was gaining speed. IT'S NOT SAFE! None of it is secure. Why would you trust someone else with your data? The first thing I did when I got my iPhone was to shut iCloud off.
 
You'd make a terrible designer.
I love how you people think the general public should be responsible for their security. You people would make terrible designers, because you're clueless about human behavior.

The irony is that I teach self defense, have over 20 years of military service, and design systems around the physical safety of people. I understand quite well what motivates the bad guys, deeply understand human behavior, and hold a very high regard for one's personal role in protecting oneself.

Anyone who goes around thinking others will protect them and look out for their best interests is the one living in a dreamy world. They are exact targets for such criminal behavior.

Good designers don't design around "should".

You're right, we design around what "could" happen, and in this case, these celebrities were typical sheeple who live in lala land thinking the systems they use should be fool-proof (pun intended) instead of thinking about what "could" happen to the information they left less than fully protected.

----------

Allowing hackers to use brute force to guess passwords is a bad design. That type of protection was added to most systems 15-20 years ago. You don't let a user attempt to login a thousand times a minute. But some of Apple's servers did. In that sense, Apple's security failed miserably.

I follow you 100%. Agree too. However, just the same, people rely on a simple deadbolt lock or a series of locks to protect their front door while, all along, I can get through just about ANY lock in a matter of just a minute.

That said, do you keep your most valuable and prized items behind a simple front door whose security has been proven over and over again to be unsafe, or are you more aware and take precautions?

These movie stars may as well have put a hard drive of nude videos on the front seat of their car with a sign on it that said "take me". Again, what rock do people live under to not know that sensitive nude pics are not safe on a third-party cloud site, or that a front door with a deadbolt is not anywhere near a sure-fire means of protecting your family?

You may be right that the Apple system is flawed, leaving users vulnerable, but really? Very high-profile, high-value targets like these actors, who have 10x the security and safeguards of the average person, thought it was a good idea to put sensitive nude pics and vids on iCloud? Am I really supposed to be sad that they took zero effort and instead made themselves an easy target? WOW!

If you ride a motorcycle, you take risks, but you also should be taking precautions to minimize the damage of what "could" happen. We all have a role in our own personal security, including that of protecting our most sensitive data.
 
I need all my devices to log in without any kinds of password, but only I should be able to log in, and also I need them to make me some grilled cheese. If this is not possible, tech has failed me. :apple:
 
Just tried the step suggested by these guys.

Well, the security questions are really dumb! I entered an e-mail address of a friend and entered the birthday. Then I was asked: what is your hometown? WTF everybody knows this guy's hometown! :eek: I didn't go any further but it made me very worried about my security questions. I'd better enter some password like stuff in the answer fields.

Spot on. How to do this properly:

1. Go to http://passwordsgenerator.net.
2. Leave default settings.
3. Generate a LONG password. 24, 32 characters... whatever.
4. Go to Apple and change your password to something like: gYA8n}xB=Vvkqh&G>a^$tt]]
5. Save password locally with a good password manager. I personally use and love 1Password. Expensive for some, cheap for me, considering what it does for you. (Not to mention once iOS8 comes out...). (With 1Password it can even generate your passwords for you, so you don't need to go do it somewhere online).
6. Then select 3 new security questions and change them to:
Q: What's your dog's name?
A: T#y"{7>XBHqQ%%nvv%J7xmB'

Q: What's your home town?
A: .T~Y&w+[U@PL>Rxh2n!zZ";\

Q: What was your first car?
A: /SKmdG:BG[([eJ)A"W36MS!x
 
Interesting timing with Apple about to come out with a mobile payments system.

That and what is looking like their biggest announcement since the iPhone launch. Like any major scandal, look who is benefitting the most and you will find the mastermind.
 
Spot on. How to do this properly:

1. Go to http://passwordsgenerator.net.
2. Leave default settings.
3. Generate a LONG password. 24, 32 characters... whatever.
4. Go to Apple and change your password to something like: gYA8n}xB=Vvkqh&G>a^$tt]]
5. Save password locally with a good password manager. I personally use and love 1Password. Expensive for some, cheap for me, considering what it does for you. (Not to mention once iOS8 comes out...). (With 1Password it can even generate your passwords for you, so you don't need to go do it somewhere online).
6. Then select 3 new security questions and change them to:
Q: What's your dog's name?
A: T#y"{7>XBHqQ%%nvv%J7xmB'

Q: What's your home town?
A: .T~Y&w+[U@PL>Rxh2n!zZ";\

Q: What was your first car?
A: /SKmdG:BG[([eJ)A"W36MS!x

Gee, what's wrong with the 2-step verification? Never liked the security questions idea. If someone tries to force-login, getting a text message puts me on alert.
 
Simply not true. You can download iCloud backups if you have the email and password. That is the problem. The whole point of 2-factor authentication is if someone gets your username and password, they still couldn't access your information. In this case, Apple doesn't require 2-factor authentication which seems to be a huge problem since what you can access without it is your entire iCloud backup.

Yes, your scenario is preferable.

In the case at hand, though, the "hackers" were not in possession of passwords, and were not brute forcing passwords or otherwise guessing them. They were using password reset, which WOULD BE stopped by Apple's existing 2-factor authentication regime.

----------

But there still is an inherent flaw with iCloud in that it can be brute forced.

how?

----------

So in conclusion, we need to

1) enable 2-step verification - I guess not many people know how to do that because it involves going to the Apple ID management website

2) turn off iCloud backup and back up manually through iTunes.

Absolutely.

----------


That article, or your interpretation of it, are incorrect IN THIS PARTICULAR INSTANCE.

Two-factor authentication WOULD have stopped the people on AnonIB from resetting passwords, which would have stopped them from getting photo stream or iCloud backup info.

It would NOT stop them if they ALREADY had the passwords. But that is a different problem.
 
It might be 'better' from a security point of view, but one of the major reasons for iPhone backups is warranty replacements, which would not be trusted devices. And in some cases the trusted device is totally non-operational, thus mucking up the owner getting their stuff back efficiently, especially if they need a trusted iPhone to make the new iPhone trusted.

The answer there is pretty obvious.
1) Set up more than one trusted device, and take that with you when you get your iPhone replaced.
2) Store your recovery code somewhere secure. (Just because you had to have a warranty replacement of your iPhone doesn't mean you can't wait to set it up until you get home to your recovery code.)

Actually, they wouldn't have access to 'all of their info'. Perhaps their Apple ID email, but not necessarily everything else. It's more likely the emails got out from a well-meaning but stupid family member, a disgruntled assistant or boyfriend, etc.

This is, according to one convicted 'revenge porn' site operator, exactly the case. A significant amount of it is done by hackers, but the vast majority is someone posting images to get 'revenge' against someone they feel has 'slighted' them in some fashion.

The headline implies that the hackers used special software created for law enforcement for the hack. But in fact there are ways of doing it that don't need that software, and there is no proof it was a part of the scheme.

Exactly.

You aren't forced to. You can totally choose to never sign into iCloud.

Completely true.
 
Sites such as techcrunch are mimicking what's been written here: that 2FA would not have stopped this attack. But, I feel pretty sure trevorbsmith has laid it out correctly. 2FA would stop such an attack insofar as the hackers are just using social engineering to find answers to your security questions... which is what it sounds like they were probably doing.

If that's not right, can anyone explain why?

You are correct.

This can be confirmed by reading the actual anonib posts where they detail exactly how they "hack" accounts (by figuring out answers to password reset security questions, then resetting the password).

I hesitate to even call it social engineering though, because technically speaking social engineering should involve actually tricking someone into revealing info that allows you to log in. In this case, they were just reading publicly available knowledge and putting it into a web form.

It's like the authentication token for apple ID (and most web sites on the 'net) is EITHER:

1. a combination of:
e-mail address
and
password

OR

2. a combination of:
e-mail address
and
the answers to security questions

People are generally not dumb enough to post their passwords online. But we all let our e-mail addresses slip out. Unfortunately, we often also let enough personal info slip out that the answers to security questions are ALSO posted online, so scenario 2 means that we have essentially posted online the complete info needed to authenticate us for anyone with a little time on his hands to use.

This is dumb. It has been dumb for decades. The solution is not to expect lazy users to be smart. The solution is for companies to NOT authenticate people using only info like that.

For one thing, it makes it very hard to have a "unique" authentication, if you can authenticate at every web site using your e-mail address (same regardless of site) and answers to personal questions (same regardless of site, if they ask the same questions).

For another thing, it makes it too easy to find out the info.
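The two authentication paths this post describes, modelled as an added example (not any poster's code and not how Apple's service is built): path 1 is e-mail plus password, path 2 is e-mail plus security answers, and the variant with a trusted-device code shows why gating the reset on a second factor closes path 2 to someone who only knows public facts. The account, questions and answers are constructed; the trusted-device code stands in for whatever a real second factor delivers.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _hash(value: str, salt: bytes) -> bytes:
    # Illustrative salted hash; a real service would use a slow KDF (scrypt, argon2).
    return hashlib.sha256(salt + value.encode()).digest()


def _normalise_answer(answer: str) -> str:
    # Security answers are matched loosely ("Louisville" == " louisville "), which
    # is one more reason they carry far less entropy than a password.
    return answer.strip().lower()


@dataclass
class Account:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    answers: Dict[str, Tuple[bytes, bytes]]        # question -> (salt, hash)
    trusted_device_code: Optional[str] = None      # set only when 2FA is enrolled


def enrol(email: str, password: str, answers: Dict[str, str], two_factor: bool) -> Account:
    pw_salt = secrets.token_bytes(16)
    stored = {}
    for question, answer in answers.items():
        salt = secrets.token_bytes(16)
        stored[question] = (salt, _hash(_normalise_answer(answer), salt))
    code = secrets.token_hex(3) if two_factor else None   # constructed device code
    return Account(email, pw_salt, _hash(password, pw_salt), stored, code)


def login(acct: Account, email: str, password: str) -> bool:
    """Path 1: e-mail + password."""
    return email == acct.email and hmac.compare_digest(_hash(password, acct.pw_salt), acct.pw_hash)


def reset_password(acct: Account, email: str, answers: Dict[str, str],
                   device_code: Optional[str], new_password: str) -> bool:
    """Path 2: e-mail + security answers. With 2FA enrolled, the trusted-device
    code is required as well, so public facts alone no longer authenticate."""
    if email != acct.email:
        return False
    for question, (salt, expected) in acct.answers.items():
        given = answers.get(question)
        if given is None or not hmac.compare_digest(_hash(_normalise_answer(given), salt), expected):
            return False
    if acct.trusted_device_code is not None and device_code != acct.trusted_device_code:
        return False
    acct.pw_hash = _hash(new_password, acct.pw_salt)
    return True


# Constructed profile: the answers are the sort of facts that sit on a public page.
PUBLIC_FACTS = {"hometown": "Louisville", "first car": "Honda Civic"}


def reset_with_public_facts_only(two_factor: bool) -> bool:
    """Does knowing the e-mail and the public facts, but not the password or the
    device code, end in a successful login? True without 2FA, False with it."""
    acct = enrol("owner@example.com", "correct horse battery staple", PUBLIC_FACTS, two_factor)
    assert not login(acct, acct.email, "password123")          # password path still holds
    reset_ok = reset_password(acct, acct.email, PUBLIC_FACTS, None, "new-password")
    return reset_ok and login(acct, acct.email, "new-password")


if __name__ == "__main__":
    print("reset succeeds without 2FA:", reset_with_public_facts_only(two_factor=False))
    print("reset succeeds with 2FA:   ", reset_with_public_facts_only(two_factor=True))
```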
 
yikes

thanks for this info.

pls, apple, get better on all of this. real soon. pls.

You *do* understand what that means, right? The software in question must be running on a computer which has already received an authorization token from the iCloud service. This is useful if, for example, your computer is seized as part of executing a search warrant. This is *not* useful if you're sitting down at an arbitrary computer somewhere which does *not* have a current iCloud security token for the target account.

----------

They are not really comparable situations. Your comparison is absurd, because you equate a murder of your wife and kids and having an online account compromised. In your scenario you would also need to add a detail such as the house key being hidden under the door mat.

Not at all, he simply equates blaming the victim of a crime for the actions of the criminal with blaming the victim of a crime for the actions of the criminal.

Even if the key was hidden under the door mat, neither the hypothetical person nor his wife or kids are at fault for the decision of the criminal to commit murder.

Even if I use the password 'god' on my bank account, I am not at fault for the actions of the criminal who steals my money.
 
Surely it must be possible to turn it OFF even if it's ON by default. Otherwise troves and troves of iOS users will be switching to Android or Windows Phone very soon...

Indeed.

I love apple products. Have used them exclusively since 2004 (with the exception of a netbook with linux on it that I rarely use).

But I will not store every picture I take, by default, in the cloud. First, it's too much bandwidth for current cell networks--I'm not paying for that ****. Second, it's too permanent for my liking, and I'd rather not have the NSA following me around knowing every town I visit, etc. Not that the NSA cares about me, but still. It's the principle of the thing.

----------

But they can be faulted for making it so easy for someone who gets that information to be able to get your full device backup in an unencrypted format. And honestly, they are not giving you a door made of steel with steel bolts. They have given you a door that is pretty easy to jimmy open, since iCloud backups are not protected by Apple's two-factor solution.

No.

Apple has given you a steel door. If you enable 2-factor authentication and choose a reasonable password, no one will get into your iCloud backup. Full stop.

(Unless they are the NSA, the cops, or are real haxxors with physical access to your machine, or have installed a root kit or some other back door to get into your system and copy cryptographic tokens. In that case, you're still screwed, because they will easily defeat your pathetic attempts to hide your private info.)
 
It is already encrypted.

But if you have the passwords, encryption means nothing.

Exactly.

The facts here are that iCloud once allowed multiple incorrect logins aka brute force hack. Now multiple high profile celebrities have had their pictures leaked from supposed iCloud backups.

The facts here are that there's no evidence that the brute force attack was used *at all*. The folks who *did it* have posted the methods they used, and it was largely a matter of guessing weak passwords, or guessing weak answers to password reset questions. All as a result of online research on the individual being targeted.

Did they just have the passwords the whole time and finally sold them? Did they have the pictures the whole time and finally sold them? Or is this a new exploit which Apple, or any company, would not admit to publicly off the bat, if at all?

This has, likewise, been answered by the folks who did the act. The photos have been floating around for months/years, until some of them decided to do a mass release of the images.

In any case, it's not great.

True. It's not great no matter how it was done. So why keep talking about methods that *weren't* used as if they were?
 

I did.

Read it again, then read my post again.

They are misstating the issue.

IF someone has your password, yes, 2-factor authentication does not protect your iCloud backups.

If someone does NOT have your password, as was the case apparently here, at least according to the people on AnonIB who appear to be doing the hacking, then 2-factor authentication DOES protect your backups, because it stops them from resetting your password and getting into your iCloud account at all.

----------

The LA Times reports that the passwords were obtained by phishing:

http://www.latimes.com/local/lanow/...d-by-phishing-source-says-20140902-story.html

If true, access to the content in the cloud could have been prevented if 2-factor authentication had been properly implemented for all services.

If this is true, then your conclusion is accurate.

Apple should implement 2-factor authentication for backup restores.

This causes the added problem that if you lose your original phone, you MIGHT be unable to restore.

The solution is to backup to your computer, NOT the cloud.
 
now to wait what excuse the nonbelievers will bring to the new thread…

Another bit of info MR hasn't mentioned yet (I already posted this in the other thread):
Mr Troshichev, a security researcher with HackApp, his online security firm, said that he started looking for weaknesses in iCloud after photographs and emails apparently belonging to Dmitry Medvedev, the Russian prime minister and a prominent user of Apple products, were hacked and released on August 14.
 
What truly matters is people like me own the responsibility of how we store our photos, videos and private data. Perhaps these actors need to look at their role in this event.

Their "role in this event" is that of the *victim*. They are no more at fault for the acts of the criminals who targeted them than you would be for the acts of a criminal who broke into your home and stole your TV.

Get that through your thick skull, and stop blaming the victims for the actions of the criminals.
 
...
The facts here are that there's no evidence that the brute force attack was used *at all*. The folks who *did it* have posted the methods they used, and it was largely a matter of guessing weak passwords, or guessing weak answers to password reset questions. All as a result of online research on the individual being targeted...

I have to lol at your comment. Apple can't give/have evidence of the brute force method because it's not possible, since there was no way to block this method in the first place, so no counts would be stored.
 
Yes, your scenario is preferable.

In the case at hand, though, the "hackers" were not in possession of passwords, and were not brute forcing passwords or otherwise guessing them. They were using password reset, which WOULD BE stopped by Apple's existing 2-factor authentication regime.

Actually, it has been reported that they were brute forcing passwords because Apple's Find My Phone servers didn't lock out multiple brute force attempts. Apple recently closed that loophole so clearly they were aware of it (it was reported to them over a year ago).

----------

This causes the added problem that if you lose your original phone, you MIGHT be unable to restore.

Google solves this problem by giving you multiple one time use codes that you can keep offline. They also allow you to make a computer a trusted device. I don't see why Apple can't do something similar.
 
Their "role in this event" is that of the *victim*. They are no more at fault for the acts of the criminals who targeted them than you would be for the acts of a criminal who broke into your home and stole your TV. Get that through your thick skull, and stop blaming the victims for the actions of the criminals.

Dude, they need to take responsibility for their irresponsibility.

If I knew I was being targeted daily like they are for pics and juicy scandal like they are, common sense would ring loudly that I wouldn't be putting naked pics and videos on a third party cloud site. Hell, Jennifer called out on live TV during the recent awards that she was uploading pics to iCloud. Ding Ding, anybody home? Why not post on Facebook that you're on vacation!

By doing so they accepted said risks of using that site and the likelihood of those images being revealed to the general public at some point through no fault of their own.

Quite simply, they, through either an ignorant or an obstinate attitude, chose to gamble and are now upset that they lost. Bad guys and hackers exist and we all know it. They needed to get their heads out of their holes and not take chances with such sensitive data being kept online.

They can read the paper and watch the news just like I do, and know that such acts are happening daily to much larger and better protected organizations, yet they chose to ignore the warnings and past history and took even greater risks. Dumb.

Are they victims? Yes. However, they did nothing to protect themselves and in fact exposed themselves even more. They are already HUGE targets for pics from paparazzi and hackers alike.

Their role is that of a victim who let this Cr@p happen to them by taking huge risks in waters already filled with sharks preying upon them. Know your surroundings and prepare for them. They failed to do that.

To your point, if you live in a bad neighborhood where people are stalking you to steal your goods, don't keep your prized belongings there.
 
Apple should implement 2-factor authentication for backup restores.

This causes the added problem that if you lose your original phone, you MIGHT be unable to restore.
Apple's system currently relies on 3 types of credentials: the password, your trusted devices, and the recovery key. As long as you lose only one of the three, you will always be able to recover. So, even if a user lost all his trusted devices he would be able to restore the backup as long as he didn't also lose the password or recovery key.

And as I wrote elsewhere, even better than the recovery key is Google's system, where you get a set of one-time codes for backup that can be used as a secondary token if you cannot receive one via normal means for some reason.

I'm pretty sure there is only one reason why Apple hasn't enabled 2FA everywhere: They want to save the cost on support caused by people calling the hotline after locking themselves out.
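The recovery model this post and the earlier one describe, as an added example (not any poster's code, and not Apple's or Google's implementation): any two of the three credentials (password, trusted device, recovery key) restore access, and a set of one-time backup codes can stand in for a lost second factor. The service keeps only hashes of the codes and burns each one on use, so a code copied from the user's offline list cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List

FACTORS = ("password", "trusted_device", "recovery_key")


def _digest(code: str) -> bytes:
    # Codes are short and random, so a plain hash is enough to avoid storing them
    # in the clear; the point is that a database leak does not leak usable codes.
    return hashlib.sha256(code.strip().lower().encode()).digest()


@dataclass
class BackupCodes:
    """One-time codes in the style the post attributes to Google. The plaintext
    list is shown once and kept offline by the user; the service stores hashes."""
    hashes: List[bytes] = field(default_factory=list)

    def issue(self, count: int = 10) -> List[str]:
        codes = [secrets.token_hex(4) for _ in range(count)]   # 8 hex chars each
        self.hashes = [_digest(c) for c in codes]
        return codes

    def redeem(self, code: str) -> bool:
        given = _digest(code)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, given):
                del self.hashes[i]          # consumed: the same code must fail next time
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


def can_recover(held: List[str], backup: BackupCodes, backup_code: str = "") -> bool:
    """The 2-of-3 rule: losing any single factor is survivable. With only one
    factor left, a one-time backup code may serve as the second."""
    have = {f for f in held if f in FACTORS}
    if len(have) >= 2:
        return True
    if len(have) == 1 and backup_code:
        return backup.redeem(backup_code)
    return False


if __name__ == "__main__":
    codes = BackupCodes()
    printed_list = codes.issue()            # the user stores this somewhere offline
    # Constructed case from the thread: phone replaced under warranty, so the
    # trusted device is gone, but the password and the offline codes remain.
    print(can_recover(["password"], codes, printed_list[0]))   # True, code consumed
    print(can_recover(["password"], codes, printed_list[0]))   # False, already burnt
```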
 