This person is an idiot. Gee, if I pour gasoline around my house and light a match, it will burn down! :eek:

If I have remote or physical access to the computer, I don't have to hack it, I already own it!

IDK what you're talking about.

Did you even read what this EPPB tool can do & the concerns she brought up around it?

...the need for encrypted backups when restoring, better token security and additional 2fa implementation. When tools like EPPB exist, all these examples are legitimate security concerns for everybody, not just celebrities.

Tim Cook obviously acknowledges the flaw as Apple will now at least notify users when an iCloud backup is restored...
 
You can have Apple send the code through SMS also. When you set up 2-step with Apple, they even recommend adding a cell number.

Didn't know this, I receive the code through the OS.

----------

IDK what you're talking about.

Did you even read what this EPPB tool can do & the concerns she brought up around it?

...the need for encrypted backups when restoring, better token security and additional 2fa implementation. When tools like EPPB exist, all these examples are legitimate security concerns for everybody, not just celebrities.

Tim Cook obviously acknowledges the flaw as Apple will now at least notify users when an iCloud backup is restored...

I don't see how that's a major concern. To get your backup they first need your password anyway. If they do get into your account, you will lose precious information to hackers. Backups would be my last concern but it's good that they will notify users about them as well.

----------

Hindsight is 20/20, but the fact that this wasn't the case from day 1 is just unacceptable.
Either implement 2FA properly or not at all. False security is worse than no security.

2 Step already covers iPad and iPhone. If you want to reset your password using your iPad, it has to send a code to your device. If they physically steal your iPad or your iPhone, there's not much you can do. So I don't really know what they mean by

"Apple will also broaden use of its two-factor authentication system, allowing it to also cover access to iCloud accounts from mobile devices like iPad and iPhone".

If you have 2-Step verification enabled, there's absolutely no way to reset your password without physical access to your devices. End of story.
 
Hmm locking the door after the horse has bolted eh Tim? Doesn't bode well for its security with mobile payments IMO.

And this is exactly what these other reports have highlighted, that the two step verification isn't secure and gives people a false sense of security.
 
I don't see how that's a major concern. To get your backup they first need your password anyway. If they do get into your account, you will lose precious information to hackers. Backups would be my last concern but it's good that they will notify users about them as well.

If you read the article, no, they don't need your password if they use your iCloud auth token ("they" meaning anyone with remote or physical access to your equipment).

While this method was not how these celebs seemed to have been victimized, I'm referring to everyday Joes who may be victimized in a similar manner. The "hot" girl at work etc.

I'm referring to this article which was previously posted...

http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/

Honestly, the notification would be moot if the deed is done but at least you'd know which is more than what's currently implemented.

IMO, these are still security flaws no matter how minuscule they may seem.
 
I'm just gonna venture a guess that the millions of people who have never been compromised via an Apple service, and their own habits, also don't matter. :cool:

I would probably also guess that everybody still shops on eBay and Target as well. :cool: But :apple: ....now they're just out of line, what with their enabling system. :p
 
If you read the article, no, they don't need your password if they use your iCloud auth token ("they" meaning anyone with remote or physical access to your equipment).

If anyone has such access to your equipment, game over anyway. It's irrelevant.

The issue I perceive is the ongoing ability to reset a password by answering two sekrit questions and giving a birth date. This needs to be stopped, NOW. Ferchissakes, they patched the vulnerability that apparently wasn't used in the attacks, but they haven't patched the one that apparently was? WTF?
 
Cook gives a two week time frame, which I think means it will be tied into the iOS8 release, which always happens 1 or 2 days before the release of a new iPhone. My guess is that this means that iOS8 will be released on Wed Sep 17 with the new iPhone released Fri Sep 19, a week and a half after the keynote, which follows previous years. I guess preorders in certain countries (US, UK, etc) start Friday 12th.

If it is tied to iOS8, I wonder if this level of security will still be offered to iOS7 users. Could be a tactic to get more people to upgrade their devices, which makes perfect sense from an Apple history point of view.
 
Apple really needs to take security more seriously, despite the dumb things people might do with their devices.
 
Hmm locking the door after the horse has bolted eh Tim? Doesn't bode well for its security with mobile payments IMO.

And this is exactly what these other reports have highlighted, that the two step verification isn't secure and gives people a false sense of security.

I'm not concerned though I do think Apple needs to get better at cloud services and security in general. In fact I think Cook should be conducting a search right now to hire someone top notch to oversee Apple's efforts here.

This was a targeted attack specifically going after celebrities and nude photos. I'm not a celebrity and there are no photos on my device that would be valuable to a hacker. The Target and Home Depot hacks worry me more to be honest.

----------

If it is tied to iOS8, I wonder if this level of security will still be offered to iOS7 users. Could be a tactic to get more people to upgrade their devices, which makes perfect sense from an Apple history point of view.

There's plenty of incentive for people running iOS 7 to upgrade to iOS 8. I believe the iPhone 4 is the only iOS 7 compatible device not getting iOS 8. Unless it's an absolutely worse experience on older hardware than iOS 7 was, I see no reason why someone shouldn't upgrade.
 
Sounds like a typical case of users using weak passwords (which most users tend to do) and hackers using common words to guess them. Amazing that with all the attempted hacking and identity theft and such going around that people still refuse to use complex passwords and security features. Especially celebrities.
Agreed with everything you said there. Apple can increase security even more by REQUIRING strong passwords. Passwords that are 8 to 10 characters and alphanumeric upper and lowercase. They might be a pain to do.....but a lot less embarrassing than the alternative.
 
Well Google for one. Change any email, password or anything else on Google and they let you know. They have also had two-factor security for quite a while now.

I think this is (yet) another example of how Apple just doesn't get cloud. This stuff is basic and should have been there since the very start - not an afterthought. They have the resources, they just don't have the mindset.

Who else has better security?
 
Cook gives a two week time frame, which I think means it will be tied into the iOS8 release, which always happens 1 or 2 days before the release of a new iPhone. My guess is that this means that iOS8 will be released on Wed Sep 17 with the new iPhone released Fri Sep 19, a week and a half after the keynote, which follows previous years. I guess preorders in certain countries (US, UK, etc) start Friday 12th.

If it is tied to iOS8, I wonder if this level of security will still be offered to iOS7 users. Could be a tactic to get more people to upgrade their devices, which makes perfect sense from an Apple history point of view.

I think that this security upgrade (if you will) will be backwards compatible.
 
Well Google for one. Change any email, password or anything else on Google and they let you know. They have also had two-factor security for quite a while now.

I think this is (yet) another example of how Apple just doesn't get cloud. This stuff is basic and should have been there since the very start - not an afterthought. They have the resources, they just don't have the mindset.

Do you even know what you're talking about?
 
If you read the article, no, they don't need your password if they use your iCloud auth token ("they" meaning anyone with remote or physical access to your equipment).

Well, if anyone has physical access to my equipment, that's a pretty much done deal anyway. Until you can act they'll get whatever they need. If you have physical access to my phone, you can hack my gmail as well, even if I have 2-Step active.
 
Hindsight is 20/20, but the fact that this wasn't the case from day 1 is just unacceptable.
Either implement 2FA properly or not at all. False security is worse than no security.
Except that even if 2FA was set up better and covered more it wouldn't matter since these people weren't using it anyway.

----------

Hmm locking the door after the horse has bolted eh Tim? Doesn't bode well for its security with mobile payments IMO.

And this is exactly what these other reports have highlighted, that the two step verification isn't secure and gives people a false sense of security.
2FA is secure if people don't compromise your information some other way. And now it will be more secure by being expanded--as it should have been before.

----------

Apple really needs to take security more seriously, despite the dumb things people might do with their devices.
Seems like they are taking it seriously.

----------

If you read the article, no, they don't need your password if they use your iCloud auth token ("they" meaning anyone with remote or physical access to your equipment).

While this method was not how these celebs seemed to have been victimized, I'm referring to everyday Joes who may be victimized in a similar manner. The "hot" girl at work etc.

I'm referring to this article which was previously posted...

http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/

Honestly, the notification would be moot if the deed is done but at least you'd know which is more than what's currently implemented.

IMO, these are still security flaws no matter how minuscule they may seem.
They either need your password or access to your device, in either situation that's the bigger issue than any other flaw that might be present.
 
This is incorrect. Two step verification - as currently implemented by Apple - would not have prevented this data breach.

The celebrities' passwords weren't changed - their existing passwords were brute forced. This was possible because (until this past weekend) Apple didn't restrict the number of password guesses being tried against an account. And once the hackers had the passwords, they were able to do a "restore from iCloud" to a faux new device, using that supposed law enforcement software from Elcomsoft - a step that does not currently require two step verification.

Two step verification is a good thing. Apple definitely should expand it. But it's not a panacea for every ill, and there will be situations where it's not practical. It's going to be hard to implement, for instance, when the user only owns an iPhone and nothing else.

This is 100% incorrect and you should stop spreading misinformation. Literally everything you said was wrong.

1.) The passwords were not brute-forced, the security questions were guessed.
2.) Apple does time out users for too many password or security question attempts. Try it for yourself.
3.) Two-step verification gets rid of security questions, preventing them from being guessed.
4.) Even if the passwords were brute forced or guessed, they wouldn't have been able to restore from iCloud and download the backups without permission from one of the account's trusted devices.
5.) If a user's only iOS device is an iPhone, they can still use 2-step verification.
6.) An iPhone isn't required for 2-step verification, it just requires a phone that can receive

The only drawback to 2-step verification is that if the user loses access to all trusted devices and to the phone number set up with their account, they have to use their recovery key. If they didn't save this/print this out/lost this as well, there is absolutely no way to recover their account, even if they know their password.
 
Er... yep. As a user I have two iPads, an iPhone 5, a Samsung tab, a Nexus 7 and a Galaxy S4 and use both Apple and Google services on a daily basis.

As a business owner we provide a cloud service with two factor authentication, notifications to beat the band, AES-256 encryption on all data entered, SHA-2 on passwords with random salts, IP blocking, account lockouts, traffic pattern matching etc etc etc.

That and over 30 years in the business gives me a good perspective on what good and bad security is.

Of course in the end it's all just my opinion :)

Do you even know what you're talking about?
 
That works well for people who never travel but I travel a lot for work and need my stuff synced while I'm on the road.

I can see the synching requirement, but that's a different switch on iCloud from backing up your iPhone/iPad. You can have synching on, but iCloud backups off (and local).

While the recent photos are embarrassing (and getting the press), it's all the other long term data (contacts, messages and e-mails etc. that have long been deleted on the device) that is really valuable (could be used for truly nefarious purposes) and that the iCloud backups have on their servers (what a honeypot for the bad guys right?) waiting for harvesting.

I recently stopped doing iCloud backups (always made me uncomfortable anyways) and have them local - after all the revelations over the last year and the fact that multiple commercial companies sell software to access your iThing without the user's permission (indicating to me Apple has their systems too wide open and is comfortable with these companies selling this software).
 
Agreed with everything you said there. Apple can increase security even more by REQUIRING strong passwords. Passwords that are 8 to 10 characters and alphanumeric upper and lowercase. They might be a pain to do.....but a lot less embarrassing than the alternative.

I think you have to have one capital letter now. I changed my password about a year and a half ago and it made me put a capital letter in it much to my annoyance at the time.

I don't take or store naked pictures though :D
 
I think you have to have one capital letter now. I changed my password about a year and a half ago and it made me put a capital letter in it much to my annoyance at the time.

I don't take or store naked pictures though :D
LOL....and here I was ready to put my hacker hat on! :D
 
Couldn't they just make the phone verification step mandatory BEFORE even downloading the backup?
 
Trust me I can write down some security questions which will be impossible to find out unless you are actually me. Everyone can do that. And nobody should be using hometown or birthdate as a security question.

Everybody can enable 2-factor authentication (oh wait, they can't in every country for Apple IDs), but that doesn't mean they will. The fact is, Apple's password recovery system requires no verification other than the questions that are set up by the user. That is poor design. There is no other way to say it and no one should find their system acceptable. You can guarantee Apple is going to fix their implementation.

----------

Agreed with everything you said there. Apple can increase security even more by REQUIRING strong passwords. Passwords that are 8 to 10 characters and alphanumeric upper and lowercase. They might be a pain to do.....but a lot less embarrassing than the alternative.

Again, strong passwords would not have helped AT ALL in this case. The problem is unlike most other major companies, Apple's password recovery system requires no verification other than to answer a few recovery questions. Most companies require that you verify your identity via an SMS, phone call, or secondary email. In this case, it seems the password recovery system was used to get new passwords for the users. So how strong their passwords were did not factor in.

----------

4.) Even if the passwords were brute forced or guessed, they wouldn't have been able to restore from iCloud and download the backups without permission from one of the account's trusted devices.

That is simply untrue. No permission is needed to download an iCloud backup today. In fact, even with 2-factor enabled, you still only need a username/password. I'm not sure where you are getting your misinformation.
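The two controls argued over in the posts above (whether guesses against a password or security question are throttled, and whether a backup download demands approval from a trusted device when two-step is on) can be modelled in a few lines. This is an added illustration, not Apple's code or anything the thread's posters wrote; the class, method names, attempt limit and lockout window are all assumptions.

```python
"""Toy account service modelling guess throttling and a second-factor
step-up before a backup is served. Added example with assumed names and
limits; it does not reproduce any real iCloud behaviour."""
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # failed guesses allowed before lockout (assumed value)
LOCKOUT_SECONDS = 900   # cool-off once the limit is hit (assumed value)


@dataclass
class Account:
    password: str
    two_step: bool = False               # user enrolled in two-step verification
    failures: int = 0
    locked_until: float = 0.0
    approved_sessions: set = field(default_factory=set)


class AccountService:
    def __init__(self, now=lambda: 0.0):
        self.now = now                   # injectable clock for deterministic tests
        self.accounts = {}

    def login(self, user, password):
        acct = self.accounts[user]
        if self.now() < acct.locked_until:
            return "locked"              # throttled: the guess is not even evaluated
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= MAX_ATTEMPTS:
                acct.locked_until = self.now() + LOCKOUT_SECONDS
                acct.failures = 0
            return "denied"
        acct.failures = 0
        return "ok"

    def approve_from_trusted_device(self, user, session_id):
        """A trusted device vouches for this session (the second factor)."""
        self.accounts[user].approved_sessions.add(session_id)

    def download_backup(self, user, password, session_id,
                        require_second_factor=True):
        """require_second_factor=False models the weakness described in the
        thread: a valid password alone is enough to pull the backup."""
        if self.login(user, password) != "ok":
            return "denied"
        acct = self.accounts[user]
        if (require_second_factor and acct.two_step
                and session_id not in acct.approved_sessions):
            return "needs-trusted-device"
        return "backup-data"
```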
 
Everybody can enable 2-factor authentication (oh wait, they can't in every country for Apple IDs), but that doesn't mean they will. The fact is, Apple's password recovery system requires no verification other than the questions that are set up by the user. That is poor design. There is no other way to say it and no one should find their system acceptable. You can guarantee Apple is going to fix their implementation.

----------

Again, strong passwords would not have helped AT ALL in this case. The problem is unlike most other major companies, Apple's password recovery system requires no verification other than to answer a few recovery questions. Most companies require that you verify your identity via an SMS, phone call, or secondary email. In this case, it seems the password recovery system was used to get new passwords for the users. So how strong their passwords were did not factor in.
Agreed with the above... having strong passwords, 2 factor auth and identity verification is best.
 