
[Updated]: Apple denies iCloud breach, says ‘very targeted attack’ hit certain celebrities and Tim Cook Responds

Okay, let me make it simple.

 

We have a large cloud service, AKA some large PC (like the one lying next to you), connected to the Internet, and through that it can be accessed from many devices with a password and email combo (+ the other ways that are called hacking).

 

The problem (?) comes when this technology is introduced to many non-techie people. I mean come on, go to your mom and explain to her what a cloud is exactly; there is a 99.9% chance that before that she did not even have a clue, and maybe she forgets it after 5 minutes.

So they trust a service with sensitive data that they should not.

 

And when the poopoo happens, they freak out.

 

It can be any company behind this cloud; speaking of the number of connections and devices, the internet itself will never be 100% safe. Never. Someone WILL find a way in due time.

Link to comment
Share on other sites

Link to post
Share on other sites

I'll make this as simple as possible...

 

It's Apple's fault...

 

They even know how the account was breached but they have swept it under the carpet, saying "weak passwords" etc... Why? Because they don't want any damage done to the brand...

 

I don't care how weak someone's password or personal answers are, you can't guess it all right the first time! Apple's system has failed to identify multiple failed login or password recovery attempts...

 

I have personally recovered multiple Apple accounts for customers that lost or forgot login details, and there are multiple ways that enable you to brute force passwords or keep going over the recovery questions...

Lian Li PC-V359WRX Micro-ATX Case | Intel 5960X Extreme 3.00GHz | ASRock Fatal1ty X99M KILLER | Crucial 32 GB 2666 DDR4 | Thermaltake NiC C5 | EVGA Supernova 1200W P2 | 2x 240GB OCZ Radeon R7 | 2x 256 GB Samsung 840 Series Pro | 2 X 120GB Samsung 840 EVO | 6x NF-F12’s | Place Holder GPU R9 290X |

Links Current 5960X Old FX9590

Link to comment
Share on other sites

Link to post
Share on other sites

Do you blame Trojan condoms for you getting AIDS when you have sex with an STD-riddled partner, even though condoms should protect you 99% of the time?

Or do you blame yourself for putting yourself in that risky of a situation in the first place?

 

Food for thought. 

Link to comment
Share on other sites

Link to post
Share on other sites

Do you blame Trojan condoms for you getting AIDS when you have sex with an STD-riddled partner, even though condoms should protect you 99% of the time?

Or do you blame yourself for putting yourself in that risky of a situation in the first place?

 

Food for thought. 

 

Okay people just stop with the bullshit allegories already. This is a tech forum, we can understand technical language here.

 

Congrats for the 1337 posts BTW.

The stone cannot know why the chisel cleaves it; the iron cannot know why the fire scorches it. When thy life is cleft and scorched, when death and despair leap at thee, beat not thy breast and curse thy evil fate, but thank the Builder for the trials that shape thee.
Link to comment
Share on other sites

Link to post
Share on other sites

Do you blame Trojan condoms for you getting AIDS when you have sex with an STD-riddled partner, even though condoms should protect you 99% of the time?

Or do you blame yourself for putting yourself in that risky of a situation in the first place?

 

Food for thought. 

Okay I am going to put this in as simple terms as possible.

Apple, fucked, up. They missed one of the absolute most basic security features. This is not some "ohh they thought of 99% of the attacks but missed the 1%". This is "they missed one of the first things anyone who studies securing computers learns".

They just fucked up. That's the end of the discussion. No bullshit analogies. No bullshit "no computer system is 100% secure". They just forgot about one of the most basic things ever. Protect against brute force attacks.

This is in no way like a condom failing. Not at all. This is like if Trojan put apple pie into the mold instead of rubber. It is that big of a mistake.

Link to comment
Share on other sites

Link to post
Share on other sites

Okay I am going to put this in as simple terms as possible.

Apple, fucked, up. They missed one of the absolute most basic security features. This is not some "ohh they thought of 99% of the attacks but missed the 1%". This is "they missed one of the first things anyone who studies securing computers learns".

They just fucked up. That's the end of the discussion. No bullshit analogies. No bullshit "no computer system is 100% secure". They just forgot about one of the most basic things ever. Protect against brute force attacks.

This is in no way like a condom failing. Not at all. This is like if Trojan put apple pie into the mold instead of rubber. It is that big of a mistake.

 

 

You guys will stretch anything to make Apple look bad, won't you? 

 

What next, Apple is responsible for starving children and the bubonic plague? 

Link to comment
Share on other sites

Link to post
Share on other sites

Best solution to this? Turn off iCloud backup.

 

I don't use or trust cloud based services. I just backup locally to my PC.

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

 

 

 

Link to comment
Share on other sites

Link to post
Share on other sites

You guys will stretch anything to make Apple look bad, won't you? 

 

What next, Apple is responsible for starving children and the bubonic plague? 

I bash any company that does something bad. Leaving such a gaping security hole open is really, really bad.

I would have said exactly the same thing if it happened to Google, Microsoft, Samsung, Intel, AMD, anyone.

 

Stop with the "you're just hating on them because it's Apple". I am hating on the company because they royally screwed up.

 

 

"You will stretch anything to make Apple look good, won't you?"

See how childish it sounds?

Link to comment
Share on other sites

Link to post
Share on other sites

I bash any company that does something bad. Leaving such a gaping security hole open is really, really bad.

I would have said exactly the same thing if it happened to Google, Microsoft, Samsung, Intel, AMD, anyone.

 

Stop with the "you're just hating on them because it's Apple". I am hating on the company because they royally screwed up.

 

 

"You will stretch anything to make Apple look good, won't you?"

See how childish it sounds?

 

Childish to call out all the "DAE APPLE IS HITLER" bullshit that goes around on a tech site? Okay?...

You are stretching the facts to make Apple look bad here. What did you expect them to do in this case? Is this really a security hole (a gaping one)? Can Apple even prevent this from happening? Is the sky really blue?

 

Jesus, if you are so wise go send your resume to Apple and show them how to fix this. Don't sit on your chair, hit your keyboard to make words, and bash companies as if you know better than they do. Sometimes, and I mean sometimes, you don't. 

Link to comment
Share on other sites

Link to post
Share on other sites

Apple can't stop people from making insecure passwords. If they got hacked then it's the people's fault for not making their password secure enough. (if the password was cracked anyway)

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown


Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1

Link to comment
Share on other sites

Link to post
Share on other sites

I find it hard to believe that all of these people who are constantly in public eye all around the same time had a lapse in judgment/security resulting in the largest privacy breach in recent memory.

4770k @4.4 / 16GB @2400 / Plextor MP5X 128GB / MSI Mpower Z87 / MSI GTX 1070 Armor OC / AX860 / XSPC RX240 & EX240 / Koolance 380i / CM 690 II / Qnix 1440p @96Hz / Benq XL2420G

Current Status: Mourning the loss of my 780 ti 

Link to comment
Share on other sites

Link to post
Share on other sites

Childish to call out all the "DAE APPLE IS HITLER" bullshit that goes around on a tech site? Okay?...

When did I scream that? It's childish to say "You guys will stretch anything to make Apple look bad, won't you?" though, because it implies that the sole purpose of me talking poorly about them right now is because they are Apple. I will admit that I dislike Apple as a company (for many reasons) but that has nothing to do with this conversation. Right now I am talking poorly about one of their services because they really messed up the security aspect of it, not because I dislike them as a company.

 

You are stretching the facts to make Apple look bad here. What did you expect them to do in this case? Is this really a security hole (a gaping one)? Can Apple even prevent this from happening? Is the sky really blue?

Please explain how I am stretching the facts. Apple did not have any protection against brute force attacks. Brute force attacks are very, very easy to block, and they are also one of the most common attacks.

Yes it is a huge gaping hole, as you can see by the results.

Yes Apple could have prevented this from happening very easily, and they have already patched it. I don't even think it took them a day to realize what the issue was and then patch it.

 

 

Jesus, if you are so wise go send your resume to Apple and show them how to fix this. Don't sit on your chair, hit your keyboard to make words, and bash companies as if you know better than they do. Sometimes, and I mean sometimes, you don't. 

Well they have already fixed it. It's not that I know better than them, it's that they forgot about it. I haven't used any Apple products for a long time now, but I am pretty sure their other services have countermeasures against brute force attacks, so it's obvious that they have the competence to realize the risks and implement protection.

They just made a mistake. A big mistake.

Link to comment
Share on other sites

Link to post
Share on other sites

Alright fine, it's like leaving a bucket of keys outside your house with a sign saying "one of these keys works, I sure hope you won't try all of them".

No, it is not. It is like leaving for vacation with the door locked. It could be compared to not telling your neighbors that you are going on vacation.

 

I don't really see how proxies would help. First of all you would need so many it would be impractical (remember, the brute force program goes through tens of thousands, if not hundreds of thousands of passwords). Secondly you just have to implement the lockout on the account itself, rather than the IP. Someone tested 5 wrong passwords in like 20 seconds? Lock the account for like half an hour.

No. Just no. Think about it. Everyone will be able to close down an account.

This will affect the user too.

You are also off with the use of proxies.

When an internet service denies you login after 3 times, it will deny your login requests from that IP address for a certain period of time (normally pretty short).

With only a couple of hundred proxies, you will be able to shuffle through them (you set a timer on each).

Link to comment
Share on other sites

Link to post
Share on other sites

No.

Yes

 

To block brute-force attacks, simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour...


Link to comment
Share on other sites

Link to post
Share on other sites

Yes

 

To block brute-force attacks, simply lock out accounts after a defined number of incorrect password attempts. Account lockouts can last a specific duration, such as one hour...

Are people retarded at this hour?

No, this is not a solution. This is more of a problem than a solution.

Imagine how easy it is to close an account for an hour. When that hour is done you do it again.

Link to comment
Share on other sites

Link to post
Share on other sites

No, it is not. It is like leaving for vacation with the door locked. It could be compared to not telling your neighbors that you are going on vacation.

Well then that analogy doesn't work. Facts are facts. It's a simple fix and a glaring security hole.

 

 

No. Just no. Think about it. Everyone will be able to close down an account.

This will affect the user too.

You are also off with the use of proxies.

When an internet service denies you login after 3 times, it will deny your login requests from that IP address for a certain period of time (normally pretty short).

With only a couple of hundred proxies, you will be able to shuffle through them (you set a timer on each).

No actually you're the one not thinking this through.

Here are a few ways to counter this.

 

1) Set a timer on how often you can log in. For example, set a 5 second timer on it. All of a sudden you've reduced the speed of an attack from maybe 50 passwords a second to 1 password every 5 seconds. Even a fairly short timer makes brute force attacks very inefficient.

2) Set the lock on the account instead of the IP. If you are afraid that users will be locked out then simply implement a way for them to verify that they are the true owner, like a one time code that gets sent to them (you know, temporary two step verification).

3) Request a captcha after a certain number of attempts.

 

That's 3 ways of countering it.

The fact that Apple could fix the issue so quickly disproves any "it's hard to counter it!" claim you can make. If it was hard then they wouldn't have fixed the issue in like a day or less.

Seriously, I implement these kinds of things all the time on network equipment. It's far easier than you try to make it sound.

 

 

 

No.

Yes

Link to comment
Share on other sites

Link to post
Share on other sites
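The countermeasures argued over in this post (a minimum interval between guesses on one account, a CAPTCHA after a few failures, and keying the limit on the account rather than only on the client address) can be checked against each other in code. The following is an added example written for this page; it is not code from the thread, from Apple, or from any poster. The Policy numbers, the account name and the 198.51.100.x addresses are constructed for the simulation, which counts how many guesses the password check would actually see in ten minutes under an address-only policy versus an account-aware one.

```python
"""Login throttle keyed on the account and on the source address.

Added example (not from the thread or from Apple): per-account spacing,
a CAPTCHA gate, and sliding-window failure counts keyed on both the
account and the client IP, with a simulation of what each policy lets
through. All limits, names and addresses below are constructed.
"""
from collections import deque
from dataclasses import dataclass

ALLOW, CAPTCHA, DENY = "allow", "captcha", "deny"
UNLIMITED = 10**9  # a limit that is never reached; used to switch a rule off


@dataclass(frozen=True)
class Policy:
    window_ms: int = 60_000        # sliding window for failure counts
    per_account_max: int = 5       # failures per account per window before DENY
    per_ip_max: int = 20           # failures per source IP per window before DENY
    captcha_after: int = 3         # account failures before a CAPTCHA is demanded
    min_interval_ms: int = 5_000   # minimum spacing between guesses on one account


class LoginThrottle:
    """Decides whether a login attempt may reach the password check at all."""

    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._acct_fail: dict = {}   # account -> deque of failure timestamps (ms)
        self._ip_fail: dict = {}     # source IP -> deque of failure timestamps (ms)
        self._acct_last: dict = {}   # account -> timestamp of last evaluated attempt

    def _recent(self, table: dict, key: str, now_ms: int) -> int:
        """Number of failures for `key` inside the window ending at now_ms."""
        dq = table.get(key)
        if dq is None:
            return 0
        cutoff = now_ms - self.policy.window_ms
        while dq and dq[0] <= cutoff:          # forget failures that left the window
            dq.popleft()
        return len(dq)

    def check(self, account: str, ip: str, now_ms: int) -> str:
        p = self.policy
        acct_failures = self._recent(self._acct_fail, account, now_ms)
        if acct_failures >= p.per_account_max:
            return DENY                          # account-keyed cap: proxies do not help
        if self._recent(self._ip_fail, ip, now_ms) >= p.per_ip_max:
            return DENY                          # address-keyed cap: cheap first filter
        last = self._acct_last.get(account)
        if last is not None and now_ms - last < p.min_interval_ms:
            return DENY                          # the "5 second timer" from the post
        if acct_failures >= p.captcha_after:
            return CAPTCHA                       # a script cannot pass this by itself
        return ALLOW

    def record(self, account: str, ip: str, now_ms: int, success: bool) -> None:
        """Call after the password check ran; a success clears the account counter."""
        self._acct_last[account] = now_ms
        if success:
            self._acct_fail.pop(account, None)
            return
        self._acct_fail.setdefault(account, deque()).append(now_ms)
        self._ip_fail.setdefault(ip, deque()).append(now_ms)


# Two policies to compare: address-only limiting versus account-aware limiting.
IP_ONLY = Policy(per_account_max=UNLIMITED, captcha_after=UNLIMITED, min_interval_ms=0)
ACCOUNT_AWARE = Policy()


def guesses_served(policy: Policy, n_sources: int, duration_ms: int, every_ms: int = 20) -> int:
    """Constructed scenario: one account, an attempt every `every_ms`, spread
    round-robin over `n_sources` addresses. Returns how many attempts the
    password check actually evaluated; DENY and CAPTCHA responses are not guesses."""
    throttle = LoginThrottle(policy)
    account = "victim@example.com"                 # constructed
    served = 0
    for i in range(duration_ms // every_ms):
        now = i * every_ms
        ip = f"198.51.100.{i % n_sources}"         # RFC 5737 documentation range, constructed
        if throttle.check(account, ip, now) == ALLOW:
            served += 1
            throttle.record(account, ip, now, success=False)
    return served


if __name__ == "__main__":
    for name, policy in (("IP_ONLY", IP_ONLY), ("ACCOUNT_AWARE", ACCOUNT_AWARE)):
        for sources in (1, 200):
            print(f"{name:14s} sources={sources:4d} "
                  f"guesses/10min={guesses_served(policy, sources, 600_000)}")
```

Under IP_ONLY the served count climbs with the number of source addresses, which is the proxy-rotation point made above; under ACCOUNT_AWARE it stays at a few dozen per ten minutes whatever the address count, and a successful login clears the account counter so a legitimate user who mistyped twice is not stuck. CAPTCHA-gated attempts are counted as not served because an automated script cannot complete them on its own; a human can, which is why the interval and window caps stay in place behind the CAPTCHA.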

Well then that analogy doesn't work. Facts are facts. It's a simple fix and a glaring security hole.

It is not a direct security hole. The true comparison would be the robbers making a ton of different keys, hoping that one will fit.

Not more, not less.

 

No actually you're the one not thinking this through.

Here are a few ways to counter this.

 

1) Set a timer on how often you can log in. For example, set a 5 second timer on it. All of a sudden you've reduced the speed of an attack from maybe 50 passwords a second to 1 password every 5 seconds. Even a fairly short timer makes brute force attacks very inefficient.

2) Set the lock on the account instead of the IP. If you are afraid that users will be locked out then simply implement a way for them to verify that they are the true owner, like a one time code that gets sent to them (you know, temporary two step verification).

3) Request a captcha after a certain number of attempts.

 

That's 3 ways of countering it.

The fact that Apple could fix the issue so quickly disproves any "it's hard to counter it!" claim you can make. If it was hard then they wouldn't have fixed the issue in like a day or less.

Seriously, I implement these kinds of things all the time on network equipment. It's far easier than you try to make it sound.

1) Already implemented on most systems.

2) Never put a lock on the account; it gives more problems than it solves.

3) Already implemented on most systems.

All this does is slow it down. There are ways around it (except number 2, which no one is really interested in implementing).

You find one way to protect yourself, and the hacker finds a new way to exploit. It is an endless loop. Bruteforcing is still possible even with restrictions.

Link to comment
Share on other sites

Link to post
Share on other sites

Are people retarded at this hour?

No, this is not a solution. This is more of a problem than a solution.

Imagine how easy it is to close an account for an hour. When that hour is done you do it again.

 

1. Don't call me retarded, you don't know me and have no idea what I do...

2. I just spelled out the most simple way you can combat the attack, with a bit more depth than your "no" reply... this was just a simple solution; there are more ways to skin a cat. CAPTCHA stops automated attacks, you can ask for text verifications etc., there are hundreds of combinations of ways to avoid these issues, every other big web company has methods that help stop these types of attacks, Apple was just letting you continuously keep guessing with automated scripts...


Link to comment
Share on other sites

Link to post
Share on other sites

It is not a direct security hole. The true comparison would be the robbers making a ton of different keys, hoping that one will fit.

Not more, not less.

Yes, that is a security hole. A security hole is a flaw in a system which allows an attacker to gain unauthorized access.

I am a fan of the IETF so I am going to post their definition:

 

$ vulnerability

(I) A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy.

(C) Most systems have vulnerabilities of some sort, but this does not mean that the systems are too flawed to use. Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of attacks, and the effectiveness of any countermeasures in use. If the attacks needed to exploit a vulnerability are very difficult to carry out, then the vulnerability may be tolerable. If the perceived benefit to an attacker is small, then even an easily exploited vulnerability may be tolerable. However, if the attacks are well understood and easily made, and if the vulnerable system is employed by a wide range of users, then it is likely that there will be enough benefit for someone to make an attack.

And before you nitpick, a vulnerability and a security hole are synonyms.

 

 

 

1) Already implemented on most systems.

2) Never put a lock on the account; it gives more problems than it solves.

3) Already implemented on most systems.

1) Strange that Apple didn't have it implemented, right?

2) Why not put a lock on it? Temporary two step verification if the system thinks your account is under attack sounds like a good idea to me. It also warns the user that something bad is going on.

3) And not on Apple's system...

 

 

All this does is slow it down. There are ways around it (except number 2, which no one is really interested in implementing).

You find one way to protect yourself, and the hacker finds a new way to exploit. It is an endless loop. Bruteforcing is still possible even with restrictions.

Those things slow the attack down enough to make it become impractical. I recommend you read the definition of vulnerability I posted above. It's not about completely eliminating the risk of a brute force attack being successful. It's about making it hard and time consuming enough to not make it feasible. Apple had 0 protection in place. All three of the suggestions I posted would have given at least decent protection.

Again, Apple have had protection against this in their other services, and they fixed the issue very quickly so they obviously know what they are doing. They probably just forgot about it. Please stop trying to defend Apple when it's:

1) A really big mistake to make.

2) They fixed it quickly, and they have protection on their other services.

 

They screwed up and now they have fixed it. If it really was as hard as you try to make it sound then they wouldn't have been able to fix it so easily, and their other services would have been vulnerable as well.

Link to comment
Share on other sites

Link to post
Share on other sites

If someone steals my debit card and guesses my PIN, how is it even a little bit my bank's fault?

If the security on Apple's end was never breached, it's not their fault people were able to find the username and password.

I think answering security questions with the right answers is the problem.

I can go on a celebrity's Wikipedia page and probably find the answers to the 4 most common security questions.

 

You're arguing against yourself with this point.

 

If somebody steals your debit card and guesses your PIN incorrectly 3 times, your card will be locked. These iCloud accounts were brute-forced; email + password combinations were probably tried millions of times. It doesn't take an Apple Genius to figure out that's where the lack of security occurred. The post by Lawlz sums it up perfectly.

Link to comment
Share on other sites

Link to post
Share on other sites

As said in the statement, iCloud wasn't hacked, but the predictable passwords and security questions are the reasons for it. The hacker, I must say, was very determined to get what he had set out for.

Look. Anyone who's blaming apple, shut the hell up. Any service, no matter how secure, is NOT unhackable.

You're right, it's not 100% Apple's fault, but it is, a little bit. It's their service after all. 

How about a basic: you tried 3 times, wait 5 minutes; 4 times, 30; 5 times, 6 hours? Lock the account after too many tries and use their "premium ultra American customer service" you pay for to unlock your shit? And send an email in the meantime to tell you someone is trying to get into your files.

It's not Apple's fault they got in, it's their fault they don't have security measures to handle a brute force attack. This is not a zip file, and while I agree with enabling 2 step verification, I have a feeling so-called celebrities would need a separate phone to filter spam from all of the websites they're registered on.

Link to comment
Share on other sites

Link to post
Share on other sites
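The schedule in the post above (three failures, wait five minutes; four, thirty; five, six hours; then lock and notify) together with the earlier suggestion of a one-time code to prove ownership can be written down as a small state machine. This is an added example, not code from the thread or from Apple. The hard lock after a sixth failure, the eight-digit code format and the `notify` callback are assumptions made here; in a deployment the callback would send the e-mail the post mentions, and the owner would present the code through a support or self-service channel.

```python
"""Escalating cooldown, account lock and owner unlock for a login endpoint.

Added example (not from the thread or from Apple). Schedule taken from the
post: 3 failures -> 5 min, 4 -> 30 min, 5 -> 6 h. Assumed for the example:
a sixth failure locks the account until the owner proves ownership with a
one-time code delivered out of band through `notify`.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

COOLDOWN_AFTER = {3: 5 * 60, 4: 30 * 60, 5: 6 * 60 * 60}  # failures -> seconds
HARD_LOCK_AFTER = 6                                        # assumption, not from the post

Notifier = Callable[[str, str, Optional[str]], None]       # (account, event, code)


@dataclass
class AccountState:
    failures: int = 0
    cooldown_until: int = 0          # unix time; attempts before this are refused
    hard_locked: bool = False
    unlock_code: Optional[str] = None


class EscalatingLockout:
    def __init__(self, notify: Notifier) -> None:
        self._notify = notify
        self._state: dict = {}       # account -> AccountState

    def _issue_code(self, account: str, s: AccountState, event: str) -> None:
        # One-time code the real owner receives out of band; lets a legitimate
        # user clear a cooldown that a stranger triggered against their account.
        s.unlock_code = f"{secrets.randbelow(10**8):08d}"
        self._notify(account, event, s.unlock_code)

    def attempt(self, account: str, now: int, verify: Callable[[], bool]) -> str:
        """Run `verify` (the real password check) only if policy allows it."""
        s = self._state.setdefault(account, AccountState())
        if s.hard_locked:
            return "locked"
        if now < s.cooldown_until:
            return "cooldown"            # password is not evaluated while cooling down
        if verify():
            s.failures = 0
            s.unlock_code = None
            return "ok"
        s.failures += 1
        if s.failures >= HARD_LOCK_AFTER:
            s.hard_locked = True
            self._issue_code(account, s, "locked")
            return "locked"
        wait = COOLDOWN_AFTER.get(s.failures)
        if wait is None:
            return "fail"                # first failures: no penalty, just a miss
        s.cooldown_until = now + wait
        self._issue_code(account, s, f"cooldown:{wait}")
        return "cooldown"

    def cooldown_remaining(self, account: str, now: int) -> int:
        s = self._state.get(account)
        return max(0, s.cooldown_until - now) if s else 0

    def unlock(self, account: str, code: str) -> bool:
        """Owner presents the delivered code; on success all penalties are cleared."""
        s = self._state.get(account)
        if s is None or s.unlock_code is None:
            return False
        if not hmac.compare_digest(s.unlock_code, code):
            return False
        self._state[account] = AccountState()
        return True


if __name__ == "__main__":
    outbox = []   # stands in for the e-mail the post mentions
    guard = EscalatingLockout(lambda acct, event, code: outbox.append((acct, event, code)))
    t = 0
    for _ in range(6):                    # six wrong passwords, waiting out each cooldown
        print(t, guard.attempt("alice@example.com", t, lambda: False))
        t += guard.cooldown_remaining("alice@example.com", t)
    print(outbox[-1][1], "code delivered out of band:", outbox[-1][2])
```

Failures during a cooldown are refused without being counted, so reaching the hard lock takes at least the sum of the three cooldowns; that limits how quickly a stranger can lock someone out, which is the objection raised earlier in the thread, and the out-of-band code gives the owner a way back in that does not depend on guessing. Codes are only issued at the escalation points, not on every failure, so the notification channel is not flooded.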

Last time I was in an Apple store the salesperson walked straight up to me and said "it's right what you heard, we are a virus-free environment" without me saying a thing. It's this kind of crap that fools non-tech-savvy people into thinking that they are safe online. I know this was not a virus, but what it implies to people who don't know better is that they are safe from bad things happening.

Link to comment
Share on other sites

Link to post
Share on other sites
