[Updated]: Apple denies iCloud breach, says ‘very targeted attack’ hit certain celebrities and Tim Cook Responds

Were they all brute-forced? Or did they have default passwords like 1234 or their birthdays?

I do believe some used social engineering too.

Yes, that is a security hole. A security hole is a flaw in a system which allows an attacker to gain unauthorized access.

I am a fan of the IETF so I am going to post their definition:

And before you nitpick, a vulnerability and a security hole are synonyms.

Then there is a security hole in everything.

1) Strange that Apple didn't have it implemented, right?

2) Why not put a lock on it? Temporary two-step verification if the system thinks your account is under attack sounds like a good idea to me. It also warns the user that something bad is going on.

3) And not on Apple's system...

1) Fail by Apple, that is correct.

2) As previously mentioned. You do NOT put a lock on the account. It creates other vulnerabilities.

3) Fail by Apple again.

Those things slow the attack down enough to make it become impractical. I recommend you read the definition of vulnerability I posted above. It's not about completely eliminating the risk of a brute force attack being successful. It's about making it hard and time consuming enough to not make it feasible. Apple had 0 protection in place. All three of the suggestions I posted would have given at least decent protection.

Again, Apple have had protection against this in their other services, and they fixed the issue very quickly so they obviously know what they are doing. They probably just forgot about it. Please stop trying to defend Apple when it's:

1) A really big mistake to make.

2) They fixed it quickly, and they have protection on their other services.

They screwed up and now they have fixed it. If it really was as hard as you try to make it sound then they would have been able to fix it so easily, and their other services would have been vulnerable as well.

Most of this is true. However I'm not defending apple.

Brute force is a known technique; that Apple haven't put any security measures against it is obviously wrong.

I said it was impossible to stop brute force. You even agree with me. You are only slowing it down, which in itself is very important.


There seems to be a huge misconception on how the accounts were hacked.

A new report says that the hacker was at public events like the Emmys where most people are connected to the open Wi-Fi network. Moreover, the hacker was using government-grade software for hacking and the oldest picture was dated all the way back in 2011.

No one is still sure how the hacking was done. Apple confirmed that iCloud wasn't breached and it was targeted attacks. However, that doesn't mean typing an 8-character password a billion times to access someone's account. As the report says, there's a strong possibility that it might be open Wi-Fi networks.


I agree with Ricky Gervais on this part. If you don't want people to find out private things about you, DON'T PLACE THEM ON THE INTERNET. Put it on an external HDD, that you keep somewhere under your bed or something. Don't put it on iCloud or whatever.

If you think it's completely Apple's fault...

If you want something to remain private, don't trust a freaking online service. I thought that was pretty obvious.

Then there is a security hole in everything.

Yes, but as the definition says, some are deemed acceptable because they are so complex and/or can't do much harm.

"There is a security hole in everything" is not an argument for why you shouldn't have basic security on your system.

An example of an acceptable vulnerability would have been Google's use of 1024-bit RSA on their HTTPS connections. Attacks were possible, but pretty unrealistic. As computers became more and more powerful they thought that the risk was now too great and changed to 2048-bit RSA.

Not having any protection against a brute force attack is not acceptable.

1) Fail by Apple, that is correct.

2) As previously mentioned. You do NOT put a lock on the account. It creates other vulnerabilities.

3) Fail by Apple again.

Most of this is true. However I'm not defending apple.

Brute force is a known technique; that Apple haven't put any security measures against it is obviously wrong.

So what you're saying is that you have agreed with me all this time? Then why are we even arguing?

I think it is possible to implement account lock without introducing other vulnerabilities, such as temporary two step verification. Anyway we agree that Apple were stupid for at least not having 1 and 3 implemented, right?

Let's leave it at that.

I said it was impossible to stop brute force. You even agree with me. You are only slowing it down, which in itself is very important.

Eh... Yes? Of course it's impossible to make something 100% immune to brute force attacks. What you should aim for is to make it hard enough it's not even worth bothering.

There seems to be a huge misconception on how the accounts were hacked.

A new report says that the hacker was at public events like the Emmys where most people are connected to the open Wi-Fi network. Moreover, the hacker was using government-grade software for hacking and the oldest picture was dated all the way back in 2011.

No one is still sure how the hacking was done. Apple confirmed that iCloud wasn't breached and it was targeted attacks. However, that doesn't mean typing an 8-character password a billion times to access someone's account. As the report says, there's a strong possibility that it might be open Wi-Fi networks.

I don't believe that news report. The reason why I don't believe they were attacked on an open public WiFi is because things like your email login details will be encrypted. If there is a vulnerability in the iPhone which lets you break that encryption then the consequences are even bigger than what I thought. That exploit could be used to gain access to bank accounts and pretty much any other online account as well.

"Government grade software for hacking"? Part of the script is uploaded on github and it was just a simple brute force program. It's not really anything special.

If you ask me, it was probably a mix of many different sources. Some photos came from the iCloud vulnerability, some came from old exploits in other services and so on. I've heard some rumors that would support that theory.


So what you're saying is that you have agreed with me all this time? Then why are we even arguing?

I think it is possible to implement account lock without introducing other vulnerabilities, such as temporary two step verification. Anyway we agree that Apple were stupid for at least not having 1 and 3 implemented, right?

Let's leave it at that.

I have never said it was acceptable that apple didn't implement these security features. If you want a 2 step verification, you implement it on each attempt. So when you try to log in, it will require another verification.

Apple should have implemented step 1 and step 3 from the beginning.

Eh... Yes? Of course it's impossible to make something 100% immune to brute force attacks. What you should aim for is to make it hard enough it's not even worth bothering.

True

Fixed it for ya :rolleyes:

Not really. I couldn't give a shit if someone hacks Steam Cloud and sees that I, OH THE INDIGNITY OF IT, invert my y-axis.


I would rather use mega, than icloud. Also never store any sensitive information in the cloud!

Apple DOES NOT have its own iCloud servers. The entire service is run off Amazon Web Services & Microsoft Azure, so if anything we should be pointing our fingers at them, since other reports state that the hacks were done using the OpenSSL security exploits that are STILL yet to be fixed.

Apple DOES NOT have its own iCloud servers. The entire service is run off Amazon Web Services & Microsoft Azure, so if anything we should be pointing our fingers at them, since other reports state that the hacks were done using the OpenSSL security exploits that are STILL yet to be fixed.

Suddenly, the hackers used tons of different methods ranging from brute force to an SSL exploit.

I have yet to see any real proof of any of those; it is still rumours.


Apple DOES NOT have its own iCloud servers. The entire service is run off Amazon Web Services & Microsoft Azure, so if anything we should be pointing our fingers at them, since other reports state that the hacks were done using the OpenSSL security exploits that are STILL yet to be fixed.

Bull, fucking, shit.

iCloud might run on Amazon hardware, but the software is still 100% Apple's.

On top of that, Amazon has patched Heartbleed and Azure uses Microsoft's open implementation of SSL, not OpenSSL, so they were never affected to begin with.

Don't blame the hardware suppliers for software issues.

It's possible that some of the photos were gathered back when HeartBleed was an issue, but Apple still didn't have any protection against brute force attacks up until a few days ago. Again, don't try to defend Apple when they royally messed up.

They may not be to blame for all photos, but they still screwed up.


Well, I wouldn't really consider that "data" as it concerns this topic.

Of course it's data. And if your definition of "data" is "sensitive data", what exactly have you added to my original comment?


Bull, fucking, shit.

iCloud might run on Amazon hardware, but the software is still 100% Apple's.

On top of that, Amazon has patched Heartbleed and Azure uses Microsoft's open implementation of SSL, not OpenSSL, so they were never affected to begin with.

Don't blame the hardware suppliers for software issues.

It's possible that some of the photos were gathered back when HeartBleed was an issue, but Apple still didn't have any protection against brute force attacks up until a few days ago. Again, don't try to defend Apple when they royally messed up.

They may not be to blame for all photos, but they still screwed up.

Yeah, I suppose so, and I'm not some fanboy or anything. I was just trying to point out that we shouldn't be blaming them for everything.

My definition of "data" in this case is anything you've uploaded. Not shit you've purchased. Of course I agree that your Steam shit is data as well, but it's not like your preferred y-axis setting can be used to blackmail you or whatever.

Precisely, it's not sensitive. I have no issue with cloud services for non-sensitive data, it's very convenient for stuff I don't care about getting stolen.


Update 2

Apple CEO Tim Cook has finally taken the iCloud leaked photos situation into his own hands. Cook today sat down with The Wall Street Journal for an interview regarding the breach, and the Apple executive shared details on key security improvements coming soon to iCloud. Cook first addressed what happened:

In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities’ iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords. He said none of the Apple IDs and passwords leaked from the company’s servers… “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” he said. “I think we have a responsibility to ratchet that up. That’s not really an engineering thing.”

He then described which improvements are coming:

  • “Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.” “Apple said it plans to start sending the notifications in two weeks. It said the new system will allow users to take action immediately, including changing the password to retake control of the account, or alerting Apple’s security team.”
  • “As part of the next version of its iOS mobile-operating system, due out later this month, [two-factor authentication] will also cover access to iCloud accounts from a mobile device. Apple said a majority of users don’t use two-factor authentication, so it plans to more aggressively encourage people to turn it on in the new version of iOS.”

Cook’s interview and announcement of new security features is a stark contrast from the Apple statement earlier this week that effectively just denies any responsibility and pushes blame onto a “common” occurrence on the internet. As a major company, Apple has the responsibility to take care of its customers (even celebrities) and innovate in the security space. Even with his big event coming up next week, Cook has realized this and has begun executing an actual roadmap of improvements.

This kind of dedication, which is lacking in all other companies, is one of the strong points of Apple.

This kind of dedication, which is lacking in all other companies, is one of the strong points of Apple.

Ehh... What? Their competitors have had those kinds of things for ages.

Don't praise them for just now catching up with other services.


Update 2:

Still no mention about brute force attack vulnerability. Fuck him along with that company, spamming news outlets with irrelevant information so not savvy people go "woow they responded quickly". Nope.


Ehh... What? Their competitors have had those kinds of things for ages.

Don't praise them for just now catching up with other services.

Umm, no. I don't care if they're first or last. I care about who does the best. Google doesn't have those features, nor does MS. Facebook has it though.

It still is the celebrities' fault and not Apple's. They could have just easily enabled two-factor authentication or disabled iCloud services. But even after everything, they took up the responsibility and are enhancing their security still. It just doesn't happen with others, especially with Android and Google where most data are always being tracked.


Update 2:

Still no mention about brute force attack vulnerability. Fuck him along with that company, spamming news outlets with irrelevant information so not savvy people go "woow they responded quickly". Nope.

Brute force security measures create more problems than they solve (at least the way others are doing it, by blocking the account for a certain period). With Touch ID, there is very little need to actually remember the passwords and it is one of those things that can easily slip your mind. It's not practical to try a billion passwords after it's compulsory to have 8 characters with one digit and one cap, so rushing through dictionary words won't get you anywhere. You must be stupid if you can't realize that.


Brute force security measures create more problems than they solve (at least the way others are doing it, by blocking the account for a certain period). With Touch ID, there is very little need to actually remember the passwords and it is one of those things that can easily slip your mind. It's not practical to try a billion passwords after it's compulsory to have 8 characters with one digit and one cap, so rushing through dictionary words won't get you anywhere. You must be stupid if you can't realize that.

It solves the problem of brute force attacks. But the solution is to inform the victim of what's happening, in an informative way (i.e. email/text with "you had XX login attempts from source Y, if it wasn't you contact Z").

Do you think people try brute forcing their way through by hand? Ever heard of a bot? Look for ZIP crackers.

Passwords that require more than a certain length are plain stupid. It's the length of the password that's harder to crack, not its complexity. |_3\/\/@P is still easier to brute force than MyNickIsLewapAndThisIsMyPassword.

https://howsecureismypassword.net/ check both.

Also, with Touch ID it may be ok to forget Apple related passwords, because of the system around it, but how do you map passwords to 3rd party logons with it? Bank accounts, utilities websites, even my personal email would never land on a list of "TouchID'able" logins.
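The two defensive ideas argued over in this thread, slowing guesses and requiring temporary two-step verification instead of a hard account lock (which would let an attacker lock the owner out), plus an owner alert of the "you had XX login attempts from source Y" kind, as an added Python example that is not from the thread or from Apple; the thresholds, window and message text are assumptions:

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Throttles password guessing per account without ever locking it.

    Failures add a growing delay, then force a second factor even for a
    correct password, and notify the owner. All thresholds are assumed
    values for this example, not any real service's settings.
    """

    def __init__(self, window=900, step_up_after=5, alert_after=10, max_delay=60):
        self.window = window                  # seconds over which failures count
        self.step_up_after = step_up_after    # failures before 2nd factor is required
        self.alert_after = alert_after        # failures that trigger an owner alert
        self.max_delay = max_delay            # cap on the backoff delay (seconds)
        self.failures = defaultdict(deque)    # account -> (timestamp, source)
        self.alerts = []                      # messages that would be sent to owners

    def _recent(self, account, now):
        """Drop failures older than the window and return the live queue."""
        q = self.failures[account]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return q

    def attempt(self, account, password_ok, source, now=None):
        """Return (verdict, delay_seconds); verdict is 'allow', 'second_factor' or 'deny'."""
        now = time.time() if now is None else now
        recent = self._recent(account, now)
        n = len(recent)
        # First three failures are free; after that the delay doubles, capped.
        delay = 0 if n < 3 else min(2 ** (n - 3), self.max_delay)
        if not password_ok:
            recent.append((now, source))
            if len(recent) == self.alert_after:      # alert once per burst
                sources = sorted({s for _, s in recent})
                self.alerts.append(
                    f"{account}: {len(recent)} failed logins from {', '.join(sources)} "
                    f"in the last {self.window // 60} min. If this wasn't you, "
                    f"change your password and contact support.")
            return "deny", delay
        # Correct password: the owner is never locked out, but after enough
        # failures a temporary second factor is required before access.
        if n >= self.step_up_after:
            return "second_factor", delay
        recent.clear()                               # clean login resets the counter
        return "allow", 0

    def second_factor_passed(self, account):
        """Called once the owner completes the temporary second step."""
        self.failures[account].clear()
```

Counting per account rather than per source is deliberate: a bot spread across many addresses still trips the step-up, while the owner with the right password is only asked for a second factor, never denied.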
