[Updated]: Apple denies iCloud breach, says ‘very targeted attack’ hit certain celebrities and Tim Cook Responds

[Swndlr]

other than the fact that some pics were released (im not saying that im not happy about those pics, giggity) it happens to a shit ton of companies so i dont see whats so out of the ordinary

[Builder]

other than the fact that some pics were released (im not saying that im not happy about those pics, giggity) it happens to a shit ton of companies so i dont see whats so out of the ordinary

It's Apple, so therefore Apple sucks at security and doesn't know what they're doing. What?

[Builder]

Edit: and honestly, I don't give a damn about the photos. I don't care about real life porn nor do I care about celebrities. What I do care about is Apple having sloppy security, and people who push responsibility onto other people.

It seems like people don't want to take responsibility for anything these days. Raising my kids? The school should do that. Making healthy life style decisions? The government should do that for me. Making sure my nude photos are safe? Apple should do that.

You care because it's Apple, really. Besides which, you cherry pick the brute force example and ignore the fact that the accounts were actually hacked through social engineering and phishing, both of which are extremely difficult if not impossible to protect against in information security.

 

If you don't want people to call you a nerd butthole, maybe you should stop posting stupid shit on the internet.

[LAwLz]

You care because it's Apple, really. Besides which, you cherry pick the brute force example and ignore the fact that the accounts were actually hacked through social engineering and phishing, both of which are extremely difficult if not impossible to protect against in information security.

 

If you don't want people to call you a nerd butthole, maybe you should stop posting stupid shit on the internet.

No I care about sloppy security in general, not just if it's Apple.

I didn't cherry pick anything. The reason why I keep going on about the lack of brute force protection is because that's a very big deal and really easy to protect against.

I don't give Apple crap for not protecting against social engineering because you can't protect against it. I give them crap because they didn't have any protection against brute force, one of the most common attacks ever, and really easy to stop.

A bunch of accounts being compromised through social engineering doesn't make the lack of brute force protection any less relevant.

 

If people in the US died from drinking tap water you wouldn't go "you just want to hate on tap water. People in Africa die from starvation too you know".

Your comment about social engineering is nothing but a red herring.

 

Some accounts were compromised through social engineering, some were from brute force attacks, some were possibly from old exploits that have been patched (Heartbleed perhaps).

Not all photos were collected in a single attack. A lot of the photos were not even from iCloud.

[Builder]

A bunch of accounts being compromised through social engineering doesn't make the lack of brute force protection any less relevant.

No, but this is about the iCloud breach, which was social engineering. While still appalling, the lack of brute force protection is irrelevant to this thread.

[mr moose]

I don't think it's fair to compare common sense to a lecture in physics.

I can even sum it up in a simple sentence: "Don't upload nudes photos of yourself the Internet if you don't want everyone to be able to see them".

I really think that this should be common sense. We have seen this happen over and over and over again. How many times does it have to happen and get reported on before people learn?

Sooner or later, the absolute basics of things we use every day should become common sense. I would put "don't upload naked pictures of yourself online" on the same level as "you have to refuel your car after driving it". Knowing how to refuel a car might not have been common sense before cars became widespread, but once they did you were expected to know how to refuel. I don't see why we give people so much slack for not knowing the basics of computers. If you're going to use something, especially if you rely on it so very much, then at least learn the absolute basics.

If that makes me a "nerd butthole" in your eyes (hi Linus) then too bad for me. I won't stop giving advice to people who desperately need it just because they don't want to learn what's best for them.

Don't want to put yourself in a situation where your nude photos might become public? Then don't upload them to the Internet to begin with.

Edit: and honestly, I don't give a damn about the photos. I don't care about real life porn nor do I care about celebrities. What I do care about is Apple having sloppy security, and people who push responsibility onto other people.

It seems like people don't want to take responsibility for anything these days. Raising my kids? The school should do that. Making healthy life style decisions? The government should do that for me. Making sure my nude photos are safe? Apple should do that.

 

I still think you're seeing from the perspective of someone who understands technology and security, there are many people who don't even know how a web browser works let alone how encryption works.  It's not against common sense if the person is led to the belief that the cloud service they are using is as private and secure as a box of photos in a safe.  

 

EDIT: actually I think on the grander scale of things that common sense should be moot anyway, if a company says they can provide something, then they should have to provide it regardless of how infeasible. 

[LAwLz]

No, but this is about the iCloud breach, which was social engineering. While still appalling, the lack of brute force protection is irrelevant to this thread.

I think it is relevant because it seems like the collection was gathered over the course of a long time (several years) and using multiple exploits (the lack of brute force protection was one of them).

If someone gains unauthorized access through a brute force attack then it is a security breach. It's not as serious as for example gaining access to the entire database (which is probably what Apple are denying, and rightfully so) but it's still a security breach.

Again, this is just a red herring both from you and from Apple.

 

 

EDIT: actually I think on the grander scale of things that common sense should be moot anyway, if a company says they can provide something, then they should have to provide it regardless of how infeasible. 

Well I looked through Apple's website and I didn't see anything about iCloud being secure. So they either never claimed it to be secure, or they removed that claim.

Like I said in the other threat, I think the blame for this is split like this:

10% - Celebrities

30% - Apple

60% - People distributing the images.

 

The celebrities messed up by not taking care of their things and lacking basic knowledge about things they rely on every single day. I am not interested in cars, at all, but I still know the basics of how they work and how to do things like refuel them.

Apple messed up by leaving a big security hole open, and also failed by not providing other types of protection their competitors do (like what Microsoft does).

The people distributing the images is pretty self explanatory.

[MrSuperb]

 

 

 

But... They do have those features.

In fact, I tried it today. I deliberately attacked my own hotmail account. A few minutes later I got an email on my gmail account saying my hotmail account had been locked.

Untitled.png

When I pressed the blue button I had to request a one-time code be sent to my phone or gmail. When I changed IP again I still got the blocked message, so I assume it just defaults to "block any IP that we are unsure about", unless you verify that it's really you with the one-time code.

....

blablabla.

 

You know that iCloud/Apple has does security features as well. You also get an email when you login from a new device. Thing is that one part, that apparantly is also connected to the iCloud account , the "Find my iPhone" function had this vulnerabilty to brute force attacks. I'd bet, that you can't completly exclude, that there are no such vulnerabitlies with any Microsoft or Google services.

 

It is not like you go to an Apple homepage and enter some random passwords, but they evidently used special tools to get acess.

[mr moose]

I think it is relevant because it seems like the collection was gathered over the course of a long time (several years) and using multiple exploits (the lack of brute force protection was one of them).

If someone gains unauthorized access through a brute force attack then it is a security breach. It's not as serious as for example gaining access to the entire database (which is probably what Apple are denying, and rightfully so) but it's still a security breach.

Again, this is just a red herring both from you and from Apple.

 

 

Well I looked through Apple's website and I didn't see anything about iCloud being secure. So they either never claimed it to be secure, or they removed that claim.

Like I said in the other threat, I think the blame for this is split like this:

10% - Celebrities

30% - Apple

60% - People distributing the images.

 

The celebrities messed up by not taking care of their things and lacking basic knowledge about things they rely on every single day. I am not interested in cars, at all, but I still know the basics of how they work and how to do things like refuel them.

Apple messed up by leaving a big security hole open, and also failed by not providing other types of protection their competitors do (like what Microsoft does).

The people distributing the images is pretty self explanatory.

 

Yeah I thought about that as I was typing,  They aren't (or at least certainly not right now) going to make mention of specifically being secure.  That would be playing with fire.  I base my appraisal on the fact that one of the most common reasons people give me for choosing apple products over android/windows etc, is security and safety,  you know the usual, it is much safer than windows, or the,  IOS is more secure than android rhetoric we hear.   We as enthusiast know that that is all the result of marketing, Even some enthusiasts say OSX/ios is more secure than android/windows due to it being locked down.  This belief of security extends to all products because that is how the generic consumer mind works.

[LAwLz]

blablabla.

 

You know that iCloud/Apple has does security features as well. You also get an email when you login from a new device. Thing is that one part, that apparantly is also connected to the iCloud account , the "Find my iPhone" function had this vulnerabilty to brute force attacks. I'd bet, that you can't completly exclude, that there are no such vulnerabitlies with any Microsoft or Google services.

 

It is not like you go to an Apple homepage and enter some random passwords, but they evidently used special tools to get acess.

But that's the thing... The script really just continuously tried passwords over and over against the regular login server. They didn't use "special tools", it was just a brute force script.

As far as we know, Microsoft and Google don't have any similar weaknesses. This really just was a rookie mistake from Apple. They forgot to implement proper protection on one of their services. Stop defending them when they clearly fucked up. Just say "yeah forgetting to implement proper protection on a login service is a big mistake" and this conversation will end.

For some reason people don't want to admit that Apple sometimes messed us, and instead tries to point fingers or come up with poor excuses. Just stop. Apple don't need your defense, nor do they deserve it when they are clearly guilty.

 

 

 

Yeah I thought about that as I was typing,  They aren't (or at least certainly not right now) going to make mention of specifically being secure.  That would be playing with fire.  I base my appraisal on the fact that one of the most common reasons people give me for choosing apple products over android/windows etc, is security and safety,  you know the usual, it is much safer than windows, or the,  IOS is more secure than android rhetoric we hear.   We as enthusiast know that that is all the result of marketing, Even some enthusiasts say OSX/ios is more secure than android/windows due to it being locked down.  This belief of security extends to all products because that is how the generic consumer mind works.

Yes there is a bit misconception about Apple products being secure and I have been trying my hardest to inform people for years now. It's a bit like throwing a bottle of fresh water into a sea of piss.

I think people are responsible for validating sources for themselves though, especially if what the info they heard will affect a very important decision. I mean, you don't start driving recklessly just because you heard one of your friend say the model of your car is so safe you can survive any kind of accident in it, right?

You research if the claim is true and even if it turns out to be true you still should be careful. "It's from Apple!" isn't an excuse to shut your brain off.

[RedRound2]

But that's the thing... The script really just continuously tried passwords over and over against the regular login server. They didn't use "special tools", it was just a brute force script.

 

How do you know that?

 

The report clearly says that the passwords were obtained from phishing scams and predictable answer to security question. The accounts weren't compromised by of trying a billion passwords. If it ever was brute force attacking then we would all have seen high profile actresses like angelina jolie, scarlett johansson, megan fox, cameron diaz and much more swirling around the internet. Common sense I must say

 

You're talking as if you know what truly happened. 

 

And iOS and OS X is much more secure than android/windows. Android is open hence is pretty much bad at security and we reached a point where people don't care. Apple's security flaws will always be in the news because they can easily fix and can promote their OS for actually being secure whereas in android only 2% owners will even get the patch. Desktop OS on the other hand is pretty self-explanatory

[MrSuperb]

But that's the thing... The script really just continuously tried passwords over and over against the regular login server. They didn't use "special tools", it was just a brute force script.

 

It wasn't the "regular login server" as with all other services the account gets locked after several attempts, but rather only the "Find my iPhone" login which by now has been patched.

Also it never has been confirmed that passwords actual have been bruteforced ...

[Builder]

I think it is relevant because it seems like the collection was gathered over the course of a long time (several years) and using multiple exploits (the lack of brute force protection was one of them).

If someone gains unauthorized access through a brute force attack then it is a security breach. It's not as serious as for example gaining access to the entire database (which is probably what Apple are denying, and rightfully so) but it's still a security breach.

Again, this is just a red herring both from you and from Apple.

It's really not a red herring, and it wasn't recovered during a long stretch of time either. You're very quick to point the finger in these kinds of attacks, which is not necessarily a bad thing, it just requires a little more substantiation than you provide. Nobody denies that the brute force was a problem, however what we do deny is that they were accessed by brute force. 

 

I suggest you read this: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

 

It will give you more facts on the subject from an expert. He notes other bugs in their system, however he maintains that brute forcing the accounts WAS NOT HOW THEY WERE ACCESSED!

[LAwLz]

How do you know that?

Because we have the script they used (was uploaded 1 day before the leaks), we have photos of the attack in action and we have reports on Apple patching it.

Source: ZDnet (among others)

Apple also seems to have been very careful with not mentioning brute force attacks.

Even if that's not 100% definite proof that photos were stolen through this particular exploit it's still a security hole that Apple had, and could have been used to collect photos.

 

 

The report clearly says that the passwords were obtained from phishing scams and predictable answer to security question. The accounts weren't compromised by of trying a billion passwords. If it ever was brute force attacking then we would all have seen high profile actresses like angelina jolie, scarlett johansson, megan fox, cameron diaz and much more swirling around the internet. Common sense I must say

Maybe those actresses didn't have their nude photos uploaded to iCloud? Maybe the exploit was patched before the attacker tried them? Maybe their passwords were strong enough to withstand the brute force attack so the attacker moved on to another target?

There are many many logical reasons why some celebrities were compromised and others weren't.

 

 

And iOS and OS X is much more secure than android/windows. Android is open hence is pretty much bad at security and we reached a point where people don't care. Apple's security flaws will always be in the news because they can easily fix and can promote their OS for actually being secure whereas in android only 2% owners will even get the patch. Desktop OS on the other hand is pretty self-explanatory

No they aren't... Open does not mean that it is bad at security. That statement alone should disqualify you from speaking about computer security because it's so blatantly obvious that you have no idea what you're talking about.

You know all the crypto algorithms Apple rely on? AES, SHA, MD5 etc... You know those? All of them are open source.

Android by itself it pretty damn good when it comes to security by the way.

Lots of Trojans != bad security

Rootable != bad security

Open source != bad security

 

 

 

It's really not a red herring, and it wasn't recovered during a long stretch of time either. You're very quick to point the finger in these kinds of attacks, which is not necessarily a bad thing, it just requires a little more substantiation than you provide. Nobody denies that the brute force was a problem, however what we do deny is that they were accessed by brute force. 

 

I suggest you read this: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

 

It will give you more facts on the subject from an expert. He notes other bugs in their system, however he maintains that brute forcing the accounts WAS NOT HOW THEY WERE ACCESSED!

Actually, a lot of people in this thread have argued with me that the brute force vulnerability was acceptable because "implementation protection against brute force attacks does more harm than good".

Okay, let's say that the photos were not accessed by brute force attacks. Even if they weren't, that's still a huge security risk and doesn't invalidate any of my criticism against Apple in this thread.

Besides, that post pretty much says the same things I've been saying in this thread. That the collection of photos were gathered from different sites over a long period of time, using different techniques to get them.

If anything, that post has made me even more mad at Apple for their sloppy security.

[Builder]

Actually, a lot of people in this thread have argued with me that the brute force vulnerability was acceptable because "implementation protection against brute force attacks does more harm than good". Well that's just bullshit. I don't agree with those people.

Okay, let's say that the photos were not accessed by brute force attacks. Even if they weren't, that's still a huge security risk and doesn't invalidate any of my criticism against Apple in this thread. No, not really. However you're one calling people out over red herrings.

Besides, that post pretty much says the same things I've been saying in this thread. That the collection of photos were gathered from different sites over a long period of time, using different techniques to get them. It doesn't say that. It says that there's an underground community devoted to this kind of thing and the attacks were mostly social engineering.

If anything, that post has made me even more mad at Apple for their sloppy security. ​Don't get me wrong. I'm mad at Apple too. But they've promised to change, and I suggest we give them a chance is all. They need to be more open about security, period. That's not up for debate and I agree with you on it.

[LAwLz]

Okay, let's say that the photos were not accessed by brute force attacks. Even if they weren't, that's still a huge security risk and doesn't invalidate any of my criticism against Apple in this thread. No, not really. However you're one calling people out over red herrings.

Yes I think it's a red herring because it draws attention away from the security issues Apple has and should fix.

You don't ignore security issue Y just because security issue Z was exploited this time around. You should focus on both.

 

 

Besides, that post pretty much says the same things I've been saying in this thread. That the collection of photos were gathered from different sites over a long period of time, using different techniques to get them. It doesn't say that. It says that there's an underground community devoted to this kind of thing and the attacks were mostly social engineering.

Yes it does.

 

[...]the suggestion is that the list of celebrities was the internal list of one of the trading networks. Timestamps, forum posts and other data suggests that the collection was built up over a long period of time.

 

To reiterate what the main bugs are that are being exploited here, roughly in order of popularity / effectiveness:

1. Password reset (secret questions / answers)
2. Phishing email
3. Password recovery (email account hacked)
4. Social engineering / RAT install / authentication keys

The last quote is just about iCloud, not what methods they might have used on other services.

So no, not even your own source agrees with you that most of them were through social engineering (although I would argue that phishing email is social engineering).

Since it was known that iCloud was vulnerable to brute force it's really hard to believe that nobody even used it. Just running a brute force script is far easier than compromising someone's email and then request a new password.

[RedRound2]

Because we have the script they used (was uploaded 1 day before the leaks), we have photos of the attack in action and we have reports on Apple patching it.

Source: ZDnet (among others)

Apple also seems to have been very careful with not mentioning brute force attacks.

Even if that's not 100% definite proof that photos were stolen through this particular exploit it's still a security hole that Apple had, and could have been used to collect photos. 

 

Any programmer can make the script. They did clearly mention that it wasn't brute force attack. I don't think they would be lying head on.

 

 

Maybe those actresses didn't have their nude photos uploaded to iCloud? Maybe the exploit was patched before the attacker tried them? Maybe their passwords were strong enough to withstand the brute force attack so the attacker moved on to another target?

There are many many logical reasons why some celebrities were compromised and others weren't.

 

Strong passwords

 

 

No they aren't... Open does not mean that it is bad at security. That statement alone should disqualify you from speaking about computer security because it's so blatantly obvious that you have no idea what you're talking about.

You know all the crypto algorithms Apple rely on? AES, SHA, MD5 etc... You know those? All of them are open source.

Android by itself it pretty damn good when it comes to security by the way.

Lots of Trojans != bad security

Rootable != bad security

Open source != bad security

 

Yes you're right, I don't know much about security but I do know the fact that Android's senior vice president admitted the platform wasn't safe. My point about the updates still stands

 

 

Actually, a lot of people in this thread have argued with me that the brute force vulnerability was acceptable because "implementation protection against brute force attacks does more harm than good".

Okay, let's say that the photos were not accessed by brute force attacks. Even if they weren't, that's still a huge security risk and doesn't invalidate any of my criticism against Apple in this thread.

Besides, that post pretty much says the same things I've been saying in this thread. That the collection of photos were gathered from different sites over a long period of time, using different techniques to get them.

If anything, that post has made me even more mad at Apple for their sloppy security.

 

Using different techniques. Phishing scams and predictable answers were the main one of the main contributors.

 

I do understand that apple has a very minor responsibility but these things can happen to any other company. Nothing is hack proof and who knows someone might be hacking google or MS right now

 

PS: Don't bother responding because I wont be responding anymore

[Builder]

Yes I think it's a red herring because it draws attention away from the security issues Apple has and should fix. By association it's not a red herring, nor did I intend it to be.

You don't ignore security issue Y just because security issue Z was exploited this time around. You should focus on both. I never said it should be ignored, did I? Besides which it's fixed by now, which isn't to say they don't probably have other problems they need to fix.

Yes it does.

The last quote is just about iCloud, not what methods they might have used on other services.

So no, not even your own source agrees with you that most of them were through social engineering (although I would argue that phishing email is social engineering). Three of those five are social engineering. Security question answers are found using social media and popular information.

Since it was known that iCloud was vulnerable to brute force it's really hard to believe that nobody even used it. Just running a brute force script is far easier than compromising someone's email and then request a new password. I agree it's hard to believe. I'm not saying there's zero possibility it was used by anyone for any purpose, I'm saying it doesn't seem that it was used in this case.

[LAwLz]

So no, not even your own source agrees with you that most of them were through social engineering (although I would argue that phishing email is social engineering). Three of those five are social engineering. Security question answers are found using social media and popular information.

That's not social engineering.

Social engineering is when you trick a person into giving you info such as your password or and/or username. For example if you go into a bank claiming to be a security expert from the main office wanting to scan someone's computer for suspicious activities, that would be social engineering. You would gain unauthorized access through tricking a person.

Answering secret question is not social engineering.

[BallGum]

I still think you're seeing from the perspective of someone who understands technology and security, there are many people who don't even know how a web browser works let alone how encryption works.  It's not against common sense if the person is led to the belief that the cloud service they are using is as private and secure as a box of photos in a safe.  

 

EDIT: actually I think on the grander scale of things that common sense should be moot anyway, if a company says they can provide something, then they should have to provide it regardless of how infeasible. 

 

But that's even more worrying. Why tangle with things you don't understand at all?

 

 

It's Apple, so therefore Apple sucks at security and doesn't know what they're doing. What?

 

It's almost as though you want vitriol thrown at Apple. It's analogous to poking a bear repeatedly and expecting it to not hit back.

[mr moose]

But that's even more worrying. Why tangle with things you don't understand at all?

 

 

 

It's almost as though you want vitriol thrown at Apple. It's analogous to poking a bear repeatedly and expecting it to not hit back.

 

People don't understand how a cars works, or the physics behind a car crashes, but they still drive and most people don't even consider the dangers.  Just to continue the analogy, how many people buy bigger cars like 4x4 and SUVs thinking they are safer?  In Australia there was a survey carried out by the Government road insurance agency and they discovered that most people in the city who bough a 4x4 thought they where safer on the road.   Which of course is not entirely true and the concept they are was the result of marketing.

 

Saying this, I think it pertains to all manner of products and services.  Not just IT and cloud storage. 

 

 

Yes there is a bit misconception about Apple products being secure and I have been trying my hardest to inform people for years now. It's a bit like throwing a bottle of fresh water into a sea of piss.

I think people are responsible for validating sources for themselves though, especially if what the info they heard will affect a very important decision. I mean, you don't start driving recklessly just because you heard one of your friend say the model of your car is so safe you can survive any kind of accident in it, right?

You research if the claim is true and even if it turns out to be true you still should be careful. "It's from Apple!" isn't an excuse to shut your brain off.

 

See car analogy above, yes people buy cars thinking they are safer and don't give any further thought to it. That is human nature, unfortunately for those who are not savvy with technology they are at the mercy of marketing and word of mouth for their understanding of how it works.  You, I and most people on this forum have a real advantage when it comes to things like this, we know from past experience, first hand experience, reading many articles relating to it, following the snowden and NSA issues along with many discussions on forums.  Consider if you can fool your parents or friends because you have a superior understanding of IT, then so can marketers.

[Linux User]

If you a thing as stupid as uploading nude pictures/videos of yourself to the internet, especially when you're a celebrity or someone in an important position, you should probably be quite aware that someone will be able to get them.

I have absolutely no sympathy towards any of them, nor would i have if it was someone i knew/close to me.

It's not the same as getting sensitive personal information like your SSN, CCN, Bank Number, Address or whatever else stolen, those are required to perform various actions both on and offline, if you upload nude pictures somewhere then cry about it, then you're just a moron.

I totally agree. Why would anyone take nude photos in the first place?

[OlekKing]

I totally agree. Why would anyone take nude photos in the first place?

I can understand that, just don't upload them to the internet and make sure they can't be easily extracted from where you're storing them.

I mean they literally gave away their intimacy to some company.

[Builder]

That's not social engineering.

Social engineering is when you trick a person into giving you info such as your password or and/or username. For example if you go into a bank claiming to be a security expert from the main office wanting to scan someone's computer for suspicious activities, that would be social engineering. You would gain unauthorized access through tricking a person.

Answering secret question is not social engineering.

I understand what social engineering is. I consider what they did to be very similar because the celebrities might as well have given that information up unwillingly. They don't have much of a choice in maintaining their privacy

 

It's almost as though you want vitriol thrown at Apple. It's analogous to poking a bear repeatedly and expecting it to not hit back.

That's quite a concession to make, comparing yourself to a bear.

 

Loud, angry, shits on everything, eats other peoples' food...the list goes on.