
"No iCloud breach" according to Apple. Targeted attack.

Status
Not open for further replies.
This is why the "security question" system is really stupid. EA forced me to set a bunch of security questions before letting me change my password on Origin. I THINK I chose good enough questions, but some of the questions could easily be brute forced (what is your car model?).

choose answers that don't make sense.
 
Way too slow to do thousands of queries (dictionary attack) against security questions with double digit ms latency???

Huh?

Dictionary attacks are not the same as brute forcing, the latter of which is far too slow seeing as they in the best-case scenario only get about 25 guesses per second.
 
The thing is... is it better or worse for Apple PR that there was no "breach" of the iCloud system?

Regardless of the method the hackers used to obtain the information, the fact remains: dozens of celebrities had their private photos stolen from their accounts. They had no idea it had happened.

So what does it say about the security of iCloud for the average user when it's revealed that this WASN'T the result of a security hole in their system (which was then patched and corrected, meaning it would be harder for hackers today to get that same information), but rather the result of their security operating exactly as it was meant to? As in, not very well for these celebrities? Basically, nothing's preventing someone from continuing to gain access to people's private accounts, using the exact same techniques.

I mean, I guess Apple gets to shift the "blame" (or responsibility) to the individual users for not having secure-enough passwords or security questions (under the system Apple set up), but I don't think this statement gets them out of hot water, because the takeaway seems to be that everyone's data - not just celebrities' - is vulnerable to targeted attacks / social engineering methods under their current security setup (unless they start requiring 2-step verification, etc.), and that's just not the way you want to reassure people about their data. "You'll be fine as long as hackers don't make educated guesses about your security questions and password, like they did for these celebrities. You won't know if they do, though."

EDIT: Valleywag / Gawker made a similar / related point, in less diplomatic fashion

iCloud Isn't Safe, Because Everyone's a Target and Apple Doesn't Care

This statement, which probably had several thousand pairs of lawyer eyeballs on it before it was sent to the press, is slippery. It hinges on very particular readings of words like "breach." Apple insists its iCloud service—which it touts as a seamless way of backing up your entire digital existence—was not "breached." This is maybe true in the sense that the celebrity nude traders didn't break or manipulate Apple code, but false and horribly misleading in the sense that they easily gamed Apple's system. And as Mat Honan will tell you, it's been that easy to get around for well over two years.

To fix this, Apple could have simply forced everyone to use two-factor verification for their accounts. It's easy, and would have probably prevented all of this. But Apple didn't do that (though you should still do it for yourself).

So, in the meantime, want to know how to get into someone's iCloud? It's this easy. Tell Apple you forgot that person's password, and then guess their security questions with readily available biographical information other Silicon Valley corporations have goaded us all into sharing.

Like basically, "Nope, no one broke into our system! Our default security is just shitty! Carry on!"
 
Here is something I read on the internet that I believe (sue me).

I went to /b/, something I rarely rarely do just to see if I could find anything else about this. I saw a post (that is surely gone now) about a secretive ring of celebrity nude traders. The only way you could get in is if you offered original nudes that no one else had, including the nude traders.

Apparently this ring operated for years, a certain small set of individuals individually targeting celebrity accounts through social exploits over time (password resets, etc). This ring hardly ever expanded as very few people could socially engineer and compromise an account.

However, apparently one guy in the ring made an announcement that he was going to post his stash of traded nudes. Not to be outdone, another guy did it first on 4chan (the original leaker). This means that these photos could be months or even years old if they were just collected over time through the nude trading ring.

This would also explain the existence of the nude photos that had ostensibly been deleted some time ago. One of the traders may have compromised the account some time ago, and held on to the photos (after they were deleted) and posted them once they all started coming out.

Personally I find this much more believable than a 1-day, massive strike.
 
Here is something I read on the internet that I believe (sue me).

I went to /b/, something I rarely rarely do just to see if I could find anything else about this. I saw a post (that is surely gone now) about a secretive ring of celebrity nude traders. The only way you could get in is if you offered original nudes that no one else had, including the nude traders.

Apparently this ring operated for years, a certain small set of individuals individually targeting celebrity accounts through social exploits over time (password resets, etc). This ring hardly ever expanded as very few people could socially engineer and compromise an account.

However, apparently one guy in the ring made an announcement that he was going to post his stash of traded nudes. Not to be outdone, another guy did it first on 4chan (the original leaker). This means that these photos could be months or even years old if they were just collected over time through the nude trading ring.

This would also explain the existence of the nude photos that had ostensibly been deleted some time ago. One of the traders may have compromised the account some time ago, and held on to the photos (after they were deleted) and posted them once they all started coming out.

Personally I find this much more believable than a 1-day, massive strike.

This makes a lot of sense and explains how this leak contains pictures of so many celebrities.
 
Here is something I read on the internet that I believe (sue me).

I went to /b/, something I rarely rarely do just to see if I could find anything else about this. I saw a post (that is surely gone now) about a secretive ring of celebrity nude traders. The only way you could get in is if you offered original nudes that no one else had, including the nude traders.

Apparently this ring operated for years, a certain small set of individuals individually targeting celebrity accounts through social exploits over time (password resets, etc). This ring hardly ever expanded as very few people could socially engineer and compromise an account.

However, apparently one guy in the ring made an announcement that he was going to post his stash of traded nudes. Not to be outdone, another guy did it first on 4chan (the original leaker). This means that these photos could be months or even years old if they were just collected over time through the nude trading ring.

This would also explain the existence of the nude photos that had ostensibly been deleted some time ago. One of the traders may have compromised the account some time ago, and held on to the photos (after they were deleted) and posted them once they all started coming out.

Personally I find this much more believable than a 1-day, massive strike.

Yep. if this isn't the case then I will be shocked.
 
Dictionary attacks are not the same as brute forcing, the latter of which is far too slow seeing as they in the best-case scenario only get about 25 guesses per second.
A dictionary attack is literally step 1 of a brute force attack. 25 guesses per second is 90,000 an hour. Per computer. That's plenty, considering most security question answers are dictionary/common words/phrases.

You're probably thinking of an offline brute force attack, where CPUs/GPUs crank away at a database with millions of guesses per second. But just because it's online and going much slower doesn't mean it's not brute force.

This was definitely a "targeted attack", though (in that the hackers picked a small number of accounts to go after), which is why it worked.

Here is something I read on the internet that I believe (sue me).

I went to /b/, something I rarely rarely do just to see if I could find anything else about this. I saw a post (that is surely gone now) about a secretive ring of celebrity nude traders. The only way you could get in is if you offered original nudes that no one else had, including the nude traders.

Apparently this ring operated for years, a certain small set of individuals individually targeting celebrity accounts through social exploits over time (password resets, etc). This ring hardly ever expanded as very few people could socially engineer and compromise an account.

However, apparently one guy in the ring made an announcement that he was going to post his stash of traded nudes. Not to be outdone, another guy did it first on 4chan (the original leaker). This means that these photos could be months or even years old if they were just collected over time through the nude trading ring.

This would also explain the existence of the nude photos that had ostensibly been deleted some time ago. One of the traders may have compromised the account some time ago, and held on to the photos (after they were deleted) and posted them once they all started coming out.

Personally I find this much more believable than a 1-day, massive strike.
Yeah, if it had been a 1-day effort, it would be 25% of iCloud users, not just a few celebrities. And Apple wouldn't be able to say it wasn't their fault.
 
This whole thing made me realize that every account I have has two-step authentication except for Amazon. They should get on that.
 
Of course, this had to blow up now. Not a month ago, not two months from now. Now. If someone wanted to start a shit storm before the announcement, they pretty much succeeded.
 
The thing is... is it better or worse for Apple PR that there was no "breach" of the iCloud system?

Regardless of the method the hackers used to obtain the information, the fact remains: dozens of celebrities had their private photos stolen from their accounts. They had no idea it had happened.

So what does it say about the security of iCloud for the average user when it's revealed that this WASN'T the result of a security hole in their system (which was then patched and corrected, meaning it would be harder for hackers today to get that same information), but rather the result of their security operating exactly as it was meant to? As in, not very well for these celebrities? Basically, nothing's preventing someone from continuing to gain access to people's private accounts, using the exact same techniques.

I mean, I guess Apple gets to shift the "blame" (or responsibility) to the individual users for not having secure-enough passwords or security questions (under the system Apple set up), but I don't think this statement gets them out of hot water, because the takeaway seems to be that everyone's data - not just celebrities' - is vulnerable to targeted attacks / social engineering methods under their current security setup (unless they start requiring 2-step verification, etc.), and that's just not the way you want to reassure people about their data. "You'll be fine as long as hackers don't make educated guesses about your security questions and password, like they did for these celebrities. You won't know if they do, though."

Well celebrities are high-profile targets and so much of their information is public knowledge due to the massive amount of interviews they do (plus all the daily tweeting and instagramming of their personal life). This innocent tweet from actress Julie Benz probably revealed the answer to one of her security questions (pet's name) for example. Most security questions/answers for celebs could be found in a two second Google search - we know when and where they were born, their mother's name, pet's name, basically everything.

The only way to make these typical security question/answers secure is by putting in random gibberish and storing that in a password manager. When a website asks me what is my mother's maiden name or whatever, I put in something like "eFsDGxW4TcjK=Mfj.u8cRT" which is randomly generated, impossible to guess, extremely difficult to brute force. Not everyone uses password managers though and they end up picking something easy to remember which is also usually easy for others to guess/research.

I do think Apple (and every other company) should send out an email with some basic security tips. Raise awareness of things like two-factor authentication and maybe even provide some incentives for people to secure their account with 2FA, like a free iTunes song credit or an extra gig of iCloud storage or something.
 
The thing is... is it better or worse for Apple PR that there was no "breach" of the iCloud system?

EDIT: Valleywag / Gawker made a similar / related point, in less diplomatic fashion

iCloud Isn't Safe, Because Everyone's a Target and Apple Doesn't Care



Like basically, "Nope, no one broke into our system! Our default security is just shitty! Carry on!"

Social engineering/searching social media for info works for a lot of different services. If the law enforcement stuff was used two step wouldn't matter anyway if someone has the username and password, which is far from exclusive to Apple. IIRC the procedures at Apple and Amazon that allowed the Honan stuff were changed.

And Gawker complaining about social engineering/social media/privacy sends the hypocrisy scale off the charts.
 
Is there a reason to believe this isn't a lie? Like, I don't think it would be illegal for Apple to put out a statement they know is false for a service that is free. No one would get fined or go to jail. Hell the CIA makes a hobby out of lying to congress on a regular basis. Why is this to be believed?
 
Well celebrities are high-profile targets and so much of their information is public knowledge due to the massive amount of interviews they do (plus all the daily tweeting and instagramming of their personal life). This innocent tweet from actress Julie Benz probably revealed the answer to one of her security questions (pet's name) for example. Most security questions/answers for celebs could be found in a two second Google search - we know when and where they were born, their mother's name, pet's name, basically everything.

The only way to make these typical security question/answers secure is by putting in random gibberish and storing that in a password manager. When a website asks me what is my mother's maiden name or whatever, I put in something like "eFsDGxW4TcjK=Mfj.u8cRT" which is randomly generated, impossible to guess, extremely difficult to brute force. Not everyone uses password managers though and they end up picking something easy to remember which is also usually easy for others to guess/research.

I do think Apple (and every other company) should send out an email with some basic security tips. Raise awareness of things like two-factor authentication and maybe even provide some incentives for people to secure their account with 2FA, like a free iTunes song credit or an extra gig of iCloud storage or something.

Yeah, but don't a lot of people in our lives - co-workers, classmates, Facebook acquaintances, etc. - have access to the basic answers to our security questions as well? People who want to break into our accounts aren't always going to be anonymous hackers half-way across the country.

And, you know, if companies are going to continue to use the security question method for password recovery, maybe they need to start coming up with better security questions that don't have easily guessable or publicly available information as responses. It doesn't seem like a whole lot of thought is put into them for most websites. "What's a question we can use? Ooh, first pet's name. Or, first car they owned. No one's EVER going to reveal that during something like Throwback Thursday on Facebook."

Not faulting Apple specifically here, but saying "our security's as good as any other online service - as in, not that great" doesn't inspire confidence going forward, and if anything this incident shows there needs to be improvement in user education, and maybe some tweaking to the existing regime.
 
Yeah, but don't a lot of people in our lives - co-workers, classmates, Facebook acquaintances, etc. - have access to the basic answers to our security questions as well? People who want to break into our accounts aren't always going to be anonymous hackers half-way across the country.

And, you know, if companies are going to continue to use the security question method for password recovery, maybe they need to start coming up with better security questions that don't have easily guessable or publicly available information as responses. It doesn't seem like a whole lot of thought is put into them for most websites. "What's a question we can use? Ooh, first pet's name. Or, first car they owned. No one's EVER going to reveal that during something like Throwback Thursday on Facebook."

Not faulting Apple specifically here, but saying "our security's as good as any other online service - as in, not that great" doesn't inspire confidence going forward, and if anything this incident shows there needs to be improvement in user education, and maybe some tweaking to the existing regime.

Yeah I feel like there should be a better system in place. Two or three very basic security question/answers just isn't cutting it and allows for accounts to easily be taken over through social engineering.

The one positive thing from all of these hacks is that it will hopefully get people to take their security more seriously. I was kinda lax when it came to passwords and stuff until Mat Honan from Wired was hacked and detailed what happened/provided tips to prevent it. Lots of major sites are publishing security tips so that's good.
 
Tough crowd. Is anyone watching Jon Stewart, is he making jokes?

All in good fun; I'd say the majority of the most famous modern comedy is stuff most people saw on cable. I'm just telling a joke, ironically bad in more ways than one lol. Just in the general spirit of giving Conan a little shit for touching the subject; albeit it's his job lol.
 
Just a heads-up: while two-step still isn't implemented across all of Apple's services for whatever reason, instating it DOES mean you can't reset a password via email or security question authentication anymore. Resetting a password when 2-step is enabled requires a trusted device and the account recovery key.
 
This is why the "security question" system is really stupid. EA forced me to set a bunch of security questions before letting me change my password on Origin. I THINK I chose good enough questions, but some of the questions could easily be brute forced (what is your car model?).

Pick fake answers. Use real answers but mix them up, so your first car is the name of your first school or whatever. Use deliberate misspellings. Use a password manager that lets you generate gibberish answers (First car? GU7!9jh4$). There are plenty of ways to protect security questions from guesses.
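The two posts above (the one about storing a randomly generated string such as "eFsDGxW4TcjK=Mfj.u8cRT" in a password manager, and this one about gibberish answers like "GU7!9jh4$") make the same point: an answer drawn from biography or a common-word list is guessable at the 25-guesses-per-second rate quoted earlier in the thread, while a random string is not. As an added example (my code, not anything from the thread or from Apple), the Python below generates such an answer, checks whether a candidate answer is a plain word-list entry, and compares how long an online guesser would need for each. The 5,000-entry word-list size and the tiny sample list are assumptions; the 25/s rate is the thread's figure.

```python
import math
import secrets
import string

# Guess rate quoted in the thread for an online attack against a web form.
GUESSES_PER_SECOND = 25

# Assumed size of a real "common pet names / first cars / schools" word list;
# the tiny set below is a constructed stand-in used only for the lookup check.
TYPICAL_WORDLIST_SIZE = 5_000
SAMPLE_WORDLIST = {"max", "bella", "charlie", "lucy", "buddy", "daisy", "fluffy"}

# Characters used for generated answers (letters, digits, a few symbols).
ANSWER_ALPHABET = string.ascii_letters + string.digits + "!$%=.-_"


def generate_random_answer(length: int = 22) -> str:
    """Produce a security-question answer with no biographical meaning,
    meant to be stored in a password manager rather than remembered."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def is_wordlist_answer(answer: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the answer is a plain word-list entry (case-insensitive)."""
    return answer.strip().lower() in wordlist


def guess_space_bits(space_size: int) -> float:
    """Entropy in bits when every candidate in the space is equally likely."""
    return math.log2(space_size)


def seconds_to_exhaust(space_size: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an online attacker to try every candidate."""
    return space_size / rate


def compare_answers(wordlist_size: int = TYPICAL_WORDLIST_SIZE, random_len: int = 22) -> dict:
    """Put a word-list answer and a random answer side by side."""
    random_space = len(ANSWER_ALPHABET) ** random_len
    return {
        "dictionary_bits": guess_space_bits(wordlist_size),
        "dictionary_seconds": seconds_to_exhaust(wordlist_size),
        "random_bits": guess_space_bits(random_space),
        "random_years": seconds_to_exhaust(random_space) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    print("'Fluffy' is a word-list answer:", is_wordlist_answer("Fluffy"))
    print("generated answer:", generate_random_answer())
    for key, value in compare_answers().items():
        print(f"{key}: {value:.3g}")
```

At 25 guesses per second a 5,000-word list is exhausted in 200 seconds, which is why the answer has to be something the attacker cannot enumerate; the 22-character random answer sits above 130 bits and is out of reach for any online guessing, which is the point both posters are making.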
 
Well this at least finally convinced me to finally enable 2 factor on a few accounts, even if this would not have stopped this hack in particular.

Of course it seems like a nightmare if I lose my phone / my phone dies.
 
Pick fake answers. Use real answers but mix them up, so your first car is the name of your first school or whatever. Use deliberate misspellings. Use a password manager that lets you generate gibberish answers (First car? GU7!9jh4$). There are plenty of ways to protect security questions from guesses.

this is friggin brilliant. wow. Thanks for this!
 
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html

So Apple acknowledged the nude leaks over the past few days saying that the accounts "were compromised by a very targeted attack on user names, passwords and security questions".

Sucks that this happened but if the 4chan stuff is true the guy behind this (or at least who had uploaded a huge chunk) has been identified.

Still wonder about that one star who insisted the pics were deleted. Of course the more likely answer there is that "deleted" wasn't what they actually did in that case.

She doesn't know that if you delete the pics from your local album they STILL reside in your photostream.....
 
There's a story on The Daily Mail (banned site, no link) Access Hollywood about Eva Longoria getting phone calls from Apple employees who accessed her private information.

I can't imagine it was too difficult to hack accounts with such upstanding citizens protecting your data.
 
There's a story on The Daily Mail (banned site, no link) about Eva Longoria getting phone calls from Apple employees who accessed her private information.

I can't imagine it was too difficult to hack accounts with such upstanding citizens protecting your data.

Can't imagine why you'd take the daily mail seriously a breath after acknowledging its status as a banned site.
 
So besides Amazon, I'm noticing that eBay doesn't have two-step. And even though Paypal has two-step, it can be breached through eBay. Is that old news that's been fixed?
 
Pick fake answers. Use real answers but mix them up, so your first car is the name of your first school or whatever. Use deliberate misspellings. Use a password manager that lets you generate gibberish answers (First car? GU7!9jh4$). There are plenty of ways to protect security questions from guesses.

Well if that's what you have to do, then it's really no longer a security question so the point I think stands that the security question system is really stupid. At that point you're just having a secondary random password. You may as well just say enter a second password rather than what school did you go to or what is your first car.
 
what's your problem? I've provided a link to the interview. Are you saying it's all fake?

there is a reason the daily mail is banned on GAF

they are pretty much the worst paper, and worst source of anything anywhere

edit: hm...someone else is the source. That's ok then
 
what's your problem? I've provided a link to the interview. Are you saying it's all fake?

The first problem is citing a known bad site and speculating. The second problem is she doesn't appear to know what she's talking about, or how she was contacted, much less it being unlikely there's an employee who would identify themselves outright. But it is a hot time to post the words "Apple" and "privacy" together.
 
There's a story on The Daily Mail (banned site, no link) Access Hollywood about Eva Longoria getting phone calls from Apple employees who accessed her private information.

I can't imagine it was too difficult to hack accounts with such upstanding citizens protecting your data.

Or... Maybe that's reverse engineering at work...
 
Not quite -- they've said there was no "breach," which is like saying nobody "broke into iCloud." This is true, but isn't necessarily pertinent to the issue at hand.

But how would the hacker know what their iCloud account ID is in order to brute force?

Plus a bunch of the leaked pics weren't from iCloud.

Something else went down.
 
Apple stock is down 4% today, and it seems like Tim Cook is sweating a bit.

http://www.businessinsider.com/tim-cook-apple-and-the-icloud-hack-2014-9
http://techcrunch.com/2014/09/02/why-apple-should-be-more-transparent-about-security/

Hell, even Apple is warning some developers against storing stuff in iCloud.
http://www.businessinsider.com/apple-says-healthkit-developers-must-not-store-data-in-icloud-2014-9

I'm shocked that the lawsuits over this haven't happened yet.

"Apps using the HealthKit framework that store users' health information in iCloud will be rejected."

Say whaat? So they don't want to be responsible for their own users' data?
 
But how would the hacker know what their iCloud account ID is in order to brute force?

Plus a bunch of the leaked pics weren't from iCloud.

Something else went down.

All it takes is one. You get one person's info, get into iCloud and now you have access to their contacts. Their contacts have e-mails which you use to find more iCloud accounts, and repeat.
 
Well if that's what you have to do, then it's really no longer a security question so the point I think stands that the security question system is really stupid. At that point you're just having a secondary random password. You may as well just say enter a second password rather than what school did you go to or what is your first car.

Yeah, security questions are terrible and should never be used. But they're even recommended by OWASP.

One thing people talk about is brute-force protection. That's a rather difficult problem though, since locking accounts also opens up easy DDoS options and most brute-force protection can easily be circumvented. Just use a few passwords to attack tons of different accounts and use proxies to switch the IP from which the logins come.
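The tension the poster describes (a hard lockout lets anyone deny the real owner access by failing on purpose, while per-IP limits are sidestepped by rotating proxies and spraying a few passwords across many accounts) is the usual design problem for online brute-force protection. As an added example, not code from the thread, from Apple or from OWASP, the Python below sketches one defensive design: a bounded, progressively increasing delay per account instead of lockout, plus a separate detector that flags a source which fails against many distinct accounts in a short window. The policy constants, the FakeClock, and the example.invalid accounts and documentation-range IP addresses are all constructed for the demonstration.

```python
import time
from collections import defaultdict, deque


class FakeClock:
    """Constructed test clock so the scenarios below run instantly."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Brute-force protection without a hard lockout.

    Assumed policy (constructed for this example, not a vendor's values):
      * per account: the first ACCOUNT_FREE_FAILURES failures cost nothing;
        each further failure doubles the wait before the next attempt, capped
        at MAX_DELAY seconds, so someone failing on purpose can delay the real
        owner by at most MAX_DELAY but can never lock them out;
      * per source: failing against more than SPRAY_ACCOUNTS distinct accounts
        inside SPRAY_WINDOW seconds flags the source (the spray pattern).
    """
    ACCOUNT_FREE_FAILURES = 3
    MAX_DELAY = 300.0
    SPRAY_ACCOUNTS = 10
    SPRAY_WINDOW = 600.0

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.next_allowed = defaultdict(float)  # account -> earliest next attempt
        self.source_log = defaultdict(deque)    # source -> (timestamp, account)
        self.flagged_sources = set()

    def required_delay(self, account):
        n = self.failures[account]
        if n < self.ACCOUNT_FREE_FAILURES:
            return 0.0
        return min(self.MAX_DELAY, 2.0 ** (n - self.ACCOUNT_FREE_FAILURES))

    def allow(self, account, source):
        """Decide whether to even evaluate the submitted credentials."""
        if source in self.flagged_sources:
            return False, "source flagged for credential spraying"
        if self.clock() < self.next_allowed[account]:
            return False, "too early for this account; wait"
        return True, "ok"

    def record_failure(self, account, source):
        now = self.clock()
        self.failures[account] += 1
        self.next_allowed[account] = now + self.required_delay(account)
        log = self.source_log[source]
        log.append((now, account))
        while log and now - log[0][0] > self.SPRAY_WINDOW:
            log.popleft()  # drop entries outside the window
        if len({acct for _, acct in log}) > self.SPRAY_ACCOUNTS:
            self.flagged_sources.add(source)

    def record_success(self, account):
        self.failures[account] = 0
        self.next_allowed[account] = 0.0


def simulate_spray(clock=None):
    """Constructed scenario: one source tries a password against many accounts.
    Returns (source_was_flagged, attempts_that_reached_the_credential_check)."""
    clock = clock or FakeClock()
    th = LoginThrottle(clock=clock)
    source = "203.0.113.7"  # documentation-range address, constructed
    reached = 0
    for i in range(1, 31):
        account = f"user{i}@example.invalid"
        ok, _ = th.allow(account, source)
        if not ok:
            break
        reached += 1
        th.record_failure(account, source)  # the sprayed password was wrong
        clock.advance(1.0)
    return source in th.flagged_sources, reached


def simulate_single_account(clock=None):
    """Constructed scenario: 20 straight failures on one account from one
    source. Returns (delay_imposed, owner_allowed_after_waiting, source_flagged)."""
    clock = clock or FakeClock()
    th = LoginThrottle(clock=clock)
    victim, attacker, owner = "victim@example.invalid", "198.51.100.9", "192.0.2.44"
    for _ in range(20):
        th.record_failure(victim, attacker)
        clock.advance(1.0)
    delay = th.required_delay(victim)
    clock.advance(delay)
    allowed, _ = th.allow(victim, owner)
    return delay, allowed, attacker in th.flagged_sources


if __name__ == "__main__":
    print("spray scenario:", simulate_spray())
    print("single-account scenario:", simulate_single_account())
```

In the spray scenario the source is flagged after the eleventh distinct account; in the single-account scenario the owner is delayed by the 300-second cap rather than locked out, and the attacking source is not flagged because it only ever touched one account. The per-source flag is exactly the layer the poster says proxy rotation defeats, which is why the per-account delay does not depend on the source at all; in practice both signals would also be fed to monitoring rather than acted on in isolation.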
 