So i'd wager there'd be quite a few celebrity dick pics available too if hackers wanted them. We know men like to send them unsolicited, and I'm sure those celebrities had received more than a few. But there are none. And why? Because those women were specifically targeted by people with a lot of resources and patience. (it's important that they were targeted specifically for being women).
To all of you idiots blaming the victims out there right now "should have used 2fa, should have used stronger passwords":
1. You don't know if 2FA was in place, you don't know what strength the passwords were.
2. Again: those women were highly targeted. Can you defend yourself if someone takes a week/month long project to break into your phone? (Also this was during heartbleed and other big vulnerabilities)
Come off your bullshit high horse. Don't blame the victims here.
Re: 1) 2FA wasn't in use by these individuals. If you read the Apple release they not only neglect to mention 2FA as a source of the breach but actively encourage users to sign up for it. If 2FA was in place I doubt that this vector would have been successful.
That being said, I think the culpability is on Apple here as much as it is on the individuals responsible for obtaining the links. Security questions were never good security and companies need to start moving away from failed models.
So "This is a very common attack on the Internet that we didn't do much to protect you against by default"?
It's a pain setting up two step authentication across a lot of services, but I guess iCloud is probably one that's worth the effort. Still I'd rather brute force was not an option.
From what I've read on 4-chan, Ars, Slashdot (indiv. comments, not articles) and other sources, this wasn't one person hacking a group of celebs' accounts, but a leak from an underground celeb nude trading ring that has existed for a while. So multiple hackers over a long period of time, from multiple sources.
I'm sorry, but Apple was hacked. There are multiple layers to security. Even the physical security of the building counts. If you have a terrible, easy to crack security system like "What is your first pet's name?" and your customers lose their data because of it, your system was hacked. Plain and simple. Security isn't just blocking a port or an ip range, it's the entire, the entire, system. Those "security questions" are very easy to find out, therefore the system is insecure.
AAPL stock is up today, despite iCloud being implicated. I'm not sure what exactly that means, but my personal guess would be that cognitive dissonance and a general "slut shame"-y attitude means people blame these celebrities for taking the photos / getting "hacked" and not Apple.
Not saying that's right, I definitely think that's the wrong take-away from all this, but I suspect that's what's happening, at least in these early days...
I've spent some time thinking about and talking about it with friends in the security world before.
I think it's a good idea, but falls short in reality. Celebrities arguably don't want it, you'd be a babysitter between them and their devices/APIs. Something they'd likely hate and continuously undermine, especially when a large part of their "job" is connectedness.
> After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
> None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
Um... doesn't "a very targeted attack on user names, passwords and security questions" count as a "breach in... Apple's systems"? A social engineering hack is still a hack.
Is it still a social engineering hack if a well-known celebrity with their personal info broadcasted all over the internet decides to use that personal info to secure their account? Or rather, is that a social engineering hack on Apple, or the celebrity themselves?
And what should Apple do, in this situation? If your names show up in tabloids, don't allow you to answer certain security questions? Require 2FA if your name is mentioned on Google more than a certain number of times?
I don't feel this is an Apple problem any more than it would be if someone created their iCloud password and then posted it on their Twitter.
At what point do tech companies start making two factor authentication mandatory?
It's one thing to say "We tell our users to use two factor authentication - it's their fault if they don't use it" but it's another to say "all user accounts use two factor authentication to ensure security of their data"
> After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
So, the brute force attack with reasonable guesses at email addresses?
Or just password recovery with trivially discoverable personal details. To a determined attacker, your mother's maiden name, the street you grew up on, and the name of your first pet are not hard to figure out.
Information like that isn't even secret, the whole practice of using password recovery questions needs to go away.
My guess would be that they found an address of someone with ties to a celebrity, compromised their account through security questions, and then found more personal information and iCloud accounts by going through the contacts of each person they compromised.
That was my suspicion from the start, security questions tend to be the easiest way to compromise accounts since finding someone's mother's maiden name isn't hard to do anymore.
No as I can try and guess your login credentials and that is a perfectly acceptable and valid workflow which isn't exploiting anything.
I think the issue is that the previously posted Find My iPhone code didn't rate limit invalid logins and this was used to bruteforce creds. This is probably the real underlying issue and not any type of buffer overflow / exploit etc.
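The missing rate limit described in the comment above, as an added example that is not part of the thread and is not Apple's, Find My iPhone's or iBrute's code: a sliding-window login throttle that counts failures per account and per source IP, locks the account after a few failures (so rotating source addresses does not help a guesser), and is run over a constructed sequence of attempts. The class and function names (`LoginThrottle`, `simulate`), the example.com account, the guess list and the IP addresses are all assumed or constructed for the demonstration.

```python
# Added example (not from the thread, Apple, or any real service): a login
# throttle of the kind whose absence lets password guessing run at full speed.
# Failures are counted per account and per source IP inside a sliding window;
# the per-account counter is what defeats guessers who rotate source IPs.
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failed-login counters with account lockout."""

    def __init__(self, max_per_account=5, max_per_ip=20, window_s=900, lockout_s=900):
        self.max_per_account = max_per_account
        self.max_per_ip = max_per_ip
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._account_fail = defaultdict(deque)  # username -> failure timestamps
        self._ip_fail = defaultdict(deque)       # source ip -> failure timestamps
        self._locked_until = {}                  # username -> unlock timestamp

    def _prune(self, q, now):
        # Drop failures that have fallen out of the sliding window.
        while q and now - q[0] > self.window_s:
            q.popleft()

    def check(self, username, ip, now):
        """Decide before touching the credential store; returns (allowed, reason)."""
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return False, "account_locked"
        ip_q = self._ip_fail[ip]
        self._prune(ip_q, now)
        if len(ip_q) >= self.max_per_ip:
            return False, "ip_throttled"
        return True, "ok"

    def record_failure(self, username, ip, now):
        acct_q = self._account_fail[username]
        acct_q.append(now)
        self._ip_fail[ip].append(now)
        self._prune(acct_q, now)
        if len(acct_q) >= self.max_per_account:
            # Lock the account itself, so switching source IPs does not help.
            self._locked_until[username] = now + self.lockout_s

    def record_success(self, username, now):
        self._account_fail[username].clear()
        self._locked_until.pop(username, None)


# Constructed credential store; a real one holds salted password hashes.
CREDENTIALS = {"celeb@example.com": "correct horse battery staple"}


def attempt(throttle, username, password, ip, now):
    """One login attempt: throttle check first, then credential check."""
    allowed, reason = throttle.check(username, ip, now)
    if not allowed:
        return reason
    if CREDENTIALS.get(username) == password:
        throttle.record_success(username, now)
        return "success"
    throttle.record_failure(username, ip, now)
    return "bad_password"


def simulate(attempts, **throttle_kwargs):
    """Run (timestamp, username, password, ip) tuples through a fresh throttle."""
    throttle = LoginThrottle(**throttle_kwargs)
    return [attempt(throttle, u, p, ip, t) for (t, u, p, ip) in attempts]


# Constructed guessing run against one account: seven wrong guesses from a single
# address, three more from rotating addresses, then the real password much later.
GUESSES = ["password", "123456", "letmein", "qwerty", "iloveyou", "welcome", "monkey"]
SAMPLE_RUN = [(t, "celeb@example.com", g, "203.0.113.7") for t, g in enumerate(GUESSES)]
SAMPLE_RUN += [(10 + i, "celeb@example.com", "dragon", f"198.51.100.{i}") for i in range(3)]
SAMPLE_RUN += [(2000, "celeb@example.com", "correct horse battery staple", "203.0.113.7")]


if __name__ == "__main__":
    print("throttled  :", simulate(SAMPLE_RUN))
    print("unthrottled:", simulate(SAMPLE_RUN, max_per_account=10**9, max_per_ip=10**9))
```

With the throttle in place the fifth failure locks the account for the lockout period, the later guesses from rotating addresses are refused without the password ever being compared, and the legitimate login succeeds once the lockout has expired; with the limits effectively disabled every guess is evaluated, which is the condition the comment describes.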
Not really. There's a perfectly valid distinction between accounts compromised by poor password recovery processes and more general ways of compromising the system, ie attacks that require targeted information about the account being compromised and attacks that compromise many accounts at once.
People have become so close with their smartphones that they entrust them with more information than their friends know.
In addition no brand is more loved than Apple, with many celebrities being ambassadors to the brand. The brand is planning to introduce new payment and health services next week.
For the average consumer two-factor-authentication means nothing, but they will start distrusting Apple more and will be more careful with data. This does not mean they will use more and better security. The average consumer will just stop using some of these services.
It seems like it would be a feat to gather all the user IDs of these famous people in the first place. I'm guessing there's a black market just for that? I used to work on a service used by quite a few famous people, if anybody on the project was unscrupulous, it would have been easy to pass those emails and other personal information on to a hacker.
If you can break into one person's account and get their contacts then you can recurse from there. It's likely that one celebrity knows another and so on.
Google and Yahoo both had 2FA holes in their mobile authentication entry points. No data to back this up other than my own experience and seeing the last logins coming from mobile devices in another country.
I'm confused. The description of the problem doesn't rule out an issue with iBrute (targeted attack on usernames, passwords) but then they state it wasn't an issue with iCloud or FindMyPhone.
Is this to suggest that it's social engineering or just a password reset job? I don't otherwise see how an attack on usernames and passwords translates.
I guess the thing I'm really trying to figure out is that if it was iBrute (which personally I would find an embarrassing failure) would they actually admit it?
karl_nerd | 11 years ago
iaw | 11 years ago
edent | 11 years ago
Exactly the same way that Sarah Palin's email was hacked - https://en.wikipedia.org/wiki/Sarah_Palin_email_hack
vitamen | 11 years ago
sp332 | 11 years ago
modfodder | 11 years ago
link to one explanation: http://i.imgur.com/vnd0H9J.jpg
nokiaman | 11 years ago
Headlines around the world are "iCloud hacked", "Apple hacking scandal", "Are your photos safe on iCloud?" etc.
Meanwhile celebrities like Kirsten Dunst have described iCloud as a "piece of shit" (a tweet with emoticons).
Timing is not great for Apple since they are supposed to be launching health and payment related features for iOS in the next few days.
Question is, would Apple have responded so quickly if celebrities weren't involved?
chez17 | 11 years ago
kennywinker | 11 years ago
flog | 11 years ago
dpeck | 11 years ago
pjc50 | 11 years ago
smacktoward | 11 years ago
pseudonym | 11 years ago
nedwin | 11 years ago
tvon | 11 years ago
potatolicious | 11 years ago
level | 11 years ago
tomhschmidt | 11 years ago
64mb | 11 years ago
> "None of the cases we have investigated has resulted from any breach in any of Apple’s systems"
Don't these lines contradict each other?
res0nat0r | 11 years ago
rtkwe | 11 years ago
induscreep | 11 years ago
julianpye | 11 years ago
csours | 11 years ago
fjarlq | 11 years ago
Why doesn't Apple at least offer a bug bounty reward? Is it irresponsible that they don't?
All they offer now, as far as I have found, is a mention on this web page:
http://support.apple.com/kb/HT1318
And, does the fact that this bug made it into production suggest a lack of internal security audits at Apple?
kennywinker | 11 years ago
philip1209 | 11 years ago
davis | 11 years ago
Torgo | 11 years ago
jgrahamc | 11 years ago
elliottpayne | 11 years ago
learc83 | 11 years ago
sosuke | 11 years ago
omfg | 11 years ago
64mb | 11 years ago
davis | 11 years ago
ToastyMallows | 11 years ago
Quarrelsome | 11 years ago
culturestate | 11 years ago
> None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
ciiworldwide | 11 years ago
curiousDog | 11 years ago
LeoPanthera | 11 years ago