Apple denies iCloud breach for The Fappening

Posted on 9/2/14 at 1:43 pm
Posted by colorchangintiger
Dan Carlin
Member since Nov 2005
30979 posts
Posted on 9/2/14 at 1:43 pm
LINK

quote:

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at https://support.apple.com/kb/ht4232.


Looks like a little social engineering is to blame.
This post was edited on 9/2/14 at 1:45 pm
Posted by HailToTheChiz
Back in Auburn
Member since Aug 2010
48873 posts
Posted on 9/2/14 at 1:43 pm to
Riiiight
Posted by CAD703X
Liberty Island
Member since Jul 2008
77890 posts
Posted on 9/2/14 at 1:49 pm to
quote:

we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at


because like apple can't enforce stronger password creation rules??

Scottrade, salesforce.com and my bank require not only much more rigid letter/number combinations than Apple, but they also require I change them at regular intervals as well.

ETA: iCloud noods not as important as my last stock trade, I guess.
This post was edited on 9/2/14 at 1:51 pm
Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 1:49 pm to
wtf is it then Apple

where is my LOL face...

here it is...

This post was edited on 9/2/14 at 1:50 pm
Posted by Spock's Eyebrow
Member since May 2012
12300 posts
Posted on 9/2/14 at 1:51 pm to
Here's hoping they're not playing games with the word "breach", because if those accounts were brute forced, that would be pretty Clintonesque of them.

Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 1:51 pm to
quote:

Looks like a little social engineering is to blame.



Social engineering of some sort was used to obtain the IDs, but a flaw in Find My iPhone allowed the brute-force attempts to occur. Apple should have locked the IDs after multiple failed tries, but it did not.
Posted by TigerinATL
Member since Feb 2005
61423 posts
Posted on 9/2/14 at 1:53 pm to
quote:

Riiiight


It seems pretty plausible to me and honestly is what we should be talking about.

quote:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.


How many SSNs + "Mother's Maiden Names" do you think the bad guys have after hacking Chase and multiple other banks? We need to completely overhaul our security infrastructure.
This post was edited on 9/2/14 at 1:54 pm
Posted by Spock's Eyebrow
Member since May 2012
12300 posts
Posted on 9/2/14 at 1:55 pm to
quote:

Social engineering of some sort was used to obtain the IDs, but a flaw in Find My iPhone allowed the brute-force attempts to occur. Apple should have locked the IDs after multiple failed tries, but it did not.


It's still unclear whether the lockout bug had anything to do with it. If it did, I would consider it a "breach", and if Apple doesn't, they just had a "I did not have sexual relations with that woman" moment. (Which BTW Tim Cook could truthfully say.)
Posted by CAD703X
Liberty Island
Member since Jul 2008
77890 posts
Posted on 9/2/14 at 1:57 pm to
quote:

There are 26 lower-case letters, 26 upper-case letters, 10 digits and, depending on the web site, as many as a couple of dozen special characters (some sites won’t let you use certain characters). If you create a password with 6 digits, there are a million possibilities. If you use, however, six lower-case letters, the number jumps to over 300 million. And if you use a combination of upper- and lower-case letters, you get 2 billion different combinations. Add in special characters and the number of possibilities is in the hundreds of billions.



All of these things can easily be enforced at the point where people are creating their password for the first time.
Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 2:03 pm to
quote:

It seems pretty plausible to me and honestly is what we should be talking about.



Then you are reading it wrong or know nothing about security.
Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 2:04 pm to
quote:

It's still unclear whether the lockout bug had anything to do with it.


You can't brute-force an account that does not suffer from a "lockout bug" unless you are a REALLY good guesser.

quote:

a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.


I mean, they are basically describing the components of a brute-force attack right here^^^

You social-engineer your way into finding the correct answers to the security questions, then you have the ID. Once you have the ID, you brute-force the account affected by the "lockout bug".
This post was edited on 9/2/14 at 2:06 pm
Posted by TigerGman
Center of the Universe
Member since Sep 2006
11170 posts
Posted on 9/2/14 at 2:04 pm to
quote:

because like apple can't enforce stronger password creation rules??


Does Google?
Posted by TigerinATL
Member since Feb 2005
61423 posts
Posted on 9/2/14 at 2:10 pm to
quote:

then you are reading it wrong or know nothing about security



I'm just not assuming that these "leaks" are all tied to the recently patched flaw like you seem to be. If they are then it is on Apple, but we have nothing but timing to correlate the two, and the timing angle is suspect because what I've gleaned from the OT threads on the Fappening is that this is a collection of individual hacks being released at once, not one big breach.

Posted by TigerinATL
Member since Feb 2005
61423 posts
Posted on 9/2/14 at 2:11 pm to
quote:

because like apple can't enforce stronger password creation rules??


Why do you assume they don't? Here's a thread from 2011 of people bitching because Apple forced them to strengthen their passwords with iOS 5.

quote:

On the new OS5 why is Apple requiring that you change your Apple ID to your e-mail account and requiring that all passwords now be 8 characters with at least one capital letter and two numbers?

LINK

Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 2:16 pm to
quote:

I'm just not assuming that these "leaks" are all tied to the recently patched flaw like you seem to be. If they are then it is on Apple, but we have nothing but timing to correlate the two, and the timing angle is suspect because what I've gleaned from the OT threads on the Fappening is that this is a collection of individual hacks being released at once, not one big breach.



Oh, it's absolutely a collection of smaller breaches. It doesn't mean they didn't all use the same attack vector.
Posted by colorchangintiger
Dan Carlin
Member since Nov 2005
30979 posts
Posted on 9/2/14 at 2:23 pm to
quote:

all of these things can easily be enforced at the point where people are creating their password for the first time.


Of course they can, but even the bank that processes my student loan payments wouldn't let me have a password over 15 characters and wouldn't let me use symbols.
Posted by TigerinATL
Member since Feb 2005
61423 posts
Posted on 9/2/14 at 2:26 pm to
quote:

It doesn't mean they didn't all use the same attack vector.


The most recently patched attack vector isn't the only one, though. Looking for the password requirements, I ran across this article from June on a forensic tool that was capable of retrieving and cracking iCloud backups, without a password, if you had access to their PC.

quote:

It’s not black magic, but works as a command-line tool extracting the iCloud binary authentication token. The “user must’ve been logged in to iCloud Control Panel on that PC at the time the computer is seized. If the user logged out of the Panel, the authentication tokens are then deleted.”

The newest version of Elcomsoft Phone Password Breaker can recover “the original plain-text passwords protecting encrypted backups for Apple and BlackBerry devices.” Those backups “contain address books, call logs, SMS archives, calendars and other organizer data, camera snapshots, voice mail and email account settings, applications, Web browsing history and cache.” Apple users, even if you don’t manually create backups, backups happen automatically every time you sync your device.

iCloud Control Panel is part of iTunes and comes installed on OS X devices, but has to be installed on Windows devices. “The given feature is confirmed to work even for accounts with Apple's two-step verification enabled, but does NOT work for Microsoft Live! accounts that use 2FA.”

LINK

I said in another thread that Apple has taken a bare minimum strategy with the cloud, so they certainly need to be taken to task over any problems caused by that, but I've seen people connect the wrong attack vector dots based solely on time correlation. After reading the article I posted I think I'll uninstall my iCloud control panel. I never really use it and if a security tool can weaponize it then a virus could too.
Posted by Spock's Eyebrow
Member since May 2012
12300 posts
Posted on 9/2/14 at 2:31 pm to
quote:

You can't brute-force an account that does not suffer from a "lockout bug" unless you are a REALLY good guesser.


True, and that gets down to what the meaning of "breach" is. Getting in due to the lockout vulnerability is a breach in my book, and I would hope Apple thinks the same way and isn't drawing such a fine technical distinction between "breach" and "targeted attack". I think it's going to come out if it's the lockout vulnerability, and they'll look like real weasels for not owning up in this statement. If the lockout vulnerability wasn't responsible, they should've explicitly said so, explained that they log login attempts and saw no such activity, etc.

JLaw and the rest should reveal their passwords. Random ones probably could not have been brute-forced given Internet latency and the minimum requirements, which I read yesterday are 8 characters, upper and lower case, and digits.
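As an added example (not from the thread, Apple, or the quoted article): the arithmetic behind the password-count figures quoted in CAD703X's post and the 8-character upper/lower/digit minimum mentioned just above, plus what an attempt-lockout policy does to the time an online guesser needs. The special-character count (32), the 100 guesses/second online rate and the 10-tries-per-15-minutes lockout are assumptions.

```python
from itertools import product

# Character-class sizes from the quoted password-arithmetic post. The number of
# special characters is an assumption (the post only says "a couple of dozen").
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32

def keyspace(alphabet_size: int, length: int) -> int:
    """Passwords of `length` when any character of the alphabet may appear."""
    return alphabet_size ** length

def keyspace_required(classes, length: int) -> int:
    """Passwords of `length` over the union of `classes` that use at least one
    character from every class (inclusion-exclusion over omitted classes)."""
    n, total = len(classes), 0
    for mask in range(1 << n):
        omitted = [classes[i] for i in range(n) if mask >> i & 1]
        remaining = sum(classes) - sum(omitted)
        total += (-1) ** len(omitted) * remaining ** length
    return total

def keyspace_required_enumerated(classes, length: int) -> int:
    """Cross-check of keyspace_required by brute enumeration (tiny inputs only)."""
    alphabet = [c for c, size in enumerate(classes) for _ in range(size)]
    wanted = set(range(len(classes)))
    return sum(1 for s in product(alphabet, repeat=length) if set(s) == wanted)

def expected_guess_seconds(space: int, guesses_per_second: float,
                           attempts_per_lockout=None, lockout_seconds=0.0) -> float:
    """Expected seconds to hit a uniformly random password by online guessing
    (half the space on average). A lockout policy caps the attacker at
    `attempts_per_lockout` tries per `lockout_seconds`, whatever the latency."""
    if attempts_per_lockout and lockout_seconds > 0 and \
            attempts_per_lockout / lockout_seconds < guesses_per_second:
        return (space / 2) * lockout_seconds / attempts_per_lockout
    return (space / 2) / guesses_per_second

if __name__ == "__main__":
    policies = {"6 digits": keyspace(DIGIT, 6), "6 lower-case": keyspace(LOWER, 6),
                "6 mixed-case": keyspace(LOWER + UPPER, 6),
                "6 mixed-case + digits + specials": keyspace(LOWER + UPPER + DIGIT + SPECIAL, 6),
                "8 chars, upper/lower/digit each required": keyspace_required((LOWER, UPPER, DIGIT), 8)}
    for label, space in policies.items():  # assumed online rate: 100 guesses/s, no lockout
        print(f"{label}: {space:,} passwords, ~{expected_guess_seconds(space, 100):,.0f} s to find at 100 guesses/s")
    # Same 6-digit space when an assumed lockout allows only 10 failed tries per 15 minutes.
    print(f"6 digits with lockout: ~{expected_guess_seconds(keyspace(DIGIT, 6), 100, 10, 900):,.0f} s")
```

The 8-character policy works out to roughly 1.6e14 candidates, so at 100 guesses a second the expected search runs for tens of thousands of years; the lockout line shows that even a 6-digit space goes from under two hours to over a year once failed attempts are capped.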
Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 2:38 pm to
quote:

I would hope Apple thinks the same way and isn't drawing such a fine technical distinction between "breach" and "targeted attack".


Sounds like that is precisely what they are doing.

Their biggest fanboys just got pwned in the worst kind of way. They aren't gonna come right out and go "my bad, y'all". I also find it hard to believe that Apple ran through the entire IR process and has all the answers 40 hours later.

This post was edited on 9/2/14 at 2:42 pm
Posted by gmrkr5
NC
Member since Jul 2009
14881 posts
Posted on 9/2/14 at 2:40 pm to
quote:

The most recently patched attack vector isn't the only one, though. Looking for the password requirements, I ran across this article from June on a forensic tool that was capable of retrieving and cracking iCloud backups, without a password, if you had access to their PC.



And gaining access to all these individuals' personal computers would be exponentially harder than brute-forcing an online service.

Plus, how many of them do you think actually sync their Apple devices to their personal computers?