
Cook says Apple will roll out new iCloud security alerts, expand 2-step authentication after celebrity photo flap

post #1 of 82
Thread Starter 
In response to a recently leaked cache of nude photos apparently stolen from celebrities' iCloud accounts, Apple CEO Tim Cook said the company plans to activate new security measures designed to thwart future attacks.



Speaking to The Wall Street Journal, Cook reiterated Apple's stance that iCloud was not breached before announcing new security protocols meant to give users a heads-up when changes are made to their accounts.

"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," Cook said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."

To add an extra layer of protection, Cook said Apple will start sending out email and push notification alerts when an attempt is made to restore iCloud data to another device. The protocol adds to current safety measures that push out similar messages when a password has been changed or a device is first linked to an iCloud account.

With the alerts in place, iCloud users can quickly react to potential breaches by closing off access or deleting files before a nefarious user has a chance to download potentially sensitive data.

As for Apple's current security measures, Cook thinks the company is doing well, pointing to the iPhone 5s' Touch ID fingerprint recognition feature and iCloud's two-step authentication protocol, which requires users to enter both a password and a separate code sent to a trusted device prior to making account changes. Cook said the feature's coverage area will be widened with the release of iOS 8 to include iCloud access from mobile devices. Cook also said Apple will be proactively pushing the two-factor system in the future.

Last weekend, dozens of nude photos taken from iCloud accounts belonging to Jennifer Lawrence, Kate Upton, Ariana Grande and more were dumped on the Web after being collected through various corners of the Internet, including anonymous image board AnonIB. In the ensuing aftermath, Apple issued a statement denying hackers were able to breach iCloud security, instead blaming targeted attacks that have "become all too common on the Internet."

Apple will continue to work with authorities toward finding the culprit or culprits behind the attacks and subsequent mass data leak.

"We want to do everything we can do to protect our customers, because we are as outraged if not more so than they are," Cook said.
post #2 of 82
It's a start.

   Apple develops an improved programming language.  Google copied Java.  Everything you need to know, right there.

 

    AT&T believes their LTE coverage is adequate

post #3 of 82
This is what I like about Cook. He's not afraid to say when they may have messed up (not necessarily saying that happened here) or where they can do better. Similar to what happened with Maps.
You can't spell appeal without Apple.
post #4 of 82
Quote:
Originally Posted by John.B View Post

It's a start.

 

Agree. The silent download of backups from iCloud by law enforcement tools will also notify users now. I would also like an audit dashboard to see where devices are connecting from that are accessing my data. Seeing IPs being used where I am not would be something that I could easily spot. I think of this like a credit card statement. Being able to see where I used my card lets me see when someone else is playing me and using my card. I want the same for the cloud.

 

I believe it is Google that actually warned me one time about connecting to gmail from a very different address within a short period of time. I was out of the country, but used VPN back into the country as well as accessing it without VPN. They were concerned that I could not be in and out of the country at the same time. Not a Google fan at all, but that was a nice thing to warn me about. 
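
The warning described in post #4 above (the same account seen in two distant places within a short time) is usually called impossible-travel detection. The following is an added example, not part of the original thread and not Google's or Apple's code; the login records, coordinates, addresses and speed threshold are constructed assumptions, and the GeoIP lookup is assumed to have happened already:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: a little above airliner cruising speed


@dataclass(frozen=True)
class Login:
    when: datetime
    ip: str      # constructed, from documentation address ranges
    lat: float   # assumed to come from a GeoIP lookup done elsewhere
    lon: float
    label: str


def haversine_km(a: Login, b: Login) -> float:
    """Great-circle distance between the locations of two logins."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=100.0):
    """Return (previous, current, km, km/h) for each consecutive pair of
    logins that would require travelling faster than max_kmh.

    Pairs closer than min_km are ignored, because GeoIP is too coarse to
    tell a hotel from the cafe next door.
    """
    alerts = []
    ordered = sorted(logins, key=lambda e: e.when)
    for prev, cur in zip(ordered, ordered[1:]):
        km = haversine_km(prev, cur)
        if km < min_km:
            continue
        hours = (cur.when - prev.when).total_seconds() / 3600
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > max_kmh:
            alerts.append((prev, cur, round(km), kmh))
    return alerts


def _utc(day, hour, minute):
    return datetime(2014, 9, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: a user flies from Chicago to London, then alternates
# between the hotel network and a VPN exit back home, as in the post.
SAMPLE_LOGINS = [
    Login(_utc(1, 8, 0), "198.51.100.10", 41.8781, -87.6298, "Chicago home"),
    Login(_utc(2, 9, 0), "203.0.113.25", 51.5074, -0.1278, "London hotel"),
    Login(_utc(2, 9, 20), "198.51.100.77", 41.8781, -87.6298, "Chicago VPN exit"),
    Login(_utc(2, 9, 45), "203.0.113.25", 51.5074, -0.1278, "London hotel"),
    Login(_utc(2, 10, 0), "203.0.113.90", 51.5100, -0.1200, "London cafe"),
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{prev.label} ({prev.ip}) -> {cur.label} ({cur.ip}): "
              f"{km} km at {kmh:,.0f} km/h")
```

The real flight (25 hours between the first two logins) passes, while both VPN hops are flagged. That is the false positive the poster ran into: the check cannot tell a VPN from a second person holding the password, so it suits a warning better than a block.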

post #5 of 82
Originally Posted by AppleInsider View Post

...celebrity photo flap

 

You did that on purpose.

 
 In response to the recent leak of nude photos apparently stolen from celebrities' iCloud accounts, Apple CEO Tim Cook announced a planned activation of new security measures designed to thwart future attacks.

 

PLEASE tell me there won’t be any time during the keynote dedicated to this drivel.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #6 of 82
NOT good enough, provide the fix to enable two factor authentication for iCloud backups and Photo Stream in iOS 7 THIS month, Tim Cook! Not all devices will run iOS 8, and not all users, especially in corporations, will update to iOS 8 straight away.

Also, what about iOS 6-only devices?!
Edited by libertyforall - 9/4/14 at 7:51pm
post #7 of 82
Quote:
Originally Posted by Phone-UI-Guy View Post
 
I would also like an audit dashboard to see where devices are connecting from that are accessing my data. Seeing IPs being used where I am not would be something that I could easily spot. 

Facebook does something quite similar.

post #8 of 82
He had me until the last line. He's more outraged than the actresses who had their accounts pried open and their personal data stolen and spread all over the internet for every slimy person on earth to salivate and worse over. Um, yeah. No. I don't think so. One step too far Apple PR. Can you please pull your heads out of your holes?
post #9 of 82
Then use better passwords and don't be stupid enough to give it away.
post #10 of 82
Originally Posted by Shogun View Post
One step too far Apple PR. Can you please pull your heads out of your holes?

 

Nah, he’s right.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #11 of 82
Quote:
Originally Posted by AppleInsider View Post




To add an extra layer of protection, Cook said Apple will start sending out email and push notification alerts when an attempt is made to restore iCloud data to another device. The protocol adds to current safety measures that push out similar messages when a password has been changed or a device is first linked to an iCloud account.



With the alerts in place, iCloud users can quickly react to potential breaches by closing off access or deleting files before a nefarious user has a chance to download potentially sensitive data.

 



Looks like I was too hasty. According to Apple, iCloud backups are encrypted, contrary to Mashable. And Cook did address expanding 2-factor authentication. I somehow missed that on my first read through. Whoops.
Edited by eponymous - 9/4/14 at 8:26pm
post #12 of 82
Quote:
Originally Posted by Tallest Skil View Post

You did that on purpose.

PLEASE tell me there won’t be any time during the keynote dedicated to this drivel.
I very well hope it isn't, maybe a mention after the keynote to press, or website, maybe within a paragraph of iOS 8 release notes (on website).
post #13 of 82
Apple to address celebrity photo flap after celebrity photo fap?
Apple managed the astonishing feat of getting the equivalent of a personal computer into the hands of everybody from eight to eighty year olds, and did so while providing absolutely no instructions...
post #14 of 82

Thanks Tim. Meanwhile I'll stock up on a little more AAPL before the dust settles :smokey:

Shut up and go away, you useless, pathetic FUDmonger - Tallest Skil
post #15 of 82

That's "photo fap".

post #16 of 82
A pretty well reasoned commentary on this whole thing: http://dankaminsky.com/2014/09/03/not-safe-for-not-working-on/
post #17 of 82
Quote:
Originally Posted by DocNo42 View Post

A pretty well reasoned commentary on this whole thing: http://dankaminsky.com/2014/09/03/not-safe-for-not-working-on/

This alone is worth the click…



Edited by SolipsismX - 9/5/14 at 7:41am

"The real haunted empire?  It's the New York Times." ~SockRolid

"There is no rule that says the best phones must have the largest screen." ~RoundaboutNow

post #18 of 82
Originally Posted by SolipsismX View Post
This alone is worth the click…


Why would his bottom be censored? Everyone has a bottom. It’s not a naughty bit.

Originally Posted by Marvin

The only thing more insecure than Android’s OS is its userbase.
post #19 of 82
Quote:
Originally Posted by Tallest Skil View Post


Why would his bottom be censored? Everyone has a bottom. It’s not a naughty bit.

Everybody has breasts, but they censor those on chicks :frown:
post #20 of 82
For a fleeting moment, I thought the headline said:

Cook says Apple to alert iCloud users of nude celebrity photos being deposited into their account.

I'm going to bed.
"If the young are not initiated into the village, they will burn it down just to feel its warmth."
- African proverb
post #21 of 82
Quote:
Originally Posted by alcstarheel View Post

This is what I like about Cook. He's not afraid to say when they may have messed up (not necessarily saying that happened here) or where they can do better. Similar to what happened with Maps.


He's also not afraid to placate the public a bit. The truth is that there is zero proof that all those folks' stuff came from iCloud. I believe Jennifer Lawrence is the only confirmed iCloud user in the bunch. The rest could have been Dropbox etc. And in Jennifer's case for all we know the source was a disgruntled employee who knew the log in info and decided to get back at her. Or a greedy current one with the same access.

 

But folks are screaming they should have more alerts so Tim will give it to them. Kind of like how Steve pointed out that the whole antenna gate thing was actually present on tons of phones but still gave folks free bumpers. 

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #22 of 82

Hey, what d'ya know? So it turns out that I was right, even though there was some protesting as usual in the previous thread. The celebrities were ignorant and careless. And especially if somebody is storing nude photos of themselves on their phones and in the cloud, then maybe, just maybe they should be more careful. In the end, it's their ass that's on the line, literally speaking, so they should take extra care with their personal security.

 

Cook said that if two-step authentication had been enabled, then the hackers would not have been able to guess the security questions. These celebrities who make so much money should have known better, since they are well known, and they are more attractive targets than everybody else who is not a celebrity. Maybe they should hire somebody to look after their web security and teach them some common sense. I'm sure that some of them have bodyguards, lawyers, accountants, private chefs, personal assistants, personal trainers etc. 

 

I'm sure that after this incident, more of them will perhaps think twice before being careless, but then again, some of them will not, and that will end up being their problem eventually.

post #23 of 82

Nice work there with "When I step back from this terrible scenario that happened and say what more could we have done..." Others need to answer this question as well. That's the important one here.

 

While there has been speculation of brute force against Find my iPhone that's not proven yet. Is there a reasonable way to block social engineering, password guesses, phishing, etc? It seems like what happened over the weekend has been a long time coming by a lot of people (see this great post) and the methods used are really old school, non-haxor stuff.

 

These vulnerabilities are there because, well, we are people and there are asshats out there. There's security and there's security theater. I'd argue there are things Apple hasn't done well but they're handling the security part fairly well and I trust they will continue to.

post #24 of 82
What is the point of getting an email or notification that someone is accessing a backup? What if I am asleep?

Should accessing a cloud back-up just require the 2fa?
post #25 of 82
Wonder boy Mark Gurman says this proves no one inside Apple is good enough to run PR. :rolleyes:
post #26 of 82
Quote:
Originally Posted by charlituna View Post
 


He's also not afraid to placate the public a bit. The truth is that there is zero proof that all those folks' stuff came from iCloud. I believe Jennifer Lawrence is the only confirmed iCloud user in the bunch. The rest could have been Dropbox etc. And in Jennifer's case for all we know the source was a disgruntled employee who knew the log in info and decided to get back at her. Or a greedy current one with the same access.

 

But folks are screaming they should have more alerts so Tim will give it to them. Kind of like how Steve pointed out that the whole antenna gate thing was actually present on tons of phones but still gave folks free bumpers. 

 

There's absolutely nothing wrong with implementing two step authentication that covers every part of your data. I use two step on my cloud based storage (OneDrive in this case) to protect pictures and financial documents. I don't care what the reasoning was that caused Apple to take security on their cloud based services seriously. There's nothing 'overblown' about more tools to protect private data. Celebrities are just people with a fantastic makeup artist, and just like everyone else they don't know the first thing about managing their information. Companies need to do a better job hand holding in that department in my opinion.

post #27 of 82
Quote:
Originally Posted by Rogifan View Post

Wonder boy Mark Gurman says this proves no one inside Apple is good enough to run PR. :rolleyes:

But he's just a kid, I tell ya...a kid!

Proud AAPL stock owner.

 

GOA

post #28 of 82
You're not getting it. It's great PR, see locally prior to launching iCloud drive:

- first tell you take your customers seriously and are doing research
- then tell the service wasn't unsafe but a fact of a bad password
- then let people know you thought about it and still want to do better, also reiterate it wasn't about a security breach.

So basically you take customers seriously and at the same time come across as a company who wants to do better for their customers. You also reduce possible legal actions by showing you acted accordingly.

It's also smart for Apple to say "I, Tim Cook, thought about it and what did I think can be improved", instead of a cold dry response from "Apple, the legal entity".

It's a very carefully crafted sequence of events and I can only respect that.
Quote:
Originally Posted by Shogun View Post

He had me until the last line. He's more outraged than the actresses who had their accounts pried open and their personal data stolen and spread all over the internet for every slimy person on earth to salivate and worse over. Um, yeah. No. I don't think so. One step too far Apple PR. Can you please pull your heads out of your holes?
post #29 of 82
Quote:
Originally Posted by Apple ][ View Post
 

Hey, what d'ya know? So it turns out that I was right, even though there was some protesting as usual in the previous thread. The celebrities were ignorant and careless. And especially if somebody is storing nude photos of themselves on their phones and in the cloud, then maybe, just maybe they should be more careful. In the end, it's their ass that's on the line, literally speaking, so they should take extra care with their personal security.

 

Cook said that if two-step authentication had been enabled, then the hackers would not have been able to guess the security questions. These celebrities who make so much money should have known better, since they are well known, and they are more attractive targets than everybody else who is not a celebrity. Maybe they should hire somebody to look after their web security and teach them some common sense. I'm sure that some of them have bodyguards, lawyers, accountants, private chefs, personal assistants, personal trainers etc. 

 

I'm sure that after this incident, more of them will perhaps think twice before being careless, but then again, some of them will not, and that will end up being their problem eventually.

 

As was mentioned, it was a targeted attack on selected celebrities. No one picked up my nude pictures :-) Just kidding! There is only so much companies like Apple, Google, Facebook, etc. can do. If you are going to make your account named JenniferLawrence and use passwords like HungerGames or AmericanHustler, people are going to figure it out. I mean even if companies put in all kinds of protection measures, if you are going to do stupid things, you will have to pay the consequences. Who knows? Could it also be a publicity stunt by all those actors?

post #30 of 82
Quote:
Originally Posted by John.B View Post

It's a start.

It's a good start. I don't think even Dropbox or Google Drive does this? If someone has your Google password (assuming two-factor isn't on), they can just copy stuff from Google Drive without you getting notice, right? I could be wrong, but I thought I remember doing that from a random computer and I got no notice.

post #31 of 82
Quote:
Originally Posted by junkie View Post

What is the point of getting an email or notification that someone is accessing a backup? What if I am asleep?

Should accessing a cloud back-up just require the 2fa?

What if you're not asleep? Of course it's better than NOT having it. However, I don't think the point of it is to prevent hacks. It's just so that at least you're aware someone has your password and you better go change it (especially if you use it for other things). Also, maybe you better check your computer to make sure it's not rooted or something. It's SO much better to know that you've been hacked instead of letting them CONTINUE to steal your data forever.

post #32 of 82
Quote:
Originally Posted by junkie View Post

What is the point of getting an email or notification that someone is accessing a backup? What if I am asleep?

Should accessing a cloud back-up just require the 2fa?

 

If you have 2fa set up, then which device receives the notification with the verification code to allow you to access iCloud from a new computer (as an example)? It's going to be your iPhone, of course. The device you usually carry with you and can give you an immediate notification if there's activity on your iCloud account.

 

So what if your phone quits working, gets lost or stolen? You have your new iPhone you want to restore from iCloud. Where does the 2fa notification go to? Your old iPhone is gone, so it's not going there. Your new iPhone isn't set up yet, so it's not getting it either. Apple lets you set up more than one device (great for families), but if you're single would you have a second SMS capable iOS device you could set up to also receive the verification code? Even if you did, would you even think it was necessary to add a second device while you're setting up 2fa?

 

There are certain situations where you might need access to iCloud without the hassle of 2fa. And this is the crux of the matter. Some people say Apple should force users to use 2fa, but that's not always an option for everyone in every scenario.

post #33 of 82

The way I see it is like this:

 

Say you drive a Ford Focus and it has a 4 Star crash rating. Ford decides to update the Focus and it now receives a 5 Star crash rating. Sure it's a safer car, but that doesn't mean the old Focus was a death trap - it was still pretty safe.

 

So Apple improves iCloud. It doesn't mean the old iCloud was a sieve that leaked personal data to whoever wanted it.

post #34 of 82
Quote:
Originally Posted by Shogun View Post

He had me until the last line. He's more outraged than the actresses who had their accounts pried open and their personal data stolen and spread all over the internet for every slimy person on earth to salivate and worse over. Um, yeah. No. I don't think so. One step too far Apple PR. Can you please pull your heads out of your holes?

 

I think he meant customers in general, not those actresses specifically.

post #35 of 82
Quote:
Originally Posted by Tallest Skil View Post

 

PLEASE tell me there won’t be any time during the keynote dedicated to this drivel.

 

I doubt they say anything directly about the celeb nudes. 

 

At the same time one of their key features will be trusting all of our photos from Macs and iOS devices to iCloud, they absolutely will need to address how this information will be protected. 

post #36 of 82
Quote:
Originally Posted by Shogun View Post

He had me until the last line. He's more outraged than the actresses who had their accounts pried open and their personal data stolen and spread all over the internet for every slimy person on earth to salivate and worse over. Um, yeah. No. I don't think so. One step too far Apple PR. Can you please pull your heads out of your holes?

 

http://www.apple.com/ios/ios8/photos/?cid=wwa-us-kwg-features-com

 

Photos. Every photo you take. On all your devices.

 

Seeing as this is one of the main features of iOS 8, I don't think Cook is only speaking about the actresses.

post #37 of 82
Quote:
Originally Posted by EricTheHalfBee View Post



If you have 2fa set up, then which device receives the notification with the verification code to allow you to access iCloud from a new computer (as an example)? It's going to be your iPhone, of course. The device you usually carry with you and can give you an immediate notification if there's activity on your iCloud account.

So what if your phone quits working, gets lost or stolen? You have your new iPhone you want to restore from iCloud. Where does the 2fa notification go to? Your old iPhone is gone, so it's not going there. Your new iPhone isn't set up yet, so it's not getting it either. Apple lets you set up more than one device (great for families), but if you're single would you have a second SMS capable iOS device you could set up to also receive the verification code? Even if you did, would you even think it was necessary to add a second device while you're setting up 2fa?

There are certain situations where you might need access to iCloud without the hassle of 2fa. And this is the crux of the matter. Some people say Apple should force users to use 2fa, but that's not always an option for everyone in every scenario.

I understand that but leaving a cloud backup accessible with just a password is problematic. Perhaps they need an alternate factor. They have the recovery code. If that's not effective, make another factor.
post #38 of 82
Quote:
Originally Posted by Shogun View Post

He had me until the last line. He's more outraged than the actresses who had their accounts pried open and their personal data stolen and spread all over the internet for every slimy person on earth to salivate and worse over. Um, yeah. No. I don't think so. One step too far Apple PR. Can you please pull your heads out of your holes?

 

Oh, please **** off with your self-righteous, sanctimonious garbage. You mean these actresses who CHOSE to take nude, pornographic images of themselves posing like whores, who CHOSE to take those images with an internet connected device, who CHOSE to have them uploaded to the cloud, who CHOSE to have extremely shitty passwords, who CHOSE not to enable 2 factor authentication, etc? At what point do these narcissists take accountability and responsibility for their own negligence and complete lack of self respect? It's not blaming the victim to point out that people should do the bare minimum to protect themselves, especially if they're celebrities with nude photos. At what point do people like YOU pull their heads out of their asses, and maybe account for personal responsibility instead of putting all the blame on Apple? These actresses made dozens of moronic decisions that led to that result, God forbid they take some responsibility for it, and God forbid pathetic little white knights like you do the same. Every cloud based service has been breached, in one form or another, at one time. No one put a gun to the heads of these narcissistic little princesses and made them upload nude photos of themselves to the cloud. I'm assuming they got what they secretly wanted- why else take such photos? Only a fucking idiot would do what they did if they truly were terrified of these being publicized.

post #39 of 82

I'm surprised how many people don't realize that deleting a photo from their iPhone doesn't also delete the copy in Photo Stream. With iTunes Match, when I delete a matched song from my library, I get a dialog asking me if I want to delete the copy in the cloud as well. Maybe the same could be applied to Photo Stream. 

"You can't fall off the floor"   From 128k Mac to 8GB MBP

post #40 of 82

I think the main issue is that Apple (like other tech companies) encourages people to share automatically all their data on iCloud. Although this concept is easy and appealing, it is a bad practice. People tend to be very lax with their online account management: they use the same password on multiple online services, write down password on paper, ... People should be taught to make a distinction between their public shareable data and their private data, and to keep their private data private. Private data has no business on a public cloud service.

On all 4 Apple devices I have, I have switched off (among others things) the automatic photo stream upload.

I only use a public cloud service for information I want to share with others and that I don't consider as harmful if it would be exposed. 

For syncing my personal data, I've set up a private cloud service, using the free ownCloud software, a really great package, that supports all my devices and not only the Apple supported ones.
