Comments
I'd love if websites would let me use non-Latin characters for my passwords.
I mean come on! No one would associate a password made of Japanese wordplay with an American who hasn't been anywhere foreign but Ireland and Canada!
When I reluctantly signed up for iCloud in order to preserve my mac.com email address, I disabled Address Book syncing altogether because of security concerns. If vandals can hack Bank of America, they can certainly hack Apple. I do keep a copy of my Address Book on my iPhone and iPad, but I sync them the old-fashioned way: via iTunes. It's a jungle out there.
I do exactly the same thing.
(oops, maybe I shouldn't be saying this)
#$@*& new comment format. ...f$#k it.
You forgot PicAneeBaskets
Quote:
Originally Posted by Cpsro
I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way. e-mail, caldav, carddav.
There you go but how can you use Back to My Mac. That is actually the only feature I cannot replicate for myself when the computers are behind a firewall with dynamic NAT IPs. Syncing the contacts across various devices is a nice feature also.
Quote:
Originally Posted by Cpsro
I avoid iCloud (and Goople) privacy and security issues by using Mac OS X Server, by the way. e-mail, caldav, carddav.
Does this imply that Apple's iCloud does not run on Mac OS X Server?
Quote:
Originally Posted by Haggar
Does this imply that Apple's iCloud does not run on Mac OS X Server?
Whether or not it does, it's true.
Well you could pick a question and provide an answer that is completely unrelated to the question.
IE:
Q: In what city were you born?
A. Superman001
Only you would know the answer to that. A brute force would have to first guess the correct question then supply a zillion possible answers. Providing an unrelated answer here would throw off a brute force dictionary attack if its definition list was names of cities.
Apple could also use multi-token authentication like banks do. Enter your password, answer question(s) correctly, enter identification code sent to mobile/email, and enter a correct captcha to enter.
Of course this just adds more layers, and the data could be captured in a MITM attack and later decrypted.
z3r0
Quote:
Originally Posted by MacBook Pro
I don't consider that "off topic" and I agree entirely. In fact, everyone please submit a feature request here. You can just copy and paste SolipsismX's text.
If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:
Greetings,
I beseech you to add or change questions in iTunes security. While I applaud the additional scrutiny, the questions are too restrictive and quite honestly I can't remember the answers to most of the questions. Unfortunately, since the questions are too restrictive I am unable to purchase any new content from Apple until this is resolved.
Here are examples of questions which Apple is asking:
What was the first car you owned?
Who was your first teacher?
What was the first album you owned?
Where was your first job?
In which city were you first kissed?
Which of the cars you've owned has been your favorite?
Who was your favorite teacher?
What was the first concert you attended?
Where was your favorite job?
Who was your best childhood friend?
Which of the cars you've owned has been your least favorite?
Who was your least favorite teacher?
Where was your least favorite job?
In which city did your mother and father meet?
Where were you on January 1, 2000?
Many of these questions contradict or are contraindicated by good security question principles:
The answer to a good security question should be easy to remember but still not available to others. Ideally, the user should immediately know the answer without doing research or looking up a reference or remembering too far back in time.
Bad examples:
What is your driver's license number? (I haven't memorized mine, have you?)
Car registration number (this may be easy for others to find on the web anyway)
But don't use questions that go back to childhood, or for that matter last year for someone like me.
Bad examples:
What was the name of your first pet?
What was your first car, favorite elementary school teacher, first kiss, etc.
http://www.goodsecurityquestions.com/designing.htm
Please add questions that the average person over 40 can actually remember; more importantly, see the website listed above for security question best practices:
In which city, county and state were you born?
What is your maternal grandmother's maiden name?
Thank you very much for your time and consideration,
"MacBook Pro"
I don't think I'd hire that IT professional, as he should already know that passwords are hacked by sniffing unsecured wireless networks. And also, while I don't know this as a fact for me.com, it would be normal for his password to be stored as a one-way hash value...
Quote:
Originally Posted by SolipsismX
A bit off topic: One thing I'd like Apple to add to iCloud is to see what devices and what IP addresses (for web based access) are connecting to iCloud for any services. This is important because my Mail, Photos, iMessage, Contacts, Calendar and Find My iDevices are all synced via one account, which makes it easy for a single person to spy on your activities and whereabouts.
Yahoo does this already, and I think it's a fantastic feature.
The most sinister use of hacking someone's iCloud password would be to restore from their iPhone backup. You would get EVERYTHING. Texts, photos (not just photo stream), complete contact list, emails, even proprietary app data.
Apple's new security question policy does much to prevent this kind of thing, however.
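The per-device and per-IP view requested above is what an account owner would use to spot a takeover. As an added example (not code from the thread, and not how iCloud or Yahoo implement it), the script below runs a first-seen check over constructed access records: clients and source addresses seen before a cutoff are treated as the owner's own, and every later connection from an unknown client or IP is flagged, with a higher severity when it coincides with a sensitive action such as sending mail or changing the password. The record layout, timestamps, device names and IPs are all assumptions made for the example.

```python
"""Per-account access review: flag connections from clients or addresses the
account owner has never used before.

Added example, not part of the original thread. EVENTS is a constructed sample;
the field layout (timestamp, service, action, client, source IP) is an assumption,
since the page only asks for such a view to exist.
"""

EVENTS = [
    ("2012-03-08T08:02:11Z", "mail",     "sync",            "iPhone (iOS 5.1)",        "203.0.113.21"),
    ("2012-03-08T08:30:45Z", "contacts", "sync",            "MacBook Pro (OS X 10.7)", "203.0.113.21"),
    ("2012-03-08T23:12:09Z", "mail-web", "login",           "Firefox/10 (Windows)",    "198.51.100.77"),
    ("2012-03-09T00:01:30Z", "mail-web", "send",            "Firefox/10 (Windows)",    "198.51.100.77"),
    ("2012-03-09T00:05:00Z", "account",  "password_change", "Firefox/10 (Windows)",    "198.51.100.77"),
    ("2012-03-09T07:55:02Z", "findmy",   "sync",            "iPhone (iOS 5.1)",        "203.0.113.21"),
]

# Actions that matter most when they come from somewhere new.
SENSITIVE_ACTIONS = {"password_change", "send"}


def baseline(events, before):
    """Clients and IPs seen strictly before `before` (ISO 8601 UTC string, so
    plain string comparison orders correctly) form the owner's known set."""
    clients = {e[3] for e in events if e[0] < before}
    ips = {e[4] for e in events if e[0] < before}
    return clients, ips


def find_anomalies(events, known_clients, known_ips):
    """Return (timestamp, service, action, severity, reasons) for every event
    whose client or source IP is outside the known sets."""
    alerts = []
    for ts, service, action, client, ip in events:
        reasons = []
        if client not in known_clients:
            reasons.append("new client: " + client)
        if ip not in known_ips:
            reasons.append("new IP: " + ip)
        if reasons:
            severity = "high" if action in SENSITIVE_ACTIONS else "medium"
            alerts.append((ts, service, action, severity, reasons))
    return alerts


def review(events, before):
    """Build the baseline from history before `before` and flag the rest."""
    clients, ips = baseline(events, before)
    return find_anomalies(events, clients, ips)


if __name__ == "__main__":
    for ts, service, action, severity, reasons in review(EVENTS, "2012-03-08T12:00:00Z"):
        print(f"{ts} {severity:6} {service}/{action}: {'; '.join(reasons)}")
```

The baseline-by-time rule is deliberately simple; a real account view would let the owner confirm or revoke each device explicitly rather than trusting everything before an arbitrary cutoff. What the sample shows is the pattern the thread is worried about: a browser session from an unfamiliar address that sends mail and then changes the password, with the owner's own devices carrying on unaffected.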
Well it is actually quite easy to send an email with a spoofed address. That's how most spam is sent, not via hacked accounts, way too many sendmail servers with little to no verification/authentication.
All it takes is for your address to be harvested on an email list and you are a potential fake address used to generate spam, which may get past some spam blockers because it is a valid address in a recipient's address book.
The emails in the sent folder are an interesting twist, but more likely due to social engineering or keylogging from a Windows machine. If there was a real exploit within the iCloud infrastructure this would be a widespread problem.
Quote:
Originally Posted by Hiro
Well it is actually quite easy to send an email with a spoofed address. That's how most spam is sent, not via hacked accounts, way too many sendmail servers with little to no verification/authentication.
All it takes is for your address to be harvested on an email list and you are a potential fake address used to generate spam, which may get past some spam blockers because it is a valid address in a recipient's address book.
The emails in the sent folder are an interesting twist, but more likely due to social engineering or keylogging from a Windows machine. If there was a real exploit within the iCloud infrastructure this would be a widespread problem.
Here is the first poster who's actually using his brain. This is what I also suspect happened to my account. Since I have a very strong password, I suspect it was more a matter of spoofing than hacking.
If you see below, I attached a junk mail I received in my @me mailbox. You can see the sender and the content.
A bit later I got this error from a mail daemon stating that my mail did not reach the recipient:
I clearly did not send that junk mail to anyone, nor did I know of its existence until I received the error above and checked the junk mail to trace this.
If anyone wants me to post the full headers, I'll be happy to do it.
Quote:
Originally Posted by AndreiD
If anyone wants me to post the full headers, I'll be happy to do it.
You may wish to remove your personal information from them if you do, as you missed one in the images you've posted already.
Quote:
Originally Posted by AppleInsider
"I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudo-randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," they wrote.
Perhaps he's not as overzealous as he thinks?
http://xkcd.com/936/
Quote:
Originally Posted by MacBook Pro
If you would like to make my day, you can copy and paste the following text into another feature request for iTunes Security Info here:
People do realize you don't have to, and really never should, type in real answers to any security questions - right?
I use the excellent 1Password application on my Macs and Windows machines, as well as my iPhone and iPad. It makes having different random passwords of a long length, as well as the same for security questions trivial.
And it solves the whole memory problem - I just have to remember the master password.
Quote:
Originally Posted by DocNo42
People do realize you don't have to, and really never should, type in real answers to any security questions - right?
I use the excellent 1Password application on my Macs and Windows machines, as well as my iPhone and iPad. It makes having different random passwords of a long length, as well as the same for security questions trivial.
And it solves the whole memory problem - I just have to remember the master password.
Bull.
Why should you not type in real answers to security questions? If proper questions are used then the information isn't readily discoverable at least no more so than a random answer.
I use 1Password as well but I don't consider that a proper solution for this particular issue.
full headers could shed some light on origins.
just blank personal info out.
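Hiro's point that a forged From: address says nothing about who sent the mail, and the request above for full headers, come down to the same check: which server first accepted the message, and does the envelope sender pass SPF there. As an added example (not code from the thread, and not something Apple provides), the script below parses two constructed messages and reports where each one entered the mail system. Every hostname, IP and identifier in the samples is a placeholder on reserved test ranges and the ".invalid" TLD, and the provider relay name in PROVIDER_HOSTS is an assumption; a real check would take the provider's published SPF record instead.

```python
"""Header triage for a message that appears to come from a me.com address.

Added example, not from the thread. Both messages are constructed; hostnames,
IPs and IDs are placeholders. Each relay prepends its own Received: header, so
the last Received: header in the message is the first hop, i.e. where the
message was injected. Only hops added by servers you trust (the recipient side)
are reliable; a spammer can forge earlier ones just as easily as From:.
"""
import email
import re
from email.utils import parseaddr

# Outbound hosts a message genuinely submitted through the account's provider
# would be handed off from. Assumed for this example.
PROVIDER_HOSTS = {"mail-out.provider.invalid"}

# Constructed spam as the recipient's server stored it: From: is the victim's
# address, but the first hop is an unrelated relay and SPF fails.
SPOOFED = """\
Return-Path: <victim@me.com>
Received: from mx.recipient.invalid (mx.recipient.invalid [192.0.2.10])
\tby store.recipient.invalid with ESMTP id q29AF02x; Fri, 9 Mar 2012 10:15:02 +0000
Received: from relay.openrelay.invalid (unknown [198.51.100.77])
\tby mx.recipient.invalid with SMTP; Fri, 9 Mar 2012 10:15:00 +0000
Authentication-Results: mx.recipient.invalid; spf=fail smtp.mailfrom=me.com
From: Victim <victim@me.com>
To: friend@recipient.invalid
Subject: Check this out
Message-ID: <20120309101500.4711@relay.openrelay.invalid>

http://offer.spam.invalid/
"""

# Constructed message really sent through the provider's outbound relay.
GENUINE = """\
Return-Path: <victim@me.com>
Received: from mail-out.provider.invalid (mail-out.provider.invalid [203.0.113.5])
\tby mx.recipient.invalid with ESMTPS; Fri, 9 Mar 2012 11:00:00 +0000
Authentication-Results: mx.recipient.invalid; spf=pass smtp.mailfrom=me.com
From: Victim <victim@me.com>
To: friend@recipient.invalid
Subject: Lunch?
Message-ID: <A1B2C3@mail-out.provider.invalid>

Friday?
"""


def _unfold(value):
    """Collapse folded header continuation lines into one line."""
    return re.sub(r"\s+", " ", value).strip()


def origin_hop(msg):
    """(host, ip) of the earliest Received: hop, or (None, None) if absent."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    first = _unfold(received[-1])
    host = re.match(r"from\s+(\S+)", first)
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", first)
    return (host.group(1) if host else None, ip.group(1) if ip else None)


def spf_result(msg):
    """SPF verdict recorded by the receiving server, lower-cased, or None."""
    for value in msg.get_all("Authentication-Results") or []:
        m = re.search(r"\bspf=(\w+)", _unfold(value))
        if m:
            return m.group(1).lower()
    return None


def analyze(raw):
    """Classify a raw RFC 5322 message as spoofed, sent via the provider, or unclear."""
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    envelope = parseaddr(msg.get("Return-Path", ""))[1]
    host, ip = origin_hop(msg)
    spf = spf_result(msg)
    via_provider = host in PROVIDER_HOSTS
    if via_provider and spf == "pass":
        verdict = "submitted through the provider: the account itself was used"
    elif not via_provider and spf == "fail":
        verdict = "forged From: header, injected elsewhere: the account was not used"
    else:
        verdict = "inconclusive: check the provider's Sent folder and login history"
    return {"from": from_addr, "envelope_from": envelope, "origin_host": host,
            "origin_ip": ip, "spf": spf, "via_provider": via_provider,
            "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, analyze(raw))
```

A bounce like the one AndreiD received normally carries the original message's headers in the returned part, so the same analysis applies to it: if the first hop is an open relay and the envelope sender fails SPF at the recipient, the spam was forged, not sent from the account. If instead the message shows up in the account's own Sent folder, as earlier reports in the thread describe, header analysis cannot explain it and the account itself has to be treated as compromised.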
Oddly enough, this same thing happened to me from Thurs to Friday. Various contacts of mine got spam emails from my me.com address, even though I never use it (it's only linked to my Apple ID account). I'm guessing now it was only those in my iCloud contacts since not everyone got the spam. The emails were along the same lines however. It got to a point that my password was changed. I had to use the reset password process to get back into my account. The next day it was changed again on me to the point I had to again reset it. I ended up having to change my Apple ID completely and so far things seem to be good again.
Unfortunately, I don't think this issue is a joke, as something is amiss on the iCloud security side. I've never had any of my accounts hacked until now and I don't use simple passwords nor dictionary words. I'm hoping it was only for a small share of us users, but hopefully Apple investigates this issue.