Comments
Apple tells everyone they didn't have a "Breach" in any of their systems. So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet. Hmm.. ?
You can probably keep your shirt on until they solve this, yes? As the FBI is now involved, they aren't about to divulge information which will allow the perp(s) to cover their trail.
While this may or may not be true, it doesn't excuse Apple from not having rate-limited iCloud login attempts:
http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/
+1 Absolutely... rate-limited and # of attempts are all part of the solution. On the other hand, as suspected by many on this forum, it was not a system wide attack. They went after specific people.
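As an added illustration of the rate limiting the reply above calls for (example code written for this page, not Apple's or any real service's logic; the class name, thresholds and sample credentials are assumptions), here is a per-account failed-login guard that locks the account after a burst of failures and records a notification for the user and the monitoring team:

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed example, not Apple's code: a per-account failed-login limiter of the
# kind the thread says the login endpoint lacked. It keeps a sliding window of
# failed attempts per account, locks the account once the window fills, and
# records a notification so the user and the SOC can see the burst.

WINDOW_SECONDS = 600      # look-back window for counting failures (assumed value)
MAX_FAILURES = 5          # failures allowed in the window before lockout (assumed)
LOCKOUT_SECONDS = 900     # how long the account stays locked (assumed)


class LoginGuard:
    def __init__(self, credentials, clock=time.time):
        self.credentials = credentials            # {account: password}, demo only
        self.clock = clock                        # injectable for testing
        self.failures = defaultdict(deque)        # account -> timestamps of failures
        self.locked_until = {}                    # account -> unlock time
        self.notifications = []                   # (account, message) for user/SOC

    def _prune(self, account, now):
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def attempt(self, account, password):
        """Return 'ok', 'bad_password' or 'locked'. The lock is checked before the
        password, so a correct guess during lockout still fails: that is what
        makes scripted guessing unprofitable."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        self._prune(account, now)
        stored = self.credentials.get(account, "")
        if stored and hmac.compare_digest(stored, password):
            self.failures[account].clear()
            return "ok"
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.notifications.append(
                (account, f"{MAX_FAILURES} failed logins in {WINDOW_SECONDS}s; locked"))
        return "bad_password"


def simulate_guessing(guard, account, guesses):
    """Feed a constructed list of guesses and return the outcome of each one."""
    return [guard.attempt(account, g) for g in guesses]
```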
Almost as if this was orchestrated a few days before Apple’s announced event. Makes you wonder.
I am Certain this will be corrected on the national tv news, local tv new, Yahoo news, Google news, etc. immediately. /s
I am Certain this will be corrected on the national tv news, local tv new, Yahoo news, Google news, etc. immediately. /s
They'll try, of course. But the news organizations are riddled with talking heads and incompetents.
A 2 step process with a on device token generator that generates an additional password every minute would be a nice option.
I think they're more generally about how to set up and use one's iOS device.
Apple offers a variety of workshops, including how to better use many of their specific apps, like iPhoto, iMovie, Numbers, Pages.
They also have a workshop that specifically is about iCloud. Perhaps more people and celebrities should pay a visit to that one.
http://concierge.apple.com/workshops/R095
Apple tells everyone they didn't have a "Breach" in any of their systems. So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet. Hmm.. ?
Even if it allowed brute force attack, if there was no SUCCESSFUL attempt, then I would agree that they were NOT breached. It doesn't sound like that's how the hackers figured out the passwords. I doubt the hackers even KNEW about that.
Apple tells everyone they didn't have a "Breach" in any of their systems. So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet. Hmm.. ?
It's not a breach if the vulnerability wasn't exploited to gain access to the accounts. Apple said, "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." One definition of "breach" is, "an infraction or violation, as of a law, trust, faith, or promise." IMO, allowing a brute force attack on passwords clearly represents a "breach", because it's one of the fundamental things to guard against, an item of trust and faith. They specifically mentioned "Find my iPhone," the service documented to have the vulnerability, and it's hard to believe they would defend it if its vulnerability is what enabled the attack. Note that they're not denying the existence of breaches, as you claimed, just that none of the cases they've looked at was the result of a breach.
Now if it should turn out they're using weasel words, this will look really terrible when the truth comes out, and I'm sure it will come out. It would have been a lot better IMO for them to have acknowledged the vulnerability they just fixed and say whether or not it was a factor, all in plain, unambiguous language.
With paparazzi photographing your every move, it's pretty easy to imagine someone having video or sequenced photos of you entering your Apple ID and password. Oddly enough, Apple is first to seamlessly integrate the Touch ID so this type of privacy can be protected.
Good point.
Especially after Paris Hilton's sidekick got hacked years ago. And freaking celebrities - really? If they don't want to learn little details like two factor authentication then they can certainly afford to hire someone to secure their online persona
Sigh - then again I still have a significant amount of friends and family that can't be bothered to lock their phones with a PIN code
Too many people assume it can't happen to them - they are wrong. Like it or not, two factor authentication, password managers, etc. are necessary evils. 1Password added their new watchtower feature which alerts you to websites that have reported or tested susceptible to recent vulnerabilities - it was very disheartening to see just how many sites I had accounts on came up as vulnerable at one time or another
Yup. Passwords suck. Security questions that revolve around personal info are even worse. Schemes relying on partial numbers like first or last X number of digits of social security, credit card, etc. are even worse yet.
It's a good thing they do. As do most other providers - Google, Dropbox, Yahoo, Microsoft, etc.
If anyone you have an account with that you remotely care about doesn't offer two factor authentication then you need to be burning their phone lines down until they get off their duff and offer it.
And if all they offer are security questions, for God's sake LIE - do not answer them truthfully! And use different answers to the same questions on different sites. Getting a password manager makes this actually pretty easy - along with, more importantly, letting you use nice, long, random passwords that are different on every site as well.
Yup, it's a PITA. But seeing how many sites are getting compromised these days on a ROUTINE basis, if you reuse passwords then I can guarantee every site you use that password on is basically open to 'em. Especially if you are a normal person in picking your password to be word or words out of dictionaries.
Apple has two factor already. If you haven't turned it on, do so!
Why ANYONE, let alone celebrities, answer ANY security questions truthfully simply boggles my mind.
Especially after Paris Hilton's sidekick got hacked years ago. And freaking celebrities - really? If they don't want to learn little details like two factor authentication then they can certainly afford to hire someone to secure their online persona
Sigh - then again I still have a significant amount of friends and family that can't be bothered to lock their phones with a PIN code
Too many people assume it can't happen to them - they are wrong. Like it or not, two factor authentication, password managers, etc. are necessary evils. 1Password added their new watchtower feature which alerts you to websites that have reported or tested susceptible to recent vulnerabilities - it was very disheartening to see just how many sites I had accounts on came up as vulnerable at one time or another
I've seen some folks who seem offended with the notion that they should secure their devices. It's strange. I suppose if you have been fortunate and never experienced crime for yourself (theft, mugging, whatever) you believe you cannot be affected by crime. One's experiences inform one's decision making.
Apple has two factor already. If you haven't turned it on, do so!
What a pain.
Why? The questions aren't the problem. Also they are in plaintext. Answering questions TRUTHFULLY is the problem!!
Get a password manager, and LIE to security questions. Record the question and the bogus answer you put in there. Then use different answers to the same questions on different web sites.
Better still, when you enable two factor authentication on your Apple ID, the questions go away. Poof!
Sure, I wouldn't have any objections if Apple implements even stronger security, especially since they are going to be rolling out their new payment system.
Apple has two factor already. If you haven't turned it on, do so!
Just so you'll know, I neither wrote nor quoted what you attributed to me.
Locking your car and house is a pain too, but we got used to it. Why people think it should be different online - where people don't even have to be physically in your presence but can come at you over the Internet from literally anywhere in the world...
People really do suck at assessing risk...
And even worse they excel at rationalizing why they don't really suck at it
Why? The questions aren't the problem. Also they are in plaintext. Answering questions TRUTHFULLY is the problem!!
Get a password manager, and LIE to security questions. Record the question and the bogus answer you put in there. Then use different answers to the same questions on different web sites.
I've always treated the main password and typical three security questions as:
Password 1: (main password)
Password 2: (security questions)
Password 3:
Password 4:
They're all generated by Keepass, and I typically use long random passwords and shorter random sekrit ansers.