Researcher accuses Apple of ignoring iCloud brute-force attack for 6 months


Comments

  • Reply 21 of 94
    A brute-force vulnerability isn't really a vulnerability. The most damage it can do is attack passwords that use dictionary words ('Password', '12345', and so on, and Apple doesn't let you use those).
    Let's say you have an eight-character password and there are 92 characters you can use, so the password complexity is 92^8 (it's 2^n complexity, it grows exponentially).
    There are 5132188731375616 passwords you need to try.
    Let's say you have 100000 computers, each trying ten passwords every second; it takes 1425607 hours.
    To put it in perspective, there are 8760 hours in a year. It takes about 162 years to crack your iCloud password.

    And this is for one password, knowing how long the password is, and assuming you don't change the password.


    It is not fixed, but not fixing it is not a big problem. (Even if you submit 1000 requests per machine per second, it takes 18 months. And the traffic will get any network administrator's notice and trigger an anti-DDoS attack review.)
  • Reply 22 of 94
    philboogie wrote: »
    Supposedly it was this:

    What exactly do they mean by this?
    None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone

    Hacking individual accounts is not breaching the system, where one would have access to everyone's account. It's worded to give people a false sense of security.
  • Reply 23 of 94
    MacPro Posts: 19,727 member
    charlituna wrote: »
    So they didn't ignore it. They were told about it. They responded. Just because they didn't put in a lockout doesn't mean they were doing nothing. Besides, a lockout is a placebo in many respects because someone can still use piss-poor security questions or phish for passwords.

    And there is still no proof of exactly how those few celeb accounts were accessed to know if this flaw was a factor. Heck, we don't even know how many accounts there were that were actually iCloud ones.

    I'd bet most if not all were phishing exploitations in the so called celebrity hacks.
  • Reply 24 of 94
    MacPro Posts: 19,727 member
    Ridiculous stories about Apple in the past few days. Sigh. What else is new....

    The results are as to be expected ... AAPL down just as intended. Anytime now the bash bug will hit AAPL too. Should be a good time to buy sometime next week.
  • Reply 25 of 94
    I'd bet most if not all were phishing exploitations in the so called celebrity hacks.

    I think you'd win that bet.
  • Reply 26 of 94

    How were the "targeted" accounts compromised? I haven't seen a story that really goes into this.

  • Reply 27 of 94
    pfisher wrote: »
    How were the "targeted" accounts compromised? I haven't seen a story that really goes into this.

    There's probably not just one single solitary way. It's more likely that various methods were used.
  • Reply 28 of 94
    gatorguy Posts: 24,212 member
    dasanman69 wrote: »
    There's probably not just one single solitary way. It's more likely that various methods were used.
    "In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."
  • Reply 29 of 94
  • Reply 30 of 94
    gatorguy wrote: »
    "In his first interview on the subject, Apple Chief Executive Tim Cook said celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords."

    What I meant is how they obtained the password.
  • Reply 31 of 94
    gatorguy Posts: 24,212 member
    dasanman69 wrote: »
    What I meant is how they obtained the password.

    ...by correctly answering security questions. The actual account holder wasn't advised of the failed log-in attempts or the fact that the password was recovered. If they had been many of the hacks may never have occurred.
  • Reply 32 of 94
    gatorguy wrote: »
    ...by correctly answering security questions. The actual account holder wasn't advised of the log-in attempts or the fact that the password was recovered. If they had been many of the hacks may never have occurred.

    The funny thing is that Apple emails for everything else. I went to get my son's iPod Touch restored at an Apple store yesterday, because iTunes on my computer was having a problem accessing the software server, and I immediately got an email saying that the iPod had gotten restored.
  • Reply 33 of 94
    Has anyone heard about the Google breach? http://fus.in/1mqGkUm
  • Reply 34 of 94
    gatorguy Posts: 24,212 member
    dasanman69 wrote: »
    The funny thing is that Apple emails for everything else. I went to get my son's iPod Touch restored at an Apple store yesterday, because iTunes on my computer was having a problem accessing the software server, and I immediately got an email saying that the iPod had gotten restored.

    IIRC Apple has since changed their policies and notifies of password recoveries and data downloads to untrusted devices doesn't it? Not entirely sure.
  • Reply 35 of 94
    pfisher wrote: »
    How were the "targeted" accounts compromised? I haven't seen a story that really goes into this.

    Nik Cubrilovic has probably done the most in-depth reporting as to how the attacks were most likely carried out.

    Here's his first post about the matter on his blog, which John Gruber blogged about as being very likely:
    https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

    Then I saw this post on Wired, that makes me think he's trying to milk his 15 minutes of fame for all it's worth:
    http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-security/all/1

    ... and finally here's the interview he did with Vice:
    http://www.vice.com/read/the-hacking-involved-in-stealing-celebrity-nude-photos-isnt-even-impressive-987

    ***TL;DR***
    • Password reset (secret questions / answers)
    • Phishing email
    • Password recovery (email account hacked)
    • Social engineering / RAT install / authentication keys

    ...all from an underground chat group and forum dedicated to doing just this type of thing, with different "task masters" and spreading the work and the treasures around for the last 2-3 years among themselves.
  • Reply 36 of 94
    gatorguy Posts: 24,212 member
    Nik Cubrilovic has probably done the most in-depth reporting as to how the attacks were most likely carried out.

    Here's his first post about the matter on his blog, which John Gruber blogged about as being very likely:
    https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/

    Then I saw this post on Wired, that makes me think he's trying to milk his 15 minutes of fame for all it's worth:
    http://www.wired.com/2014/09/three-things-apple-can-fix-iclouds-awful-security/all/1

    ... and finally here's the interview he did with Vice:
    http://www.vice.com/read/the-hacking-involved-in-stealing-celebrity-nude-photos-isnt-even-impressive-987

    ***TL;DR***
    • Password reset (secret questions / answers)
    • Phishing email
    • Password recovery (email account hacked)
    • Social engineering / RAT install / authentication keys

    ...all from an underground chat group and forum dedicated to doing just this type of thing, with different "task masters" and spreading the work and the treasures around for the last 2-3 years among themselves.

    Good article and explanation. Thx.

    "7. Apple accounts seem particularly vulnerable because of the recovery process, password requirements and ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recover process, they do reveal if it is valid or not if you attempt to sign up a new account using the same email – so verification (or brute force attempts) are simple. The second step is verifying the date of birth and it will pass or fail based on that data alone so can be guessed, while the last step are the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users if their email account is available to use as an iCloud account or not. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and strict lockout on this process on a per-account basis.

    Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug."

    FWIW these are flaws that Apple has since addressed in the past couple of weeks aren't they?
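    As an added illustration of the point in the quoted post (a recovery flow that fails at each step and returns a distinct message, versus one that validates every field at once, answers generically, and enforces a per-account attempt limit), here is example Python that is neither Apple's code nor Cubrilovic's; the account store is constructed and the lockout threshold is an assumed policy:

```python
import hmac
from dataclasses import dataclass, field
from hashlib import sha256

# Constructed sample account store, not real data.
ACCOUNTS = {
    "alice@example.com": {"dob": "1990-04-12", "answers": ("rover", "springfield")},
}
MAX_ATTEMPTS = 5  # assumed per-account lockout threshold


def _h(s: str) -> bytes:
    """Normalise and hash a field so comparisons are constant-time and case-insensitive."""
    return sha256(s.strip().lower().encode()).digest()


def leaky_recover(email, dob, answers):
    """Step-wise flow as the quoted post describes it: each stage is checked on its own
    and reports its own failure, so every field can be confirmed independently."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "unknown account"
    if dob != acct["dob"]:
        return "wrong date of birth"
    if tuple(a.lower() for a in answers) != acct["answers"]:
        return "wrong security answers"
    return "ok"


@dataclass
class HardenedRecovery:
    attempts: dict = field(default_factory=dict)  # failed attempts per account

    def recover(self, email, dob, answers):
        """Validate everything together, give one generic response for any failure,
        and count failures per account so repeated guessing locks the flow."""
        n = self.attempts.get(email, 0)
        if n >= MAX_ATTEMPTS:
            return "unavailable"
        # Unknown accounts are checked against dummy values so timing and wording match.
        acct = ACCOUNTS.get(email, {"dob": "", "answers": ("", "")})
        ok = email in ACCOUNTS and len(answers) == len(acct["answers"])
        ok = hmac.compare_digest(_h(dob), _h(acct["dob"])) and ok
        for given, expected in zip(answers, acct["answers"]):
            ok = hmac.compare_digest(_h(given), _h(expected)) and ok
        if not ok:
            self.attempts[email] = n + 1
            return "unavailable"
        self.attempts.pop(email, None)
        return "ok"
```

    The hardened verifier returns the same "unavailable" whether the address is unknown, the date of birth is wrong, or the account is locked, which is the single-step, generic-error design the quoted post recommends.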
  • Reply 37 of 94
    Yes, Apple should have addressed this sooner than they did. They get no pass on that.

    But: there is no evidence tying this to the recent celebrity photos hack. Those photos were taken from MANY sources, not just Apple, over a long period of time, and using OTHER methods. There was no single "event" other than the mass "leak" of photos BY the criminals who already had them.

    But that's not as nice a headline.
  • Reply 38 of 94
    gatorguy wrote: »
    IIRC Apple has since changed their policies and notifies of password recoveries and data downloads to untrusted devices doesn't it? Not entirely sure.

    But that wouldn't necessarily stop someone from getting sensitive photos. It only takes a minute to download any photos stored on iCloud. Even if someone was immediately notified that their password had been reset it would probably be too late for them to prevent the acquisition of sensitive photos.
  • Reply 39 of 94
    Gatorguy wrote: »
    Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug."

    Unfortunately the logical extension of that argument implies that one should not be able to determine if an email address is valid, which would contravene RFCs 5321 & 5322, and so there are other non-rate-limited ways to achieve that anyway. I don't think it is reasonable to regard email addresses as secure information.

  • Reply 40 of 94
    One very important fact about the entire "celebrity leaks" affair... which I won't name here, is that a large number of the celebs on the official "unnamed event"... did NOT actually have their accounts hacked. It was boyfriends, friends of friends, and a number of other services involved... not only Apple.

    In fact, from a lot of the exif data that has been identified on a fair amount of the most "damaging" images... were neither taken on an iPhone nor stored there or anything to do with Apple. Also such formats as .webm and .avi have been quite common.

    Sorry to say, nobody outside of the forums and places where you can follow the discussions, has the balls to write about this, because every major media outlet has been warned against viewing the material. I suppose they're also scared that they "partook" in illegal and unsavory peeping even for journalistic merit and correctness.

    And of course, putting Apple in a headline gets guaranteed clicks not only on the article, but in the comment sections. This puts the true "stickiness" into the entire fiasco, and why I definitely see why our friend Benjamin Frost likes to call one of those media entities that continually gets it all wrong and "misspelled" on purpose, "the Grauniad".

    Edited: just saw that @nagromme pipped me and said it just as well + more efficiently :)