Apple says iCloud is safe and secure, stolen celebrity pics were targeted accounts

1234689

Comments

  • Reply 101 of 178
    Apple tells everyone they didn't have a "Breach" in any of their systems.  So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet.  Hmm..  ?
  • Reply 102 of 178
    Quote:
    Originally Posted by SirLance99 View Post



    Apple tells everyone they didn't have a "Breach" in any of their systems.  So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet.  Hmm..  ?

     

    You can probably keep your shirt on until they solve this, yes? As the FBI is now involved, they aren't about to divulge information which will allow the perp(s) to cover their trail.

  • Reply 103 of 178
    h2ph2p Posts: 329member
    Quote:
    Originally Posted by John.B View Post

     

     

    While this may or may not be true, it doesn't excuse Apple from not having rate-limited iCloud login attempts:

     

    http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/


    +1 Absolutely... rate-limited and # of attempts are all part of the solution. On the other hand, as suspected by many on this forum, it was not a system wide attack. They went after specific people.

  • Reply 104 of 178
    h2ph2p Posts: 329member
    Quote:

    Originally Posted by lkrupp View Post

     

    Almost as if this was orchestrated a few days before Apple’s announced event. Makes you wonder.


    I am Certain this will be corrected on the national tv news, local tv new, Yahoo news, Google news, etc. immediately. /s

  • Reply 105 of 178
    Quote:

    Originally Posted by H2P View Post

     

    I am Certain this will be corrected on the national tv news, local tv new, Yahoo news, Google news, etc. immediately. /s


     

    They'll try, of course. But the news organizations are riddled with talking heads and incompetents.

  • Reply 106 of 178
    dasanman69dasanman69 Posts: 13,002member
    sflagel wrote: »
    what there isn't, is a proper secure system that does not require the memory of an elephant and/or the geekiness of an MIT engineer.

    A 2 step process with a on device token generator that generates an additional password every minute would be a nice option.
  • Reply 107 of 178
    apple ][apple ][ Posts: 9,233member
    Quote:

    Originally Posted by SpamSandwich View Post

     

     

    I think they're more generally about how to set up and use one's iOS device.


     

    Apple offers a variety of workshops, including how to better use many of their specific apps, like iPhoto, iMovie, Numbers, Pages.

     

    They also have a workshop that specifically is about iCloud. Perhaps more people and celebrities should pay a visit to that one.

     

    http://concierge.apple.com/workshops/R095

  • Reply 108 of 178
    Quote:

    Originally Posted by SirLance99 View Post



    Apple tells everyone they didn't have a "Breach" in any of their systems.  So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet.  Hmm..  ?

    Even if it allowed brute force attack, if there was no SUCCESSFUL attempt, then I would agree that they were NOT breached.    It doesn't sound like that's how the hackers figured out the passwords.    I doubt the hackers even KNEW about that.

  • Reply 109 of 178
    jonljonl Posts: 210member
    Quote:

    Originally Posted by SirLance99 View Post



    Apple tells everyone they didn't have a "Breach" in any of their systems.  So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet.  Hmm..  ?

    It's not a breach if the vulnerability wasn't exploited to gain access to the accounts. Apple said, "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone." One definition of "breach" is, "an infraction or violation, as of a law, trust, faith, or promise." IMO, allowing a brute force attack on passwords clearly represents a "breach", because it's one of the fundamental things to guard against, an item of trust and faith. They specifically mentioned "Find my iPhone," the service documented to have the vulnerability, and it's hard to believe they would defend it if its vulnerability is what enabled the attack. Note that they're not denying the existence of breaches, as you claimed, just that none of the cases they've looked at was the result of a breach.

     

    Now if it should turn out they're using weasel words, this will look really terrible when the truth comes out, and I'm sure it will come out. It would have been a lot better IMO for them to have acknowledged the vulnerability they just fixed and say whether or not it was a factor, all in plain, unambiguous language.

  • Reply 110 of 178
    With paparazzi photographing your every move, it's pretty easy to imagine someone having video or sequenced photos of you entering you Apple ID and password. Oddly enough, Apple is first to seamlessly integrate the Touch ID so this type of privacy can be protected.
  • Reply 111 of 178
    Quote:

    Originally Posted by tommy0guns View Post



    With paparazzi photographing your every move, it's pretty easy to imagine someone having video or sequenced photos of you entering you Apple ID and password. Oddly enough, Apple is first to seamlessly integrate the Touch ID so this type of privacy can be protected.

     

    Good point.

  • Reply 112 of 178
    docno42docno42 Posts: 3,755member
    Why ANYONE, let alone celebrities, answer ANY security questions truthfully simply boggles my mind.

    Especially after Paris Hilton's [I]sidekick[/I] got hacked years go. And freaking celebrities - really? If they don't want to learn little details like two factor authentication then they can certainly afford to hire someone to secure their online persona :no:

    Sigh - then again I still have a significant amount of friends and family that can't be bothered to lock their phones with a PIN code :p What really drives me nuts are iPhone 5s owners that have a freaking fingerprint reader that works amazingly well.

    Too many people assume it can't happen to them - they are wrong. Like it or not, two factor authentication, password managers, etc. are necessary evils. 1Password added their new watchtower feature which alerts you to websites that have reported or tested susceptible to recent vulnerabilities - it was very disheartening to see just how many sites I had accounts on came up as vulnerable at one time or another :(
  • Reply 113 of 178
    docno42docno42 Posts: 3,755member
    ivince wrote: »
    It just strikes me as worrying that if a small subset of society (celebrity) can be hacked, and these targeted individuals all had poor passwords and/or security questions, then a lot of people can be hacked there by rendering iCloud unsafe for a lot of people by virtue of their own idiocy.

    Yup. Passwords suck. Security questions that revolve around personal info are even worse. Schemes relying on partial numbers like first or last X number of digits of social security, credit card, etc. are even worse yet.

     Surely iCloud needs an extra security measure, like a unique alpha numeric pin or something, or something that can't be retrieved or searched for by a hacker.  Basically to act as an extra measure for people that don't care about their password or questions being rubbish.

    It's a good thing they do. As do most other providers - Google, Dropbox, Yahoo, Microsoft, etc.

    If anyone you have an account with that you remotely care about doesn't offer two factor authentication then you need to be burning their phone lines down until they get off their duff and offer it.

    And if all they offer are security questions, for gods sake LIE - do not answer them truthfully! And use different answers to the same questions on different sites. Getting a password manager makes this actually pretty easy - along with, more importantly, letting you use nice, long, random passwords that are different on every site as well.

    Yup, it's a PITA. But seeing how many sites are getting compromised these days on a ROUTINE basis, if you reuse passwords then I can guarantee every site you use that password on is basically open to 'em. Especially if you are a normal person in picking your password to be word or words out of dictionaries.
  • Reply 114 of 178
    docno42docno42 Posts: 3,755member
    apple ][ wrote: »
    Sure, I wouldn't have any objections if Apple implements even stronger security, especially since they are going to be rolling out their new payment system.

    Apple has two factor already. If you haven't turned it on, do so!
  • Reply 115 of 178
    Quote:

    Originally Posted by DocNo42 View Post



    Why ANYONE, let alone celebrities, answer ANY security questions truthfully simply boggles my mind.



    Especially after Paris Hilton's sidekick got hacked years go. And freaking celebrities - really? If they don't want to learn little details like two factor authentication then they can certainly afford to hire someone to secure their online persona image



    Sigh - then again I still have a significant amount of friends and family that can't be bothered to lock their phones with a PIN code image What really drives me nuts are iPhone 5s owners that have a freaking fingerprint reader that works amazingly well.



    Too many people assume it can't happen to them - they are wrong. Like it or not, two factor authentication, password managers, etc. are necessary evils. 1Password added their new watchtower feature which alerts you to websites that have reported or tested susceptible to recent vulnerabilities - it was very disheartening to see just how many sites I had accounts on came up as vulnerable at one time or another image

     

    I've seen some folks who seem offended with the notion that they should secure their devices. It's strange. I suppose if you have been fortunate and never experienced crime for yourself (theft, mugging, whatever) you believe you cannot be affected by crime. One's experiences inform one's decision making.

  • Reply 116 of 178
    Quote:

    Originally Posted by DocNo42 View Post





    Apple has two factor already. If you haven't turned it on, do so!

     

    What a pain. :)

  • Reply 117 of 178
    docno42docno42 Posts: 3,755member
    I’d also love to be able to write MY OWN QUESTIONS.

    Why? The questions aren't the problem. Also they are in plaintext. Answering questions TRUTHFULLY is the problem!!

    Get a password manager, and LIE to security questions. Record the question and the bogus answer you put in there. Then use different answers to the same questions on different web sites.

    Better still, when you enable two factor authentication on your Apple ID, the questions go away. Poof!
  • Reply 118 of 178
    jonljonl Posts: 210member
    Quote:

    Originally Posted by DocNo42 View Post

     
    Quote:

    Originally Posted by jonl View Post



    Sure, I wouldn't have any objections if Apple implements even stronger security, especially since they are going to be rolling out their new payment system.




    Apple has two factor already. If you haven't turned it on, do so!



    Just so you'll know, I neither wrote nor quoted what you attributed to me.

  • Reply 119 of 178
    docno42docno42 Posts: 3,755member
    What a pain. :)

    Locking your car and house is a pain too, but we got used to it. Why people think it should be different online - where people don't even have to be physically in your presence but can come at you over the Internet from literally anywhere in the world...

    People really do suck at assessing risk...

    And even worse they excel at rationalizing why they don't really suck at it :p
  • Reply 120 of 178
    jonljonl Posts: 210member
    Quote:

    Originally Posted by DocNo42 View Post



    Why? The questions aren't the problem. Also they are in plaintext. Answering questions TRUTHFULLY is the problem!!



    Get a password manager, and LIE to security questions. Record the question and the bogus answer you put in there. Then use different answers to the same questions on different web sites.

     

    I've always treated the main password and typical three security questions as:

     

    Password 1: (main password)

    Password 2: (security questions)

    Password 3:

    Password 4:

     

    They're all generated by Keepass, and I typically use long random passwords and shorter random sekrit ansers.

Sign In or Register to comment.