Apple says iCloud is safe and secure, stolen celebrity pics were targeted accounts


Comments

  • Reply 141 of 178
    Originally Posted by ifij775 View Post

    Can we finally put user generated passwords to rest as a useless security mechanism?

     

    Well, Safari already auto-suggests and auto-saves its own passwords... 

     

    Just need to get idiots to stop using Chrome and Firefox.

  • Reply 142 of 178
    Quote:
    Originally Posted by Apple ][ View Post

     

     

    No worries here! I've had two factor enabled for quite some time now.;)


    Apple's implementation of two-factor only protects certain iCloud services. In particular, two-factor protection does not extend to photo streams (http://techcrunch.com/2014/09/02/apples-two-factor-authentication-doesnt-protect-icloud-backups-or-photo-streams/).

  • Reply 143 of 178
    Marvin, Posts: 15,309, moderator
    ifij775 wrote: »
    Can we finally put user generated passwords to rest as a useless security mechanism?

    Passwords have a number of flaws:

    - they are annoying to type in
    - people choose short or easy to remember passwords for convenience
    - people reuse passwords across sites
    - the act of typing in and sending a password can be intercepted over the shoulder, via communication interception, via phishing etc
    - they can be guessed or brute forced
    - there are too many services that need passwords so it's hard to remember them all and it's not nice changing them all after a security breach
    - someone can hack a database and get millions/billions of passwords all at once

    The question is what to replace them with that will be better. Whatever it is needs the following conditions:

    - no interception possible
    - no bruteforcing or guessing
    - easy to setup
    - easy to login from multiple devices
    - easy to reset after a security breach
    - no central database of all passwords

    Companies like Google have come up with ideas like wearing jewellery or swallowing an authentication pill to use as a security token but I don't think those are very practical. I think the way forward is to use encryption key pairs, possibly multiple keys.

    Say you sign up to an online service like iCloud, you'd visit the page with a browser. You'd type in your email address and then your device, not the server would generate a public and private key pair. The public key would be sent to and stored on the server and both keys stored on the device in a secure location. That's the setup done. When you ask the server to login, it will check the IP location for anything suspect as well as multiple attempts (it's a computer controlled login so there should be no mistaken logins), it would then generate a random phrase on the server and encrypt it using the public key on the server. Only your device has the private key to decrypt it to send it back unencrypted. The server would then check that the decrypted phrase matches the random string it sent. Even if that return string is intercepted, it's random so it doesn't matter, it would send different ones each time and it can include a timestamp to limit the validity of it.

    This means the only database that exists is of public keys, which aren't important on their own so it doesn't matter if someone hacks the database. There's no possibility for looking at typed in passwords or guessing them.

    The security here hinges on protecting the private keys on the device and the convenience of using multiple devices has to be allowed for. No private keys can go onto the internet. This means protecting them in a keychain-like storage and these can require a passcode to access locally or use the fingerprint on the device. Each key can be isolated so that it's only made accessible to the OS if the user tries to logon to a given service so that way if there is a local compromise, it only affects one service and not all keys are compromised at once. The private keys can be secured too so that a local process can never distribute them online e.g only grant read access to a specific piece of OS code that would have to be compromised via root access.

    Multiple device access is harder because the private keys are not put online so syncing them has to be done via a local network or bluetooth. This would mean if you setup iCloud on a computer, you couldn't access it directly from your mobile phone as your device wouldn't have the private keys generated on the computer. The way round this is to allow the phone to setup its own access, it doesn't matter how many login keys you have as long as it's tied to the same account - since the device has the public key, it can use this to check which pair you use but local syncing of private keys (again via an OS process) is an option too.

    Possible compromises would be someone at work syncing all private keys from a laptop to their own phone. This can be prevented by requiring an admin password to sync keys as well as the password to unlock access to the keys. If you have that access, you can install a keylogger anyway or open the keychain.
    Another might be spoofing a server after getting a public key to try and figure out the private key with multiple requests but the keys can be generated using a domain so that they will only respond to that domain and view multiple requests as suspicious.
    If someone compromises the local password for securing the keys, they still can't read the keys directly and updating this password is easy. If the local password is forgotten, they may have to wipe all the keys but reissuing is fairly trivial, even for multiple services.

    It is backwards compatible with every existing authentication system. They all use databases, all this needs is a column in a database for public keys and some code to encrypt random strings with the key. Every company can have their own implementation for how to store the private keys but it would be nice to have some standardization for form filling so that addresses can be entered easily without relying on browser auto-fills.

    I think large companies would be scared to try something so different out on a wide scale in case their entire system was compromised but they can do a limited beta test for a small subset of users, even dummy users and get security professionals to try and compromise it. It's dangerous for them to keep promoting the use of password systems though because it expects users to understand and account for their weaknesses, security needs to be handled for them.
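
The login flow described in reply 143, as an added example that is not part of the original post and is not Apple's or any vendor's implementation: the device generates the key pair, the server keeps only public keys, and each login decrypts a fresh random challenge that expires and can be used once. It uses Node's built-in `crypto` module; `makeDevice`, `makeServer`, `demoLogin`, the 30-second window and the e-mail address are hypothetical names and values chosen for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const TTL_MS = 30000; // assumed validity window for one challenge

// Device: generates the pair locally; the private key never leaves this closure.
function makeDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return {
    publicPem: publicKey.export({ type: 'spki', format: 'pem' }),
    answer: (ciphertext) => nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext),
  };
}

// Server: one "column" of public keys per account plus short-lived pending challenges.
function makeServer() {
  const keys = new Map();    // email -> array of public-key PEMs, one per enrolled device
  const pending = new Map(); // challenge id -> { nonce, expires }
  return {
    enroll(email, publicPem) {
      const list = keys.get(email) || [];
      keys.set(email, list);
      return list.push(publicPem) - 1; // index identifies which device key to use
    },
    challenge(email, keyIndex, now = Date.now()) {
      const pem = (keys.get(email) || [])[keyIndex];
      if (!pem) return null;
      const nonce = nodeCrypto.randomBytes(32); // fresh random value for every login
      const id = nodeCrypto.randomBytes(16).toString('hex');
      pending.set(id, { nonce, expires: now + TTL_MS });
      return { id, ciphertext: nodeCrypto.publicEncrypt({ key: pem, ...OAEP }, nonce) };
    },
    verify(id, response, now = Date.now()) {
      const entry = pending.get(id);
      pending.delete(id); // single use: a captured response cannot be replayed
      if (!entry || now > entry.expires) return false;
      return response.length === entry.nonce.length &&
        nodeCrypto.timingSafeEqual(response, entry.nonce);
    },
  };
}

// Constructed walk-through: one good login, then a replay of the same response.
function demoLogin() {
  const device = makeDevice(), server = makeServer();
  const idx = server.enroll('user@example.com', device.publicPem);
  const c = server.challenge('user@example.com', idx);
  const response = device.answer(c.ciphertext);
  return { first: server.verify(c.id, response), replay: server.verify(c.id, response) };
}
```

A second device enrolls its own public key under the same account and is addressed by its own index, so no private key has to be copied between devices.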
  • Reply 144 of 178
    gatorguy, Posts: 24,176, member
    There may be more to the story than Apple was willing to discuss.

    "If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.

    On Tuesday afternoon, Apple issued a statement calling the security debacle a “very targeted attack on user names, passwords and security questions.” It added that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”

    But the conversations on Anon-IB make clear the photo-stealing attacks aren’t limited to a few celebrities. And Zdziarski argues that Apple may be defining a “breach” as not including a password-guessing attack like iBrute. Based on his analysis of the metadata from leaked photos of Kate Upton, he says he’s determined that the photos came from a downloaded backup that would be consistent with the use of iBrute and EPPB. If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets. “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

    http://www.wired.com/2014/09/eppb-icloud/
  • Reply 145 of 178

    So, apparently according to one person who looked at this with some depth (https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/), celebrity data theft is something that goes on all the time. Usually, these things don't become public, because they are worth money, and in general only people who pay get to see it.

     

    Now we know where some of Samsung's enormous marketing budget went.

  • Reply 146 of 178
    sflagel wrote: »
    If I ever saw an excellent use case for a smart iWatch, it is to send instant two-factor verification codes at every login! That would make iCloud super secure!

    That is, until someone other than you is in possession of both of those factors.
  • Reply 147 of 178
    gatorguy, Posts: 24,176, member
    Marvin wrote: »

    Companies like Google have come up with ideas like wearing jewellery or swallowing an authentication pill to use as a security token but I don't think those are very practical. I think the way forward is to use encryption key pairs, possibly multiple keys.... etc

    Marvin, what do you think of something like SlickLogin as a password replacement? I realize the sticking point is still getting "the web" to cooperate.
    http://techcrunch.com/2014/02/16/google-acquires-slicklogin-the-sound-based-password-alternative/
  • Reply 148 of 178
    fallenjt, Posts: 4,053, member
    sirlance99 wrote: »
    Apple tells everyone they didn't have a "Breach" in any of their systems.  So I guess letting brute force scripted password attacks happen on multiple accounts without any notification to the users, Apple network monitors, system admins, etc. is not considered a breach of security or security flaw.. But yet they also admit this is an "all too common" practice on the internet.  Hmm..  ?
    Brute force was a lie. It didn't hack any account. The script randomly enters passwords and guess how many passwords it has total? 500. Yup Five Hundred...how bs is that?
  • Reply 149 of 178
    dasanman69, Posts: 13,002, member
    hill60 wrote: »
    Why not use the answers to the questions you'd like to write?

    There's less chance of guessing nonsensical answers that don't relate to the questions.

    There's a word for that, 'redirection'.
  • Reply 150 of 178
    fallenjt, Posts: 4,053, member
    gatorguy wrote: »
    There may be more to the story than Apple was willing to discuss.

    "If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consult and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.

    On Tuesday afternoon, Apple issued a statement calling the security debacle a “very targeted attack on user names, passwords and security questions.” It added that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”

    But the conversations on Anon-IB make clear the photo-stealing attacks aren’t limited to a few celebrities. And Zdziarski argues that Apple may be defining a “breach” as not including a password-guessing attack like iBrute. Based on his analysis of the metadata from leaked photos of Kate Upton, he says he’s determined that the photos came from a downloaded backup that would be consistent with the use of iBrute and EPPB. If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets. “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

    http://www.wired.com/2014/09/eppb-icloud/
    And I don't believe any shyt he said and Bruteforce. There're many pictures taken long before iCloud and even with Blackberry and other platforms and even fake confirmed by some celebrities. The whole hacking celebrity accounts so far has been speculation and sounded bs too, nothing proven. They could've claimed the hacked Dropbox, Google Drive too and no one knows, but they didn't because celebrities don't use android or MS phone, but iPhone.
  • Reply 151 of 178

    The iWatch has a built in permanent biometric sensor that works only if you wear it.

  • Reply 152 of 178
    Quote:

    Originally Posted by SpamSandwich View Post





    That is, until someone other than you is in possession of both of those factors.

    The iWatch can have a built in biometric sensor that notices whether you are wearing it or someone else. A combination of temperature, blood pressure, skin pressure, etc

  • Reply 153 of 178
    chadbag, Posts: 1,999, member
    Quote:

    Originally Posted by JONOROM View Post





    Actually, they are the brightest peas in the pod. Physical attractiveness has been shown to be positively correlated with intelligence in numerous studies.

    Sorry to insult your intelligence, but your assumption is dumb, sexist prejudice.

    Links for your claim?

     

    4 words

     

    Stephen Hawking

    Paris Hilton

     

    And hardly sexist, I am an equal opportunity mocker of celebrity idiots.   I can think of plenty of male celebrities that would have been included had this most recent issue included male celebrities...

  • Reply 154 of 178
    chadbag, Posts: 1,999, member
    Quote:

    Originally Posted by fallenjt View Post





    And I don't believe any shyt he said and Bruteforce. There're many pictures taken long before iCloud and even with Blackberry and other platforms and even fake confirmed by some celebrities. The whole hacking celebrity accounts so far has been speculation and sounded bs too, nothing proven. They could've claimed the hacked Dropbox, Google Drive too and no one knows, but they didn't because celebrities don't use android or MS phone, but iPhone.

     

    I don't know or have an opinion on this latest "scandal" but having originally been taken on a Blackberry is no proof that it was not on someone's iPhone and in iCloud.  I have photos in my camera roll on my iPhone that date back to my original 2007 iPhone as well as ones taken with other devices/cameras.

  • Reply 155 of 178
    Just imagine if we could harness the energy generated by the rush to be offended.
  • Reply 156 of 178
    ipen, Posts: 410, member

    There must be something more...  AAPL drops over 4%.

  • Reply 157 of 178
    ipen wrote: »
    There must be something more...  AAPL drops over 4%.

    One of my buy orders at $99 went through, placed another order at $90, just in case the whole market is dumping today.
  • Reply 158 of 178

    So iCloud is safe and secure...unless you're targeted and don't have 2-step verification enabled?

     

    Well I for one had no idea if I had it enabled or how to enable two-step verification until recently and I'm hardly a typical Apple user so I'd love to know what the average adoption rates of two-step verification are.  I never even noticed a prompt to enable it until signing in to Yosemite public beta.

     

    Rather than be so pompous and arrogant all the time maybe Apple should take the opportunity to push two-step verification harder or even make it mandatory!

  • Reply 159 of 178
    Last night on MSNBC (Lawrence O'Donnell show) there was an interview with a Buzzfeed rep, already forgot his name. It was worthy of a slander suit, seriously. I don't think he weaseled enough, and left himself wide open to legal action from Apple. Is Buzzfeed invited to the Sept 9 event? They shouldn't be. Assholes.

    Good god I am sick of the manipulation that goes on in this stock. One of these days Samsung is going to really step in it and destroy their own reputation.
  • Reply 160 of 178
    palomine wrote: »
    Last night on MSNBC (Lawrence O'Donnell show) there was an interview with a Buzzfeed rep, already forgot his name. It was worthy of a slander suit, seriously. I don't think he weaseled enough, and left himself wide open to legal action from Apple. Is Buzzfeed invited to the Sept 9 event? They shouldn't be. Assholes.

    Good god I am sick of the manipulation that goes on in this stock. One of these days Samsung is going to really step in it and destroy their own reputation.

    People love to attack the leader. This is nothing new.