So I'd wager there'd be quite a few celebrity dick pics available too if hackers wanted them. We know men like to send them unsolicited, and I'm sure those celebrities had received more than a few. But there are none. And why? Because those women were specifically targeted by people with a lot of resources and patience. (It's important that they were targeted specifically for being women.)
To all of you idiots blaming the victims out there right now "should have used 2fa, should have used stronger passwords":
1. You don't know if 2FA was in place, you don't know what strength the passwords were.
2. Again: those women were highly targeted. Can you defend yourself if someone takes on a week- or month-long project to break into your phone? (Also, this was during Heartbleed and other big vulnerabilities.)
Come off your bullshit high horse. Don't blame the victims here.
Re: 1) 2FA wasn't in use by these individuals. If you read the Apple release they not only neglect to mention 2FA as a source of the breach but actively encourage users to sign up for it. If 2FA was in place I doubt that this vector would have been successful.
That being said, I think the culpability is on Apple here as much as it is on the individuals responsible for obtaining the links. Security questions were never good security and companies need to start moving away from failed models.
Security questions are just horrible. 2FA is good, but these celebs have people that handle their social media, so even if the technical leaks are plugged, things would just move to social engineering tactics: bribe an assistant, etc. Probably a number of people have a celeb's Twitter password.
Pretty worthless statement by APPL. "Happens all the time", "not our fault", etc. They should be called out for security questions in the first place if that's what they use at all. Even after Sarah Palin, which was greatly publicized. These companies learn nothing.
So "This is a very common attack on the Internet that we didn't do much to protect you against by default"?
It's a pain setting up two-step authentication across a lot of services, but I guess iCloud is probably one that's worth the effort. Still, I'd rather brute force were not an option.
From what I've read on 4chan, Ars, Slashdot (individual comments, not articles) and other sources, this wasn't one person hacking a group of celebs' accounts, but a leak from an underground celeb nude trading ring that has existed for a while. So multiple hackers over a long period of time, from multiple sources.
I'm sorry, but Apple was hacked. There are multiple layers to security. Even the physical security of the building counts. If you have a terrible, easy-to-crack security system like "What is your first pet's name?" and your customers lose their data because of it, your system was hacked. Plain and simple. Security isn't just blocking a port or an IP range, it's the entire, the entire, system. Those "security questions" are very easy to find out, therefore the system is insecure.
While I wouldn't disagree with the stupidity of "security questions" answered straight, I don't know if this is something to lay on Apple's doorstep, because anyone with a modicum of knowledge either lies or supplies "custom" security questions-- it's basically a "if you forget password A, remember password B" system. But explaining that to users who have issues with a password is a lot more far-reaching and widespread than any one company.
Additionally, making "security questions" passwords in and of themselves is going to tremendously increase the volume of your support tickets. At some point, you need to make a cost/benefit analysis and make a decision including that, not just looking at "what's more secure if we assume our users are stupid".
If you really want a niche market, though, "social media security consultant" for celebrities would probably make you a pretty penny nowadays...
>Additionally, making "security questions" passwords in and of themselves is going to tremendously increase the volume of your support tickets. At some point, you need to make a cost/benefit analysis and make a decision including that, not just looking at "what's more secure if we assume our users are stupid".
I think as long as you can choose your own level of security, this is actually the best solution, even though some people will not have a firm grasp on how much security they are choosing to have. Right now the default is a fairly low level of security (answer the security questions correctly, plus possibly an e-mail loop), but you can just answer the security questions with another password if you want to, assuming that they don't have any kind of thing that detects weird answers. Unfortunately, almost no one lets you selectively disable things like security questions or password resets.
Whenever these types of questions are required for account recovery, I use a false set of answers as an additional security measure. Probably a good practice for a celebrity.
I agree, however sometimes your front brakes are out and you still need to bike home. A bit of critical thinking can allow you to largely overcome a serious safety issue. Saying "the system is broken" is less helpful than saying "since it's broken, give this hack a try," IMO.
Don't most companies use this very same "insecure" system? 99% of the population won't have this problem because not even some of your closest friends know what street you grew up on or your mother's maiden name. If you are going to use this information as part of your personal security, don't go telling people. Because, duh, you might as well tell them your password.
I forget the term for it, but it's exactly like Terms and Conditions. Always expect the user to solve any puzzle put to them using the least amount of energy/effort. It's quite honestly not worth it to anyone to go through the work of securing their information/data/whatever until it's actually genuinely at risk or they have lost something in the past. Until then it's an impediment and an annoyance that makes them very unhappy.
Once something like this happens it's impressive how much cognitive dissonance there is behind the excuses those very same people make or their claims that not enough was done to protect them. Don't get me wrong, these individuals were horribly victimized and it's not ok, but we can't allow ourselves to be satisfied by just blaming the company, especially if they otherwise provided the tools that would have kept the account secure. We can only realistically expect the companies we entrust our data to be responsible for making it possible for us to secure our data and not leaking it through other systemic failures. If we choose to shortcut it then it's our responsibility to learn from that and do better next time. We can't blame anyone involved here for doing what they should otherwise be motivated/expected to do. Apple provided the tools to protect the accounts, and as far as we know didn't allow them to be otherwise compromised. The victims set up their accounts in a way that they could easily access/recover them in the future (honestly, it's now required to remember around 20+ account passwords to manage our lives and it's only getting worse) regardless if they knew the risks or not. Security education is out there and it's as loud as we could hope to get it, people just won't internalize it until the risk is tangible. We can demand that companies like Apple, but it won't actually improve anything if people can't be bothered to use them or more importantly find it WAY more inconvenient and seek ways to bypass them in whatever way possible just to get them out of the way.
It's a shame that this is blowing up for Apple as if it's all Apple's fault, but maybe some good can come from it.
My favorite are banks that require you to use their security questions which are along the lines of "What city were you born in?"
The average user probably trusts their bank, and assumes that their bank is doing everything to protect them, and unknowingly compromises themselves by putting in correct answers to trivial questions.
"99% of the population won't have this problem because"
they don't use facebook or photo sharing sites or ... oh wait I guess they do. That might be a problem.
I don't think this is rocket science here. Find my FB account, find my mom, what is her brother's/uncle's/father's last name, or just look at her "friends" list and try the most common last names. Or heck, just try them all, there won't be more than a couple hundred to try and that's easier than brute-forcing the entire phone book. Heck, just use my friends list, I know enough men on my mom's side of the family. Done. Next.
Find my FB account and get a general idea where I grew up (just to make sure, although my name is weird enough for this not to matter). Go to a genealogy website, search old phone books for my mom's name or just my last name, street name was Greenfield. Maybe you'll find my house and my aunt's house, so two names to try. Done. Next.
Find my FB account, look through old pics, here's me and my girlfriend in front of this 80s subcompact POS, that being my first car, which was a falling-apart POS when I got it, but whatever. Ask an "old" guy to ID the car. It's either a Dodge Omni or a Plymouth Horizon. And it's red, if that's the question. Done. Next.
It's very unusual to have a "personal security question" that isn't answered by Facebook, Twitter, LinkedIn, any of the photo sites, classmates.com, etc.
>99% of the population won't have this problem because not even some of your closest friends know what street you grew up on or your mother's maiden name.
Those are the same hand-wavy thought processes used by people who are paid to know better that get them hacked.
If I knew your name and where you live, I could find out your mother's maiden name and the street you grew up on in not much more time than it took me to type this comment - especially if it were something I did all the time. Fact-based additional confirmation questions are stupid, and non-fact based ones are impossible to remember.
seriously: http://www.peekyou.com/ or any of these services will work, and many of them allow you to buy prepaid packages.
Personally I don't believe using preset security questions should ever be allowed. People should be allowed to type their own security question and answer.
AAPL stock is up today, despite iCloud being implicated. I'm not sure what exactly that means, but my personal guess would be that cognitive dissonance and a general "slut shame"-y attitude means people blame these celebrities for taking the photos / getting "hacked" and not Apple.
Not saying that's right, I definitely think that's the wrong take-away from all this, but I suspect that's what's happening, at least in these early days...
I've spent some time thinking about and talking about it with friends in the security world before.
I think it's a good idea, but falls short in reality. Celebrities arguably don't want it, you'd be a babysitter between them and their devices/APIs. Something they'd likely hate and continuously undermine, especially when a large part of their "job" is connectedness.
>I think it's a good idea, but falls short in reality. Celebrities arguably don't want it, you'd be a babysitter between them and their devices/APIs. Something they'd likely hate and continuously undermine, especially when a large part of their "job" is connectedness.
If Entourage has anything to do with the real world, you could just as well be talking about their agents. And as far as I know, there is no celebrity without an agent.
> When you set up two-step verification, you register one or more trusted devices. A trusted device is a device you control that can receive 4-digit verification codes using either SMS or Find My iPhone. You're required to provide at least one SMS capable phone number.
> Then, any time you sign in to manage your Apple ID at My Apple ID or make an iTunes, App Store, or iBooks Store purchase from a new device, you'll need to verify your identity by entering both your password and a 4-digit verification code, as shown below.
> After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
> None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
Um... doesn't "a very targeted attack on user names, passwords and security questions" count as a "breach in... Apple's systems"? A social engineering hack is still a hack.
Is it still a social engineering hack if a well-known celebrity with their personal info broadcast all over the internet decides to use that personal info to secure their account? Or rather, is that a social engineering hack on Apple, or on the celebrity themselves?
And what should Apple do, in this situation? If your name shows up in tabloids, don't allow you to answer certain security questions? Require 2FA if your name is mentioned on Google more than a certain number of times?
I don't feel this is an Apple problem any more than it would be if someone created their iCloud password and then posted it on their Twitter.
"Require 2FA for everybody, full stop" would do the trick.
The proposed solutions you outline all assume that "password + security question" is only an insecure system for celebrities. But we have enough experience by now to know it's an insecure system for everyone.
Most 2FA schemes give you some backup codes. I'm sure people use Find My iPhone differently, but it's not unreasonable to suspect that it is used rarely. Once your device is back in hand you could generate a few new backup codes.
At what point do tech companies start making two factor authentication mandatory?
It's one thing to say "We tell our users to use two-factor authentication; it's their fault if they don't use it", but it's another to say "all user accounts use two-factor authentication to ensure the security of their data".
> After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
So, the brute force attack with reasonable guesses at email addresses?
Or just password recovery with trivially discoverable personal details. To a determined attacker, your mother's maiden name, the street you grew up on, and the name of your first pet are not hard to figure out.
Information like that isn't even secret, the whole practice of using password recovery questions needs to go away.
My guess would be that they found an address of someone with ties to a celebrity, compromised their account through security questions, and then found more personal information and iCloud accounts by going through the contacts of each person they compromised.
That was my suspicion from the start, security questions tend to be the easiest way to compromise accounts since finding someone's mother's maiden name isn't hard to do anymore.
I think it's quite easy to argue that when accounts are compromised because of security questions, whoever implemented those questions is at fault. They are a convenient, if crap, way to secure accounts. Apple and everyone else have to do better.
(I suppose the good news is that you can actually protect yourself from this. However, how to protect themselves won’t reach most people, so in the big picture this is cold comfort. I do think it’s the job of the platform owner to make sure that users cannot easily leave themselves open to attacks. Most people don’t know about security, the platform owner does.)
I always put in made-up or nonsense information for the answers to the security questions, and store it all in the same encrypted file with my passwords. Seems more secure than using correct information that would not be hard for an attacker to discover. ("Then how will you get password recovery?" "I will never need that.")
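The approach in the comment above, and the earlier suggestion of "answering the security questions with another password", amount to treating recovery answers exactly like a second password. The following is an added example (not Apple's recovery flow and not any commenter's own tooling) of what that looks like on both sides: the user generates a random, unguessable answer to keep in a password manager, and the service stores only a salted slow hash of it and compares in constant time. Question labels and the enrolled user are constructed for the example.

```python
"""Recovery-question answers handled as secrets, not as facts.

Added example: client side generates high-entropy answers that no public
record (Facebook, genealogy sites, tabloids) can reveal; server side stores
only a salted PBKDF2 hash, so a database leak does not expose the answers.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000   # constructed value; tune to your hardware budget


def make_random_answer(nbytes=18):
    """Return a random URL-safe answer (18 bytes -> 24 characters)."""
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer, salt=None, iterations=PBKDF2_ITERATIONS):
    """Server-side: derive a salted hash; never persist the answer itself."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_answer(candidate, record):
    """Server-side: recompute and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def enroll(questions):
    """Enrol a user: returns (client_vault, server_records).

    client_vault is what the user keeps in their encrypted password store;
    server_records is all the service ever sees.
    """
    vault, server = {}, {}
    for q in questions:
        answer = make_random_answer()
        vault[q] = answer
        server[q] = hash_answer(answer)
    return vault, server


def recover(question, candidate, server):
    """Recovery attempt: True only if the candidate matches the stored hash."""
    record = server.get(question)
    return record is not None and verify_answer(candidate, record)


if __name__ == "__main__":
    # Constructed question set for a hypothetical user.
    questions = ["first pet", "mother's maiden name", "street you grew up on"]
    vault, server = enroll(questions)
    print("stored on server:", server["first pet"])
    print("real answer ok:", recover("first pet", vault["first pet"], server))
    print("guessed 'Fluffy' ok:", recover("first pet", "Fluffy", server))
```

The trade-off the thread raises still applies: a random answer is only recoverable from the password store, so losing that store means losing the recovery path as well, which is exactly the "I will never need that" bargain the commenter describes.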
No as I can try and guess your login credentials and that is a perfectly acceptable and valid workflow which isn't exploiting anything.
I think the issue is that the previously posted Find My iPhone code didn't rate-limit invalid logins and this was used to brute-force creds. This is probably the real underlying issue and not any type of buffer overflow / exploit etc.
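The defence the comment above says was missing is a rate limit on failed logins. The following is an added example (not Apple's code and unrelated to the actual Find My iPhone endpoint) of a sliding-window throttle keyed on both the account and the source address, so that neither "many guesses against one account" nor "one guess against many accounts from one source" runs unchecked. The thresholds, the user store and the attempt sequence are constructed for illustration.

```python
"""Failed-login throttling with a sliding window and temporary lockout.

Added example. Policy numbers are constructed; a real service tunes them
and usually layers on CAPTCHA, device reputation and alerting as well.
"""
from collections import deque
import hmac

MAX_FAILURES = 5        # failures allowed inside the window
WINDOW_SECONDS = 900    # sliding window for counting failures
LOCKOUT_SECONDS = 1800  # how long a key stays locked after tripping


class LoginThrottle:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> unix time the lock expires

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop stale entries
            q.popleft()
        return q

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key, now):
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key, now):
        self._failures.pop(key, None)


def attempt_login(throttle, users, username, password, source_ip, now):
    """Return 'locked', 'ok' or 'denied'.

    `users` is a constructed dict of username -> password used only so the
    example is self-contained; a real service checks a password hash.
    """
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(throttle.is_locked(k, now) for k in keys):
        return "locked"          # rejected before the credential is even checked
    expected = users.get(username, "")
    if expected and hmac.compare_digest(expected, password):
        for k in keys:
            throttle.record_success(k, now)
        return "ok"
    for k in keys:
        throttle.record_failure(k, now)
    return "denied"


def simulate_guessing(throttle, users, username, source_ip, guesses, start=0):
    """Replay one guess per second and return the outcome of each attempt."""
    return [attempt_login(throttle, users, username, g, source_ip, start + i)
            for i, g in enumerate(guesses)]


if __name__ == "__main__":
    users = {"alice": "correct horse battery staple"}      # constructed
    t = LoginThrottle()
    guesses = [f"password{i}" for i in range(7)] + [users["alice"]]
    print(simulate_guessing(t, users, "alice", "203.0.113.5", guesses))
    # -> 5 x 'denied', then 'locked' for every later attempt, even the right one
```

Because the lock is checked before the credential, a correct password submitted during the lockout is refused too; that is the point, since the window for a guessing run has been closed. The `ip:` key also means a second account attacked from the same locked source is refused without any failures of its own.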
Not really. There's a perfectly valid distinction between accounts compromised by poor password recovery processes and more general ways of compromising the system, i.e. attacks that require targeted information about the account being compromised and attacks that compromise many accounts at once.
Systems aren't just technical (software), they involve human beings, feedback loops, interactions, etc. Apple's security systems are in fact weak, just not weaker than the norm.
Actually I think the Apple press release was poorly worded. This in particular:
> None of the cases we have investigated has resulted from any breach in any of Apple’s systems
There was indeed a breach in Apple's system, there just wasn't a system wide breach that compromised all accounts, just a select few.
It seems significantly more likely that the "hack" was in the account recovery system which allows -- via a couple of often easily discovered personal details -- a complete, immediate account takeover.
People have become so close with their smartphones that they entrust it with more information than their friends know.
In addition no brand is more loved than Apple, with many celebrities being ambassadors to the brand. The brand is planning to introduce new payment and health services next week.
For the average consumer two-factor-authentication means nothing, but they will start distrusting Apple more and will be more careful with data. This does not mean they will use more and better security. The average consumer will just stop using some of these services.
The way they worded it can be interpreted to mean that it is still a possibility that the Find My iPhone bug was involved. And anyway, I'm still wondering if it was exploited in this celeb pic scandal or other breaches we haven't heard about yet, so I still have those questions.
It seems like it would be a feat to gather all the user IDs of these famous people in the first place. I'm guessing there's a black market just for that? I used to work on a service used by quite a few famous people, if anybody on the project was unscrupulous, it would have been easy to pass those emails and other personal information on to a hacker.
If you can break into one person's account and get their contacts then you can recurse from there. It's likely that one celebrity knows another and so on.
Google and Yahoo both had 2FA holes in their mobile authentication entry points. No data to back this up other than my own experience and seeing the last logins coming from mobile devices in another country.
Why "ugh"? Introducing a delay makes it much more difficult for an attacker to use 2FA to lock a user out of a compromised account. It's actually a really smart idea.
I'm confused. The description of the problem doesn't rule out an issue with iBrute (targeted attack on usernames, passwords) but then they state it wasn't an issue with iCloud or Find My iPhone.
Is this to suggest that it's social engineering or just a password reset job? I don't otherwise see how an attack on usernames and passwords translates.
I guess the thing I'm really trying to figure out is that if it was iBrute (which personally I would find an embarrassing failure), would they actually admit it?
That's certainly what they want you to take away from it, but is it what they actually said?
Failing to rate limit login attempts is a fuzzy sort of failure. I would probably call it a "vulnerability", but I wouldn't call it a "breach" to take advantage of it to figure out someone's password.
To me, this reads as a carefully crafted non-denial that looks like a denial if you don't really pay close attention.
>> They seem to have specifically ruled it out later in the statement
>> > None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
Have they ruled it out? When you factor in that the statement's intended audience is the entire world, not just cyber security experts, the wording becomes muddy, as it depends on how you interpret the word "breach".
If someone successfully uses a password attack, is it actually a 'breach' of Apple's systems? After all, the systems successfully prevented entry until a valid password was entered, which is exactly what the systems were designed to do.
I'm curious what you base that on... that they own up to problems. I know it's certainly not true with hardware issues. They may eventually fix it, but it's rare that they'll comment on it.
Not necessarily. They could make an argument that the services themselves were not "breached"; however, the users' weak passwords allowed them to be compromised.
I am kind of sick of hearing about how celebs got hacked and how it is such a big deal.
The media over-hypes these things and really the celebs involved should have used stronger passwords and/or two-factor authentication. They should have known better.
People get "hacked" this way tons of times by using weak passwords and/or security questions. You'll never see that appear in the media.
The inequality here is the importance the media places on Kate Upton, Jennifer Lawrence, etc. It's a waste of taxpayer money to get the "FBI" involved. I see it also as a waste for the government to chummy up with these "celebs". Some of them are great entertainers no doubt, but what have they done to really deserve the popularity they have?
Have they built something that tremendously improves people's lives? Are they key decision makers on items that affect people? Yes, Jennifer Lawrence is a great actress, but c'mon.
Stop giving importance to celebs by not reading news about them. Radaronline, Tmz, etc.
They are performing artists; how you feel about their contribution to society is based upon how you feel about performing artists in general.
Is society enriched by the eloquence of humanity of ballet? Does humanity prove itself to the universe when our best singers hold a pure note for a brief moment in time? What impact does a movie exploring some aspect of the human experience have upon the world?
Popular performing artists are popular because their performances bring some amount of joy to people's lives.