Link Logger
MVM
join:2001-03-29
Calgary, AB

2 recommendations

Glitch in Apple iCloud security may have been behind photo 'leak'

quote:
A weakness in Apple's iCloud security which allowed hackers to repeatedly try new passwords for as long as it took to find the correct one may have been behind the celebrity photo scandal.

A hacker who “leaked” more than 100 nude photographs of some of Hollywood’s most famous female stars may have accessed the images due to a “vulnerability” in Apple’s security system, technology experts claimed.

The anonymous user of photo sharing website 4chan posted explicit pictures of celebrities such as Oscar-winning actress Jennifer Lawrence which are thought to have been obtained via Apple’s iCloud service.

Apple and the FBI are investigating the hack which is suspected to have exploited a weakness in the Find My iPhone cloud-based service.

The leak saw British names including model Cara Delevigne and former Downton Abbey actress Jessica Brown Findlay linked to the list of 101 famous people whose intimate pictures had reportedly been accessed.

Initial reports suggest the hacker may have used a computer programme which guesses likely passwords again and again until a correct one is found.

»www.telegraph.co.uk/tech ··· aim.html

»ca.finance.yahoo.com/new ··· c=_start

Forget googling to get your daily celebrity porn; time to start surfing iCloud. Also, it will be interesting to see how many more 'want to be' celebrities start uploading nudies and sex tapes to iCloud in hopes of getting that 'magic' exposure.

Blake
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

5 recommendations

Okay, bad on Apple for this, #1. And #2.

And...who in their right mind takes compromising pictures of themselves and then uploads them to the "Cloud"? Particularly public figures (except politicians because well, I've come to accept an inferior level of thought from them).

Even if there wasn't an external weakness, all it takes is one bad employee in the right location and you've been Snowden'd.

Link Logger
MVM
join:2001-03-29
Calgary, AB

quote:
Mr Troshichev, a security researcher with HackApp, his online security firm, said that he started looking for weaknesses in iCloud after photographs and emails apparently belonging to Dmitry Medvedev, the Russian prime minister and a prominent user of Apple products, were hacked and released on August 14.

Apple fixed the problem with the FindMyiPhone app, which allows remote tracking of Apple devices, on Monday – shortly after the nude celebrity photos began spreading online.

"The end of fun, Apple have just patched FindMyiphone bug," Mr Troshichev wrote on Twitter at the time.

He said he did not report the fault to Apple before going public because Apple does not usually respond to such information, and because he believed it was not a serious threat.
»www.telegraph.co.uk/news ··· law.html

Maybe Apple will start responding now.

Blake
Edit - I wonder if the Sept 9 Apple event will include how to take better nude selfies? I know I post nude selfies of myself to the cloud but as a security feature (and boost sales of eye bleach).
Link Logger

I was going to post this earlier but I was out of town over the weekend.
quote:
iBrute iForce iHack

The breach of the celebrities’ iCloud accounts was reportedly made possible by a vulnerability in Apple’s Find My iPhone application programming interface—at least, that's what has been suggested. Proof-of-concept code for the exploit, called iBrute, allowed for brute-force password cracking of accounts. It was uploaded to GitHub on August 30, just a day before the breach occurred, as ZDNet’s Adrian Kingsley-Hughes noted. Apple patched the vulnerability early on September 1.

If your password is in this list, you might want to choose something else.

»github.com/hackappcom/ibrute

Blake

mackey
Premium Member
join:2007-08-20

1 recommendation

mackey to Link Logger

said by Link Logger:

Maybe Apple will start responding now.

Nah, the aura of Jobs' ghost protects almost all of their stuff; this was just a fluke.

/M
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to Link Logger

Member
What I find funny is an old pass I have used for 15 years for things I do not honestly care much about has never shown up on any password list dictionaries, and it is only like 6 chars long, no caps, etc. It is far from random ither. However, to anyone who found it written down somewhere it would seem to be total nonsense.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Link Logger

...I'm with lorennerol... and getting vibes of this.

So is it life imitating art, or art imitating life?

Regards

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

Blackbird to Nanaki

said by Nanaki:

What I find funny is an old pass I have used for 15 years for things I do not honestly care much about has never shown up on any password list dictionaries, and it is only like 6 chars long, no caps, etc. It is far from random ither. However, to anyone who found it written down somewhere it would seem to be total nonsense.

If there were just letters and numbers in it, there would be ~2.18 billion permutations... so the odds are indeed against it showing up on any pw list unless it's a very common word/name.
Frodo
join:2006-05-05

Frodo to lorennerol

Member
said by lorennerol:

And...who in their right mind takes compromising pictures of themselves and then uploads them to the "Cloud"?

According to this article, uploads are on by default for iPhone and iPad owners.
quote:
If you have an iPhone or iPad, all your photos are being uploaded to iCloud by default. Most people don't even realise that all their photos are being stored on iCloud servers.
So, it is up to the user to shut off the "feature" if not needed, once they figure out the feature is on.
dave
Premium Member
join:2000-05-04
not in ohio

Presumably only if you actually have an iCloud account...
lorennerol
Premium Member
join:2003-10-29
Seattle, WA

lorennerol to Frodo

said by Frodo:

According to this article, uploads are on by default for iPhone and iPad owners.

The default when you get into a car is for the seatbelt to be unbuckled. These folks are more than wealthy enough to have some savvy IT help, if they can't figure out how to buckle themselves up on the Interwebs.

chip89
Premium Member
join:2012-07-05
Columbia Station, OH

1 recommendation

chip89 to Link Logger

It's mostly their fault for not doing safe hex!

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to Link Logger

Currently, the blame game is key - was it Apple's iCloud service, or was it the failings of the same celebs who practice poor security judgement and had simply not turned 2FA on?

Apple are currently denying it was their fault.
»www.theverge.com/2014/9/ ··· oto-hack

Some compelling stuff from Wired Mag on how a police tool was used for the pic robbery.
»www.wired.com/2014/09/ep ··· -icloud/

Celeb photo hacks could not have come at a worse time for Apple.
»www.wired.com/2014/09/th ··· r-apple/
siljaline to Link Logger
Kirsten Dunst flips Apple the bird.
»twitter.com/kirstendunst ··· 14317312
siljaline to Link Logger
Have an Apple ID? Two-factor authentication (2FA)
»support.apple.com/kb/ht4232

Those that run Apple iTunes and other media that talk to or interface with your devices should be as secure as possible. Those with iTunes should log out when the software is not in use. Permanent login is a default.

carpetshark3
Premium Member
join:2004-02-12
Idledale, CO

carpetshark3 to Link Logger

»www.osnews.com/story/279 ··· _privacy

»www.slashgear.com/celebr ··· 2344083/

BTW - Justin Verlander (Detroit Tigers pitcher) got caught in it. He's dating one of the celebs.
mr weather
Premium Member
join:2002-02-27
Mississauga, ON

mr weather to Link Logger

said by Link Logger:

Maybe Apple will start responding now.

I doubt it, at least not publicly. To do so would admit some negligent activity on their part, which would open them up to a mega-buck lawsuit.
Riamen
Premium Member
join:2002-11-04
Calgary

said by mr weather:

said by Link Logger:

Maybe Apple will start responding now.

I doubt it, at least not publicly. To do so would admit some negligent activity on their part, which would open them up to a mega-buck lawsuit.

Apple actually replied Monday (before this thread was started) and on Tuesday.

Monday's reply was rather terse.

“We take user privacy very seriously and are actively investigating this report” said Apple spokeswoman Natalie Kerris.

Tuesday's reply.

»www.apple.com/pr/library ··· ory.html

Weak passwords and lack of 2FA may be to blame but Apple needs to step it up on their iCloud security.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to Blackbird

Member
Yeah, it is an archaic spelling of a common word, like ither and nither vs either and neither. It is not one of those, however. It is funny how something as simple as using an archaic spelling can just ruin a password list lol. I have looked through a few and laughed because my pass was there, but in the normal everyday form.
Nanaki (banned) to siljaline
I say Apple is to blame. I base this on the fact that by default you can bypass any Mac OS password within 30 seconds and not lose any user data and gain full root access to the computer in question. 99% of all Apple Mac users will leave it default. I can own that computer in seconds if I have physical access to it. In fact I can literally own a Mac just by going to Best Buy and doing it there, then registering the Apple with Apple like I bought it. The rest is just getting Apple to replace a stolen laptop; a little investment in insurance and it's mine for like 50 to 100 bucks. I'm just too honest a person to do it.

I already have a Kindle Fire HD 8.9 that someone pulled such a scam with. Buy, insure, report lost or stolen, return, get for 50 bucks. Now I honestly did not care; I saw the receipt for it from a few days before and I had known the person for a couple of years. So they wanted to get some of their money back and I wanted the Kindle and took a chance I could root and ROM it, which I did.

But I would not want to put someone else through that sort of hassle. Apple needs to tighten things up where security is concerned and relax restrictions on what you can do with what you own.

Carpie
join:2012-10-19
United States

Carpie to lorennerol

Member
said by lorennerol:

And...who in their right mind takes compromising pictures of themselves and then uploads them to the "Cloud"?

I know, right? That is so far-fetched that it should be a storyline for a movie. Maybe one starring Cameron Diaz....
TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

TheWiseGuy to mr weather

said by mr weather:

said by Link Logger:

Maybe Apple will start responding now.

I doubt it, at least not publicly. To do so would admit some negligent activity on their part, which would open them up to a mega-buck lawsuit.

They and every major company should learn from the GM debacle. Trying to make believe you have not done anything wrong will cost you a lot more in the long run!

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

1 recommendation

siljaline to Link Logger

The Verge has a fairly comprehensive chain of events.
»www.theverge.com/2014/9/ ··· ebrities
Riamen
Premium Member
join:2002-11-04
Calgary

1 recommendation

Riamen to Link Logger

An interesting write-up on how this came to be:

»www.nikcub.com/posts/not ··· a-theft/

Chubbzie
join:2014-02-11
Greenville, NC

2 recommendations

Chubbzie to Link Logger

Member
Link to supposed "leaked" images or it didn't happen...

Anav
Sarcastic Llama? Naw, Just Acerbic
Premium Member
join:2001-07-16
Dartmouth, NS

Anav to Link Logger

said by Link Logger:

Blake
Edit - I wonder if the Sept 9 Apple event will include how to take better nude selfies? I know I post nude selfies of myself to the cloud but as a security feature (and boost sales of eye bleach).

Argggg, that's the last thing I need to read in the morning..., but how do we advertise this - could single-handedly remove motivation for many hackers!

siljaline
I'm lovin' that double wide
Premium Member
join:2002-10-12
Montreal, QC

siljaline to Link Logger

The Verge probably has the best story stream going that's not offensive, given the subject matter.
»www.theverge.com/2014/9/ ··· ebrities

mouse
Premium Member
join:2007-03-29
australia

mouse to Link Logger

Interesting - most are just names, nothing surprising but why would passwords like Tbfkiy9oN or 2wsx@WSX or 12qw!@QW appear in this list? Obviously a brute force attack can try anything but I don't see these as easy/obvious candidates or am I missing something?

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

said by mouse:

Interesting - most are just names, nothing surprising but why would passwords like Tbfkiy9oN or 2wsx@WSX or 12qw!@QW appear in this list? Obviously a brute force attack can try anything but I don't see these as easy/obvious candidates or am I missing something?

Yup, 2wsx@WSX & 12qw!@QW are what I call 'pattern passwords' in that they are relative to a standard keyboard.
If you type "2wsx@WSX" on your keyboard, watch where the keys fall - you will see a pattern to the key positions.
Pattern passwords are very easy to crack, especially if you have any history on the password owner since they tend to use the same pattern over & over with just a switch of starting key, if even that.
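A defender-side check for the keyboard-walk passwords Snowy describes, added here as an example (not code from the thread or from any password tool it mentions); it assumes a US QWERTY layout and flags 2wsx@WSX and 12qw!@QW while leaving Tbfkiy9oN alone:

```python
"""Keyboard-walk ("pattern password") detector for a password policy.
Assumes a US QWERTY layout (this example's assumption). A password is flagged
when most of its characters sit on runs of physically adjacent keys."""

# Unshifted keys of each row, left to right; X_OFFSET is each row's horizontal
# stagger in key widths so that "2", "w", "s", "x" line up as one diagonal.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
X_OFFSET = [0.0, 1.5, 1.75, 2.25]
# Shifted symbol -> the unshifted character on the same physical key cap.
UNSHIFT = dict(zip("~!@#$%^&*()_+{}|:\"<>?", "`1234567890-=[]\\;',./"))

def key_position(ch):
    """(row, x) coordinate of the physical key that produces ch, or None."""
    ch = UNSHIFT.get(ch, ch.lower())
    for row, keys in enumerate(ROWS):
        col = keys.find(ch)
        if col != -1:
            return (row, X_OFFSET[row] + col)
    return None

def _adjacent(a, b):
    """Same key or a neighbouring key (diagonals included) on the layout."""
    if a is None or b is None:
        return False
    return abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1.0

def walk_coverage(password, min_run=3):
    """Fraction of characters inside a run of >= min_run adjacent keys;
    1.0 means the whole password is made of keyboard walks."""
    if not password:
        return 0.0
    pos = [key_position(c) for c in password]
    covered, run = 0, 1
    for i in range(1, len(pos)):
        if _adjacent(pos[i - 1], pos[i]):
            run += 1
            continue
        if run >= min_run:
            covered += run
        run = 1
    if run >= min_run:          # close the final run
        covered += run
    return covered / len(password)

def is_keyboard_walk(password, threshold=0.75):
    """Policy check: True when at least `threshold` of the password is walks."""
    return walk_coverage(password) >= threshold

if __name__ == "__main__":
    for pw in ("2wsx@WSX", "12qw!@QW", "Tbfkiy9oN"):   # values from the thread
        print(pw, round(walk_coverage(pw), 2), is_keyboard_walk(pw))
```

The shifted halves score as walks because each shifted symbol is mapped back to its physical key, which is exactly why a shift-then-repeat pattern adds no real entropy.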
Snowy

1 recommendation

Snowy to Chubbzie

said by Chubbzie:

Link to supposed "leaked" images or it didn't happen...

Yeah, I couldn't find them either. LOL