iCloud Leak

This seemed obvious to me as well, but then I thought about the implications. Wouldn't the real user (especially high profile people) just get locked out all the time from the false attempts? As soon as the hour re-try limit was passed, the crooks would hit it again three times.


-ERD50
Yes, it has happened to me more than a few times since I am a touch ADD and keep banging away without noticing my caps lock is on :) But poking around with three tries every few hours is not a dictionary or brute force attack. It might get into an account that used something truly brain-dead like "password123" but would not likely work with even a very weak normal password.

Dictionary attacks require an ability to pound the server continually with automated logon attempts -- or, (required with sensibly protected sites) pounding away at a stolen copy of the encrypted password file residing on evildoer's server. Then evildoer can logon to any of the accounts whose userIDs and passwords the attack cracks.
 

Except if the bad guys have accumulated many, many usernames, they can hit each three times, then move to the next and the next, and rotate back after the timeout. Day after day after day. They'll eventually get a few of them.


-ERD50
 
I keep all of my private pics in a subfolder. The main folder has two candid pics of my 97 y.o. grandmother doing the cat daddy dance topless. It is somewhat like when pirates used to bury the real treasure underneath a much smaller, easier to find treasure.
 
Could be. I would be relieved if that is what happened at Apple. In that case we can get back to dissing the stars for posting their selfie porn with poor passwords.
 

The security is usually of the type where it locks out your IP for some interval of time. But it can be a different implementation.
 
There is one gotcha on the use of a lockout mechanism to block brute force attacks.

The lockout mechanism is also used for selective denial of service attacks. The account of a well-known person is typically targeted, with random passwords sent frequently enough to maintain the lockout. By using a botnet to host the attack, IP-specific lockouts that would typically block a script kiddie don't stop the doorknob-rattling, and often the account gets deactivated requiring the victim to go through a 'help desk' to regain access.

I've seen this variant used on everyone from executives, to PR persons, and just folks that some 4chan 1337 d00d didn't like.

The particular channel being used to guess passwords in the Apple attack is not one I'd want to find myself locked out of after the loss/theft of equipment. That's all the detail I care to go into on this one.
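Both failure modes raised in this thread show up in ordinary authentication logs: the rotation over many usernames with a few tries each (which never trips a per-account lockout), and a single account kept locked by failures arriving from many addresses. The detector below is an added example written for this page; it is not code from any poster, from Apple, or from any real product. The log format, the threshold values, the timestamps and every address and username in it are constructed for the example.

```python
"""Flag two abuses of a three-strikes lockout policy from an auth log:
  * one source failing against many accounts, a few tries each (spraying);
  * one account failed from many sources, enough to keep it locked (lockout DoS).
Log format, thresholds and sample lines are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; the thread describes three tries per lockout interval.
LOCKOUT_THRESHOLD = 3        # failed tries before an account locks
SPRAY_MIN_ACCOUNTS = 5       # one source failing against this many accounts is flagged
DOS_MIN_SOURCES = 4          # one account failed from this many sources is flagged
WINDOW = timedelta(hours=1)  # only events this close to the latest event are counted

# Constructed log: "<iso-timestamp> <user> <source-ip> <FAIL|OK>".
# 203.0.113.5 rotates across five accounts, three tries each, staying under the
# per-account threshold; four hosts in 198.51.100.0/24 keep 'ceo' locked.
# The first line is deliberately older than WINDOW and must be ignored.
SAMPLE_LOG = """\
2014-09-01T09:00:00 frank 203.0.113.5 FAIL
2014-09-01T10:00:01 alice 203.0.113.5 FAIL
2014-09-01T10:00:02 alice 203.0.113.5 FAIL
2014-09-01T10:00:03 alice 203.0.113.5 FAIL
2014-09-01T10:00:04 bob 203.0.113.5 FAIL
2014-09-01T10:00:05 bob 203.0.113.5 FAIL
2014-09-01T10:00:06 bob 203.0.113.5 FAIL
2014-09-01T10:00:07 carol 203.0.113.5 FAIL
2014-09-01T10:00:08 carol 203.0.113.5 FAIL
2014-09-01T10:00:09 carol 203.0.113.5 FAIL
2014-09-01T10:00:10 dave 203.0.113.5 FAIL
2014-09-01T10:00:11 dave 203.0.113.5 FAIL
2014-09-01T10:00:12 dave 203.0.113.5 FAIL
2014-09-01T10:00:13 erin 203.0.113.5 FAIL
2014-09-01T10:00:14 erin 203.0.113.5 FAIL
2014-09-01T10:00:15 erin 203.0.113.5 FAIL
2014-09-01T10:00:16 ceo 198.51.100.1 FAIL
2014-09-01T10:00:17 ceo 198.51.100.2 FAIL
2014-09-01T10:00:18 ceo 198.51.100.3 FAIL
2014-09-01T10:00:19 ceo 198.51.100.4 FAIL
2014-09-01T10:00:20 alice 192.0.2.10 OK
2014-09-01T10:00:21 bob 192.0.2.11 FAIL
""".splitlines()


def parse_line(line):
    """Split one log line into (timestamp, user, source_ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def analyse(lines):
    """Return spraying sources and lockout-DoS accounts seen inside WINDOW."""
    events = [parse_line(line) for line in lines if line.strip()]
    latest = max(ts for ts, _, _, _ in events)
    cutoff = latest - WINDOW

    accounts_by_source = defaultdict(set)   # ip   -> accounts it failed against
    sources_by_account = defaultdict(set)   # user -> ips that failed against it
    tries_by_pair = defaultdict(int)        # (ip, user) -> failed tries

    for ts, user, ip, result in events:
        if ts < cutoff or result != "FAIL":
            continue
        accounts_by_source[ip].add(user)
        sources_by_account[user].add(ip)
        tries_by_pair[(ip, user)] += 1

    # Spraying: many accounts from one source. Per-account lockout never fires
    # when each account sees at most LOCKOUT_THRESHOLD tries, so count accounts.
    spray_sources = {ip: len(accts) for ip, accts in accounts_by_source.items()
                     if len(accts) >= SPRAY_MIN_ACCOUNTS}
    spray_under_lockout = {
        ip: all(tries_by_pair[(ip, u)] <= LOCKOUT_THRESHOLD for u in accounts_by_source[ip])
        for ip in spray_sources
    }
    # Lockout DoS: one account hit from many sources, so an IP block does not help
    # and the account stays locked for its real owner.
    lockout_dos_accounts = {user: len(srcs) for user, srcs in sources_by_account.items()
                            if len(srcs) >= DOS_MIN_SOURCES}
    return {
        "spray_sources": spray_sources,
        "spray_under_lockout": spray_under_lockout,
        "lockout_dos_accounts": lockout_dos_accounts,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The point of the two counters is that neither pattern is visible from a single account's failure count, which is all a per-account lockout looks at; the spray stays under the threshold everywhere, and the DoS is spread across addresses so an IP lockout never triggers. Counting distinct accounts per source and distinct sources per account over a time window surfaces both, and a real deployment would tune the thresholds and window to its own traffic.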
 