iCloud Leak

easysurfer

So much for safety in the cloud if the entrance isn't protected :facepalm:

The apparent leak of hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities has raised questions of the safety and security of digital services.

Although Apple’s encryption on the data itself is considered robust, access could have been gained through more indirect means - such as guessing users' passwords or simply resetting their accounts by finding their email address and then answering traditional ‘security questions’.

Is Apple's iCloud safe after leak of Jennifer Lawrence and other celebrities' nude photos? - Gadgets and Tech - Life and Style - The Independent
 
......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....."

Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and iPads? Am I missing something here :confused:?
 
......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....."

Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and iPads? Am I missing something here :confused:?


It is hard to believe. Guess I need to see the evidence for proof :)



Sent from my iPad using Early Retirement Forum
 
There is speculation that the brute force method was used to try a lot of passwords since initially things weren't set up to suspend the account after bad attempts. In other words..."nope, didn't work..try again" :facepalm:
 
Hai Guys!

Hint: Don't use yur username as yur passwd!

Also: these ones might not be gud either...

SplashData's "Worst Passwords of 2013":
Rank   Password       Change from 2012
1      123456         Up 1
2      password       Down 1
3      12345678       Unchanged
4      qwerty         Up 1
5      abc123         Down 1
6      123456789      New
7      111111         Up 2
8      1234567        Up 5
9      iloveyou       Up 2
10     adobe123       New
11     123123         Up 5
12     admin          New
13     1234567890     New
14     letmein        Down 7
15     photoshop      New
16     1234           New
17     monkey         Down 11
18     shadow         Unchanged
19     sunshine       Down 5
20     12345          New
21     password1      Up 4
22     princess       New
23     azerty         New
24     trustno1       Down 12
25     000000         New

(Any time someone can hack this many accounts using an online dictionary attack, weak, weak passwords are the thing. All a provider can do is slow the attack's progress, and enable a denial of service attack variation.)
 
Oh, and the thing about anything 'secret' that exists? It will leak out eventually.

If something is too embarrassing to be let out, perhaps it is best to not do that. Applies to movie stars, athletes, and governments alike.

Everything leaks. Everything.
 
Years ago, a company I spent some time at hired a high-priced computer security consultant company. Their password was #24 on the list. I broke it on my fourth try. And I never was a computer geek. Did it for the fun of it.

They were shocked, I tell ya. Then they changed it to start with a capital letter. I did not tell them about that. Stupid is as stupid does.
 
The news on this story has been pretty pitiful. From my tech friends, these seem to be collections from various sources (no one single hacking event) .. All the standard online security measures still hold true. Good Passwords. Don't use unsecured networks with non secure connections. Don't carry around unprotected files. etc.
 
......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....."

Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and iPads? Am I missing something here :confused:?
+1 That was my reaction too. If these people don't want to share naked photos, why take them in the first place? Even more to the point, why dump them into cloud storage? You know at a minimum NSA techs are looking at them.
 
Apple has just changed their logo
 
I'm not worried about iCloud at all. I do use it from two devices (iTouch and iPhone) but adjusted the settings on what is backed up for storage reasons.

I wouldn't like to see my contact list stolen for the reason of privacy of family and friends.
 
Well, it seems Apple has acknowledged some user accounts were hacked Apple - Press Info - Apple Media Advisory
After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.
According to Apple, iCloud wasn't compromised. ARS Technica has a different view, they see this as a weakness in the iCloud security architecture Update: What Jennifer Lawrence can teach you about cloud security | Ars Technica

brute force attack did was test combinations of e-mail addresses and passwords from two separate “dictionary” files. It required knowledge (or good guesses) of the targets’ iCloud account e-mail addresses and a huge list of potential passwords. Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts—so the attacker was able to keep hammering away at targeted accounts until access was granted. Once successful, the attacker could then connect to iCloud and retrieve iPhone backups, images from the iOS Camera Roll, and other data.
Have to agree with ARS on this one. Preventing brute force attacks should be the first line of defense. If this is confirmed, it looks like Apple really dropped the ball.

ER forum members should be careful to store their compromising pics somewhere else. :)
 
Have to agree with ARS on this one. Preventing brute force attacks should be the first line of defense. If this is confirmed, it looks like Apple really dropped the ball.

ER forum members should be careful to store their compromising pics somewhere else. :)
+1. No one should be able to mount a brute force attack on any site. The only reason for brute force attacks should be that they compromised the system and obtained the shadow password file (or whatever systems use these days). Once they have the encrypted password file and know the encryption methodology in use, they can run dictionary attacks offline to their heart's content. If Apple allowed an external source to pound away at an account access interface they really F'd up. If so, it is outrageous that they are blaming the victims. Let's face it, even with social engineering it is highly unlikely that attackers will guess your password and/or secret questions/answers in three attempts.
 
Interesting. I would think that any decent security system would limit the number of consecutive failed logon attempts. After a certain number of attempts, the attacker would need to answer a security question (keep those answers weird!), use second factor authentication, or even wait for an hour or two before being able to logon again.
 
The use of dictionary words is a very common way to attack an account. The fact that it was used here is another reason to use a random password generator, or some personal algorithm that depends on information unknown to the outside world.
 
The use of dictionary words is a very common way to attack an account. The fact that it was used here is another reason to use a random password generator, or some personal algorithm that depends on information unknown to the outside world.

I'm a fan of using a random password generator. I just updated a few of my passwords with a longer length password.

Now when I get interrogated as to what's my password I'll say "your guess is as good as mine" and won't be telling a lie :)
 
The real public fiasco, IMHO, is the fact people put compromising photos out in the cloud in the first place. What is that about?

Several years ago, I read a travel tip that recommended scanning one's passport and uploading the scan to a cloud like service such as Evernote or DropBox. Supposedly, this would help a person if she lost her passport.

But, these sites, the last time I checked, do not encrypt the data uploaded to the site. So..... this was not such a good idea.
 
Apple has two step authentication for certain iCloud functions.

Two-step verification is an additional security feature for your Apple ID that's designed to prevent anyone from accessing or using your account, even if they know your password.
It requires you to verify your identity using one of your devices before you can take any of these actions:

  • Sign in to My Apple ID to manage your account
  • Make an iTunes, App Store, or iBooks Store purchase from a new device
  • Get Apple ID related support from Apple

Frequently asked questions about two-step verification for Apple ID
 
+1. No one should be able to mount a brute force attack on any site. .... If Apple allowed an external source to pound away at an account access interface they really F'd up. If so, it is outrageous that they are blaming the victims. Let's face it, even with social engineering it is highly unlikely that attackers will guess your password and/or secret questions/answers in three attempts.

Interesting. I would think that any decent security system would limit the number of consecutive failed logon attempts. After a certain number of attempts, the attacker would need to answer a security question (keep those answers weird!), use second factor authentication, or even wait for an hour or two before being able to logon again.

This seemed obvious to me as well, but then I thought about the implications. Wouldn't the real user (especially high profile people) just get locked out all the time from the false attempts? As soon as the hour re-try limit was passed, the crooks would hit it again three times.

Of course, these celebrities are idiots (unless they were looking for publicity) to put stuff they don't want in the hands of others on a cloud server with hack-able passwords and security questions. Many accomplished people may not have much sense in other areas of their lives, but still - think! Plus, you'd think young celebs would have a bit more 'internet-smarts' (the equivalent of 'street-smarts' from our times).

-ERD50
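The two posts above pull in opposite directions: lock the account after a few failures (the "hour or two" suggestion) and the crook can keep the real owner locked out for good. The usual answer is to throttle the abusive source hard and only raise the bar for the account (second factor or security question) rather than hard-locking it. The following is an added illustration in Python, not code from the forum or from Apple; the IP addresses, account name and limits are constructed for the example.

```python
# Added example, not from the thread or from Apple: a login throttle that
# blocks the abusive *source* and only asks the *account* for a second
# factor, so bad guesses cannot hard-lock the real owner out while a
# guessing run is still cut off after a handful of tries.
from collections import defaultdict

ACCOUNT_SOFT_LIMIT = 3       # failures before step-up auth is demanded
SOURCE_HARD_LIMIT = 10       # failures before a source IP is blocked
SOURCE_BLOCK_SECONDS = 3600  # block length (the "hour or two" above)

class LoginThrottle:
    def __init__(self):
        self.now = 0.0                               # simulated clock
        self.account_failures = defaultdict(int)
        self.source_failures = defaultdict(int)
        self.source_blocked_until = {}

    def check(self, account, source):
        """Decision for a login attempt: 'allow', 'step_up' or 'blocked'."""
        if self.source_blocked_until.get(source, 0.0) > self.now:
            return "blocked"          # abusive IP: no password check at all
        if self.account_failures[account] >= ACCOUNT_SOFT_LIMIT:
            return "step_up"          # password alone is no longer enough
        return "allow"

    def record_failure(self, account, source):
        self.account_failures[account] += 1
        self.source_failures[source] += 1
        if self.source_failures[source] >= SOURCE_HARD_LIMIT:
            self.source_blocked_until[source] = self.now + SOURCE_BLOCK_SECONDS

    def record_success(self, account):
        self.account_failures[account] = 0   # owner proved identity: reset

def simulate(guesses_from_attacker):
    """Constructed scenario: a guesser hammers the account 'celeb' from
    203.0.113.7 with wrong passwords, then the real owner signs in from
    198.51.100.5. Returns (decisions seen by the guesser, owner decision)."""
    t = LoginThrottle()
    seen = []
    for _ in range(guesses_from_attacker):
        d = t.check("celeb", "203.0.113.7")
        seen.append(d)
        if d != "blocked":
            t.record_failure("celeb", "203.0.113.7")   # every guess is wrong
    return seen, t.check("celeb", "198.51.100.5")
```

After a dozen bad guesses the guessing source is blocked outright, while the owner, from a different address, is still let in once the second factor is supplied instead of being told to wait an hour. A real deployment would also age the counters in a sliding window and notify the account owner of the failed attempts.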
 
I think the lesson learned (again) is that "Private" is not private and "Deleted" is not deleted no matter how nice "The Cloud" sounds.

Now I read that the hackers are from this ring that trade these violations and not just some lone hacker.

The news is a reminder why come tax time I'm happy to just download tax software to my PC and create the forms locally then use the "safety" :blush: offsite.
 
another conspiracy theory...
 