iCloud Leak

[easysurfer]

So much for safety in the cloud if the entrance isn't protected

Quote:

The apparent leak of hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities has raised questions of the safety and security of digital services.

Quote:

Although Apple’s encryption on the data itself is considered robust, access could have been gained through more indirect means - such as guessing users' passwords or simply resetting their accounts by finding their email address and then answering traditional ‘security questions’.

Is Apple's iCloud safe after leak of Jennifer Lawrence and other celebrities' nude photos? - Gadgets and Tech - Life and Style - The Independent

[MichaelB]

Quote:

Originally Posted by easysurfer So much for safety in the cloud if the entrance isn't protected

From the article

Quote:

Although the involvement of iCloud has not been confirmed

[powerplay]

Oh my gosh, what a surprise!

[aja8888]

......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....."

Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and I pads? Am I missing something here?

[MuirWannabe]

Quote:

Originally Posted by aja8888 ......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....." Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and I pads? Am I missing something here?

It is hard to believe. Guess I need to see the evidence for proof



Sent from my iPad using Early Retirement Forum

[easysurfer]

There is speculation that the brute force method was used to try a lot of passwords since initially things weren't set up to suspend the account after bad attempts. In otherwords..."nope, didn't work..try again"

[Walt34]

Quote:

Originally Posted by MuirWannabe It is hard to believe. Guess I need to see the evidence for proof

Be careful what you wish for....

[M Paquette]

Hai Guys!

Hint: Don't use yur username as yur passwd!

Also: these ones might not be gud either...

SplashData's "Worst Passwords of 2013":

Code:

Rank               Password        Change   from 2012             
1                     123456                     Up 1                                                           
2                     password                   Down 1                                                           
3                     12345678                  Unchanged                                                           
4                     qwerty                     Up 1                                                          
5                     abc123                     Down 1                                                           
6                     123456789                     New                                                           
7                     111111                     Up 2                                                           
8                     1234567                     Up 5                                                           
9                     iloveyou                     Up 2                                                           
10                     adobe123                     New                                                           
11                     123123                     Up 5                                                           
12                     admin                     New                                                           
13                     1234567890                     New                                                           
14                     letmein                     Down 7                                                           
15                     photoshop                     New                                                          
16                     1234                     New                                                           
17                     monkey                     Down 11                                                           
18                     shadow                     Unchanged                                                           
19                     sunshine                     Down 5                                                           
20                     12345                     New                                                           
21                     password1                     Up 4                                                           
22                     princess                     New                                                           
23                     azerty                     New                                                           
24                     trustno1                     Down 12                                                           
25                     000000                     New

(Any time someone can hack this many accounts using an online dictionary attack, weak, weak passwords are the thing. All a provider can do is slow the attack's progress, and enable a denial of service attack variation.)

[M Paquette]

Oh, and the thing about anything 'secret' that exists? It will leak out eventually.

If something is too embarrassing to be let out, perhaps it is best to not do that. Applies to movie stars, athletes, and governments alike.

Everything leaks. Everything.

[ls99]

Years ago at a company I spent some time hired a high priced Computer security consultant company. Their pass word was #24 on the list. I broke it on my fourth try. And I never was a computer geek. Did it for the fun of it.

They were shocked I tell ya. Then they changed it to start with capital letter. I did not not tell them about that. Stupid is as stupid does.

[jetpack]

The news on this story has been pretty pitiful. From my tech friends, these seem to be collections from various sources (no one single hacking event) .. All the standard online security measures still hold true. Good Passwords. Don't use unsecured networks with non secure connections. Don't carry around unprotected files. etc.

[donheff]

Quote:

Originally Posted by aja8888 ......"hundreds of naked photos purportedly belonging to more than 100 high-profile singers, actors and celebrities....." Clue me in, but is it common for famous people like above to routinely have naked images of themselves on their cell phones and I pads? Am I missing something here?

+1 That was my reaction too. If these people are don't want to share naked photos why take them in the first place? Even more to the point, why dump them into cloud storage? You know at a minimum NSA techs are looking at them.

[Tailgate]

Apple has just changed their logo

[steelyman]

I'm not worried about iCloud at all. I do use it from two devices (iTouch and iPhone) but adjusted the settings on what is backed up for storage reasons.

I wouldn't like to see my contact list stolen for the reason of privacy of family and friends.

[MichaelB]

Well, it seems Apple has acknowledged some user accounts were hacked Apple - Press Info - Apple Media Advisory

Quote:

After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

According to Apple, iCloud wasn't compromised. ARS Technica has a different view, they see this as a weakness in the iCloud security architecture Update: What Jennifer Lawrence can teach you about cloud security | Ars Technica

Quote:

brute force attack did was test combinations of e-mail addresses and passwords from two separate “dictionary” files. It required knowledge (or good guesses) of the targets’ iCloud account e-mail addresses and a huge list of potential passwords. Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts—so the attacker was able to keep hammering away at targeted accounts until access was granted. Once successful, the attacker could then connect to iCloud and retrieve iPhone backups, images from the iOS Camera Roll, and other data.

Have to agree with ARS on this one. Preventing brute force attacks should be the first line of defense. If this is confirmed, it looks like Apple really dropped the ball.

ER forum members should be careful to store their compromising pics somewhere else.

[steelyman]

Quote:

Originally Posted by MichaelB ER forum members should be careful to store their compromising pics somewhere else.

I'd better take down my Anthony Weiner-style shot

[donheff]

Quote:

Originally Posted by MichaelB Have to agree with ARS on this one. Preventing brute force attacks should be the first line of defense. If this is confirmed, it looks like Apple really dropped the ball. ER forum members should be careful to store their compromising pics somewhere else.

+1. No one should be able to mount a brute force attack on any site. The only reason for brute force attacks should be that they compromised the system and obtained the shadow password file (or whatever systems use these days). Once they have the encrypted password file and know the encryption methodology in use, they can run dictionary attacks off line to their heart's content. If Apple allowed an external source to pound away at an account access interface they really F'd up. If so, it is outrageous that they are blaming the victims. Lets face it, even with social engineering it is highly unlikely that attackers will guess your password and/or secret questions/answers in three attempts.

[Chuckanut]

Interesting. I would think that any decent security system would limit the number of consecutive failed logon attempts. After, a certain number of attempts, the attacker would need to answer a security question (keep those answers weird!), use second factor authentication, or even wait for an hour or two before being able to logon again.

[Chuckanut]

The use of dictionary words is a very common way to attack an account. The fact that it was used here is another reason to use a random password generator, or some personal algorithm that depends on information unknown to the outside world.

[easysurfer]

Quote:

Originally Posted by Chuckanut The use of dictionary words is a very common way to attack an account. The fact that it was used here is another reason to use a random password generator, or some personal algorithm that depends on information unknown to the outside world.

I'm a fan of using a random password generator. I just updated a few of my passwords with a longer length password.

Now when I get interrogated as to what's my password I'll say "your guess is as good as mine" and won't be telling a lie