Apple Officially Denies iCloud Breach

HardOCP News

Apple has officially denied any iCloud breach occurred, instead blaming targeted attacks. I guess an iCloud exploit, the one used to access the accounts in the first place, can be considered "targeted attacks."

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
 
Again, Apple is trying to stay away from being seen as negligent, since that's one thing in the ToS that they could get sued on.
 
Right Apple, a "targeted attack" absolves your iCloud of any responsibility. What Geniuses you are............... :confused:
 
Right Apple, a "targeted attack" absolves your iCloud of any responsibility. What Geniuses you are............... :confused:

Notice that they wouldn't mention about "iCloud."
I am going to be a prick on Apple since they mention "certain celebrities" when ordinary users' photos were also compromised and disseminated. It's a despicable thing for them to have worded their update in this way.
 
It sounded like it was a s.e attack from many different people over a long period of time. Probably started well before dual stage login was implemented. There was nothing Apple could have done in this case, and until hard evidence emerges, iCloud has gone unhacked. Trust the cloud, don't trust the people who hold the keys to the kingdom when they get duped by people on the phone.
 
Everything is pointing to the accounts being hacked into due to weak passwords or security questions. Apple's not at fault for any of that.

If the system itself was compromised, it wouldn't be targeted people whose information was leaked, it would be anyone and everyone.
 
Everything is pointing to the accounts being hacked into due to weak passwords or security questions. Apple's not at fault for any of that.

If the system itself was compromised, it wouldn't be targeted people whose information was leaked, it would be anyone and everyone.

Go look at AnonIB then. It wasn't nearly so limited in scope.
 
Guessing celebrity security questions is not a new thing, and people have and will go to prison for it:

"In 2008, college student David Kernell hacked then-Alaska Gov. Sarah Palin's email account by finding the answers to her security questions -- like the fact that she met her husband in high school -- via Google search. In 2010, Kernell was sentenced to a year in prison.

Also in 2010, Christopher Chaney, 35, hacked the email accounts of about 50 celebrities -- including actress Scarlett Johansson and pop singer Christina Aguilera -- by using publicly available information to guess the answers to their security questions. He then posted nude photos of Johansson that surfaced on celebrity websites. In 2012, Chaney was sentenced to 10 years in prison."

http://www.huffingtonpost.com/2014/...3270.html?utm_hp_ref=technology&ir=Technology
 
10 YEARS for tits? People serve less time for beating the living crap out of their wives.
 
10 YEARS for tits? People serve less time for beating the living crap out of their wives.

Or for killing people. I live near Chicago, so here's a nice example:

http://heyjackass.com/enlightening-commentary/honor-student-of-the-month/


Typically we bestow our “Honor Student of the Week” award on that deserving individual who best illustrates the values of folly, imbecility, inanity, lunacy, idiocy and downright stupidity. However, this time around, we cannot in good conscience limit it to just one week, therefore Richard Magnan will be our “Honor Student of the Month” (and maybe year).

“Richard Magnan, who has numerous face tattoos, including one that reads, “Fuck the world” and a White Sox logo, was friends with Joel Bentley — the man he shot in the early morning hours of July 5, Assistant State’s Attorney Alexandra Molesky said.
.
.
.

“Magnan was previously sentenced to eight years in prison for a 2003 murder.

He also has two convictions for possession of a stolen vehicle and a 2004 weapon conviction from Nevada.”
 
Or for killing people. I live near Chicago, so here's a nice example:

http://heyjackass.com/enlightening-commentary/honor-student-of-the-month/


Typically we bestow our “Honor Student of the Week” award on that deserving individual who best illustrates the values of folly, imbecility, inanity, lunacy, idiocy and downright stupidity. However, this time around, we cannot in good conscience limit it to just one week, therefore Richard Magnan will be our “Honor Student of the Month” (and maybe year).

“Richard Magnan, who has numerous face tattoos, including one that reads, “Fuck the world” and a White Sox logo, was friends with Joel Bentley — the man he shot in the early morning hours of July 5, Assistant State’s Attorney Alexandra Molesky said.
.
.
.

“Magnan was previously sentenced to eight years in prison for a 2003 murder.

He also has two convictions for possession of a stolen vehicle and a 2004 weapon conviction from Nevada.”


I know it's not related to the thread or anything but...

...That first neck tattoo is like a flashing sign that shows the world you've given up on decency.
 
I know it's not related to the thread or anything but...

...That first neck tattoo is like a flashing sign that shows the world you've given up on decency.
Awww...you mean you wouldn't hire guys like this:
23535529_BG1.jpg

Yes, it's an AK-47 tat on his forehead, and yes, it's also from Chicago. There are some winners here.
And sorry to get off track, but I bet this guy even gets less than 10 years.
10 years for hacking a system and leaking pictures is too much.
Invasion of privacy, yes. Very wrong, yes. Major prison time? I think something better could be done with these people, like maybe putting them to work for the government to hack anything ISIS related. Shut them and their backers down.
 
Oops, still a bit off track, so let me try to get back....

Apple said "After more than 40 hours of investigation.." That's it? That's only 5 guys, one 8 hour day each, and part of that time was probably several meetings.

Also they say "targeted attacks". Well, yes, but why did they have a system that allowed these brute force attacks, and why didn't anyone notice what was going on? After a few failed attempts at passwords or whatever, why didn't that set off any flags? Why isn't the real account holder notified somehow also?
 
Everything is pointing to the accounts being hacked into due to weak passwords or security questions. Apple's not at fault for any of that.

If the system itself was compromised, it wouldn't be targeted people whose information was leaked, it would be anyone and everyone.
Sorry, we hate Apple around these parts so anything negative with the slightest involvement of Apple is always Apple's fault because they're a company for n00bs and they suxors the dixors.
 
People really need to understand that yes, Apple is at fault for this. Why? Because they set unlimited attempts...... in short they stuffed up.

They should have set it to 5 attempts lockout.... problem solved. One of the oldest hacks in the book, very simple to protect.
 
Sorry, we hate Apple around these parts so anything negative with the slightest involvement of Apple is always Apple's fault because they're a company for n00bs and they suxors the dixors.

So this wasn't real?

It’s believed that the images were stolen by exploiting a glitch in Apple’s Find My iPhone service for people looking to track or shut down their lost devices. Normally, an iPhone user’s account would be locked out after a few failed password attempts, but the glitch allowed a remote hacker to run through multiple passwords until finding the one that unlocked the account.
 
It sounded like it was a s.e attack from many different people over a long period of time. Probably started well before dual stage login was implemented. There was nothing Apple could have done in this case, and until hard evidence emerges, iCloud has gone unhacked. Trust the cloud, don't trust the people who hold the keys to the kingdom when they get duped by people on the phone.

For me personally, the problem with cloud is that you are storing your stuff on another computer, which means there's always a chance that someone else can access your stuff. Whether it's because the password got compromised, the cloud got hacked, someone inside the company, etc.

IMO, if it's something that is very important, we should never trust the cloud, there's always a chance that something might go wrong and it's not worth taking the risk.
 
IMO, if it's something that is very important, we should never trust the cloud, there's always a chance that something might go wrong and it's not worth taking the risk.

Do you use online banking?
 
Apple isn't lying. This wasn't a breach. It was simply a lack of security mechanisms against brute forcing of passwords. Celebs are a level of stupid that they use ridiculously easy passwords because they "can't be bothered" to remember something difficult like that. They got what was coming to them and deserve whatever else comes their way as a result of their own stupidity. Hoorah to the hackers and let the celeb nudies commence over and over.
 
Do you use online banking?

Yes, because it's a necessity. People do get phishing attacks, risk of card skimmers, etc, but banking is a necessity as you can't magically do online payment without online banking, and the benefits of keeping your money in a bank far outweigh its risk.

It's hardly comparable to cloud storage. There's absolutely no necessity in storing pictures of our naked body on cloud storage.

And IMO because banks have more at stake when it comes to security, it stands to reason that they would employ the best security possible, and I would certainly trust their security more than Apple's (not that I hate Apple, but based on what's at stake)
 
Well. Hacking iCloud vs convincing the iCloud that you are the person because you have so much of their info (including their email address already) is technically different.
 
Oops, still a bit off track, so let me try to get back....

Apple said "After more than 40 hours of investigation.." That's it? That's only 5 guys, one 8 hour day each, and part of that time was probably several meetings.

You know full well that wasn't 40 man-hours of investigation.

Also they say "targeted attacks". Well, yes, but why did they have a system that allowed these brute force attacks, and why didn't anyone notice what was going on? After a few failed attempts at passwords or whatever, why didn't that set off any flags? Why isn't the real account holder notified somehow also?

Let's say you put such a notification on the account of the most popular young female in the world. How often would it go off? Ten times a minute? Ten times a second? Do you think these attacks happen in a vacuum?
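
Added example, not part of any post in this thread and not Apple's code: a sketch of the controls the posts above argue about, namely a 5-failure lockout counted per account across every endpoint (so a second API cannot be used to keep guessing) and owner alerts coalesced to one per interval so a heavily targeted account is not flooded. `LoginGuard`, the endpoint names, the durations and the sample password are hypothetical.

```python
import time
from collections import defaultdict

MAX_FAILURES = 5        # lockout threshold suggested in the thread
LOCKOUT_SECONDS = 900   # assumed lockout duration
NOTIFY_INTERVAL = 3600  # assumed: at most one owner alert per hour

class LoginGuard:
    """Failure counter keyed by account only, shared by every endpoint."""

    def __init__(self, verify, clock=time.monotonic):
        self.verify = verify            # callable(account, password) -> bool
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.last_notice = {}
        self.notices = []               # stand-in for e-mail/push delivery

    def attempt(self, endpoint, account, password):
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"             # refused before the password is tested
        if self.verify(account, password):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
            self._notify(account, endpoint, now)
        return "denied"

    def _notify(self, account, endpoint, now):
        # Coalesce alerts so repeated lockouts do not spam the account owner.
        last = self.last_notice.get(account)
        if last is None or now - last >= NOTIFY_INTERVAL:
            self.last_notice[account] = now
            self.notices.append((account, endpoint))

def simulate():
    """Constructed scenario: 40 guesses split over two endpoints, then the owner."""
    t = [0.0]
    guard = LoginGuard(lambda a, p: p == "correct horse", clock=lambda: t[0])
    results = []
    for i in range(40):
        endpoint = "web_login" if i % 2 == 0 else "device_locator_api"
        guess = "correct horse" if i == 30 else f"guess{i}"
        results.append(guard.attempt(endpoint, "alice", guess))
        t[0] += 1.0
    t[0] += LOCKOUT_SECONDS             # lockout expires before the owner returns
    owner = guard.attempt("web_login", "alice", "correct horse")
    return results, guard.notices, owner

if __name__ == "__main__":
    print(simulate())
```

In the simulated run even the correct guess at attempt 30 is refused because the account is already locked, and the owner receives a single alert rather than one per failure.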
 
It seems that many of you are vastly underestimating the level of attack that the privacy of celebrities is under. There are legions of data thieves, and the effort is nearly governmental in scale. The Find My iPhone exploit that some of you are criticizing is noted as "not necessary or never discovered"; it's trivial compared to the array of tools and techniques already in use.

Apple will not come out of this vindicated or looking good no matter how they spin it; they need significant changes to iCloud security to make it so they aren't the easiest target. Apple needs to completely rethink iCloud security; they erred by going too far on the convenience side of the convenience vs security dilemma.
 
Speaking of which, Apple has changed their App store developers review guidelines.

-HealthKit framework cannot be used to store any user's health information to the iCloud.
-No sharing of health data.
-Diagnoses, treatment, control software to diagnose/treat medical conditions that aren't approved by FDA will get rejected.
-Apps using the HealthKit framework have to provide privacy policy or they'll be rejected.
-Apps are not allowed to use data gathered from HomeKit, API for adverts or for datamining.
-Apps may not use HealthKit API for medical research

Looks like Apple doesn't want to bear the user responsibilities with iCloud.
 
Technically, it's not a breach as there is no code that was compromised or backdoor that was used. They're using this fact to absolve themselves from any responsibilities, despite having a flawed security scheme that makes it too easy for people to recall passwords based on security questions.
 
Amazing how 'tepid/insipid' the media are when Apple or a product of Apple gets some negative spotlight.

If this was Microsoft it would be a pack of rabid dogs reporting on the story.
 
Oh and any security changes that come down the line for iCloud will be listed by the media as "welcome enhancements to security".
 
Amazing how 'tepid/insipid' the media are when Apple or a product of Apple gets some negative spotlight.

If this was Microsoft it would be a pack of rabid dogs reporting on the story.

I think it's hysterical. Hollywood has an incestuous relationship with Apple; if you've watched a movie in the last 25 years you could easily see that (which I'm sure you have). So when Apple is part of a major problem you don't see it really reflecting in movies that glorify Apple products which are just splashed all over the place as set dressing.

It's really crazy how much product placement Apple gets in Hollywood. One of many, many examples (House of Cards):

 
iCloud is 100% secure!
Nobody hacked shit, we gave it away!:D
 
I think it's hysterical. Hollywood has an incestuous relationship with Apple; if you've watched a movie in the last 25 years you could easily see that (which I'm sure you have). So when Apple is part of a major problem you don't see it really reflecting in movies that glorify Apple products which are just splashed all over the place as set dressing.

It's really crazy how much product placement Apple gets in Hollywood. One of many, many examples (House of Cards):


Indeed.

However, it's a fairly recent thing to be honest as Apple didn't have much in the way of sexy pre 2007. Up until 2009 if you watched a movie or TV show the laptop that was most likely to be used was....

A 2006/7 Dell Inspiron 1500 type in silver with white trim.

I don't know how but Hollywood must have bought a shit load of them. We tended to notice because my Gf had one and it was amazing how often you'd see them centre of shot. "There's your laptop again!"
 
I bet most people who are making light of this were also ready to storm the NSA offices with pitchforks and tar because they felt their privacy was invaded.
 
Speaking of which, Apple has changed their App store developers review guidelines.

-HealthKit framework cannot be used to store any user's health information to the iCloud.
-No sharing of health data.
-Diagnoses, treatment, control software to diagnose/treat medical conditions that aren't approved by FDA will get rejected.
-Apps using the HealthKit framework have to provide privacy policy or they'll be rejected.
-Apps are not allowed to use data gathered from HomeKit, API for adverts or for datamining.
-Apps may not use HealthKit API for medical research

Looks like Apple doesn't want to bear the user responsibilities with iCloud.

Actually...I'd call all of those basic decency that I'd honestly expect (or hope for perhaps) in the first place.
 
Just like Apple wasn't responsible for that neat little trick iTunes had several years back that all it took to change the password was a couple of wrong guesses and then click the button for change password. No question, no put in old password, just enter new password. Yep they tried to blame that on users too. The joke is that the cloud sucks in every possible way, most people have zero idea that when they delete something on their phone it's not really deleted. Not to mention that most people likely have zero idea they even use any cloud service.
 
It seems that many of you are vastly underestimating the level of attack that the privacy of celebrities is under. There are legions of data thieves, and the effort is nearly governmental in scale. The Find My iPhone exploit that some of you are criticizing is noted as "not necessary or never discovered"; it's trivial compared to the array of tools and techniques already in use.

Apple will not come out of this vindicated or looking good no matter how they spin it; they need significant changes to iCloud security to make it so they aren't the easiest target. Apple needs to completely rethink iCloud security; they erred by going too far on the convenience side of the convenience vs security dilemma.

It seems you have forgotten that Apple makes devices for idiots. They don't really have much choice as to which side of the convenience vs security dilemma they pick.
 