Free Republic
Apple: Stolen Celeb Nudes Were Result Of Good Guessing, Not Data Breach
Consumerist ^ | September 2, 2014

Posted on 09/02/2014 3:42:43 PM PDT by SMGFan

To: driftdiver

I admit I have no idea what iCloud is, this is the first time I’ve heard of it, I do not know what its intended purpose is; however, if it is intended to store any type of sensitive data the vendor is really doing it wrong.

This is how I approached my argument, that my assumption is it is some type of online backup service or WAN-NAS. In either case, the security-minded approach is to provide a client-side application that encrypts data with a client-private key that the server will never know. The API is simply “Server, store this in block #123”. Server responds, “okay, looks like line noise but you’re the boss.” Client later goes, “server, give me block #123.” Server responds, “here you go client, I sure hope to hell you know what this is because I have no idea.”

Once the service is doing anything with plaintext the whole chain of security breaks down, therefore the service can never see plaintext. With this approach there is no need for a server account other than for billing purposes. I could request all of JLaw’s blocks and still have no idea what they are unless I had NSA-level gear and a strong desire.


61 posted on 09/02/2014 6:15:48 PM PDT by John Robinson (HTML::Parse: Skipping unknown tag sarcasm)
[ Post Reply | Private Reply | To 55 | View Replies]
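
The block-store exchange described in post 61, as an added example that is not code from the thread or from any vendor. The class names are hypothetical, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, secrets

class BlockServer:
    """Stores opaque blobs by block number; never holds a key or plaintext."""
    def __init__(self):
        self.blocks = {}
    def store(self, block_no, blob):
        self.blocks[block_no] = blob
    def fetch(self, block_no):
        return self.blocks[block_no]

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode (stand-in for a vetted cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class Client:
    """Derives keys locally from a passphrase the server never sees."""
    def __init__(self, server, passphrase, salt):
        master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)
        self.enc_key, self.mac_key = master[:32], master[32:]
        self.server = server

    def _tag(self, block_no, nonce, ct):
        # Binding the block number stops the server from swapping blocks unnoticed.
        return hmac.new(self.mac_key, block_no.to_bytes(8, "big") + nonce + ct,
                        hashlib.sha256).digest()

    def put(self, block_no, plaintext):
        nonce = secrets.token_bytes(16)          # fresh per write
        ct = _xor(plaintext, _keystream(self.enc_key, nonce, len(plaintext)))
        self.server.store(block_no, nonce + ct + self._tag(block_no, nonce, ct))

    def get(self, block_no):
        blob = self.server.fetch(block_no)
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._tag(block_no, nonce, ct)):
            raise ValueError("block failed authentication")
        return _xor(ct, _keystream(self.enc_key, nonce, len(ct)))
```

Anyone who fetches a block without the passphrase, including the server operator, gets only the nonce, ciphertext and tag.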

To: RIghtwardHo

>> “biometrics of all kinds as the technology is perfected.” <<

.
Yes, you have already established that you are a fan of the beast.
.


62 posted on 09/02/2014 6:17:15 PM PDT by editor-surveyor (Freepers: Not as smart as I'd hoped they'd be)
[ Post Reply | Private Reply | To 11 | View Replies]

To: John Robinson

(Little herderp, needs some type of security so that users don’t overwrite each other’s data, but that’s a different issue and isn’t as big of a breach as losing propriety of your data.)


63 posted on 09/02/2014 6:19:39 PM PDT by John Robinson (HTML::Parse: Skipping unknown tag sarcasm)
[ Post Reply | Private Reply | To 61 | View Replies]

To: DBrow; gunsequalfreedom

“Don’t blame the victims of their own stupidity!”
.


64 posted on 09/02/2014 6:21:05 PM PDT by editor-surveyor (Freepers: Not as smart as I'd hoped they'd be)
[ Post Reply | Private Reply | To 42 | View Replies]

To: batterycommander

Honestly, the pix are just pretty mundane photos teen-20-something young women send to their boyfriends these days. They clearly aren’t blackmail photos, just pix sent to distant lovers, bawdy moments and occasionally some pretty anonymous sexual mechanics.

If the women involved weren’t famous, no one would even notice these photos among the millions of naked photos on the internet of women posing in mirrors holding their phones blocking part of their face.

It is reflective of our society normalizing the idea of sending naked selfies to lovers rather than any archaic idea of blackmailing women with nude photos.


65 posted on 09/02/2014 6:26:29 PM PDT by MediaMole
[ Post Reply | Private Reply | To 14 | View Replies]

To: editor-surveyor

If I hacked FR and took some members’ private messages and made them all public, that would be the member’s fault first, then FR’s security system, right?

Not my fault.


66 posted on 09/02/2014 6:32:33 PM PDT by DBrow
[ Post Reply | Private Reply | To 64 | View Replies]

To: Drew68

Couldn’t tell by me. I don’t follow Hollywood much, had never heard of her before.


67 posted on 09/02/2014 6:34:17 PM PDT by nascarnation (Toxic Baraq Syndrome: hopefully infecting a Dem candidate near you)
[ Post Reply | Private Reply | To 60 | View Replies]

To: LibertyOh

I give bogus answers to those.


68 posted on 09/02/2014 6:41:38 PM PDT by wally_bert (There are no winners in a game of losers. I'm Tommy Joyce, welcome to the Oriental Lounge.q)
[ Post Reply | Private Reply | To 43 | View Replies]

To: LibertyOh
My understanding is that Apple allows one to recover their userid and/or password by answering a few security questions. Let’s see - mother’s maiden name, pet, ... - all likely publicly available

It should be taught in elementary school: Lie about that information, but make sure you can remember or locate a backup of those lies.

69 posted on 09/02/2014 7:19:51 PM PDT by TChad (The Obamacare motto: Dulce et decorum est pro patria mori.)
[ Post Reply | Private Reply | To 43 | View Replies]

To: eyeamok
Why anybody would give a damn about a bunch of whiny hypocrite jesters is beyond me.

This story isn't about them. It's about privacy. With them it's their lame pictures. With you or someone else it could be financial information.

70 posted on 09/02/2014 7:23:29 PM PDT by Lizavetta
[ Post Reply | Private Reply | To 27 | View Replies]

To: MediaMole

I guess I’m from another century. I did not realize the extent of this practice. My cell phone is ancient and has no capability to photograph. Have all the young women turned into sluts? Is promiscuity now common? Are there any nuns left? I guess it went downhill when our priests started diddling the young children. G-d help us.


71 posted on 09/02/2014 7:38:05 PM PDT by batterycommander
[ Post Reply | Private Reply | To 65 | View Replies]

To: babygene
10 is way too few. A hacker is not going to “brute force” a password with 100 tries.

Right, but anyone failing 10 times, with a warning, should be locked out until the secondary verification is done. No one needs more than 10 tries, and anyone trying more than that is usually up to no good. If you forget the password, hit the link for resetting the password. Brute force might require millions of tries, true; however someone using social engineering (family info, birthdays, phone numbers, etc.) might guess after 20 or 30 tries. Some systems only allow 4 or 5 mistakes--financial places usually. That is smart.

72 posted on 09/02/2014 7:40:31 PM PDT by Defiant (4 main US grps: conservatives, useless idiots (aka RINOs), marxists and useful idiots (aka liberals))
[ Post Reply | Private Reply | To 35 | View Replies]

To: batterycommander

I guess that’s why the muzzies hate us so. They don’t put up with this promiscuity at all. They cut off heads and other members for even showing your ankle.


73 posted on 09/02/2014 7:48:47 PM PDT by batterycommander
[ Post Reply | Private Reply | To 71 | View Replies]

To: RIghtwardHo
Passwords are ridiculous. We should go to fingerprints, eye scans, voice ... biometrics of all kinds as the technology is perfected.

We should go to hanging hackers in the public square. Keep a webcam on them until the crows & maggots are through with the remains.

On a less violent and vengeful note, perhaps Symantec should offer a "Norton 360 Payback" version. The main feature being the option of "You steal my data, you also get an embedded virus/Trojan/worm that will absolutely FRY your computer & LAN".

74 posted on 09/02/2014 7:53:23 PM PDT by BwanaNdege ( "Our Emperor may have no clothes, but doesn't he have a wonderful tan" - MSM)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Defiant
If I understand what happened correctly, they were able to get the codes because Apple doesn’t lock out a person after a certain number of incorrect attempts are made to guess the password. So, you can try to get on using one of the millions of easy passwords that people typically use, and try endlessly until one works. That, if true, is a very bad flaw in a system that contains very private data online. It should lock a user out after 10 attempts or so.

No, Apple does lock you out after five attempts. What was done was using the "I forgot my password" reset system, where the user is allowed to change passwords by answering security questions. For most people, this is safe. Not so for celebrities. It is easy to learn, for example, the answer to "What was the make of your first car?" from reading fan magazine bios of the celebrity, where pictures from their early life are shown. Other questions like "Where did your parents meet?" are often included in such articles that fans read. For the rest of us nobodies, those are unknowables.

Apple investigated and discovered that all of the compromised accounts had their passwords changed in the past week. There was no brute force invasion, just research. . . and NONE of the celebrities used Apple's recommended two-factor security requirement to access their account which would have prevented this.

75 posted on 09/02/2014 8:00:51 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 8 | View Replies]
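
The lockout threshold from post 72 and the reset path from post 75, combined as an added example that is not code from the thread or from Apple. The `Account` class and its method names are hypothetical; the one-time code is returned by `start_reset` only to simulate delivery to the owner's enrolled device.

```python
import hashlib, hmac, secrets

MAX_FAILURES = 10  # threshold suggested in post 72

def _hash(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Account:
    def __init__(self, password, answer):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.answer_hash = _hash(answer.strip().lower(), self.salt)
        self.failures = 0
        self.locked = False
        self.pending_code = None  # one-time code sent to the enrolled device

    def login(self, password):
        if self.locked:
            return "locked"
        if hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # stays locked until a completed reset
        return "denied"

    def start_reset(self, answer):
        """A correct security answer only sends a code; it changes nothing."""
        given = _hash(answer.strip().lower(), self.salt)
        if not hmac.compare_digest(given, self.answer_hash):
            return None
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        return self.pending_code  # simulation of out-of-band delivery

    def finish_reset(self, code, new_password):
        """Requires the device code, so a researched answer is not enough."""
        pending, self.pending_code = self.pending_code, None  # single use
        if pending is None or not hmac.compare_digest(code, pending):
            return False
        self.pw_hash = _hash(new_password, self.salt)
        self.failures, self.locked = 0, False
        return True
```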

To: SMGFan
Well, the celebrity accounts were breached NOT by hacking but by good research. The hacker used "I forgot my password" to reset the celebrity user's password by answering her security questions. For most of us, these are a good way to provide a secure way to let us get in but not so for celebrities. No one will be able to easily learn the answers to "Where did your parents meet?" or "What was the first car you owned?" for us nobodies, but for celebrities, the answers to these questions can be often found in fan magazine biographies.

The "hacker," it turns out, merely went in, claiming he was the celebrity who had forgotten her password, answered the simple security questions, and changed the password. . . and downloaded the photos and videos. Had these celebrities used Apple's recommended two-factor authentication, it could not have happened because the women would have been contacted before the hacker could get any farther. . . but they did not use it. Every celebrity that was compromised had her password changed.—PING


Apple iCloud Hollywood Hack Answer Ping!

If you want on or off the Mac Ping List, Freepmail me.

76 posted on 09/02/2014 8:17:42 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Defiant
If I understand what happened correctly, they were able to get the codes because Apple doesn’t lock out a person after a certain number of incorrect attempts are made to guess the password.

I don't think that's the case. You get several tries, then you need to reset your password via link in your email. The situation is that these vacuous stars use weak passwords, or no password at all. The "hackers" used an attack hunting for accounts that used nonexistent, simple or default passwords such as "password". I've helped people by fixing their computers, and am astounded at how many use the default login ID and default password present from opening a new computer. Same goes for Internet use; many can't be bothered with a "complex" password and resort to using "password" or "1111" or some variant.

77 posted on 09/02/2014 8:17:57 PM PDT by roadcat
[ Post Reply | Private Reply | To 8 | View Replies]

To: Ainast
Apple requires a very complex password. Must have been a helluva brute force attack.

Turns out it wasn't a brute force attack. . . it was finessing the security questions by researching the celebrities and knowing what the answer was. . . then changing her password.

78 posted on 09/02/2014 8:20:48 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 22 | View Replies]

To: Swordmaker

Thanks for clearing that up.


79 posted on 09/02/2014 8:33:31 PM PDT by Defiant (4 main US grps: conservatives, useless idiots (aka RINOs), marxists and useful idiots (aka liberals))
[ Post Reply | Private Reply | To 75 | View Replies]

To: John Robinson

John, it is encrypted. First by the user at 128bit, then by Apple to an additional 256bits on top of that after being anonymized in storage. BUT, accessing your data with a password decrypts the data so the user can access it.

What occurred here is that a “hacker” used research into the celebrities to be able to answer their security questions and change their passwords. Security questions that would work fine for average people are not useful for people whose lives are lived under microscopes and chronicled in Fanzines. Every one of the compromised celebrities’ accounts had their passwords changed in the past week. . . by someone other than the owner who correctly answered the questions.

Had these women used Apple’s recommended two-factor security, the hacker would have been stopped in his tracks. Unfortunately, they opted to not be bothered with that.


80 posted on 09/02/2014 8:34:06 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 47 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson