We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.
So, iCloud accounts were compromised, but iCloud was not compromised.
Ok.
Well, I don’t see iCloud compromised – brute forcing single accounts says nothing about the security of a system.
That brute forcing should not have worked without two major flaws at Apple’s end:
1. the Find My iPhone service lacked a working lock-out mechanism, essentially making iCloud hacking child’s play.
2. the 2-factor authorization was not working correctly, making even 2-factor protected accounts hackable.
So yeah, iCloud was breached due to security vulnerabilities in Apple services.
Edited 2014-09-02 21:14 UTC
It does when the system failed to lock the accounts after several attempts; no one allows unlimited login attempts on a modern system.
Nope, sorry, but you are wrong. It’s being reported now that it was a flaw in the “Find my iPhone” feature that allowed UNLIMITED ATTEMPTS WITHOUT A TIME LIMIT… do I really need to post a double facepalm for how pants-wettingly DUMB having unlimited attempts without a time limit is?
I mean c’mon guys, that is security 101, you NEVER EVER allow unlimited attempts with no time limit, you are just asking for brute force attacks!
The fact that you can brute-force accounts relatively easily says a lot about the security of the system.
Actually it has a lot to do with the security of the system – it should have locked out the user on the second or third failed attempt. Most websites I know have a limited number of tries before the account is locked, either for a set period of time (in the case of NZ with the RealMe service for government services the lock-out is for 15 minutes), whilst another website I use locks you out and you have to ring up the company, go through some security verification and then the account is unlocked. Whatever the case may be, the simple fact of the matter is that Apple could have and should have installed security measures so that brute force attacks do not work, but decided that ‘ease of use’ was more important than security.
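The lock-out policy the last few comments describe, written out as an added example (it is not Apple’s code and not from anyone in the thread): an in-memory login service that locks an account for 15 minutes after three consecutive failures and, separately, caps how many failures a single source address may cause across all accounts within a minute. The second rule is what catches an attacker who spreads one guess over many usernames instead of hammering one account. Usernames, passwords and addresses are made up, the hashing cost is set low to keep the run short, and the clock is passed in so lock expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

LOCK_AFTER_FAILURES = 3     # consecutive failures before the account locks
LOCK_SECONDS = 15 * 60      # cooling-off period, as in the RealMe example above
IP_WINDOW_SECONDS = 60      # sliding window for per-source failure counting
IP_MAX_FAILURES = 20        # failures one source may cause per window, any account
PBKDF2_ITERATIONS = 50_000  # deliberately modest for the demo; tune higher in production


def _verifier(password: str, salt: bytes) -> bytes:
    """Slow salted hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginService:
    def __init__(self):
        self._users = {}                        # username -> (salt, verifier)
        self._consecutive_failures = defaultdict(int)
        self._locked_until = {}                 # username -> unix time the lock expires
        self._ip_failures = defaultdict(deque)  # source ip -> timestamps of failures

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _verifier(password, salt))

    def login(self, username: str, password: str, source_ip: str, now: float) -> str:
        """Returns 'ok', 'bad_credentials', 'locked' or 'rate_limited'."""
        # 1. Per-source budget, checked first so a spraying client is cut off
        #    before it can cause any more per-account failures.
        recent = self._ip_failures[source_ip]
        while recent and recent[0] <= now - IP_WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= IP_MAX_FAILURES:
            return "rate_limited"

        # 2. Per-account lock. Unknown usernames are tracked the same way, so
        #    the lock does not reveal whether an account exists.
        if self._locked_until.get(username, 0) > now:
            return "locked"

        # 3. Credential check; an unknown user still pays the hashing cost so
        #    response time does not leak which usernames are real.
        record = self._users.get(username)
        if record is None:
            _verifier(password, b"\x00" * 16)
            valid = False
        else:
            salt, stored = record
            valid = hmac.compare_digest(_verifier(password, salt), stored)

        if valid:
            self._consecutive_failures[username] = 0
            return "ok"

        recent.append(now)
        self._consecutive_failures[username] += 1
        if self._consecutive_failures[username] >= LOCK_AFTER_FAILURES:
            self._locked_until[username] = now + LOCK_SECONDS
            self._consecutive_failures[username] = 0
        return "bad_credentials"


def simulate_guessing(service, username, guesses, source_ip, start_time=1_409_692_800):
    """Feed one guess per second at a single account and return the outcomes."""
    return [service.login(username, guess, source_ip, now=start_time + i)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    print(simulate_guessing(svc, "alice", ["123456", "password", "qwerty", "letmein"], "203.0.113.7"))
```

Note the ordering: the per-source check runs before the per-account check, and a failed guess against a non-existent account counts toward both budgets, so neither the lock nor the timing tells the attacker which usernames are real.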
I know some people wanted to immediately steer this conversation into an Apple bashing frenzy, but that’s not what needs to happen, regardless of whether Apple was at fault here or not. It might give people the impression of, ‘Well, iCloud obviously sucks, so let me upload my nude pics and/or other sensitive data to Google Drive or Dropbox, where they’ll be secure ….’
No! Just, no. Remember, there is no such thing as ‘the cloud’. It’s just a bunch of hard drives that don’t belong to you, run by people you don’t know. Just stop and think about that for a minute.
The takeaway here should be to not load sensitive data to the cloud, EVER! For ANY reason. And if you absolutely must, make sure you’re using end-to-end encryption and be prepared for the fact that it may still get compromised, esp if somebody hacks into a computer where the private key is stored, or someone with access decides to share it with everyone.
Edited 2014-09-02 20:22 UTC
To do encryption, the celebrities should hire a software developer to do it. How can you store encrypted files in the cloud? By doing end-to-end encryption, yes. But is iCloud capable of end-to-end encryption? Don’t know. But if not, people should always save their files in the cloud and be done with it. So, a storage provider should provide first the end-to-end encryption, especially for high-profile users; they need to, since these people are vulnerable to hacking. Then provide them the tools they need so that their accounts, even if compromised, will only show gibberish data. But Apple seems not to implement this, and when hackers hacked into their accounts, they saw files in plain text and in high-res pictures.
With this view, iCloud is insecure by default; if not, the accounts could not have been hacked in the first place. As a software developer, you need to make sure that your user will not mess with your software and that security measures are developed. One example is that the account must be locked if it detects three or more failed login attempts.
First, let’s talk about Apple for a bit, because it’s a bit rich letting them off the hook so easily. While Apple’s security *wasn’t* compromised, Apple offers *compromised security* on iCloud. Considering that they own the entire stack, it’s unacceptable that they cannot offer appropriate security with appropriate usability.
Now, let’s talk about trust. Imagine a bridge fell over, and the bridge builder started talking about how people shouldn’t have been walking on the bridge that way, which for some reason everyone accepted, and then we started seeing comments like: “The key takeaway here should be to not walk over bridges, EVER!”
This doesn’t happen. The situation is unique to computers and the internet, because (1) we write software poorly. If we designed software as well as we design bridges, we wouldn’t be having this conversation; and (2) Everyone is taking advantage. From Google to the NSA to random hackers on the internet. It would be like having a literal troll living under the bridge who looked at all your personal details. Worse, there’s no regulation, and the attitude seems to be “Hey, just don’t use computers”. It’s sickening.
Note that you can’t just draw the line here on “the cloud”. Any computer connected to the internet could be compromised this way, and phones are computers connected to the internet. Should one stop using phones, too?
So no, the key takeaway is not to stop using the cloud or the internet or computers. It’s to make these things trustworthy again. It’s to make the institutions and companies trustworthy again. It’s to fix all our software and take security seriously. It’s to teach society to value that security.
Who said anything about stop using the cloud? I just said don’t upload anything sensitive there. Even on your own computer, you should at the very least have sensitive data password protected.
And I suppose your solution to rape is to just tell men not to do it? Sorry, but the rest of us have to live in this little thing called reality, where we take precautions against things that should not be, but are.
Edited 2014-09-03 02:07 UTC
What do you mean trustworthy again? Unless you’re naive, they were never trustworthy to begin with. And events like this celebrity nudes leak help remind people of the value of security by reminding them that security in the digital world is more illusion than reality.
So it’s just like security in the real world then.
We should also not immediately steer this conversation into a cloud bashing frenzy.
This is the Apple PR machine ramped to 11.
Of course they failed… If it turns out that their systems didn’t recognise a brute force attack.
As I understand it the normal iCloud software reacts to repeated and frequent failed login attempts… but the Find My iPhone service didn’t, which was the way in. I read that engineers quickly implemented rate limiting….
So yes it was a failure of basic security measures by apple.
I would expect Google’s services to recognise brute force attempts and react accordingly.
Edited 2014-09-02 21:12 UTC
Agreed 100%.
Sadly, most sites have just published the press release verbatim without pointing out the obvious flaws in it. I guess that’s the price you have to pay to get early access to iPhone 6 review units…
Update: seems Apple are denying that Find My iPhone was the entry.
would be good to know what it was… to, you know, build trust.
Thank you for your complex password, which no human could ever guess, now please answer one of these 5 very easily guessable security questions, which will be used in case you forget your password. Would you like to enable a cookie that will make it so that you don’t have to remember your password, and will henceforth make this particular device completely insecure if stolen?
It’s entirely believable that this may have been failures of security on the users’ end. Of course certain policies lend themselves to creating users with habits that leave themselves vulnerable.
I can’t believe we still have security experts telling us to create complex passwords.
We don’t want complex passwords.
We want *good* passwords, that are easy for us to remember but hard for the baddies to guess.
Like the first letters from each word of a favourite song …..
Or how about we build in proper password managers into computers. Generate site-specific passwords, store in encrypted keyring, encryption key to keyring and the passphrase to decrypt it never leaves the device and is not reused elsewhere. That’s what I do, albeit with shell commands and EcryptFS, so it lacks a certain bit of polish.
Me, I just use Keepass2 on my tablet, phone, laptop and desktop and I have the Keepass2 database on autosync to my ownCloud-server. I also have a script that encrypts the database with yet another phrase and then makes a backup of it on Dropbox.
Well done for taking those measures. Sadly you are more of the exception rather than the rule.
Do you think that ‘celebs’ would (in the main) have enough brain cells in working order to even consider doing something like that? Somehow I doubt it.
Perhaps this is the wakeup call that they need to change their behaviour.
– Don’t take piccies of their private parts with their phone or tablet (doesn’t matter what sort of device it is, just don’t do it)
– Don’t leave anything on your mobile device that could embarrass you if it fell into the wrong hands. Again this is device independent
– Don’t use the name of your pet poodle/lap dog as your phone password.
The question is will they? Nah, not a hope in hell.
This will happen again. you can bet on that.
Plus I am sure that some Publicists are thinking? Hmmm…. Can we get my client’s image out there by engineering something like this? Yes, lets do it.
Any sex tape/nude picture of a B grade celebrity has probably been deliberately leaked for publicity purposes.
Edited 2014-09-03 06:43 UTC
It’s not as if using complex passwords is a bad idea. It’s not. The more complex a password is, the harder it is to crack. But since people tend to care more about convenience than security, yes better passwords is a step in the right direction.
More complex passwords aren’t a bad idea– but the way most people insist on you creating them is terrible.
When you consider the difficulty in cracking:
thisismyfavoritepassword2014
vs.
I!2mIu2b
The second password was one I used on a system that only allowed 8 character passwords. Of course, if you can get the hash these days, the time difference is about 12 seconds, but assume the hacker has no hash:
Rating complexity of the first password:
Length: 28 characters
Character Combinations: 36
Calculations Per Second: 4 billion
Possible Combinations: 37 tredecillion
And the complexity of the second:
Length: 8 characters
Character Combinations: 77
Calculations Per Second: 4 billion
Possible Combinations: 1 quadrillion
Note, the second password can be brute forced on an average desktop in about 3 days. The first one… many, many, many years.
Now, if you’re really good at passwords, you *might* notice that the 8 character password is derived from the song Yesterday by the Beatles (“I’m not half the man I used to be”), so you might be able to remember it (I could never remember if the “t” from “the” was included).
The first password, however, is trivial to remember (although a serious pain to enter on a phone/tablet, unless they let you use predictive text entry on the password, which I’ve never seen).
And of course, all of this is undone by recovery systems that will tell you someone’s username and password all because you know that their dog’s name is Rusty and that they were born in Topeka.
Then there’s Windows, which won’t let you create an account without creating a password hint that it displays the first time you mis-type the password.
How about:
thisismyfavoritepassword2014
vs.
I!2mIu2bI!2mIu2bI!2mIu2b2014
Sure. Now, go ahead… type that into a field where you’ve got no terminal echo, and type it reliably.
I had that password for 6 months, and I typically had to type it twice every time I used it (usually around 1-2 times a week).
So as an industry, we insist on insanely complex password rules, with arbitrary expiration dates, and when the customer calls because they’ve forgotten their terribly difficult to remember password, the industry implements a password recovery system that undermines the entire system, leading to this week’s news story.
So again– why are complex passwords better, if they lead to so-called security questions that can be answered by anyone reading your facebook page?
If you consider the overall security of a system, complex passwords just make it harder on the users– not the hackers, or the programmers, not the computers, just the users.
When our passwords were only 8 characters, complexity made sense– we’ve moved beyond that, and security concepts need to catch up.
I understand the point you’re trying to make but the truth is a repeating 8 character pattern is neither complex nor impossible to memorize, but it is more difficult to brute force. I suspect that’s why you didn’t provide the numbers. Also, typing that repeating password is no more challenging than typing the one you prefer.
People who take security seriously know enough to memorize their password, they don’t answer challenge questions in a way that could be revealed by their Facebook posts, and they tend to manage their data better. Yes, the methods used to recover lost passwords leave something to be desired. But, so does people’s attitude towards passwords. People are lazy and whenever there’s real work involved, especially the kind that invokes a mental exercise like memorization, they look for the easy way out. The average user only takes security seriously after the fact. Since asking people to be more committed to their own security is out of the question, the only alternative is to force it on them by requiring passwords that are more complex.
Btw, “thisismyfavoritepassword2014” could be attacked a number of different ways (dictionary, alphanumeric, etc) and be compromised without taking many many years. A dictionary attack would never break “I!2mIu2bI!2mIu2bI!2mIu2b2014”. I fail to see how “thisismyfavoritepassword2014” is any better by being an easier & more susceptible target.
Being smart about passwords in my opinion starts with not being so lazy. After all, passwords are supposed to be the wall between your precious data and the world. You would think people would be willing to put in a little extra effort.
You don’t really need complex passwords. You just need a 15 minute access lock if three consecutive false attempts are made (my bank does this). This makes guessing or brute force attacks effectively impossible.
A complex password to crack doesn’t directly translate into a complex password to memorize. A good example of this is a repeating 8 random character password as mentioned in other posts. Memorizing 8 random characters is not exactly rocket science. Repeating it 4 times takes no extra brain power. But brute forcing that 32 character password would take ridiculously long. I would trust that before I trust a far more simplistic password & fingers crossed some hacker (or his auto-hacking tool) doesn’t have the patience for 3 attempts every 15 minutes.
Three passwords per 15 minutes is a maximum of 26,000 attempts per year. This is never going to happen unless vital state secrets are involved.
A basic English dictionary attack would take several decades. That means virtually any 5+ letter alphanumeric password except password is safe in practice. To be totally safe you could simply freeze the account after 10 failed attempts in 24 hour period.
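The arithmetic in the two password-complexity posts above (keyspace at 4 billion guesses per second) and in the lock-out post just above (3 tries per 15 minutes), put into code as an added example that is from neither commenter. It shows three views of the same question: the worst-case offline figure the thread quotes, a small hybrid dictionary attack in which a long password built from common words and a year falls in a few hundred thousand guesses while the 8-character random one is never produced, and the online budget an attacker gets against a lock-out policy. The character classes come from Python’s string module (so the symbol set is 32, not the 77-character alphabet the commenter assumed), and the wordlist and suffix list are a constructed toy.

```python
import itertools
import string

# Character classes a naive brute-forcer assumes once it sees one member of
# the class in the target; string.punctuation is 32 symbols.
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
GUESSES_PER_SECOND = 4e9     # the offline rate quoted in the thread
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed toy wordlist; a real attack uses millions of entries and many more rules.
TOY_WORDS = ("this", "is", "my", "favorite", "password", "love", "the", "dog")
TOY_SUFFIXES = ("", "1", "123", "2013", "2014")


def keyspace(password: str) -> int:
    """Alphabet size a brute-forcer must assume for this password."""
    return sum(len(c) for c in CHAR_CLASSES if any(ch in c for ch in password))


def brute_force_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace; the figure the thread quotes."""
    return keyspace(password) ** len(password) / rate


def hybrid_dictionary_attack(target, words=TOY_WORDS, max_words=5, suffixes=TOY_SUFFIXES):
    """Concatenate up to max_words dictionary words and append a suffix.
    Returns how many guesses it took to hit the target, or None when the
    target cannot be assembled from the dictionary at all."""
    guesses = 0
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            base = "".join(combo)
            for suffix in suffixes:
                guesses += 1
                if base + suffix == target:
                    return guesses
    return None


def online_guesses_per_year(attempts_per_window: int, window_minutes: int) -> int:
    """Guess budget against a lock-out that allows N attempts per window."""
    return attempts_per_window * (SECONDS_PER_YEAR // (window_minutes * 60))


def years_to_cover_online(guesses: int, attempts_per_window: int, window_minutes: int) -> float:
    """How long the online budget takes to work through a given guess list."""
    return guesses / online_guesses_per_year(attempts_per_window, window_minutes)


if __name__ == "__main__":
    for pw in ("thisismyfavoritepassword2014", "I!2mIu2b", "I!2mIu2bI!2mIu2bI!2mIu2b2014"):
        print(f"{pw!r}: keyspace {keyspace(pw)}, offline worst case "
              f"{brute_force_seconds(pw) / SECONDS_PER_YEAR:.3g} years, "
              f"hybrid-dictionary guesses: {hybrid_dictionary_attack(pw)}")
    print("online budget at 3 tries / 15 min:", online_guesses_per_year(3, 15), "guesses per year")
```

Two things the numbers make concrete: the keyspace figure only describes an attacker who refuses to use a wordlist, and the 3-per-15-minutes policy yields about 105,000 guesses a year, so even the toy dictionary’s 187,240 candidates take well over a year to exhaust online. Which password is stronger therefore depends entirely on whether the attacker has the hash or has to go through the login form.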
If it’s as simple as you claim, why do you suppose this is such a big problem?
Mmmm, cloud storage open to the NSA and vulnerable to crackers who will try and try to break into the system / vulnerable accounts. Obviously being open to brute force attacks is a fault.
As for strong passwords, “#7fgQP9)(^7gdT” is impossible to remember; what we should be asked to remember are phrases like “apples are not better than oranges but I like figs”, which are much easier to remember and hard to crack.
I curse a lot against these sites which have a max length of password, ‘no space allowed’, or ‘not this char in your password’.
Microsoft is a big culprit in this practice.
Randomized passwords like “#7fgQP9)(^7gdT” are not impossible to remember. They’re just not convenient to memorize. Also, using phrases for passwords is worse than people using personal references to their favorite food, car, teacher, sibling, vacation spot, or whatever else because it removes anything specific to that person. Using a phrase is too generic.
Humans are almost infinitely better at remembering meaningful phrases than random sequences. Most people can easily memorise a paragraph (or even an entire chapter) from a book with 100% accuracy. Virtually no one can remember multiple rarely used long random alphanumeric sequences.
Here’s an example of a very easy to remember and sufficiently strong passphrase: Do you like bananas?.
That’s like saying people are infinitely better at solving addition/subtraction problems than they are algebra problems. One being easier doesn’t automatically mean the other is more difficult. It may just take a little more effort on your part.
You don’t think anyone can memorize a random 8 character sequence that repeats a couple times? That’s an absurd claim. You’re either vastly underestimating what the average person is capable of, or you’re vastly lazy.
Sufficiently strong against what? Common phrases like that can be successfully attacked a number of different ways so I would suggest people put a little more effort into not using completely generic passwords. Recommending people use passwords that can be compromised several ways may seem `good enough` but is it actually secure? No, and certainly not more than a password that can only be brute forced.
If the answer to this problem was so simple, we wouldn’t have this problem. Laziness is a big part of it, and so is over-simplification. I’m not suggesting it needs to be rocket science however, just people being less lazy and passwords less simplified.
Edited 2014-09-04 15:35 UTC
Wrong. Experiments show that memorising random data is several orders of magnitude more difficult than remembering a meaningful pattern. This applies equally to the written word, music and chess moves.
Of course meaningful or associative passwords are easier to memorize. That was never in question. But, I did and am calling BS on the idea that the average people can’t memorize a randomized 8 character pattern. That’s hardly challenging an average persons mental capacity. Repeating that short 8 character pattern takes zero effort, but makes the password a magnitude more difficult to break with each repeat. If you honestly believe memorizing 8 random characters is an extremely herculean task then we’ll have to agree to disagree.
So, I stand by what I said… Difficulty isn’t the issue with people creating harder-to-break passwords, laziness is. It’s simply not that you can’t, it’s that you don’t want to bother.
Making / forcing people to do ‘secure’ passwords is a pipe dream.
Ever worked at a place that tried to implement ‘secure’ passwords? Every day you would get a call because someone forgot their password.. they set yesterday.
Security questions are lame, but it is a good speed bump. But as for the brute force attack, it could have been over weeks, slowly attacking the accounts. I’m sure accounts are always being attacked in some form; to do lockouts all the time would be a support nightmare.
If these accounts had proper two-factor auth turned on, I doubt they would have been hacked. Unless their email account was already hacked, or something else.
A 10-20 minute lockout will readily deter hackers. It won’t generate too many support calls because it is more hassle to call customer support than to wait.
Is that your eye in the avatar? Could be used for biometric access… ;P
Even if those accounts had not been hacked, the pictures were stored on Apple servers, for all Apple sysadmins to see.
I don’t care about the breach. Syncing to the cloud without the user knowing is just wrong, and no amount of excuse can change that. I don’t want excuses, I want policy change. My phone should not sync before I tell it to do it explicitly, and when it does it should ask me to confirm and explain what it does in plain text, clearly. I’m not sure the current behaviour is even legal.
Edited 2014-09-03 06:36 UTC
Of course Apple have fscked up with regards to allowing people to try passwords too many times. That is unacceptable and needs fixing if it hasn’t already been done. But at least it does seem like the iCloud servers haven’t been compromised. Not sure what kind of comfort this gives the users that have gotten their personal images leaked though.
As for “should have known better” before posting nude or pornographic pictures to the cloud, I would like to point out that iCloud automatically syncs all images to the cloud as long as you’ve signed up. There is no additional upload button. So if you usually get your normal photos uploaded, I imagine it is pretty easy to forget about it when you take a raunchy picture.
Apple needs to fix their login procedure and make it much easier to keep your privacy. Perhaps a “private” mode for the camera, just like in the browser, where the photo is strictly kept on the camera?
There is a lot of talk on the internets about “brute forcing” this, cloud security that, but the reality is probably something as simple and common as people using the same password on a bunch of websites.
All it takes is someone using the same password and email on some dinky little website out there, and later when that site is compromised and the passwords leak, all the attacker has to do is try that email and password combination on a bunch of other websites to see where they can get in.
It is likely to be something as dumb as that.
That is definitely one option, and it happens all the time. Many people tend to use the same passwords all over the place.
But once you’ve run a server, you’ll see that brute forcing isn’t just something that happens to other people. A while back, we tried setting up several services, and removed all restrictions on retries (forum accounts, some blog software and even ssh), and then kept an eye on the logs.
Within hours of setting up the server everything had crazy amounts of failed password attempts for root, admin, administrator and so on, all from very few IP addresses. This was on a completely new setup, with zero interesting content.
So yes, a weak password is enough in itself, if brute forcing is allowed; you don’t necessarily have to use dodgy websites that’ll share your login info.
It takes ages to do it, but if no one is keeping an eye on it, and nothing stops it automatically, you have all the time you want.
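What “keeping an eye on the logs” looks like when automated, as an added example that is not the commenter’s script: a detector that parses OpenSSH-style failed-password lines, groups them by source address, and flags any source that causes more than a threshold of failures inside a sliding window, reporting which usernames it tried. The log lines are constructed to resemble sshd’s syslog output (root/admin/administrator from one address, one legitimate user who mistyped once, and a slow guesser below the threshold); syslog lines carry no year, so one is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in OpenSSH syslog style; addresses are documentation ranges.
SAMPLE_LOG = """\
Sep  2 21:14:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Sep  2 21:14:03 web1 sshd[2203]: Failed password for root from 198.51.100.23 port 51024 ssh2
Sep  2 21:14:05 web1 sshd[2205]: Failed password for invalid user administrator from 198.51.100.23 port 51026 ssh2
Sep  2 21:14:08 web1 sshd[2207]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Sep  2 21:14:11 web1 sshd[2209]: Failed password for invalid user oracle from 198.51.100.23 port 51033 ssh2
Sep  2 21:14:14 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51035 ssh2
Sep  2 21:15:40 web1 sshd[2230]: Failed password for deploy from 203.0.113.5 port 40098 ssh2
Sep  2 21:15:52 web1 sshd[2230]: Accepted publickey for deploy from 203.0.113.5 port 40098 ssh2
Sep  2 21:30:02 web1 sshd[2301]: Failed password for root from 192.0.2.44 port 60010 ssh2
Sep  2 21:41:17 web1 sshd[2344]: Failed password for root from 192.0.2.44 port 60011 ssh2
Sep  2 21:55:09 web1 sshd[2390]: Failed password for invalid user admin from 192.0.2.44 port 60012 ssh2
"""

# Matches sshd's "Failed password" lines; "invalid user" marks names that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text: str, year: int = 2014):
    """Return (timestamp, source_ip, username) for every failed password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bruteforce(events, threshold: int = 5, window_seconds: int = 300):
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.
    Returns {ip: {"count": total failures, "users": sorted usernames tried}}."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))

    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"count": len(evs), "users": sorted({u for _, u in evs})}
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} failures, usernames tried: {', '.join(info['users'])}")
```

The slow guesser at 192.0.2.44 is invisible at 5 failures per 5 minutes and only shows up once the window is widened to an hour with a lower threshold, which is the trade-off behind the commenter’s “all the time you want”: a detector tuned only for fast bursts lets a patient attacker through.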
This is the most detailed and informative analysis I have come across, worth a read.
https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
It’s like an entirely new level of sad, pathetic losers.
I only take polaroids of my John Thomas and store them under the bed in an old shoe box
1. Apple’s systems should have been able to detect multiple failures and react, e.g. lock the account or rate limit, etc.
2. Using just a password is a pipe dream, but we need authentication solutions that are easy for normal people to use. Per-device-level certs that are part of the auth exchange would be ideal, because only devices with a provisioned “cert” would be able to auth.
3. When it comes to passwords, how long they are is almost more important than complexity, though there does need to be some complexity.
1 — Bad on Apple for not tightening up some basic security stuff on their Find My Mac login.
2 — If you take nekkid pics of yourself on your phone and don’t immediately delete them, you want people to see them.
I don’t believe shy people take naked selfies. I don’t think people take a naked selfie to stay private. If you have someone to fug, then go fug them don’t send pictures.
I say if you took the picture on your cell phone, in 2014 with the radio on, then you knew strangers would eventually see those pictures.
If people use the same password on different sites I think websites should not allow you to register.
Imagine signing up for a new account at OSNews and it tells you: “We’re sorry, you must use a different password, we were able to use your same user id and log into 12 different web sites”
I know this was a brute force attack and shame on Apple for not rate limiting login attempts, but still…
That’s an even worse idea since it would mean a site would actually have to know what your plain text password is for some period of time. Best practices dictate that websites should only keep the plain text password long enough to create a one-way, salted hash.
Also, there’s no way for a site to know what other sites a user frequents so what sites should it check and how many? 10? 50? 100? 1000?
That would never work, or be implemented, for many reasons. First off, sites shouldn’t keep your plain text password. Second, they wouldn’t know what sites to try for logins.
And imagine if the sites they tried were compromised in some way; they’d have given off your login/password.
One way you could do something like this is have a local program of some kind that keeps an eye on what kinds of passwords you use, and then warn you when you keep using the same for different sites. Of course, this would need all kinds of security too.
Apple are never at fault. It is obvious that the user is to blame./sarc
I’ve read that when it comes to brute force attacks, the hardest to break are nonsensical phrases combining real words with misspellings.
1 – Tw1l1ght!
2 – Twilightstinks2014
3 – Vamp Stoopid? 8flutez
#1 is easiest to crack because it’s a single dictionary word with ones substituted for I’s. Crack programs try that early.
#2 is second easiest to crack because it’s also 2 dictionary words and obvious numeric, with no punctuation or unusual characters.
#3 would take longest by brute force method, because it has 1 dictionary word and 2 non-dictionary words, punctuation, and no way to predict the phrase from known phrases. The cracker might get “Vamp” and then try to predict next dictionary words but would have infinite possibilities since Flutez or Stoopid have nothing to do with it and aren’t in any dictionary. In fact the match on “Vamp” would lead the crack program astray and ultimately it would move to the next attack.
#3 might only be slightly harder to memorize than #2. Therefore the most secure password method might be to have short nonsensical phrases for your passwords:
Garbage lamp5 Footran
Koffee clatch 4u
Big dawg7 Tuffnutz
roller Have7 Stinkbut
Mista Fr3k Iz allthut
Of course – we might get to a future without passwords:
http://wfnk.com/blog/2014/08/your-password-or-your-soul/
We already have fingerprint and iris scanners in use today. DNA scanners exist but aren’t quite small enough or fast enough to be a good replacement for passwording. But, they will be in the near future. I can’t say I prefer any of those over what we have now though – they would feel too much like an invasion of privacy. Gaining entry into a top secret facility, sure. But logging into your forum account or unlocking your phone? Ehhhh, no thanks.
It might make me miss passwords if every system required a piece of your DNA or Iris or fingerprint matched before authenticating.
But then again I like anonymity on the internet, or at least not a direct link back to your singular legal profile, which this would allow.
I bet the feds are already very interested in Apple’s fingerprint records on file.
I think this criticism is unfair. There is no proof that this hack had anything to do with iCloud (except maybe more should be done to remind users that photos exist in the cloud even after on-device deletion).
What if the user just used the same password everywhere and another website was compromised? What if it was a result of social engineering? Phishing? Key logging?
I just think there are too many equally plausible scenarios to single out Apple here.