Apple’s iCloud is secure; weak passwords and gullible users are not

“The week before a crucial launch of its new iPhone, Apple Inc said intimate photos of celebrities including Oscar-winner Jennifer Lawrence were leaked online through the apparent hacking of individual iCloud accounts,” Edwin Chan and Christina Farr report for Reuters.

“Apple rushed to restore confidence in its systems’ security, saying the celebrity photo scandal that also ensnared swimsuit model Kate Upton, actress Kirsten Dunst and possibly dozens more was the result of targeted attacks on accounts storing personal data and not a direct breach of Apple systems,” Chan and Farr report. “‘We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,’ Apple said in a statement. ‘None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find My iPhone.'”

“The celebrity hacking that came to light over the long Labor Day weekend nevertheless ranks among the highest-profile public fiascos for Apple in recent years. Regardless of how the leaking of nude celebrity photos actually happened, the timing could not have been worse for Apple as it prepares to launch a new iPhone next week,” Chan and Farr report. “Cybersecurity experts say the perpetrators possibly gleaned the celebrities’ email addresses and mounted a long-term phishing attempt – a relatively straightforward attack through which hackers gain access to users’ accounts by getting them to click on a compromised URL or Internet link.”

Read more in the full article here.

MacDailyNews Take: The problem, beyond those who click links in emails willy-nilly, is that too many people use one password for multiple services and weak passwords at that. Once hackers guess it, they then have access to all sorts of things: cloud storage, bank accounts, Facebook, Twitter, email, etc.

Regardless of the origination of these photo and videos, social engineering hacks can be thwarted, at least for iCloud. Use two-step verification for Apple ID to keep your personal information as secure as possible. More info here.

As we’ve written before: Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. When used properly, it works like a dream.

Related articles:
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

45 Comments

  1. Two step verification is being used to deflect the blame. The celebs are idiots for taking the photos in the first place.

    However, All vendors including Apple need to take privacy and notifying users of a potential hack seriously. I have never received an email when I typed the wrong password. How hard is it to give users the option to receive text and or email on every failed login attempt or an arbitrary number chosen by the user within a given time period selected by the user.

    Users are too trusting and do not take security seriously which I think is dumb but more importantly those who just blame users or recommend using complicated methods are self-promoting hacks who do not live in the real world.

    It is very simple to keep users informed and empowered to take the right action.

    Apple is the only company I trust to finally take this on and I bet Apple has been working on this to make sure iPay or whatever pay service is called will be world class secure.

  2. 1- Storing anything of value on a 3rd party server she you really do not need to is kind of stupid IMHO.
    2- My iCloud account and my Apple ID are completely different. Makes things a touch more complex to set up, but works better in the end.
    3- I will NOT be using Apple mobile payments any time in the near future until I am sure the style over substance crowd in Cupertino have finally done their homework. Apple’s track record of effed up web services is long and undistinguished.
    4- Isolate your bank accounts from internet accounts with a 3rd party service where you can insulate your exposure. Does not have to be Pay Pal, but it is an option. The new AmEx Serve looks promising at $1/ month as a place to put money as an intermediary between bank and internet commerce.

    If you are a movie star and can get extra dollars for doing nudity, why would you put crappy iPhone pix up on a cloud server? Jennifer Lawrence has now done nudity and she didn’t get paid for it. Anyone who wanted to see her nips has by now.

  3. My dad always says if one man makes it, another man can break into it.

    This is exactly what happened here.

    I would never put nude selfies or anything else that personal on any cloud storage service. Because then you’re placing your privacy in the hands of a computer and the corporation that runs it.

    Now the guy who was able to ‘hack’ iCloud is to blame here, but so are the celebrities themselves in part for even having those kinds of images on there. Perhaps now people will learn just how dangerous putting stuff like that on a cloud server, or anywhere on the internet for that matter, can be.

  4. Perhaps a compromise could be made in 2-factor authorization to only require such steps when using devices on ‘untrusted’/new access points. Sort of how my bank and credit card sites will have me authenticate myself using 2 or 3 means when I access their site from an unrecognized IP address (or maybe other device identifier).

  5. The headline is a contradiction.
    “Apple’s iCloud is secure; ” + “weak passwords and gullible users are not”

    How is iCloud secure, if it’s protecting gullible user’s accounts through their weak passwords?

    Not saying I know an easy solution – but at least I can identify the point of failure: the reliance on password.

    Many of you are pointing to two-step authentication. If that’s really the answer, then it should completely replace the password system that’s proven insecure too many times already. However, I have lingering doubts about two-factor. It’s not practical yet to expect everyone to have a phone and have it charged all the time – and even when I do have it, all those text message still annoy me for some reason. There’s got to be a better way…

  6. Security is there and sufficient for any user that cares about security, nothing more really needs to be done.

    If you care: In a reasonable priority order

    1) Enable long passwords on IOS (for your iPhone)
    2) Enable 2 step verification
    3) Have at least a 9 digit upper, lower, number and letter random password unique to iCloud.

    Now you can store moderately confidential data on iCloud

    Have very confidential data for the cloud, like dropbox

    Create a 256 bit encrypted file with Truecrypt (don’t worry about the alleged and totally unproven true crypt back door unless your a terrorist etc., no one will get through a properly encrypted Truecrypt folder see your stuff. Store that file with it’s encrypted content on the cloud with a password as described above.

    Theres really no excuse, if you have data you want protected take the time to learn how to do it correctly………

  7. I’m impressed… Really.

    I know people on MDN are fanatics but since this story of leaked pics came out it has reached a new level. Not a word about Apple’s failure but just stupid jokes and insults for the hacked celebrities. I can only smile when I imagine what the comments would have been if the same had happened with a Google service.

    I just want to remember you a few things…

    Apple products are designed to be easily used by everyone with no IT knowledge (I think nobody here contests that.). In short they are designed for people who don’t understand what a 2 step verification is and don’t give a shit about it.

    Many other services that are used on a daily basis don’t need a 2 step verification and are considered as decently secure (getting money from an ATM for example). How can these “non-technical users” guess that Apple hasn’t the same level of security?

    How is it possible to avoid that a non 2 step verification keeps secure? Simply by avoiding to use too stupid passwords on user side AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.

    So yes… If the technical aware user understood the absence of a brute force attack detection mechanism on server side it is his fault not to implement the 2 step verification process, but NO… Apple can’t hide behind that and say its services are secure and the user “should have known”.

    Apple is responsible for not having implemented a decent mechanism to detect a brute force attack. This is just a simple fact that no insult or stupid joke will change. Apple should correct this ASAP.

    1. dude you are another clueless troll.

      Apple already stated NONE of the people compromised was due to Apple security being breached. None were due to “Find My iPhone”.

      ” AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.”

      wow all caps emphasis! I’m impressed… WELL:

      APPLE LOCKS ID AFTER FIVE UNSUCCESSFUL PASSWORD ATTEMPTS.

      if an idiot makes password that can be breached under that is apple to be blamed? Like ONE try? slip your finger and you get locked out?
      How many tries do you suggest to stop so called ‘brute force’ attempts?

      “are considered as decently secure (getting money from an ATM for example)”
      are you trying deliberately to to be funny and ‘act’ stupid are you really just stupid?

      Dude there have been countless cases where LOST atm cards have been compromised (if the owner users a password like 1234) , fake cards (they place fake scanners at locations to pick up ATM passwords and then make their own cards. they are so common they have a name for them: ATM skimmers ) ETC ETC have been known.

      article:
      “a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution. This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM”

      Gizmodo:
      “When it comes to new and creative ways of pilfering personal financial data, ATM crime is enjoying something of a renaissance here in the US. In the past year alone, devices like skimmers have been found on POS machines, inside gas pumps, on ticket vending machines, and affixed to ATMs throughout Northern California and the rest of the country. In some cases, thieves have successfully made off with tens of thousands in cash and/or personal card data before anyone was the wiser.”

      1. Yeah yeah yeah…

        You hear something you don’t like and … Oh surprise… Insults again.

        I didn’t explain it but it seemed obvious that if ONE Apple service can be compromised like this, with users habit to use the same password everywhere other services are at risk… But anyway… Read this:

        http://www.iphonehacks.com/2014/09/celebrity-photo-leaks-attributed-vulnerability-icloud-service.html

        The interesting part here is:

        “The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.”

        == wow all caps emphasis! I’m impressed

        Looks like it worked well as you read only what was in upper case… So here the FULL sentence again (please ALSO read the first part):

        Simply by avoiding to use too stupid passwords on user side AND DETECTING A BRUTE FORCE ATTACK ON SERVER SIDE.

        Have you seen the little part about “stupid passwords”??

        I specifically targeted passwords like the “1234” you’ve mentioned which BTW are the only password that can be brute force cracked with an automatic lockout policy in place.

        And please… Don’t become (even more) silly… I mentioned the example of the ATM to show that the password itself can’t be craked easily by brute force. We all know about skimming and fishing but this has nothing to do with the subject discuss here.

        Grow up please and learn to have a decent talk. Being polite is also possible without being hidden behind a screen. Or you respond as an “educated” adult or you’ll be talking to an empty chair

        1. like I said are you REALLY stupid or pretending to be?

          that article is GUESSING from BEFORE apple did their investigation.
          your link says “the vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method””

          BUT:
          As apple has released today in an official statement after doing their checks:

          “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”

          (and I ALREADY told you this in my first post!!!)

          “Grow up please and learn to have a decent talk. ”

          wow…. like numerous fallacies, lack of comprehension and knowledge (about ATm cards etc) , didn’t do research like READ Apple’s statement and you say ‘grow up”

          lol.

          1. You’re a joke… A sad one but hey… It’s better than nothing.

            – The article tries to guess what happen but the flaws that were shown are real ones. And these flaws are a failure on Apple’s side. Like it or not… I don’t care. If Apple doesn’t fix its security problems then they are at risk of facing one scandal after the other… Not sure this is what you would want for your beloved brand.

            – Apple’s PR is not “the word of God”. Investigations (real ones) are still on their way… So let’s wait for the result to know exactly how these pics has been accessed.

            – It’s funny you talk about my “lack of knowledge”. It’s more than 15 years now I work to improve complexe infrastructure with sensible Data (like banks and hospitals)… What’s your CV? Writing angry rants on fanboy sites?

            And oh… Yes… I’m not interested in your pissing contest. So no more answer from me. Have a nice day

            1. after I caught you in numerous, NUMEROUS errors and showed you DID NOT EVEN READ APPLE’S STATEMENT ON THE INVESTIGATION before you started trolling — so rushed you were to jump on the hate, slavering at the mouth that words rushed out BEFORE passing through the cerebral cortex (what little there is).

              … (hey checking apple’s statement that’s KINDERGARTEN, nay nursery day care! level research!) : that no ‘brute force’ “Find My iPhone” flaw was involved in the celeb leaks you come back with a pitiful PITIFUL… attempt to weasel out (LOL!) of your idiotic oversights of it by arguing (although it’s shown it did NOT happen) .. “The article tries to guess what happen but the flaws that were shown are real ones….

              “Guess” is the key word! A guess which was proven wrong and EASILY shown by rudimentary research like READING the MDN article a posted before this that had the Apple statement! which you didn’t do but posted hate anyways…

              (hey have some GUTS dude and ADMIT you made an oversight by not reading apple’s statement , at least I’ll say even without brains you have some honour! but no.. weasel… weasel… )

              and any flaws that were there have been promptly patched.

              and people wonder why we shake our heads at apple hater trolls. sad.

            2. I forgot to address this earlier, another of your stupidities

              you say “Apple products are designed to be easily used by everyone with no IT knowledge”

              every new technology requires some investment in learning it, not doing so isn’t the fault of apple.
              it’s like the first automobiles, will you argue the same way if the first users smashed their cars and said ” I don’t freaking want to learn how to use brakes!! my HORSE didn’t have brakes! ”

              If the auto was BUILT by APPLE you’ll argue “the drivers are right!, automobiles should be used by people with none, not a smidgin, nada mechanical knowledge. It’s all apple’s fault, they should design it so that people needn’t learn something new like brakes. shame on that fruit company”.

              see how dumb your arguments are?

    2. Where is the proof, that these photos came from iCloud?

      Did you realize the photos were taken with Android devices as well, which are NOT connected to iCloud in any way at all?

      It is again bashing, because jealous users of less secure and cheaper shit need to troll a lot.

      Of course the iCloud isn’t 100% secure, but where is the proof these images are taken from iCloud? Tell me, come on.
      Pointing your finger is very easy. And when we point our fingers on Google, it is because they are selling our data, which we did not allow AND we struggle to avoid that Google collects them when we are surfing.

      If you are not capable of understand the differences here, you got a lot to learn.

    3. A long secure password and preventing brute force attack on the server side are both completely useless at stopping a phishing attack.

      So that’s a problem – your suggestion is utterly ineffective against one of the most common methods of hijacking an account.

      I don’t conclusively know if these photos were stolen using phishing, but that is likely given what’s known about the incident.

      (ATM’s are a good example of two-factor authentication, by the way, requiring both a memorized pin and a physical ATM card to verify an identity)

  8. It appears this access to the celeb’s photo account in iCloud occurred in the background pipeline between the user’s computer and the iCloud photo server.

    Basically, every time the photo app on the iOS device or Mac/PC contacts the iCloud photo server to transfer a photo, it authenticates in the background using the credentials stored on the user’s device. The fault on Apple’s part was in not implementing the same threshold failure limit on its background authentication process that it places on direct user authentication, where three failed attempts usually locks you out.

    So, once the hackers had the Apple IDs of the targeted users, and the Apple server names/IP addresses of the iCloud photo servers, all they had to do was set up a computer to run the script pretending to be a user’s computer trying to login to transfer photos. The easier the user’s password, the fewer iterations needed to get the correct one to login.

    So, technically no security breach occurred, since real credentials were used, but Apple still messed up by not setting a threshold failure limit on its background authentication process.

    1. No, they did not use the photo system. They literally changed the users passwords by researching the celebrities backgrounds and answering their security questions. Once they changed the passwords, they had access to download the photographs and videos. Simple. Security questions that are obscure information for average citizens are fodder for fanzine biographies. “What was your first car?” and “Where did you go to high school?” are easily learned about famous actors but not so easy about nobodies. . . some fanzines will even list their childhood pet’s name. That’s how the breech was accomplished.

      1. for simple security questions like high school, i either use a fake name or if I think I’ll forget, I use the real name but add a code like 242424 attached to the name (same numbers all the time easy to remember). Not full proof but better than nothing and I think sufficient for denial due to wrong password to kick in.

  9. Hey stupid Androids, I just took some shots of my naked girlfriend (she is super hot, looks like Chloe Moretz, more curves!) with my iPhone and synced it to the iCloud.

    Could you trolls do me a favor, HACK IT PLEASE and post them on Facebook or here or …. and you get 100k$ for sure…

    Otherwise you proofed that you do not believe everything that is written on the internet 😉

    Being compromised does not mean that everybody else is, being stupid does not mean the whole world is stupid AND being a Celeb does not mean you are not human or do things you might regret.

    But outlining the weaknesses of others, if those weaknesses are not really infringing somebody else, is just a proof of your own despair.
    Think different, get a life, do some good, enjoy life while you can.
    And maybe you begin to help sick and starving people instead of bashing Apple.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.