Comments
Apple Not Hacked In Celebrity Nude Photo Breaches
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
9/5/2014 | 4:08:44 AM
Re: the responsibility is on the user
Regarding the incident, despite Apple's denial of any exploitation of the mentioned flaw, we must be conscious that the vulnerability was anyway present at the time of the attack.

I'm afraid the hack is much more extended and may have impacted many other Apple users. Not only celebrities are exposed to such risks. No matter if you are a manager or a common individual, your data are a precious commodity in the cybercrime ecosystem. For this reason, it is important to know the main cyber threats and the principal mitigation practices. This could be just the beginning.

I think that all principal storage service providers are under attack and need to improve their security by implementing further countermeasures.
the5thHorseman
50%
50%
the5thHorseman,
User Rank: Apprentice
9/4/2014 | 6:57:45 PM
Just a thought...
Call me crazy, but here's a thought... DON'T TAKE NAKED PICTURES OF YOURSELF WITH YOUR PHONE! So far, I've read lots of technical explanations for how this dastardly deed could have been perpetrated, yet no one has pointed out the obvious; if you are a celebrity, you are a target. Whether it's the National Enquirer, Russian techno-perverts or horny teenagers in Somalia... accounts owned by celebrities are always going to be ransacked. The real question is, ESPECIALLY in lieu of the terrifying data provided by Eric Snowden proving beyond ANY doubt that cell phones, and almost anything else with a power cord, are absolutely 150% compromised, "What kind of idiot takes naked pictures of themselves with their cell phones"? It takes a special kind of stupid to do that, and somehow not expect to see yourself on every porn site on the net by sundown. Apple does need to own its responsibility for its screen door security policies, but let's not lose sight of the fact that if you weren't taking dirty pictures of yourself in the first place, you wouldn't be in the predicament. That's the responsibility to be owned by our celebrity "victims". Maybe they should consult with Brett Favre regarding image damage control related to cellular phone services. I'm sorry, once everybody lawyers up and the lawsuits start flying, I don't think Apple should have to pay damages to celebrity morons participating in questionable behaviors...
TomM234
50%
50%
TomM234,
User Rank: Apprentice
9/4/2014 | 3:29:15 PM
Secure Camera on nCrypted Cloud
Thank you for mentioning us.
We do way more than protect naked photos, but since that is the discussion, you can use our "secure camera" to take photos on iOS devices (ANDROID COMING).

The photos do NOT go into the standard camera roll but into an encrypted camera roll.

The photos are encrypted using 256 bit AES zip files as an enveloping technology.

Want to share those naked photos with someone?  No problem we do it seamlessly.

Want to revoke that person's access (even after they sync it to other machines)? No problem, we take care of it.
Try us www.ncryptedcloud.com
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
9/3/2014 | 2:16:45 PM
Re: the responsibility is on the user
Unfortunately, I did not document my efforts.  However, it appears that some people in this reddit thread had the same testing experience that I did myself.

https://www.reddit.com/r/netsec/comments/2f5eyl/appleid_password_unlimited_bruteforce_p0c/
GonzSTL
100%
0%
GonzSTL,
User Rank: Ninja
9/3/2014 | 11:32:33 AM
Re: the responsibility is on the user
That is interesting. Based on your own testing, it is evident that at the time of the breach, there was no lockout provision in a brute force attack mitigation strategy. That in itself violates well known security practices. Also interesting is that Apple claims a two-step verification process, as stated in their media advisory, would protect users from this type of attack. Are they deliberately misleading the public? If you have documented information regarding the test results that you conducted personally, perhaps you should make that more public, to clarify the situation. There has to be transparency somewhere, right?

Although I am not a huge fan of Apple products in the enterprise, I do love their mobile devices. Also, I prefer not to use iCloud because cloud services in general scare the daylights out of me. I suppose this event justifies that reservation.
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
9/3/2014 | 11:09:47 AM
Re: the responsibility is on the user
A couple of points.

Firstly, I am highly disappointed with Apple's stance on this issue. This IS a breach of their iCloud service. Over the weekend I did testing on my own iCloud account using this Python script. I had a word list of 1000 passwords and buried my password at the end of the list. The script was initially able to find my password, but later in the day on Sunday the script was halted after 10 tries. From my testing it appears there was indeed a flaw that Apple quietly patched over the weekend.

Secondly, Apple's two factor authentication does not protect your iCloud backup. Currently, Apple's two factor authentication only protects My Apple ID sign-ins and purchases from the App Store.
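The two comments above (Robert McDougal's test that stopped after 10 tries once a fix was in place, and GonzSTL's point that a service without a lockout provision violates well-known practice) describe the control from the outside. The block below is an added illustration of that control from the defender's side; it is not code from the original thread, from Apple, or from the script the commenter used. It models a password-verification service with a per-account failed-attempt counter that locks the account after a threshold, and a small harness that confirms the lockout halts a dictionary run against a local, in-memory account. The threshold of 10 attempts, the 15-minute lockout window, the account names, the guess list and the low PBKDF2 iteration count are all constructed assumptions for the demo.

```python
"""Per-account failed-login lockout, as a defender-side illustration.

Constructed example: the user store, the guess list, the threshold of 10
attempts and the 15-minute lockout are assumptions for the demo, not any
vendor's implementation.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10     # assumed threshold for the demo
LOCKOUT_SECONDS = 15 * 60    # assumed lockout window for the demo
PBKDF2_ITERATIONS = 1_000    # kept low so the demo runs quickly; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # monotonic timestamp; 0.0 means not locked


class AuthService:
    """Verifies passwords and locks an account after too many consecutive failures."""

    def __init__(self, lockout_enabled: bool = True, clock=time.monotonic):
        self.lockout_enabled = lockout_enabled   # False models the pre-fix behaviour
        self.clock = clock                       # injectable so lockout expiry can be tested
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[str] = []           # what a detection pipeline would consume

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"   # same answer as a wrong password: no account enumeration
        now = self.clock()
        if self.lockout_enabled and now < acct.locked_until:
            self.audit_log.append(f"{user}: attempt while locked")
            return "locked"    # even a correct password is refused during the window
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        self.audit_log.append(f"{user}: failed attempt {acct.failed_attempts}")
        if self.lockout_enabled and acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.audit_log.append(f"{user}: locked for {LOCKOUT_SECONDS}s")
            return "locked"
        return "invalid"


def guessing_run(service: AuthService, user: str, guesses: list[str]) -> tuple[str, int]:
    """Feed guesses to the service until it answers 'ok' or 'locked'.

    Returns (outcome, number of attempts made). Used here only to verify that the
    lockout control actually stops a run against the local in-memory account.
    """
    attempts = 0
    for guess in guesses:
        attempts += 1
        outcome = service.login(user, guess)
        if outcome in ("ok", "locked"):
            return outcome, attempts
    return "exhausted", attempts


def demo(lockout_enabled: bool) -> tuple[str, int]:
    """Constructed scenario: 999 wrong guesses followed by the real password."""
    svc = AuthService(lockout_enabled=lockout_enabled)
    svc.register("alice", "correct horse battery staple")
    guesses = [f"wrong-guess-{i}" for i in range(999)] + ["correct horse battery staple"]
    return guessing_run(svc, "alice", guesses)


if __name__ == "__main__":
    print("without lockout:", demo(lockout_enabled=False))   # ('ok', 1000)
    print("with lockout:   ", demo(lockout_enabled=True))    # ('locked', 10)
```

Two design points worth noting: the lockout check runs before the password comparison, so a correct password is refused during the window just like a wrong one, and every failure and lock event is written to an audit list so the same counter that enforces the control also feeds detection. Per-account lockout on its own is not the whole answer (it can be turned into a denial of service against a known account), so production systems usually pair it with per-source rate limiting and a second factor, which the next comment points out does not cover every iCloud surface.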
GonzSTL
0%
100%
GonzSTL,
User Rank: Ninja
9/3/2014 | 9:00:02 AM
Re: the responsibility is on the user
It never ceases to amaze me how little effort people put into protecting themselves or their privacy. Two Factor Authentication (2FA) is available in Apple's iCloud service, and I believe none of those celebrities took advantage of that security measure. The reason probably lies in their mistaken belief that having a password is enough to secure their accounts. So it comes down to how much they want to protect their privacy, and how they balance that desire with the complexity of a secure configuration. It really is a personal risk analysis. Do they want the "hassle" of remembering a complex password and on top of that, a second authentication factor to protect their privacy, or risk exposure? Well I am willing to bet that a lot more people are opting for that 2FA now! I view this as a microcosm of the security environment of organizations. How many organizations out there are complacent on their security? It usually takes a breach in their industry before they take notice and scramble to enforce rigid security.
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
9/3/2014 | 7:44:43 AM
Re: the responsibility is on the user
@Bkosh I suspect a lot of Hollywood publicists and attorneys are adding internet privacy protection to their resumes and job descriptions. 
bkosh
50%
50%
bkosh,
User Rank: Apprentice
9/2/2014 | 7:35:26 PM
the responsibility is on the user
There is a secure camera feature for iPhones that anyone can use and it works with Dropbox free. A company called nCrypted Cloud developed this for federal law enforcement and healthcare providers who need to protect photos of patients. But celebrities or anyone who needs privacy in the cloud can access it. Perhaps celebrities need to make privacy not just publicity someone's job and learn about these tools?