Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Celeb Hack: Is Apple Telling All It Knows?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dak3
50%
50%
dak3,
User Rank: Moderator
9/4/2014 | 11:15:31 PM
Re: Spot on!
If you can prove that they don't remove them when you request, there's a big pay day ahead...
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 9:25:16 PM
Re: Spot on!
Synced deletions or not you as client have no control of the replication of your files in a farm of data centers. They can claim your files are destroyed all they want but have no way of ever proving it to you.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/4/2014 | 5:36:34 PM
Re: What should Apple do?
Simple. Bite the bullet and admit that there was no lockout feature, but they have remedied that oversight. Then, state that they are undergoing a thorough internal security assessment and independent audit of the iCloud service, to make sure that all configurations follow best practices (oh, how I hate that term). A sincere mea culpa will show that they have adult pants on and are willing to admit when they are wrong, and the assessment and audit will show that they are serious about security. That sure beats being outed by external sources and not even acknowledging it.
dak3
50%
50%
dak3,
User Rank: Moderator
9/4/2014 | 5:12:16 PM
Re: Spot on!
Well, a backup solution (which is what this is) wouldn't be very good if it sync'd to all your deletions. But I'll agree there should be a way to edit, or remove, files from the backup...
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 4:34:48 PM
Apples 2 Factor Authentication still a FAIL
I just wanted to point out the Apple 2 Factor Authentication does NOT protect iCloud Backups and can be installed with only an Apple ID and password. Access to iPhone backups can easily be obtained using malware or a phishing attack to steal the authentication token created by iTunes. This method does NOT require a password.


A verification code is not required to restore a iCloud backup to a new device. This is a major flaw that needs to be addressed by Apple and has been well known for over a year.

Even if all these Celebs had 2 factor authentication enabled, their iCloud backups and Photo Streams would still have been compromised.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/4/2014 | 4:17:44 PM
What should Apple do?
So Apple has clearly not impressed the Dark Reading community with its transparency over the celeb nude photo  hack. So what would it take for them to win you over?
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/4/2014 | 4:05:38 PM
Re: Spot on!
Sure it is. Apple just needs to make their iCloud users aware that there are two copies of every picture you stream and you have to delete both -- that's where the "deleted" pictures came from in this attack.
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 4:02:22 PM
Re: Spot on!
That is not something Apple can fix or any other cloud service. It is impossible to confirm that when a file is 'deleted' from the cloud that it is actually destroyed. This is one of the major drawbacks to any cloud service.
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/4/2014 | 1:57:46 PM
Spot on!
I think you nailed them right between the eyes on this one. The other thing to mention is that some of the celebs talk about how they are seeing photos that they DELETED, and deleted a long time ago. Apple needs to fix that, too (even if it's just better user training on how photo streaming really works).

As for Apple's posturing on this, it's all PR. And PR, as we all know, is for when the truth just won't do.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/4/2014 | 11:44:56 AM
Re: Great Article!
This whole situation is almost comical. First of all, I fail to understand why a lockout feature was not in place to mitigate a brute force attack on user credentials. That violates one of the oldest security practices established decades ago! This should have been handled at the configuration, testing, and audit phases of the rollout. Heads should roll on that one, I think. Next is the whole practice of storing that kind of personal information in the cloud without some form of strong authentication. What were they thinking? Then there's Apple's media release exculpating themselves. Really? No brute force protection - really? I realize that no organization is invulnerable, but certainly this event has tarnished Apple's brand, and their response did not help. Apple, step up to the plate and come up with something more than what you released to the media. At least admit that you did not have what should have been the minimum required protection for user credentials, instead of having it revealed by outsiders who did their own testing and proved that you did not have it in place at the time of the breach. To be clear, I am not here to bash Apple; I love and use their mobile devices, and will continue to do so. I just want a little transparency, especially in light of this event.
Page 1 / 2   >   >>


Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
US Sets $5 Million Bounty For Russian Hacker Behind Zeus Banking Thefts
Jai Vijayan, Contributing Writer,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19719
PUBLISHED: 2019-12-11
Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via the embeddedAuthRedirect page.
CVE-2019-19720
PUBLISHED: 2019-12-11
Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() function in flex.c via a crafted BASIC source file.
CVE-2019-19707
PUBLISHED: 2019-12-11
On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware through 6.0), denial of service can occur via PROFINET DCE-RPC endpoint discovery packets.
CVE-2019-19708
PUBLISHED: 2019-12-11
The VisualEditor extension through 1.34 for MediaWiki allows XSS via pasted content containing an element with a data-ve-clipboard-key attribute.
CVE-2019-19709
PUBLISHED: 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when editing that page.