Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Celeb Hack: Is Apple Telling All It Knows?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dak3
50%
50%
dak3,
User Rank: Moderator
9/4/2014 | 11:15:31 PM
Re: Spot on!
If you can prove that they don't remove them when you request, there's a big pay day ahead...
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 9:25:16 PM
Re: Spot on!
Synced deletions or not you as client have no control of the replication of your files in a farm of data centers. They can claim your files are destroyed all they want but have no way of ever proving it to you.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/4/2014 | 5:36:34 PM
Re: What should Apple do?
Simple. Bite the bullet and admit that there was no lockout feature, but they have remedied that oversight. Then, state that they are undergoing a thorough internal security assessment and independent audit of the iCloud service, to make sure that all configurations follow best practices (oh, how I hate that term). A sincere mea culpa will show that they have adult pants on and are willing to admit when they are wrong, and the assessment and audit will show that they are serious about security. That sure beats being outed by external sources and not even acknowledging it.
dak3
50%
50%
dak3,
User Rank: Moderator
9/4/2014 | 5:12:16 PM
Re: Spot on!
Well, a backup solution (which is what this is) wouldn't be very good if it sync'd to all your deletions. But I'll agree there should be a way to edit, or remove, files from the backup...
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 4:34:48 PM
Apples 2 Factor Authentication still a FAIL
I just wanted to point out the Apple 2 Factor Authentication does NOT protect iCloud Backups and can be installed with only an Apple ID and password. Access to iPhone backups can easily be obtained using malware or a phishing attack to steal the authentication token created by iTunes. This method does NOT require a password.


A verification code is not required to restore a iCloud backup to a new device. This is a major flaw that needs to be addressed by Apple and has been well known for over a year.

Even if all these Celebs had 2 factor authentication enabled, their iCloud backups and Photo Streams would still have been compromised.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
9/4/2014 | 4:17:44 PM
What should Apple do?
So Apple has clearly not impressed the Dark Reading community with its transparency over the celeb nude photo  hack. So what would it take for them to win you over?
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/4/2014 | 4:05:38 PM
Re: Spot on!
Sure it is. Apple just needs to make their iCloud users aware that there are two copies of every picture you stream and you have to delete both -- that's where the "deleted" pictures came from in this attack.
theb0x
50%
50%
theb0x,
User Rank: Ninja
9/4/2014 | 4:02:22 PM
Re: Spot on!
That is not something Apple can fix or any other cloud service. It is impossible to confirm that when a file is 'deleted' from the cloud that it is actually destroyed. This is one of the major drawbacks to any cloud service.
Some Guy
50%
50%
Some Guy,
User Rank: Moderator
9/4/2014 | 1:57:46 PM
Spot on!
I think you nailed them right between the eyes on this one. The other thing to mention is that some of the celebs talk about how they are seeing photos that they DELETED, and deleted a long time ago. Apple needs to fix that, too (even if it's just better user training on how photo streaming really works).

As for Apple's posturing on this, it's all PR. And PR, as we all know, is for when the truth just won't do.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
9/4/2014 | 11:44:56 AM
Re: Great Article!
This whole situation is almost comical. First of all, I fail to understand why a lockout feature was not in place to mitigate a brute force attack on user credentials. That violates one of the oldest security practices established decades ago! This should have been handled at the configuration, testing, and audit phases of the rollout. Heads should roll on that one, I think. Next is the whole practice of storing that kind of personal information in the cloud without some form of strong authentication. What were they thinking? Then there's Apple's media release exculpating themselves. Really? No brute force protection - really? I realize that no organization is invulnerable, but certainly this event has tarnished Apple's brand, and their response did not help. Apple, step up to the plate and come up with something more than what you released to the media. At least admit that you did not have what should have been the minimum required protection for user credentials, instead of having it revealed by outsiders who did their own testing and proved that you did not have it in place at the time of the breach. To be clear, I am not here to bash Apple; I love and use their mobile devices, and will continue to do so. I just want a little transparency, especially in light of this event.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/1/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8937
PUBLISHED: 2020-06-01
Lexiglot through 2014-11-20 allows denial of service because api/update.php launches svn update operations that use a great deal of resources.
CVE-2014-8938
PUBLISHED: 2020-06-01
Lexiglot through 2014-11-20 allows local users to obtain sensitive information by listing a process because the username and password are on the command line.
CVE-2014-8939
PUBLISHED: 2020-06-01
Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (full path) via an include/smarty/plugins/modifier.date_format.php request if PHP has a non-recommended configuration that produces warning messages.
CVE-2014-8940
PUBLISHED: 2020-06-01
Lexiglot through 2014-11-20 allows remote attackers to obtain sensitive information (names and details of projects) by visiting the /update.log URI.
CVE-2014-8941
PUBLISHED: 2020-06-01
Lexiglot through 2014-11-20 allows SQL injection via an admin.php?page=users&from_id= or admin.php?page=history&limit= URI.