Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Celeb Hack: Is Apple Telling All It Knows?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
dak3
dak3,
 User Rank: Moderator
9/4/2014 | 11:15:31 PM
Re: Spot on!
If you can prove that they don't remove them when you request, there's a big pay day ahead...
theb0x
theb0x,
 User Rank: Ninja
9/4/2014 | 9:25:16 PM
Re: Spot on!
Synced deletions or not you as client have no control of the replication of your files in a farm of data centers. They can claim your files are destroyed all they want but have no way of ever proving it to you.
GonzSTL
GonzSTL,
 User Rank: Ninja
9/4/2014 | 5:36:34 PM
Re: What should Apple do?
Simple. Bite the bullet and admit that there was no lockout feature, but they have remedied that oversight. Then, state that they are undergoing a thorough internal security assessment and independent audit of the iCloud service, to make sure that all configurations follow best practices (oh, how I hate that term). A sincere mea culpa will show that they have adult pants on and are willing to admit when they are wrong, and the assessment and audit will show that they are serious about security. That sure beats being outed by external sources and not even acknowledging it.
dak3
dak3,
 User Rank: Moderator
9/4/2014 | 5:12:16 PM
Re: Spot on!
Well, a backup solution (which is what this is) wouldn't be very good if it sync'd to all your deletions. But I'll agree there should be a way to edit, or remove, files from the backup...
theb0x
theb0x,
 User Rank: Ninja
9/4/2014 | 4:34:48 PM
Apples 2 Factor Authentication still a FAIL
I just wanted to point out the Apple 2 Factor Authentication does NOT protect iCloud Backups and can be installed with only an Apple ID and password. Access to iPhone backups can easily be obtained using malware or a phishing attack to steal the authentication token created by iTunes. This method does NOT require a password.


A verification code is not required to restore a iCloud backup to a new device. This is a major flaw that needs to be addressed by Apple and has been well known for over a year.

Even if all these Celebs had 2 factor authentication enabled, their iCloud backups and Photo Streams would still have been compromised.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
9/4/2014 | 4:17:44 PM
What should Apple do?
So Apple has clearly not impressed the Dark Reading community with its transparency over the celeb nude photo  hack. So what would it take for them to win you over?
Some Guy
Some Guy,
 User Rank: Moderator
9/4/2014 | 4:05:38 PM
Re: Spot on!
Sure it is. Apple just needs to make their iCloud users aware that there are two copies of every picture you stream and you have to delete both -- that's where the "deleted" pictures came from in this attack.
theb0x
theb0x,
 User Rank: Ninja
9/4/2014 | 4:02:22 PM
Re: Spot on!
That is not something Apple can fix or any other cloud service. It is impossible to confirm that when a file is 'deleted' from the cloud that it is actually destroyed. This is one of the major drawbacks to any cloud service.
Some Guy
Some Guy,
 User Rank: Moderator
9/4/2014 | 1:57:46 PM
Spot on!
I think you nailed them right between the eyes on this one. The other thing to mention is that some of the celebs talk about how they are seeing photos that they DELETED, and deleted a long time ago. Apple needs to fix that, too (even if it's just better user training on how photo streaming really works).

As for Apple's posturing on this, it's all PR. And PR, as we all know, is for when the truth just won't do.
GonzSTL
GonzSTL,
 User Rank: Ninja
9/4/2014 | 11:44:56 AM
Re: Great Article!
This whole situation is almost comical. First of all, I fail to understand why a lockout feature was not in place to mitigate a brute force attack on user credentials. That violates one of the oldest security practices established decades ago! This should have been handled at the configuration, testing, and audit phases of the rollout. Heads should roll on that one, I think. Next is the whole practice of storing that kind of personal information in the cloud without some form of strong authentication. What were they thinking? Then there's Apple's media release exculpating themselves. Really? No brute force protection - really? I realize that no organization is invulnerable, but certainly this event has tarnished Apple's brand, and their response did not help. Apple, step up to the plate and come up with something more than what you released to the media. At least admit that you did not have what should have been the minimum required protection for user credentials, instead of having it revealed by outsiders who did their own testing and proved that you did not have it in place at the time of the breach. To be clear, I am not here to bash Apple; I love and use their mobile devices, and will continue to do so. I just want a little transparency, especially in light of this event.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.