Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management
Comments
Celeb Hack: Is Apple Telling All It Knows?
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Robert McDougal
Robert McDougal,
 User Rank: Ninja
9/3/2014 | 2:22:05 PM
Great Article!
I agree 100%.  I think that when all is said and done Apple will regret this statement.  

It appears to me they are attempting to define a breach as an event that involves attackers gaining access to company servers.  So, in this case, since the attackers only gained access to individual accounts there wasn't a breach.  

In my opinion, if the accounts were compromised by bruteforce then your systems were breached.  A matter of semantics I suppose.
StuAllard
StuAllard,
 User Rank: Apprentice
9/3/2014 | 3:00:36 PM
Re: Great Article!
The fact that Apple is vehemently denying something is not true, is often the best indication that in fact, the opposite is true. In this case, however you twist it, Apple was hacked in a massive way, and they did bot block the hack.  Their reputation is tarnished and is only getting blacker by the denials. 

Celebs should get some security awareness training as well, stop uploading highly private pictures to the cloud, and start using 2-factor authentication combined with strong passwords.

Stu Sjouwerman

CEO, KnowBe4

www.knowbe4.com
aws0513
aws0513,
 User Rank: Ninja
9/3/2014 | 3:02:49 PM
Re: Great Article!
Yes...  Excellent article.

Apple did not satisfy me with their answer.

They responded with a statement that is, in its own way, a form of social engineering.

Those who are in the security industry would quickly smoke out the fact that Apple has not provided any evidence that they really were not at fault.  All I saw were statements of misdirection that many people would likely fall for.

Until Apple provides specific details on how the data was obtained, I will continue to hold them at fault.

IMHO, the only outs that Apple has at this point are
  • The victim(s) fell for some kind of MITM or phishing scheme.
  • The victim(s) shared their account credentials with other people in their entourage (a bad practice, but we know it happens).  Thus providing another vector for compromise of their account and data.
  • It is proven that the victim(s) released the data themselves as a form of self promotion.  Would not be the first case of such activity in Hollywood.
dak3
dak3,
 User Rank: Moderator
9/3/2014 | 3:15:06 PM
Re: Great Article!
A MITM attack isn't something the user can defend against, easily, but can be detected by the host/server - so that's Apple's bad.

 

Even a phishing attack which acquires credentials can suffer detection based on IP address (although it could be spoofed), another factor which a good risk-based authentication system would have caught.

 

-dave
GonzSTL
GonzSTL,
 User Rank: Ninja
9/4/2014 | 11:44:56 AM
Re: Great Article!
This whole situation is almost comical. First of all, I fail to understand why a lockout feature was not in place to mitigate a brute force attack on user credentials. That violates one of the oldest security practices established decades ago! This should have been handled at the configuration, testing, and audit phases of the rollout. Heads should roll on that one, I think. Next is the whole practice of storing that kind of personal information in the cloud without some form of strong authentication. What were they thinking? Then there's Apple's media release exculpating themselves. Really? No brute force protection - really? I realize that no organization is invulnerable, but certainly this event has tarnished Apple's brand, and their response did not help. Apple, step up to the plate and come up with something more than what you released to the media. At least admit that you did not have what should have been the minimum required protection for user credentials, instead of having it revealed by outsiders who did their own testing and proved that you did not have it in place at the time of the breach. To be clear, I am not here to bash Apple; I love and use their mobile devices, and will continue to do so. I just want a little transparency, especially in light of this event.
Some Guy
Some Guy,
 User Rank: Moderator
9/4/2014 | 1:57:46 PM
Spot on!
I think you nailed them right between the eyes on this one. The other thing to mention is that some of the celebs talk about how they are seeing photos that they DELETED, and deleted a long time ago. Apple needs to fix that, too (even if it's just better user training on how photo streaming really works).

As for Apple's posturing on this, it's all PR. And PR, as we all know, is for when the truth just won't do.
theb0x
theb0x,
 User Rank: Ninja
9/4/2014 | 4:02:22 PM
Re: Spot on!
That is not something Apple can fix or any other cloud service. It is impossible to confirm that when a file is 'deleted' from the cloud that it is actually destroyed. This is one of the major drawbacks to any cloud service.
Some Guy
Some Guy,
 User Rank: Moderator
9/4/2014 | 4:05:38 PM
Re: Spot on!
Sure it is. Apple just needs to make their iCloud users aware that there are two copies of every picture you stream and you have to delete both -- that's where the "deleted" pictures came from in this attack.
Marilyn Cohodas
Marilyn Cohodas,
 User Rank: Strategist
9/4/2014 | 4:17:44 PM
What should Apple do?
So Apple has clearly not impressed the Dark Reading community with its transparency over the celeb nude photo  hack. So what would it take for them to win you over?
theb0x
theb0x,
 User Rank: Ninja
9/4/2014 | 4:34:48 PM
Apples 2 Factor Authentication still a FAIL
I just wanted to point out the Apple 2 Factor Authentication does NOT protect iCloud Backups and can be installed with only an Apple ID and password. Access to iPhone backups can easily be obtained using malware or a phishing attack to steal the authentication token created by iTunes. This method does NOT require a password.


A verification code is not required to restore a iCloud backup to a new device. This is a major flaw that needs to be addressed by Apple and has been well known for over a year.

Even if all these Celebs had 2 factor authentication enabled, their iCloud backups and Photo Streams would still have been compromised.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.