
Update to Celebrity Photo Investigation - ssclafani
http://www.apple.com/pr/library/2014/09/02Apple-Media-Advisory.html
======
karl_nerd
So I'd wager there'd be quite a few celebrity dick pics available too if
hackers wanted them. We know men like to send them unsolicited, and I'm sure
those celebrities had received more than a few. But there are none. And why?
Because those women were specifically targeted by people with a lot of
resources and patience. (It's important that they were targeted specifically
for being women.)

To all of you idiots blaming the victims out there right now "should have used
2fa, should have used stronger passwords":

1. You don't know if 2FA was in place, you don't know what strength the
passwords were.

2. Again: those women were highly targeted. Can you defend yourself if
someone takes a week/month long project to break into your phone? (Also this
was during Heartbleed and other big vulnerabilities.)

Come off your bullshit high horse. Don't blame the victims here.

~~~
iaw
Re: 1) 2FA wasn't in use by these individuals. If you read the Apple release
they not only neglect to mention 2FA as a source of the breach but actively
encourage users to sign up for it. If 2FA was in place I doubt that this
vector would have been successful.

That being said, I think the culpability is on Apple here as much as it is on
the individuals responsible for obtaining the links. Security questions were
never good security and companies need to start moving away from failed
models.

~~~
dpweb
Security questions are just horrible. 2FA is good, but these celebs have
people that handle their social media, so even if the technical leaks are
plugged, things would just move to social eng. tactics, bribe an assistant,
etc. Probably a number of people have a celeb's Twitter password.

Pretty worthless statement by APPL. "happens all the time", "not our fault",
etc. They should be called out for security questions in the 1st place if
that's what they use at all. Even after Sarah Palin, which was greatly
publicized. These companies learn nothing.

------
edent
So, basically find any celebrity interview where they state what school they
went to, their first pet, etc.

Exactly the same way that Sarah Palin's email was hacked -
[https://en.wikipedia.org/wiki/Sarah_Palin_email_hack](https://en.wikipedia.org/wiki/Sarah_Palin_email_hack)

------
vitamen
So "This is a very common attack on the Internet that we didn't do much to
protect you against by default"?

It's a pain setting up two step authentication across a lot of services, but I
guess iCloud is probably one that's worth the effort. Still I'd rather brute
force was not an option.

~~~
sp332
The recently fixed "find my phone" feature doesn't support two-factor auth
because, presumably, you can't find your phone to get the second factor.

------
modfodder
From what I've read on 4chan, Ars, Slashdot (indiv. comments, not articles)
and other sources, this wasn't one person hacking a group of celebs'
accounts, but a leak from an underground celeb nude trading ring that has
existed for a while. So multiple hackers over a long period of time, from
multiple sources.

link to one explanation:
[http://i.imgur.com/vnd0H9J.jpg](http://i.imgur.com/vnd0H9J.jpg)

------
nokiaman
The damage has been done, surely?

Headlines around the world are "iCloud hacked", "Apple hacking scandal", "Are
your photos safe on iCloud?" etc.

Meanwhile celebrities like Kirsten Dunst have described iCloud as a "piece of
shit" (a tweet with emoticons).

Timing is not great for Apple since they are supposed to be launching health
and payment related features for iOS in the next few days.

Question is, would Apple have responded so quickly if celebrities weren't
involved?

~~~
chez17
I'm sorry, but Apple was hacked. There are multiple layers to security. Even
the physical security of the building counts. If you have a terrible, easy to
crack security system like "What is your first pet's name?" and your customers
lose their data because of it, your system was hacked. Plain and simple.
Security isn't just blocking a port or an IP range, it's the entire, the
_entire_, system. Those "security questions" are very easy to find out,
therefore the system is insecure.

~~~
TheHypnotist
Don't most companies use this very same "insecure" system? 99% of the
population won't have this problem because not even some of your closest
friends know what street you grew up on or your mother's maiden name. If you
are going to use this information as part of your personal security, don't go
telling people. Because, duh, you might as well tell them your password.

~~~
bsilvereagle
Just because a lot of companies are using the system does not make it secure.

Many security-conscious people don't answer security questions truthfully
because the application of security questions is inherently insecure.

~~~
TheHypnotist
You're right. I guess I have too much faith in the average user to not pick a
question with a potentially obvious or easily discovered answer to it.

~~~
yojimbo311
I forget the term for it, but it's exactly like Terms and Conditions. Always
expect the user to solve any puzzle put to them using the least amount of
energy/effort. It's quite honestly not worth it to anyone to go through the
work of securing their information/data/whatever until it's actually genuinely
at risk or they have lost something in the past. Until then it's an impedance
and an annoyance that makes them very unhappy.

Once something like this happens it's impressive how much cognitive dissonance
there is behind the excuses those very same people make or their claims that
not enough was done to protect them. Don't get me wrong, these individuals
were horribly victimized and it's not ok, but we can't allow ourselves to be
satisfied by just blaming the company, especially if they otherwise provided
the tools that would have kept the account secure. We can only realistically
expect the companies we entrust our data to be responsible for making it
possible for us to secure our data and not leaking it through other systemic
failures. If we choose to shortcut it then it's our responsibility to learn
from that and do better next time. We can't blame anyone involved here for
doing what they should otherwise be motivated/expected to do. Apple provided
the tools to protect the accounts, and as far as we know didn't allow them to
be otherwise compromised. The victims set up their accounts in a way that they
could easily access/recover them in the future (honestly, it's now required to
remember around 20+ account passwords to manage our lives and it's only
getting worse) regardless if they knew the risks or not. Security education is
out there and it's as loud as we could hope to get it, people just won't
internalize it until the risk is tangible. We can demand that companies like
Apple, but it won't actually improve anything if people can't be bothered to
use them or more importantly find it WAY more inconvenient and seek ways to
bypass them in whatever way possible just to get them out of the way.

It's a shame that this is blowing up for Apple as if it's all Apple's fault,
but maybe some good can come from it.

------
flog
If I was in Hollywood right now I'd be offering high-price security
consultation services to teach celebs how to use 2FA.

~~~
dpeck
I've spent some time thinking about and talking about it with friends in the
security world before.

I think it's a good idea, but falls short in reality. Celebrities arguably
don't want it, you'd be a babysitter between them and their devices/APIs.
Something they'd likely hate and continuously undermine, especially when a
large part of their "job" is connectedness.

~~~
josu
> I think it's a good idea, but falls short in reality. Celebrities arguably
> don't want it, you'd be a babysitter between them and their devices/APIs.
> Something they'd likely hate and continuously undermine, especially when a
> large part of their "job" is connectedness.

If Entourage has anything to do with the real world, you could as well be
talking about their agents. And as far as I know, there is no celebrity
without an agent.

------
smacktoward
_> After more than 40 hours of investigation, we have discovered that certain
celebrity accounts were compromised by a very targeted attack on user names,
passwords and security questions, a practice that has become all too common on
the Internet._

_> None of the cases we have investigated has resulted from any breach in any
of Apple's systems including iCloud® or Find my iPhone._

Um... doesn't "a very targeted attack on user names, passwords and security
questions" count as a "breach in... Apple's systems"? A social engineering
hack is still a hack.

~~~
pseudonym
Is it still a social engineering hack if a well-known celebrity with their
personal info broadcast all over the internet decides to use that personal
info to secure their account? Or rather, is that a social engineering hack on
Apple, or the celebrity themselves?

And what should Apple do, in this situation? If your name shows up in
tabloids, don't allow you to answer certain security questions? Require 2FA if
your name is mentioned on Google more than a certain number of times?

I don't feel this is an Apple problem any more than it would be if someone
created their iCloud password and then posted it on their Twitter.

~~~
smacktoward
"Require 2FA for everybody, full stop" would do the trick.

The proposed solutions you outline all assume that "password + security
question" is only an insecure system for celebrities. But we have enough
experience by now to know it's an insecure system for everyone.

~~~
enraged_camel
>>"Require 2FA for everybody, full stop" would do the trick.

How do you require 2FA for the Find My iPhone application when the only
context for using that application is one in which your phone is lost?

~~~
aganders3
Most 2FA schemes give you some backup codes. I'm sure people use Find My
iPhone differently, but it's not unreasonable to expect it to be used
rarely. Once your device is back in-hand you could generate a few new backup
codes.
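The backup-code scheme the comment above describes, as an added example that is not Apple's code: codes are shown to the user once, stored only as salted hashes, redeemable exactly once, and regenerating a set invalidates the old one. The class and constant names are assumptions for the illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 8   # assumed set size
CODE_BYTES = 5   # 40 random bits -> 10 hex characters per code


def _hash_code(salt: bytes, code: str) -> bytes:
    # Keyed hash with a per-set salt; the plaintext code is never stored.
    # A slow KDF would be used in production; SHA-256 keeps the demo short.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


@dataclass
class BackupCodes:
    """One-time recovery codes usable when the second-factor device is gone."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    unused: set = field(default_factory=set)

    def generate(self, count: int = CODE_COUNT) -> list:
        """Issue a fresh set; every code from the previous set stops working."""
        self.salt = secrets.token_bytes(16)
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
        self.unused = {_hash_code(self.salt, c) for c in codes}
        return codes  # displayed to the user exactly once

    def redeem(self, code: str) -> bool:
        """Consume one code; presenting the same code again is rejected."""
        digest = _hash_code(self.salt, code.strip().lower())
        match = None
        # Scan the whole set so a hit and a miss take the same time.
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = BackupCodes()
    issued = store.generate()
    print("issued:", issued)
    print("first use:", store.redeem(issued[0]))   # True
    print("second use:", store.redeem(issued[0]))  # False
    print("left:", store.remaining())              # 7
```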

------
nedwin
At what point do tech companies start making two factor authentication
mandatory?

It's one thing to say "We tell our users to use two factor authentication -
it's their fault if they don't use it" but it's another to say "all user
accounts use two factor authentication to ensure security of their data".

------
tvon
> _After more than 40 hours of investigation, we have discovered that certain
> celebrity accounts were compromised by a very targeted attack on user names,
> passwords and security questions, a practice that has become all too common
> on the Internet._

So, the brute force attack with reasonable guesses at email addresses?

~~~
level
My guess would be that they found the address of someone with ties to a
celebrity, compromised their account through security questions, and then
found more personal information and iCloud accounts by going through the
contacts of each person they compromised.

That was my suspicion from the start: security questions tend to be the
easiest way to compromise accounts since finding someone's mother's maiden
name isn't hard to do anymore.

~~~
arrrg
I think it's quite easy to argue that when accounts are compromised because of
security questions whoever implemented those questions is at fault. They are a
convenient, if crap, way to secure accounts. Apple and everyone else have to do
better.

(I suppose the good news is that you can actually protect yourself from this.
However, how to protect themselves won’t reach most people, so in the big
picture this is cold comfort. I do think it’s the job of the platform owner to
make sure that users cannot easily leave themselves open to attacks. Most
people don’t know about security, the platform owner does.)

------
64mb
> "we have discovered that certain celebrity accounts were compromised by a
> very targeted attack on user names, passwords and security questions"

> "None of the cases we have investigated has resulted from any breach in any
> of Apple’s systems"

Don't these lines contradict each other?

~~~
induscreep
Answer: "Hack" was due to weak passwords and no 2-factor, not because of any
weakness in Apple's systems.

~~~
mbesto
> _Apple's systems_

Systems aren't just technical (software), they involve human beings, feedback
loops, interactions, etc. Apple's security systems are in fact weak, just not
weaker than the norm.

Actually I think the Apple press release was poorly worded. This in
particular:

> _None of the cases we have investigated has resulted from any breach in any
> of Apple’s systems_

There was indeed a breach in Apple's system, there just wasn't a system wide
breach that compromised _all_ accounts, just a select few.

------
julianpye
People have become so close with their smartphones that they entrust them with
more information than their friends know. In addition no brand is more loved
than Apple, with many celebrities being ambassadors to the brand. The brand is
planning to introduce new payment and health services next week.

For the average consumer two-factor-authentication means nothing, but they
will start distrusting Apple more and will be more careful with data. This
does not mean they will use more and better security. The average consumer
will just stop using some of these services.

~~~
csours
Nitpick: Ambassadors work in an Embassy.

~~~
kennywinker
[http://www.merriam-webster.com/dictionary/ambassador](http://www.merriam-webster.com/dictionary/ambassador)

> 2 a : an authorized representative or messenger

> b : an unofficial representative <traveling abroad as ambassadors of
> goodwill>

~~~
csours
Parent had ambassador spelled as embassador.

------
fjarlq
I'm still wondering if the Find My iPhone brute force bug was exploited.

Why doesn't Apple at least offer a bug bounty reward? Is it irresponsible that
they don't?

All they offer now, as far as I have found, is a mention on this web page:

[http://support.apple.com/kb/HT1318](http://support.apple.com/kb/HT1318)

And, does the fact that this bug made it into production suggest a lack of
internal security audits at Apple?

~~~
kennywinker
They specifically mention "Find My iPhone" as NOT the source. I'm not sure if
you missed that bit, or are you saying you don't believe them?

~~~
fjarlq
The way they worded it can be interpreted to mean that it is still a
possibility that the Find My iPhone bug was involved. And anyway, I'm still
wondering if it was exploited in this celeb pic scandal or other breaches we
haven't heard about yet, so I still have those questions.

------
philip1209
I had no idea that Apple supports two-step verification.

~~~
davis
[https://twofactorauth.org/#retail](https://twofactorauth.org/#retail) ;)

------
Torgo
It seems like it would be a feat to gather all the user IDs of these famous
people in the first place. I'm guessing there's a black market just for that?
I used to work on a service used by quite a few famous people; if anybody on
the project was unscrupulous, it would have been easy to pass those emails and
other personal information on to a hacker.

~~~
jgrahamc
If you can break into one person's account and get their contacts then you can
recurse from there. It's likely that one celebrity knows another and so on.

------
elliottpayne
2FA is no panacea. My yahoo account (only used for flickr) was compromised
with 2FA & 20+ character password.

~~~
learc83
How? Did you have another email account attached as a backup that was
compromised?

------
omfg
If anyone wants to setup 2FA for their Apple ID here's their support page on
it: [http://support.apple.com/kb/ht5570](http://support.apple.com/kb/ht5570)

~~~
64mb
_enables 2FA_ Apple: "Please wait 3 days to continue." Ugh.

~~~
duskwuff
Why "ugh"? Introducing a delay makes it much more difficult for an attacker to
use 2FA to lock a user out of a compromised account. It's actually a really
smart idea.

------
davis
Just a friendly reminder of the sites that support 2FA, Apple is on the list:
[https://twofactorauth.org/](https://twofactorauth.org/)

~~~
ToastyMallows
Wow thanks for the link, I didn't know half of these had 2 Factor
Authentication. Time to enable them all!

------
Quarrelsome
I'm confused. The description of the problem doesn't rule out an issue with
iBrute (targeted attack on usernames, passwords) but then they state it
wasn't an issue with iCloud or Find My iPhone.

Is this to suggest that it's social engineering or just a password reset job? I
don't otherwise see how an attack on usernames and passwords translates.

I guess the thing I'm really trying to figure out is that if it was iBrute (which
personally I would find an embarrassing failure) would they actually admit it?

~~~
culturestate
They seem to have specifically ruled it out later in the statement, as iBrute
was targeted at Find my iPhone:

> None of the cases we have investigated has resulted from any breach in any
> of Apple’s systems including iCloud® or Find my iPhone.

~~~
Quarrelsome
Understood. My second question then is just asking whether Apple have a
reputation for truthiness in this arena. I genuinely don't know, I'm asking.

~~~
sigzero
I think they have a pretty good record on owning up to something. It would
hurt them much much more to lie about it at this point.

~~~
DigitalJack
I'm curious what you base that on... that they own up to problems. I know it's
certainly not true with hardware issues. They may eventually fix it, but it's
rare that they'll comment on it.

------
ciiworldwide
Full investigation means full... Apple will clear this issue and do the
best... and do the full investigation... Ciiworldwide

------
curiousDog
Why not make 2FA mandatory?

~~~
LeoPanthera
Because not everyone has an iPhone.

~~~
davis
Not all 2FA requires an iPhone. Any phone with SMS will do.

~~~
Oletros
Any phone on a supported carrier.

------
pptr1
I am kinda sick of hearing about how celebs got hacked and how it is such a
big deal.

The media over hypes these things and really the celebs involved should have
used stronger passwords and/or 2 factor authentication. They should have known
better.

People get "hacked" this way tons of times by using weak passwords and/or
security questions. You'll never see that appear in the media.

The inequality here is the importance the media places on Kate Upton, Jennifer
Lawrence, etc. It's a waste of taxpayer money to get the "FBI" invoked. I see
it also as a waste for the government to chummy up with these "celebs". Some
of them are great entertainers no doubt, but what have they done to really
deserve the popularity they have?

Have they built something that tremendously improves people's lives? Are they
key decision makers on items that affect people? Yes Jennifer Lawrence is a
great actress but c'mon.

Stop giving importance to celebs by not reading news about them. Radaronline,
TMZ, etc.

~~~
com2kid
They are performing artists; how you feel about their contribution to society
is based upon how you feel about performing artists in general.

Is society enriched by the eloquence of humanity of ballet? Does humanity
prove itself to the universe when our best singers hold a pure note for a
brief moment in time? What impact does a movie exploring some aspect of the
human experience have upon the world?

Popular performing artists are popular because their performances bring some
amount of joy to people's lives.

