Hot Celebrity? Stash of SELFIES where you're wearing sweet FA? Get 2FA. Now

Apple has denied any compromise of its systems in relation to this weekend's nude celebrity photo dump. The company said that none of its iCloud or Find My iPhone databases were breached in the attack, which resulted in the release of nude photos of a number of prominent actresses and models. "After more than 40 hours of …

  1. Buzzword

    Two-factor auth for Find My iPhone?

    Two-factor authentication typically relies on a separate secure channel, such as SMS or a telephone call. If you're using Find My iPhone, it's because you've lost your iPhone, so that second channel isn't available to you.

    1. Oninoshiko

      Re: Two-factor auth for Find My iPhone?

The phone call could be to a real phone. Some of us Luddites do still have those, you know.

      1. Anonymous Coward
        Trollface

        Re: Two-factor auth for Find My iPhone?

Why, I remember way back when everyone had a landline phone.... See, back then, Ike was in office and we all felt that the commies would win unless every American family owned its own phone and did business with a monolithic company we all used to call Ma Bell for some reason!! Them was the good ol' days, when a man could get java for a dime and he didn't need to know Italian just to let the bartender know what size cup he wanted!! And don't get me started about TV! Why, TV went south when they took Donna Reed off the air!!

      2. Anonymous Coward
        Anonymous Coward

        Re: Two-factor auth for Find My iPhone?

Apple's 2FA is a joke. Microsoft and Google hate each other, but their authenticator apps are cross-compatible, and both support 3rd parties like Dropbox. So no, you don't have to use the same Android/WP device you make calls on. You can even use Google's app on your iPod, iPad, or an iPhone instead--again, to authorize either an MS or Google account. Why isn't Apple willing to join in? And why does it take, what is it, 2 days for Apple to authorize the activation of 2FA? You're vulnerable that whole time. And then you activate it by clicking a link received by email?!?

        I'm not here to say I predicted this failure, but it's been clear for several years that they aren't taking the threat seriously. I greatly fault them for refusing to cooperate with those who have already solved the problem they're having now. Nobody is an enemy when it comes to protecting your clients.

      3. a53

        Re: Two-factor auth for Find My iPhone?

        and if you don't have a "real phone" ?

        1. Mike Bell

          Re: Two-factor auth for Find My iPhone?

          and if you don't have a "real phone" ?

          Information is listed here. It would seem that you have the option of registering any SMS-capable phone as one of your trusted devices as part of setting up 2-factor authentication.

        2. Anonymous Coward
          Anonymous Coward

          Re: Two-factor auth for Find My iPhone?

Or better, how many phones do you have to carry around to use real 2FA?

    2. bigtimehustler

      Re: Two-factor auth for Find My iPhone?

I guess then when you enable two-factor authentication you're also one of these people who ignores all the warnings to save the backup codes they tend to provide when you enable two-factor for just such a time, so you have to ring up support and tell them you didn't bother saving them.

    3. Matt Bryant Silver badge
      Joke

      Re: Buzzword Re: Two-factor auth for Find My iPhone?

"....If you're using Find My iPhone, it's because you've lost your iPhone....." This is the new Apple growth plan - their new iAuthenticator (TM) app, which requires the purchase of a second iPhone!

    4. big_D Silver badge

      Re: Two-factor auth for Find My iPhone?

Using a smartphone as a second factor is silly, especially as, more and more, you are authorising services on the phone!

I use a YubiKey with a few services now. Either plug it into your PC to get the second factor or hold it to the NFC reader on the phone... Okay, it won't work with the iPhone, but with most mid- and high-end Android and Windows Phone devices from the last couple of years it works a treat.

    5. Mike Bell

      Re: Two-factor auth for Find My iPhone?

      Two-factor authentication typically relies on a separate secure channel, such as SMS or a telephone call. If you're using Find My iPhone, it's because you've lost your iPhone, so that second channel isn't available to you.

When I've seen Apple's 2-factor authentication swing into action - e.g. when changing passwords, once enabled - you may use any authorised device, which may be an iPad or iMac, as the source of the acknowledgment.

  2. Old Handle

    I'm not impressed much by this response. Yeah technically Apple wasn't hacked, but allowing unlimited login attempts with no timeout is pretty indefensible for anything serious.

    1. Steven Raith

      This is pretty much my take on it - having no rate limiting on the API seems, frankly, a bit bonkers given what it potentially gives access to.

      Is there a technical reason why the API shouldn't be rate limited? Serious question!

      Steven R

      1. Anonymous Coward
        Anonymous Coward

        Nudey Pics => Publicity => Paid Interviews => $£€£$€

So B-list celebs take nudey pics and then upload them to publicly accessible websites using easily guessed IDs and commonly used passwords? What did they think was going to happen? So they get a mention in the tabloids and a little added notoriety? They make their living by being in the public consciousness...

    2. Steven Roper

      I'm just... gobsmacked... that system designers aren't limiting login attempts by default without even thinking about it.

      Way back in the early 80s, when banks first started introducing ATMs, it was made very clear that if you got your PIN wrong 3 times the machine keeps your card. And in high school in 1983 on the old BBC Micro network (remember the old *I AM NAME and *PASSLOOK anyone?) 3 failed login attempts locked your account and you had to go and see the teacher to reset it.

      Ever since then, I've always designed systems to lock an account after 3 failed login attempts, believing this to be industry standard practice. That it clearly now is not is utterly unbelievable, not to mention stupendously irresponsible. I say that any systems engineer designing a system without a failed-login lockout condition should be charged with criminal negligence.

      1. dan1980

        @Steven Roper

        Would you believe my school was still using those in 1993?*

        Locking out user accounts after 3 unsuccessful attempts is a pretty blunt response and can result in unnecessary support overhead for the provider, not to mention irate users/customers. Yes, it's their fault and for their own good but when has that ever stopped someone complaining?

        A better solution - at least for normal accounts - is to put delays on the logins after unsuccessful attempts. If I was designing a system, I'd allow 2-3 attempts and then have an increasing time out applied - starting with 15 seconds. Depending on the type of service you might then put a lock-out after 10 or more attempts in a short space of time.

Again, depending on the service, this might be a timed lock-out - say 30 minutes. If this gets hit too much, you can have stronger lock-outs that require intervention to resolve.

        You could also make it so that it has separate timers per IP and can track when multiple attempts are made from different IPs in a short space of time, indicating potential access by a botnet.

        Going more advanced, you can add a notification system that sends an e-mail or SMS to the owner of the account when there have been X amount of attempts.

The point is that the options are numerous and very flexible, so there is even less excuse not to implement at least something. None of the above options are in any way new - all are in use and any vendor supplying the type of service that Apple are will have a development team who are more than capable of implementing any combination of these measures.

        * - Actually, through to 1997 . . .
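The scheme dan1980 lays out above (a few free attempts, an escalating delay starting at 15 seconds, a timed 30-minute lock-out after 10 failures in a short window, separate per-IP timers, and an owner notification after X attempts or when the attempts arrive from several addresses), worked through as an added Python example. This is not code from the thread, from Apple, or from any vendor; the window length, the notification threshold, the "several addresses" count and the per-IP ban threshold are values chosen here and labelled as assumptions in the comments.

```python
"""Login throttling along the lines dan1980 sketches in the comment above.
Added illustration for this thread, not Apple's code.  The clock is injected
so the policy can be exercised deterministically without sleeping."""
import time
from collections import defaultdict, deque

FREE_ATTEMPTS = 3            # dan1980: "allow 2-3 attempts"; 3 chosen here
BASE_DELAY = 15              # seconds; dan1980's starting delay, doubled per failure
LOCKOUT_THRESHOLD = 10       # dan1980: lock-out after 10 or more attempts
WINDOW = 60 * 60             # "a short space of time": one hour (assumption)
LOCKOUT_SECONDS = 30 * 60    # dan1980: timed lock-out of 30 minutes
NOTIFY_AFTER = 5             # dan1980's "X amount of attempts": 5 (assumption)
DISTRIBUTED_IPS = 3          # alert when failures come from this many IPs (assumption)
IP_BAN_THRESHOLD = 20        # failures from one IP across any accounts (assumption)
IP_BAN_SECONDS = 60 * 60     # per-IP blacklist duration (assumption)


class ManualClock:
    """Deterministic stand-in for time.time() so tests need not sleep."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class AccountState:
    def __init__(self):
        self.failures = deque()          # (timestamp, ip) of failures inside WINDOW
        self.consecutive = 0             # failures since the last success
        self.next_allowed = 0.0          # escalating-delay gate
        self.locked_until = 0.0          # timed lock-out gate
        self.distributed_alerted = False # owner already told about multi-IP attempts


class LoginThrottle:
    def __init__(self, notify, clock=time.time):
        self.notify = notify                   # notify(account, reason): e-mail/SMS the owner
        self.clock = clock
        self.accounts = defaultdict(AccountState)
        self.ip_failures = defaultdict(deque)  # ip -> failure timestamps, all accounts
        self.ip_banned_until = {}

    @staticmethod
    def _trim(q, now, key=lambda e: e):
        while q and key(q[0]) < now - WINDOW:
            q.popleft()

    def check(self, account, ip):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if self.ip_banned_until.get(ip, 0.0) > now:
            return False, "ip_blacklisted"
        st = self.accounts[account]
        if st.locked_until > now:
            return False, "account_locked"
        if st.next_allowed > now:
            return False, "retry_later"
        return True, "ok"

    def record_failure(self, account, ip):
        now = self.clock()
        st = self.accounts[account]
        st.consecutive += 1
        st.failures.append((now, ip))
        self._trim(st.failures, now, key=lambda e: e[0])

        # Separate per-IP timer: one address hammering many accounts gets the
        # address blacklisted rather than locking every victim out.
        q = self.ip_failures[ip]
        q.append(now)
        self._trim(q, now)
        if len(q) >= IP_BAN_THRESHOLD:
            self.ip_banned_until[ip] = now + IP_BAN_SECONDS

        # Escalating delay: 15 s after the first non-free failure, then doubling.
        excess = st.consecutive - FREE_ATTEMPTS
        if excess > 0:
            st.next_allowed = now + BASE_DELAY * 2 ** (excess - 1)

        recent = len(st.failures)
        if recent >= LOCKOUT_THRESHOLD:
            st.locked_until = now + LOCKOUT_SECONDS
        if recent == NOTIFY_AFTER:
            self.notify(account, f"{recent} failed logins")
        distinct = len({e[1] for e in st.failures})
        if distinct >= DISTRIBUTED_IPS and not st.distributed_alerted:
            st.distributed_alerted = True
            self.notify(account, f"failures from {distinct} addresses (possible botnet)")

    def record_success(self, account):
        self.accounts[account] = AccountState()


def failures_until_locked(throttle, clock, account, ip):
    """Drive a single-source guesser against one account, waiting out each
    delay, and report (failures, seconds elapsed, reason) once it is blocked."""
    start = clock()
    count = 0
    while True:
        allowed, reason = throttle.check(account, ip)
        if reason in ("account_locked", "ip_blacklisted"):
            return count, clock() - start, reason
        if not allowed:
            clock.advance(throttle.accounts[account].next_allowed - clock())
            continue
        throttle.record_failure(account, ip)
        count += 1


if __name__ == "__main__":
    clk = ManualClock(0.0)
    t = LoginThrottle(lambda a, r: print(f"notify {a}: {r}"), clock=clk)
    print(failures_until_locked(t, clk, "alice", "203.0.113.5"))  # constructed IP
```

With these constants a single-source guesser gets ten tries and is then locked out for 30 minutes, having spent 945 seconds waiting on the doubling delays; the per-IP blacklist and the "several addresses" alert give the two signals dan1980 mentions for spotting a botnet rather than a single script.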

    3. Voland's right hand Silver badge

      Client certificates

Out of all cloud providers Apple is the only one in the unique position where it can easily deploy client side x509 (or at the very least client side keys). All devices are known, all software is controlled, it is a closed ecosystem - adding client side strong crypto into the authentication is a piece of cake.

      From there on it becomes a matter of simple ACL management based on certs - do you allow Apple ID XXXX-ZZZZ known as AAAA belonging to YYYY access to your account (Yes, No, Think Different).

      1. Dan 55 Silver badge
        Thumb Up

        Re: Client certificates

        They assume people want to log in on the iCloud website as well but the percentage of people who do this must be relatively tiny. They could either drop the feature altogether or install a certificate on the browser.

        I'm more and more convinced passwords have had their day, unless it's used with a certificate to confirm that the device is legit or as part of some kind of recovery method should the certificate have been lost (difficult to do anyway). If the computer you're at is not yours then the mobile you're carrying certainly is.

        The likes of Apple, Google, MS, Yahoo, Amazon, and so on have the entire world banging on their door all day every day and once they've got your user name it's probably just a matter of time unless you're one of those few people who know how to use passwords.

    4. theblackhand

      Re: unlimited login attempts/client certificates

Limiting login attempts on a cloud service becomes a denial-of-service path - don't like someone? Attempt to log onto their cloud account with a guessed password. If it works, you get access; if not, repeat X times and lock out the account.

On top of that, how do you unlock the account? You probably can't verify the account holder is who they say they are with any great certainty (i.e. e-mail may have been breached, phone may have been stolen, a lot of the default questions in password recovery Q+As can be answered from Internet searches if filled in literally (i.e. mother's maiden name, schools, addresses)).

      As for using client certificates, I would have thought that an app that ties in your cloud sign up (for mobile devices) or licensing for Windows would be fairly straight-forward and maybe this already happens. The problem that I see is that providing an easy way to add more devices to an account or swapping between an old and new device probably voids any benefit from this approach as it would allow either a way of moving certificates or adding new certificates with minimal fuss.

      1. JoshOvki

        Re: unlimited login attempts/client certificates

        In that case have a 30 minute time out, 3 wrong attempts you need to wait 30 minutes. 720 passwords can then be tried in a day, which makes it infeasible. As for becoming a denial-of-service path, I would rather that than my nude pictures get released, and then my password changed which becomes a denial-of-service path.

        1. a53

          Re: unlimited login attempts/client certificates

          They can have my nudie pics any time. Just need to ask.

        2. mccp

          Re: unlimited login attempts/client certificates

          "In that case have a 30 minute time out..."

          That still gives you a DoS vector - just script something to constantly try logging in.

          "720 passwords can then be tried in a day..."

          I make it 144 - max 6 an hour, 24 hours a day.

      2. Anonymous Coward
        Anonymous Coward

        Re: unlimited login attempts/client certificates

You don't block the whole account, but you blacklist for a while the IP(s) the requests come from.

        1. dan1980

          Re: unlimited login attempts/client certificates

          @LDS

"You don't block the whole account, but you blacklist for a while the IP(s) the requests come from."

          Exactly - there are so many options and you can implement whatever method works best for your situation. There's just no excuse for not having at least something there to help mitigate these problems.

  3. Moosh

Maybe Apple shouldn't shove the iCloud in the system setup and should actually tell people that deleting local content will not delete it from the cloud.

  4. Tom 35

    guessed password-recovery questions

    Stupid "what is your pets name" questions + Famous people who post the answer on their facebook page.

    If there is no Apple weakness why is it that as far as I've read it's all Apple users that have been hit?

    1. Tim99 Silver badge

      Re: guessed password-recovery questions

      @Tom 35

      If there is no Apple weakness why is it that as far as I've read it's all Apple users that have been hit?

      Because this collection of material seems to include selfies that show Android and Blackberry devices too?

      It appears that the material has been leaked from a privately traded collection obtained by a number of different people over a period of several years, that mainly includes Apple stuff. As an observation, as many celebrities have iPhones, that is where more of the material is likely to originate?

      A modern version of the "private" 8mm movie and Polaroid film pictures that would only become publicly available if you were burgled, or one of the participants leaked it. Technology can change quickly, human psychology not so much...

    2. This post has been deleted by its author

    3. AndrueC Silver badge
      Facepalm

      Re: guessed password-recovery questions

      Stupid "what is your pets name" questions

I had to sign up to an Apple account for something a couple of years ago. I forget what (possibly iTunes) and it offered me four questions I could provide an answer to as a security measure. I don't think I could answer any of them because they were inane crap like 'What's the name of your favourite teacher' (I'm 47 years old, I wouldn't remember even if I ever had a favourite), 'What's your favourite colour' (I don't have one), 'What's your best friend's name' (don't have one; I have a few mates I chat to, that's all).

      1. Anonymous Coward
        Anonymous Coward

        Re: guessed password-recovery questions

Simple - there needs to be no semantic connection between the Q and A, so use an unrelated, but memorable (to you), answer:

        Q: What's your best friend's name:

        A: The purple horse is on the moon.

        Ignore the question asked and submit your "strong" response.

        1. AndrueC Silver badge
          Thumb Down

          Re: guessed password-recovery questions

          Q: What's your best friend's name:

          A: The purple horse is on the moon.

          I suppose if it was a common scenario I might have a standard stock answer but it's not that common. That means I must have made something up and there's zero chance of me remembering it.

          1. Kristian Walsh Silver badge

            Re: guessed password-recovery questions

I thought of this, and it won't work. Apple insists on three separate security questions, and insists that you give UNIQUE answers to each question.

            The questions are utterly inane, and are only one step away from "Where did you play little-league baseball?" for their cultural narrowness. And "Best Friend??" yeah, maybe if I was a 13-year-old girl I might have decided who that is, but I'm an adult, I have several close friends, and I don't maintain a bloody league table.

            Apple have some questions to answer on why they didn't deal with brute-force attacks at the client. As it happens, an anti-brute-force block is enforced by the clients, where it is of maximum inconvenience to legitimate users and provides minimum security, but it's alarming that Apple assumed that a hacker will only use the proper client to attack a service.

      2. Version 1.0 Silver badge

        Re: guessed password-recovery questions

        I always use Wayne Kerr's name for these questions - am I at risk?

        I was told by Apple that my account had been compromised and my nude pictures of the wife have been stolen - apparently the perp went blind and is now suing me. He should have stopped when he needed glasses.

      3. Steve I

        Re: guessed password-recovery questions

Well, the easiest thing for any of these types of questions is to use your wife or girlfriend's place_of_birth/mothers_maiden_name/pet/car/colour etc.

        but I guess that's not going to work either, is it?

  5. admiraljkb
    Joke

    "after 40 hours of investigation"

    So 40 engineers spent 1 hour taking a quick glance? (probably before lunchtime)

    Joke icon for the obvious reason, although I fear there might be some truth in my joke. Truthfully, I would have expected more than 40 staff hours spent on something of this magnitude.

  6. Anonymous Coward
    Anonymous Coward

    What I don't get

    1. Who has nude pics of themselves anyway?

    2. If so, who lets them out of their direct control?

    3. See 1.

    1. Michael Thibault

      Re: What I don't get

      >Who has nude pics of themselves anyway?

      And why? Are the pictures more real, or something? What?!

  7. Jin

    2 may be weaker than 1 in the real world

    2 is larger than 1 on paper, but in the real world two weak boys may well be far weaker than one toughened guy. Physical tokens and phones are easily lost or stolen. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

    A sufficiently strong password alone could well be more effective than the combination of a weak password and a vulnerable second factor.

  8. Mike Bell

    Breach or not?

    "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find My iPhone."

    When is a breach not a breach? When you can successfully guess someone's password?

    If Apple have "discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions", it still sounds like a breach to me .

    1. Kevin Johnston

      Re: Breach or not?

How true, perhaps a more penetrating question in these situations would be...

      'Does your default security system prevent brute-force style attacks?'

We all know that no security model is perfect but as many commenters above have said, there is an assumption from the public that you have a limited number of guesses since they see that on their bank cards etc etc etc.

  9. i like crisps
    Facepalm

    INSTEAD OF AN 'AGE RATING' TO JOIN SITES....

...how about an 'IQ' rating or 'Common Sense' rating? When you join the site or service, you have to sit a little test and be able to pass it before you can join. The test would involve understanding basic online security. This would then give the operators of the site/service peace of mind knowing that if a member's account is compromised, then it's not been through the incompetence of the account holder.

If I was in charge of Apple I'd invoice these 'Airheads' for wasting my f**king time!

    1. Pascal Monett Silver badge
      Coat

      Re: INSTEAD OF AN 'AGE RATING' TO JOIN SITES....

What's that? Common sense? Man, this is the 3rd millennium, there's none of that stuff left.

      And making users complete a test in order to sign up to a service is just putting a big roadblock on your highway to money.

      Not gonna happen.

  10. Matt Bryant Silver badge
    Pirate

    Obvious question.

    Does Apple count it as a breach if it was an inside job?

  11. Nick Ryan Silver badge

    Security Questions?

    Start with a password and as long as the user chooses an appropriate password this is relatively secure. Automated checks and constraints can be put in on this to help and rate-limiting for unsuccessful password attempts is a trivial implementation task.

    Now add "security questions" from a narrow predefined list implying answers that are usually easily guessable or readily available elsewhere. Security? Fuckwits. Essentially there is no security left now. And still we have these dumb "security" questions on all these so-called secure services.

  12. Anonymous Coward
    Anonymous Coward

    If we're lucky....

    ....this might be the end of 4chan/b, which given some of their behaviour over the years, is well past due.

  13. ukgnome
    Terminator

    Brute Force Attack

    That's so 90's

    Obvs ------>

  14. Anonymous Coward
    Anonymous Coward

    Could be worse.. Could be Verified by VISA

    Forgotten your password to your verified by visa online 'extra' security step?

    Just reset it by using the details on the bank card plus your date of birth.

    No secret questions, no 2FA.

    Doesn't matter how many times I complain about that... They don't care.

    </rant>

    Feel better now. Until the next time I order online.

  15. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    We couldn't find any compromission...

    .... we believed it was the NSA!

  17. ColonelClaw

    I'm not remotely surprised iCloud itself wasn't breached. If I was trying to hack celebrity grumble pics would I go down the arduous risky route of hacking a cloud server, or just getting an email address via social engineering and brute-force the password? Pretty easy answer.

A chain is only as strong as its weakest link etc etc

  18. Anonymous Coward
    Anonymous Coward

    "Says celebs should have used strong passwords, two-factor authentication"

    Or, you know, not store private material on a stranger's computer system.

  19. Zot

    Apple denying it was their fault.

    Everyone else is doing it wrong.

    There's a surprise.

  20. Mikel

    2FA on the front door

    Back door with simple lock for ease of access.
