Apple 'outraged' as it admits iCloud security questions WERE to blame for leaked celebrity pictures



Apple has admitted its iCloud service was to blame for the theft of hundreds of celebrity pictures.

The firm said it was 'outraged' by the attacks, and said they were the result of 'a very targeted attack on user names, passwords and security questions'.

It advised worried customers to update their accounts with a 'strong' password and enable two-step verification.


Apple's online system for resetting iCloud passwords has come under scrutiny for its part in the hacking case.


HOW TO PROTECT YOUR ACCOUNT

Experts say worried consumers should turn on two-step verification for their iCloud account.

The tool prevents people accessing accounts - even if they have the password.

To set up two-step verification, go to My Apple ID. Select Manage your Apple ID and sign in, then select Password and Security.

Under Two-Step Verification, select Get Started and follow the onscreen instructions.

When a user sets up two-step verification, they register one or more trusted devices.

A trusted device is one that can receive 4-digit verification codes using either SMS or Find My iPhone. 

'Our customers' privacy and security are of utmost importance to us,' it said in a statement.

'We wanted to provide an update to our investigation into the theft of photos of certain celebrities. 

'When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source.'

'After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.'

None of the cases resulted from any breach in any of Apple's systems including iCloud or Find my iPhone, the firm said.

MailOnline revealed that hackers could have gained access to celebrity iCloud accounts using just an email address and a search engine.

Apple's password reset system for accounts has become the latest target in the hunt to find out how nude photos of Jennifer Lawrence and '100 other celebrities' were leaked.

 

'We are continuing to work with law enforcement to help identify the criminals involved.' 

The system allows people to reset a password by answering two security questions - the answers to which can often be found online for celebrity users.

The reset system allows those who have forgotten their password to reset it by answering a series of questions.


Users are asked to first confirm their date of birth - which is straightforward to find online


They are then offered two options - to change their password using email authentication or by answering security questions


HOW THEY DID IT

Hackers are believed to have used iCloud's password reset function to gain access to accounts.

This allows users to reset their password by entering their username, date of birth and correctly answering two security questions.

Experts say this information should be relatively easy to find for celebrities.

Apple has admitted it is 'actively investigating' claims a flaw in the 'Find My iPhone' function of its iCloud service may have helped a hacker to steal the photos.

Today it emerged hackers may also have used the service's password reset function to gain access to accounts.


Apple does email users to tell them their password has been changed. 

However, on the AnonIB hacking messageboard, those who say they have used the method claim that it's often best to reset the password at night so that the password reset email can be read and deleted before the target is awake. 

Rich Mogull, a security expert with Securosis, warned celebrities not to use the real answers to these questions as hackers would be able to find many of the answers online.

'The key is not to put the real answers to these questions,' he told MailOnline.

The system then asks users two questions to complete the process and allow them to reset their password

Users are then asked to answer two security questions, which range from their first car to their favourite job, which were set up when they signed up for the account.

Mogull, who admitted hackers had tried to access his account, warned that it was still unclear exactly what happened.

'We don't know what happened yet, and in the security world, you need all the facts.'

He also believed consumers were likely to stay with the firm despite the breaches.

'Historically we don't see a mass exodus from breaches, consumers don't seem to change their behaviour.


'There's a lot of historical precedent here - and this is just a first strike for Apple.

'It does appear that there was a flaw in iCloud - and we need to hear from Apple what the problem was, and what they are going to do to make it better,'

Experts believe the breadth of the celebrities affected could be down to a 'chain effect' - once one celebrity's phonebook was accessed, it could lead to dozens more.

Security consultant Graham Cluley told MailOnline: 'For these attacks to work, you also need email addresses of target.

'But what we have seen is that hackers can access address books - and this would have helped the hackers.'

Cluley also believes the 'reset password' system may have been used.

'It's certainly possible that people would have used this,' he said.

'In the case of celebrities, these secret questions are very easy to find online - either in Wikipedia or by searching through some interviews.' 

Dropbox requires users to respond to an email sent to their address to reset a password


Cluley said that anger was growing at Apple among iCloud users. 

'Even though we don't know exactly what happened, the feeling is growing that Apple wasn't doing enough to stop this,' he said.

However, Cluley believes customers will stick with Apple.

'I don't think we'll see a mass exodus - people's memory are very short. 

Jennifer Lawrence and model Cara Delevingne are among those hit by the leaks so far


'Apple is about to announce a new iPhone, and people will use iCloud to move their data to it, because it's such a simple process.'

The hacker claims he or she broke into stars' iCloud accounts, including those of the Hunger Games actress, Kate Upton and Rihanna, before publishing them on 4chan, the image-sharing forum.

A list of the alleged victims of the hack - a staggering 101 in total - has also been posted online; most of whom have not seen any photographs leaked by the hacker.

Cluley said he thought 'more leaks are to come'. 

Experts also think a flaw in Apple's Find My iPhone was used for some of the hacks.

However, despite not admitting the bug was caused by its system, the tech giant issued a 'patch', or fix, for the alleged 'Find My iPhone' bug some claim is responsible. 

Code on software development site GitHub, called iBrute, would have allowed malicious users to use 'brute force' to gain an account's password on Apple iCloud, and in particular its Find My iPhone service.

Apple has since issued a fix for the bug. 

'The end of the fun, Apple has just patched,' read an update on the post.

The hacker who posted the first batch of pictures said it was the result of 'several months of hard work by all those involved'


Brute force, also known as 'brute force cracking', is a trial-and-error method used to get plain-text passwords from encrypted data.

Just as a criminal might break into, or 'crack' a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence. In a six-letter attack.

'Many users use simple passwords that are the same across services so it's entirely possible to guess passwords using a tool like this,' said Owen Williams from The Next Web.
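From the defender's side, the password guessing described above shows up in authentication logs as a burst of failed logins against one account, sometimes ending in a success. The following is an added example, not code from the article or from Apple: it runs a sliding-window check over constructed log lines, and the log format, endpoint names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: time, source IP, account, endpoint, outcome.
# Dates, addresses (documentation ranges), accounts and endpoint names are
# invented for this example.
SAMPLE_LOG = """\
2014-09-01T02:00:01 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:02 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:03 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:04 198.51.100.9 bob@example.com /login FAIL
2014-09-01T02:00:05 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:06 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:07 203.0.113.7 alice@example.com /fmip FAIL
2014-09-01T02:00:09 203.0.113.7 alice@example.com /fmip OK
2014-09-01T02:05:00 198.51.100.9 bob@example.com /login FAIL
2014-09-01T02:05:30 198.51.100.9 bob@example.com /login OK
"""


def parse(line):
    ts, ip, account, endpoint, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, endpoint, outcome


def detect_guessing(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Flag accounts with >= max_failures failed logins inside a sliding window.

    Returns {account: {"peak", "sources", "endpoints", "success_after"}}.
    """
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = {}
    for line in log_text.strip().splitlines():
        ts, ip, account, endpoint, outcome = parse(line)
        if outcome == "FAIL":
            q = recent[account]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                hit = flagged.setdefault(account, {
                    "peak": 0, "sources": set(), "endpoints": set(),
                    "success_after": False})
                hit["peak"] = max(hit["peak"], len(q))
                hit["sources"].add(ip)
                hit["endpoints"].add(endpoint)
        elif outcome == "OK" and account in flagged:
            # A success after a burst of failures suggests a guessed password.
            flagged[account]["success_after"] = True
    return flagged
```

The same counter can drive a lockout or a forced delay on the endpoint that is being guessed against, which is the control that stops a trial-and-error tool from working through a password list.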

And in a statement issued on Monday afternoon, the FBI confirmed that it had also begun an investigation.

'The FBI is aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter.

'Any further comment would be inappropriate at this time.'

Kirsten Dunst became the first celebrity to publicly criticise Apple on Monday when she posted a sarcastic message on Twitter.

The Spiderman star tweeted 'Thank you iCloud', the day after naked photos of her were published online. 

 


