Nude photos of celebrities hacked; released on web


blankslate

Diamond Member
Jun 16, 2008
People do need to be aware of what exactly the "cloud" is and that it is not 100% secure...

but when a company that has made a point that they are more secure than competitors in the past then drops the ball like this...

http://techcrunch.com/2014/09/02/ap...esnt-protect-icloud-backups-or-photo-streams/

However, Apple’s two-factor solution is actually incomplete. It does not cover many other iCloud services, including backups.

It does not, however, make you enter a verification code if you restore a new device from an iCloud backup. And that’s the design ‘feature’ that hackers are taking advantage of here.

Once they gain access to an Apple account, some are using the login and password to ‘restore’ an iCloud backup using an application by Elcomsoft called the Phone Password Breaker — exporting data including photos and more to a folder which they can then sift through.

Even if the hackers do not actually download the entire backup — or if there is no backup on the account — they still have access to a user’s Photo Stream at this point, which is also not protected by two-factor authentication.

So, even if all of the people who have had their photos compromised had two-factor enabled, their iCloud backups and Photo Streams would still be accessible.

If you thought this was a vulnerability that was fresh and new for Apple — that it wasn’t aware of this loophole — you’d be incorrect. The fact that Apple’s iCloud backups are not protected by two-factor authentication has been known for over a year.

Then there is something wrong....

If in fact the above link has correct information then Apple should be held liable because they were, in my opinion, exceedingly negligent in making sure that their security implementation for iCloud services was reasonably hardened. Especially if they knew about the problem for about a year. It's not as if they did not have the resources to take reasonable steps to secure this service.

Although they'll probably spend money on having lawyers stifle any (imo) justified lawsuit against them instead of on something useful like hiring knowledgeable security experts to help them find and fix flaws in their products' security implementations.

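The gap the quoted TechCrunch piece describes is a per-operation policy problem: the second factor is demanded on interactive sign-in but not on the backup-restore and Photo Stream paths, so a password alone is enough to pull the data. The toy service below, added here as an illustration and not code from the original post or from Apple, models that gap next to the corrected policy and includes the audit check a reviewer would run over such a policy table. Every name in it (the operation names, the Account fields, the victim account and its contents) is an assumption constructed for the example.

```python
"""Toy model of a two-factor policy that covers some operations but not others.

All endpoint names, account data and the policy tables are constructed for
this illustration; they are not Apple's implementation or API.
"""
from dataclasses import dataclass, field
import hmac


@dataclass
class Account:
    username: str
    password: str
    two_factor_enabled: bool
    device_code: str            # code shown on the user's trusted device
    backup: list = field(default_factory=list)
    photo_stream: list = field(default_factory=list)


# Whether each credentialed operation demands the verification code when
# the account has 2FA on. The incomplete table mirrors the gap in the
# quoted text: sign-in is covered, backup restore and Photo Stream are not.
INCOMPLETE_POLICY = {"web_signin": True, "restore_backup": False, "photo_stream": False}
# Hardened table: the second factor gates every path that hands out data.
COMPLETE_POLICY = {op: True for op in INCOMPLETE_POLICY}


class AuthError(Exception):
    pass


class CloudService:
    def __init__(self, accounts, policy):
        self.accounts = {a.username: a for a in accounts}
        self.policy = policy

    def _authenticate(self, username, password, operation, code):
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.password.encode(), password.encode()):
            raise AuthError("bad credentials")
        # The gap lives here: the code is only checked when the policy table
        # says this particular operation requires it.
        if acct.two_factor_enabled and self.policy[operation]:
            if code is None or not hmac.compare_digest(acct.device_code.encode(), code.encode()):
                raise AuthError("verification code required")
        return acct

    def web_signin(self, username, password, code=None):
        self._authenticate(username, password, "web_signin", code)
        return "session-cookie"

    def restore_backup(self, username, password, code=None):
        return list(self._authenticate(username, password, "restore_backup", code).backup)

    def photo_stream(self, username, password, code=None):
        return list(self._authenticate(username, password, "photo_stream", code).photo_stream)


def password_only_attacker(service, username, password):
    """What someone holding only the password (no trusted device) can pull."""
    loot = {}
    for op in ("web_signin", "restore_backup", "photo_stream"):
        try:
            loot[op] = getattr(service, op)(username, password)
        except AuthError:
            loot[op] = None
    return loot


def audit_policy(policy):
    """Operations that hand out data yet are not gated by the second factor."""
    return sorted(op for op, gated in policy.items() if not gated)


# Constructed victim account: 2FA on, one small backup, one Photo Stream item.
VICTIM = Account("victim@example.com", "correct horse", True, "482913",
                 backup=["Messages.db", "IMG_0001.jpg"], photo_stream=["IMG_0002.jpg"])

if __name__ == "__main__":
    for name, policy in (("incomplete", INCOMPLETE_POLICY), ("complete", COMPLETE_POLICY)):
        svc = CloudService([VICTIM], policy)
        print(name, "uncovered:", audit_policy(policy))
        print(name, "password-only attacker gets:", password_only_attacker(svc, VICTIM.username, VICTIM.password))
```

Under the incomplete table the attacker is refused the web sign-in but walks away with the full backup and the Photo Stream; under the complete table every call fails without the device code. The audit function is the practical takeaway: enumerate every operation that returns user data and confirm each one is in the gated set, rather than assuming the login page's check carries over.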

Knowing

Golden Member
Mar 18, 2014
I learned something new about this yesterday and I thought that its omission from the story was something of an oversight.

http://www.wired.com/2014/09/eppb-icloud/

Hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.

Good to see Apple leaving the door open for "government agency customers" who apparently buy software from Russia.