Posted on 09/01/2014 8:12:52 AM PDT by ConservativeMind
Engadget reports that Apple has fixed a major bug in its Find My iPhone software that allowed hackers to gain access to iCloud accounts. The fix comes just hours after a hacker leaked hundreds of nude celebrity photos on 4chan in return for Bitcoin donations.
Apple's Find My iPhone login page was discovered to have been vulnerable to so-called "brute force" hacks. Hackers are usually locked out of sites if they try to gain access using multiple passwords, but it was discovered that the Find My iPhone API allows users to repeatedly try different passwords. Security researcher Alexey Troshichev revealed that it's possible to combine this exploit with a list of common passwords in order to make a tool that can gain access to iCloud accounts.
(Excerpt) Read more at businessinsider.com ...
You will not regret that move. IMO, and that of several family and friends, the Galaxy phones are far superior to the iphones.
What's so impressive about it compared to your old cellphone?
The cable company has a record of all your searches and whatever you downloaded.
This reminds me, I need a bigger hard drive for er... storage.
BTW that will be $225 to fix a cracked screen. My Samsung Galaxy S4 had a small x crack above the home button. The screen started out with multiple colors then the next day turned black. Not under warranty.
My sister's S4 had an overheating issue and would not charge. Samsung knew of the issue and it was under warranty and she sent it off to Plano, Texas for repair. They replaced the motherboard which if you paid for it would be about $120. If your usb port goes bad it is only $4 plus the cost of a repair toolkit consisting of small screwdrivers and plastic picks costing maybe $8.
"We discussed the tool with its creator, Hackapp, over Twitter, who said 'This bug is common for all services which have many authentication interfaces' and that 'with basic knowledge of sniffing and reversing techniques it is trivial to uncover them.' When asked if the method could have been used in the celebrity hack today, Hackapp said 'I've not seen any evidence yet, but I admit that someone could use this tool.'"
Reviews of the metadata from the nude celebrity photographs that have been released have found that while many were taken with Apple equipment, many were also taken with Android phones and webcams on Windows PCs, which would not be likely to be stored on Apple's iCloud.
The script does apparently implement a brute force serial attack through the FindMyiPhone API using a list of the 500 most commonly used passwords such as "password, password1, passw0rd, p@ssw0rd, p@ssword, princess, princess1, etc."
Strangely, all of Alexey Troshichev's direct articles and evidence of the script and claims have been removed from the web for some reason.
Apple has been recommending for some time that users employ a two-level authentication to avoid this exact kind of exploit.
If you want on or off the Mac Ping List, Freepmail me.
Pretty severe. . . up to full porn level activity.
No, fingerprint data never leaves the iPhone. . . and is stored on the iPhone as an encrypted hash.
You're likely to blow through 500MB of data very quickly.
lol
yep
We go through 10 GB of data rather quickly with my sister watching movies on her iPad at dialysis and sometimes forgetting to switch off "cellular data" at home.
A pin is also required when you set up Touch ID. And restoring from backup is a different password.
Well, let's see.
Upgradability: iOS devices' OS can be upgraded wirelessly for a number of OS cycles for years. Normally Android devices' OS can only be upgraded IF your carrier and device maker both permit it. Your Samsung Galaxy 4 may have Android 4.2.2 Jelly Bean, or 4.4 (KitKat), but 90% of Android phones cannot be upgraded.
Fragmentation: Only 21.9% of Android users are on devices with KitKat, 54.2% are on Jelly Bean, 10.6% are on the older 4.03/4 Ice Cream Sandwich, 13.6% on even older 2.3.3-2.3.7 Gingerbread, and 0.7% on 2.2 Froyo. Many of those cannot be upgraded at all. On the other hand, Apple iOS 7 is now on over 90% of all Apple mobile devices, with fewer than 8% on iOS 6, and less than 1% on iOS 5. App designers have very few problems making and testing software for Apple devices, but Android designers have to design and test for literally thousands of variations.
Apps: in terms of sheer numbers, the apps available for each platform are close, but there are qualitative differences.
In Apple iOS, once you buy an App, it is yours for life, installable on all your devices. The App Store is curated. . . which means the apps are tested for malware and other bad stuff. Don't believe the myth that the app stores and apps are equal, they aren't. iOS reviews in comparison to Android consistently find the iOS apps are, in general, more polished than Android apps. Most apps are released first on iOS and only later, if at all, for Android.
Privacy: Android is Google. Google's primary product is YOU! Google makes no secret they mine any data that passes through their servers for any information about you to sell to their advertisers. Your email on their servers is not secure from their crawlers. Your browsing on Chrome or other browsers on your Android device is not immune from their prying eyes, any ads that you see displayed are duly recorded, searches are noted and catalogued, activity of any kind is charted automatically. Where your device goes is tracked for commercial Google purposes. Google has already signed agreements with the government. Nothing is secret.
Apple sells no information to third parties, and has refused blanket cooperation with the government, unless under court order. Any data collected in Apple Maps is generic and non-ID connected. No advertising will appear in any Apple apps, other than those where you expect it, such as iTunes, the Apple Store, or the App Store. However other Apple supplied apps are ad free. Apple Mail, and other data, is encrypted and Apple itself cannot decrypt it without your password. . . which is only kept as an algorithmic hash.
Malware: How about Android phones have more and better malware. 97% of all mobile malware targets Android devices. You might think that the 3% left over must be targeting iOS devices, but that is not the case. That 3% targets Symbian, Windows Mobile devices, and RIM devices. The total number of unjailbroken iPhone and iPad malware is ZERO. There is some for jailbroken iPhones, but it represents less than 0.01%. Google is attempting to "curate" the Play Store, but at last check, about 1% of the apps were still found with active malware. Other Android stores were found with malware percentages ranging from 3-24% with an average of 8%. Your safest approach to avoiding malware is to stick to Google's Play Store and never get anything from a third party store.
Here's an excerpt about one of the more egregious malware now appearing in the wild for Android.
Android vulnerability allows malware to compromise most devices and apps
Attackers can impersonate trusted developers to gain powerful privileges on the OS, researchers from Bluebox Security said.
By Lucian Constantin, IDG News Service | Security
July 29, 2014, 10:32 AM
The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device.
The core problem is that Android fails to validate public key infrastructure certificate chains for app digital signatures, said Jeff Forristal, chief technology officer of Bluebox Security, a San Francisco company whose researchers discovered the issue.
According to Google's documentation, Android applications must be signed in order to be installed on the OS, but the digital certificate used to sign them does not need to be issued by a digital certificate authority. "It is perfectly allowable, and typical, for Android applications to use self-signed certificates," the documentation says.
I think you are misunderstanding. The fingerprint sensor only unlocks the iPhone. It has nothing to do with accessing your iCloud account. The fingerprint unlocks iPhone. Your data on the iCloud should be encrypted. . . and protected by a two-level access. Password and pin-code. That keeps creeps like these OUT.
If Apple made an error, and it is indeed possible, it was apparently in the API for the FindMyIPhone app on a computer. The API evidently failed to lock out multiple password attempts, which would allow what is called a brute force attack, where a bad guy just keeps guessing weak passwords until he gets in. If he knows something about the target, he can try things like pet's names and numbers like birthdays, anniversaries, etc. This particular script merely used the list of the 500 most common passwords on the targets' user names. It got them in.
This kind of attack would be useless against passwords in the passphrase style such as:
23katsCleanbarf5Xs
dawgsLess8p0lecats
9bottlesOFsnoshoes
If you were unable to retrieve a lost iPhone, you would be able to buy a new one, input your Apple ID, password, secondary code (hopefully you set one to keep the baddies out), and your new iPhone would be restored with everything intact.
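To illustrate the missing control described above (a login API that never locks out repeated password guesses), here is an added example that is not code from Apple or from anyone in this thread: a sliding-window, per-account failure limit wrapped around a password check, plus a detector that replays auth log lines through the same window. The `check_password` callable, the account names and the log lines are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5      # failed guesses tolerated per account ...
WINDOW_SECONDS = 300  # ... inside this sliding window; further tries are refused

class FailureWindow:
    """Per-key failure timestamps, pruned to the last `window` seconds."""
    def __init__(self, window):
        self.window, self._events = window, defaultdict(deque)

    def count(self, key, now):
        q = self._events[key]
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return len(q)

    def add(self, key, now):
        self._events[key].append(now)
        return self.count(key, now)

class LoginThrottle:
    """Wraps a password check with the per-account limit the thread's API lacked."""
    def __init__(self, check_password):
        self._check = check_password   # hypothetical callable(account, password) -> bool
        self._fails = FailureWindow(WINDOW_SECONDS)

    def attempt(self, account, password, now):
        if self._fails.count(account, now) >= MAX_FAILURES:
            return "locked"            # refuse without evaluating the password at all
        if self._check(account, password):
            return "ok"
        self._fails.add(account, now)
        return "denied"

# Constructed sample auth log, one attempt per line: "epoch status account source".
SAMPLE_LOG = """1409580000 fail alice 203.0.113.5
1409580001 fail alice 203.0.113.5
1409580002 ok bob 198.51.100.7
1409580003 fail alice 203.0.113.5
1409580004 fail alice 203.0.113.5
1409580005 fail alice 203.0.113.5""".splitlines()

def flag_brute_force(lines, threshold=MAX_FAILURES):
    fails, flagged = FailureWindow(WINDOW_SECONDS), set()
    for line in lines:
        ts, status, account, _src = line.split()
        if status == "fail" and fails.add(account, int(ts)) >= threshold:
            flagged.add(account)
    return flagged
```

Note that while an account is locked even the correct password is refused, which is the price of this control; the window expiring is what lets the real owner back in.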
Nope, not at all.
Took me a long time to get my first iPhone.
Used to have nV phones.
Made a big mistake in getting a Brigade. Never worked right.
When Apple finally came out with a Verizon phone, I got one and never looked back.
I have lots of friends who have tried the Samsung options. Not impressed.
Just leave the WIFI setting turned to "ON" and the iPad will switch to WIFI automatically when your home network is available. The iPad will automatically switch back to the fastest cellular connection when you leave the WIFI area. When the WIFI is operational, the cellular is not transmitting. . . and you are not using bandwidth.
Check to see if the dialysis clinic has WIFI. They should. If so, ask for the local password and use their bandwidth for the movies. The iPad will remember their password and auto-connect when you arrive for your wife's dialysis and you can stop burning your bandwidth.
Sorry, “your sister’s”