TranceAddict Forums

TranceAddict Forums (www.tranceaddict.com/forums)
- Chill Out Room
-- Nude Photo (iCloud?) hack affecting celebs (Jennifer Lawrence/Kate Upton...) via 4chan
Pages (4): « 1 2 [3] 4 »


Posted by r5a on Sep-04-2014 02:10:

holy jesus christ. i have no idea how fucking ISIS, NSA or any of that bullshit ends up in a thread like this.

a group/person of hackers pwned apple. leaked a bunch of shit. happens all the time. the only reason this is a big deal is because the severity of the breach. also notice how apple is trying to downplay it? (oh yeah WE didnt get hacked, rather individual users got hacked. yeah you fucking assclowns with your shitty api)


there's a big fucking difference between a bunch of smart kids causing trouble then a government body tapping/sniffing actively for your traffic. hi NSA!

what concerns me more is a significant fucking amount of teir 1/bgp'd providers use Cisco gear. and there's been talk about NSA stealing shipments and dropping chips in Cisco gear. now thats fucked up.

it sucks for the people that got hit but what can you do? oh yeah don't store your naked photos on the "cloud." even then you're still not protected. its a risk you take if you take these photos.


Posted by on Sep-04-2014 02:17:

quote:
Originally posted by DJ RANN
Yeah, because the pictures were "leaked", weren't they?

Like when someone breaks in to your house by trying every possible key combination on your door lock and takes all your shit, it's not theft, it's just you leaking you possessions

Now you know how the RIAA feels about you stealing their music.


Posted by djnitride on Sep-04-2014 03:09:

quote:
Originally posted by r5a
holy jesus christ. i have no idea how fucking ISIS, NSA or any of that bullshit ends up in a thread like this.

a group/person of hackers pwned apple. leaked a bunch of shit. happens all the time. the only reason this is a big deal is because the severity of the breach. also notice how apple is trying to downplay it? (oh yeah WE didnt get hacked, rather individual users got hacked. yeah you fucking assclowns with your shitty api)


there's a big fucking difference between a bunch of smart kids causing trouble then a government body tapping/sniffing actively for your traffic. hi NSA!

what concerns me more is a significant fucking amount of teir 1/bgp'd providers use Cisco gear. and there's been talk about NSA stealing shipments and dropping chips in Cisco gear. now thats fucked up.

it sucks for the people that got hit but what can you do? oh yeah don't store your naked photos on the "cloud." even then you're still not protected. its a risk you take if you take these photos.


Until people stop using bad passwords and security practices in general nothing will change. Even if their API had rate limiting people still could have guessed their passwords, just slower.

Its like leaving your backdoor open and setting your safe combination to "1111" and expecting robbers to not be able to easily break in and open it...

Yeah, its wrong that they got hacked but they neglected nearly all cyber security best practices. I don't have sympathy for anyone who doesn't take their own security seriously, whether that be physical or digital.


Posted by Redd on Sep-04-2014 11:35:

quote:
Originally posted by enydo
It also doesn't make sense to me that people lose their shit over a small trove of nudes when the internet is literally filled with porn that was put up with some form of consent. Go get your rocks off somewhere else, ffs.


Not the same rocks though.


Posted by DJ RANN on Sep-05-2014 21:53:

quote:
Originally posted by Jon_Snow
Now you know how the RIAA feels about you stealing their music.


Yeah because the RIAA owns the content, right?

(but whatevs as I'm sure you're just trolling anyway).

quote:
Originally posted by Jon_Snow
Until people stop using bad passwords and security practices in general nothing will change. Even if their API had rate limiting people still could have guessed their passwords, just slower.

Its like leaving your backdoor open and setting your safe combination to "1111" and expecting robbers to not be able to easily break in and open it...

Yeah, its wrong that they got hacked but they neglected nearly all cyber security best practices. I don't have sympathy for anyone who doesn't take their own security seriously, whether that be physical or digital.


What the fuck are you on about?

Whether you use a great password or a shit password, with the methods that were used (and I'll say it again, it wasn't just a easy to access to API) they were going to get the data anyway.

How easy or difficult it was to break in has nothing to do with the point.

Whether someone picks your simple lock or ram-raids your house, the intention is still the same. With these guys in this data sharing ring, they'd be happy to either pick your lock or go get the forklift.

Yes, take your security seriously, and I actually don't have much sympathy for the actual content - if you don't want the chance or a pic with jizz on your face, well, then don't have a picture taken with jizz on your face - but this was bunch of really creepy people endlessly trying to find ways in to someones personal data.

The latest indications are that some of these guys actually did it for monetary gain with is another whole layer of wrong as well.


Posted by PaULiN0 on Sep-05-2014 21:56:

quote:
Originally posted by Spacey Orange
So these guys are fapping to jennifer lawrence's saggy tits now. Oh the fucken travesty sweet jesus.



That guy with the green shirt's tits are just as saggy imo.


Posted by Redd on Sep-06-2014 04:18:

If you take a picture of yourself nude and upload it to whatever cloud, resulting in you getting hacked it's your own fault. So you're saying putting money in the bank isn't safe? I'd love the internet to be as safe as a bank. Really. It's not.

Want to send nude picture to someone? Do it, but don't upload that shit to a server. If you're ignorant enough to not know what I'm talking about? Well it sucks to be you.

But you're right. Ideally there wouldn't even be anyone watching this. The torrent got 40k seeders on piratebay just about 1 hour after the leak.

Criminuls.


Posted by djnitride on Sep-06-2014 04:30:

RANN I understand your point but you are misinformed about the actual technical details behind the methods people were using. Using a strong password and hard to guess recovery questions WOULD have stopped brute force attacks against their account. There was no magic exploit. They exploited people who employed poor security practices, plain and simple.

Yes its creepy, but this is a much farther reaching problem in society than just "nude pics"... You can't just look at it from that angle without addressing the root cause of all of this.

People neglect security for far more important things and only address it once shit hits the fan.


Posted by Redd on Sep-06-2014 04:44:

quote:
Originally posted by djnitride
People neglect security for far more important things and only address it once shit hits the fan.


and then they blame the people who share it. yeah, cause that's ever gonna stop.


Posted by DJ RANN on Sep-08-2014 22:08:

quote:
Originally posted by djnitride
RANN I understand your point but you are misinformed about the actual technical details behind the methods people were using. Using a strong password and hard to guess recovery questions WOULD have stopped brute force attacks against their account. There was no magic exploit. They exploited people who employed poor security practices, plain and simple.

Yes its creepy, but this is a much farther reaching problem in society than just "nude pics"... You can't just look at it from that angle without addressing the root cause of all of this.

People neglect security for far more important things and only address it once shit hits the fan.


That would be true if this was solely a brute force attack - it wasn't; it was a group of people sharing various pictures, often working together with little snippets of info to get in to some people's accounts. It has already been confirmed that with at least two of the people, it wasn't even and icloud account that was breached.

Good passwords don't mean anything. A brute force checks millions of combinations of every possible key combination so whether it's simple or has upper and lower case, with special characters, just means it takes the brute force attack slightly longer, but trust me, these guys were at it for months, if not years.

A friend of mine just had her citibank account emptied a week ago; they traced it back to the Quickbooks help service. She was having trouble installing QB on her work PC, so they did the remote access option. It turns out the people that QB contract out their tech support to in Bangkok installed a key logger at the same time, dumped the file later that afternoon and did an international wire transfer to themselves.

When she reported unusual activity to citibank they told her there's no way as they have stringent password security and even use two step verification etc.

But eventually she traced it and as the key logger also included her email credentials when she logged in to her email, they also were able to go through the two step verification process for her password when her citi login detected an IP that was in a different territory.

Simply put, passwords will help but difficult passwords don't mean shit when you have sophisticated means of acquiring those passwords or credentials.

The biggest flaw was that apple did not have a brute force checker on their API for icloud, and that meant the attack could do on uninterrupted until it yielded access.

But again, that was only way way they got the pictures. Some were phishing attacks and others apparently involved even more nefarious means such as phone hacking and remote access.

As mentioned, previously, I actually know two of the people affected by this and one of them had nothing on their icloud account to get. They are at a loss as to how they got access to old images.


Posted by djnitride on Sep-08-2014 22:44:

quote:
Originally posted by DJ RANN
Good passwords don't mean anything. A brute force checks millions of combinations of every possible key combination so whether it's simple or has upper and lower case, with special characters, just means it takes the brute force attack slightly longer, but trust me, these guys were at it for months, if not years.


Each additional digit adds another power to the potential number of combinations, past a certain point it doesn't matter if they rate limit brute force or not, it simply isn't feasible to crack the password.

For example, a 20 char alpha numeric password with capital letters would be 62^20 = 7.0442342554699802296833026461637e+35 possible combinations. Even if the attacker could run 1 million combinations a second, it would take 670113608777585638287985 days to crack if they had to check 50% of combinations before finding the password.

Yeah, I am sure some of them used extremely targeted and personalized social engineering techniques to get peoples pictures who had better security.

Here is one problem, there is no definitive defense against social engineering attacks besides restricting yourself to a very limited list of service providers. For example, gmail is extremely strict about providing account access if you lose your password.


Posted by Swamper on Sep-09-2014 03:50:

In my hacking/wannabe-unix-security-nerd days (circa 1994-1995) I used a spare 486 and it took 2 weeks running 24/7 against a bunch of dictionaries (in multiple languages) before it cracked anything. I used Crackerjack.

I can still remember the audible beep... it was like christmas in july. lol

Good times.

As for password difficulty... have some numbers... mixed case...and a word you know and then vary the numbers within a certain range and that's all you need.


Posted by DJ RANN on Sep-09-2014 23:40:

quote:
Originally posted by djnitride
Each additional digit adds another power to the potential number of combinations, past a certain point it doesn't matter if they rate limit brute force or not, it simply isn't feasible to crack the password.

For example, a 20 char alpha numeric password with capital letters would be 62^20 = 7.0442342554699802296833026461637e+35 possible combinations. Even if the attacker could run 1 million combinations a second, it would take 670113608777585638287985 days to crack if they had to check 50% of combinations before finding the password.

Yeah, I am sure some of them used extremely targeted and personalized social engineering techniques to get peoples pictures who had better security.

Here is one problem, there is no definitive defense against social engineering attacks besides restricting yourself to a very limited list of service providers. For example, gmail is extremely strict about providing account access if you lose your password.


But that's the problem; 20 digit alpha numeric passwords aren't really realistic. I have to use one system for one of ht businesses that requires me (and 4 of my employees) to log in at least 20-40 times a day. Having to type 20 mixed fucking characters is an absolute ballache that many times a day so guess what? Everyone does the minimum (8 chars, 1 num, one spec char). That's really not that difficult to brute force in a couple of days.

Average password length is guess what? 8-9 characters (in fact the actual figure is 61% of the worlds population uses a password that is within one digit of the minimum required).

But again, this was only part of the breach in question - several of the people involved were phished, some it's now believed were straight up hacked with malware, and one or two others had their phones actually compromised/data copied/stolen.

Unless you're going to add two step verification (and still keylogging attacks do nothing against this) or algorithmic dongles, passwords are not going to get more secure.

I mean if the swampmeister was able to do it on a 486 fifteen years ago then imagine what's possible today.

Combine these attacks with just a tiny bit of social engineering, and basically anyone can get access to any normal password protection system.


Posted by djnitride on Sep-10-2014 00:06:

quote:
Originally posted by DJ RANN
But that's the problem; 20 digit alpha numeric passwords aren't really realistic. I have to use one system for one of ht businesses that requires me (and 4 of my employees) to log in at least 20-40 times a day. Having to type 20 mixed fucking characters is an absolute ballache that many times a day so guess what? Everyone does the minimum (8 chars, 1 num, one spec char). That's really not that difficult to brute force in a couple of days.

Average password length is guess what? 8-9 characters (in fact the actual figure is 61% of the worlds population uses a password that is within one digit of the minimum required).

But again, this was only part of the breach in question - several of the people involved were phished, some it's now believed were straight up hacked with malware, and one or two others had their phones actually compromised/data copied/stolen.

Unless you're going to add two step verification (and still keylogging attacks do nothing against this) or algorithmic dongles, passwords are not going to get more secure.

Combine these attacks with just a tiny bit of social engineering, and basically anyone can get access to any normal password protection system.


This problem has been solved. Its not without its own problems, but it is a far more secure system then using a short password.

Just one example:
http://keepass.info/

2FA in addition to that is a must for anyone who might have a big target painted on them


Posted by on Sep-10-2014 00:35:

Ariana Grande Nude Photos


Posted by Swamper on Sep-10-2014 03:11:

^ She's 21? I thought she was like 17.


Posted by Sushipunk on Sep-10-2014 03:52:


Posted by Lews on Sep-10-2014 04:01:

On the topic of password length, I hate the companies that have a maximum password length, especially one that is only 8-12 characters. Which I find it completely ludicrous to blame those who were hacked, I do try to have my own internet stuff secure (at least banking/email/etc). It's not that hard to remember a line of poetry that can end up being 25-30 characters. Muscle memory easily remembers it, too.


Posted by on Sep-10-2014 04:06:

quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.
She was 17... 4 years ago

Never heard of her until the leak and started to feel bad for her then I read that article lol


Posted by Viber on Sep-10-2014 10:26:

quote:
Originally posted by Lews
a line of poetry that can end up being 25-30 characters. Muscle memory easily remembers it, too.


That's a brilliant idea


Posted by Dykes_on_Jay on Sep-10-2014 16:38:

Lews.

Vegetarians protect the world with haiku's.


Posted by Silky Johnson on Sep-10-2014 16:58:

quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk


quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk


quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk


quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk


quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk



quote:
Originally posted by Swamper
^ She's 21? I thought she was like 17.


quote:
Originally posted by Sushipunk


Posted by Joss Weatherby on Sep-10-2014 17:18:

quote:
Originally posted by Viber
That's a brilliant idea


Throw in something like 3s for Es and other random switch outs (using a sequence of non-alphanumeric characters for whitespaces) and you have a password that is very secure. Bruteforcing it would take a huge amount of time and any system that has lockouts would make it almost impossible to get into.

That being said if the server is storing your password in plaintext then you are fucked if the server is compromised. Also if they are using MD5 or even SHA1 then the potential for collision is high, so if they aren't salting it, you're password is vulnerable to rainbow tables and shit like that.


Posted by Lagrangian on Sep-10-2014 17:28:

Are you hacking Tinder, Nou?


Posted by on Sep-10-2014 18:39:

I use the Gettysburg address as my password


Pages (4): « 1 2 [3] 4 »

Powered by: vBulletin
Copyright © 2000-2021, Jelsoft Enterprises Ltd.