|
| quote: | Originally posted by djnitride
RANN I understand your point but you are misinformed about the actual technical details behind the methods people were using. Using a strong password and hard to guess recovery questions WOULD have stopped brute force attacks against their account. There was no magic exploit. They exploited people who employed poor security practices, plain and simple.
Yes its creepy, but this is a much farther reaching problem in society than just "nude pics"... You can't just look at it from that angle without addressing the root cause of all of this.
People neglect security for far more important things and only address it once shit hits the fan. |
That would be true if this was solely a brute force attack - it wasn't; it was a group of people sharing various pictures, often working together with little snippets of info to get in to some people's accounts. It has already been confirmed that with at least two of the people, it wasn't even and icloud account that was breached.
Good passwords don't mean anything. A brute force checks millions of combinations of every possible key combination so whether it's simple or has upper and lower case, with special characters, just means it takes the brute force attack slightly longer, but trust me, these guys were at it for months, if not years.
A friend of mine just had her citibank account emptied a week ago; they traced it back to the Quickbooks help service. She was having trouble installing QB on her work PC, so they did the remote access option. It turns out the people that QB contract out their tech support to in Bangkok installed a key logger at the same time, dumped the file later that afternoon and did an international wire transfer to themselves.
When she reported unusual activity to citibank they told her there's no way as they have stringent password security and even use two step verification etc.
But eventually she traced it and as the key logger also included her email credentials when she logged in to her email, they also were able to go through the two step verification process for her password when her citi login detected an IP that was in a different territory.
Simply put, passwords will help but difficult passwords don't mean shit when you have sophisticated means of acquiring those passwords or credentials.
The biggest flaw was that apple did not have a brute force checker on their API for icloud, and that meant the attack could do on uninterrupted until it yielded access.
But again, that was only way way they got the pictures. Some were phishing attacks and others apparently involved even more nefarious means such as phone hacking and remote access.
As mentioned, previously, I actually know two of the people affected by this and one of them had nothing on their icloud account to get. They are at a loss as to how they got access to old images.
|