Apple Says It Is “Actively Investigating” Celeb Photo Hack, by Arik Hesseldahl
Apple said Monday it was ‘actively investigating’ the violation of several of its iCloud accounts, in which revealing photos and videos of prominent Hollywood actresses were taken and posted all over the Web.
* * *
Security experts said the hacking and theft of revealing pictures from the Apple iCloud accounts of a few celebrities might have been prevented if those affected had enabled two-factor authentication on their accounts.
Apple hasn’t yet said anything definitive about how the attacks were carried out, but security researchers at the security firm FireEye examined the evidence that has emerged so far and said it appears to have been a fairly straightforward attack. That said, it is also one that could have been thwarted had some additional steps to secure the targeted accounts been taken.
That additional step is known as two-factor authentication. Apple calls it ‘two-step verification,’ although it doesn’t work very hard to tell people about it, said Darien Kindlund, director of threat research at FireEye.
‘In general Apple has been a little late to the game in offering this kind of protection, and doesn’t advertise it,’ he said. ‘You have to dig through the support articles to find it.’
When enabled, two-factor authentication requires users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password. Since the number constantly changes, it makes it much more difficult for attackers to gain access to the account, even if they know the password.
Assuming the compromised accounts were running without the two-step option turned on, it would then have been relatively easy for the attacker to gain access to the accounts.
As The Next Web reported earlier today, the attack may be linked to software on GitHub called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts. In this scenario, an attacker simply guesses a password again and again until they succeed. While tedious and time-consuming for a person, it’s a simple and infinitely faster process for a computer.
The as-yet unknown attacker had one other thing going for him: Apple allowed an unlimited number of password guesses. Normally, systems limit the number of times someone can try to log in with an incorrect password before the account is locked down entirely. Apple has since fixed that aspect of the vulnerability.
‘The attackers never should have been allowed to make an unlimited number of guesses,’ Kindlund said. . . . [Emphasis added.]