Apple now sending email notifications when users sign in to iCloud.com


Apple is now sending emails to users when they log in to iCloud.com. This is part of Apple’s latest security upgrades to iCloud, which Tim Cook announced late last week. In the interview, Cook said Apple planned to launch the feature within two weeks, but obviously it has been deployed much sooner. The notification is supposed to act as a warning for users, to detect account infiltrations as early as possible. Supposedly, these emails will only be sent once, the first time an account logs in to a particular device, so it shouldn’t spam your inbox with login notifications.


One third of Americans have improved their online security since the iCloud hacks


A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef up their online security in response to the iCloud hacks.

The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification …

Apple’s digital stores face second outage this week across all platforms (update: resolved)


Earlier this week, iOS users discovered that the App Store was experiencing some technical issues that caused every item for sale to become unavailable. Now, only two days later, the company’s status page indicates that the App Store on Mac and iOS, iBooks Store, and various iTunes services such as the music store and Radio, are all suffering from even more downtime.

According to the status page, the issues first cropped up around 4:30 PM and have persisted for about three hours so far. A notice on the page states that only “some users” are having difficulty accessing the store, but there’s no mention of exactly how many users could be impacted.


Opinion: After the celebrity hacks, the vulnerability that still exists and what needs to be done


There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)

But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions.

[Update: Tim Cook has confirmed these were the two methods used] 


Metadata analysis of leaked photos suggest complete iPhone backups obtained


A forensics consultant and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the iCloud ID and password have been obtained.

If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …


Apple sets developer rules for HealthKit, HomeKit, TestFlight, and Extensions ahead of iOS 8 launch


Today, Apple has updated its official App Store developers Review Guidelines to outline the requirements for iOS 8 applications that will make use of the new HealthKit, HomeKit, TestFlight, and Extensions services. Today’s update indicates that Apple is nearing the release of iOS 8, the next-generation mobile operating system for the iPhone, iPad, and iPod touch ahead of the September 9th Apple media event. Apple will provide developers with a golden master seed of iOS 8 on the day of the event, according to sources with knowledge of the plans. The review guidelines are a “living document” that list reasons that App Store apps could be rejected. Below are the full lists for HealthKit, HomeKit, TestFlight, and Extensions, but here are some of the more significant points:

  • “Apps using the HealthKit framework that store users’ health information in iCloud will be rejected.” This point should reduce fears of intruders being able to access a user’s health data, especially after the scandal surrounding the leak of celebrity photos potentially stored in iCloud.
  • “Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected.”
  • “Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” This point is crucial in that this fine print allows Apple to work around the FDA’s regulatory guidelines for mobile health applications.
  • “Apps using the HealthKit framework must provide a privacy policy or they will be rejected.”
  • “Apps must not use data gathered from the HomeKit APIs for advertising or other use-based data mining.” Same deal with HealthKit, as we noted earlier this week.
  • There are also a number of third party keyboard guidelines that will be critical for developers to follow.

In addition to those four new sections, Apple has also updated the guidelines to say that “if your app is plain creepy, it may not be accepted.” You can read all of the new bullet points below:


Apple denies iCloud/Find my iPhone breach, says ‘very targeted attack’ hit certain celebrities


Apple has responded to this week’s hackings of celebrity iCloud accounts, which resulted in postings of private photographs. Here’s Apple’s statement in full:

CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.

Apple says that it conducted an investigation for more than 40 hours, and denies that iCloud or Find my iPhone was actually breached. Apple is presenting this as a very targeted username, password, and security questions hack on “certain celebrity accounts.” Apple recommends that users utilize the 2-step verification service for Apple IDs/iCloud. The company also says it is continuing to work with law enforcement on finding the hackers involved.


FBI investigating alleged iCloud celebrity hack as Reddit ‘suspect’ declares innocence


The FBI is now leading the investigation into the alleged iCloud hack in which nude photographs of a number of celebrities were obtained, reports the Telegraph. FBI spokesperson Laura Eimiller said:

[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.

It has been suggested that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities …

Vulnerability in Find My Phone service and weak passwords may explain alleged celebrity photo leaks


The Next Web is reporting that a vulnerability in the Find My Phone service may have allowed attackers to brute-force passwords in order to access the iCloud accounts of celebrities.

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.

A tool to exploit the weakness was uploaded to GitHub, where it remained for two days before being shared on Hacker News …

Countless celebrity nude photo leaks being blamed on supposed iCloud hack (Updated)


A plethora of reports are swirling around the internet that countless private celebrity photos have leaked (no, we’re not going to link you), and rumors, which as of right now are baseless, claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. Among the celebrities reportedly involved are Jennifer Lawrence, Kate Upton, Avril Lavigne, Mary Elizabeth Winstead, Mary Kate Olsen, Hilary Duff, and many others.


Dropbox dramatically cuts pricing to compete, 1TB now just $9.99/month


Dropbox has today slashed its pricing and doubled the maximum storage space from 500GB to 1TB. Up until yesterday, you’d have been paying $500/year for 500GB; today you can pay just $120/year (or $99/year when paying annually) for a terabyte.

The new deal finally brings Dropbox into line with Google Drive and Microsoft OneDrive. Apple users may want to hold off for now, however, with Apple’s new iCloud pricing – which includes iCloud Drive – expected to be broadly similar …

Apple releases OS X Yosemite Developer Preview 6 with new wallpapers & icons


Right on schedule, Apple has released the sixth preview of the upcoming OS X Yosemite to developers today. This new seed comes two weeks following the previous release, and it likely continues to bring performance enhancements, interface tweaks, and bug fixes. We’ll be updating this post with the changes in Preview 6 as they are discovered. If you find something new, you can let us know at tips@9to5mac.com. The release version of Yosemite is currently scheduled for the latter half of October, and it will ship separately from iOS 8, which is not seeing a new beta today. Here’s what’s new:
