Apple is now sending emails to users when they log in to iCloud.com. This is part of Apple’s latest security upgrades to iCloud, which Tim Cook announced late last week. In the interview, Cook said Apple planned to launch the feature within two weeks, but obviously it has been deployed much sooner. The notification is supposed to act as a warning for users, to detect account infiltrations as early as possible. Supposedly, these emails will only be sent once, the first time an account logs in to a particular device, so it shouldn’t spam your inbox with login notifications.
A YouGov survey of more than 1,000 American consumers commissioned by security company Tresorit found that just over a third of them have taken steps to beef up their online security in response to the iCloud hacks.
The most common response was to change passwords for stronger ones, with 13 percent creating different passwords for each online service and 6 percent enabling two-step verification …
Earlier this week, iOS users discovered that the App Store was experiencing some technical issues that caused every item for sale to become unavailable. Now, only two days later, the company’s status page indicates that the App Store on Mac and iOS, iBooks Store, and various iTunes services such as the music store and Radio, are all suffering from even more downtime.
According to the status page, the issues first cropped up around 4:30 PM and have persisted for about three hours so far. A notice on the page states that only “some users” are having difficulty accessing the store, but there’s no mention of exactly how many users could be impacted.
There are still many unknowns surrounding the leaked celebrity nudes. While Apple appears to have ruled out a theory that a Find My iPhone vulnerability allowed easy brute-force password attacks, some commentators are suggesting that the wording was sufficiently vague that this may indeed have been one route in. (Apple might be arguing that it’s not a breach if the correct password was required.)
But one thing does now appear clear: rather than a single hacker gaining wide access to iCloud, the photos were instead amassed over time by a number of different individuals likely using several different approaches. Phishing was doubtless one of them – some of the claimed emails from Apple are reasonably convincing to a non-techy person – but another was almost certainly to exploit one of the greatest weaknesses found in just about every online service, including iCloud: security questions.
[Update: Tim Cook has confirmed these were the two methods used] …
A forensics consultant and security researcher who analyzed metadata from leaked photos of Kate Upton said that the photos appear to have been obtained using software intended for use by law enforcement officials, reports Wired. The software, Elcomsoft Phone Password Breaker (EPPB), allows users to download a complete backup of all data on an iPhone once the iCloud ID and password have been obtained.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages …
Today, Apple has updated its official App Store Review Guidelines for developers to outline the requirements for iOS 8 applications that will make use of the new HealthKit, HomeKit, TestFlight, and Extensions services. Today’s update indicates that Apple is nearing the release of iOS 8, the next-generation mobile operating system for the iPhone, iPad, and iPod touch ahead of the September 9th Apple media event. Apple will provide developers with a golden master seed of iOS 8 on the day of the event, according to sources with knowledge of the plans. The review guidelines are a “living document” that lists reasons that App Store apps could be rejected. Below are the full lists for HealthKit, HomeKit, TestFlight, and Extensions, but here are some of the more significant points:
- “Apps using the HealthKit framework that store users’ health information in iCloud will be rejected.” This point should reduce fears of intruders being able to access a user’s health data, especially after the scandal surrounding the leak of celebrity photos potentially stored in iCloud.
- “Apps that share user data acquired via the HealthKit API with third parties without user consent will be rejected.”
- “Apps that provide diagnoses, treatment advice, or control hardware designed to diagnose or treat medical conditions that do not provide written regulatory approval upon request will be rejected.” This point is crucial in that this fine print allows Apple to work around the FDA’s regulatory guidelines for mobile health applications.
- “Apps must not use data gathered from the HomeKit APIs for advertising or other use-based data mining.” Same deal with HealthKit, as we noted earlier this week.
- There are also a number of third-party keyboard guidelines that will be critical for developers to follow.
In addition to those four new sections, Apple has also updated the guidelines to say that “if your app is plain creepy, it may not be accepted.” You can read all of the new bullet points below:
Apple has responded to this week’s hackings of celebrity iCloud accounts, which resulted in postings of private photographs. Here’s Apple’s statement in full:
CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Apple says that it conducted an investigation for more than 40 hours, and denies that iCloud or Find my iPhone was actually breached. Apple is presenting this as a very targeted username, password, and security questions hack on “certain celebrity accounts.” Apple recommends that users utilize the 2-step verification service for Apple IDs/iCloud. The company also says it is continuing to work with law enforcement on finding the hackers involved.
[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time.
The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
A plethora of reports are swirling around the internet that countless private celebrity photos have leaked (no, we’re not going to link you), and rumors, which are as of right now baseless, claim that someone found a vulnerability in Apple’s iCloud platform and exploited it to obtain the images. Among the celebrities reportedly involved are Jennifer Lawrence, Kate Upton, Avril Lavigne, Mary Elizabeth Winstead, Mary Kate Olsen, Hilary Duff, and many others.
Dropbox has today slashed its pricing and doubled the maximum storage space from 500GB to 1TB. Up until yesterday, you’d have been paying $500/year for 500GB; today you can pay just $120/year (or $99/year when paying annually) for a terabyte.
The new deal finally brings Dropbox into line with Google Drive and Microsoft OneDrive. Apple users may want to hold off for now, however, with Apple’s new iCloud pricing – which includes iCloud Drive – expected to be broadly similar …
Right on schedule, Apple has released the sixth preview of the upcoming OS X Yosemite to developers today. This new seed comes two weeks following the previous release, and it likely continues to bring performance enhancements, interface tweaks, and bug fixes. We’ll be updating this post with the changes in Preview 6 as they are discovered. If you find something new, you can let us know at email@example.com. The release version of Yosemite is currently scheduled for the latter half of October, and it will ship separately from iOS 8, which is not seeing a new beta today. Here’s what’s new: