icloud
Latest
Feedback Loop: Online security, the Note Edge, fitness trackers and more!
Happy Saturday, and welcome to another edition of Feedback Loop! With all the talk of online data breaches this week, we're discussing ways to better protect your data stored in the cloud. After you're done auditing your passwords, let us know what you think of Samsung's new curved Galaxy Note Edge and find out how much fitness trackers are helping your fellow readers. Make yourself comfy and join us after the break for some in-depth tech talk.
Apple extending two-factor authentication to iCloud, adding new security alerts
In an interview with the Wall Street Journal, Apple CEO Tim Cook confirmed the company was taking additional steps to increase the security of iCloud accounts following the theft of private celebrity photos. These new measures will add new security alerts for account changes, expand the current two-factor authentication system to include iCloud and raise awareness about securing individual accounts. "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing." The new notification system will go into effect in the next few weeks and will alert users via email or push notification when an account password change is requested, when iCloud data is restored to a new device and when a device logs into an account for the first time. Each alert will be actionable, allowing the user to notify Apple's security team of a breach or regain control of their account by changing the password. Tim Cook also confirmed Apple will expand two-factor authentication in its next version of iOS that is slate for release this fall. Besides securing an iTunes account, iOS 8 also will support two-factor authentication for mobile iCloud accounts. This security system requires a person to have two factors to login into an account. A user must have the password to the account and either a unique one-time-use code or an access key provided by the service when the user first opened the account.
Tim Cook says new security alerts for Apple's iCloud are coming soon
Although Apple's initial response to a recent release of stolen celebrity photos stated that its iCloud and Find My iPhone systems had not been breached, now CEO Tim Cook is talking about how to beef up its security. In an interview with the Wall Street Journal, Cook said that several changes are coming very soon, with email and push notifications to alert users any time someone tries to change their iCloud password, restore data to a new device or add a new device to an account. When the notifications pop up, users can respond by changing their password or alerting Apple to a possible breach. Those changes are due in two weeks, however Cook reaffirmed that criminals gained access to victim's accounts by using phishing scams to get their IDs and passwords, or answering their security questions. In response, Apple is also going to start pushing two-factor authentication harder (which currently does not cover access to iCloud from a mobile device, but will after the release of iOS 8), and Cook said its aim will be to increase "awareness" of hackers, and using security measures like strong passwords -- we'll see if there are any other security changes revealed during next week's new iPhone event.
Menote is yet another diary app
Your iPhone or iPad can make remarkably handy devices to chronicle your life with. Diary and note taking apps can make the process easier and perhaps even fun. But not all diary apps are equal. Menote is YADA-Yet Another Diary App. It's free, relatively good looking, but awkward to use and has limited features. Menote requires iOS 7.0 or later and is compatible with iPhone, iPad, and iPod touch. The app is free with In-app purchase for premium features for $2.99. I am a strong advocate of keeping a journal or diary. It's a very useful exercise, and not just for writers. I have the 100 year old line-a-day journal that one of my great uncles kept and it's a fascinating piece of family history. I keep my own on my desk and write in it every day. There are lots of options for keeping a diary using iOS devices, including the built-in Notes app. You can use heavy-duty apps like Evernote, or purpose-built diary apps like the award-winning Day One. The promise of these apps it to make it easier to keep a diary because your device is with you and you can also capture images, location information, and more. As I gave Menote a trial run I found that it didn't offer special features or a significantly different or better experience than using other apps. In fact there were more than a few frustrations with using Menote. The app looks nice on the iPhone, but on the iPad it's just blown up for the bigger screen. That's disappointing. The app doesn't allow a switch to landscape in the main view and when creating or editing an entry and you switch to landscape the app removes the menus and controls. You are required to turn your device back to portrait orientation to save, add pics, or return to the main view. Syncing in Menote is not automatic or easy. I created an entry, with photos, using my iPhone and then checked my iPad. Nothing there. I opened and closed both apps repeatedly and eventually the entry sync'd over. There is an option for manual syncing and it's more reliable, but that's a poor substitute for reliable automatic syncing. On top of all that I am also not sure just how "free" the app is. Menote uses proprietary storage, limited to 50 MB. You'll need to purchase the premium option at $2.99 to gain an extra 1 GB. I am uncertain how many entries and photos the initial 50 MB represents. Purchasing the premium features will gain you that 1 GB extra storage, password protection for individual notes, notifications, and a night mode theme. I did not test the premium features. If you are committed to keeping a diary or journal I'd recommend Day One. The app is $4.99 for the iOS app and $9.99 for the Mac OS app. I find it to be really well thought out apps for both iOS and Mac. Day One also syncs with iCloud, not proprietary storage. Menote might be worth a try if you don't require a Mac version and use only a single iOS device and you're looking for a free option.
The only way to make your iCloud security questions actually secure
The recent leak of nude photographs from some of America's biggest female celebrities has drawn attention to the security of Apple's iCloud. If there's one takeaway from this incident, other than people who share the private photos of other are scum, it's that sometimes it's the simplest things that betray our security. In this case, it was security questions. According to Apple these leaks weren't caused through complicated computer hacking; instead, they were brought about through conventional (security question/username) password reset methods. All someone needs is your Apple ID (often an easily guessed common email) and some personal information. When you tell iCloud that you forgot your password it offers the option to use security questions to get the information. Once you enter your Apple ID it will ask for your birthday. Depending on your privacy settings on Facebook, anyone could have that. That's all someone needs to gain access to your security questions. Obviously Apple should probably fix how easy this process is, but in the meantime there is a surefire way to keep your security question answers secure -- lie, lie, lie. Lie in the answers to your security questions to make them unguessable. Here are some examples. What was your first job? WillieNelsonDrugDealer4242 What was the first concert you went to? 777BuTTsAreFunny What was the name of your first pet? 5GrandMasOldSocks5 Trust us. Lie in your security code questions. We understand why these questions exist, to aid people with crummy memory who often forget their passwords. For those of you who cannot keep track of your password, consider writing down the answer to security code question on a piece of paper and storing it in your home. Sure, someone might find it, but they'll just assume it's your normal password. No one assumes you've written down your security questions. You can also use password-secured apps like 1Password to store those made-up answers to your security questions instead of writing them down. Until Apple finally introduces two-step verification for iCloud accounts this is the best way to be secure. It is also the silliest security measure we will ever recommend. We're in good company with this opinion, as shown by this xkcd comic. What's your security code answer? Let us know in the comments if you missed the point of this article.
Engadget Daily: The deal with Twitch.tv, iCloud celebrity photo leak and more!
Today, we dive into the world of Twitch.tv, learn why many new apps are rejected from the App Store, check out a bling-tastic Galaxy Gear S, investigate the iCloud celebrity photo leak and more! Read on for Engadget's news highlights from the last 24 hours.
Apple: Celebrity photo breach not due to iCloud or Find my iPhone issues
Apple has just released a press statement updating its investigation into the weekend breach of celebrity photos. As noted in the press release, the company says that none of the cases investigated were the result of any breach of Apple's systems including iCloud and Find my iPhone. Apple believes that it was a "very targeted attack on user names, passwords and security questions" that caused the breach -- essentially saying that it's most likely a social engineering attack that made the photos vulnerable to being exposed to the public. Apple reiterates that using a strong password and two-step verification can help protect against this type of attack. Show full PR text Apple Media Advisory Update to Celebrity Photo Investigation We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Apple says iCloud wasn't breached in celebrity photo leak
It wasn't long at all after personal and explicit photos of some 100 celebrities started making the rounds when people started attributing the leak to a breach of Apple's iCloud storage system. After a nearly two day long investigation, Apple has released a statement to try and clear things up -- to hear the folks in Cupertino tell it, the incident was a "very targeted attack on user names, passwords and security questions" in which some celebrity accounts were "compromised" and that none of its systems were breached in the process. In other words, we may not be looking at a savvy hack exploiting a Find my iPhone security flaw so much as some very dedicated account brute-forcing and phishing. Of course, that's not to say that the pictures in question (well, the ones that weren't taken with Android devices anyway) didn't come from iCloud, just that hackers apparently didn't directly crack the sanctity of Apple's services. The exact vector of entry remains unknown right now, but AnonIB, one of the 4chan-esque imageboards that appears to be involved in the proliferation of this mess, seems to have no shortage of people who were ready and willing to "rip" iCloud accounts in exchange for the right sort of loot. Of course, one has to wonder about the role semantics plays in all this -- while Apple's systems may not have been technically "breached", they may still have been cajoled into giving up user credentials with tools like the now defunct ibrute. In any case, you can check out the full statement after the jump for yourself.
Think iCloud's two-factor authentication protects your privacy? It doesn't
As the forensic analysis of the weekend's celebrity intimate photo leak continues, plenty of attention is being focused on iCloud's photo storage as a likely vector for the criminal theft of the images. Proof of concept code for a brute-force attack on iCloud passwords (via the Find My iPhone API) was revealed late last week, and subsequently blocked off by Apple in a fix to the FMI service. Update 2:53 pm ET 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods. Of course, there are plenty of other ways to break into an account, including using easily-discoverable personal information to socially engineer tech support reps and get a password reset done on the fly. To combat this and other bad behaviors, Apple (along with other online giants like Google, Dropbox etc.) has built out an optional two-factor authentication scheme (2FA) for iCloud. Simply turn it on, register your iOS devices, and you'll be shielded from hacks and phishing attempts. Unfortunately, Apple's 2FA protection doesn't go as far as you might think. I noticed yesterday that our friend and former colleague Christina Warren's post at Mashable gave extra credit to 2FA: If [two-factor auth is] enabled, this means that before a new computer or device can gain access to your iCloud data, you must approve that device with a four-digit authentication code (sent to your phone via SMS) or grant access from another enabled machine. It's true that if you want to register a new "trusted" iOS device, you'll need 2FA. If you're not doing that, however, 2FA on iCloud is only triggered by a short list of interactions: getting Apple ID support from Apple; signing into the My Apple ID management console; or making an iTunes, App Store or iBooks purchase from a new device. [Update: At the end of June 2014, several outlets including Mashable, Cult of Mac and, well, TUAW all reiterated this AppleInsider report about iCloud.com testing 2FA challenges for webmail, calendar, contacts and other services. As you can easily confirm yourself by walking over to the nearest unfamiliar computer and logging into iCloud.com, this security feature has not been rolled out to all iCloud users as of September 2014.] If you're not doing one of these specific things, you are not required to enter the confirmation code from your known device to clear 2FA. It's pretty clear that Apple's doing its best to guard your wallet with this implementation -- anything that might cause a credit card charge via an unfamiliar iOS device is going to force you to authenticate. Other than that, 2FA doesn't get involved in guarding your privacy as far as I can tell. [Both security research firm Elcomsoft and the estimable Ars Technica made a similar set of points about iCloud/Apple ID 2FA back in 2013. --MR] I made a slightly narrower assumption (in response to a Next Web commenter) in my post yesterday about the photo theft: In theory, [adding an iCloud account to a new Mac or PC] should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert. It turns out that I was also being more generous than wise in assuming that iCloud would proactively send an email alert when photos or bookmarks were synced to an unknown computer. I decided to test that assumption, using a fresh (spun up and installed from scratch) Windows 8 virtual machine running on Parallels 10. After installing the iCloud Control Panel for Windows (as seen above), I logged in with my iCloud credentials and checked off the options to synchronize bookmarks and photos with my new, never-before-seen PC. Within a few minutes, my photo stream photos downloaded neatly into the appropriate folders and my bookmarks showed up in my Windows-side browser, and nary a 2FA alert to be seen. I turned to my iCloud email account to wait for the obligatory "Your account was accessed from a new computer" courtesy alert... which never arrived. A moment's consideration of the consequences of having either your iCloud Photo Stream or your Safari bookmarks available to anyone who has uncovered your iCloud password should be enough to realize that this is a strange and potentially troubling omission from iCloud's security and notification regimen. Sure, it would be aggravating to get an email notification every time you access iCloud webmail from a new computer (although there should be some fraud catching algorithm in place to note that I'm probably not logging in simultaneously in New York and New Caledonia, for instance); but the act of adding a new computer to sync photos and bookmarks should be relatively infrequent and almost certainly merits a quick heads-up to the user. If indeed the iCloud photo stream was the hack vector for this high-profile series of thefts, the lack of any alert when a new computer syncs with Photo Stream might have made it a lot easier for the criminals to operate undetected for so long.
Apple, FBI investigating possible iCloud celebrity photo theft
Both the FBI and Apple are investigating the theft of private celebrity photos in an intrusion that may have used iCloud to gain access to the images. As reported by The Telegraph, FBI spokesperson Laura Eimiller confirmed the government agency's activation investigation into the theft. "[The FBI is] aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter. Any further comment would be inappropriate at this time." This statement follows an earlier statement from Apple that it "takes user privacy very seriously and is actively investigating the report." The hacker who leaked the photos on 4chan's image boards claimed he used iCloud to download the images. Subsequent analysis of photo exif data and other information have not definitely identified iCloud as the source of the photos.
iCloud password hack published, blocked as celebrity photo theft confirmed [Updated: Apple comment]
If you've been enjoying the US holiday weekend away from sources of news, well done. If not, you may well have seen reports of a large cache of explicit photos of celebrities being published to 4chan's image boards, including Academy Award winner Jennifer Lawrence, supermodel Kate Upton and other female and male actors. The publisher apparently was seeking Bitcoin contributions in exchange for the images. While several of the people pictured in the image cache have called the images fakes, others have acknowledged that the photos of them were unaltered. Update 9/2: Apple has released a statement confirming that the company's investigation found no evidence that any of its services were compromised; the accounts affected were attacked using conventional (security question/username) password reset methods. Update 2:35 pm ET: Over at The Guardian, tech reporter Charles Arthur summarizes the current thinking about the image release from security researchers. Some are surmising that these images were gathered over months or years (the earliest timestamps are from 2011, the most recent from last month) and then the repository itself was hacked or stolen. iCloud is still under scrutiny as a vector for gaining access to private images. Update 6:50 pm ET: Re/code has a statement from Apple on the story; spokesperson Natalie Kerris says the company takes user privacy very seriously and is actively investigating. Early reports noted the alleged hacker's assertion that an iCloud exploit was used to gain access to the target accounts and harvest the images. That has not been confirmed in any way (security researchers are eyeing several other services including Dropbox as potential attack vectors), but both The Next Web and our own former contributor Richard Gaywood took note of the release this weekend of an iCloud password crack tool that could, theoretically, have been used to attack specific iCloud accounts. Our sister site Engadget has a good overview of how the attack would have worked. The "ibrute" tool leveraged a security oversight -- a lack of brute-force protection -- within Apple's Find My iPhone tool. After the code was in the wild for a couple of days, Apple apparently patched the flaw, so the code is now only a proof of concept demonstration. The core functionality was pretty simple: given a target iCloud account ID, ibrute would simply run through a list of the 500 most commonly used passwords that complied with Apple's password rules (sourced from the infamous RockYou hack that revealed millions of real-world passwords) and try to nail down the password for the account. Since the Find My iPhone API did not throttle or lock out after a certain number of guesses in a given time period, it was possible to "brute force" passwords without tripping any security alarms. This lockout is where Apple has now changed things; trying random passwords via the Find My iPhone API will now lock your account after five attempts. One Next Web commenter pointed out that just having the iCloud password doesn't necessarily mean you have instant access to iCloud's Photo Stream; you would still need to log in via an iOS device, via iPhoto on a Mac or the iCloud control panel on a Windows PC. In theory, that should trigger a notification email to the account owner that a new device is connected -- but of course, if the hacker has the victim's account password, they've also got access to the iCloud email and could quickly delete the inbound email alert. [Update 9/2: Thinking that iCloud would send an email was over-optimistic; see here.] Apple's two-factor authentication setting for iCloud does require entering a security code for certain kinds of account actions, but it's not clear that "accessing Photo Stream photos from a new PC" is one of the triggers. (I'm testing this now.) [Test and documentation show it's not one of the triggers.] As our friend Christina Warren noted in her solid summary of iCloud security over at Mashable, we don't know at this stage whether or not iCloud is implicated as a vector for this most public hack; that said, there are steps you can take today (complex, longer passwords; avoiding password reuse; 2-factor auth; turning off iCloud backup for photos if they are sensitive or compromising) which will provide you better security and more peace of mind regardless.
Apple's now storing some personal user data in China
It's no secret that the relationship between Apple and China hasn't always been the best. From the banning of its products for government use, to the Chinese state media wanting the Cupertino company "severely punished" for NSA spying, these cases are well-documented. That said, China's consumer market is extremely important to Apple -- which isn't really surprising, given the sheer magnitude of it. But now, with a number of new iDevices hitting shelves there of late, Apple's had to look to servers located in mainland China to store Chinese users' personal data. As Reuters notes, this is the first time the company has begun storing this type of data in that country -- Apple says the decision was made as part of a plan to improve the overall performance of its cloud service, iCloud.
Apple's new online content network should deliver your files faster
If you're an iOS or Mac user, your downloads and streams are going to improve in the near future -- if they haven't already. Apple has quietly switched on its own content delivery network (CDN), letting it deliver files directly instead of leaning on services from Akamai and Level 3. The change gives the folks in Cupertino a ton of headroom, according to Frost & Sullivan analyst Dan Rayburn. In addition to offering "multiple terabits per second" of bandwidth, Apple has clearly struck Netflix-like connection deals that link it directly to internet providers. If all goes well, you should get speedy app updates and media streams even when the internet is extra-busy.
Here's a fix for disappearing contacts in iOS 7.1.2
Here's a tip from iMore's Ally Kazmucha for users who are suffering from disappearing or improperly syncing iCloud contacts once they've upgraded to iOS 7.1.2. It turns out the issue isn't with iCloud, it's with a new default in iOS 7.1.2. The update causes your iOS device to switch your contacts back to the On My iPhone group. To fix the issue, simply switch your contacts group back to iCloud in settings. 1. Go to the Settings app. 2. Go to Mail, Contacts, Calendars, and scroll to the bottom. 3. Select Contacts. 4. Click on Default Account. 5. Finally, select "iCloud" instead of "On my iPhone." Kazmucha has also written up a tutorial on how to weed out disappearing contacts from your phone. To read that head over to iMore.
The TUAW Daily Update Podcast for July 16, 2014
It's the TUAW Daily Update, your source for Apple news in a convenient audio format. You'll get some the top Apple stories of the day in three to five minutes for a quick review of what's happening in the Apple world. You can listen to today's Apple stories by clicking the player at the top of the page. Be sure that your podcast software is set up to subscribe to the new feed in the iTunes Store here.
Apple starts encrypting iCloud emails
There's good news for privacy-minded Mac users; Apple has improved the quality of iCloud's email security. All emails sent or received via iCloud email is now encrypted, even when sent to a third-party email service. Previously only emails sent between iCloud users was encrypted by Apple. While the company hasn't announced the changes, you can the evidence on Google's transparency report website. Transparency Report shows what percentage of emails sent between Gmail and other providers are encrypted in transit. We'll keep you updated if Apple releases a statement about the changes.
Apple testing two-step verification on iCloud site, apps
Update 9/2/2104: It looks like this test never made it to full release, as iCloud users are still not prompted to authenticate with 2FA when logging into iCloud.com. With all the security risks populating the world, two-step verification is the strong standard to have for information safety. Apple brought the process to your Apple ID last year, now iCloud and its associated apps are getting it as well. With a two-step verification users must enter a code that is sent to their device after you enter your password. This current wave of two-step verification hasn't hit all users just yet -- as noticed by the folks at AppleInsider this morning, some users aren't seeing the prompt when they login to their iCloud accounts. You'll be able to tell if the two-step verification has been activated on your iCloud account the moment you login, as your web apps will all be greyed-out with a lock over them. Once the verification process is completed all of the apps will be accessible. There's one exception to the greyed-out apps; Find My Phone. Given that it's possible you may have lost the trusted device Apple would be sending your verification code to, that was a wise move on Apple's part. If you login to iCloud today and nothing has changed, don't worry. You can expect to see the added layer of security hitting your setup sometime in the near future.
iWork for iCloud now picks up exactly where you left off
Web-based apps are supposed to let you easily hop between devices without missing a beat, but that hasn't been the case with iWork for iCloud -- you've had to tweak settings and otherwise break your flow. The experience should be much smoother after today, though. Apple has updated the online versions of Keynote, Numbers and Pages so that they remember your settings, such as the last page you were on and the zoom level. You won't have to spend a few minutes getting everything just so simply because you've moved to your laptop, in other words. Although it's a seemingly small change, it could matter a lot if you'd rather get things done instead of getting fussy.
Apple announces iCloud Drive
Apple has announced the next evolution for iCloud, called iCloud Drive, at the WWDC 2014 keynote. The service will work similarly to Dropbox. You'll be able to quickly pull up your files from across your iCloud directly in your Finder folders. This includes any iCloud apps and files you might have on your iOS device but not your computer, like SketchBook Pro. This promises to link iCloud, iOS, and OS X together in one neat place. Interestingly Apple, is also offering support for Windows along with OS X and iOS. For iPhone fans who are still latched onto Microsoft this feature will be a blessing.
Apple takes on Dropbox with iCloud Drive
Apple's slowly improved iCloud since it transitioned from MobileMe, but this year, it's getting a serious upgrade. On stage at WWDC 2104, Apple's SVP of Software Craig Federighi introduced us to a better way to manage files with the new iCloud Drive. With Drive, all of your iCloud files are available right inside Finder, letting you access documents and media wherever you are on your Mac. Because they're on iCloud, they're automatically auto-synced across devices and are fully searchable and taggable. You will, of course, need OS X Yosemite to take advantage of Finder support, but Apple hopes you'll ditch Dropbox's and Google's services in favor of Drive's deep OS support. As expected, iOS 8 will also include iCloud Drive functionality, letting you to work with a single version of a document on all of your devices (which surprisingly includes Windows machines).
