By now, you and pretty much everybody else on planet Earth have heard about the Great Naked Celebrity Photo Leak 2014. Mainstream media has been buzzing away about yet another nefarious scoundrel hacker breaking into female celebrities’ iCloud personal accounts, stealing nude photos and posting them on the web (seriously, what gives these guys the right? Perverts!).
The revealing images, which purportedly include actress Jennifer Lawrence, singer Rihanna, selfie extraordinaire Kim Kardashian, model Kate Upton, plus a whole host of other celebs, were posted on the forum 4chan before spreading with the ferocity of a bush fire over social media networks.
But how did the hacker gain access to such personal images? Well, let’s rule out the initial reports that suggested iCloud itself sustained a large security attack, as the service is 128-bit encrypted in both directions of delivery. As Jeff Dodd, CEO of cloud-based managed IT services provider entrustIT Europe, said to me: “This seems like a weird one to me; I can’t see any way for it to have been a breach of security at iCloud because the sheer logistics of locating individual celebs in a whole mass of data more or less works against you. That implies that whoever stole the data logged in as those celebs and then downloaded their pics.”
Apple itself stated in a press release that no such breach was made of its systems: “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
So how did the hacker do it? Well, unlike other recent celebrity hacks such as the 2012 Scarlett Johansson rude piccie leak, this breach appears different in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the accounts, the attacker basically knocked down the front door. Apple didn’t find out until the attack was over. Oops!
The original hack, it would seem, was done by “chaining” between accounts: by gaining access to one person’s account, the hacker could access their address book and use that to attack others.
While an unusual, long, convoluted password may have prevented the attack, it seems unlikely that even Apple’s two-factor authentication, which according to reports the tech giant is broadening to avoid future intrusion, would have helped. On Friday [5 September] Apple announced that tools will be put in place for legitimate users of accounts to seize back control. The company’s Chief Exec Tim Cook was quoted as saying that Apple also wants to make people savvier when it comes to guarding against hackers with strong passwords and other techniques.
“When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece,” Cook was quoted as saying.
Brute Force Attack
The signs are that it was a brute force attack: a posting on the online code-sharing site GitHub said a user had discovered a bug in Apple’s Find My iPhone service, which tracks the location of a missing phone and allows a user to disable the phone remotely if it is stolen. The bug allowed a hacker to keep trying passwords until identifying the right one.
Most online services lock down an account after multiple incorrect password attempts to prevent this type of attack, and it would seem Apple haven’t rested on their laurels, as the GitHub post was updated on Monday to read: “The end of fun, Apple have just patched.”
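The lockout described above only works if every login interface feeds the same failure counter. The sketch below is an added example, not Apple's code or anything from the GitHub post: the class name, endpoint names and thresholds are assumptions, and the events are constructed. It replays one sequence of attempts against a shared counter and against a weaker per-interface counter.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed policy values, not Apple's
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900

class LoginThrottle:
    """Counts failed logins in a sliding window and locks the account.
    per_endpoint=True models the weak design, where each interface keeps
    its own counter; the default shares one counter across all of them."""

    def __init__(self, per_endpoint=False):
        self.per_endpoint = per_endpoint
        self._failures = defaultdict(deque)  # key -> failure timestamps
        self._locked_until = {}              # key -> unlock time

    def attempt(self, account, endpoint, success, now):
        account = account.strip().lower()    # one counter per real account
        key = (account, endpoint) if self.per_endpoint else account
        if self._locked_until.get(key, 0) > now:
            return "locked"                  # refused even if the password is right
        if success:
            self._failures.pop(key, None)
            return "ok"
        window = self._failures[key]
        window.append(now)
        while window[0] <= now - WINDOW_SECONDS:
            window.popleft()                 # forget failures outside the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS
        return "failed"

# Constructed events: (seconds, account, endpoint, password_correct)
SAMPLE = [(0, "User@example.com", "web_login", False),
          (10, "user@example.com", "web_login", False),
          (20, "user@example.com", "web_login", False),
          (30, "user@example.com", "device_api", False),
          (40, "user@example.com", "device_api", False),
          (50, "user@example.com", "device_api", True),
          (941, "user@example.com", "web_login", True)]

def replay(events, per_endpoint=False):
    throttle = LoginThrottle(per_endpoint)
    return [throttle.attempt(a, e, ok, t) for t, a, e, ok in events]

if __name__ == "__main__":
    print("shared counter:      ", replay(SAMPLE))
    print("per-endpoint counter:", replay(SAMPLE, per_endpoint=True))
```

With the shared counter the fifth failure locks the account, so the sixth attempt is refused; with per-interface counters the same sequence never reaches the threshold on either interface.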
Jeff told me that if it was a brute force attack, “then it emphasises how important it is to look after your online passwords because half of your authentication (your email address) is probably public domain already. If you’re using the same password for more than one service then that’s like Russian roulette with two chambers loaded. The third chamber would be letting other people know your password too.”
Jeff added: “Although I don’t frequent such exalted circles myself, these celebs generally have an entourage and limited privacy. I imagine that access to their online accounts isn’t as secret as they’d hope or like. In those circumstances the only solution is incredible care about what you upload to the cloud because being brutally honest, a celeb’s personal life has value and criminals are dedicated.”
What’s worrying about this whole pervy debacle is that security in the cloud is again making headlines. This breach, no matter who is to blame, ultimately still alerts businesses to the risk of cloud storage, but this unfortunate opportunity should, in my opinion, be used to highlight areas where improvements can be made and cloud security awareness can be heightened. Plus, despite the negativity there are now more opportunities than ever for channel partners who specialise in cloud security to move in and toughen up security, particularly on previously ‘trusted’ platforms.