Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!.

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities, the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments would be a *very* bad idea right now, expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images but the reality of many of these images, confirmed in some cases by the victim’s agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide scale “hack’ of Apple’s iCloud is unlikely, even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1- (Least likely) All the celebrities affected had weak, easy to guess, passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity that it is for you and I?

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled, through oversupply. Of course if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet” remember the answer doesn’t have to be the truth, it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh and the other thing stop taking naked photos.

Compromised Facebook accounts create scam events

Compromised Facebook accounts are being used in new ways to make sure that Spam reaches its intended audience.

As I was sitting working away at my computer, an event notification popped up on my screen that confused me.

OS Notification

This notification confused me for a number of reasons, firstly I was pretty sure I hadn’t accepted any invitation to knock-off designer goods events and secondly, on inspecting my calendar and inbox I could find no trace of the event in question.

While I was checking through my calendar, enabling and disabling feeds to try to track down the source, a second notification popped up, this time within Facebook, for the same event and all became clear.

The account of one of my old school friends had obviously been compromised and used to create a scam event, a new form of social media Spam. Of course I have notified my friend immediately and reported the scam event. Quite aside from the novel Spam delivery mechanism, evading traditional anti-spam and web filtering technologies, it got me to thinking about the future of information in the Internet of Everything.

The scam Facebook event, I do not recommend visiting any URLs in this image

The scam Facebook event, I do not recommend visiting any URLs in this image

 

IoE relies on a globally connected network of device and services, both consumers and businesses want to connect all of these information sources and we are already beginning to use the information generated to make automated decisions. For example apps such as IFTT (If This Then That) allow us to create smart rules combining discrete events and actions, “If someone tags me in a photo on Facebook, save a copy to my web storage” or “If the sun goes down, turn on the lights in my house”. This trend is set to continue and expand exponentially. With Gartner predicting 30 billion connected devices by 2020 and IDC predicting 212 billion the only thing we can really be sure of is that the growth of this interconnected ecosystem will be huge.

Attackers will continue to search for the weakest link. A compromise at any point in the chain of information will lead to amplified effects in unforeseen areas as devices, processes, people and services become increasingly both interconnected and autonomous. Complexity is the enemy of security, in the interconnected IoE, tracking down the source of misinformation and the point of compromise may become impossible for the average consumer of business.

Unless proper authentication of the integrity, provenance and validity of information can be designed into the processes, devices and decision-making of the future, we’re not just opening up a new attack vector, we’re opening up our lives, our enterprises and our homes.

It’s time to quarantine infected computers

Image credit: Roy Costello used under Creative Commons

Image credit: Roy Costello used under Creative Commons

Quarantine is a word derived from the the 17th century Venetian for 40 (quaranta). The purpose of quarantine is to separate and restrict the movement of otherwise healthy organisms who may have been exposed to disease, to see if they become ill. The 40 day period was designed to identify carriers of the Bubonic plague or Black Death, before they could go ashore and spread the contagion more widely.  Desperate times call for desperate measures, nevertheless the concept was widely adopted and remains with us to this day.

The word quarantine has been thoroughly misused by the well-meaning security industry, where known infected files or systems are moved to a protected area until they can be examined and cleaned-up. More accurately we should be calling this “isolation” as in most cases we already know the subject to be compromised or infected.  Nonetheless, this serves an equally important purpose of containing the spread of compromise and it’s consequences; abuse of compromised systems for sending Spam, theft of sensitive information and spread of infection just for example.
Continue reading