
Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities; the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments, would be a *very* bad idea right now. Expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board, where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course, the release of the photos has also prompted a rash of fake images, but the reality of many of these images, confirmed in some cases by the victims’ agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide-scale “hack” of Apple’s iCloud is unlikely; even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material makes this seem far more targeted. So how could it have happened?

1 – (Least likely) All the celebrities affected had weak, easy-to-guess passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two-factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online, and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity than it is for you and me.

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled through oversupply. Of course, if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service, the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or better yet, use a Password Manager which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.
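How points 3 and 4 above chain together, and why the two lessons so far cut that chain, can be worked through with a small model. This is an added example, not part of the original post: the account names, passwords and the rule that two-factor authentication stops a takeover are constructed, simplifying assumptions.

```python
from collections import deque

# Constructed sample inventory (not real accounts). For each service we record
# its password, the mailbox that receives its password-reset mails, and whether
# two-factor authentication is switched on.
ACCOUNTS = {
    "forum":   {"password": "Fluffy2009",   "reset_mailbox": "webmail", "two_factor": False},
    "webmail": {"password": "Fluffy2009",   "reset_mailbox": None,      "two_factor": False},
    "cloud":   {"password": "x9$Tq!unique", "reset_mailbox": "webmail", "two_factor": False},
    "bank":    {"password": "k2#Lp@unique", "reset_mailbox": "webmail", "two_factor": True},
}

def exposed_accounts(accounts, breached):
    """Return {account: reason} for every account that falls once `breached` does."""
    exposed = {breached: "initial breach"}
    queue = deque([breached])
    while queue:
        current = queue.popleft()
        for name, acct in accounts.items():
            if name in exposed:
                continue
            if acct["two_factor"]:
                continue  # assumption: 2FA blocks both reused passwords and reset mails
            if acct["password"] == accounts[current]["password"]:
                reason = f"password reused from {current}"
            elif acct["reset_mailbox"] == current:
                reason = f"reset mail goes to {current}"
            else:
                continue
            exposed[name] = reason
            queue.append(name)  # a newly exposed account can expose others in turn
    return exposed

if __name__ == "__main__":
    for name, reason in exposed_accounts(ACCOUNTS, "forum").items():
        print(f"{name}: {reason}")
```

In this inventory a breach of the low-value forum account reaches the cloud storage through the shared webmail password; giving the webmail account a unique password or two-factor authentication leaves only the forum exposed.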

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth; it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh, and the other thing: stop taking naked photos.

China’s got Talent, but no email.

The Shanghai Daily today reports that “the internet mailbox” belonging to the official show “China’s Got Talent” (yes that nonsense gets everywhere) has been compromised.
 

Photo from Julien Lozelli's photostream on Flickr - Creative Commons


 
The mailbox contained (note the past tense) about 900 mails detailing the show’s running order, schedules, plans, contestant details and much more. These mails have now all been deleted and the tone of the article and the concern from Dragon TV certainly seem to suggest that there may not have been a backup in place.
 
As well as the show and contestant details, the biggest loss to Dragon TV is the production manual for the series, purchased from FremantleMedia. This document is reportedly worth around US$400,000. Show organisers are extremely worried that this information may have been stolen and will appear posted on public websites. They have requested domestic websites to delete the data should it appear; personally, I doubt the effectiveness of such a strategy.
 
For me the most shocking quote from the article is:

“The mailbox was for the use of the Dragon TV’s internal employees only so it had simple passwords for easy communication.”

So, an internet-facing, shared mailbox containing highly confidential information with simple passwords? Normally at this point in a blog article I suppose I would begin to point out things that could have been done to limit the possibilities of such an event. It seems almost too incredible that the aforementioned combination of circumstances should even occur, but here you go…
 
If information is sensitive, do not allow access to it from the internet.
 
If information is sensitive, do not store it in a shared mailbox; it is impossible to audit effectively.
 
Never use simple passwords, for any reason, ever.
 
If you have a document worth almost half a million dollars… Encrypt it.

Searching for news of Kanye West’s Death leads to malware

Demonstrating the speed with which they now capitalise on internet memes, criminals are using the strength of a prank/rumour to push malware.

Page 1 of the Google search results for "Kanye West Death"

 

A rumour started this morning that Kanye West had been killed in a “bizarre car accident”. The origin of this rumour has apparently been traced back to the 4chan message boards (although that blog posting appears now to have been removed from Mashable). It didn’t take very long at all for this to become the top trending topic on Twitter and also the top search on Google as worried fans searched for real confirmation.

 

It’s no surprise that in very short order we are already seeing poisoned search results being returned on page 1 of the results that could lead the unwary to trouble. Just because something didn’t happen doesn’t mean it won’t be abused for criminal purposes; be careful where you click.