Tag Archives: email

Naked celebrities revealed by “iCloud hack”

I was young and I really wanted the job.

I was young and I needed the money!

We awoke this morning to the entirely unnecessary sight of the personal photos of several celebrities; the pictures range from the fully clothed “mirror selfie” to the far more explicit. Victims include Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice. For obvious reasons, clicking on links to “naked celebrity” photos, or opening email attachments, would be a *very* bad idea right now; expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board, where the author is claiming to have much more photographic and even video material, stolen from iCloud accounts and for sale to the highest bidder. Of course the release of the photos has also prompted a rash of fake images, but the reality of many of these images, confirmed in some cases by the victims’ agents, poses an uncomfortable question for anyone using iCloud and indeed anyone who has anything they would rather keep private… Is my cloud storage safe?

A wide-scale “hack” of Apple’s iCloud is unlikely; even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material make this seem far more targeted. So how could it have happened?

1 – (Least likely) All the celebrities affected had weak, easy-to-guess passwords. The hacker simply worked them out and logged in.

2 – If the attacker already knew the email address which the victim is using for iCloud, then they could have used the “I forgot my password” link, assuming that the victim had not enabled two-factor authentication for iCloud. Without two-factor authentication, the password reset uses the traditional “security question” method. The peril in this for celebrities is that much of their personal information is already online, and a security question such as “Name of my first pet” may be a lot less “secret” for a celebrity than it is for you and me.

3 – The attacker broke into another connected account with weaker security or password, perhaps a webmail account that is used to receive password reset emails sent by iCloud.

4 – Password reuse. Too many people are happy to reuse the same password across multiple services. With so many people affected by recent high-profile mega-breaches, simple lookup services for stolen credentials and the number of details for sale online have skyrocketed, while at the same time the price of stolen data has tumbled, through oversupply. Of course, if the victim is using the same password for iCloud as for another, already compromised or easily compromised, service, the doors to iCloud are opened.

5 – Phishing. It’s old school but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials into a fake login page, would do the job just as well as any more complex hack.

What are the lessons here for all of us?

If any online service is offering you options that increase your security, enable them. Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I’m willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. It is never a good idea to use the same password across multiple web sites, so try to have a unique one for every site you use or, better yet, use a password manager, which offers you the convenience of only having to remember a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure. Secure means that you are the only person who can answer the question. If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions such as “First school” or “First pet”, remember the answer doesn’t have to be the truth; it only has to be something you can remember.

Deleted may not always mean deleted, as some of these victims are discovering. Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case it seems that some of the victims may have believed that deleting the photos from their phones was enough, perhaps forgetting about Apple’s Photo Stream.

Oh, and the other thing: stop taking naked photos.

GCHQ – General Chit-chat, Hazy Questions?

Photo by Jenny Mealing (jennifrog) used under Creative Commons.

Yesterday’s questioning of intelligence chiefs by Members of Parliament is a first in British history. The momentous occasion was preceded by anticipation that the three big authorities, MI5, MI6 and GCHQ, would offer an open and transparent account of the extent of their surveillance operations, in particular GCHQ. While mass data collection by the UK security agencies has been suspected, or in a few cases disclosed, for some time, I was struck by how little new information was actually shared and by the disappointingly weak line of questioning. One important area, for example, which wasn’t clarified at all was how the practice of sifting through who is a ‘threat’ and who isn’t is qualified; neither was the deliberate and systematic undermining of international cryptographic standards. The responses in the areas of “mass data collection” even appeared to give the lie to earlier assurances that only metadata was collected and that content never was, yet that area was never explored. This assurance has now given way to a somewhat disingenuous assurance that “the people who work in GCHQ” would simply not look at the content, unless sufficient justification exists. In fact, they would “leave the building” if they were asked to “snoop”… Maybe part of the obvious disconnect is that those earlier assurances came from politicians themselves rather than the intelligence community.

For any commercial entity, the Data Protection Act regulates and governs processing of personal information. Intelligence agencies and law enforcement, of course, benefit from a number of exceptions from those same rules, so it has been left unclear who in the back rooms is looking out for the interests of the general public. A vague personal assurance that data belonging to “non-threats” are not viewed, and that candidates for GCHQ would not be employed if they were the sort to be tempted to do so, is not the same as a binding contract within a legal framework. Besides, somebody must have trusted Edward Snowden in a similar way at some point…

Speaking of Snowden, it would have also been helpful for some questions to have been asked to shed light on the relationships between GCHQ and foreign intelligence agencies; do they accept requests from other nations to surrender their data to UK citizens? A recent report on mass surveillance of personal data that came to light on the same day as the inquiry shows that NSA sent millions of records every day from internal networks to data warehouses at the agency’s headquarters. The US National Security Agency (NSA) is clearly working in collaboration with GCHQ; just how much is UK law helping the NSA to circumvent US law and vice versa, and what is the relationship here? Just for example, how does a contractor in the US, to US intelligence services, end up with access to so much highly damaging sensitive information about British spy agencies?

It will be very interesting to see how the requirements of the security agencies, which were voiced in the February 2013 response to the Draft Communications Data Bill (Intelligence Committee response, “Access to communications data by the intelligence and security Agencies” (PDF)), influence the next draft of that same bill. The somewhat chilling conclusion of that Intelligence Committee response includes the statement that:

“Any move to introduce judicial oversight of the authorisation process could have a significant impact on the Agencies’ operational work. It would also carry a financial cost. We are not convinced that such a move is justified in relation to the Agencies, and believe that retrospective review by the Interception of Communications Commissioner, who provides quasi-judicial oversight, is a sufficient safeguard.”

Of course there will be further sessions, both in camera and, hopefully, more public questioning. While it is clear that, in the interests of national security, many aspects of surveillance programmes cannot and should not be revealed, the level of public trust in the very people that have been charged with protecting our liberty is at such a low that only unprecedented steps stand any chance of restoring our faith.

It seems we truly do live in Interesting Times, which is, more often than not, a curse.

How do I keep the Spooks out of my inbox?

image courtesy of khrawlings under creative commons

Note: The answer to this question is FREE and it’s at the end of this post.

Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit; it’s effectively a personal cryptographic certification of the content and attributes of the mail. If the “From:” address is re-written, for example when a signed mail is sent to a distribution list and then forwarded on to each of the members of the list with a new “From:” address (usually the address of the list), then the contents will have been modified and the signature will no longer match. The same is true of any content within the mail: if it is intercepted and modified in transit, then the end-user should receive a warning that the signature no longer matches. In a post-PRISM world, though, more people are beginning to pay attention to how they can secure their email communication completely from prying eyes. Simply signing will not achieve this, as mails that are not encrypted, merely “certified”, are still sent in the clear. Full-blown mail encryption is the answer, as Edward Snowden asserted in his recent Q&A: “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on”.
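The signed-but-not-encrypted behaviour described above, as an added example that is not part of the original post: it uses the `openssl` command-line tool to S/MIME clear-sign a message, then shows that the body is still readable by anyone and that a modified copy no longer verifies. The identity `alice@example.test`, the throwaway self-signed certificate and the message text are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: S/MIME clear-signing with the openssl CLI.
# The identity (alice@example.test) and the message text are constructed.

make_identity() {        # $1 = work dir; throwaway self-signed certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice@example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_mail() {            # $1 = work dir; writes $1/signed.eml
    printf 'Meet at noon, usual place.\n' > "$1/body.txt"
    openssl smime -sign -text -in "$1/body.txt" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/signed.eml" 2>/dev/null
}

verify_mail() {          # $1 = mail file; exit status 0 only if signature matches
    # -noverify skips the certificate-chain check (the demo cert is
    # self-signed); the signature over the content is still checked.
    openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null
}

readable_in_transit() {  # $1 = mail file; 0 if the body is visible as plain text
    grep -q 'Meet at noon' "$1"
}

tamper() {               # $1 = original, $2 = modified copy
    sed 's/noon/midnight/' "$1" > "$2"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_identity "$dir" && sign_mail "$dir" || { rm -rf "$dir"; return 1; }
    tamper "$dir/signed.eml" "$dir/tampered.eml"
    verify_mail "$dir/signed.eml"         && echo "original: signature OK"
    readable_in_transit "$dir/signed.eml" && echo "original: body readable without any key"
    verify_mail "$dir/tampered.eml"       || echo "tampered: signature does NOT match"
    rm -rf "$dir"
}

demo
```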