Don’t blame iCloud yet for hacked celebrity nudes
Over the Labor Day weekend, hackers leaked nude images of a number of celebrities including "Hunger Games" star Jennifer Lawrence. The images appear to have been acquired from Apple’s iCloud. So, iCloud is obviously insecure and everyone should stop using it—right?
Let's just cool our jets. Yes, iCloud appears to have played a role in at least some of the hacked nude celebrity images, but details are still too sketchy to start connecting dots that indict the entire Apple cloud storage service.
Apple has issued a statement confirming that certain celebrity iCloud accounts were compromised but notes, "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
Boris Gorin, head of security engineering at FireLayers, thinks we shouldn’t be throwing stones at iCloud. “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan—making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.”
Gorin shared a theory that the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That's not a security flaw with iCloud, and having a strong or complex password wouldn't offer protection against transmitting that password in clear text on a public Wi-Fi network.
But all we have right now is speculation coupled with security experts and vendors crawling out of the woodwork to preach the same tired advice about complex passwords, password management tools, and two-factor authentication. Granted, all of those things have value and might play a role in providing better protection against getting hacked in general, but we have no idea whether any of those things played a part in this attack or could have helped prevent it.
Don’t get me wrong—I am sure there are security issues in iCloud that savvy attackers can exploit. But no one will be served if we don't take the time to understand what really happened so we can have a rational discussion of tools or techniques that would actually have helped prevent this breach.
Maybe iCloud is to blame. Maybe the celebrities used ridiculously simple passwords. Maybe the accounts were hacked because the victims logged in to sensitive accounts on a public network. Whatever happened, scapegoating iCloud will not solve anything or help avoid similar attacks in the future.
Ref: pcworld.com
Meet the police forensic tool pervs used to steal celebrity iCloud nude photos
Blame for the flood of celebrity nude photos that hit the Internet has been rotating from the pervy hackers that ripped the pics, to Apple, to the creator of iBrute, but while the FBI and Apple continue to investigate the source of the leak, there’s one tool that has gone unmentioned: the police forensic tool that made it all possible.
One of the key elements behind the iCloud nudes leak is a piece of software created by Elcomsoft that allows attackers to impersonate a target’s iPhone and download its entire iCloud backup, and you don’t even have to be a cop to get it.
After digging into the source of the leak, Wired reports that Elcomsoft Phone Password Breaker (EPPB) has become the tool of choice among AnonIB rippers – the 4chan offshoot that may have sourced the leaked nudes – who have honed the process of stealing iPhone pics down to a science. The Russian-based forensic firm Elcomsoft sells the software without proof of government credentials for $1399, but bootleg copies can be easily torrented for free.
Once an attacker has a user’s AppleID and password, EPPB can access all of the backup’s data “without the consent or knowledge of the device owner,” boasts the company’s website. Security experts pointed to Alexey Troshichev’s iBrute software tool as the culprit of the leaks, by giving attackers access to victims’ iCloud.com accounts. But by using Elcomsoft’s tool, attackers can download the entire iPhone backup as a single folder, giving them much more data (texts, videos, contacts, app data, etc.) than just Jennifer Lawrence’s naughty bits.
Female celebrities have been in the spotlight during the attack, and Apple has already denied that there was a “breach in any of Apple’s systems including iCloud or Find my iPhone” in the “very targeted attack,” but as Sam Biddle at Valleywag explains, every iCloud user is vulnerable to attack, whether you’re Kate Upton or a regular nobody:
“The idea that only celebrities are being targeted is horseshit. There are people out there ripping the iCloud accounts of ordinary people, right now… It’s absolutely not a “targeted attack”—it’s a casual free-for-all, taking advantage of Apple’s pathetic security system. And this is just one website on a very big internet.”
Biddle points to a group of AnonIB “iCloud rippers” who share stolen photos from girls who aren’t even famous. Anyone is open to being targeted as long as you’ve got their Apple ID and password, and plenty of veteran rippers are on-hand to help wanna-be hackers with any problems they run into along the way.
With the announcement of the iPhone 6 just seven days away, Apple certainly wants to squash the iCloud leak controversy as quickly as possible. For now the company isn’t admitting that iCloud is vulnerable to someone easily guessing your password via password recovery, but in the meantime we recommend turning on two-factor authentication for Apple ID.
Read more at http://www.cultofmac.com/293620/police-forensic-tool-made-iclouds-celebrity-nudes-leak-possible/#idc7cFYxqoZJ2sCp.99
How those nude photos were leaked (and why you should care)
What does the hack mean for your own cloud security? Here are all of your nude selfie-related questions answered.
A number of celebrities were targeted this week in an attack that exposed nude photos -- some said to be real, others fake -- stored in Apple iCloud accounts. Here's what we know and what it means about your own cloud security.
How were the celebrities' accounts hacked?
Celebrities whose iCloud photos were leaked fell victim as a result of targeted attacks, according to the latest reports and information released by Apple. This means the people who hacked into the accounts likely knew the email addresses associated with the celebrity accounts or they were able to answer security questions that granted them access to the accounts.
It's still unclear how the hackers might have known the answers to account security questions and obtained the usernames for the accounts.
What about that security hole?
It was thought hackers may have gained access to the iCloud accounts through a security hole in the online storage service's "Find My iPhone" feature which allowed them to conduct brute-force attacks. With a brute-force attack, hackers use a script to automatically try many different username and password combinations in rapid succession until the correct combination is guessed.
Apple patched this hole Tuesday morning and confirmed that this was not the method used by the hackers to log in to the celebrities' accounts.
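A defender-side illustration of the brute-force pattern described above, as an added example that is not from the original article or from Apple: it scans authentication log lines for bursts of failed logins against one account. The log format, endpoint names, accounts and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sample lines (not real data): timestamp endpoint account result."""
    t0 = datetime(2014, 8, 30, 10, 0, 0)
    lines = []
    # bob: 8 failures in 8 seconds, alternating between two hypothetical endpoints
    for i in range(8):
        ep = "/login" if i % 2 else "/device-locator"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} {ep} bob@example.com FAIL")
    # alice: two mistyped passwords, then a success
    for i, res in enumerate(["FAIL", "FAIL", "OK"]):
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()} /login alice@example.com {res}")
    # carol: 8 failures spaced 5 minutes apart (too slow for this window)
    for i in range(8):
        lines.append(f"{(t0 + timedelta(minutes=5 * i)).isoformat()} /login carol@example.com FAIL")
    return lines

def find_bruteforce(log_lines, max_failures=5, window=timedelta(seconds=60),
                    per_endpoint=False):
    """Return {account: time the limit was exceeded} for accounts with more than
    max_failures failed logins inside the sliding window.

    per_endpoint=False counts failures per account across every endpoint.
    per_endpoint=True counts each endpoint separately, which lets guesses
    spread over several endpoints stay under the limit."""
    recent = defaultdict(deque)  # counting key -> timestamps of recent failures
    flagged = {}
    for line in log_lines:
        ts_text, endpoint, account, result = line.split()
        if result != "FAIL":
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[(account, endpoint) if per_endpoint else account]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) > max_failures and account not in flagged:
            flagged[account] = ts
    return flagged

if __name__ == "__main__":
    for account, when in find_bruteforce(constructed_log()).items():
        print(f"possible brute force against {account} at {when.isoformat()}")
```

Counting per account flags the rapid guessing against bob on the sixth failure, while counting each endpoint separately misses it; the slow attempts against carol fall outside the window under either setting.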
I still don't understand. They're celebrities.
Contrary to popular belief, most celebrities use technology the same way as most other not-famous people. Apple, Google, and other major tech players don't necessarily give celebrities access to special security features. If there were security-bolstering features available, we'd hope these companies would distribute them to all users, not just the privileged.
Celebrities have the same security tools we do, so we're technically all equally vulnerable. But, since their faces grace the covers of magazines and theater screens, they end up being targeted more often.
Celebrities also don't always take advantage of security protocols that are available. For example, based on the information currently available, these celebrities might have been protected against the attacks if they were using two-step verification, which adds an extra step to the basic log-in procedure.
Why would they store photos in the cloud in the first place?
Cloud backup services like Apple's iCloud and Google's Instant Upload are often enabled by default, so it's possible the photos were being uploaded to iCloud without the celebrities being aware.
For example, iCloud's Photo Stream service automatically uploads photos you take on your Apple device and stores them in iCloud for 30 days. With Photo Stream uploading enabled, those photos can be accessed from any device, no matter where you are in the world, using your iCloud credentials.
Should I be worried?
Even though you're not Brad Pitt or Cameron Diaz, it's a good time to review your own iCloud security. Photos aren't the only items stored in iCloud -- your contacts, iOS device's location, and notes may also be stored there. Here are some steps you can take:
1. Enable two-step verification. Now.
The greatest defense against brute-force and targeted attacks is still two-step verification. It won't protect you against issues like security holes, but it's still your best shield against targeted hacking, where someone is able to obtain your username or answers to your personal security questions to access an account.
When enabled, two-factor authentication adds a second level of authentication to an account login. One common example is a code sent to a mobile device that must be used in addition to a username and password to log in to an account. Follow these steps to set up two-step verification for your Apple ID.
Disappointingly, TechCrunch points out that Apple's two-step login is really only designed to protect users against unauthorized credit card purchases, but it's still important to enable, especially if the company corrects this oversight.
2. Disable any services you don't actually use
If the data doesn't exist in the first place, there's no reason to hack it.
Do you even need Photo Stream or other iCloud services like contact-syncing? If not, disable these services. To do so, go to Settings > iCloud on your iOS device and disable the unnecessary services. Then, sign into iCloud.com and delete any previously-uploaded Photo Streams.
3. Consider using fake answers to security questions
Was your mom born in Chicago? That's great, but you should probably use a different answer. Most recent reports suggest hackers used social engineering to learn answers to the celebrities' security questions, which ultimately gave them access to the accounts. To prevent frenemies or hackers from getting into your account, consider using fake, random answers they'd never be able to discover.
4. Do the same thing for other Web services
While you're at it, consider repeating the same steps for other cloud services, including Dropbox, auto-backup on Android, or even Flickr. The more you minimize data automatically uploaded into the cloud, the greater control you'll have over your private information.
Editor's Note: Story was updated Wednesday at 3:39 PST to reflect most recent reports on two-step verification and how the hackers accessed the accounts.