Celeb nudes: Comprehensive review of forum posts reveals no mention of ‘Find My iPhone’ brute force technique

“A number of personal and private nude images from high profile celebrities started appearing on online image boards and forums – most notably on anon-ib, 4chan and reddit,” Nik Cubrilovic blogs. “At least a dozen celebrities were affected by the photo dumps, with over 400 individual images and videos. A list of celebrity names published anonymously, and serving as something akin to a sales brochure, suggests that over 100 have had their personal data compromised.”

“In reviewing months worth of forum posts, image board posts, private emails, replies for requests for services, etc. nowhere was the FindMyPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned,” Cubrilovic reports. “This doesn’t mean that it wasn’t used privately by the hackers – but judging by the skill levels involved, the mentions and tutorials around other techniques and some of the bragged about success rates with social engineering, recovery, resets, rats and phishing – it appears that such techniques were not necessary or never discovered.”

Much, much more in the full article – recommended here.

Related articles:
Apple’s iCloud is secure; weak passwords and gullible users are not – September 2, 2014
Apple: No iCloud breach in celebrity nude photos leak – September 2, 2014
FBI, Apple investigating alleged iCloud hack of celebrity nude, sex photos and videos – September 2, 2014
Celebrity or not, Apple isn’t responsible for your nude photos – September 2, 2014
Apple ‘actively investigating’ Jennifer Lawrence, other nude celebrity photos hack – September 1, 2014
Apple’s iCloud not likely the sole source of leaked Jennifer Lawrence, other nude celebrity photos and videos – September 1, 2014

15 Comments

  1. If this ends up being a plan to throw everyone off the trail while the culprits take the time to hide their true routes of entry, that would be quite interesting.

    Need a distraction? Blame Apple! (Helps to have a POC exploit ready for release as well)

    1. I read a report that there are some images in the stash posted online as old as 2011. That indicates that this has been going on for years and just now reached a peak by bringing all the hacked photos together to attract attention to what’s been going on.

      If there was any exploit of Apple tech, it would have to have been a very old zero day exploit not yet revealed. Meanwhile, social engineering is sadly part of our daily lives on the Internet and on the telephone. It is so incredibly persistent because of course it is incredibly successful. That means user education of social engineering techniques is critically important. Expect to be exploited by scammers. Be prepared to recognize a scam and derail it.

      I’d gladly write up, upon request, methods for reporting email scams and how to wreak at least minor vengeance on phone scammers. It’s fun!

  2. What I heard today was that the background connection between the photo app and the iCloud photo server requires authentication every time a photo is sent up to the cloud server. The exploit was that this background pipeline authentication didn’t have a limit on the number of failed logins required before the server locked the account and notified the user of the issue, and required the user to relogin to iCloud to reset the connection. This permitted a remote computer to make continual background requests to the photo server until it got in.

    So, the hacker had to know the user’s Apple ID to start the process. And, yes, Apple apparently hadn’t considered the possibility that some hacker could start a direct background pipeline attack on the photo server itself using the user’s credentials, just as if the user’s computer were logging into the photo server to upload photos for the app.

    Of course, this required the hacker to also know the names/IP addresses of the photo servers online to run the script attempting to access it.

    So, Apple is correct in saying that its security protocols weren’t breached, since real credentials were used to extract the online photos, but is still at fault for the servers not breaking the connection and locking the account once a threshold number of attempts failed.

    I’ll bet the Sys Admins are busy now checking all their background pipeline authentication scripts to be sure this doesn’t happen again. Fortunately, it wasn’t a financial server.

      1. I wish the reporters out there would pull together all the facts so people aren’t left redoing all the research and almost inevitably leaving out the parts they don’t understand.

        Over on MacRumors a commenter posted screenshots of the online dialog between the mentors and the newbies, so a couple of “oopsies” come to light:
        1) The celebrities ignored the email from Apple that said their password had been changed. Which is curious because they would have had to go through the iForgot process themselves following the brute-force effort to guess the answers to their security questions that allowed the hackers to change the password!
        2) The celebrities weren’t having iTunes encrypt their backups (or, if they were, they were simple passwords that could be brute-force determined).

        It’s also noteworthy, and not mentioned in all the blogosphere reports I’ve seen, that this was a dump of photos collected over years by a bunch of individuals.

  3. Nik missed something, I think: In the 9th section he says that two-factor authentication is useless once you have the backup in hand, but since getting to the backup required changing the account password (section 7), two-factor authentication would have prevented the hackers from changing the password on the account, and therefore they never could have gotten the backup.

  4. According to CNN, and I’m sure many more mainstream or popular online news sites are probably stating the same thing.

    “The hacker apparently took advantage of a security flaw in Apple’s online backup service, iCloud. Many online services lock someone out after several unsuccessful attempts to log in, but not Apple’s “Find My iPhone” app and iCloud. That has been changed by Apple in the aftermath of the nude celebrity photo scandal. But with unlimited guesses, a computer program can generate and test thousands of potential passwords until an account is entered. It is called a “brute force” attack.”

  5. In addition to the article above, security expert Mikko Hypponen also recommended this article by forensics researcher Jonathan Zdziarski about this issue: http://www.zdziarski.com/blog/?p=3783

    It’s also a good read.

    I’ve read a number of articles on the subject separate from the drive-by trash that got the details wrong. One criticism of Apple that makes sense is to mandate two-factor authentication. I signed up for it as soon as it became available, but my hunch is that most consumers have no clue about what it is. Yes, Apple has instituted two-factor authentication, but unless the company makes it mandatory, many users will continue to follow bad habits of not setting a strong password, and worse, using the same password across multiple accounts.

    What pisses me off is that Apple is not the bad guy, but the press falls all over itself to point blame. The bad guys are the basement-dwelling losers who perpetrated the hacks to begin with, likely from multiple sources, not just Apple accounts, and as others stated above, over a lengthy period of time. Personally, I would not be surprised if a competitor to Apple paid some punks to do this.

    I feel worst of all for the victims. Some laugh because they’re “only” celebrities, as if that washes their hands of guilt. Celebrity or not, they are human beings with feelings, and they were violated. That they chose to take nude photographs of themselves is not the point. Their privacy was violated, their personal data stolen (and who knows what other data may have been stolen and shared by the hackers). That is illegal, and I can only hope that the FBI eventually finds and applies justice to the full extent the law allows.

    Worst of all, each of the victims is a woman. That is sexism plain and simple. That the 4chan punks get their kicks this way shows them to be the miserable losers that they are. I would only hope the media discredits them with the same glee they have with Apple.

    This is not fun. If indeed a hack was pulled off, and it appears this may have been in some cases, it took a lot of work and a premeditated attempt at perpetrating a crime, which is exactly what this hack is under the law, especially of photos of at least one celebrity that were taken while she was apparently less than legal age. There may have been a vulnerability in Find My iPhone which was immediately patched. But the big thing is that I hope Apple will mandate two-factor authentication ASAP. And it serves as a reminder to all of us to be vigilant, to use strong passwords/pass phrases and stay ahead of these bastards. It could happen to any of us.

  6. Since most of the mainstream media is lucky if they can turn on their computer, let alone understand anything about what they write when it comes to tech, whatever they report in most cases is not worth the click it’s printed on. Especially on CNN.

    1. I agree. Unfortunately the masses that are not as savvy with technology believe mainstream news media like CNN. There are more of those people than us and they are all potential Apple customers.
