Cloud
9/2/2014
05:00 PM

Apple Not Hacked In Celebrity Nude Photo Breaches

"Very targeted attack" on celebrities' Apple usernames, passwords, security questions -- iCloud, Find My iPhone not breached, Apple says.

This afternoon, Apple confirmed that the theft and leak of private photos of several celebrities was not due to a breach in its iCloud or Find My iPhone services. Speculation had swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.

A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.

In a statement issued today, Apple said:

When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.

One security expert says that after hearing about the possible patch by Apple, he tested whether Apple ID would lock him out after a certain number of attempts: It did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celeb hacks.

Either way, brute-forcing would require knowing the email address of the target, he says.

It's not surprising that most consumers and celebrities don't opt for the second factor of authentication since it's not required, experts say. And weak passwords most likely played a major role in the attack, they say.

"This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts. This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password," says Vijay Basani, CEO of EiQ Networks. "Since numerical code always changes, it makes it difficult for the hackers to gain access [and breach the account], even if they can guess the password."

The plot thickened over the weekend with a brute-force password hacking tool for Find My iPhone posted on GitHub. The creators of the iBrute proof-of-concept tool -- which came out of a presentation by researchers at Chaos Constructions, a hacker conference in Russia -- said the tool, which used a Find My iPhone service API that lacked brute-force protection, was not the culprit behind the celeb breaches. They also posted yesterday that Apple had patched that flaw in Find My iPhone.

"The end of fun, Apple have just patched," they wrote on their GitHub page.

They also later denied that their tool was behind the breach: "In justification I can only mention, that we only described the way HOW to hack AppleID. Stealing private 'hot' data is outside of our scope of interests. We discuss such methods of hacks in our's narrow range, just to identify all the ways how privacy can by [sic] abused," the researchers blogged.

Some security experts are also skeptical that the brute-force hacking came via the Russian researchers' iBrute tool.

But that doesn't mean no one tried the tool, of course. "From the comments on GitHub, it looked like people had been successful using [iBrute] to a certain point," Trend Micro's Ferguson says.

Vinny Troia, CEO at Night Lion Security, examined the stolen celebrity files and found Dropbox files as well, which he says seems to indicate that reused passwords were part of the problem for some of the victims. "They had a lot of generic Dropbox files in the directory structure. It's very plausible these celebrities were specifically targeted, but if they weren't, it might be like the StubHub [breach] with someone going down the list [of stolen credentials] and saying, why not try Dropbox and see what I can find there?" Troia says.

Phil Lieberman, president and CEO of Lieberman Software, says the attack came in two waves, starting with getting the email addresses of the celebrity targets. "The second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or alerting," he says, so the attackers were ultimately able to brute-force the password.

He says Apple should have logs of the IP addresses of the attackers, and should be able to identify them.
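The two controls Lieberman says were missing, a lockout after repeated failures and an alert that records the source address, are simple to implement server-side. The following is an added example written for this page, not Apple's code or a description of how its service works; the ten-attempt threshold mirrors what Ferguson observed, while the fifteen-minute window, the PBKDF2 parameters, the account name and the addresses are constructed assumptions. The check function reproduces the test McDougal describes in the comments (a 1000-entry word list with the real password buried at the end) to confirm that the lock fires long before the correct entry is reached.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical policy values for this example (not Apple's actual settings).
MAX_FAILED_ATTEMPTS = 10      # mirrors the ten-attempt lockout Ferguson observed
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AccountState:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class AuthService:
    accounts: Dict[str, AccountState] = field(default_factory=dict)
    alerts: List[dict] = field(default_factory=list)   # events a SOC would ingest

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = AccountState(salt, hash_password(password, salt))

    def login(self, username: str, password: str, client_ip: str,
              now: Optional[float] = None) -> str:
        """Returns 'ok', 'failed' or 'locked'."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            return "failed"          # same answer as a bad password: no account enumeration
        if acct.locked_until > now:
            return "locked"          # the password is not even checked while locked
        if acct.locked_until:        # lock has expired: start a fresh counting window
            acct.locked_until = 0.0
            acct.failed_attempts = 0
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            self.alerts.append({"event": "account_locked", "user": username,
                                "source_ip": client_ip, "at": now})
            return "locked"
        return "failed"


def run_lockout_check(real_password: str = "correct horse battery staple",
                      list_size: int = 1000) -> dict:
    """Replays a constructed word list against one account and reports what happened."""
    svc = AuthService()
    svc.register("victim@example.com", real_password)
    # Constructed word list: wrong guesses with the real password buried at the end.
    wordlist = [f"guess{i}" for i in range(list_size - 1)] + [real_password]
    t0 = 1_700_000_000.0
    outcomes = [svc.login("victim@example.com", pw, "198.51.100.7", now=t0 + i * 0.1)
                for i, pw in enumerate(wordlist)]
    first_lock = outcomes.index("locked") + 1 if "locked" in outcomes else None
    return {
        "accepted": outcomes.count("ok"),
        "failed": outcomes.count("failed"),
        "locked": outcomes.count("locked"),
        "locked_at_attempt": first_lock,
        "alerts": svc.alerts,
        # the legitimate owner gets back in once the window has passed
        "owner_after_window": svc.login("victim@example.com", real_password, "203.0.113.5",
                                        now=t0 + list_size + LOCKOUT_SECONDS + 1),
    }


if __name__ == "__main__":
    print(run_lockout_check())
```

Two design points matter here: while an account is locked the password is not compared at all, so the real password offers no signal during the window, and the lock event carries the source address so the log Lieberman refers to exists at the moment the control fires rather than having to be reconstructed later.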

"Crunching multiple login/password combinations on Apple's infrastructure, in a manner that goes unnoticed, even over time -- perhaps a few people were involved in this over a few months -- would require either complexity of execution, a lot of luck or significant negligence on Apple's part, or a combination thereof," says Boris Gorin, head of security engineering at Firelayers.

The FBI reportedly told NBC News that it is investigating the breaches. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
securityaffairs
User Rank: Ninja
9/5/2014 | 4:08:44 AM
Re: the responsibility is on the user
Regarding the incident, although Apple denies any exploitation of the mentioned flaw, we must be conscious that the vulnerability was present anyway at the time of the attack.

I'm afraid the hack is much more extended and may have impacted many other Apple users. Not only celebrities are exposed to such risks. No matter if you are a manager or a common individual, your data are a precious commodity in the cybercrime ecosystem. For this reason, it is important to know the main cyber threats and the principal mitigation practices. This could be just the beginning.

I think that all principal storage service providers are under attack and need to improve their security by implementing further countermeasures.

the5thHorseman
User Rank: Apprentice
9/4/2014 | 6:57:45 PM
Just a thought...
Call me crazy, but here's a thought... DON'T TAKE NAKED PICTURES OF YOURSELF WITH YOUR PHONE! So far, I've read lots of technical explanations for how this dastardly deed could have been perpetrated, yet no one has pointed out the obvious; if you are a celebrity, you are a target. Whether it's the National Enquirer, Russian techno-perverts or horny teenagers in Somalia... accounts owned by celebrities are always going to be ransacked. The real question is, ESPECIALLY in lieu of the terrifying data provided by Eric Snowden proving beyond ANY doubt that cell phones, and almost anything else with a power cord, are absolutely 150% compromised, "What kind of idiot takes naked pictures of themselves with their cell phones"? It takes a special kind of stupid to do that, and somehow not expect to see yourself on every porn site on the net by sundown. Apple does need to own its responsibility for its screen door security policies, but let's not lose sight of the fact that if you weren't taking dirty pictures of yourself in the first place, you wouldn't be in the predicament. That's the responsibility to be owned by our celebrity "victims". Maybe they should consult with Bret Favre regarding image damage control related to cellular phone services. I'm sorry, once everybody lawyers up and the lawsuits start flying, I don't think Apple should have to pay damages to celebrity morons participating in questionable behaviors...
TomM234
User Rank: Apprentice
9/4/2014 | 3:29:15 PM
Secure Camera on nCrypted Cloud
Thank you for mentioning us.
We do way more than protect naked photos, but since that is the discussion, you can use our "secure camera" to take photos on iOS devices (ANDROID COMING).

The photos do NOT go into the standard camera roll but into an encrypted camera roll.

The photos are encrypted using 256 bit AES zip files as an enveloping technology.

Want to share those naked photos with someone? No problem, we do it seamlessly.

Want to revoke that person's access (even after they sync it to other machines)? No problem, we take care of it.

Try us www.ncryptedcloud.com

Robert McDougal
User Rank: Ninja
9/3/2014 | 2:16:45 PM
Re: the responsibility is on the user
Unfortunately, I did not document my efforts.  However, it appears that some people in this reddit thread had the same testing experience that I did myself.

https://www.reddit.com/r/netsec/comments/2f5eyl/appleid_password_unlimited_bruteforce_p0c/
GonzSTL
User Rank: Ninja
9/3/2014 | 11:32:33 AM
Re: the responsibility is on the user
That is interesting. Based on your own testing, it is evident that at the time of the breach, there was no lockout provision in a brute force attack mitigation strategy. That in itself violates well known security practices. Also interesting is that Apple claims a two-step verification process, as stated in their media advisory, would protect users from this type of attack. Are they deliberately misleading the public? If you have documented information regarding the test results that you conducted personally, perhaps you should make that more public, to clarify the situation. There has to be transparency somewhere, right?

Although I am not a huge fan of Apple products in the enterprise, I do love their mobile devices. Also, I prefer not to use iCloud because cloud services in general scare the daylights out of me. I suppose this event justifies that reservation.
Robert McDougal
User Rank: Ninja
9/3/2014 | 11:09:47 AM
Re: the responsibility is on the user
A couple of points.

Firstly, I am highly disappointed with Apple's stance on this issue. This IS a breach of their iCloud service. Over the weekend I did testing on my own iCloud account using this Python script. I had a word list of 1000 passwords and buried my password at the end of the list. The script was initially able to find my password, but later in the day on Sunday, the script was halted after 10 tries. From my testing it appears there was indeed a flaw that Apple quietly patched over the weekend.

Secondly, Apple's two factor authentication does not protect your iCloud backup. Currently, Apple's two factor authentication only protects My Apple ID sign-ins and purchases from the App Store.
GonzSTL
User Rank: Ninja
9/3/2014 | 9:00:02 AM
Re: the responsibility is on the user
It never ceases to amaze me how little effort people put into protecting themselves or their privacy. Two Factor Authentication (2FA) is available in Apple's iCloud service, and I believe none of those celebrities took advantage of that security measure. The reason probably lies in their mistaken belief that having a password is enough to secure their accounts. So it comes down to how much they want to protect their privacy, and how they balance that desire with the complexity of a secure configuration. It really is a personal risk analysis. Do they want the "hassle" of remembering a complex password and on top of that, a second authentication factor to protect their privacy, or risk exposure? Well I am willing to bet that a lot more people are opting for that 2FA now! I view this as a microcosm of the security environment of organizations. How many organizations out there are complacent on their security? It usually takes a breach in their industry before they take notice and scramble to enforce rigid security.
Marilyn Cohodas
User Rank: Strategist
9/3/2014 | 7:44:43 AM
Re: the responsibility is on the user
@Bkosh I suspect a lot of Hollywood publicists and attorneys are adding internet privacy protection to their resumes and job descriptions. 
bkosh
User Rank: Apprentice
9/2/2014 | 7:35:26 PM
the responsibility is on the user
There is a secure camera feature for iPhones that anyone can use, and it works with Dropbox free. A company called nCrypted Cloud developed this for federal law enforcement and healthcare providers who need to protect photos of patients. But celebrities or anyone who needs privacy in the cloud can access it. Perhaps celebrities need to make privacy, not just publicity, someone's job and learn about these tools?