The Fappening 2014 - What to learn about cloud security from leaked nude celebrity photos

Millard

What you can learn about "cloud" security from the leaked nude celebrity photos of Ariana Grande, Jennifer Lawrence, Kate Upton, Olivia Munn, Victoria Justice and dozens of other celebrities in what has been called The Fappening 2014:

This breach is different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door—and Apple didn't find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped.

[...]

Given how much of what is on smartphones is now automatically backed up to the cloud, anyone should take pause before disrobing before their smartphone camera—regardless of the phone operating system or how that image will be delivered to its intended audience. The security of all of these services is only as secure as the obscurity of the mother’s maiden name of the person you sent that picture to—or of the next zero-day flaw.

Apple’s iOS backs up your photos to iCloud by default if you configure an account. Android’s backup does the same, and Google Plus, Yahoo Flickr, and many other services offer to automatically sync your images to the cloud. Even if you don’t set one of these up for syncing, you never know what the person you send the picture to will do with them. Even “ephemeral” messaging applications like SnapChat, Glimpse, Wickr and the like don’t block people taking screen captures of the image—and if image recipients are using an iPhone, those might automatically get synced to their cloud.

If it’s in the cloud—a public, free cloud service, especially—then chances are good that eventually it will find its way to the Internet. Cloud services are leaky by their nature; things that are supposed to be private get stored alongside things that are shared, and anything from user error to a previously undiscovered vulnerability can make even strong passwords pointless, while exposing all of those things to the world.

And what happens when a cloud store gets breached? If the one doing the breaching is never caught, the answer is “not much”—because the cloud providers are generally covered from the victims’ wrath by terms of service.

In a conversation I had on Twitter this morning with Tal Klein, the vice president of strategy for the cloud security firm Adallom, Klein said there were two things to take away from this latest breach: “1. Don't take pictures of your junk; it will end up on the Internet somehow at some point. 2. Not all security is equal. And all vendors are mostly indemnified. So use the cloud because it's great, but be cognizant of accountability.”

Or, as Ricky Gervais tweeted (and then deleted): “Celebrities, make it harder for hackers to get nude pics of you from your computer by not putting nude pics of yourself on your computer.” It's not that it's celebrities' fault for being hacked; it's just that they should arm themselves with the knowledge that the cloud is fundamentally insecure in the future.

Source: http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
 
Some experts believe that an Apple 'Find My iPhone' exploit may have been responsible for allowing an AppleID bruteforce password cracking hack.

http://thenextweb.com/apple/2014/09...aw-that-led-to-celebrity-photos-being-leaked/

The "iBrute" Apple ID password bruteforce tool proof of concept was posted on August 31, 2014:

"It uses Find My Iphone service API, where bruteforce protection was not implemented. Password list was generated from top 500 RockYou leaked passwords, which satisfy appleID password policy. Before you start, make sure it's not illegal in your country."

Apple patched the flaw on September 1, 2014.

The code exploited a vulnerability with the Find My iPhone sign in page that allowed hackers to flood the site with password attempts without being locked out. By employing bruteforcing techniques, hackers could use this to guess the password used to protect the account.

Hackers using this tool would need to know the username for the account in order to attack it, but an email address is hardly a secret given that any time it is used it is made public.

It does however beg the question as to how a hacker could harvest so many celebrity AppleIDs. To me this seems harder than the password bruteforcing part.

Source: http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/

Others, including the person who released the iBrute tool PoC, don't think the tool was responsible, and say that the timing of its release and patch relative to the Fappening leaks was merely a coincidence:

Source: http://mashable.com/2014/09/01/celebrity-photo-leak-weak-technology-or-bad-passwords/
 
Software intended solely for government agencies - Elcomsoft Phone Password Breaker (EPPB) - may have been used in combination with iCloud-cracking software (iBrute) to download backups of the entire contents of victims' iPhones, according to security expert Jonathan Zdziarski.

“You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

Source: http://www.wired.com/2014/09/eppb-icloud/
 
Apple says the celebrity photo leak was not its fault but that of consumer ignorance or, as Apple puts it, "awareness":

"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," Apple CEO Tim Cook said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."

Source: http://online.wsj.com/news/article_email/tim-cook-says-apple-to-add-security-alerts-for-icloud-users-1409880977-lMyQjAxMTA0MDAwNDEwNDQyWj

Nonetheless, Apple will add additional security alerts to prevent such an incident from happening again.

To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time.
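As an added example (not code from the thread, from Apple or from any of the tools named above), here is a defender-side sketch in Python of the two controls this thread discusses: the per-account failed-attempt lockout that the Find My iPhone endpoint lacked, and the first-login / restore-to-new-device alerts Apple said it would add. The threshold values, account names and device identifiers are constructed placeholders, not Apple's real policy.

```python
import time
from collections import defaultdict, deque

# Constructed policy values for illustration only (not Apple's real thresholds).
MAX_FAILURES = 5   # failed attempts per account within WINDOW before lockout
WINDOW = 300       # seconds over which failures are counted
LOCKOUT = 900      # seconds an account stays locked once the threshold is hit


class AuthGuard:
    """Per-account failed-attempt lockout plus new-device alerts."""

    def __init__(self, clock=time.time):
        self.clock = clock                   # injectable so lockout expiry can be tested
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lockout ends
        self.known_devices = defaultdict(set)
        self.alerts = []                     # (account, message) a real system would email/push

    def attempt(self, account, verify, device_id):
        """verify() is the real credential check; it is skipped while the account is
        locked, so a locked account cannot be probed. Returns 'locked', 'denied' or 'ok'."""
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"
        if not verify():
            q = self.failures[account]
            q.append(now)
            while q and now - q[0] > WINDOW:   # forget failures older than the window
                q.popleft()
            if len(q) >= MAX_FAILURES:
                self.locked_until[account] = now + LOCKOUT
                q.clear()
                self.alerts.append((account, "lockout after repeated failures"))
                return "locked"
            return "denied"
        self.failures.pop(account, None)       # a good login resets the counter
        if device_id not in self.known_devices[account]:
            self.known_devices[account].add(device_id)
            self.alerts.append((account, f"first login from {device_id}"))
        return "ok"

    def restore_backup(self, account, device_id):
        """Alert when backup data is restored to a device this account has not used before."""
        if device_id not in self.known_devices[account]:
            self.alerts.append((account, f"restore to new device {device_id}"))
        self.known_devices[account].add(device_id)
```

Note that the correct password is refused while the lockout is active, which is what makes a password list useless against the endpoint; the alert list is where the email/push notifications described above would be generated.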
 