Over the weekend you’ve probably seen news reports about celebrities being hacked and their private pictures and videos being posted and distributed all over the Internet. Most of the details about what happened are speculative at best, but most reports center around Apple’s iCloud service. While one can question why anyone would take and store naked pictures of themselves on their phone or a cloud service like iCloud…this “hack” is most likely due to a brute force attack on the iCloud service. These are not new attacks, contrary to what the mainstream media will tell you. They happen to celebrities and to regular people like you every day.
Celebrity Hacking 101
Hacking celebrities for fun and profit is also nothing new. The paparazzi have been doing this for decades via phishing, gaining access to cell phone records and even blatantly stealing laptops and cell phones.
In fact, my team at SecureState demonstrated how celebrities could be targeted by hacking our friend comedian Erik Stolhanske (from the movie Super Troopers) using public information and his Amazon Wishlist account. We were successful in quickly gaining access to Erik’s personal email, web hosting accounts, Amazon and social media accounts using social engineering techniques. You can download a case study to see all the details on how easily this attack was pulled off. While anyone can be a target for their personal information, celebrities need to be even more vigilant about protecting their personal information, as they will be targeted if they haven’t been already.
What about iCloud Security? Shouldn’t Apple Protect My Data?
Many web and mobile applications are susceptible to what is called a “brute force” attack. This is where an attacker uses an automated program to try hundreds or thousands of common passwords against a user account until the valid password is found. It should be no surprise that the attack vector here is weak passwords. Weak passwords are the number one attack vector that attackers use to break into companies’ or individuals’ personal accounts. SecureState recently released our 2014 Attack Vectors Report revealing our own statistics proving this fact. I highly recommend you review this report to see the top five attack vectors behind the major security breaches you hear about in the news.
From a prevention perspective, some organizations try to thwart brute force attacks by locking the account after several bad password attempts or throwing up a CAPTCHA (the fuzzy letters you can’t read) to stop automated tools. Unfortunately, in the world of APIs and mobile, these protections are often applied only to the browser login form: the API endpoints that mobile apps talk to do not get the same lockout or CAPTCHA and can still be brute forced quite easily. This seems to be the case with the login used by Apple’s “Find My Phone” mobile app, and it may have been used in this most recent celebrity attack.
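To make the point concrete, here is an added example (not Apple’s code or any real service’s configuration) of the kind of guard that closes this gap: a single failure tracker, keyed per account and per source address, that every login path (web form, mobile app and API alike) must call before checking a password. The limits and the `attempt_login` entry point are hypothetical values chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed example policy, not any real service's configuration.
MAX_ACCOUNT_FAILURES = 5    # failures per account before that account is locked
MAX_SOURCE_FAILURES = 20    # failures per source address before it is throttled
WINDOW_SECONDS = 15 * 60    # sliding window over which failures are counted
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts once triggered


class BruteForceGuard:
    """Failure tracking shared by every login path (web form, mobile app, API).

    One guard instance fronts all interfaces, so an attacker cannot sidestep
    the lockout by choosing the one endpoint that was never given protection.
    """

    def __init__(self):
        self.failures = defaultdict(deque)  # ("account", x) / ("source", y) -> times
        self.locked_until = {}              # same keys -> unix time lock expires

    def _recent(self, key, now):
        history = self.failures[key]
        while history and history[0] <= now - WINDOW_SECONDS:
            history.popleft()   # drop failures that aged out of the window
        return history

    def is_blocked(self, account, source, now):
        return any(self.locked_until.get(k, 0) > now
                   for k in (("account", account), ("source", source)))

    def record_failure(self, account, source, now):
        for key, limit in ((("account", account), MAX_ACCOUNT_FAILURES),
                           (("source", source), MAX_SOURCE_FAILURES)):
            history = self._recent(key, now)
            history.append(now)
            if len(history) >= limit:
                self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, account, now):
        self.failures.pop(("account", account), None)  # genuine login clears history


def attempt_login(guard, account, source, password_ok, now):
    """Single entry point every interface calls; returns 'locked', 'ok' or 'bad'."""
    if guard.is_blocked(account, source, now):
        return "locked"   # refuse before the password is even checked
    if password_ok:
        guard.record_success(account, now)
        return "ok"
    guard.record_failure(account, source, now)
    return "bad"
```

The per-source limit catches an attacker spraying a few common passwords across many accounts, which a per-account counter alone never sees. Bear in mind that a hard account lockout also lets an attacker lock the real user out, so many services prefer throttling or a step-up challenge over an outright block.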
The bottom line is this: Don’t rely on services like iCloud to put in safeguards to protect your information! It simply comes down to how you select your passwords and whether you use two-factor authentication if the service you’re using supports it.
Password Selection and Personal Responsibility
I’m personally sick and tired of everyone blaming Apple and other companies when their data is compromised. Especially when it is due to a weak password that YOU the user selected in the first place. While many services like Twitter and Facebook are implementing two-factor authentication as an additional layer, at the end of the day the true problem comes down to how you select your passwords. If you use the same password for every site and/or think “Password1” protects your personal data, think again! If you’re not already, you should be using passphrases at a minimum and a password manager to ensure passwords are unique and harder to brute force than “Password1”. Take this as a lesson from this most recent round of hacked celebrities: don’t take naked pictures of yourself, don’t store naked pictures on your phone or iCloud, and choose better passwords.