We’re all familiar with the recent data hacking scandal that affected a range of celebrities, from A-listers to up-and-comers. While this happens frequently, in this instance, the hackers targeted something far more damaging and lucrative than credit card details and bank codes: private pictures and videos, most of which included nude images.
Although the full extent of the scandal will probably never be known, the evidence we do see has done enough reputational damage to many celebrities to last them a lifetime. Other potentially incriminating and financially valuable information will be traded over the black market on the deep web, and the impact this will have may never be made public by the hackers, the celebrities, or their representatives.
A variety of hacking scenarios
While there are an almost unlimited number of ways for hackers to gain access to personal data if it is stored online, the methods that were most likely used in the celebrity hacking scandal included a simple script called iBrute, a commercial tool called Elcomsoft Phone Password Breaker (EPPB), some social engineering and phishing, and the findings of the most popular passwords hacked from the social games site RockYou in 2009. Many of these passwords are still popular online today.
Scenario 1: In the case of Apple iCloud users, a vulnerability in Apple’s Find My iPhone API was used to match Apple IDs with correct passwords, which was assisted by a very simple script posted on Github called iBrute.
Scenario 2: Another weakness in Apple’s security procedures, which was exploited in the hacking of Mat Honan two years ago, is their laughable security questions like, “What was your first car?” or “Where were you born?” The answers to questions of that kind are frequently available online for discovery by dedicated hackers. Hackers may have used this option to reset a victim’s password from information they phished or discovered online through social media or documents easily purchased online, like credit reports.
Scenario 3: If a password reset failed, then a hacker could attempt to force the account using the list of common passwords hacked from RockYou in 2009. These could potentially shorten the password cracking step, but if it failed to find a correct password then the hacker would resort to an exhaustive key search. This method is sheer guesswork by a software program until it gets lucky and breaks the password – it’s very time consuming.
Scenario 4: Using their victim’s password, the hacker could perform a complete restoration of the targeted user’s full backup: a much more complete set of information than just the user’s backed up iCloud media, including contacts, text messages, app data and videos.
Scenario 5: A cascading flow of information could follow from the data gathered, including other celebrities’ email addresses and phone numbers (to use for phishing).
Unsecured and rogue Wi-Fi hotspots
Another method of hacking users’ data is through unsecured and rogue Wi-Fi hotspots. Most public spots such as malls, restaurants, airports and bars offer free Wi-Fi as a service to their patrons, and most do not take security very seriously, leaving the networks wide open for hackers to exploit users.
Many Wi-Fi hotspots do not require password authentication and data that travels between devices and the router is easily accessible by other users connected to the same network. Even in the case of Wi-Fi networks that are password-secured using WPA, hackers with the password can snoop packets that travel between users and the network router, and discover passwords and data sent from users’ devices.
Wi-Fi hotspots that are encrypted using enterprise encryption are also easily overcome by hackers, who simply set up a man-in-the-middle trap: an access point with the same name as the network they are hoping other users will be connecting to. If a user mistakenly connects to the fake hotspot, the hackers have access to any information sent over their network. This may include login details for any online services that the victims access. Rogue access points set up by corporate employees or university students are also a prime example of a breach in corporate policy, since these allow hackers a back door into the network and the ability to easily exploit users’ data.
Arrow in the Apple
Apple users seemed to be the primary targets of the hacking to date, and a representative from Apple said in a statement on their website that, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
We can only take Apple’s word for it, but they say the iCloud accounts that were hacked were not due to a security vulnerability with their system, which seems rather unlikely after the above research. They also make the sweeping statement that this type of practice “has become all too common on the Internet,” and they neglect to mention that their security practices are well behind many other organizations. Apple does not run a rewards or bounty program for people who expose vulnerabilities in their systems, and take the approach of “it’s not our fault that your password got hacked.” And only 40 hours of investigation? That’s all they could spare?
This may be their way of avoiding the topic of their Find My iPhone API bug, which allowed unlimited password guesses, and therefore a brute force approach to hacking users’ passwords.
Security researcher Andreas Lindh said, “I think Apple is lagging way behind on security in general… Apple has invested a lot of efforts in making iOS secure, but all the things around it (like iCloud) are nowhere near that standard.”
Slowly closing the gap
The bug in the Find My iPhone API was supposedly closed in early September 2014, after its public announcement at The Def Con Conference in Russia in late August, but the hacking, or at least the release of previously-hacked celeb pictures, continued. This supports the theory that the pictures were not all hacked recently, but occurred over a significant period of time and were traded in private until someone decided to release them publicly.
Wired received communication from a ripper on Anon-IB, an anonymous image-sharing site, in which he detailed his methods:
“Dunno about others but I am too lazy to look for accounts to hack. This way I just provide a service to someone that wants the data off the iCloud. For all I know they own the iCloud. I am not hacking anything. I simply copy data from the iCloud using the username and password that I am given. Software from elcomsoft does this.”
Further ramifications of hacking celebrities
Many online conversations ask why the hackers have not released further personal details from their victims’ phones, and some speculate the hackers themselves did not release the pictures, but that a third party who purchased the pictures did the leaking.
Either way, the media-hyped celebrity hacking serves as a firm reminder about the importance of online security, especially if you store sensitive information in the cloud. Two-factor authentication is highly recommended, and a strong passphrase for every online account, perhaps managed by Keepass or 1Password, is essential.
Find John on Google+
Photo: Flickr The Internet has made many people famous, who otherwise would have remained unknown. With the boom of the www, anyone has access to the global stage. Tom Anderson, Chris Crocker, and Rebecca Black took advantage of this stage, but they realized the lights turn off pretty quick. Gary Brolsma didn’t exactly want the stage and Lucas Cruikshank is still looking for it.
Everyone’s First MySpace Friend: Tom Anderson
If you remember MySpace, then you certainly remember Tom. Tom was everyone’s first friend when they joined MySpace. He was some guy whose profile picture was taken in front of a whiteboard, who happened to be a cofounder of the of the whole company. No big deal.
Unfortunately in 2008, MySpace began to fall off the map. Facebook began to gain popularity, and soon MySpace became an after thought in the social media landscape. In 2009, Tom left MySpace.
So what is he up to now? Besides making a cameo in the 2009 movie “Funny People,” Tom has continued his web savvy ways. He joined RocketFrog Interactive, a media company that creates gaming apps for Facebook. Tom still even has a MySpace page, with his famous whiteboard photo. In his bio, he writes, “Former first friend; I’m not working for the company now, ya’all 🙂 Just a user like everyone else.”
“Leave Britney Alone!” – Chris Crocker
It is impossible to hear these three words and not think of the Chris Crocker, sobbing and screaming in defense of Brittney Spears. Crocker took the Internet by storm in 2007, when he uploaded a YouTube video begging the media and society to stop making fun of Brittney Spears.
How could Chris Crocker top this? He couldn’t. Since his 15 minutes of fame, Crocker has tried to become relevant by pursuing and acting and singing career, but hasn’t found his way back into the spotlight. He’s released 13 singles, made a documentary, and even made an adult film.
But if you haven’t seen a picture of him since his video, please do.
Chris Crocker – thenChris Crocker – now
I can honestly say my jaw dropped when I saw it.
What Day is Today, Rebecca Black?
Chances are, if you and your friends were going out on a Friday night in 2011, you listened to the worst song ever. Yes, that is the title music critics gave Rebecca Black’s hit song “Friday.” How can a song labeled the “worst song ever,” get over 200 million views on YouTube? It was simply so bad, it was good.
What did Rebecca Black do for an encore? Black released a few new singles after “Friday,” but none were as horribly popular as “Friday.” Her second single “My Moment,” does have 38 million views, but after “Friday” none of her songs were ever bad enough to go viral.
The hilarious thing is that her new singles are significantly better musically. It turns out, the now 16-year-old Black is actually a decent singer. However, her viral popularity will forever be linked to how bad “Friday” was, no matter what she does next.
Numa Numa Yay! – Gary Brolsma
Never has lip-syncing and horrible dancing been so celebrated. That’s what Gary Brolsma found out, when he lip-synced “Dragostea din tei” in 2004, dubbed as the Numa Numa song. According to BBC, the Numa Numa Dance video had over 700 million views as of 2006. VH1 also had him as number one on their “Greatest Internet Superstar” segment.
Brolsma never wanted the spotlight. His only mainstream appearances have been with the television company Vizio. Other then that, the Numa Numa man is exactly what the Internet thought he was. He is a computer nerd, continuously working on videos and Internet projects. He is also in a band called “Nonetheless.” You can follow his work on his website.
Fred Figglehorn was the tallest 6-year-old YouTube has ever seen. The character’s high-pitched voice actually belonged to Lucas Cruikshank, a 15-year-old boy, who created Fred on a whim. In 2009, Lucas became the first YouTube account to get over one million followers, just a year after he opened it. Not too shabby for bored teenager.
The success of Fred launched Lucas into a television career. Lucas has made appearances on shows like iCarly and Hannah Montana. Fred even got his own movie, “Fred: The Movie,” along with two sequels. Nickelodeon then gave him his own TV show in 2012, similar to the content of his YouTube videos, titled, “Marvin Marvin.” The show was short lived, only lasting a year. His YouTube account is still going strong, now with over two million subscribers.
Photo by:Betsy Weber