When nude celebrity selfies start leaking en masse, it certainly gets your attention. Actress Jennifer Lawrence, singer Rihanna and model Kate Upton were among the celebs whose pics, videos and other personal files flooded the Internet on Sunday.
We caught up with Greg Foss, a senior security research engineer at security intelligence firm LogRhythm, to get his take on the fallout, who's to blame and how to protect data in the cloud. He told us that, according to information released publicly so far, celebrity iCloud accounts were the primary targets.
“If this is indeed the case, the ‘hack’ looks to have been the result of a brute-force attack against using select passwords from the ever-popular RockYou password list in conjunction with the ibrute script written by @hackappcom, which essentially bypasses the AppleID lock feature,” Foss said. The tool used the top 500 passwords from the RockYou breach in 2007 -- still considered the world’s largest leak of plaintext passwords.
Who’s To Blame?
Foss suggested that Apple shares some of the blame because iCloud did not implement adequate brute-force protection. Of course, the celebrities didn’t help by picking weak passwords and failing to implement Apple’s two-factor authentication, he added.
As Foss sees it, another aspect to consider is that the culprits likely gained access to much more than pictures and videos. Specifically, address books and other sensitive data, all of which is available via iCloud, were probably also accessed, he noted.
“All things considered, it is unlikely that only one avenue was taken to obtain all of this data,” Foss said. “More importantly, just because everything was dumped on the Internet at the same time does not mean that it was all stolen at the same time or even by the same person.”
Foss is assuming that a team with a common goal was behind the leak -- and that they used many different means to obtain this data. However, he said he believed a significant portion was obtained via iCloud brute force.
“Could this all be stolen data from iCloud that was extracted in the same manner? Certainly, but not likely,” he said. “Granted, Apple did respond and fix this specific vulnerability within 24 hours, which is very good, all things considered.”
Protecting Yourself from Hackers
So, what can we learn from this recent leak? According to Foss, there are a few lessons we can take away from the embarrassing event that will help us better protect our own data in the cloud. First, he said, whenever possible, implement multifactor authentication. He noted Apple has a two-step verification feature that will harden your iCloud account. Look for the same feature on other services.
“If multifactor authentication is not an option, question the sensitivity of the data you are storing on the service and do not store it in the cloud if you are worried about someone else getting hold of it,” Foss said. “Use strong and unique passwords for every site. Use pass phrases instead of passwords. Use a password manager to store, manage, and create strong, plus unique passwords for each site that you use.”
Most of this advice is not new. The issue is that too few users follow it.
Ulf Mattsson, CTO:
Posted: 2014-09-04 @ 4:50pm PT
I agree that the question “How Can We Protect Cloud Data?” is critical.
I think that the real issue is that there are so many ways to attack these cloud systems and more and more sensitive information will be stored in clouds.
Fixing the password issue is “too little too late”.
I think that we should demand that this data is encrypted since the attackers are trying to steal our sensitive personal data.
Gartner recently reviewed cloud gateways that can protect the data even before it is sent to the cloud. This should keep the bad guys away from our most sensitive data.
It is time to require better data security for cloud based systems.
We cannot trust clouds that are using old school IT security.
Ulf Mattsson, CTO Protegrity
Posted: 2014-09-04 @ 9:06am PT
Been looking at the leaked pictures and most of them are fairly innocent.