Apple on Tuesday issued a statement attributing the online posting of photos of more than 100 celebrities, in various stages of dishabille, to a highly targeted attack aimed at obtaining their usernames, passwords and answers to security questions.
None of the cases investigated resulted from any breach in the company’s systems, including iCloud or Find my iPhone, Apple maintained.
However, Apple this weekend reportedly fixed a flaw in its Find My iPhone feature that was believed to have allowed hackers to breach those celebrities’ accounts.
Some of the more than 100 celebrities affected, including Jennifer Lawrence, have threatened legal action. Others have issued disclaimers, saying the photos are fakes. Still others tweeted sarcastic remarks.
Many directed their ire toward Apple.
“The concept that it’s Apple so it’s secure has now been thoroughly disabused,” Stu Sjouwerman, CEO of KnowBe4, told TechNewsWorld. “Apple is known to be hackable now.”
Speculation About the Attack
Prior to Apple’s statement, suspicion fell on the GitHub iBrute Web page, which carried code written in Python for a brute force attack against the Apple ID password.
The page states the attack uses the Find My iPhone service API, which at the time did not implement brute force protection.
The password list was generated from the top 500 passwords stolen during a December 2009 breach of social media application-based advertising network RockYou.
The database breached in that hack held about 32 million unencrypted usernames and passwords.
The GitHub iBrute page now leads off with the announcement, “The end of fun, Apple have just patched.”
The code was “not particularly sophisticated” and the hackers who released it said they intended to make a point rather than steal anything, noted Mike Lloyd, CTO at RedSeal Networks.
“What the incident shows is that our infrastructure is fragile,” Lloyd told TechNewsWorld. “We rush in great numbers to new cloud offerings — and as we do that, our information gets easier and easier to attack.”
Some Thoughts on the Attack
The iBrute code on GitHub is “a garden-variety brute-force attack,” said Andrew Jaquith, CTO of SilverSky.
The “fmipmobile.icloud.com” host that the iBrute code authenticated against is found in 76 other GitHub locations, which means the authentication vector “was clearly well-known to the broader programming community,” he explained.
Apple “already has protections against brute force for most of their websites,” Bob Doyle, security consultant at Neohapsis, told TechNewsWorld. “Reports now indicate they’ve restricted the number of incorrect guesses you can send to the ‘Find My iPhone’ API, which should make it resistant to automated brute-forcing attacks like these.”
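As an added illustration of the control Doyle describes (example code written for this page, not code from the article, Apple or the iBrute project): a per-account lockout on an authentication endpoint, with a constructed account and guess list, showing that once the throttle is on, a guess list stops reaching the password check after a handful of failures, while with the throttle off every guess is checked.

```python
import hashlib
import hmac
import os

# Constructed guess list, not from the page; the last entry is the real password.
GUESSES = ["123456", "password", "12345678", "qwerty", "abc123",
           "123456789", "111111", "1234567", "correct horse battery staple"]

def _derive(password, salt):
    # Slow, salted KDF so a leaked hash is also expensive to attack offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class ThrottledAuthenticator:
    """Lock the account for `lockout_seconds` after `threshold` consecutive
    failures; threshold=None disables the throttle (the unprotected case)."""
    def __init__(self, threshold=5, lockout_seconds=15 * 60):
        self.threshold = threshold
        self.lockout_seconds = lockout_seconds
        self.accounts = {}

    def register(self, user, password):
        salt = os.urandom(16)
        self.accounts[user] = {"salt": salt, "hash": _derive(password, salt),
                               "failures": 0, "locked_until": 0.0}

    def login(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None:
            return "failure"  # same verdict as a wrong password: no username oracle
        if now < acct["locked_until"]:
            return "locked"   # refused before the password is even checked
        if hmac.compare_digest(acct["hash"], _derive(password, acct["salt"])):
            acct["failures"] = 0
            return "success"
        acct["failures"] += 1  # consecutive wrong guesses since the last success
        if self.threshold is not None and acct["failures"] >= self.threshold:
            acct["failures"] = 0
            acct["locked_until"] = now + self.lockout_seconds
        return "failure"

def replay_guesses(threshold=5, interval=1.0):
    """Replay GUESSES against a constructed account, one per `interval` seconds,
    and tally the verdicts."""
    auth = ThrottledAuthenticator(threshold=threshold)
    auth.register("demo-user", "correct horse battery staple")
    tally = {"success": 0, "failure": 0, "locked": 0}
    for i, guess in enumerate(GUESSES):
        tally[auth.login("demo-user", guess, i * interval)] += 1
    return tally
```

With the default threshold the correct password in the last slot is never checked because the account is already locked; spacing the guesses beyond the lockout window shows the lock expiring as intended.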
Let’s Hear It for Fear and Loathing!
“When Scarlett Johansson’s account got hacked, that should have been a massive red flag for any celebrity who had any kind of compromising photographs in their accounts,” KnowBe4’s Sjouwerman said. “If they had nude photos of themselves on the Internet, they should have deleted them.”
Johansson’s account was hacked in 2011 and the hacker, Christopher Chaney, was jailed.
“This entire situation underscores the reality that today’s interconnected universe of networks is extremely complex and the potential access methods for criminals are many and varied,” Steve Hultquist, chief evangelist at RedSeal Networks, told TechNewsWorld.
Protect Yourself at All Times
“Celebrities have, and always will be, easy targets simply due to the amount of information about their lives which can be gleaned from any gossip site,” Evan Keiser, a security analyst at SilverSky, told TechNewsWorld.
Celebrities should hire their own IT security consultants for advice or “they’ll have to go back to the non-digital camera age when they feel like taking some saucy selfies,” Keiser added.
Users who store their photos and videos in the cloud should have a passphrase rather than a password, Sjouwerman suggested. “Use five or six short words, throw in a number or a capital letter now and then. Passphrases are not that hard to enter on a cellphone or iPad.”