Over the weekend, a major news story broke about an iCloud attack in which hackers broke into the accounts of 100 female celebrities to steal compromising nude pictures. Every. single. time there’s a “hacking” incident, the media coverage is awful— and the security advice is even worse. Case in point:
Oh my god on CNN: “Just use really strong passwords that is all you can do. Instead of using ‘password’ replace the s with a $” STOP IT
— Jessy Irwin (@jessysaurusrex) September 1, 2014
I love how media experts are telling everyone to delete photos from their photo stream, and not once mention deleting old iCloud backups.
— Jonathan Zdziarski (@JZdziarski) September 2, 2014
In all of the discussion of the incident, it’s important to note that:
- Apple’s iCloud code was not breached, but the security measures Apple had in place were not sufficient to prevent this type of attack.
- It appears that a group selectively targeted victims and hoarded private information over time. There is no evidence that they used the iBrute tool that was posted on GitHub; rather, they had a pirated copy of forensic software sold to police.
- The lack of rate limiting (the control that gives you only a few attempts to get your password right before locking you out) on the Find My iPhone API gave the thieves unlimited tries to guess the correct password.
- The methods used in this particular kind of attack ARE NOT NEW. Look, multiple people who know more about security than I do said so AND AGREED, which is nuts:
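To make the missing control concrete, here is an added example (not Apple’s code and not from this post) of what rate limiting on a login endpoint looks like: failed attempts are counted per account and per source address, and a lockout kicks in that doubles each time it is re-triggered. The account, the guess list, the lockout parameters and the FakeClock are all constructed for the demo; plaintext comparison is used only so the brute-force loop stays readable.

```python
"""Failed-login throttling: the control the Find My iPhone endpoint lacked.

Added example, not Apple's code. USERS and GUESSES are constructed demo data.
Plaintext comparison is used only so the brute-force loop stays readable.
"""
import time
from dataclasses import dataclass


# Constructed demo data: one account and a short "dictionary" of guesses,
# with the real password deliberately last so an unthrottled loop reaches it.
USERS = {"victim@example.com": "Spring2014!"}
GUESSES = ["password", "123456", "letmein", "Summer2013", "Spring2014!"]


def unlimited_login(user, password, source_ip):
    """The 2014 behaviour: every request is evaluated, no matter how many
    have already failed. Returns "ok" or "bad_password"."""
    return "ok" if USERS.get(user) == password else "bad_password"


@dataclass
class FailureRecord:
    failures: int = 0        # consecutive failures since last lockout/success
    lockouts: int = 0        # how many times this key has been locked out
    locked_until: float = 0.0


class ThrottledLogin:
    """Counts failures per account AND per source address, so an attacker
    rotating IPs still hits the account lock, and one IP hammering many
    accounts hits the source lock. Lockout length doubles on each repeat."""

    def __init__(self, max_failures=3, base_lockout=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock               # injectable so the demo can skip ahead
        self.by_account = {}
        self.by_source = {}

    def _locked(self, rec):
        return self.clock() < rec.locked_until

    def attempt(self, user, password, source_ip):
        now = self.clock()
        acct = self.by_account.setdefault(user, FailureRecord())
        src = self.by_source.setdefault(source_ip, FailureRecord())
        # Refuse before evaluating the credential: a locked request must not
        # reveal, via timing or a different error, whether the guess was right.
        if self._locked(acct) or self._locked(src):
            return "locked"
        if USERS.get(user) == password:
            acct.failures = 0
            return "ok"
        for rec in (acct, src):
            rec.failures += 1
            if rec.failures >= self.max_failures:
                rec.lockouts += 1
                rec.locked_until = now + self.base_lockout * 2 ** (rec.lockouts - 1)
                rec.failures = 0
        return "bad_password"


class FakeClock:
    """Deterministic stand-in for time.monotonic() (constructed for the demo)."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def brute_force(login, user, guesses, source_ip="203.0.113.7"):
    """Try each guess in order; return (password_found_or_None, attempts_made)."""
    for n, guess in enumerate(guesses, 1):
        if login(user, guess, source_ip) == "ok":
            return guess, n
    return None, len(guesses)


def run_demo():
    clock = FakeClock()
    throttled = ThrottledLogin(max_failures=3, base_lockout=60.0, clock=clock)
    result = {
        "unlimited": brute_force(unlimited_login, "victim@example.com", GUESSES),
        "throttled": brute_force(throttled.attempt, "victim@example.com", GUESSES),
    }
    # Wait out the first 60 s lockout, then fail three more times: the
    # second lockout is twice as long as the first.
    clock.advance(61)
    for guess in ("qwerty", "iloveyou", "monkey"):
        throttled.attempt("victim@example.com", guess, "203.0.113.7")
    rec = throttled.by_account["victim@example.com"]
    result["second_lockout_seconds"] = rec.locked_until - clock()
    return result


if __name__ == "__main__":
    # -> {'unlimited': ('Spring2014!', 5), 'throttled': (None, 5), 'second_lockout_seconds': 120.0}
    print(run_demo())
```

The unthrottled function hands the attacker the password on the fifth guess; the throttled one locks the account after three failures, so the correct guess, when it finally comes, is never evaluated. Keying on the source address alone is not enough (the attacker just rotates addresses), which is why the account key is the one that matters; in production the records would live in a shared store rather than a process-local dict so the limit holds across every API server.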
iCloud was not hacked. iCloud accounts were hacked by leveraging a weakness in iCloud. It may seem like semantics, but it’s a big difference
— Andreas Lindh (@addelindh) September 3, 2014
There was nothing new in the Apple iCloud account hack. Usernames, security and security questions were guessed/stolen. No 0-day required.
— Nick DePetrillo (@nickdepetrillo) September 2, 2014
iBrute wasn’t a breach but a tool to simplify ‘targeted attacks on usernames, passwords, and security questions’ /cc @KimZetter @kashhill
— ashkan soltani (@ashk4n) September 2, 2014
Computer security’s dirty little secret is how much of the “hacking” people hear about is just brain-dead, color-by-numbers stuff.
— InfoSec Taylor Swift (@SwiftOnSecurity) September 1, 2014
According to Nik Cubrilovic, a security researcher who took the lead in investigating the photo leak:
After this story broke I spent some time immersed in the crazy, obsessive subculture of celebrity nudes and revenge porn trying to work out what they were doing, how they were doing it and what could be learned from it.
1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).
2. The goal is to steal private media from a target’s phone by accessing cloud-based backup services that are integrated into iPhone, Android and Windows Phone devices. To access the cloud-based backup requires the user’s ID, password or an authentication token.
Let that sink in for a minute— there are entire communities in the bowels of the internet organized around the activity of violating a woman’s privacy and stealing backups of her data for their own pleasure and gain, and they thrive on keeping evidence of the breach quiet.
Gotta love all the dudes ranting about invasion of privacy by the NSA while sharing nude photos of Jennifer Lawrence without her consent.
— Charles Clymer (@cmclymer) August 31, 2014
So wait– how in the hell is the common web user supposed to protect themselves from THAT?
Okay, well, there are a few things:
- Use 2-factor authentication everywhere you can, though in this specific case it wouldn’t have helped, because Apple’s two-step verification at the time did not cover iCloud backups
- Use strong, unique, random passwords
- Use passphrases, they are harder to crack than simple words
- Use a password manager like 1Password to help you do this for all 200+ online accounts you use.
Being secure isn’t easy— it’s overwhelming to those who don’t consider themselves technologically inclined, and sometimes it is wildly inconvenient. Technologists know that people suck at security, though, and the security community knows very well that the people who suck at security outnumber the people who don’t.
We (the techie people) know all of these things about our users, and yet…
You know what’s scary? After 20 years of infosec research, ‘send your phone a text message’ is the best answer we’ve come up with.
— Matthew Green (@matthew_d_green) September 2, 2014
When you look around, there are plenty of technologists who aren’t building new technologies and security tools that fit the needs of their users. (The EFF is doing great work in usability research to try to combat this.) But in many, many, many cases — so many cases, so little time— there is so much more that could be done to protect users’ passwords and the data that those passwords guard.
Technologists, take note and get on these things stat:
— End the era of plaintext password storage: salt passwords and bcrypt (or scrypt, or PBKDF2) the ever-loving hell out of them, instead of storing them raw or behind a single fast hash.
— Let people create longer, more complex passwords — I’m looking at you, consumer sites that tout PCI compliance but only let me have 8-16 characters and ask me easily-Googlable information for security questions.
— Guide users towards using words and phrases, even though this won’t catch on quickly, and even though they won’t like it.
— Build more multi-factor authentication and use it wisely to protect users.
— Stop prioritizing low barrier to entry strategies for user signups, and implement proper security (AND PRIVACY SETTINGS) by default.
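The first two items on that list are one and the same fix, so here is an added example (not code from this post or from any vendor) of what they look like together: a fresh random salt per user, a deliberately slow key-derivation function, constant-time verification, and a record format that carries its own parameters so the work factor can be raised later. It uses PBKDF2-HMAC-SHA256 from the Python standard library because bcrypt, scrypt and Argon2 all need third-party packages; the `alg$iterations$salt$hash` record format, the function names and the constructed passphrase are this example’s own.

```python
"""Salted, slow password hashing with constant-time verification.

Added example, not the post's or any vendor's code. PBKDF2-HMAC-SHA256 is used
because it ships in the standard library; bcrypt/scrypt/Argon2 are equally
valid choices. The record format "alg$iterations$salt$hash" is this example's own.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def naive_hash(password: str) -> str:
    """The 'before': a single fast, unsalted hash. Every user with this
    password gets the same digest, on this site and every other, so one
    precomputed table cracks them all at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt and a deliberately slow KDF. The record
    carries its own parameters so they can be raised later without a
    migration. Any length is accepted: the output is fixed-size regardless,
    so there is no reason to cap a passphrase at 16 characters."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record into (iterations, salt, digest), or None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, stored = parsed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return hmac.compare_digest(digest, stored)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current policy; re-hash on the user's
    next successful login, the only moment the plaintext is available."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def run_demo():
    # Constructed passphrase (over 50 characters); nothing from a real account.
    passphrase = "correct horse battery staple, but fifty-four chars long"
    rec_a = hash_password(passphrase)
    rec_b = hash_password(passphrase)
    return {
        "naive_same_digest": naive_hash(passphrase) == naive_hash(passphrase),
        "salted_records_differ": rec_a != rec_b,
        "full_passphrase_verifies": verify_password(passphrase, rec_a),
        "16_char_prefix_rejected": not verify_password(passphrase[:16], rec_a),
        "garbage_record_rejected": not verify_password(passphrase, "plaintext!"),
        "old_record_flagged": needs_rehash(hash_password(passphrase, 100_000)),
    }


if __name__ == "__main__":
    for check, passed in run_demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

Two practitioner caveats. First, if you do pick bcrypt, it silently ignores everything past 72 bytes, so either reject longer inputs or pre-hash them; the truncation is the one place a length limit is actually justified. Second, a site that imposes a hard 16-character maximum is usually telling you that the password lands in a fixed-width column or is compared raw, because nothing about a properly hashed password cares how long the input was.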
Sadly many places limit passwords to 16 char at most, thus passphrases are a no go @jessysaurusrex (which means they aren’t hashing)
— Harold Smith III (@haroldsmith3rd) September 1, 2014
“But wait!” you might be saying. “Ugh, the password is SO DEAD, SO OVER.” It doesn’t matter that we think passwords are dead and so, so over, or that people use the same one everywhere: the average technology company has neither gotten the memo nor created an authentication replacement, and the average web user has little to no idea, even after all of this iCloud screaming, that their precious, precious passwords can be cracked in seconds. After all this time, if we still haven’t gotten to know our users, if we haven’t learned by now that people do things even when we tell them not to, if our best security advice is the equivalent of behavior policing, then we’re all doing it wrong.
Don’t take nude selfies. Don’t wear skirts. Don’t drink. Don’t go back to his room. This stupid fucking list gets longer every year.
— Jessica Valenti (@JessicaValenti) September 1, 2014
WE BUILT A SHITTY INTERNET AND YOUR ONLY CONSTRUCTIVE SUGGESTION IS SEXY PEOPLE SHOULDN’T USE IT
— sarah jeong (@sarahjeong) September 2, 2014
Women: Stand PERFECTLY STILL in your house wearing long pants abstaining from booze with no Internet and you’ll probably be okay.
— Jessica Valenti (@JessicaValenti) September 2, 2014
Re “The Fappening” and the leaked private celeb nudes: It’s important to remember that this is what NSA employees do “legally” all the time.
— Rick Falkvinge (@Falkvinge) September 3, 2014
Anyone has the right to take all the pictures they want, naked or otherwise and unless they want me to see them, I have no right to see them
— Penn Jillette (@pennjillette) September 1, 2014
FYI, we shouldn’t be blaming the people who have been hacked for their victimization— we should be pointing fingers at the criminals and at the companies that ship the products that make this possible. Users and technologists both have to take responsibility for security, but how the hell can we expect the layperson to actually figure this out when *this* is the advice that the average layperson is getting?***
We *always* say this, that THIS time is the wakeup call and next time will be different… but it never is.
We have to educate and empower users about security and privacy; we are at a point where a handful of people making decisions can affect millions of people.
We have to teach the media that “hacking” is not a one-size-fits-all occurrence– there is nuance in all of this technology, and not every security issue is a massive code flaw or 0day exploit.
We need to recognize and accept that users are going to do what they want with the tools that we build, and we need to build things that will correct for that. Because if we don’t, the security theater and snake-oil of even more insecure technologies (see: Snapchat) will proliferate and our collective privacy will be even worse off than it is now.
Infosec Twitter Lifecycle: Mild Ranting → NSA/Celeb Nudes → How did this happen?! → OMFG Everything’s Broken! → Cry/Do nothing → Hype dies → Mild Ranting
— Fenrir (@semibogan) September 2, 2014
Security is a two-way street: even when our users suck at it, even when the job of educating users is difficult, we have to keep up our side of the bargain. Because right now, we are all potential targets of someone, somewhere, whether it is the NSA tracking our metadata, a data broker grabbing every bit of information it can about us, or someone hellbent on gaining access to our private information for some god-awful, nefarious, privacy-violating business. There is much, much more at stake here: companies push vulnerabilities every time they commit code, no matter how stringent their security… and the country we live in does everything in its power to further weaken the technologies we entrust with our personal, private, intimate information.
This is bullshit. We can do better. And until next time, a word of advice:
store ur nudes with viruses attached. weaponize ur nudes. train ur nudes to empty bank accounts when improperly accessed. Teach karate to ur
— Beezus, Darling (@MissObdurate) September 3, 2014
**Heartbleed was NOT a virus created to steal your passwords; it was a code flaw in OpenSSL that could silently leak the contents of a server’s memory, passwords and keys included, to an attacker who sent it a crafted request. If you cannot understand the difference between the two, you should not bother reporting about technology.
*** Media people, 4chan is not a hacker. It is not a person at all; it is an online community full of people often referred to as inhabitants of the bowels of the internet. Also, is everyone who gets unauthorized access to anything forevermore going to be referred to as a sysadmin because of Snowden? Really?