The case

The big news this week is the alleged hack of the Apple iCloud accounts of many celebrities. Hundreds of nude photos purportedly belonging to more than one hundred actors and singers have been disclosed online.

On Sunday, the pictures of 101 celebrities, including Ariana Grande, Jennifer Lawrence, Victoria Justice, Kate Upton, Kim Kardashian, Rihanna, Kirsten Dunst and Selena Gomez were posted on the online image sharing forum 4chan, and rumors report that the pictures were obtained from the celebrities’ accounts on the Apple iCloud service.

Anonymous users on 4chan claimed to have taken them from the service, and although Apple hasn’t commented on the event, analysis of the EXIF metadata embedded in the images confirms that the majority were taken using Apple devices. However, actress Mary Elizabeth Winstead claimed that her leaked pictures were taken “years ago.”

A detailed analysis of the metadata of the leaked images is available on Pastebin at the following address:

http://pastebin.com/rHSTg6i8

The anonymous user who first posted the celebrities’ photos claimed to have other pictures and explicit videos of Lawrence and requested donations via PayPal and Bitcoin for posting them.

The incident has raised questions about the level of security offered by online services like cloud storage. The iCloud service allows Apple users to automatically store their data online, including photos, documents and emails. Users can access their documents from anywhere once authenticated to the service. It’s likely that the attackers initially compromised the iCloud account belonging to one or more celebrities, then, by “chaining” between accounts, obtained access to the victims’ address books to gather data for further attacks.

The 4chan user who posted the majority of the photos was soliciting for Bitcoin donations in order to publish more leaked pictures and videos.

The analysis of the transaction records related to the Bitcoin account (18pgUn3BBBdnQjKG8ZGedFvcoVcsv1knWa) used as the collector for the donations reveals that it has received eight donations for a total of 0.26 BTC.

Figure – Bitcoin account used by the hacker who leaked the pictures

It’s unlikely that hackers have compromised the entire Apple iCloud service and its infrastructure. The alleged attacker most likely used some hack to target specific accounts.

We already discussed in the past that there are many ways to compromise a user account. An attacker could guess the user’s credentials, steal them with malware, or simply reset the victim’s account by finding the associated email address and then answering the ‘security questions’. An attacker could collect the necessary information on the victims through various forms of social engineering. The data gathered could help him to trigger an emergency procedure (e.g. password reset, backup reset) simply by answering a series of questions.

After the publication of the photos, the website The Next Web revealed the existence of code for attacking iCloud accounts that had been posted to the open-source hosting site GitHub.

The application exploits a vulnerability, already fixed by Apple, in the ‘Find my iPhone‘ service to guess passwords with unlimited attempts without being locked out.

The Find My iPhone feature allows users to locate and protect their Apple devices (iPhone, iPad, iPod touch, or Mac) if they are lost or stolen. The attacker can brute force the victim’s account, an operation that could be improved by choosing the passwords from a dictionary of words and phrases. The choice of these databases of passwords could be driven by the knowledge of the victims, of their habits and their preferences.

One of the celebrity victims of the data leak, Jennifer Lawrence, has confirmed the authenticity of her pictures. Her spokesperson called the incident a “flagrant violation of privacy” and threatened to prosecute anyone who shared the images online.

“The authorities have been contacted and will prosecute anyone who posts the stolen photos of Jennifer Lawrence,” the spokesperson said.

Security experts are speculating that photos may have been stolen from victims’ Dropbox accounts. Some have hypothesized that an insider “with access to data somewhere made a private stash” that was subsequently hacked by the individual who leaked the pictures online.

I exclude the above hypothesis because iCloud backups, including photos, are encrypted, and even by accessing the account it is not possible to decrypt the information stored in the Apple Cloud.

“Some have also pointed to the presence of a Dropbox tutorial file in one hacked account as suggesting that the third-party cloud storage service was a source of some pictures,” states The Guardian in a post on the incident.

Another popular mobile application mentioned in numerous articles on the data leak is Snapchat. Several pictures had text overlaid, which indicates that at least some of them were shared via Snapchat. Although Snapchat was affected by major security issues in recent months, it’s unlikely that a compromise of Snapchat is the cause of this breach.

At the time of this writing, Apple has fixed the security vulnerability in the Apple iCloud service that could have been exploited by attackers to violate celebrity accounts and steal their photos. The security patch comes just a few hours after hackers published hundreds of nude celebrity photos on 4chan.

The flaw – Apple’s “Find My iPhone” login vulnerable to brute force attacks

The hackers that leaked the private celebrity photos online may have exploited a flaw in Apple’s “Find my iPhone” feature which allowed an attacker to brute force a user’s account.

A few hours after the data leak, a Python script was published on GitHub that could be used to “brute force” an Apple iCloud account’s password by exploiting the vulnerability in the Find My iPhone service. An attacker could use the script to repeatedly guess passwords in an attempt to discover the right one.

The script was available for anyone, at least for a couple of days, before Apple fixed the vulnerability, blocking the accounts after five failed attempts.

It’s unclear how long this vulnerability was present in the Find my iPhone feature. The only certainty is that the flaw was exploitable by attackers who knew the victims’ email addresses.

The owner of the tool, Hackapp, reported that the fix was applied at 3:20am PT. He also remarked that there is no evidence that ibrute was involved in this incident.

“I’ve not seen any evidence yet, but I admit that someone could use this tool,” he said.

Figure – HackApp Tweet

Figure – GitHub PythonScript Read me file

The script can guess passwords repeatedly without any lockout or alert to the target. Once the password is discovered, it could be used to access the victim’s account.

Figure – Running Python script

Hackapp confirmed that this kind of flaw is very common for authentication service interfaces:

“This bug is common for all services which have many authentication interfaces,” and with “basic knowledge of sniffing and reversing techniques” it is “trivial” to uncover them, said the expert.

Hackapp also posted the slides which included details on the attack scheme and an analysis of security issues related to the iCloud keychain.

Figure – Slides published by Hackapp

An interesting point of view is that of Christopher Soghoian, principal technologist at the American Civil Liberties Union, on the flaw in the Apple system and its alleged exploitation:

“If the celebs’ iCloud account passwords were brute forced, the problem seems to be lack of rate limiting by Apple, not lack of crypto,” commented Soghoian via Twitter.
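The missing control that Soghoian and Hackapp point to is server-side: a lockout and rate limit on the authentication interface. The following Python is an added illustration, not Apple’s code and not ibrute; it wraps a password check with a per-account failure counter that locks the account after five failures, the threshold mentioned for the fix above, and records an alert for the account owner. The account names, password store and guess sequence are constructed for the demo.

```python
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 5          # lockout threshold, as in the fix described above
WINDOW_SECONDS = 15 * 60  # failures older than this no longer count


@dataclass
class AuthGate:
    """Password check wrapped with per-account failure counting and lockout.
    Hypothetical defensive example, not any vendor's implementation."""
    passwords: dict                                   # account -> secret (demo only; store hashes in practice)
    failures: dict = field(default_factory=lambda: defaultdict(list))
    locked: dict = field(default_factory=dict)        # account -> time it was locked
    alerts: list = field(default_factory=list)        # what the owner / SOC would be told

    def login(self, account, guess, now=None):
        now = time.time() if now is None else now
        if account in self.locked:
            return "locked"                           # refuse without checking the password at all
        stored = self.passwords.get(account)
        ok = stored is not None and hmac.compare_digest(stored.encode(), guess.encode())
        if ok:
            self.failures.pop(account, None)          # success clears the failure history
            return "ok"
        # keep only failures inside the sliding window, then add this one
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS] + [now]
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked[account] = now
            self.alerts.append(f"{account}: locked after {len(recent)} failed logins")
        return "denied"


def replay_guesses(gate, account, guesses, start=1000.0):
    """Feed a constructed guess sequence one second apart; return the outcome of each attempt."""
    return [gate.login(account, g, now=start + i) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    gate = AuthGate(passwords={"alice": "hunter2"})   # constructed demo account
    wordlist = ["password", "123456", "qwerty", "letmein", "welcome", "hunter2", "hunter2"]
    print(replay_guesses(gate, "alice", wordlist))     # the correct guess arrives only after lockout
    print(gate.alerts)
```

A per-account lockout on its own lets anyone who knows the email address lock the legitimate owner out, so production deployments pair it with per-source rate limiting and a recovery path, and the alert is what gives the victim the warning the vulnerable service never sent.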

A “movie” already seen

In May 2014, cyber criminals targeted a large number of Australian users of Apple’s iCloud with a sophisticated extortion scheme.

Apple users were targeted by a ransomware-like attack which locked iPhones, Macs and iPads through iCloud, with a message originating in Apple’s Find my iPhone service that stated “Device hacked by Oleg Pliss”.

Figure – iCloud hack by Oleg Pliss

Following a well-established extortion scheme, the criminals demanded a ransom of up to $100, to be sent to a specific PayPal account, to unlock the device.

“I went to check my phone and there was a message on the screen (it’s still there) saying that my device(s) had been hacked by ‘Oleg Pliss’ and he/she/they demanded $100 USD/EUR (sent by paypal to lock404(at)hotmail.com) to return them to me,” wrote a victim of the new ransomware on the Apple Support Forum.

In reality, Apple users are not facing a classic infection of their devices by ransomware; the attackers allegedly hijacked Apple’s Find My iPhone feature. In this way criminals remotely lock iOS and Mac devices and send messages demanding ransom money.

The cyber criminals were using compromised iCloud accounts that were likely not using a two-step verification process. For these accounts, hackers are able to gain device access simply by using stolen credentials.

In this attack scenario, the only way for owners of Apple devices to recover the device is to reset it in “recovery mode”, but this process erases all data stored on the device and all installed applications.

Who is the culprit?

The hunt for the culprit is open. The developer Bryan Hamade is one of the principal individuals suspected of the data leak. Reddit and 4chan users speculated that Hamade is the culprit because a screenshot posted online appeared to show a series of names connected with a web development company in Georgia.

Figure – Bryan Hamade suspected as culprit of the hack

The man denied the accusation and told the media that he only reposted the images.

“I only reposted one thing that was posted elsewhere and stupidly had my network folders visible.”

“I am not the original leaker. The real guy is on 4chan posting intermittently. He’s most likely the one behind it but it does seem the photos passed around to multiple people before being leaked, so it may just be someone who has them and didn’t hack to get them. I’d never in a million years know how to hack into any of the accounts listed. 4chan just attacked me because they like to attack anyone in situations such as this,” he said.

Hamade revealed that he is receiving continuous threats from people investigating the alleged iCloud hack:

“It’s been a nightmare and I haven’t slept in 34 hours, now. 4chan users are harassing me with non-stop phone calls and emails. They email me constantly, emailing saying they’ll hack my personal websites and keep calling my phone, calling me a fag and then hanging up. They also said they’ll hack my mom’s site, so I took it down … I regret it so much … I didn’t even get any bitcoin out of it. It’s the stupidest thing I’ve done and I hope it won’t ruin my life, though it probably will since it’s just the biggest news story.”

How to secure your personal cloud

Cloud storage services are very popular. Users and enterprises store an impressive amount of data in the cloud, and it is important to understand how to improve its protection. First of all, let me suggest activating two-factor authentication for the services that implement it, and choosing a strong password, especially when it is the only protection that preserves our data.

The Apple Media Advisory

Late Tuesday, Apple released an update to the celebrity photo investigation. The company confirmed that the pictures were stolen from celebrities’ accounts which suffered a “very targeted attack,” but its engineers exclude the possibility that the breach was caused by the exploitation of any flaws in the iCloud architecture or in the Find My iPhone feature:

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.” states the Apple advisory.

How to choose a strong password?

To compose hard-to-guess passwords, let me recommend:

  • Use long passwords (minimum length of seven characters, preferably more to increase strength)
  • Use a wide range of characters including A-Z, a-z, 0-9, punctuation and symbols, like # $ @, if possible
  • As a rule try to use at least one lower-case and one upper-case character, and at least one digit. If it is technically possible, also use a punctuation mark. This helps increase the total search space.
  • Use numbers in place of letters in some cases. Replace “i” with “1”, “E” with “3”, “A” with “4” (or @), “S” with “5”, “G” with “6”, “O” with “0”. Again, this helps increase the search space.

Avoid trivial passwords because they are always included in password dictionaries. Passwords should not include your name or login/user ID. It is important to create complex but easy-to-remember passwords. For example, suppose you’re a big fan of The Simpsons. A good password for your e-mail might be something along the lines of: Ih4teM0ntg0m3ry#Burn5 (if you do not get it, it means “I hate Montgomery Burns”). And for Facebook maybe you can use B4rT#I5#MY#Fr13nD (“Bart is my friend”, with numbers in place of letters and every word beginning and ending in uppercase). These are not so easy to guess by brute force because of the length, the character range (upper- and lower-case, numbers, and symbols), and because knowing that you like The Simpsons does not mean it is easy to derive what you think about The Simpsons characters.

When you use long expressions or phrases as a password, try to use some simple technique to substitute one letter for a different character: for example, replacing every letter ‘a’ with the ‘per cent’ symbol. This helps protect against dictionary attacks while keeping your pass phrase easy to remember.

Another possibility for users is to adopt a password manager, which also makes it practical to use long, complex passwords that differ for every service.
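To make the rules above concrete, here is an added Python check that is not part of the original article: it applies the length, character-class, login-name and dictionary rules from this section to a candidate password and estimates the brute-force search space in bits from the length and the classes present. The common-password set is a small constructed stand-in for a real breached-password list.

```python
import math
import string

MIN_LENGTH = 7  # the minimum length recommended above

# constructed stand-in for a real dictionary / breached-password list
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "simpsons", "welcome"}

# character class -> (characters in the class, size of that part of the alphabet)
CLASSES = {
    "lower-case": (set(string.ascii_lowercase), 26),
    "upper-case": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "punctuation": (set(string.punctuation), 32),
}


def search_space_bits(pw):
    """log2 of the search space a brute-force attacker faces if the password were a
    uniformly random string of this length over the classes it actually uses."""
    alphabet = sum(size for chars, size in CLASSES.values() if any(c in chars for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, login=""):
    """Apply the article's rules; return (list of violations, estimated bits)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, (chars, _) in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name} character")
    if login and login.lower() in pw.lower():
        problems.append("contains the login name")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")
    return problems, round(search_space_bits(pw), 1)


if __name__ == "__main__":
    for candidate, user in [("Ih4teM0ntg0m3ry#Burn5", "homer"), ("B4rT#I5#MY#Fr13nD", ""),
                            ("jlawrence", "jlawrence"), ("Simpsons", "")]:
        print(candidate, check_password(candidate, user))
```

The bit estimate assumes every character was chosen at random; a phrase built from dictionary words with predictable digit substitutions is weaker than that number suggests, which is why the length and the lockout on the server side matter more than the substitutions.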

Enable two-factor authentication for the Apple iCloud service

First of all, log in to your Apple account with your Apple ID.

  • Select “Manage your Apple ID and sign in”
  • Select “Password and Security”
  • Under “Two-Step Verification,” select “Get Started,” and follow the instructions.

Conclusions

Be aware that not only celebrities are exposed to such risks. No matter if you are a manager or a common individual, your data are a precious commodity in the cybercrime ecosystem. For this reason, it is important to know the main cyber threats and the principal mitigation practices. This could be just the beginning. At this moment there is a lot of confusion about the event, but the InfoSec Taylor Swift Twitter account warned that other celebrities may have been impacted:

“This is just the beginning. Folders of images with thumbnails visible have been shown, many celebs yet to be impacted who will.”

Apple told Recode on Monday it was investigating the incident to discover if these iCloud accounts had really been hacked and how.

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Natalie Kerris.

Stay tuned for more information.

References

http://www.businessinsider.com/4chan-nude-photo-leak-2014-8

http://www.businessinsider.com/icloud-naked-celebrity-photo-leak-2014-9

http://www.slideshare.net/alexeytroshichev/icloud-keychain-38565363

http://thenextweb.com/apple/2014/09/01/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked/

http://www.independent.co.uk/life-style/gadgets-and-tech/is-apples-icloud-safe-after-leak-of-jennifer-lawrence-and-other-celebrities-nude-photos-9703142.html

http://www.businessinsider.com/man-accused-of-leaking-naked-celebrity-icloud-photos-denies-everything-2014-9

http://www.zdnet.com/after-alleged-icloud-breach-heres-how-to-secure-your-personal-cloud-7000033177/

http://www.businessinsider.com/apple-fixes-security-flaw-in-find-my-iphone-software-2014-9

http://securityaffairs.co/wordpress/25288/cyber-crime/ransom-extortion-apple.html

http://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence

http://pastebin.com/rHSTg6i8

http://securityaffairs.co/wordpress/8565/security/part-1-authentication-series-a-world-of-passwords.html