rayiner | 11 years ago
I wrote this in the other thread on the leak before it died:
> Even if the leaks result from one at a time social engineering, it still really calls into question the practical security of the cloud. I doubt it's much harder to steal, e.g. confidential business documents from executives' cloud accounts than it is to steal pictures from celebrities' cloud accounts.
> If I were a big organization with confidential information, I'd really be thinking hard about my cloud policies and my BYOD policies right now. The policy at my previous employer (we handled a lot of extremely sensitive information), was pretty draconian: data never leaves a company desktop, laptop, or blackberry.
The fact that the users may be the biggest security leak is more alarming than it is relieving. Software bugs can be fixed. Getting users to follow proper security practices is much harder. And frankly, it doesn't help that the industry is actively user hostile. I gmail my passwords to myself because every site has different password rules and forces me to change my passwords too often.
You are so right on the money. We used to see hacking into celebrities' gmail inboxes, social accounts, dropbox stores - all through social engineering. We now see hacking into icloud. Next we will see hacking into gdrive, onedrive or some samsung cloud - if enough celebrities start using Android or Winphone. The pattern is the same, so is the weakest point - the actual user. Maybe it's time to educate people more instead of writing more security software.
michaelt | 11 years ago
> I'd really be thinking hard about my cloud policies
A lot of social engineering attacks involve things like security question password reset, lost second factor reset, lost access to backup e-mail/phone, and things like that.
Don't most enterprise cloud offerings dispense with things like that, because users can visit a helpdesk in person?
atmosx | 11 years ago
> The policy at my previous employer (we handled a lot of extremely sensitive information), was pretty draconian: data never leaves a company desktop, laptop, or blackberry.
Really? And how do these devices inter-communicate if data never leaves from anywhere to anywhere?
Burying a laptop in the ground would make it safe enough to keep out the bad guys.
I think this points to the inherent weaknesses in the concept of "username/password". Why do we still have this paradigm? It worked in the 80s, but I think there needs to be a new paradigm in place today. Ideally you'd want a system like public key authentication, with some bio-marker used for identity management.
karlick88 | 11 years ago
While I am completely appalled by the data breach and hope that similar things never happen to anyone again,
I would like to propose a pure thought experiment:
The hacker reportedly sold the nude photos of Jennifer Lawrence for a mere sum of $130 using bitcoin.
If we apply game theory here, this kind of data is very difficult to monetize. If you sell one copy of the data, it is then immediately distributed online for free. Although, nude photos of celebs are arguably very valuable.
The question is: What is the ideal path for these people to maximize profits?
I think the better alternative would have been a Kickstarter type model where the attacker will only release photos if it reaches a funding goal (let's say $50k). The attacker might release less revealing photos to build interest in the funding goal.
I often hear about decentralized Kickstarter models with bitcoin (multisig; or ANYONE_CAN_PAY hash type). But I always thought of them as gimmicky. This is actually a use case for it.
So going beyond the celeb photo breach, this similar model should be applied to many more scenarios, i.e.
1. you have a valuable asset,
2. but it loses value immediately after the first distribution
3. so you must capture all of the value at distribution
While I don't actually have any solid grasp of the code that would be required, I imagine it would be possible to release 1 image to show that one does indeed have a collection of "valuable" photos. Once trust has been established that the person probably does indeed have additional photos, people will be more willing to submit bitcoin.
MattyRad | 11 years ago
You overwrite each pixel of each photo with black. You assign every photo a bitcoin address and perhaps give a name describing its content (something kinky, obviously). Each photo has a set amount the person is asking for its release. As bitcoin is sent to each photo's address, more and more pixels are revealed, as a percentage of the remaining bitcoin price.
You can go further by making the first few photos far cheaper than the next (potentially more sultry) photos, creating an exponential pricing system that will likely benefit the hacker. Trust is increased as low-cost photos are revealed, and demand for more revealing photos increases as trust increases.
Thoughts?
atmosx | 11 years ago
Only someone who knows the market can maximize the profit. These pictures would make a lot of money in the hands of specific low/high (depending on the view) magazines, or someone who would want to destroy JLaw's reputation, or as ransom... How much money would JLaw pay for the original files?
However, how many people do you think can answer the above questions??
It's like when someone steals a huge pile of jewellery. He steals it, but he needs the mob to sell it... Otherwise he can't monetize.
This is exactly what happened though. A BitCoin address was posted, and the leaker was taking "donations" with the promise of delivering more pictures, showing proof that he had more by showing partial screenshots of them.
The thing that bugs me is that you could have good password practices. But if you're having a party, having a fun time (and let's face it, people are going to do shit...), and one of your friends is snapping photos of you, and they have bad password practices, then you are kind of screwed. People don't typically make friends on the basis of: do you have good password practices.
Information my friends have is something I've had to accept letting go.
hrabago | 11 years ago
I once resisted signing up to Viber because it required that I upload my entire address book. However, I found out how many of my friends are already on Viber, which means the likelihood that Viber didn't already have someone's contact information was very low. It also meant Viber already had all of my contact information.
Another scenario is Facebook's tagging. Even if I don't confirm all (or any) of my friends' tags on my face, the fact that they manually tagged the face as mine likely counts a lot for FB, so that battle is already lost.
OTOH, if you're a celebrity at a party, and you "do shit" and someone takes a picture of it, the horse has pretty much already left the barn as to whether that picture is going to show up on reddit and it's just a question of when...
Yup. And that very reason is why many people don't have social networking accounts. You can control what you share, but you can't control what your friends share.
Or: you've got good password practices, but you send content to someone who doesn't. Or they do. Or their friends do ...
dredmorbius | 11 years ago
When you realize that celebrity nudes are only the tip ("just the tip") of this iceberg, the real implications start sinking in.
The groups trading in info were also targeting exes and other associates, possibly businesspeople, politicians, and others, and the information in question isn't merely skin pics but _anything_ that was on those accounts.
Or you can use two-factor and strong passwords everywhere, but if your spouse is still using "letmein" on every account, you're gonna have a bad day soon.
> Password reset is answering the date of birth and security question challenges (often easy to break using publicly available data – birthdays and favorite sports teams, etc. are often not secrets)
city41 | 11 years ago
I really dislike this trend of "personal questions" to reset your password. The first car I owned or where I'd like to retire is easily obtained information. When are websites going to stop doing this?
I answer these questions using passwords generated from 1Password. So basically I have 4+ passwords per site that uses these questions. Very annoying.
I'm moving to nonsense and random answers stored in Lastpass but what I had been doing is just answering them as if I were one of my friends. I have a dozen friends where I know most of those answers.
DanielBMarkham | 11 years ago
So if I'm understanding this from a technical perspective, the real story is that this is/has been going on for quite some time, and there's an entire ecosystem devoted to it. The general public rarely ever sees behind the curtain, but somebody got greedy in this case and we ended up in a race to the bottom.
If true, interesting that such a layered economic structure can exist without much press or public comment -- until something like this happens.
Fascinating. Makes you wonder what percent of the total activity these 100+ celebrity invasions represent.
theDustRoom | 11 years ago
This is only half of my password; the first part is a password I can remember easily with numbers and letters, the second is the generated key.
This means that even I don't really know my password, and if someone found my YubiKey then it's useless to them without the other half that only I know.
(I do have a printout in a safe place of the key and also a backup YubiKey.)
I use this password for my computer as well as my 1Password vault, which is generally filled with randomly generated keys for each website.
Might sound a bit overkill, but if you can, why not?
amvp | 11 years ago
That sounds secure, but help me understand:
Is it the same password everywhere? How do you manage the different passwords for different services?
How do you enter your password to log in on an iPad, or on your phone?
My biggest problem with Apple's password policy is that I'm required to enter it periodically on an iPad or iPhone - meaning I can't keep it in LastPass, and complex alphanumeric passwords are even harder to enter.
Isn't showing partially blacked out private photos still a violation of privacy? If the author of this post really wants to be white hat, he should modify the image (above 14) to obscure the non-blacked out part of the photo with a different color. I'm unfamiliar with that celebrity in the picture but if I was familiar with her work, it would feel creepy to look at it.
The average user does not know much about security. They trust Apple's brand more than they trust their friends (with secrets and health apps) and they will now likely stop using many services rather than step up security.
julianpye | 11 years ago
What is interesting is that the perception among normal people I heard speak about this is that all of iCloud has been breached, i.e. everyone's photos are in the hands of hackers and they only released the pics of celebs.
The reality is of course likely that an attacker was able to hack one phone which among photos hosted contacts and mail addresses of other celebs, and from there on they got their hands on more accounts to directly target.
Anyway, my point is that to average consumers it does not mean that they need to use stronger security or that they would understand about targeted attacks. They will believe Apple has been breached and they will think more before creating private selfies or putting health data onto their until now so trusted companions.
fpgeek | 11 years ago
> 6. iCloud is the most popular target because Picture Roll backups are enabled
> by default and iPhone is a popular platform. Windows Phone backups are
> available on all devices but are disabled by default (it is frequently enabled,
> although I couldn't find a statistic) while Android backup is provided by
> third party applications (some of which are targets).
Fragmentation, for the (security) win!
</sarcasm>
Not really, of course. The big win (shared by Windows Phone) is simply not turning on the security-sensitive cloud service by default. That being said, it is worth noting that enabling/encouraging third-party service competition can create an extra hurdle by discouraging cloud-service monocultures.
I think the cloud has proven to be untrustable. One must assume that any data on any public cloud service (including email, photo libraries, documents, mobile device backups, etc.) will become public, and use the cloud with that mentality.
Reddit should not be listed among the sites hosting the stolen images, as reddit does not support image uploads. Imgur is the primary site hosting the stolen images in that case.
I'm wondering if a simple GeoIP check can prevent lots of intrusion attempts - if the user consistently logs in from one location and then suddenly tries to log in with the wrong password from a distant one, that's a red flag that warrants a temporary account lockout at least.
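The heuristic proposed in that comment, as an added example that is not code from the thread or from any of the services it discusses: each user's "home" location is the most frequent location of their past successful logins, and a failed password attempt from a location more than a threshold distance away triggers a temporary lockout. The `GEOIP` table is a constructed stand-in for a real GeoIP database lookup (documentation IP ranges, made-up coordinates), and the thresholds and event timeline are assumptions for illustration.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed stand-in for a GeoIP database lookup (addresses are from the
# documentation ranges; coordinates are made up for this example).
GEOIP = {
    "203.0.113.10": (37.77, -122.42),   # the user's usual city
    "203.0.113.11": (37.79, -122.40),   # same city, different address
    "198.51.100.7": (55.75, 37.62),     # thousands of km away
}


@dataclass
class LoginEvent:
    user: str
    ip: str
    success: bool
    ts: float  # seconds since epoch


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


class GeoAnomalyDetector:
    def __init__(self, max_km=1000.0, min_history=3, lockout_s=900):
        self.max_km = max_km            # distance beyond which a failure is anomalous
        self.min_history = min_history  # successes needed before a baseline exists
        self.lockout_s = lockout_s      # lockout is temporary, not permanent
        self.history = defaultdict(list)  # user -> locations of past successful logins
        self.locked_until = {}            # user -> epoch seconds

    def home(self, user):
        """Most frequent location of past successes, or None without a baseline."""
        locs = self.history[user]
        if len(locs) < self.min_history:
            return None
        return Counter(locs).most_common(1)[0][0]

    def observe(self, ev):
        """Return 'locked', 'lockout', 'allow' or 'reject' for one login event."""
        if ev.ts < self.locked_until.get(ev.user, 0):
            return "locked"             # even a correct password is refused while locked
        loc = GEOIP.get(ev.ip)
        if ev.success:
            if loc is not None:
                self.history[ev.user].append(loc)
            return "allow"
        home = self.home(ev.user)
        if home is not None and loc is not None and haversine_km(home, loc) > self.max_km:
            self.locked_until[ev.user] = ev.ts + self.lockout_s
            return "lockout"            # wrong password from far away: temporary lockout
        return "reject"                 # ordinary failed attempt, left to normal rate limiting


def run_sample():
    """Constructed event stream: three successes at home, then a failure at home,
    then a failure and a success from far away, then a success after the lockout expires."""
    det = GeoAnomalyDetector()
    events = [
        LoginEvent("alice", "203.0.113.10", True, 0),
        LoginEvent("alice", "203.0.113.10", True, 100),
        LoginEvent("alice", "203.0.113.11", True, 200),
        LoginEvent("alice", "203.0.113.10", False, 300),
        LoginEvent("alice", "198.51.100.7", False, 400),
        LoginEvent("alice", "198.51.100.7", True, 500),
        LoginEvent("alice", "203.0.113.10", True, 1301),
    ]
    return [det.observe(ev) for ev in events]


if __name__ == "__main__":
    print(run_sample())
```

The lockout is deliberately short and applies to correct passwords too, since the attempt that follows a far-away failure may be the one that guesses right; a production version would pair it with a notification to the account owner and a step-up challenge rather than a hard block, because travel, VPNs and mobile carrier addresses all produce legitimate far-away logins.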
iCloud hacking was mentioned and everyone has jumped on it. Many cell transmissions are unencrypted. MITM attacks should not be thrown out as a possibility. Malware is also a vector, including apps.
harryh | 11 years ago
I agree with you about the wider industry problem, but for your own personal use just start using a password manager. Just do it.
jacquesm | 11 years ago
That's not all that draconian. Data never leaves the servers, full stop. (Other than for back-up purposes and those had better be encrypted.)
karlick88 | 11 years ago
Note:
Anyone can pay: https://bitcoin.org/en/developer-guide#term-sighash-anyoneca...
33W | 11 years ago
1. The asset requires a significant amount of resources.
2. The asset will require all resources in order to distribute.
3. No further resources are required after distribution.
Music, books, art, and even software that does not require updates would fall into this category.
greenpresident | 11 years ago
http://en.wikipedia.org/wiki/Assurance_contract
eknkc | 11 years ago
Why? Because freaking iPhone asks for that when I want to download something from App Store. How do you guys handle that?
shampine | 11 years ago
Answer could be: Ford
Instead it is Enqc or droF or Gpse
abalone | 11 years ago
To reiterate what the main bugs are that are being exploited here, roughly in order of popularity / effectiveness:
1. Password reset (secret questions / answers)
2. Phishing email
3. Password recovery (email account hacked)
4. Social engineering / RAT install / authentication keys
Note: Not weak passwords.
rasengan0 | 11 years ago
I like 2FA on LastPass but the UX is better on 1Password
For files like my Tiddlywiki http://tiddlywiki.com/, I like Minilock https://minilock.io/ with BTsync https://github.com/tuxpoldo/btsync-deb
I admit I'm lazy and have less secure login creds in my Tiddlywiki but at least it has some crypto https://crypto.stanford.edu/sjcl/