What Have We Learned from the Apple-spawned Celebrity Hack?

By Peter Bernstein September 03, 2014

At the risk of seeming like I am morphing into a platform for what can best be described as public service announcements, as with the recent JPMorgan Chase data breach, I heard from a myriad of security experts expressing their views on the nude celebrity photos relating to Apple iCloud being selectively compromised.

I have picked one of my favorites on the topic of the day since it encapsulates the thoughts of almost everyone who contacted me, along with a statement from Apple.  If nothing else, this event, and the spat of others - including a possible breach at Home Deport, should occasion everyone to taking a few deep breathes to see what, if anything, we have learned from all of this. 

An Apple a day can’t keep the bad guys away

We all now know what happened when hackers—who admitted this took “months of hard work” by multiple individuals (now underground)—posted pictures of naked celebrities and in some cases (pardon the play on words) compromised positions. In fact, as possibly an indication of the crazy world we now live in, I have seen postings decrying the lack of easy availability of the content in question.  

From a security professional perspective, there was interestingly a consensus of opinion on this one. The quote that represents the consensus and also adds a bit of granularity to what happened was one I received from Philip Lieberman, President and CEO, Lieberman Software (www.liebsoft.com/):

“The hack was a two part attack.  The first part of the attack was obtaining the email addresses (Apple IDs) of the targets. The second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or alerting.  Knowing that the iCloud service did not lock out bad password attempts allowed the attacker to try different lists of works, phrases and character combinations from existing dictionaries of words (dictionary attack) and ultimately use every possible combination of letters, numbers and punctuation via a brute force attack if desired.

Apple should have logs containing IP addresses of all parties connecting to their services and using this information, they should be able to quickly identify attackers executing large numbers of logon attempts.

This does beg the question of Apple’s incompetence in security operations. They should have detected large numbers of logon attempts from a specific address in a short period of time, and their iCloud system should have provided lockout functionality after a fixed number of bad passwords.  The technology to protect their clients from these attacks is trivial to implement and costs little to operate.  One would think that after the previous Find My IPhone hack, Apple would have realized that they needed to clean up their act in security.

To be clear, Apple was not penetrated, they simply were using a lock on their customer’s accounts that was commercially incompetent.  However, since Apple customers agree to an End User License Agreement (EULA) that effectively limits Apple’s liability to effectively zero, Apple has little to no direct financial damage, but reputation damage could be significant. Users should remember that they are using a consumer grade service with Apple and that much more secure systems exist for file storage and should be used for sensitive data.”

It should be noted that Apple happens to agree with Lieberman, except of course with the characterization of their security “incompetence.”  In fact, Apple put out a release that read as follows:

 Update to Celebrity Photo Investigation

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved. 

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232

The juxtaposition of the two statements highlights two important issues.

First, Apple while claiming it takes security seriously and confirming that there was not a massive breach of its systems; none-the-less was the source of the salacious materials. And, while not legally liable, the damage to its reputation, especially in front of it big device announcements that will happen in the next few days, could be substantial. After all the only news Apple likes to make is the news it generates and controls.

Second, the incident reveals what we should all actually know and be sensitive to and that is the stuff on our personal devices gets backed-up to the cloud. Delete does not mean delete unless it is comprehensive. This is not just an Apple challenge but one for all consumer cloud services.

 The problem is that what should be the default that governs our use of such services, i.e., strong passwords and multi-step verification, is not. The burden should not be on us as users to reset the settings, especially when deleting things from the cloud in an era where our cloud services may be replicated on the servers of those our provider relies on as back of their ecosystem means once it is up there getting it down is potentially impossible.

All of this gives urgent and new meaning to the idea that created trust on the Internet needs to be transparent and a real collaboration between the service provider and the user. Unfortunately, most of us are lazy or the steps for protection are cumbersome and confusing. In addition, the lack of liability when these things happen, as they most assuredly will, seems to be an area where law makers need to take a look.

We all understand that there is a price of free services and we assume some responsibility when we agree to the terms and conditions of using such services. However, the problem is that once it is out there it is out there.  Realities are even if content we would rather not have others review is only seeable for an instant in a real-time world there is no accounting for whom might have downloaded such content for ironically “safe keeping”, and after the fact thus, can be of little solace.

It is why while the efforts around the world to provide people the ability to “be forgotten” sounds good in theory and can mitigate certain egregious practices, as security professionals constantly remind us, no solution is perfect.  Transparency and being proactive are our best defenses along with being smart, i.e., if you don’t wish something to be seen, don’t make it easy for those with malicious intent.

Finally, and on a related matter, there could be a ripple effect that will command attention. The hackers say they were just trying to prove a point by showing how this could be done. This rings a bit hollow if as reports say there were extortion attempts to monetize the trove of celebrity images through the use of ransom via bitcoins. It raises another challenge for policy makers as to the emergence of anonymous virtual currencies in extortions of all types.

The 1980s hit TV series Hill Street Blues used to start every episode with the morning police bullpen session.  The character Sergeant Phil Esterhaus (played by the late actor Michael Conrad) used to end the weekly segment with the admonition, “Hey, let’s be careful out there.” He was also often saying, “Let’s do it to them before they do it to us.” It’s still good advice and lessons to be learned.     

Edited by Stefania Viscusi
Related Articles

Pai Makes His Case for Title II Repeal

By: Paula Bernier    11/21/2017

FCC Chairman Ajit Pai today made clear his plans to repeal Title II net neutrality rules. The commission is expected to pass his proposal at its Dec. …

Read More

Mist Applies AI to Improve Wi-Fi

By: Paula Bernier    11/9/2017

Mist has created an AI-driven wireless platform that puts the user and his or mobile device at the heart of the wireless network. Combining machine le…

Read More

International Tech Innovation Growing, Says Consumer Technology Association

By: Doug Mohney    11/8/2017

The Consumer Technology Association (CTA) is best known for the world's largest trade event, but the organization's reach is growing far beyond the CE…

Read More

Broadcom Makes Unsolicited $130B Bid for Qualcomm

By: Paula Bernier    11/6/2017

In what could result in the biggest tech deal in history, semiconductor company Broadcom has made an offer to buy Qualcomm for a whopping $130 billion…

Read More

How Google's 'Moonshot' Could Benefit Industrial Markets

By: Kayla Matthews    10/30/2017

The term "moonshot" encapsulates the spirit of technological achievement: an accomplishment so ambitious, so improbable, that it's equivalent to sendi…

Read More