What Have We Learned from the Apple-spawned Celebrity Hack?

September 03, 2014
By: Peter Bernstein

At the risk of seeming like I am morphing into a platform for what can best be described as public service announcements, as with the recent JPMorgan Chase data breach, I heard from a myriad of security experts expressing their views on the nude celebrity photos and the selective compromise of Apple iCloud accounts behind them.

I have picked one of my favorites on the topic of the day, since it encapsulates the thoughts of almost everyone who contacted me, along with a statement from Apple. If nothing else, this event, and the spate of others, including a possible breach at Home Depot, should occasion everyone to take a few deep breaths and see what, if anything, we have learned from all of this.

An Apple a day can’t keep the bad guys away

We all now know what happened when hackers—who admitted this took “months of hard work” by multiple individuals (now underground)—posted pictures of naked celebrities and in some cases (pardon the play on words) compromised positions. In fact, as possibly an indication of the crazy world we now live in, I have seen postings decrying the lack of easy availability of the content in question.  

From a security professional perspective, there was interestingly a consensus of opinion on this one. The quote that represents the consensus and also adds a bit of granularity to what happened was one I received from Philip Lieberman, President and CEO, Lieberman Software (www.liebsoft.com/):

“The hack was a two-part attack. The first part of the attack was obtaining the email addresses (Apple IDs) of the targets. The second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or alerting. Knowing that the iCloud service did not lock out bad password attempts allowed the attacker to try different lists of words, phrases and character combinations from existing dictionaries of words (dictionary attack) and ultimately use every possible combination of letters, numbers and punctuation via a brute force attack if desired.

Apple should have logs containing IP addresses of all parties connecting to their services and using this information, they should be able to quickly identify attackers executing large numbers of logon attempts.

This does beg the question of Apple’s incompetence in security operations. They should have detected large numbers of logon attempts from a specific address in a short period of time, and their iCloud system should have provided lockout functionality after a fixed number of bad passwords. The technology to protect their clients from these attacks is trivial to implement and costs little to operate. One would think that after the previous Find My iPhone hack, Apple would have realized that they needed to clean up their act in security.

To be clear, Apple was not penetrated; they simply were using a lock on their customers’ accounts that was commercially incompetent. However, since Apple customers agree to an End User License Agreement (EULA) that effectively limits Apple’s liability to effectively zero, Apple has little to no direct financial damage, but reputation damage could be significant. Users should remember that they are using a consumer grade service with Apple and that much more secure systems exist for file storage and should be used for sensitive data.”
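The two controls Lieberman says were missing, an alert on many failed logons from one source address and a per-account lockout after a fixed number of bad passwords, as an added example that is not from the article, from Apple or from Lieberman Software. The log format, accounts, addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical accounts, RFC 5737 test addresses),
# one event per line: "<timestamp> <account> <source ip> <result>".
SAMPLE_LOG = """\
2014-08-31T02:00:01 alice@example.com 203.0.113.7 FAIL
2014-08-31T02:00:02 alice@example.com 203.0.113.7 FAIL
2014-08-31T02:00:02 alice@example.com 203.0.113.7 FAIL
2014-08-31T02:00:03 alice@example.com 203.0.113.7 FAIL
2014-08-31T02:00:03 alice@example.com 203.0.113.7 FAIL
2014-08-31T02:00:04 alice@example.com 203.0.113.7 SUCCESS
2014-08-31T02:05:00 bob@example.com 198.51.100.2 FAIL
2014-08-31T02:06:00 bob@example.com 198.51.100.2 SUCCESS
"""

def parse(log_text):
    """Return (timestamp, account, source_ip, succeeded) tuples in log order."""
    rows = (line.split() for line in log_text.splitlines())
    return [(datetime.fromisoformat(ts), acct, ip, res == "SUCCESS")
            for ts, acct, ip, res in rows]

def flag_sources(events, max_failures=5, window=timedelta(minutes=1)):
    """Alerting control: source IPs reaching max_failures failed logons
    inside any sliding window of the given length."""
    recent, flagged = defaultdict(deque), set()
    for ts, _account, ip, ok in events:
        if ok:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(ip)
    return flagged

def apply_lockout(events, max_failures=5):
    """Lockout control: after max_failures consecutive failures an account
    refuses every further attempt, so a later correct guess is refused too."""
    failures, locked, outcomes = defaultdict(int), set(), []
    for _ts, account, _ip, ok in events:
        if account in locked:
            outcomes.append((account, "LOCKED"))
        elif ok:
            failures[account] = 0
            outcomes.append((account, "SUCCESS"))
        else:
            failures[account] += 1
            outcomes.append((account, "FAIL"))
            if failures[account] >= max_failures:
                locked.add(account)
    return outcomes, locked
```

With the sample data the guessing source is flagged inside the first few seconds, and alice's sixth attempt, the correct password, is refused because the account is already locked, which is exactly the outcome the quote says iCloud did not enforce.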

It should be noted that Apple happens to agree with Lieberman, except of course with the characterization of their security “incompetence.”  In fact, Apple put out a release that read as follows:

Update to Celebrity Photo Investigation

We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.

To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232

The juxtaposition of the two statements highlights two important issues.

First, Apple, while claiming it takes security seriously and confirming that there was no massive breach of its systems, was nonetheless the source of the salacious materials. And, while not legally liable, the damage to its reputation, especially ahead of its big device announcements in the next few days, could be substantial. After all, the only news Apple likes to make is the news it generates and controls.

Second, the incident reveals what we should all actually know and be sensitive to: the stuff on our personal devices gets backed up to the cloud. Delete does not mean delete unless it is comprehensive. This is not just an Apple challenge but one for all consumer cloud services.

The problem is that what should be the default governing our use of such services, i.e., strong passwords and multi-step verification, is not the default. The burden should not be on us as users to change the settings, especially when it comes to deleting things from the cloud: in an era where our cloud services may be replicated on the servers of the providers our own provider relies on as the back end of its ecosystem, once something is up there, getting it down is potentially impossible.

All of this gives urgent and new meaning to the idea that creating trust on the Internet needs to be transparent and a real collaboration between the service provider and the user. Unfortunately, most of us are lazy, or the steps for protection are cumbersome and confusing. In addition, the lack of liability when these things happen, as they most assuredly will, seems to be an area where lawmakers need to take a look.

We all understand that there is a price for free services, and we assume some responsibility when we agree to the terms and conditions of using them. However, the problem is that once it is out there, it is out there. The reality is that even if content we would rather not have others see is visible for only an instant, in a real-time world there is no accounting for who might have downloaded it for, ironically, “safe keeping”, and that is of little solace after the fact.

That is why, while the efforts around the world to give people the ability to “be forgotten” sound good in theory and can mitigate certain egregious practices, no solution is perfect, as security professionals constantly remind us. Transparency and being proactive are our best defenses, along with being smart, i.e., if you don’t wish something to be seen, don’t make it easy for those with malicious intent.

Finally, and on a related matter, there could be a ripple effect that will command attention. The hackers say they were just trying to prove a point by showing how this could be done. This rings a bit hollow if, as reports say, there were extortion attempts to monetize the trove of celebrity images through ransom demands paid in bitcoins. It raises another challenge for policy makers: the emergence of anonymous virtual currencies in extortions of all types.

The 1980s hit TV series Hill Street Blues used to start every episode with the morning police bullpen session. The character Sergeant Phil Esterhaus (played by the late actor Michael Conrad) used to end the weekly segment with the admonition, “Hey, let’s be careful out there.” He was also often heard saying, “Let’s do it to them before they do it to us.” It’s still good advice, and there are still lessons to be learned.

Edited by Stefania Viscusi