brute force attacks
Everyone has at least heard something about a recent leak of very personal data from a number of Hollywood stars. Somebody, somehow, managed to steal a number of stars’ private photos that were not supposed to be publicized. How this was done and who was behind it is not yet known. The only certain thing is that they were published on 4chan, a notorious imageboard, widely considered to be the “heart” of Anonymous internet subculture. Anonymous, in turn, are spearheading anti-surveillance, pro-privacy activism (on the Web, mostly). Apparently their notion of people’s privacy doesn’t cover private selfies of attractive celebrities. But, well, enough of this. After all there’s much to talk about from the business angle here.
Celebrities’ photos leak: why should businesses care?
Tweet
First of all, nothing goes from nowhere: if someone stole personal data, then there was a vulnerability in the storage locker. The first suspect was iCloud – there was a flaw, discovered as recently as earlier this week, and patched pretty quickly. According to The Next Web, on Monday, a Python script emerged on GitHub that appeared to have allowed malicious users to “brute force” a target account’s password on Apple’s iCloud. To “brute force” in this case means to make an unlimited number of attempts to guess passwords, without any “retaliation” from the system (which is a Gargantuan-sized security hole). Actually, it was a vulnerability in the Find My iPhone service that made it possible. Fortunately, Apple reacted promptly and fixed the problem.
“Find My Phone” flaws have been used before to lock phones and demand ransom. However this time Apple declared that iCloud wasn’t breached in celebrity photo leak, and those were individual accounts targeted:
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved,”Apple said. It also advised to use strong password and enable two-step verification. It’s quite logical to assume that in the case of the attacked celebrities strong passwords were not present. Neither was two-step verification, apparently.
In this regard, three things need emphasizing here.
1. Apple’s devices and services may be a bit more secure than the rest (or at least they are considered so), but they are definitely not immune to targeted attacks, and they have flaws too. Also, weak password and lack of two-step verification make any other protective efforts all but futile. This is a reminder for businesses employing BYOD in their networks and people who keep their working data on their personal iPhones.
2. For both individual users and businesses it is true that any sensitive information remains private until there is a more than a hypothetical possibility of an unsanctioned access to it. Or, to put it simple, the data is only private as long as you control the access to it. Be it personal pics or secret business docs, if you have them on your personal mobile devices, someone can crack the weak password, or just steal your device, etc. The data then changes hands or even becomes public. But if it is stored in an encrypted form, hackers will be in a muck of sweat trying to get to your data.
Private data is private as long as you control access to it.
Tweet
3. It’s very common for the phishers to use stolen or mined personal data as leverage for their targeted attacks – mainly to raise credibility of their messages and thus to lure other people to malicious sites or plant malware on their PCs. We have described these scenarios before. The problem is aggravated further by the fact that people often put a lot of personal data online themselves. And it is also used with malicious intent.
We leave it to our readers to draw conclusions.
