GARFIELD: This week hackers exploited security weaknesses, and human frailty, to steal and distribute nude images of several celebrities, including Oscar-winning actress Jennifer Lawrence. Unauthorized celebrity nudes are themselves not unusual. The sheer volume of stolen images, however, was -- and so was the online backlash branding onlookers not as curious media consumers but as receivers of stolen property and peeping toms. Most significant, perhaps, was the scene of the crime -- namely Apple’s iCloud storage network.
“There’s a new thing – the cloud. They want you to go to the cloud. And they’re selling it as a great idea. Just, you don’t need your stuff, just give it to us, we’ll keep it on the cloud. But you’re like, ‘Those are my pictures.’ We’ll just keep it on the cloud…”
As comedian Louis CK anticipated back in 2012, the cloud is vulnerable. Hackers managed to penetrate multiple layers of security to obtain the pictures, but how? Blogger Nic Cubrilovic decided to reverse engineer the crime -- which began, he says, with a private subculture of nudie collectors who amassed and traded these images among themselves like baseball cards. Until one guy decided to start selling off his cards outside the group.
CUBRILOVIC: The person who posted them was requesting that people in the forum pay him for receiving uncensored versions. The problem that he had was that nobody took him seriously. They resorted to posting the complete nude pictures and it propagated from there: on 4chan, on Twitter, on Reddit and other sites. Other people that had these images saw this person trying to sell these images and then decided to do the same themselves. It was like a 12-hour frenzy within this group where they went from being a super-secret celebrity image trading network to being the biggest story in the world, all because one member tried to profit from the images that he had.
GARFIELD: The hacks that we witnessed this week are frightening for a number of reasons and right at the top of the list is 'what if that were me?' What are the security measures that are in place and how can we optimize them?
CUBRILOVIC: So the main things that have been used to break into these accounts are the password resetting mechanisms that every account has. And that mechanism is usually protected by a secret question and a secret answer which everybody fills out when they sign up for an account. And then they usually completely forget about it. But Apple and other providers have a mechanism where, if you forget your password, it will prompt you with these questions to prove who you are and then it will hand the account over to you.
GARFIELD: The name of your first pet. The color of your first car. Your Dad's middle name. That sort of thing?
CUBRILOVIC: Now the problem for celebrities is that this information is very easy to discover. The other way that they find this data is that there are web-based data sets that people can pay money to query, where they can retrieve a person's credit reports and phonebook information, from which you begin to deduce mother's maiden name, favorite sports team. What users can do is go into their Apple accounts, in the area where it asks for your secret question, and change the answers to something that an attacker couldn't easily guess. For instance, if it asks what is your favorite sports team, instead of putting in the Yankees, put in a long phrase from Shakespeare or something completely unrelated.
GARFIELD: So if you're not already obscure, make yourself obscure by having security questions address things that are not public and really, really hard to discover. But that's not the only pathway in. What are the others?
CUBRILOVIC: So the other pathways in are to socially engineer or to phish somebody. Phishing is where the attacker would send someone an email pretending to be a service that that victim uses. In this case they've crafted an email that looks exactly like it came from Apple and asks the user to enter their username and password. And if the user falls for it, the hacker would have captured that information and then used it to log into the user's account. One of the guys on the forum claims that his success rate with these emails is over 30 percent.
GARFIELD: So I'm a bad guy. Because you're careless I've successfully gotten into your iCloud account. What happens next?
CUBRILOVIC: With a username and password, they have software that pretends to be an iPhone that goes to the Apple servers and says: "I'm an iPhone from this user and they've just lost all of their data. So give me a copy of all of their phone data that you've got on your service so I can restore the phone for them." It's used all the time when people accidentally delete an image on their phone. Or they might drop their phone in the ocean and lose all their data. From Apple's perspective, it's actually very difficult to distinguish between a real phone and this software that is used by the hackers to retrieve this data.
GARFIELD: They said 'Hey, there's no bug, it's not our problem.' First of all, am I paraphrasing it correctly, and if so, is that a satisfactory response?
CUBRILOVIC: I believe their response was that iCloud wasn't compromised, but some users who use iCloud may have been compromised in attacks that were very targeted. I don't believe their response was satisfactory, because most users came away blaming the victims and then not learning anything from it. There are very good reasons why Apple accounts made up the vast majority of accounts that were compromised here. And that's because the other cloud providers such as Google and Microsoft have over a decade of experience in defending against these types of attacks. So it's very disappointing that they're not using this incident to change some of their practices. And the best thing they could do would be to remove the ability to reset somebody's password using nothing more than a date of birth and two secret questions and answers.
GARFIELD: And replace it with what? Until we have biometrics where you just put your fingerprint on the screen and be recognized, there's gotta be some means of authenticating the user.
CUBRILOVIC: Authenticating the user depends on that value being a secret. It's from an era when knowing someone's mother's maiden name was difficult. Or even knowing someone's date of birth was difficult. And the way around it is for the provider to give you a code when you sign up that you would print out and store in a safe place.
GARFIELD: I just want to say one final thing Nick and that is: my mother's maiden name: Schmecklemeckledorfer.
GARFIELD: Nick, thank you so much.
CUBRILOVIC: Thank you.
GARFIELD: Nick Cubrilovic is a serial entrepreneur, a blogger, and a hacker. We spoke with him from Australia.