Even if you take no interest in celebrity gossip, you probably know about last weekend's hacking of the Apple iCloud database to steal nude photographs from the accounts of (mostly female) celebrities.
And of course, there's already at least one phishing scam related to it; if you have an iPhone, ignore any text messages or emails allegedly from the Apple support team, warning of allegedly unauthorized activities on your account and requesting your ID and password to “fix” the problem.
On Sunday afternoon, anonymous posters on 4Chan started discussing a huge cache of nude photos which had recently been stolen from the Apple Cloud; by Sunday evening, news of the photos had spread all over the Internet, especially via Twitter.
Tuaw, the “Unofficial Apple Weblog,” noted on Monday that the hackers were apparently “seeking Bitcoin contributions in exchange for the images.” In other words, trying to blackmail money out of the people whose images were stolen.
Based on the currently available evidence, it appears that the thieves managed to break into the iCloud accounts by using a “brute-force” search to crack the accounts' passwords.
In hacking terms, a brute-force attack entails using software to methodically try every possible character combination until the right one is found. Suppose, for example, a password (such as Apple's) requires eight characters, a combination of numerals and letters, case-sensitive.
There are ten different numerals (0-9), plus 52 different alphabetic characters (26 letters in the alphabet, each with an upper- and lower-case symbol). So that's 62 possible characters in each of the eight positions of the password, which means the number of different password possibilities is much higher than our cheap four-function calculator can process.
However, some quick online searching suggests the answer is 62^8, which works out to 218,340,105,584,896 (about 2.18 × 10^14). Even if that number's wrong, the correct answer is obviously far too high for any mere human to try all the different possibilities and crack the password by brute force.
But having a computer try all the different password possibilities is quite easy if you know how. Some password systems are set up to make brute force attempts impossible. Have you ever temporarily forgotten your password for a given account (or only remembered “Okay, I know it's the release date and first-line lyrics to one of my five all-time favorite songs; I just can't remember which specific song I used?”), and then, after a few failed tries, got a message saying you now had to wait a period of some minutes before you'd be allowed to try entering a password again? That was a security measure intended to prevent brute-force attacks.
Apparently Apple had no such limits in place to prevent brute-force hacking of its iCloud passwords -- though as of press time it appears the company has plugged that particular security leak.
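To show what the "wait a few minutes" defense described above actually buys, here is an added example (not code from the article or from Apple): it computes the 62^8 search space and simulates a per-account lockout with doubling wait times, then counts how many guesses a script that is wrong every time can make in a day with and without the throttle. All timings, the `LoginThrottle` class and the account name are constructed for illustration.

```python
import string

def password_space(length=8, alphabet=string.ascii_letters + string.digits):
    """Distinct passwords of the given length: |alphabet| ** length (62**8 here)."""
    return len(alphabet) ** length

class LoginThrottle:
    """Per-account throttle (constructed example): after `free_tries` failures,
    each further failure doubles a mandatory wait, capped at `max_wait_ms`.
    A real deployment would also key on source address and share this state
    across login servers, otherwise a guesser just spreads requests out."""
    def __init__(self, free_tries=5, base_wait_ms=60_000, max_wait_ms=3_600_000):
        self.free_tries = free_tries
        self.base_wait_ms = base_wait_ms
        self.max_wait_ms = max_wait_ms
        self.failures = {}      # account -> consecutive failed logins
        self.locked_until = {}  # account -> time (ms) the lock expires

    def attempt(self, account, now_ms, password_ok):
        """Return (status, wait_ms); status is 'ok', 'wrong' or 'locked'.
        A 'locked' request is refused before the password is even checked,
        so it tells the guesser nothing about the candidate password."""
        if now_ms < self.locked_until.get(account, 0):
            return "locked", self.locked_until[account] - now_ms
        if password_ok:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return "ok", 0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n <= self.free_tries:
            return "wrong", 0
        wait = min(self.base_wait_ms * 2 ** (n - self.free_tries - 1), self.max_wait_ms)
        self.locked_until[account] = now_ms + wait
        return "wrong", wait

def guesses_per_day(throttle=None, per_guess_ms=10, account="victim"):
    """Simulate a guessing script that is wrong every time and waits only as
    long as the server forces it to. Without a throttle it gets one guess
    per `per_guess_ms`; with one, the lock dominates after the free tries."""
    day_ms = 86_400_000
    if throttle is None:
        return day_ms // per_guess_ms
    now, guesses = 0, 0
    while now < day_ms:
        status, wait = throttle.attempt(account, now, password_ok=False)
        if status == "wrong":
            guesses += 1
        now += max(wait, per_guess_ms)
    return guesses
```

With the constructed settings the script drops from 8,640,000 guesses per day against an unthrottled login to 34, which is why the absence of any such limit matters far more than the exact size of the 62^8 space.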
What's especially scary is that in at least some instances, the actors didn't know their photos were still in the cloud. One of the victims, Mary E. Winstead, tweeted that “Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.”
Deleting not enough
Deleting the photos from her own phone, or even iCloud account, apparently wasn't enough.
For that matter, it's possible that photos could end up in the Cloud without their owners even realizing it. CBS spoke to Chester Wisniewski, a senior security adviser at Sophos, who said “Whether it’s an Android or an iPhone, [mobile devices] have a tendency to enable this automatic synchronization to go ‘oh, you’ve taken a photo, we’ll make this available very conveniently in the cloud.’”
(Storing your presumably private photos in the Cloud isn't the only thing your phone might be doing without your knowledge; last June, we warned you about the then-recent discovery that malicious hackers were exploiting a weakness in any mobile device set to connect with certain public wi-fi spots—again, often without their owners' awareness.)
Apple released a statement saying that “We take user privacy very seriously and are actively investigating this report.”
The Wall Street Journal reported that “A posting on online code-sharing site GitHub said a user had discovered a bug in Apple's Find My iPhone service, which tracks the location of a missing phone and allows a user to disable the phone remotely if it is stolen. The bug allowed a hacker to keep trying passwords until identifying the right one. … The GitHub post was updated on Monday to read: "The end of fun, Apple have just patched."”
If you have an iPhone, even if you have no reason to think your own password was stolen in this most recent attack, you probably should change your password just in case. And, of course, remember never to use the same password for more than one account.