Thursday, 18. September 2014

Celebrity Exposures in the Cloud


When I heard that hackers ripped off nude photos of celebrities by hacking into their iCloud accounts and then posted them on the dodgy image board AnonIB, I can’t say that I was surprised. Even though storing data this sensitive in the cloud seems like a risky practice, I am sympathetic with the sense of embarrassment these celebrities felt. After all, their personal data was stolen and then exposed without their permission. It seems to me the ease of mobile computing and data storage in the cloud should also bear part of the responsibility in this matter. You can create cloud storage accounts very easily with weak password protection. Depending on the mobile app, copying photos, music, documents, whatever to the cloud can happen automatically, sometimes when you aren’t really paying attention.

Once your files are out there, the photo albums on your mobile device can get out of sync with what you have stored in the cloud. I don’t think it is clear to many users what’s happening to their data in the cloud or in some cases how it even got there.

Just Another Day of Hacking in the Cloud

It appears that the hacker known as “OriginalGuy” was responsible for breaking into iCloud to steal the celebrity photos. The first step of the hack was to get the email address associated with an intended victim’s iCloud account by entering several possible email addresses at Apple’s “My Apple ID – Create an Apple ID” page.

If an email address is entered that is currently in use, the page tells the user to enter another valid address. At this point the hacker knows he has the email address for an existing account. He can then try to log in with this email address by guessing the password or using a password cracker. If the password is weak, then that makes the job of hacking into the account all the easier. This technique works on more services than just iCloud. It can also be used for DropBox and any other service that tells the hacker whether or not any given email address is associated with an existing account when a new account is created.
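The weakness described above is a sign-up form that answers differently for registered and unregistered addresses. As an added example (not code from this post or from any service it names), the Python below contrasts that behaviour with a handler that returns one response in both cases and throttles repeated attempts; all names, messages and limits are hypothetical.

```python
from collections import defaultdict, deque

EXISTING = {"alice@example.com"}   # constructed sample accounts
OUTBOX = []                        # stand-in for the outgoing mail queue
GENERIC = "If this address can be used, a confirmation link has been sent to it."
MAX_ATTEMPTS, WINDOW_SECONDS = 5, 3600   # assumed limits, tune per service
_attempts = defaultdict(deque)     # client id -> timestamps of recent attempts


def signup_leaky(email):
    """Behaviour the post describes: the reply reveals that an account exists."""
    addr = email.strip().lower()
    if addr in EXISTING:
        return "That address is already in use. Enter another valid address."
    OUTBOX.append((addr, "confirm-new-account"))
    return "Check your inbox to confirm your account."


def throttled(client_id, now):
    """Sliding-window limit on sign-up attempts from one client."""
    recent = _attempts[client_id]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()
    if len(recent) >= MAX_ATTEMPTS:
        return True
    recent.append(now)
    return False


def signup_uniform(email, client_id, now):
    """Same reply for every address; only the mailbox owner learns the outcome."""
    if throttled(client_id, now):
        return "Too many attempts. Try again later."
    addr = email.strip().lower()
    # An existing owner gets a notice instead of a confirmation link, so the
    # web response carries no signal about whether the account exists.
    kind = "already-registered-notice" if addr in EXISTING else "confirm-new-account"
    OUTBOX.append((addr, kind))
    return GENERIC
```

The two branches of `signup_uniform` should also take similar time to respond, since a measurable delay on one branch leaks the same information as a different message.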

Mobile Sharing of Data Can Be Too Easy

Most of the mobile cloud storage apps I’ve seen allow you to automatically upload pictures from your smartphone to your cloud storage account. If you have several such accounts that do this, it’s not hard to lose track of which picture goes to what storage service and when.

Recently I noticed that when I took pictures on my iPhone they would be automatically transferred to my DropBox account either over WiFi or when I plugged my phone into the USB port on my laptop. I don’t remember configuring my DropBox app to do this. It just seemed to start one day. It might have started after I did a DropBox upgrade or maybe I unknowingly enabled this functionality. But whenever it happened, the outcome of my actions or those taken by the software was not clear to me.

That is the salient point: I consider myself a fairly tech-savvy person, being a software developer who is in contact with computer technology, mobile and otherwise, on a daily basis. Yet somehow I lost track of how automatic photo uploading to DropBox had been enabled on my smartphone.

I had to go into my mobile application settings to manually disable this “feature.” It’s not hard for me to imagine less knowledgeable, significantly more distracted movie celebrities not realizing their photos are being sent to parts unknown (to them).

iCloud adds an interesting wrinkle to all of this. It turns out that an iPhone synchronizes files to iCloud only when the device is locked, connected to a WiFi network and charging. If anyone using an iPhone doesn’t realize this – show of hands, those of you (celebrities) who don’t know this – it’s possible to have uploaded photos to iCloud while on WiFi at one point in time, then delete them from the iPhone at a later point in time when not on WiFi. The result: potentially embarrassing photos remain on iCloud that the celebrity thinks were deleted, because they were deleted from the iPhone when one or more of the 3 criteria were not met. This could happen to anyone.

What’s a Mobile User to Do?

There are several things users can do to improve their iCloud password security as discussed by Trend Micro Vice President, Security Research, Rik Ferguson in his blog Naked celebrities revealed by “iCloud hack”. This article is recommended reading for anyone using smartphones.

It’s good to know as much as you can about how to use and configure the mobile storage apps on your smartphone. Make sure you can enable or disable automatic transfer of photos to your cloud storage service.

But most importantly, do like Rik says at the end of his blog – “stop taking naked pictures” – at least with your smartphone.