More data breaches of celebrity photos

September 22, 2014

The media has spilt several barrels of ink over the unauthorised access to nude and otherwise compromising photographs of various celebrities in iCloud, notably Jennifer Lawrence, with “Nude photos of Jennifer Lawrence and other celebs posted by hacker” and “Jennifer Lawrence nude photo backlash: online community slams privacy breach”, and with the cybersecurity consequences covered in “Celebrity nude photo theft: How to make sure your phone’s photos stay secure” and “Andrew Hornery: Jennifer Lawrence pics aren’t the scandal, lack of iCloud security is”, just to name a few articles. After a short pause there is another reported breach of cyber security involving celebrity photographs, in “Stolen nude photos of Rihanna, Kim Kardashian and more female celebrities leaked online”. Photographs of anyone are personal information for the purpose of the Privacy Act. It is not surprising that photographs of celebrities would be the focus of a hacker’s interest. The interesting issue for an organisation would be, knowing that, what additional security should be put in place to protect against an attack.

The article provides:

More female celebrities appear to have been targeted by hackers, with explicit images of Rihanna, Kate Bosworth and new images of Jennifer Lawrence being leaked online.

Dozens of personal photos of the stars were uploaded to the online bulletin board 4chan and Reddit on Sunday, US time, in what is thought to be a continuation of the privacy breach that resulted in hundreds of naked photos of actresses being circulated online earlier this month.

Lawrence, one of the most high-profile actresses in the previous leak, appears to have fallen victim again, while nude images of Kim Kardashian and Rihanna were also circulating. 

Actresses including Amber Heard, Hayden Panettiere, Vanessa Hudgens, Gabrielle Union, designer Mary-Kate Olsen, and soccer star Hope Solo also appeared to have been hacked, with new personal photos and videos being posted.

There was discussion on Reddit that Modern Family star Sarah Hyland had been hacked but that the photos did not show her face. 

One topless photo of Heard features a message to her fiance, actor Johnny Depp, TMZ reported.

Union, who has appeared in the films 10 Things I Hate About You and Bring It On, released a statement saying her legal team was contacting the Federal Bureau of Investigation.

“It has come to our attention that our private moments, that were shared and deleted solely between my husband and myself, have been leaked by some vultures,” she and her husband, basketball player Dwyane Wade, wrote in the statement, published by TMZ.

“I can’t help but to be reminded that, since the dawn of time, women and children, specifically women of colour, have been victimised, and the power over their own bodies taken from them. These atrocities against women and children continue worldwide.

“For anyone out there also being affected by these and other hacking and hate crimes – We send our love, support and prayers. We have done nothing wrong.”

Following the first privacy breach this month, Apple released a statement saying it was trying to identify those responsible.

“Our customers’ privacy and security are of utmost importance to us,” the statement said.

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet.

“None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.

“We are continuing to work with law enforcement to help identify the criminals involved.”

The FBI and Apple have not responded to requests for a comment on the latest breaches, The Daily Telegraph in London reported.

Wired, in “The Police Tool That Pervs Use to Steal Nude Pics From Apple’s iCloud”, has an interesting take on the issue, going into technical detail one does not normally see in the reportage.

As nude celebrity photos spilled onto the web over the weekend, blame for the scandal has rotated from the scumbag hackers who stole the images to a researcher who released a tool used to crack victims’ iCloud passwords to Apple, whose security flaws may have made that cracking exploit possible in the first place. But one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.

On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.

“Use the script to hack her passwd…use eppb to download the backup,” wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. “Post your wins here ;-)”

Apple’s security nightmare began over the weekend, when hackers began leaking nude photos that included shots of Jennifer Lawrence, Kate Upton, and Kirsten Dunst. The security community quickly pointed fingers at the iBrute software, a tool released by security researcher Alexey Troshichev designed to take advantage of a flaw in Apple’s “Find My iPhone” feature to “brute-force” users’ iCloud passwords, cycling through thousands of guesses to crack the account.

If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.

On Tuesday afternoon, Apple issued a statement calling the security debacle a “very targeted attack on user names, passwords and security questions.” It added that “none of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”

But the conversations on Anon-IB make clear the photo-stealing attacks aren’t limited to a few celebrities. And Zdziarski argues that Apple may be defining a “breach” as not including a password-guessing attack like iBrute. Based on his analysis of the metadata from leaked photos of Kate Upton, he says he’s determined that the photos came from a downloaded backup that would be consistent with the use of iBrute and EPPB. If a full device backup was accessed, he believes the rest of the backup’s data may still be possessed by the hacker and could be used for blackmail or finding other targets. “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

Elcomsoft is just one of a number of forensics firms like Oxygen and Cellebrite that reverse engineer smartphone software to allow government investigators to dump the devices’ data. But Elcomsoft’s program seems to be the most popular among Anon-IB’s crowd, where it’s been used for months prior to the most current leaks, likely in cases where the hacker was able to obtain the target’s password through means other than iBrute. Many “rippers” on Anon-IB offer to pull nude photos on behalf of any other user who may know the target’s Apple ID and password. “Always free, fast and discreet. Will make it alot easier if you have the password,” writes one hacker with the email address eppbripper@hush.ai. “Willing to rip anything iclouds – gf/bf/mom/sister/classmate/etc!! Pics, texts, notes etc!”

One of Anon-IB’s rippers who uses the handle cloudprivates wrote in an email to WIRED that he or she doesn’t consider downloading files from an iCloud backup “hacking” if it’s done on behalf of another user who supplies a username and password. “Dunno about others but I am too lazy to look for accounts to hack. This way I just provide a service to someone that wants the data off the iCloud. For all I know they own the iCloud,” cloudprivates writes. “I am not hacking anything. I simply copy data from the iCloud using the user name and password that I am given. Software from elcomsoft does this.”

Elcomsoft’s program doesn’t require proof of law enforcement or other government credentials. It costs as much as $399, but bootleg copies are freely available on bittorrent sites. And the software’s marketing language sounds practically tailor-made for Anon-IB’s rippers.

“All that’s needed to access online backups stored in the cloud service are the original user’s credentials including Apple ID…accompanied with the corresponding password,” the company’s website reads. “Data can be accessed without the consent of knowledge of the device owner, making Elcomsoft Phone Password Breaker an ideal solution for law enforcement and intelligence organizations.”

Elcomsoft didn’t respond to a request for comment.

On Monday, iBrute creator Troshichev noted that Apple had released an update for Find My iPhone designed to fix the flaw exploited by iBrute. “The end of fun, Apple have just patched,” he wrote on Github. But Anon-IB users continued to discuss stealing data with iBrute in combination with EPPB on the forum Tuesday, suggesting that the fix has yet to be applied to all users, or that stolen credentials are still being used with Elcomsoft’s program to siphon new data. Apple didn’t immediately respond to WIRED’s request for further comment, though it says it’s still investigating the hack and working with law enforcement.

For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn’t depend on any “backdoor” agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.

“When you have third parties masquerading as hardware, it really opens up a vulnerability in terms of allowing all of these different companies to continue to interface with your system,” he says. “Apple could take steps to close that off, and I think they should.”

The fact that Apple isn’t complicit in law enforcement’s use of Elcomsoft’s for surveillance doesn’t make the tool any less dangerous, argues Matt Blaze, a computer science professor at the University of Pennsylvania and frequent critic of government spying methods. “What this demonstrates is that even without explicit backdoors, law enforcement has powerful tools that might not always stay inside law enforcement,” he says. “You have to ask if you trust law enforcement. But even if you do trust law enforcement, you have to ask whether other people will get access to these tools, and how they’ll use them.”

 

 
