2014’s celeb leak that bears a lesson on security

Zack Chapepa Avatar

image

There are a lot of topics with regard to security, attempting to paint a picture that everyone is entitled to it. And everyone is. When security is breached, it takes a whole new meaning depending on what has been mined.

On 1 September, an account on the website 4Chan posted hundreds of A-list celebrity photos. These weren’t photos from a camping trip or something, they were revealing photos.  ‘selfies’ probably taken for a loved one or for personal reasons. How these images were obtained was a mystery.

The photos were personal photos of celebrities that included The Hunger Games actress Jennifer Lawrence, actor and singer Ariana Grande and Kate Upton just to mention a few . Some of the images were deemed to be fake but others were confirmed to be real. This led to what is being called  The “Celebgate”

Most of these images went viral(not surprisingly), some even going for sale.

Possibilities leading to this breach have been pointing to Apple’s cloud services iCloud. A cloud service that stores photos and videos from users’ devices. Apple has been tirelessly working with the FBI to bring the perpetrators to justice who have yet to be found.

In a report, Apple has confirmed that some of the images were obtained from the victims’ accounts but this was not a system-wide breach. This was a targeted breach where hacking software was used to obtain passwords and relative security answers.

Accounts and images related to this scandal have already been taken down on Twitter and other online sites. A take-down notice was issued as soon as the next day.

The lesson we draw from this is nothing new. Always remember to use a secure password. If a two-step authentication service is available, use it. Make the most out of the security services available because nothing ever really is as safe as you think it might be. A secure password contains characters and numbers that make it hard to guess your password.

Hackers and phishers don’t always target your credit card details alone. Heartbleed showed a great deal about that. They can steal your Facebook credentials, and post inappropriate or sensitive information on your wall. They could also end up selling your credentials online.

Sensitive content of this nature cannot be equated to the “leaking”  tapes from our local institutions that seem to be churned by the hundreds. These types of leaks can potentially damage their careers from the ground up. For the most part, this serves as a lesson that the internet is broken, the world is broken. Do your part to fix this by securing your information.

Had any experiences where your passwords, credentials or accounts have been compromised? Please leave it in the comments below

,

10 comments

  1. tinm@n

    Two step authentication and secure password use are just one of many ways to safeguard access to your account through THE FORMALLY DEFINED PROCESS!

    It DOES NOT PROTECT YOU from any underlying weaknesses on the system on which that service or product runs.

    Best thing to do when using “the cloud” is to tell yourself your data has a chance of going public. Tell yourself it is public, then upload or sync after resigning to that fact.

    If its so private that you would not want anyone to see it,simply do not upload it. That is the truly 100% security that can be assured. 0% risk.

    1. Zack Chapepa

      Hello, tinm@n

      Thanks for your comment but that’s not necessarily the case here. As stated in the article, this wasn’t a vulnerability in Apple’s iCloud as the investigation points out (sidenote Apple wasn’t affected by Heartbleed if you didn’t know). This hack was a product of what we call social engineering. Unlike a man-in-middle or general hack, the hacker used software that could guess passwords by entering multiple attempts (software called ibrute) and this could easily be averted by a two step authentification process. Also, for celebs being public figures, a security question like “who is your uncle” is not secure per se.

      1. aby

        there’s no such thing as a “secure system” . At some point a vulnerability will be found. I agree that if you want to upload stuff to the cloud, resign yourself to it being public. BTW several accounts were hacked at almost the same time-this could be an icloud issue

      2. tinm@n

        You’re preaching to the choir there. And mixing many things wrongly at the same time.

        I think you also need to revisit what social engineering is. It involves tricking people to divulge details that can “help” breach their security.

        1. Zack Chapepa

          Social engineering was used to obtain more information on “relative security questions” sir, I don’t know what your assertion is but it’s falling on the wrong side of the discussion.

          So again I repeat, no vulnerabilities were found on iCloud, the hackers used different forms of social engineering, software (that has been secured by a patch) to access targeted accounts.

          Please feel free to point out how social engineering could not be used, your definition feels like a twisted result obtained from Google. If you feel you need a better way out of this you could type “social engineering the fappening” on Google and see where that leads you

          1. tinm@n

            This is what you said, ad verbum:

            “This hack was a product of what we call social engineering. Unlike a man-in-middle or general hack, the hacker used software that could guess passwords by entering multiple attempts (software called ibrute) and this could easily be averted by a two step authentification process.”

            Now, may not be a native english speaker but I absolutely comprehend a great part of it.

            That statement and explanation of how they used social engineering is WRONG. It is not my opinion.

            As for the rest of my comment, you cannot assure 100% security. That too is fact. As long as you have a computing system connected to a network, you have lost a great degree of the assurance that your data is safe. Having found no vulnerabilities does not mean they do not exist. It means, as far as THEY KNOW, using the knowledge THEY HAVE, and the tests THEY DEFINED, they are confident that it is secure.

            My main point was that no matter what form of authentication or security you have applied, you are only as secure as:
            1) the underlying system on which the service runs
            2) the finite number security tests & programming best-practices you have applied to safegaurd the integrity of your system, its data and all the underlying layers from OS to hardware level.
            3) the people who applied them

            The ONLY 100% assurance you can ever have is there being no data to steal. No privacy to breach.

            I am not debating

  2. Zack Chapepa

    Hi, tinm@n

    What I’m getting from this is maybe we’re not following the same train of thought. Your point stands to reason that no networked system is entirely secure which I totally agree.

    My response with regard to your comment was to point out that this hack wasn’t a system-wide breach and with social engineering they used the Find My iPhone feature to mine credentials from some accounts.

    Going around in circles but I think it’s best I clear that out.

    1. enne

      “…the hacker used software
      that could guess passwords by entering
      multiple attempts…” I feel giving a user multiple attempts is a security flaw on the part of Apple which hackers took advantage of. Automatically storing images onto icloud by default doesn’t go down well with me.

      1. Zack Chapepa

        Indeed, they have since patched that flaw to a limited number of attempts, which I think is good news. I also think they should have an opt in feature so that people can choose if they want their photos uploaded automatically.

        1. enne

          +1

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed