Sep 04 2014
 

So apparently a whole bunch of celebrities have had their naked selfies leaked by some “hacker”. As to how this was done, we don’t really know and will probably never know given that Apple is so secretive. But we can guess some possibilities :-

  1. The hacker built up a list of possible account names – jennifer (Jennifer Lawrence) might be a good one to try – and then tried the top 100 dumbest passwords against each one in turn. You would not get every single account this way, and a fair few would turn out to be a fan of Jennifer Lawrence rather than the celebrity herself. But you would get a few that way.
  2. The hacker targeted the celebrities with a phishing attack – basically asking the celebrity what their account password is. This sounds too unlikely to succeed, but with a plausible looking login page it does work surprisingly often. It’s not just the terminally stupid that fall victim to such attacks; the victims are really those who are too trusting and often in too much of a hurry.
  3. The next method a hacker might use is to tackle Apple’s password reset service which uses “memorable information” such as the name of your first school, your mother’s maiden name, etc. There is always a bit of a problem with “memorable information” such as this – it isn’t really that private, and a celebrity is likely to have “leaked” all such private information over time.
  4. Through some unknown vulnerability in Apple’s iCloud service. Given that we suspect that iCloud has certain “issues” with security (apparently Apple has no intruder lock out to make password guessing attacks harder), this isn’t impossible but I would guess that it is less likely than the more obvious attacks above.
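To make the "intruder lock out" point concrete, here is a small sketch of what a login service can do about the guessing described in the first possibility. It is an added example, not anything from Apple or from the original post; the class name, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counters per account and per source address."""

    def __init__(self, window=900, max_per_account=5, max_accounts_per_source=3):
        self.window = window                              # seconds of history kept
        self.max_per_account = max_per_account            # failures that lock an account
        self.max_accounts_per_source = max_accounts_per_source
        self.by_account = defaultdict(deque)              # account -> (time, source)
        self.by_source = defaultdict(deque)               # source  -> (time, account)

    def _expire(self, q, now):
        while q and q[0][0] <= now - self.window:         # drop entries outside the window
            q.popleft()

    def account_locked(self, account, now):
        q = self.by_account[account]
        self._expire(q, now)
        return len(q) >= self.max_per_account

    def source_blocked(self, source, now):
        q = self.by_source[source]
        self._expire(q, now)
        # Count distinct accounts: one guess each against many names never
        # trips the per-account limit, so the source is tracked separately.
        return len({acct for _, acct in q}) >= self.max_accounts_per_source

    def attempt(self, account, source, password_ok, now):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.account_locked(account, now) or self.source_blocked(source, now):
            return "blocked"                              # refused before the password is checked
        if password_ok:
            return "ok"
        self.by_account[account].append((now, source))
        self.by_source[source].append((now, account))
        return "failed"

def replay(events):
    """Feed (time, account, source, password_ok) tuples through a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.attempt(acct, src, ok, t) for t, acct, src, ok in events]

# Constructed sample: one source guessing across four account names.
SPRAY = [(0, "user1", "203.0.113.7", False), (1, "user2", "203.0.113.7", False),
         (2, "user3", "203.0.113.7", False), (3, "user4", "203.0.113.7", False)]

if __name__ == "__main__":
    print(replay(SPRAY))
```

While an account is locked, the real owner is refused as well until the window expires, which is the usual trade-off with this kind of lock out.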

There’s a great deal of hateful “slut-shaming” going on over this celebrity leak which apart from anything else is really missing the point. It may be embarrassing for naked selfies to be leaked, but other personal information could be dangerous if leaked – the celebrity’s home address and alarm codes?

It is not the victim’s fault; it’s the fault of the anonymous (at the moment) hacker.

But the victim can improve their behaviour to make it harder to victimise them :-

  1. First of all if you’re called Jennifer Lawrence, don’t use any permutation of your name as a username; or even enter that as your full name into any cloud service. Make one up.
  2. Make sure you are using a sensible password. It needn’t be excessive, but anything that is just a single word is just not good enough.
  3. Be less trusting with your account credentials. Make sure you know what the location bar in your browser is and where it is, and check it when you log in. And don’t click on links in emails.
  4. If the service you are using offers two-factor authentication, turn it on.
  5. Learn about security; you are a target. Don’t go overboard (but see step 6), but spend an hour a week doing a little reading and taking steps to improve your personal security.
  6. Hire or befriend a geek who can act as your early warning system for threats. And someone you can go to for advice.

Note that I haven’t said “don’t take naked selfies” – it may be a bit foolish, but a life without a bit of foolishness is hardly a life at all.

And of course most of those suggestions work for ordinary people and not just celebrities!