On Tuesday, September 2, Tony Bradley of PC World reported that security experts have been suggesting that hackers were able to steal photos of celebrities by simply using detective work to figure out the passwords used by stars such as Jennifer Lawrence or Kate Upton. Apple is claiming that the security of their iCloud service, which many people use to store photos and personal data, has not been compromised.
According to Bradley, "Apple has issued a statement confirming that certain celebrity iCloud accounts were compromised but notes, 'None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.'
"Boris Gorin, head of security engineering at FireLayers, thinks we shouldn’t be throwing stones at iCloud. 'The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan—making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.'
"Gorin shared a theory the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials. That's not a security flaw with iCloud and having a strong or complex password wouldn't offer protection against transmitting that password in clear text on a public Wi-Fi network."
Kyle Alspach of BetaBoston shared the official Apple statement Bradley mentioned in his article. Apple is suggesting that the celebrities who have been targeted by hackers should have used stronger passwords. They also provided a link to their website that explains how someone may improve the security of his or her iPhone or other device.
According to Apple, "We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
"... To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232."
In theory, most people who use the service are safe as long as they take sensible measures, such as not logging into their accounts over public Wi-Fi networks and not reusing one password for everything. However, depending on how much information about someone is available on the Internet and on social media networks such as Facebook and Twitter, it may be easy for determined hackers to figure out that person's password and the answers to his or her security questions.
On Wednesday, September 3, two Guardian Australia reporters named Nick Evershed and Paul Farrell decided to see how easy it would be to hack into each other's iCloud accounts. In a blog entry, they described attempts to change each other's Apple ID passwords using methods similar to the hackers'. Ultimately, they failed to hack each other, but they were able to get surprisingly far using simple methods such as looking at each other's Facebook pages and Twitter feeds.
According to Farrell and Evershed, "Accessing someone’s Apple account requires only three things: their email address, their date of birth, and the answers to two out of three security questions. This is assuming they don’t have two-step verification enabled.
"If you have all these, you’re able to reset their Apple ID password to one that only you know and then access their iTunes and iCloud accounts. You don’t require access to their email. Once you have access to their Apple ID, you can access recent photos and back-ups if they have these features enabled.
"While we don’t know the exact method people used to access celebrities' accounts, Apple did release a statement which appears to confirm that a method similar to that described above was used. The main issue with this setup is that if you're a celebrity, or are someone who has been using social media for a long time and revealed various details about your life, then the answers to the security questions could be available online."
Apple asks people to choose three security questions from a list of 21 that includes things such as, "What was the first name of your first boss?" or "What was the first car you owned?" These questions may be sufficient to stop strangers, but someone who knows the person in question may be able to answer some or all of them correctly. In the case of famous people, Evershed and Farrell came to the conclusion that there may be enough information about them for a hacker to figure out who their favorite teachers were in high school or the makes and models of their first cars.
According to Evershed, "Getting Paul’s date of birth and email address was easy. We’re already friends on Facebook, where his birthday is available, and I already had his personal Gmail address (which is also available online following a quick Google search).
"That got me past the first two steps on the password reset site. So now I just need to know two of the following: the name of the first album he owned, the name of his favorite teacher, or his least favorite job.
"From Facebook I found out which high school he’d attended. I used this to get a list of teachers from this high school from a teacher rating site. I also got a list of artists he’d liked on Facebook and picked the earliest as my first guess.
"This is about as far as I got. After less than a dozen attempts at guessing, I was locked out of his account for eight hours. Paul did confirm that the answer to the teacher question was on my list though, so I would have eventually come to the right one."
Farrell had about the same amount of success as Evershed. He figured out only one of Evershed's answers before being locked out. However, he suggested that someone who is good at using search engines might get farther than he did.
According to Farrell, "While it might seem hard to guess this sort of information for random people, for celebrities who have disclosed massive amounts of personal information in interviews it may actually be quite achievable to find it all through fairly basic web searches."
People in the greater Spokane area who use the iCloud service should be safe from the type of attack Farrell and Evershed attempted, as long as they use some common sense and avoid security questions whose answers others could easily find, for example by locating their Facebook pages with Graph Search. It would also be wise to enable two-step verification, which requires a user to verify his or her identity on an iPhone or other device before any account information can be changed.
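The reset flow the reporters describe (email address, date of birth, two of three security questions), the eight-hour lockout they ran into after fewer than a dozen guesses, and the two-step verification Apple recommends can be modeled in a few dozen lines. The following is an added example written for this article; it is not Apple's code and not the reporters' work. The account details, the three questions, the lockout threshold of ten attempts and the six-digit device code are all constructed for the illustration, and `Account`, `RecoveryService` and `demo` are hypothetical names.

```python
"""Toy model of a security-question password reset with lockout and a second step."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
import hmac
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 10                  # constructed; the article says "less than a dozen"
LOCKOUT_DURATION = timedelta(hours=8)   # the eight-hour lockout the reporters hit
REQUIRED_CORRECT = 2                    # two of three questions, as the article describes


class Outcome(Enum):
    LOCKED = "locked out"
    DENIED = "identity check failed"
    NEEDS_SECOND_STEP = "knowledge checks passed; device code required"
    ALLOWED = "password reset allowed"


def normalize(answer: str) -> str:
    """Answers are compared case- and whitespace-insensitively."""
    return " ".join(answer.lower().split())


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison; encoded so non-ASCII answers are accepted."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class Account:
    email: str
    date_of_birth: str                   # "YYYY-MM-DD"
    answers: Dict[str, str]              # question -> registered answer (three of them)
    two_step_enabled: bool = False
    device_code: Optional[str] = None    # code shown on the trusted device (constructed)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


class RecoveryService:
    def __init__(self, accounts: Dict[str, Account]):
        self.accounts = accounts

    def _fail(self, acct: Account, now: datetime) -> Outcome:
        """Count a wrong attempt; lock the account once the threshold is reached."""
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failed_attempts = 0
            return Outcome.LOCKED
        return Outcome.DENIED

    def attempt_reset(self, email: str, dob: str, answers: Dict[str, str],
                      now: datetime, device_code: Optional[str] = None) -> Outcome:
        acct = self.accounts.get(email)
        if acct is None:
            return Outcome.DENIED            # do not reveal whether the address exists
        if acct.locked_until and now < acct.locked_until:
            return Outcome.LOCKED
        if not _eq(dob, acct.date_of_birth):
            return self._fail(acct, now)
        correct = sum(1 for q, a in answers.items()
                      if q in acct.answers and _eq(normalize(a), normalize(acct.answers[q])))
        if correct < REQUIRED_CORRECT:
            return self._fail(acct, now)
        if acct.two_step_enabled:
            if device_code is None:
                return Outcome.NEEDS_SECOND_STEP
            if not _eq(device_code, acct.device_code or ""):
                return self._fail(acct, now)
        acct.failed_attempts = 0
        return Outcome.ALLOWED


def demo() -> Dict[str, Outcome]:
    """Replay the article's scenario against the model; all data is constructed."""
    def fresh_account(two_step: bool) -> Account:
        return Account(email="reporter@example.com", date_of_birth="1985-04-12",
                       answers={"first album": "Nevermind",
                                "favorite teacher": "Ms. Ortiz",
                                "least favorite job": "dishwasher"},
                       two_step_enabled=two_step,
                       device_code="482913" if two_step else None)

    email, dob = "reporter@example.com", "1985-04-12"
    known = {"first album": "Nevermind", "favorite teacher": "Ms. Ortiz"}
    t0 = datetime(2014, 9, 3, 9, 0)
    results: Dict[str, Outcome] = {}

    # 1. Email, date of birth and the album are known; the teacher is taken from a
    #    12-name list, and the right name happens to be last on it.
    svc = RecoveryService({email: fresh_account(False)})
    candidates = [f"Teacher {i}" for i in range(1, 12)] + ["Ms. Ortiz"]
    outcome = Outcome.DENIED
    for i, name in enumerate(candidates):
        outcome = svc.attempt_reset(email, dob, {**known, "favorite teacher": name},
                                    t0 + timedelta(seconds=i))
        if outcome in (Outcome.LOCKED, Outcome.ALLOWED):
            break
    results["guessing_without_two_step"] = outcome          # locked on the tenth wrong guess
    results["still_locked_an_hour_later"] = svc.attempt_reset(
        email, dob, known, t0 + timedelta(hours=1))
    # 2. The lockout only delays: once it expires, the right answers reset the password.
    results["correct_answers_after_lockout"] = svc.attempt_reset(
        email, dob, known, t0 + LOCKOUT_DURATION + timedelta(minutes=1))
    # 3. With two-step enabled, the same answers are not enough without the device code.
    svc2 = RecoveryService({email: fresh_account(True)})
    results["correct_answers_two_step"] = svc2.attempt_reset(email, dob, known, t0)
    results["with_device_code"] = svc2.attempt_reset(email, dob, known, t0,
                                                     device_code="482913")
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome.value}")
```

The point the model makes is the one Evershed drew from his own attempt: a lockout after a handful of guesses stops a single sitting, but it does not change the fact that the answers sit on a short list anyone can compile, so the guesser returns after eight hours and gets in. Requiring a code from a registered device is what actually breaks the attack, because no amount of public information supplies that code.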