By now I am sure you have heard the news story about the 90+ celebrities (Hunger Games star Jennifer Lawrence is mentioned the most) that had nude or semi-nude pictures of themselves show up on the Internet. Supposedly a hacker was able to access their Apple iCloud accounts and steal the photos.
Apple says that they did not suffer a data breach of any of their systems including iCloud and Find my iPhone. According to Apple, “After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.”
I am confused. Apple says that they did not suffer a breach, but nude pictures of people are all over the Internet. Where did the pictures come from? Did one or many hackers break into individual iPhones? Not likely. The more I read, the more it looks like the hacker(s) used the old brute force password attack. As it turns out, the Apple app called Find my iPhone had no protection against brute force attacks. A brute force attack is when you use a computer and password cracking software to guess thousands of passwords an hour until one finally succeeds. Minimizing the effectiveness of a brute force attack is not that hard. Here are some things that can be done:
Limit the number of incorrect password attempts.
Lock out the account after a set number of incorrect guesses. You can lock the account out for 30 minutes, an hour, or permanently until someone calls the Apple Help Desk.
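Here is what those two measures look like as server-side logic. This is an added example written for this post, not Apple's code; the attempt limits, the 30-minute lock, the "three lockouts then call the help desk" rule, and the account names are all assumptions chosen for illustration. It also treats an unknown account name exactly like a wrong password, so the login response does not help anyone confirm which account names exist.

```python
import hmac
import time
from dataclasses import dataclass

# Policy values are assumptions for this example, not Apple's actual settings.
MAX_FAILED_ATTEMPTS = 5           # wrong guesses allowed before a temporary lock
TEMP_LOCK_SECONDS = 30 * 60       # 30-minute lockout, one of the durations suggested above
LOCKOUTS_BEFORE_PERMANENT = 3     # after this many temporary locks, lock until the help desk unlocks


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked
    lockouts: int = 0
    permanently_locked: bool = False


class FakeClock:
    """Controllable clock so the lockout window can be advanced without sleeping."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class LoginGuard:
    """Counts failed logins per account and locks the account instead of letting guessing run forever."""

    def __init__(self, passwords, clock=time.time):
        # Constructed sample credential store: account name -> password.
        # A real service stores salted password hashes, never plaintext.
        self._passwords = passwords
        self._clock = clock
        self._state = {}

    def _state_for(self, account):
        return self._state.setdefault(account.lower(), AccountState())

    def attempt(self, account, password):
        """Return 'ok', 'denied', 'locked' or 'permanently_locked'."""
        state = self._state_for(account)
        now = self._clock()

        if state.permanently_locked:
            return "permanently_locked"
        if now < state.locked_until:
            # Refuse without even checking the password: a locked account tells the guesser nothing.
            return "locked"

        # Unknown accounts take the same path as wrong passwords, so the answer
        # does not reveal whether an account name exists.
        expected = self._passwords.get(account.lower(), "")
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            state.failed_attempts = 0
            return "ok"

        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.failed_attempts = 0
            state.lockouts += 1
            if state.lockouts >= LOCKOUTS_BEFORE_PERMANENT:
                state.permanently_locked = True
            else:
                state.locked_until = now + TEMP_LOCK_SECONDS
        return "denied"

    def help_desk_unlock(self, account):
        """Clear all lock state once the owner has verified their identity out of band."""
        self._state[account.lower()] = AccountState()


def demo():
    """Walk one constructed account through guessing, temporary lock, expiry, permanent lock and unlock."""
    clock = FakeClock()
    guard = LoginGuard({"jlaw@example.com": "correct horse battery staple"}, clock=clock)
    log = []
    # Five wrong guesses are denied; the sixth runs into the 30-minute lock.
    log += [guard.attempt("jlaw@example.com", f"guess{i}") for i in range(6)]
    # Once the lock expires, the real owner can still get in with the right password.
    clock.now += TEMP_LOCK_SECONDS + 1
    log.append(guard.attempt("jlaw@example.com", "correct horse battery staple"))
    # Two more rounds of guessing use up the lockout budget and lock the account for good.
    for _ in range(2):
        log += [guard.attempt("jlaw@example.com", f"guess{i}") for i in range(5)]
        clock.now += TEMP_LOCK_SECONDS + 1
    log.append(guard.attempt("jlaw@example.com", "correct horse battery staple"))
    # Only the help desk clears a permanent lock.
    guard.help_desk_unlock("jlaw@example.com")
    log.append(guard.attempt("jlaw@example.com", "correct horse battery staple"))
    # An account name that does not exist gets the same answer as a wrong password.
    log.append(guard.attempt("nobody@example.com", "anything"))
    return log


if __name__ == "__main__":
    for step, result in enumerate(demo(), 1):
        print(step, result)
```

The lock is applied while the account is locked without looking at the submitted password at all, which is the point: a guessing tool gets at most five answers per half hour instead of thousands, and after three lockouts it gets none until a human intervenes.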
In order for brute force to work, you at least have to have a valid account name. Some people have a lot of time on their hands and may just be very good at guessing the account names. Who knows, the account name for Jennifer Lawrence could have been JLaw.com, JLaw@me.com, Jennifer.Lawrence@me.com, JLawrence@me.com, etc.
In two weeks here is what Apple plans to do to beef up security and try to keep this from happening again:
Send email alerts and notifications when someone tries to change a password, restore data, or log in to an account from a new device.
Increase the use of two-factor authentication.
Do a better job of getting the message out to its customers about using stronger passwords.
Here is what you can do today:
Don’t take nude pictures.
If you take nude pictures keep them inside the 4 walls of your house, under lock and key.
Use stronger passwords.
Limit what you backup to any Cloud service.
Encrypt what you save to any Cloud service.
Particularly regarding Apple – Turn iCloud off and backup locally.
John L. Jones