The Fappening 2014 - What to learn about cloud security from leaked nude celebrity photos

Discussion in 'Security, Privacy & Anonymity' started by Millard Baker, Sep 2, 2014.

  1. Millard Baker

    Millard Baker Member

    What you can learn about "cloud" security from the leaked nude celebrity photos of Ariana Grande, Jennifer Lawrence, Kate Upton, Olivia Munn, Victoria Justice and dozens of other celebrities in what has been called The Fappening 2014:

    Source: http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
     
    Michael Scally MD likes this.
  2. Millard Baker

    Millard Baker Member

    Some experts believe that an Apple 'Find My iPhone' exploit may have been responsible for allowing an AppleID bruteforce password cracking hack.

    http://thenextweb.com/apple/2014/09...aw-that-led-to-celebrity-photos-being-leaked/

    The "iBrute" Apple ID password bruteforce tool proof of concept was posted on August 31, 2014:

    "It uses Find My Iphone service API, where bruteforce protection was not implemented. Password list was generated from top 500 RockYou leaked passwords, which satisfy appleID password policy. Before you start, make sure it's not illegal in your country."

    Apple patched the flaw on September 1, 2014.

    Source: http://www.zdnet.com/apple-patches-find-my-iphone-exploit-7000033171/

    Others, including the person who released the iBrute tool PoC, don't think the tool was responsible and believe that the timing of its release and patch with the Fappening leaks was merely a coincidence:

    Source: http://mashable.com/2014/09/01/celebrity-photo-leak-weak-technology-or-bad-passwords/
     
    Michael Scally MD likes this.
  3. pumpingiron22

    pumpingiron22 Member AnabolicLab.com Supporter

    Never trust the cloud! I never have and never will. When you have your info with a 3rd party you lose security and control of your info.
     
    Millard Baker and FuriousWO like this.
  4. Millard Baker

    Millard Baker Member

    Software intended solely for government agencies - Elcomsoft Phone Password Breaker (EPPB) - may have been used in combination with iCloud-cracking software (iBrute) to download backups of the entire contents of victims' iPhones, according to security expert Jonathan Zdziarski.

    “You don’t get the same level of access by logging into someone’s [web] account as you can by emulating a phone that’s doing a restore from an iCloud backup,” says Zdziarski. “If we didn’t have this law enforcement tool, we might not have the leaks we had.”

    Source: http://www.wired.com/2014/09/eppb-icloud/
     
    pumpingiron22 likes this.
  5. Millard Baker

    Millard Baker Member

    Apple says the celebrity photo leak was not its fault but that of consumer ignorance or, as Apple puts it, "awareness":

    "When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," Apple CEO Tim Cook said. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."

    Source: http://online.wsj.com/news/article_...ud-users-1409880977-lMyQjAxMTA0MDAwNDEwNDQyWj

    Nonetheless, Apple will add additional security alerts to prevent such an incident from happening again.

     
    Michael Scally MD likes this.