The FBI is investigating the theft of naked celebrity photos from their phones
September 2, 2014
Apple and the FBI said this morning that they are investigating the theft of a large trove of naked celebrity photos that were hacked from their smartphones.
The photos depict Jennifer Lawrence, Kate Upton and around one hundred others, and are thought to have been stolen from Apple iCloud accounts.
FBI spokeswoman Laura Eimiller said in a statement that the Bureau was aware of the hack of "high profile individuals" and was "addressing the matter", but said that "any further comment would be inappropriate for now".
Apple spokeswoman Natalie Kerris said the company was "actively investigating" the hacks.
Some speculation on the picture-pinching pirates' methods has supposed that the newly released iBrute password-guessing tool may have been used to break into the celebs' iCloud accounts.
The tool's authors, hackappcom, wrote that it used the Find My iPhone service API, which was not protected against brute-force attacks.
Attackers may have used a list of 500 popular passwords that meet Apple's password requirements.
But as hackappcom itself pointed out, the tool was published only one day before the hack took place, making the crime "very difficult" to pull off with the tool in such a tight timeframe.
"iBrute was published a day before the incident. It's very difficult to perform this kind of targeted attack in one day, so it's very unlikely that iBrute was used for this attack, but maybe some evil guys found the same bug and used it," the authors wrote in a blog post.
"Anyway, if your accounts were hacked by @hackappcom's method it also means that your passwords are useless but it's not your fault if you are using bad passwords because you are celebrities, not nerds."
As we pointed out in May, after an entity called "Oleg Pliss" harvested antipodean iThing credentials, Apple did not limit the number of password attempts a user could make when trying to access an iCloud account.
Pliss or these new attackers could therefore have worked from a list of iCloud user names and set a script to brute-force its way into Apple accounts.
Once Apple applied rate limiters, any "Oleg bot" would be hindered or, with a little more security smarts, stopped dead.
We have inquired whether any brute-force attempts against the affected celebrity accounts were detected in logs.
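The unlimited-attempts problem and the rate-limiting fix described above, as an added illustration that is not code from the article or from Apple: a detector that flags accounts with many failed logins inside a short sliding window, run over a few constructed log lines, and a per-account attempt limiter replayed over the same events to show which attempts it would have refused. The log format, account names and addresses are constructed for the example.

```python
"""Spot password-guessing against accounts in an authentication log and
replay the same events through a per-account attempt limiter.

Added example, not code from the article or from Apple.  The log format
and the events below are constructed for the demonstration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <FAIL|OK> <source ip>".
# alice's password is guessed on the seventh attempt within three seconds;
# bob mistypes twice over ten minutes, which is ordinary user behaviour.
SAMPLE_LOG = """\
2014-08-31T02:00:00 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:01 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:01 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:02 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:02 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:03 alice@example.com FAIL 198.51.100.7
2014-08-31T02:00:03 alice@example.com OK 198.51.100.7
2014-08-31T02:00:10 bob@example.com FAIL 203.0.113.5
2014-08-31T02:05:00 bob@example.com FAIL 203.0.113.5
2014-08-31T02:10:00 bob@example.com OK 203.0.113.5
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, account, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), account, result, ip))
    return events


def find_brute_force(events, max_failures=5, window=timedelta(minutes=1)):
    """Detection: return {account: time first flagged} for accounts that
    exceed max_failures failed attempts within any sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, account, result, _ip in events:
        if result != "FAIL":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and account not in flagged:
            flagged[account] = ts
    return flagged


class AttemptLimiter:
    """Mitigation: after max_failures failures inside `window`, refuse
    further attempts on that account for `lockout`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=1),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def allow(self, account, ts):
        until = self._locked_until.get(account)
        return until is None or ts >= until

    def record(self, account, ts, success):
        if success:
            self._failures[account].clear()
            return
        q = self._failures[account]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = ts + self.lockout
            q.clear()


def replay(events, limiter=None):
    """Replay events through the limiter.  Returns (allowed, blocked,
    blocked_successes); the last figure counts correct guesses that the
    limiter would have turned away."""
    limiter = limiter or AttemptLimiter()
    allowed = blocked = blocked_successes = 0
    for ts, account, result, _ip in events:
        if not limiter.allow(account, ts):
            blocked += 1
            if result == "OK":
                blocked_successes += 1
            continue
        allowed += 1
        limiter.record(account, ts, result == "OK")
    return allowed, blocked, blocked_successes


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force suspected:", find_brute_force(evs))
    print("allowed, blocked, blocked successes:", replay(evs))
```

Run stand-alone, the detector names only alice's account, and the limiter refuses her sixth and seventh attempts, the seventh being the correct guess; bob's two slow mistakes pass through untouched. The thresholds are example values, not anything Apple has published.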
Other rumors suggest that the nude photos may have been stolen from an existing cache of photos acquired over time by other hackers.
Security expert Dan Kaminsky guessed that the photos may have been compiled from hacked computers and collected until a large cache was ready for its release.
These theories were based in part on an examination of EXIF metadata in the photos, which suggested that many were taken in 2011 while others were captured as recently as last month.
In other internet security news
Over the past several months, NIST (National Institute of Standards and Technology) has taken a long and objective look at how companies use Secure Shell (SSH) and it doesn't like what it sees at all.
Despite the depth of access generally handed to SSH on Unix and Linux systems for a host of activities (root server management, file transfers, backups, software and patch management, disaster recovery, provisioning and database updates), system admins aren't working hard enough to protect those activities, and a lot can be done to change that.
The NIST report says: “As a whole, management of automated access requires proper provisioning, termination, and monitoring processes, just as interactive access by normal users does. However, the security of SSH-based automated access has been largely ignored to date, even though it is encrypted”.
The report adds that an SSH process running under a patch management system may, for example, be given root access to accounts or administrator-level access to Oracle databases. Security is therefore critical and needs to be treated as such.
As always, the most important security considerations fall under the heading of “normal security practice”. NIST points to the security vulnerabilities in older versions of SSH in recommending proper patch management.
User accounts need to be managed and deleted when they are no longer required, SSH client and server configurations need to be watched, and keys need to be continually monitored and audited.
Several of the NIST recommendations echo concerns expressed last year by the protocol's author, Tatu Ylonen, when he called for a new version of SSH.
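The NIST points above on managing automated access and continually auditing keys, as an added example that is not from the report or the article: a small auditor for an authorized_keys file that parses each entry (options, key type, key blob, comment), computes the OpenSSH SHA256 fingerprint, and flags keys that lack from= and command= restrictions, duplicate keys, and weak key types. The sample file, its hosts, paths and key blobs are constructed; the blobs are synthetic, with the correct outer wire format but made-up key material.

```python
"""Audit OpenSSH authorized_keys entries used for automated access.

Added example, not from the NIST report or the article.  The sample file
is constructed: the key blobs are synthetic (correct outer wire format,
made-up key bytes), so the fingerprints are real hashes of fake keys."""
import base64
import hashlib
import re
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
WEAK_TYPES = {"ssh-dss"}   # DSA keys are disabled by default in current OpenSSH

def _blob(key_type, key_bytes):
    """Pack a minimal OpenSSH key blob: string(key_type) + string(key_bytes)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return base64.b64encode(s(key_type.encode()) + s(key_bytes)).decode()

# Constructed sample authorized_keys for a backup service account.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# backup pulls from backup01 only, through a restricted command",
    'from="10.0.0.12",command="/usr/local/bin/rrsync -ro /srv/data",no-pty '
    + "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32))) + " backup@backup01",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(1, 33))) + " dba@laptop",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(range(32))) + " backup-copy",
    "ssh-dss " + _blob("ssh-dss", bytes(128)) + " legacy-deploy",
])

def _split_options(line):
    """Split the optional leading options field from the key; option values
    may be quoted and contain spaces and commas."""
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == '"':
            in_quote = not in_quote
        elif c == "\\" and in_quote:
            i += 1                       # skip the escaped character
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].strip()

def _parse_options(opts):
    """'from="a,b",no-pty' -> {'from': 'a,b', 'no-pty': True}"""
    return {name.lower(): value or True for name, value in
            re.findall(r'(\w[\w-]*)(?:="((?:[^"\\]|\\.)*)")?', opts)}

def parse_entry(line):
    """Parse one authorized_keys line into a dict, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        opts, rest = "", line
    else:
        opts, rest = _split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"malformed entry: {line!r}")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    # The blob opens with its own key-type string; it must match the declared one.
    (n,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + n].decode("ascii", "replace")
    # OpenSSH fingerprint: SHA256 over the raw blob, base64 without padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"options": _parse_options(opts), "type": key_type,
            "blob_type": blob_type, "fingerprint": "SHA256:" + digest,
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(text, required=("from", "command")):
    """Return (line number, key label, finding) triples.  For an automation
    account every key should be source-restricted and command-restricted."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        e = parse_entry(line)
        if e is None:
            continue
        label = e["comment"] or e["fingerprint"]
        if e["type"] not in KEY_TYPES:
            findings.append((lineno, label, f"unknown key type {e['type']}"))
        elif e["type"] in WEAK_TYPES:
            findings.append((lineno, label, f"weak key type {e['type']}"))
        if e["blob_type"] != e["type"]:
            findings.append((lineno, label, f"declared {e['type']} but blob is {e['blob_type']}"))
        missing = [o for o in required if o not in e["options"]]
        if missing:
            findings.append((lineno, label, "unrestricted key, missing " + ",".join(missing)))
        if e["fingerprint"] in seen:
            findings.append((lineno, label, f"duplicate of line {seen[e['fingerprint']]}"))
        else:
            seen[e["fingerprint"]] = lineno
    return findings

if __name__ == "__main__":
    for lineno, label, finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno} ({label}): {finding}")
```

On the sample, the restricted backup key passes, the laptop key and the copied backup key are reported as unrestricted (the copy also as a duplicate), and the DSA key is reported both as weak and as unrestricted. Pointing the same functions at the real authorized_keys files of service accounts gives an inventory keyed by fingerprint, which is what the "continually monitored and audited" recommendation needs in practice.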
In other internet security news
United Parcel Service, one of the biggest private parcel carriers and freight forwarders in the U.S., has discovered a serious computer security breach at 51 of its stores, making the company the latest retailer to lose sensitive customer information.
UPS, whose annual sales total several billion, said the intrusion had escaped detection at stores in 24 U.S. states, around 1 percent of its locations.
At most stores, the malware infection began after March 26 and was eliminated by August 11.
Customer names, postal addresses, email addresses and payment card information were compromised. Tim Davis, president of The UPS Store, apologized in a statement for any anxiety the theft may have caused customers.
He added that UPS had deployed "extensive resources to quickly address and eliminate this issue."
Each UPS Store is franchised and runs separate computer systems, which may have helped limit the extent of the attack.
UPS said the malware was not found at any of its other businesses. The UPS breach is the latest in a long string of incidents in which hackers and miscreants have made off with retail consumer data and sensitive credit card information.
Just last week, Albertson's and SuperValu announced that hackers broke into their credit and debit card payment networks.
In December 2013, Target was hit and hackers stole 40 million credit card numbers; Adobe, Snapchat, Michaels, Neiman Marcus, AOL and eBay have also been breached.
All in all, independent research suggests that about half of all American adults were hacked, in one form or another, in a recent 12-month period.
In other internet security news
Community Health Systems, which operates 206 hospitals across the United States, has confirmed that hackers recently broke into its server network and stole sensitive personal data on over 4.5 million patients.
The intruders gained full access to patients' names, Social Security numbers, physical addresses, ZIP codes, birth dates and telephone numbers.
Any patient who received treatment from a network-owned hospital in the last five years or was merely referred there by an outside doctor is directly affected.
The breach places these people at heightened risk of identity fraud, among other harms: with this data, criminals can easily open bank accounts and credit cards in the victims' names, take out loans and ruin their credit history.
The company's hospitals operate in 28 states but have their most significant presence in Alabama, Florida, Mississippi, Oklahoma, Pennsylvania, Tennessee and Texas.
Community Health Systems (CHS) hired cybersecurity experts at Mandiant to consult on the breach. Mandiant determined that the attackers were located in China and used sophisticated malware to carry out the intrusion sometime between April and June of this year.
The FBI said that it's working closely with the hospital network and committing significant resources and efforts to target, disrupt, dismantle and arrest the perpetrators.
Federal investigators and Mandiant told the hospital network that the same attackers had previously been spotted conducting corporate espionage and targeting valuable information about medical devices.
This time, however, the hackers stole patient data instead. They did not manage to steal information related to patients' medical histories, clinical operations or credit cards.
The lost personal information is nonetheless protected by the Health Insurance Portability and Accountability Act (HIPAA), the federal health records protection law.
That means that patients could sue the hospital network for damages and financial compensation.
As for how exposed victims can protect themselves, there is little they can do, at least for now. Making matters worse, Community Health Systems said it will notify the 4.5 million patients "as required by federal and state law," a standard that is inconsistent and varies by region.
There is no federal data breach law that requires timely and transparent disclosure that sensitive personal information was lost.
CHS tried to stem worries about the damages in a filing Monday with the Securities and Exchange Commission, saying that it "carries cyber/privacy liability insurance to protect it against certain losses related to matters of this nature."
The hospital network said that just before Monday's announcement, it managed to wipe the hackers' malware from its computer systems and implemented protections to prevent similar break-ins in the future.
Furthermore, the company plans to offer identity theft protection to the 4.5 million victims of the data breach.
In other internet security news
Oracle’s highly publicized data redaction feature in Database 12c is very easy to subvert without exploit code, attendees at Defcon 22 in Las Vegas were shown.
The redaction features in 12c are designed to automatically protect sensitive database information by either totally obscuring column data or partially masking it.
For example, a query that returns a U.S. social security number would show only the last four digits rather than the complete SSN.
However, according to David Litchfield, security specialist at Datacomm TSS and author of The Oracle Hacker’s Handbook, the redaction features are so riddled with basic security flaws that you don’t need to execute native exploit code to defeat them; some clever SQL is all that's needed, we're told.
“If Oracle had an acceptable security development lifecycle in place, anyone would have found these flaws and stopped them in their tracks even before they got out of the gate,” Litchfield told conference attendees.
“Anyone with a minimum of SQL knowledge would have found these bugs very easily,” Litchfield added. He also said that within five minutes of investigating the redaction system he found serious security flaws in more of the code.
He demonstrated how, with a few simple keystrokes, a malicious employee – or someone able to inject SQL queries remotely – could gain sufficient admin privileges to defeat data redaction and access the data in the system.
He mocked Larry Ellison’s assertion last January that no one had hacked an Oracle database in twenty years, claiming that the 2011 Sony PlayStation Network attack, which took the network offline for nearly two months, was traced back to an Oracle database.
As a security researcher, Litchfield said he always reported flaws to vendors as he found them. But he expressed frustration that Oracle was slow to patch, and when it did get around to issuing fixes they were either broken, incomplete or unreliable.
Typically, Oracle engineers patch against the exploit code rather than fixing the underlying security issue, he told the Defcon audience on Friday.
This is a poor approach, since small changes to the exploit code may defeat the new protections.
Litchfield pointed to Microsoft as an example of what can be done in database security. In the wake of the Bill Gates security memo, the entire SQL Server 2005 development team stopped work and went over old code in a complete security review, to fully assess the problem and provide a permanent fix.
The result down the line was that patching and flaw discovery in Microsoft SQL Server dropped sharply, and the code security of IIS and Exchange has also improved markedly.
Oracle should take a page out of Microsoft’s book when it comes to security, he suggested, and customers should demand change.
“If you're running Oracle database servers and don't like the way they work on the security aspect of things, then get on the phone to Oracle, because we really need to get this sorted,” he concluded.