By Jennifer LeClaire / CIO Today. Updated September 03, 2014.
When nude celebrity selfies start leaking en masse, it certainly gets your attention. Actress Jennifer Lawrence, singer Rihanna and model Kate Upton were among the celebs whose pics, videos and other personal files flooded the Internet on Sunday.
We caught up with Greg Foss, a senior security research engineer at security intelligence firm LogRhythm, to get his take on the fallout, who's to blame and how to protect data in the cloud. He told us that, according to information released publicly so far, celebrity iCloud accounts were the primary targets.
“If this is indeed the case, the ‘hack’ looks to have been the result of a brute-force attack against using select passwords from the ever-popular RockYou password list in conjunction with the ibrute script written by @hackappcom, which essentially bypasses the AppleID lock feature,” Foss said. The tool used the top 500 passwords from the RockYou breach in 2007 -- still considered the world’s largest leak of plaintext passwords.
Who’s To Blame?
Foss suggested that Apple shares some of the blame because iCloud did not implement adequate brute-force protection. Of course, the celebrities didn’t help by picking weak passwords and failing to implement Apple’s two-factor authentication, he added.
As Foss sees it, another aspect to consider is that the culprits likely gained access to much more than pictures and videos. Specifically, address books and other sensitive data available via iCloud were probably also accessed, he noted.
“All things considered, it is unlikely that only one avenue was taken to obtain all of this data,” Foss said. “More importantly, just because everything was dumped on the Internet at the same time does not mean that it was all stolen at the same time or even by the same person.”
Foss is assuming a team with a common goal was behind the leak -- and that they used many different means to obtain this data. However, he said he believed a significant portion was obtained via iCloud brute force.
“Could this all be stolen data from iCloud that was extracted in the same manner? Certainly, but not likely,” he said. “Granted, Apple did respond and fix this specific vulnerability within 24 hours, which is very good, all things considered.”
Protecting Yourself from Hackers
So, what can we learn from this recent leak? According to Foss, there are a few lessons we can take away from the embarrassing event that will help us better protect our own data in the cloud. First, he said, implement multifactor authentication whenever possible. He noted that Apple has a two-step verification feature that will harden your iCloud account. Look for the same feature on other services.
“If multifactor authentication is not an option, question the sensitivity of the data you are storing on the service and do not store it in the cloud if you are worried about someone else getting hold of it,” Foss said. “Use strong and unique passwords for every site. Use pass phrases instead of passwords. Use a password manager to store, manage, and create strong, plus unique passwords for each site that you use.”
Most of this advice is not new. The issue is that too few users follow it.