How Jennifer Lawrence’s account was hacked7 min read . Updated: 03 Sep 2014, 05:52 PM IST
And how you can avoid your private pictures from falling into the wrong hands
And how you can avoid your private pictures from falling into the wrong hands
It was Jennifer Lawrence and Rihanna and Selena Gomez and a hundred other celebs. But it could quite easily have been you and me, for no one is really safe when it comes to a hacking attack. On August 31, the internet was rocked by a celebrity leak scandal with nude pictures of over 101 Hollywood celebrities hitting the world wide web.
The bust involved bitcoins, hackers and celebrities raised a perfect internet storm. It was first posted on a photo board platform 4Chan where users can post anonymously. It is till now not clear who uploaded the pictures or how it happened but one thing common to all the celebrities is that they all are users of iCloud, the Apple cloud service. Apple Inc last night issued an official statement confirming that some celebrities had their accounts compromised by a mass attack on “usernames, passwords, and security questions".
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved", Apple Inc said in a statement.
Some of the celebrities like Jennifer Lawrence and model Kate Upton have acknowledged that the leaked photos are real. But others like Victoria Justice and Ariana Grande have issued statements calling the photos fake.
Experts say that hackers were able to get access to the media stored on the cloud either by using Apple’s ‘Find my iPhone’ feature or hacking into the desktops and laptops. Not only photos, hackers would have had access to a lot of other personal data like phonebook details, calendar entries, texts, real-time GPS coordinates and any notes stored on the phone. But for them, celebrity pictures made a better choice to encash.
Here’s a look at how accounts can be hacked:
On 30 August, a day before the mass leak, a code for an AppleID password brute-force proof-o-concept was shared on the code-hosting site GitHub. The code exploits the weak link in Apple’s Find My iPhone features which allowed hackers multiple unlimited attempts at passwords. The iCloud service works only on a password and login ID (which is the email). The photos which get saved in the My Photo Stream of iPhones get backed-up in the iCloud. Hackers may have used the brute-force technique to get access to individual clouds.
Brute-force attack is a method used by hackers to try out all the possible keys or passwords until the correct one is found. It is like using the simplest kind of method to gain access to a site. In short, it is taking advantage of the weakest link in a site: the user.
Most websites lock-out users after a certain number of attempts but till few hours back that was not the case with Apple. After the massive leak, the company has claimed to fix this issue. But for using brute-force technique hackers would have needed emails or usernames to even attempt finding the right password.
Engadget in a report said: “If this was the flaw used, the hackers would have needed email addresses of celebrities. But, it’s possible that only one address is needed, allowing to search inboxes for those of others in a domino effect."
Though it is not confirmed yet if this vulnerability of iCloud and the leaks are connected, it certainly had some role to play.
2. Spear-phishing or phishing
The other speculation is that it could have been a case of good old spear-phishing. It is not necessary that the capturing device for photos was just the iPhone camera, it could also have been the webcam or camera saved on the desktops and laptops. Apple has a feature which lets users back-up their images and other data to iCloud automatically and is available across any Apple device. Chances are that most of the users have enabled the feature without realizing the consequences. It is not just iCloud, even Google Inc has similar feature for Android which lets users back-up files from any device.
For anything other than handheld device, spear-phishing works fine to install a backdoor entry mechanism into the machine. It is a form of phishing an email spoofing fraud attempt. According to Norton, the anti-virus solutions provider, spear phishers rely heavily on familiarity. “He knows your name, your email address and at least a little about you," the company says in a FAQ. It could also be a product company with which you deal on regular basis.
In case of a phishing attempt, the emails are on behalf of well known organizations mostly financial institutions or social networks asking for sensitive information like password or credit card details or such.
3. Hacking emails
In the age of internet, love letters and other amorous correspondence is sent across emails. That makes emails susceptible to a breach. Hackers could have accessed the email addresses by re-setting their passwords. This can be done by answering few simple security questions like what’s the name of your pet or what street do you live on or what’s your mother’s last name. This is one of the most common ways of accessing email accounts without user permission. The fact that such information is not difficult to guess adds to the vulnerability.
PRECAUTIONS TAKEN TO SECURE ACCOUNTS
Technology companies have to tread a fine line between being user-friendly and making the service secure. Adding many layers of security means various kinds of authentication which many users don’t like. But after the scandal, whether you are a celeb or not, you are still vulnerable.
One of the technologies used to secure accounts is two-factor authentication. It requires users to enter a secret number that’s auto-generated and sent to your mobile phone each time they log in. It increases security drastically but not many users are fans of it.
Infact, Apple in the media statement urged users to create strong passwords and enable two-step verification to avoid potential trouble.
The other mechanisms that users take lightly are the security questions while signing up for a service. Most users don’t give much thought before answering these questions. Hence making this the easiest way to gain illegal access. At the max what will happen, you’d be either locked out of your account (a potential clue that it is being hacked) or the hacker gets it right.
HOW CAN YOU SAVE YOURSELF
The best safeguard is not to click any pictures to guarantee such a situation never happens to you. But in the age of internet and a spurt in messaging apps and social networks, this is not the best solution to follow. Moreover it is simply not about celebrities, large number of sexts and nudes are exchanged over the internet every day even by plebians like us.
Here are some tips to help you avoid such situations:
1. Enable two-factor authentication: As explained above, it requires your phone number to enable the authentication. It can be a bit of a hassle but it is one of the best ways to secure your account.
2. Don’t take security questions lightly: Make sure you don’t answer security question honestly. Internet can do with some made up answers in this case. Make up long, random answers and keep a note of it in case of future use.
3. Don’t have the same password for any two services: Avoid using same passwords for more than one account especially in case of banking services and email accounts. Write them down at a safe place for future reference.
4. No face in nudes: In case you still want to exchange nude pictures with your partner, make sure to keep your face or any other prominent identification mark out of it.
5. Don’t open email attachments: To avoid a phishing attack, do not click on the links or attachments in the emails sent by suspicious email ids.
6. Know how cloud services work: Make sure you fiddle around with the settings of the cloud service you plan to use whether Android, iCloud, Dropbox or any other such service. If in doubt, switch off the photo-sync feature.
7. Put a key lock on phone: In case of theft of your device, make sure to put a key lock on the phone or a pass code in case of an iPhone. There are settings which automatically deletes data after a certain number of attempts.
These may not guarantee that it won’t happen with you but it makes you a lot safer from such online threats. In most cases, celebrities give a lot of importance to their physical safety but the digital threat is largely ignored. For them there is only one advice: use security features provided however annoying they are.
Never miss a story! Stay connected and informed with Mint. Download our App Now!!