Euro Security Watch with Mathew J. Schwartz

Apple Attackers Hack Webcams Too

Strong Passwords Aren't Enough to Stop Hackers

Following the breach of celebrities' nude photos, there's a widespread misperception that if only victims had used strong passwords and Apple's two-factor authentication system, they would have been protected.

The celebrity photo breach resulted in an estimated 700 nude and other highly personal images from about 25 celebrities being released. In response, Apple issued a statement confirming that it experienced "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet."

Apple then added: "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification."

In general, strong passwords are good. They can slow down brute-force password-guessing attacks. But that's not how Apple's celebrity customers appear to have been compromised. Security expert Nik Cubrilovic, for one, has combed through months of posts to image board and community sites favored by celebrity photo hackers, and says the majority of tutorials that members post for each other reference the use of freely available tools that allow anyone in possession of a valid Apple username and account password to download iCloud backups for that account.

Apple Alerts: A Start

Apple doesn't offer two-factor authentication to restrict access to iCloud backups, nor has the company said it plans to do so, although Apple has promised to implement a warning system when it sees signs of account hijacking.

I've reached out to Apple multiple times, requesting comment on why it isn't addressing the iCloud backup vulnerability being actively exploited by attackers, but have yet to hear back.

Marc Rogers, principal security researcher at mobile anti-virus vendor Lookout Security, says the warning system is a needed step in the right direction. "It's true that alerts alone won't stop attackers, however knowing when accounts have been attacked is an incredibly important step in being able to prosecute the attackers, and that in turn will have an effect on the attacks," Rogers tells me. "It's worth noting that this is much bigger than Apple - it's an industrywide topic - though obviously Apple will always be a target because it's so popular with people, and that then attracts the bad guys."

Better Security Through Lying

Apple hackers have also been exploiting the company's password-reset functionality, which allows users to answer secret questions to change an account password.

But secret questions have limits. The 2012 hack attack against presidential candidate Mitt Romney's Hotmail account, for example, allegedly reset the password after the hacker correctly entered the name of Romney's "favorite pet," which had been recorded in numerous news stories.

The takeaway here is simple, if counterintuitive: "Lying can protect your iCloud account," says independent security expert Graham Cluley. Just keep track of your answers, preferably in a password manager.

Creepy Attackers: Worse Than You Think

Celebrities aren't the only victims of image hackers. Indeed, attackers are also using social engineering attacks, remote-access Trojans, cloud backup-retrieval tools and password resets to harvest photos and videos from a wide variety of devices, be they an iPhone or iPad, Android smartphone or tablet, or a teenage girl's laptop webcam.

"I've researched Facebook/Twitter/etc. spam/ads in the past," Sean Sullivan, security advisor at Helsinki, Finland-based antivirus vendor F-Secure, tells me. "And I've come across the type of subculture responsible for this stuff as a result of reverse-image searches. Sadly, what's been written about in the last week is really just the tip of the iceberg. Webcam RATs, Facebook crawlers ... they all interconnect," and not in a good way.

So, if you're not covering your laptop's webcam with a Band-Aid, consider starting. "It's no wonder that young people like apps such as SnapChat for basic communication," says Sullivan. "Visual ephemeral IM - they try not to leave a footprint if possible."

Tapping ephemeral messaging tools might not be a fit for every business's communication needs. Furthermore, it's difficult not to leave traces of everything we do, especially as Facebook keeps recording it all and Google keeps indexing it without ever forgetting.

But at least outside work, staying secure might require that we leave fewer traces of ourselves, both on our devices and in the cloud.



About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



