Analysis: Was phishing or brute force responsible for the attack?
Both businesses and consumers are increasingly reliant on services such as Apple’s iCloud, which has been implicated in the celebrity picture attack.
Companies are now using such services to store intellectual property as well as information about their customers, and this makes them a prime target for hackers.
For its part, Apple has said it is investigating the issue, with iCloud under severe scrutiny on the basis of speculation from 4chan, the internet board where the story originated. Yet even now clues have surfaced about what has happened, which should also lead us to an appropriate response.
Is it a problem with iCloud?
Following the leak Apple quietly issued a security patch to protect its iCloud users from brute force attacks based on a Python script posted on GitHub, a public code repository, that seemingly avoided security features blocking multiple failed login attempts to the company’s Find My iPhone service. Speaking to the Next Web, a tech site, the author confirmed that it could have been used in the leakage of celebrity photos, although he had not seen any evidence that this was the case.
This is not the first time the Find My iPhone feature has been called into question, nor the security of iCloud. Earlier this year Australian Apple customers were held to ransom by a hacker thought to have exploited the cloud service, an accusation the company firmly denied afterwards, attributing the breach to an ID and password scam.
At this point nobody is sure whether brute force is responsible for the celebrity photo leak. Another possibility is that the victims were exploited through phishing attacks, inadvertently revealing their details to hackers after being tricked by many of the iCloud scams identified by security firm Symantec.
Satnam Narang, security response manager at Symantec, said: "Whether or not iCloud was the point of compromise in this incident, scammers have been interested in stealing these credentials for some time." He warned that users should be wary of emails purporting to be from trusted companies.
Security’s head is not in the clouds
Some point instead to problems with the way many cloud services operate. Chris Boyd, malware intelligence analyst at Malwarebytes, said: "With today’s devices being very keen to push data to their own respective cloud services, people should be careful that sensitive media isn’t automatically uploaded to the web, or other paired devices."
Like others, Boyd has pointed to the problems that having an "undo" delete button on a cloud service can create for users. This problem was raised on the day the story broke by actress Mary Winstead, who said: "Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this."
Creepy or not, there is a lack of transparency about cloud in general, according to Raj Samani, EMEA chief technology officer at McAfee. For consumers it is part of a broader pattern in which they use technology rather than seeking to understand it, and the same can often be said of business, with potentially disastrous consequences.