The fact of the cloud Fappening

So, here we are, waking up to a bunch of gossip about how nude pictures came off the Cloud. This time around it was iCloud from Apple, although Apple officially denies any break in to their much popular iCloud service.
I’m sitting here, thinking, yes it happens from time to time… lol What if this was company sensitive data? Like drawings for the next version of Tesla car, next Oil rig, next blueprint for the new revolution in aerospace flight? What if?

Would the regular media blow this thing so much out of proportion if that was the case? Would it just be a little article in today’s wall street journal? We’ve all seen what’s on those pictures, nothing new, it’s perfectly human, neither good nor bad. Cloud Computing has  issues, that’s for sure.

Last Sunday, hundreds of private pictures of famous Hollywood stars leaked online. It is still unclear who is behind the attack, but there are several assumptions about how it was conducted. Most assumptions imply that the pictures are taken from the victims’ iCloud accounts. iCloud is Apple’s cloud service for seamless storage and syncing content across devices tied to one account. In essence this means that iCloud makes your contacts, messages and photos available anytime and anywhere. If you are unfortunate enough to lose your phone, you can easily restore a copy of the entire contents of a new gizmo from the cloud. This sounds sublime right?, until you look at the security: By gaining access to your iCloud account, a hacker get’s access to all your private data.

And that is exactly the scenario that played out for several Hollywood celebrities this weekend. The incident, which has been dubbed “The Fappening”, is the denomination of a leak of hundreds of private celebrity photos online.

But how has anyone got access to so many accounts? The answer is frighteningly simple.The hackers behind the Fappening has probably taken advantage of this: Celebrities when they were exposed to hacking, in all probability not activated multi-factor authentication. Because of this, hackers have managed to clear up until the passwords using specialized programs.

However, a weakness in Apple’s security regime makes it possible to predict one iCloud account’s password countless times a minute. In practice, the program asks Apple’s iCloud service for a username / password combination is correct, and Apple’s servers answer yes or no. If the password is weak enough, the hacker with this method easily access your account.

Last week, let a security company out an application on GitHub. The program demonstrates how easy it is to implement this password attack against Apple’s iCloud service. Apple has of 09/03-2014 denied that the software has been a part of the hack

The combination of the Russian recovery software and security firm kodebrekkingsprogram, making it very easy for anyone with basic programming knowledge to carry out a similar attack. There is no evidence that the current kodebrekkingsprogrammet used here, but the theoretical procedure is similar.

You can’t govern for absolutely everything! Everything’s about risk appetite and balancing the cost of protecting the confidentiality of an asset versus the likelihood of that asset being compromised. It’s always a balancing act to be done; however, I would say that cloud services are inherently more secure than non-cloud alternatives. It’s just as probable that information could have been found on a CD that had been dropped in a bin, or somebody’s laptop that they’d end-of-lifed and put out to be scrapped.

So is it a matter of education for users? Is it a case of knowing the cloud isn’t infallible? I think that for general cloud services, you have to make the assumption that the information could leak one way or another. After more than 40 hours of investigation, several IT security companies have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. One should always think and use some common sense has to apply, and there’ll always be the scaremongers. As technology has evolved, there are always inflection points where technology advances and there are always the naysayers who have something negative to say about it.

I’ve been talking about this at a bounch of seminars, the fact that we have had the problem with floppy disks, usb drives, usb keys, CD’s, VHS,DVD’s, Blue-Ray’s and now the Cloud. Back in the 90s, how many videos leaked? Anybody remember Pamala Anderson and her ex? You should have private stuff tucked away into a safe right? Well, the same applies to the Cloud. You need a VAULT of some sort. 

It has long been a bad idea to use passwords that passord123 and to use the same password on multiple services. Then you are especially vulnerable if a service is experiencing a data breach, since the email address / password combination is also valid elsewhere. But it’s impossible to keep track of complex passwords with numbers, symbols and letters. Fortunately, there are services that do the job for you. One of them is LastPass… In addition, with two-factor authentication you are even safer. Apple introduced this not long ago here in Norway ( in July, actually ). This means that all changes linked to your Apple account can not be done without entering a code sent to you via SMS, so even if someone gets retrieving your password, they will not be able to log in from another device without being in possession of a cell phone too, smart eh?

Well, where does this leave us? Well, start really with your users, if you are a admin! Take controll with solutions like XenMobile and ShareFile from Citrix! Don’t let the users share stuff, put it into the Cloud, without you knowing, especially company stuff! 

Oh, here is how you turn off the photostream in iCloud, in case you put all your photo’s up in the iCloud, like a regular Upton…:)

To disable automatic upload of all pictures you take with your iPhone or iPad, do the following: 

1. From the home screen, press “Settings” -> “iCloud” -> “Pictures”. 

2. Disable “My photostream”, which is the feature that automatically uploads new photos.

Have a Safe Cloudy day!