Altruistic World Online Library

How celebrities' nude photos get leaked
by David Goldman, Jose Pagliery and Laurie Segall
CNNTech
September 2, 2014

NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT

YOU ARE REQUIRED TO READ THE COPYRIGHT NOTICE AT THIS LINK BEFORE YOU READ THE FOLLOWING WORK, THAT IS AVAILABLE SOLELY FOR PRIVATE STUDY, SCHOLARSHIP OR RESEARCH PURSUANT TO 17 U.S.C. SECTION 107 AND 108. IN THE EVENT THAT THE LIBRARY DETERMINES THAT UNLAWFUL COPYING OF THIS WORK HAS OCCURRED, THE LIBRARY HAS THE RIGHT TO BLOCK THE I.P. ADDRESS AT WHICH THE UNLAWFUL COPYING APPEARED TO HAVE OCCURRED. THANK YOU FOR RESPECTING THE RIGHTS OF COPYRIGHT OWNERS.

How did private, nude photos of Jennifer Lawrence and other celebrities get leaked all over the Internet Sunday?

It was a combination of weak passwords, easy-to-guess security questions and a bug in Apple's photo backup service that has since been fixed.

On Tuesday, Apple (AAPL, Tech30) concluded hackers were able to force their way into celebrities' private photo collections by repeatedly guessing passwords -- or answers to their security questions.

This was possible, because of a bug in the system Apple uses to remotely store photos and documents: iCloud.

Well-guarded systems only let users guess passwords a handful of times before blocking access. But until this week, Apple's iCloud service allowed people to guess passwords over and over again. It would never lock out. Eventually, hackers hit it right.

Also a likely culprit: the "forgot my password" feature. If you don't remember your password, the system asks you security questions to grant access. These actresses, models and singers lead public lives, and answers to questions about their past are easily found on Wikipedia and elsewhere.

It's similar to what happened to Alaska's former governor, Sarah Palin. Hackers accessed her personal email account. One of the security questions she had set to retrieve her password was her birthday.

Apple assured the public these hackers did not break into the company's core computer systems, which house all of its users' data. So iCloud itself was not hacked.

"Certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple said in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."

But this is another event that stresses the importance of secure passwords. Celebrities are already prime targets of malicious behavior, so they need to be especially careful online with extra precautions to keep hackers at bay. Strong, hard-to-guess passwords are a must.

Passphrases are especially strong passwords, particularly ones that are easy to remember but are long and hard to guess (example: "1 Day I ate 364 bananas & 13 cherry Pies!!!").

It's also vital to use password-protecting tools like two-factor authentication. That option, available on most email or file-sharing platforms, is a second, temporary password that usually arrives in the form of a text message.

It prevents anyone from accessing your account without also being in possession of your phone. And it would have prevented this.

CNNMoney (New York) September 2, 2014: 4:42 PM ET

Gang of hackers behind nude celebrity photo leak routinely attacked iCloud: 'Months of hard work' behind publication of more than 100 stars' private photos as hackers ask for bitcoin and go underground. Can we learn not to gawp at degrading material online?
by Charles Arthur and Alexandra Topping
September 2, 2014

NOTICE: THIS WORK MAY BE PROTECTED BY COPYRIGHT

YOU ARE REQUIRED TO READ THE COPYRIGHT NOTICE AT THIS LINK BEFORE YOU READ THE FOLLOWING WORK, THAT IS AVAILABLE SOLELY FOR PRIVATE STUDY, SCHOLARSHIP OR RESEARCH PURSUANT TO 17 U.S.C. SECTION 107 AND 108. IN THE EVENT THAT THE LIBRARY DETERMINES THAT UNLAWFUL COPYING OF THIS WORK HAS OCCURRED, THE LIBRARY HAS THE RIGHT TO BLOCK THE I.P. ADDRESS AT WHICH THE UNLAWFUL COPYING APPEARED TO HAVE OCCURRED. THANK YOU FOR RESPECTING THE RIGHTS OF COPYRIGHT OWNERS.

Hackers claimed to have obtained nude pictures of Jennifer Lawrence at the end of August. Photograph: Frederic J. Brown/AFP/Getty Images

A gang of hackers who collected and traded nude pictures of female celebrities by routinely breaking into Apple's iCloud system were the source of private photographs leaked online, new evidence shows.

Private photos and videos of more than 100 mostly female American and British stars were released on the internet on Monday from the 4chan website, sparking condemnation from the Oscar-winner Jennifer Lawrence and other actors including Kirsten Dunst, Kate Upton and Briton Jessica Brown Findlay.

Chatroom transcripts show that "OriginalGuy", a member of the gang who has now gone on the run, boasted that the hacking of accounts belonging to Lawrence and others "is the result of several months of long and hard work" and that "several people were in on it".

Other chatroom transcripts show that the gang had offered nude pictures of female celebrities and athletes for sale, and others offered to "rip" the iCloud backup accounts containing photos for anyone once they were given their user name and password. The iCloud backups come from the stars' iPhones, which automatically store photos online for up to 30 days or until they are downloaded.

The revelation comes as the FBI and Apple started investigating the security breach, the most serious ever to affect the iPhone maker and a serious blow to its efforts to push new devices expected to incorporate mobile payment functions next week.

There are more than 800 million iCloud accounts globally – but the chatroom transcripts suggest there is now a growing semi-professional trade in "ripping" iCloud accounts, posing a serious problem for Apple's security profile.

The FBI said it was "aware" of the hacking allegations and was "addressing the matter". Apple said in a statement that it was outraged by the hack and immediately mobilised engineers to discover the source. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the internet," the company said.

"None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."

The gang seems to have been gathering and swapping pictures collected from celebrities' backups for years.

On 26 August, one poster on AnonIB, an anonymous pornographic image sharing site, claimed to have secured a "major win" for hackers looking for nude pictures of Lawrence. He wrote: "I mean explicit vids and pics, see for yourself/don't have it tho, but everyone says its legit."

Now the poster has gone on the run, after posting a brief message asking for bitcoin donations, which are untraceable. The release of the photos appears to have been unplanned and to have thrown the gang into disarray, with some trying to cash in by offering photos for bitcoins on public sites such as 4chan, while others have gone further underground.

Jonathan Zdziarski, an independent security researcher, said he has tracked the Bitcoin address used to solicit donations for some of the celebrity pictures and found it belongs to the owner of a Dutch photo-hosting site – which he says is also distributing an "original version" of the pictures released earlier this week.

The photos fell into the hands of hackers even though Apple encrypts iCloud backups using the four-digit code users create when setting up their device.

The backups can be downloaded and cracked offline once a hacker has gained access to the user's account – which in the current cases was achieved by answering security questions on Apple's password reset system, such as "Where did your parents meet?", using publicly available information.

The gang appears to have operated in a similar way to child abuse rings, which are closed to newcomers unless they can provide "new" photos for the rest to share.

One user on the Reddit website said: "These guys conduct individual attacks on celebs through a mix of social engineering" – whereby hackers pose as support staff or send official-looking emails to gather information – "and, especially for more high-profile targets, straight-up hacking."

The long-running attempts to break into high-profile users' accounts could explain how photos from as long ago as December 2011 – two months after Apple launched iCloud – could appear in the lists of files held by some group members.

Another transcript seen by the Guardian includes a user claiming to "have nudes of possibly the hottest athlete there is", while another user says: "I have a confirmed iCloud email of a celebrity, was wondering if someone could help crack and rip it."

The existence of the group and its obsessive pursuit of stars' personal photos points to the growing risk from the use of "cloud" systems with smartphones.

Martin Garbus, a New York trial lawyer who over the years has represented actors Al Pacino, Sean Connery, Robert Redford and others, said on Tuesday that worried clients had approached him about security issues.

"Nothing is safe on the internet, period," he told Reuters. "Everything on your iPhone, whether it be phone calls, message texts, pictures, is all available." He said he was not surprised by the hacking because he said he has seen it in the past. "There are just so many different ways that one's privacy can be invaded."