Over the weekend, a major news story broke about an iCloud attack in which hackers broke into the accounts of 100 female celebrities to steal compromising nude pictures. Every. single. time there’s a “hacking” incident, the media coverage is awful— and the security advice is even worse. Case in point:
In all of the discussion of the incident,
it’s important to note that:
- Apple’s code for iCloud was not breached, but the security measures they had in place were not sufficient in preventing this type of attack.
- It appears that a group selectively targeted and hoarded private information over time– there is no evidence that they used the iBrute tool that was on Github, rather they had a pirated version of police software.
- The lack of rate limiting (i.e. the thing that only gives you a few attempts to get your password right before locking you out) in the “Find My Phone” API gave thieves endless tries to guess the correct password.
- The methods being used for this particular kind of attack ARE NOT NEW. Look, multiple people who knows more about security than me said so AND AGREED, which is nuts:
According to Nik Cubrilovic, a security researchers who took a lead in digging around in investigating the photo leak,
After this story broke I spent some time immersed in the crazy, obsessive subculture of celebrity nudes and revenge porn trying to work out what they were doing, how they were doing it and what could be learned from it.
1. What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public. The networks are broken down horizontally with specific people carrying out specific roles, loosely organized across a large number of sites (both clearnet and darknet) with most organization and communication taking place in private (email, IM).
2. The goal is to steal private media from a targets phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices. To access the cloud based backup requires the users ID, password or an authentication token.
Let that sink in for a minute— there are entire communities in the bowels of the internet organized around the activity of violating a woman’s privacy and stealing backups of her data for their own pleasure and gain and they thrive on keeping evidence of the breach quiet.
So wait– how in the hell is the common web user supposed to protect themselves from THAT?
Okay, well, there are a few things :
- Use 2-factor authentication everywhere you can, though in this specific case it wouldn’t have helped
- Use strong, unique, random passwords
- Use passphrases, they are harder to crack than simple words
- Use a password manager like 1Password to help you do this for all 200+ online accounts you use.
Being secure isn’t easy— it’s overwhelming to those who don’t consider themselves to be technologically inclined, and sometimes it is wildly inconvenient. Technologists know that people are suck at security, though, and the security community knows very well that the people who suck at security outnumber the people who don’t suck at security.
We (the techie people) know all of these things about our users, and yet…
When you look around, there are a bunch of technologists who aren’t building new technologies and new security tools to fit the needs of our users. (The EFF is doing great work in usability research to try to combat this.) But in many, many, many cases — so many cases, so little time— there is so much more that could be done to protect users’ passwords and the data that those passwords guard.
Technologists, take note and get on these things stat:
— End the era of plaintext password storage by hashing, salting and bcrypt-ing the ever-loving hell out of passwords to secure them.
— Let people create longer, more complex passwords — I’m looking at you, consumer sites that tout PCI compliance but only let me have 8-16 characters and ask me easily-Googlable information for security questions.
— Guide users towards using words and phrases, even though this won’t catch on quickly, and even though they won’t like it.
— Build more multi-factor authentication and use it wisely to protect users.
— Stop prioritizing low barrier to entry strategies for user signups, and implement proper security (AND PRIVACY SETTINGS) by default.
“But wait!” you might be saying– “ugh, the password is SO DEAD, SO OVER.” It doesn’t matter that we think passwords are dead and so, so over, that people use the same one everywhere— the average technology company has neither gotten the memo yet nor created an authentication replacement, and the average web user has little to no idea, even after all of this iCloud screaming that their precious, precious passwords can be cracked in seconds. After all of this time, if we still haven’t gotten to know our users— if we haven’t learned by now that people do things even when we tell them not to, if our best security advice is the equivalent of behavior policing— we’re all doing it wrong.
FYI, we shouldn’t be blaming the people who have been hacked for their victimization— we should be pointing fingers at the criminals and the companies who do these things and ship the products that make this. Users and technologists both have to take responsibility for security— but how the hell can we expect the layman to actually figure this out when *this* is the advice that the average layperson is getting?***
We *always* say this, that THIS time is the wakeup call and next time will be different… but it never is.
We have to educate and empower users about security and privacy, we are at a place where a handful of people making decisions can affect millions of people.
We have to teach the media that “hacking” is not a one-size-fits-all occurrence– there is nuance in all of this technology, and not every security issue is a massive code flaw or 0day exploit.
We need to recognize and accept that users are going to do what they want with the tools that we build, and we need to build things that will correct for that. Because if we don’t, the security theater and snake-oil of even more insecure technologies (see: Snapchat) will proliferate and our collective privacy will be even worse off than it is now.
Security is a two way street, even when our users suck at it, even when the job of educating users is difficult, we have to keep up our side of the bargain. Because right now, we are all potential targets of someone, somewhere, whether it is the NSA tracking our metadata, a data broker grabbing every bit of information they can about us, or someone who is hellbent on gaining access to your private information for some god-awful nefarious privacy-violating business. There is much, much more at stake here– companies push vulnerabilities every time they commit code, no matter how stringent their security… and the country we live in does everything in its power to further weaken the technologies we entrust with our personal, private, intimate information.
This is bullshit. We can do better. And until next time, a word of advice:
**Heartbleed was NOT a virus created to steal your passwords, it was a code flaw in OpenSSL that could silently leak your information to an attacker through the infrastructure their software created. If you cannot understand the difference between the two, you should not bother reporting about technology.
*** Media people, 4chan is not a hacker— it is not a person at all, it is an online community full of people often referred to as inhabitants the bowels of the internet. Also, is everyone who gets unauthorized access to anything forevermore going to be referred to as a sysadmin because Snowden? Really?
Filed under: security