
This week the Internet was shaken by the story of the leak of hundreds of intimate photos of celebrities (articles on Habr on related topics here and here). One of the most thorough investigations of this story was carried out by Nik Cubrilovic, an Australian-born businessman, blogger, engineer and software developer all in one. At various points in his career Nik has been a journalist and consultant for TechCrunch and CrunchPad, editor of TechCrunchIT, and founder or co-founder of Omnidrive, Solutionstap, MyVirtualDrive, Webwall, 2web and others. Details under the cut.
Disclaimer: While working on the callback module for the Witget platform, we constantly sift the Internet for new trends and ideas (anyone interested in our new product, which is directly related to the topic of this article, will find it in the postscript). While studying the topic of privacy we came across Nik's investigative article. It seemed to us so interesting, so reflective of how important privacy has become and how vulnerable all of us are, that we decided to translate it in full and share it with the audience. We translated as best we could, so do not judge too harshly (a link to the source follows the article). The translation is in the first person.
It is interesting how, from time to time, information security collides with other industries and subcultures. Since a huge amount of information is now stored and distributed on the Internet and across various devices, stories about hacking surprise no one. This one happened on September 1st: dozens of celebrities became victims of hackers who managed to steal hundreds of private photos and videos from cloud storage.
The essence of the story is that a huge number of intimate photos of many well-known celebrities began appearing on image boards and forums, the best known of them being anon-ib, 4chan and reddit.
The first photos were published almost two weeks ago but did not attract much attention, as they were put up for sale (only censored previews were offered, in the hope that someone would buy the photos). Only after several users bought them and published the uncensored versions on public forums did the story take off.
At least a dozen celebrities are involved: more than 400 personal photos and videos were stolen, in the form of dumps. An anonymous list of celebrity names, laid out like an advertising leaflet, was published, indicating that the personal data of more than 100 people had been compromised.

After this story broke, I immersed myself for a while in this crazy subculture of thieves of intimate celebrity photos and videos, trying to figure out what the hackers did, how they did it, and what can be learned from all of it.
1. The part of the personal information that users see after all these hacking incidents is only the tip of the iceberg.
(Image: Internet metaphor, the visible and invisible parts of it)
There are entire communities and resellers where stolen data is passed into private hands and rarely shared with the public. Break-ins are carried out constantly by a particular set of people, each of whom has a specific role. The activity is loosely organised, but there are a huge number of sites (both on the open Internet and on the "darknet", the part of the network hidden from search engines where all users remain anonymous) where the "market participants" communicate, although most of the communication between them happens over e-mail and instant messaging.
2. The goal is to steal personal data from the victim's phone via the cloud backup services built into the iPhone, as well as Android and Windows Phone. Access to these stores requires a user ID together with a password or an authentication key, which serves as the identifying credential.
3. The participants can be divided into several categories:
- Users who monitor Facebook and other social networks, looking for suitable "targets" and collecting as much information about them as possible. This includes studying public records and obtaining credit histories, creating fake accounts to befriend the target or the target's friends, persistently gathering information that could answer secret questions, establishing closer contact with the target's friends, etc.
- Users who use that data to "recover" passwords or authenticate. There are several methods for this, and for many of them instructions are available online. The most common are RATs ("remote administration tools", utilities for unauthorised access to a remote user's system), phishing, password recovery and password reset. RATs are simple remote-access tools that users are tricked into installing on their phone or computer through private messages or e-mail (as a link or an attachment). In phishing, the victim receives an e-mail proposing to reset or change a password, which tricks the user into entering the password on a site or form controlled by the attacker. Password recovery means gaining access to the user's e-mail account (again via secret questions or some other technique) and receiving a link that, when clicked, gives the attacker access to the cloud storage. The password reset technique requires a date of birth and the answer to a secret question (often publicly available data such as birthdays or favourite sports teams, so the account can be taken over without much difficulty).
- Users who obtain a login and password or an authentication key, and then rip the cloud backups using software such as Elcomsoft EPRB. Naturally, this software is pirated; it supports extracting and dumping entire backups, including messages and deleted photos.
- Finally, "collectors" gather all the stolen data and sort it into folders, as a rule on Dropbox and Google Drive. The same people later create a preview for each set of photos and attach their e-mail address for contact. The e-mail addresses of such "collectors" or other image sellers are obtained by referral, usually through someone involved in the break-ins or in redistribution.
4. A common source of new customers in this area is newcomers who want to hack someone and turn to one of the networks providing such services, usually found via keyword searches or on forums. A new client must provide a link to the target's Facebook account and as much information as the hacker would need to break into the account, plus all possible assistance in installing a RAT if necessary. In exchange, the hackers give the customer a copy of the extracted data, which they also keep for themselves. For me this is the most unpleasant aspect of such networks: the realisation that there are people who will reveal everything about their friends in order to get a dump of all their personal data.
5. I studied a lot of posts on forums and image boards, entered into correspondence, sent requests to such services, and so on, and nowhere was the relatively crude Find My iPhone API technique (publicly exposed and used in iBrute) mentioned. This does not mean that hackers do not use it in private. However, judging by the skill level required, the references to and instructions for the other techniques, and some bragging about successes with social engineering, password recovery and reset, phishing and RATs, it appears that these techniques are either not needed or are unknown in hacker circles.
6. The most popular "target" for attacks is iCloud, because Camera Roll backups are enabled there by default, and in addition the iPhone is a very popular platform. Windows Phone backups are available on all devices but disabled by default (they are often enabled, though I could not find statistics), while backups on Android are done by third-party applications (some of which are also under attack). Google+ provides a set of features for backing up photos uploaded through its app.
7. Apple accounts seem particularly vulnerable because of the recovery process, the password requirements, and the ability to determine whether an iCloud account exists for a given e-mail address. The recovery process is divided into several stages, and the hacker can in principle be stopped at each of them. Although Apple does not disclose during the recovery process whether an e-mail address is a valid iCloud account, it will tell you whether it is valid if you try to register a new account with the same e-mail, so verifying it (or breaking it) presents no difficulty. The second step is the date-of-birth check, which is passed successfully if the hacker can guess it (and most likely already knows it); the last step involves two security questions. It would be better for Apple to remove the registration interface that shows new users whether their e-mail is already an iCloud account. It would also be a good idea to fold the entire recovery process into one big step, where all the data is checked at once and no error message is returned to the user. In addition, it would be wise to impose rate limits and hard lockouts of this process for each account.
The ability to POST an e-mail address to https://appleid.apple.com/account/validation/appleid (Update: Apple has closed this hole and the link no longer works) and receive a response indicating whether the account is valid or not, combined with the practically complete absence of rate limiting, is a real bug.
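As an added illustration of the recommendations above (this is example code written for this translation, not Nik's or Apple's), here is a hypothetical single-step recovery check in Python: e-mail, date of birth and secret answer are validated together, one generic yes/no is returned whatever failed (including a non-existent e-mail), and attempts are rate-limited per account. The names AccountStore and recover, and the limits, are assumptions.

```python
import hashlib
import hmac
import secrets
import time

ATTEMPT_LIMIT = 5       # recovery attempts allowed per account per window
WINDOW_SECONDS = 3600   # length of the sliding window in seconds
KDF_ROUNDS = 100_000

# Constructed dummy record used for unknown e-mails, so the same work is done
# and the same answer returned whether or not the account exists.
DUMMY_SALT = secrets.token_bytes(16)
DUMMY_ANSWER = hashlib.pbkdf2_hmac("sha256", b"dummy", DUMMY_SALT, KDF_ROUNDS)

def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise, then use a slow KDF so a leaked table of hashes is not cheap to reverse.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, KDF_ROUNDS)

class AccountStore:
    """Hypothetical account store with a single-step, rate-limited recovery check."""

    def __init__(self):
        self.accounts = {}   # email -> {"birthdate", "salt", "answer"}
        self.attempts = {}   # email -> timestamps of recent recovery attempts

    def add(self, email: str, birthdate: str, answer: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"birthdate": birthdate, "salt": salt,
                                "answer": _hash_answer(answer, salt)}

    def _rate_limited(self, email: str, now: float) -> bool:
        recent = [t for t in self.attempts.get(email, []) if now - t < WINDOW_SECONDS]
        self.attempts[email] = recent
        return len(recent) >= ATTEMPT_LIMIT

    def recover(self, email: str, birthdate: str, answer: str, now=None) -> bool:
        """Check every field in one step and return a single yes/no, so the caller
        learns neither which field failed nor whether the e-mail exists at all."""
        now = time.time() if now is None else now
        if self._rate_limited(email, now):
            return False                      # hard lockout for this account
        self.attempts.setdefault(email, []).append(now)
        rec = self.accounts.get(email)
        salt = rec["salt"] if rec else DUMMY_SALT
        expected = rec["answer"] if rec else DUMMY_ANSWER
        stored_birth = rec["birthdate"] if rec else ""
        # Constant-time comparisons, both always evaluated (no short-circuit).
        ok_answer = hmac.compare_digest(_hash_answer(answer, salt), expected)
        ok_birth = hmac.compare_digest(stored_birth.encode(), birthdate.encode())
        return rec is not None and ok_answer and ok_birth
```

Unknown e-mails go through the same KDF and the same attempt counter as real ones, so neither the response nor its timing reveals whether an account exists.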
a) To recap once more the main techniques used in the break-ins, I list them in order of popularity/effectiveness:
- Password reset (secret questions / answers)
- Email Phishing
- Password recovery (hacking email account)
- Social engineering / RAT installation / authentication keys
b) Once they have access to the account, consider that they have access to all the data: they can locate the phone, intercept SMS and MMS messages, recover deleted files and photos, remotely wipe the device's memory, etc. In our case the hackers were mostly interested in personal photos, but for some time they could have completely controlled the account.
8. Authentication keys can be stolen by a trojan (or via social engineering) from a computer with iTunes installed. Elcomsoft created a tool called atex that performs this operation. On OS X this key is stored in the Keychain. An authentication key is as good as a password.
(Image: how the Keychain works)


9. Two-factor authentication for iCloud does not help prevent a password or authentication key from being used to retrieve backups. Two-factor authentication is typically used to protect account details and updates.
10. A great many hacks occur regularly. There are dozens of forums and image boards where hackers offer their services. Those who offer to extract data in exchange for just a login and password and ask nothing for it are in fact fraudsters: they steal the data and then sell or trade it.
11. The security level of the average user in these networks is extremely low. 98% of the e-mail addresses given in forum ads are with popular providers (gmail, outlook, yahoo), which do not support Tor and do not allow anonymous use. When hacks happen, most users immediately start talking about using a VPN, claiming these technologies are the best, fast, and preserve privacy. It was also incredibly easy to trace the latest data leaks across the Internet (more on this later), find servers with dumps, etc.
12. On the "darknet" forums there are many step-by-step hacking guides, as well as databases of passwords and logins and various documentation on the subject, but as far as content distribution is concerned they are usually one step behind the public image boards. Of course, the latter are more useful for keeping content popular after it is published, and users will visit them more often when new leaks occur. Overchan and Torchan used to receive a constant stream of requests from new users wanting darknet links, and now the image boards have taken over that traffic.
13. The different formats and file names, the inconsistencies and leftover data such as Dropbox files found in the dumps, can be explained by the use of different recovery software (some of which restores the original file names and some not), plus the fact that dumpers and distributors often use Dropbox to distribute files. It is not known how many hackers were involved in extracting the data, but I assume the list of celebrities was the internal list of one of the sales networks. Timestamps, forum posts and other data indicate that this collection was built up over a long period of time.
14. On the topic of information security.
It was easy to track down one of the distributors who posted the purchased private images on 4chan and reddit. He published a screenshot as part of a pitch about selling 60 or more images and videos of the same celebrity, but did not blur out the name of his computer or the names of other computers on his local network.
A reddit user entered this name into Google and tracked down the company he worked for (although they suspected the wrong employee). While tracing each of these names, one of them led back to a reddit account where a screenshot with exactly the same interface had been posted (the guy had a bad habit of posting screenshots from his computer). He denied being the source of the image, but this guy is definitely the distributor who bought the photos from the private network, because at that time the images had not yet leaked onto the Internet.
15. Personally, I make no distinction between those who steal the data directly and those who "only" buy it in order to sell it to the public at a profit.
16. It seems that in the past few days a lot has gone wrong, not only for our new friend but also for other members of this network. They were not going to make these images public, but someone, perhaps the distributor we identified above, decided the opportunity to make money was too good to pass up and decided to sell some of the images. The first post of this series that I was able to track down was made five days before the story became public, that is, on August 26. Each of these posts contained a censored image and an offer to pay a certain sum for the uncensored version. After several such posts, which nobody paid attention to (thinking it was a scam), our distributor decided to publish the uncensored versions, which quickly spread to anon-ib, 4chan and reddit. My theory is that other members of the network, seeing the leaks and the offers to buy photos, also decided to make some money, believing that the images would soon be worth nothing, which led to a rapid drop in the price asked by every distributor who had access to the photos.
17. As for staying secure, the most obvious measures are to choose a stronger password, use secret-question answers that are long random strings, and enable two-factor authentication. It is also a good idea to protect your e-mail by using one address that nobody knows for "sensitive" accounts such as online banking and cloud storage, and a separate contact address that you do not hide. Phones have no privacy mode: all your data and metadata are stored in one place, so the only way to keep a private or more anonymous profile is to buy a separate phone with an account created under a fictitious name. There is a good reason why drug dealers carry several phones, hiding their real identity while "at work".
18. There is no software that users can install and simply keep updated in order to always feel completely safe. Responsibility lies with both the developers and the users themselves. Users must be able to create proper passwords (unique, long passphrases) and know the basics of security and anonymity.
Apple has stated the following:
"After more than 40 hours of investigation, we found that some celebrity accounts were compromised by targeted attacks on usernames, passwords and secret questions, a practice that is now quite common on the Internet. In none of the cases we investigated was the problem caused by a breach of any Apple system, including iCloud or Find My iPhone. We continue to work with law enforcement agencies to help identify the criminals.
To protect against this type of attack, we recommend that all users use a strong password and enable two-step verification."
Source: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/