::Trend Micro Threat Resource Center::

Showing posts with label brute force. Show all posts

06 September 2014

Nude Celebrity Photo Dump Has Many Asking What Happened


Hundreds of private photos belonging to several high-profile Hollywood actresses were posted online this past weekend. They are explicit in nature, and were not intended to be seen by the public. But they have been.

The question, now, is how did this happen?

The details of the hackings haven’t been worked out quite yet, but there are two popular theories floating around: the first is that the hacker, or hackers, exploited a vulnerability allowing cybercriminals to make an unlimited number of password guesses on Apple’s cloud service offering, iCloud. This type of attack—repeatedly guessing passwords until the successful password is found—is called a brute force attack, and is typically done with an automated program. Once an iCloud account is breached, or any cloud service for that matter, the hackers can view and retrieve anything saved in that cloud such as contacts, photos, saved notes, and more.

The second theory, one suggested by Apple after it made an official statement on the situation, is that these celebrities may have fallen victim to a social engineering attack. Social engineering attacks are attacks that take advantage of social habits in order to compromise an account or gain access to sensitive information. For example, a “hacker” could pose as someone who works at your company, but in a different department, in order to trick you into giving up sensitive company information. This wouldn’t be the first time that a social engineering attack made headlines. In 2012, digital journalist Mat Honan had his life turned upside down when hackers gained access to nearly all of his online accounts through social engineering techniques.

Regardless of which theory is accurate, the result is fairly predictable: someone involved with the hacking ring, or the single person who accrued all of these photos, wanted to show off on an Internet imaging board and posted stolen photos. Those photos, of course, were shared throughout the Web, and the privacy of these well-known individuals was shattered.

We won’t know what hacking method was used for some time, possibly not until after an F.B.I. investigation. That investigation won’t restore anyone’s lost privacy, but it’ll hopefully result in some much-needed justice. In the meantime, what can people do in order to protect themselves from such attacks?


Of course, with celebrities being in the public eye, the demand for their personal photos is quite high. Still, while you may not be a celebrity, there are a few important steps that you can take to protect your online identity, and your private photos.
  • Be wary of uploading to the cloud. By default, iPhones upload photos to iCloud through a feature called “Photo Stream.” This is done to preserve your photos in the event of phone failure, and enable you to access photos from any of your devices. In this context, however, having personal photos in multiple places only increases the likelihood of those photos leaking. If you feel that you need to disable Photo Stream, follow Apple’s instructions here.
  • Be careful what photos you take with your mobile device. Even if you’re not sending them to anyone or uploading to the cloud, do remember that your phone or tablet can be lost or stolen. 
  • Use strong passwords. Every online service requires the use of a password. These passwords need to be complex in order to ensure your security. A complex password is at least eight characters long and uses a combination of upper and lower case letters, numbers and symbols. These passwords should be unique to each site and should be changed every six months at a minimum.
  • Use a password manager. The reason why strong passwords aren’t used enough is largely attributed to the fact that they’re more difficult to remember. Complex passwords can also be a pain to use on mobile devices.
  • Enable two-factor authentication wherever possible. Two-factor authentication is a security standard that requires the account holder to possess two things: knowledge (like a password or answer to security questions) and something that only they would have (like a phone number). Two-factor authentication is a great way of preventing hackers from gaining access to sensitive accounts, and would’ve likely prevented this whole situation from taking place if enabled.

Be warned: there is no one silver bullet to digital security. Vulnerabilities exist because of how programs are built and how they interact with one another. The best way to stay secure online is to stay knowledgeable about security defense and use the techniques you need to stay safe surfing.

04 September 2014

Apple Not Hacked In Celebrity Nude Photo Breaches

"Very targeted attack" on celebrities' Apple usernames, passwords, security questions -- iCloud, Find My iPhone not breached, Apple says.


This afternoon, Apple confirmed that stolen and leaked private photos of several celebrities were not due to a breach in its iCloud or Find My iPhone services. Speculation swirled over just how the attackers accessed the accounts of Jennifer Lawrence, Jenny McCarthy, Rihanna, Kate Upton, Mary E Winstead, and others.

A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone after Apple reportedly issued an update that fixed a hole that would allow a brute-force password attack.

In a statement issued today, Apple said:

"When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."


Apple recommends users create strong passwords and use two-factor authentication, which is an option for Apple ID accounts. Apple did not comment on the reported flaw nor did it respond to questions about it via a media inquiry.

After hearing about the possible patch by Apple, one security expert says he tested whether Apple ID would lock him out after a certain number of attempts: it did. "After ten attempts, it locked me out," says Rik Ferguson, global vice president of security research at Trend Micro. He was unable to confirm whether Apple's authentication service had always done so, or whether this was due to a fix by Apple in the wake of the celeb hacks.

Either way, brute-forcing would require knowing the email address of the target, he says.

It's not surprising that most consumers and celebrities don't opt for the second factor of authentication since it's not required, experts say. And weak passwords most likely played a major role in the attack, they say.

"This breach could have been prevented if iCloud required users to use a two-factor authentication to access their accounts. This will require users to enter a numerical code that is sent to their phone or another device, in addition to using their regular password," says Vijay Basani, CEO of EiQ Networks. "Since numerical code always changes, it makes it difficult for the hackers to gain access [and breach the account], even if they can guess the password."

18 September 2012

HOWTO Brute Force Android Encryption on Santoku Linux

This HOWTO will guide you through the process of cracking the PIN used to encrypt an Android device (Ice Cream Sandwich and Jelly Bean) using brute force on Santoku Linux Community Edition.