Securing Lost Data Online: “#TheFappening”

For many months now, a loosely knit group of hackers* has been circulating intimate photos of celebrities on AnonIB, a mostly anything-goes imageboard website. These photos, stolen from individual Apple iCloud accounts, were accessed through a combination of brute force attacks and guessing security questions. Pictures were traded among hackers for new content. Occasionally the hackers would sell individual sets for bitcoins. One such well-connected spectator bought anything he could. For reasons known only to the one called “OriginalGuy,” he decided to dump his collection publicly.

In the hours leading up to the dump, the chatter on AnonIB foreshadowed the magnitude of the release. OriginalGuy knew his release would bring the hacker ring down and told people the “bubble is going to burst soon.” Members of the ring who sourced the “wins” (the underground term for explicit stolen photos of women) began to turn on OriginalGuy. But the damage had already been done. For weeks before the dump pieces of the collection had been appearing on more public channels. Later, when OriginalGuy began experiencing severe connectivity and IP issues, he, or someone who had obtained his collection, began dumping most of the wins on 4Chan, the precursor to AnonIB. Those wins were then live-streamed on Reddit to an audience of over 100,000 people.

The floodgates opened on Twitter within minutes of these photos hitting 4Chan and Reddit. As the lives of these victims were being turned upside down, a wildfire ripped through the Twittersphere. Using hashtags like #jenniferlawrence the world’s population saw the softer side of Lawrence. For hours, seemingly every other tweet with this hashtag contained a nude photo that any 8-year-old could access.

The one common denominator among those hacked is that they all had iCloud accounts. With one of the biggest product launches in the company’s history only days away, Apple sent a rapid response team to determine what went so humiliatingly wrong. Apple came back with the best news it could offer: iCloud security systems were not hacked. The photos had been obtained through brute force attacks on weak passwords or the resetting of passwords through iCloud security questions whose answers were publicly available. Hackers gained access to iCloud primarily through those security questions, finding the answers on social media and in news articles. Other, more advanced hackers used social engineering to insert a trojan onto computers with iTunes installed. That trojan would then report back the target’s iCloud access token.
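
From the defender's side, the two entry points described above (password guessing and security-question resets) leave a recognizable trail in authentication logs. The following is an added example, not code from the original article or from Apple: a small detector run over constructed log lines. The log format, event names (login_ok, login_fail, secq_reset), thresholds and rule names are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, account, source IP, event.
# The event names login_ok, login_fail and secq_reset are hypothetical.
SAMPLE_EVENTS = """\
2014-08-01T09:00:00 alice@example.com 198.51.100.10 login_ok
2014-08-01T09:05:00 bob@example.com 198.51.100.20 login_ok
2014-08-01T09:10:00 carol@example.com 198.51.100.30 login_ok
2014-08-30T01:00:00 alice@example.com 203.0.113.7 login_fail
2014-08-30T01:00:20 alice@example.com 203.0.113.7 login_fail
2014-08-30T01:00:40 alice@example.com 203.0.113.7 login_fail
2014-08-30T01:01:00 alice@example.com 203.0.113.7 login_fail
2014-08-30T01:01:20 alice@example.com 203.0.113.7 login_fail
2014-08-30T01:02:00 alice@example.com 203.0.113.7 login_ok
2014-08-30T02:00:00 bob@example.com 203.0.113.9 secq_reset
2014-08-30T02:01:00 bob@example.com 203.0.113.9 login_ok
2014-08-30T03:05:00 carol@example.com 198.51.100.30 secq_reset
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, account, ip, event = line.split()
        yield datetime.fromisoformat(ts), account, ip, event

def detect(events, max_fails=5, window=timedelta(minutes=10)):
    """Return (account, ip, rule) alerts in chronological order."""
    fails = defaultdict(list)     # account -> timestamps of recent failed logins
    known_ips = defaultdict(set)  # account -> IPs that have logged in successfully
    alerts = []
    for ts, account, ip, event in sorted(events):
        recent = [t for t in fails[account] if ts - t <= window]
        if event == "login_fail":
            recent.append(ts)
            if len(recent) == max_fails:  # fire once when the threshold is reached
                alerts.append((account, ip, "password_guessing"))
        elif event == "login_ok":
            if len(recent) >= max_fails:  # a guess finally worked
                alerts.append((account, ip, "success_after_guessing"))
            known_ips[account].add(ip)
            recent = []
        elif event == "secq_reset" and ip not in known_ips[account]:
            alerts.append((account, ip, "reset_from_unknown_ip"))
        fails[account] = recent
    return alerts

ALERTS = detect(parse(SAMPLE_EVENTS))
```

Failures are counted per account rather than per source address, so guessing spread across several IPs still trips the threshold; a reset from an address the account has used before (carol in the sample) raises nothing.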

Luckily for everyone involved, as far as we know, only photos were taken. Once a hacker gains access to one part of iCloud, they have access to it all: they can track the phone’s location on a map, recover deleted application files and photos, even remotely wipe the target’s phone. Any documents stored on iCloud, such as contracts and financial statements, could have become public. With only a short time before the public debut of iOS 8, which stores more data in iCloud than ever before, Tim Cook was left dealing with the fallout when he should have been preparing to wow the world. Apple was left with a bruise that makeup could not cover in time for the launch.

While what happened to these celebrities will always make international news, they are not the only people who are at risk. In today’s times, any wife, sister, daughter and increasingly brother or son could be a potential victim of “revenge porn”. According to Wikipedia, the “uploaded formerly-private explicit images are often accompanied by personal information, including the pictured individual’s full name, links to Facebook and social media profiles or addresses.” These photos are released to purposefully impose shame, humiliate and attempt to destroy the reputations and lives of the victim. A recent survey found that 13% of women whose significant other has intimate photos of them will release them online, usually without their consent or knowledge. Another study found that men are threatened with being exposed more often than women (12% vs. 8%) and have those threats carried out more than women (63% vs. 50%).

Once sensitive photos are released into the wild, tracking them down can be nearly impossible. The point of no return happens to be the same as the starting gun. Sharing on social media has an exponential cascade effect that once initiated, is nearly impossible to arrest. Once content has gone viral, it’s impossible to tame.

Simply locating the photos isn’t enough, as taking them down isn’t as simple as it seems. Identifying assets among the billions of tweets, videos and other social media posts is nearly impossible to do by human eyes alone. It’s a time-consuming process. Every time a request is made to remove a tweet, post or video, the request must be reviewed by a human employee of the social media network. Like a game of “whack-a-mole,” as soon as one bad post is removed, another two spring up to replace it. Certain high-level organizations can jump the review queue, getting content and imposter accounts killed in minutes. These queue-jumping firms can help dig out the moles en masse and stop data leaks quicker. Moreover, social networking platforms are adept at responding to takedown requests in the instance of copyright infringement, making the task all the easier for corporations. In the case of the hacked celebrities, explicit images exist in a legal grey area.

Technology created by companies like ZeroFox can alert users to the release of offending content quickly. Over 100 celebrities have been named in this data breach, but only 11 have had their photos made public. That leaves a remarkable number of high-profile individuals exposed to blackmail and humiliation. Without proper advanced monitoring they or someone you know may find themselves the next #jenniferlawrence.

ZeroFox has another use when it comes to the spread of these photos. On September 8th, malware was distributed via malicious links claiming to lead to the nude images, ultimately ending in the shutdown of New Zealand’s largest internet provider. The risk to organizations is all too obvious – you’re only as strong as your weakest, or most impulsive, link (pun intended). One employee’s wandering mouse can undermine the entirety of an organization. Watch for attacks of these types to continue capitalizing on the nude photo scandal. In the world of phishing, the nude photos are the juiciest bait the internet has seen in a while. Cyber criminals are casting their lines.

*Hackers typically fit into one of four groups: state-sponsored organizations, organized crime syndicates, hacktivists and independents. Independents may join loosely affiliated rings where content is shared freely between members. These rings are often “pay to play,” where the potential new user either brings new content for the group or pays an entry fee. ZeroFox dives deeper into how different groups utilize different types of attacks over on “Breaking the law: How legal firms get hacked.”