Commentary (The RAND Blog)

September 8, 2014

Hackerazzi: How Naked Celebrities Might Make the Cloud Safer

Oscar-winning actress Jennifer Lawrence has contacted authorities to investigate who stole and posted nude images of her online, part of a reported mass hacking of celebrities' intimate photos

Photo by Adrees Latif/Reuters

by Lillian Ablon

Hackerazzis have been around for the better part of the last decade, stealing nude or otherwise private photos of celebrities and circulating them on the Internet for fun and profit. So the news of the theft of yet more intimate pictures of dozens of famous personalities is no surprise. But what is new is where this latest batch of hacked photos resided and the underlying questions about cloud security posed by this hack attack.

The episode highlights the fact that online security is more important than ever, especially when using the cloud as the go-to repository for personal data. Despite data breach after data breach that lays bare the personal information of millions of people, leading to only incremental changes by the hacked company, it seems it only takes a handful of celebrity nude selfies to bring issues like cloud security and multi-factor authentication to the fore, causing immediate changes. But if a few celebrities were embarrassed to have the world ogling their natural selves, that might not be too high a price to pay to awaken consumers and the industry to the critical need to take cloud privacy, password creation, and user authentication seriously.

We all have digital exhaust; celebrities have more

Attackers were not necessarily able to access the accounts of celebrities because of some underlying flaw or zero-day vulnerability in the code, but rather because they could take advantage of the reliable weakness of human beings. Consumers often forget how much technology relies on usernames and passwords in securing private moments and personal data.

Gaining access to accounts of celebs via password cracking is potentially easier than it would be for the more humdrum masses. Celebrities are public figures with wiki pages, online profiles, and plenty of press interviews under their belts. The chances are high that they've talked about their pets' names. Their mothers' maiden names are likely public information. In other words, they've got a lot more digital exhaust swirling around the web than does the average consumer, all that exhaust revealing personal information that can be used to access accounts.

Securing online assets is a challenge for celebrities, but all cloud users should be putting more creative energy into crafting passwords and passphrases that even the smartest cracking software will never guess.

Ah, the nebulous cloud

Apple's iCloud is the main storage service in question in the current case, although the attack easily applies to other cloud services (e.g. Dropbox, Google Drive, etc.). A big point of concern was that Apple had not enabled two-factor authentication for iCloud backups or photo streams. Two-factor authentication means that a user must authenticate herself in two distinct steps: she would, for example, use both a password and a one-time code sent to her cell phone. In this case, two-factor authentication could have helped against a brute force password guessing attack, as the victim would have been notified of attempted access to her account by receiving multiple text messages containing access codes. Apple thankfully took note, and has announced that it plans to include two-factor authentication for iCloud.

But whether or not data is kept in the cloud, the main vulnerability stems from using weak passwords and authentication mechanisms. The cloud simply gave attackers more bang for their buck, with all the salacious data located in one centralized location. That said, securing the cloud, in theory, should be straightforward. Defenders only need to secure that one location using all available resources.

Are these photos worth anything?

It boils down to demand.

Most cyber black markets focus on fungible goods like credit card information or other financial data, or private information like usernames, passwords, Social Security numbers or health records. While there is fluctuation, the prices are pretty consistent for this kind of data because demand is relatively consistent.

Stolen celebrity photos fit into the category of non-fungible goods, like intellectual property. The price and value can vary drastically, depending on demand. The goods are worth a lot if buyers are lined up, or worth almost nothing if no one wants them.

This latest batch of naked celebrity pictures was released at no charge. The leakers asked for future support and for bitcoin donations to continue operations. Unfortunately for these hackerazzi, the free rider problem is alive and well on the Internet – and the photos are floating around the dark recesses for anyone to see for free, much to the original leaker's chagrin.

So was this good or bad?

Well, the harm was limited compared to other online security breaches and it is good to have a broader awareness of computer security and the implications of lack of security. In addition to adding two-factor authentication for iCloud, the episode caused Apple to fix another flaw/weakness that made their iCloud service vulnerable to software that keeps guessing possible passwords until it hits the right one.
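The two defences the post describes, throttling software that keeps guessing passwords (the weakness Apple fixed) and requiring a one-time code as a second factor so that a guessed password alone is not enough, are shown together in the following Python example. It is added here and is not code from the post, from Apple or from RAND; the account name, the limits (five attempts, a fifteen-minute lockout), the fixed salt and the RFC 6238 test secret are constructed for the example, and the notifications list stands in for the text messages a real service would send.

```python
"""Added example, not from the original post: a minimal login service that
throttles repeated password guesses and requires a TOTP second factor.
All names, limits and credentials below are constructed for illustration."""
import base64
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5        # assumed: lock the account after this many failures
LOCKOUT_SECONDS = 15 * 60      # assumed lockout window
TOTP_STEP = 30                 # RFC 6238 default time step, in seconds


def hash_password(password: str, salt: bytes = None):
    """Salted PBKDF2-SHA256; a guessed password must be hashed before comparison."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def totp(secret: bytes, at: float, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HOTP over the current time step)."""
    counter = int(at // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class LoginService:
    accounts: dict
    notifications: list = field(default_factory=list)  # stands in for SMS/e-mail alerts

    def login(self, user: str, password: str, code: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"      # same answer as a wrong password: don't reveal which accounts exist
        if now < acct.locked_until:
            return "locked"      # throttling: a guessing tool gets no further answers
        _, candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(candidate, acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.notifications.append(
                    f"{user}: account locked after {acct.failed_attempts} failed password attempts")
                return "locked"
            return "denied"
        # Password correct: now the second factor. The owner is told a code was
        # requested, which is the signal the post says a victim would have received.
        self.notifications.append(f"{user}: one-time code requested")
        if not hmac.compare_digest(code, totp(acct.totp_secret, now)):
            acct.failed_attempts += 1
            return "denied"
        acct.failed_attempts = 0
        return "ok"


def demo_brute_force(now: float = 1_700_000_000.0):
    """Constructed scenario: five password guesses, then the real owner logs in."""
    user = "celeb@example.com"                       # constructed account name
    salt, pw_hash = hash_password("correct horse battery staple", b"fixedsalt_16byte")
    secret = b"12345678901234567890"                 # RFC 6238 test secret, not a real credential
    svc = LoginService({user: Account(salt, pw_hash, secret)})
    guesses = [svc.login(user, g, "000000", now)
               for g in ["fluffy", "fluffy1", "Fluffy!", "password", "maiden"]]
    # The lockout applies to everyone, including the owner, until the window expires.
    owner_while_locked = svc.login(user, "correct horse battery staple", totp(secret, now), now)
    later = now + LOCKOUT_SECONDS + 1
    owner_after = svc.login(user, "correct horse battery staple", totp(secret, later), later)
    return guesses, owner_while_locked, owner_after, svc.notifications


if __name__ == "__main__":
    for item in demo_brute_force():
        print(item)
```

The lockout here is deliberately blunt: a real service would also alert the owner when the lock triggers, offer a recovery path, and rate-limit by source address as well as by account, since a guessing tool that hits many accounts once each never trips a per-account counter.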

Who knows, the attention might even prompt fixes to other security gaps like weak operating systems, critical infrastructure, or other data breaches.

And it might make consumers think more seriously about ways to better secure their cloud-stored content with encryption, multi-factor authentication, and thoughtfully devised user names and robust passphrases. In fact, they might think twice about the content they store in the cloud in the first place.


Lillian Ablon is a researcher at the RAND Corporation.

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.