Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

JLaw, Upton snap blurt may be 'tip of iceberg', experts warn

Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years.

The photos were, according to one rumour investigated by The Register, stolen from various cloud backup accounts linked to Apple iPhones, Google Android devices and Windows phones.

To harvest the data, hackers used brute-force password guessing against iCloud accounts, which Apple overnight confirmed had occurred on a limited basis, among other techniques.

The Register has inquired among Google and Microsoft folk regarding evidence of targeted attacks against celebs using their services.

The Register understands the photos would have remained off the public radar, if it weren't for a dump on 4Chan public forums by a new member who bought his way into a secret circle and tried to cash out by offering the photos for sale.

Before this week's exposure, the celeb pics - dubbed 'wins' by members - were quietly traded inside the group, according to this theory.

This version of events explains why some of the nude celeb images were dated as far back as 2011 and others were taken just last month.

Lending further credence to the theory was that a mix of file formats and data remnants from a variety of software and cyber lockers like Dropbox were contained in the picture cache.

Unsubstantiated chat logs by anonymous 4Chan users which surfaced online also suggest the existence of a secret smut circle.

Determining whether the rumour was fact or fiction may require the final results of FBI investigations.

Penetration tester Nicholas Cubrilovic, who has investigated similar networks of pic-pinchers, has written that there is lots of illicit pic-swapping going on online.

"What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," he writes.

"The goal is to steal private media from a target's phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices."

Cubrilovic has examined degenerate nude selfie and revenge porn networks and found communities where users would sell out their Facebook friends in a bid to obtain images on specific people that fellow members hold.

He details such operators' methods as follows:

"The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack .... [they] will offer up a Facebook profile link, plus as much information as is required by the hacker to break [that] account, plus possible assistance in getting a RAT installed if required ... the hacker will supply the [newcomer] with a copy of the extracted data which they will also keep for themselves."

"This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data."

Work is sometimes delegated to members whose jobs could involve gaining open source intelligence on targets or hacking into their devices using social engineering trickery or password-guessing.

The organisation Cubrilovic checked out was visible across the public and private webs, with coordination through private instant messaging and email.

Cubrilovic advises users to use separate email addresses to separate their most sensitive data from the rest, adding there was "a reason why drug dealers carry multiple phones."

The Register concurs, and reminds everyone to maintain high entropy, non-cliche passwords and consider either encrypting saucy pics or storing them offline. ®
