
Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

JLaw, Upton snap blurt may be 'tip of iceberg', experts warn


Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years.

The photos were, according to one rumour investigated by The Register, stolen from various cloud backup accounts linked to Apple iPhones, Google Android devices and Windows phones.

To harvest the data, hackers used, among other techniques, brute-force password guessing against iCloud accounts, which Apple overnight confirmed had occurred on a limited basis.

The Register has inquired among Google and Microsoft folk regarding evidence of targeted attacks against celebs using their services.

The Register understands the photos would have remained off the public radar, if it weren't for a dump on 4Chan public forums by a new member who bought his way into a secret circle and tried to cash out by offering the photos for sale.

Before this week's exposure, the celeb pics - dubbed 'wins' by members - were quietly traded inside the group, according to this theory.

This version of events explains why some of the nude celeb images were dated as far back as 2011 and others were taken just last month.

Lending further credence to the theory, the picture cache contained a mix of file formats and data remnants from a variety of software and cyber lockers like Dropbox.

Unsubstantiated chat logs by anonymous 4Chan users which surfaced online also suggest the existence of a secret smut circle.

Determining whether the rumour was fact or fiction may require the final results of FBI investigations.

Penetration tester Nicholas Cubrilovic, who has investigated similar networks of pic-pinchers, has written that there is lots of illicit pic-swapping going on online.

"What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," he writes.

"The goal is to steal private media from a target's phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices."

Cubrilovic has examined degenerate nude selfie and revenge porn networks and found communities where users would sell out their Facebook friends in a bid to obtain images on specific people that fellow members hold.

He details such operators' methods as follows:

"The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack .... [they] will offer up a Facebook profile link, plus as much information as is required by the hacker to break [that] account, plus possible assistance in getting a RAT installed if required ... the hacker will supply the [newcomer] with a copy of the extracted data which they will also keep for themselves."

"This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data."

Work is sometimes delegated to members whose jobs could involve gaining open source intelligence on targets or hacking into their devices using social engineering trickery or password-guessing.

The organisation Cubrilovic checked out was visible across the public and private webs, with coordination through private instant messaging and email.

Cubrilovic advises users to use separate email addresses to separate their most sensitive data from the rest, adding there was "a reason why drug dealers carry multiple phones."

The Register concurs, and reminds everyone to maintain high-entropy, non-cliché passwords and consider either encrypting saucy pics or storing them offline. ®
