
Are you a HOT CELEB? Think your SEXY PICS are safe? Maybe NOT

JLaw, Upton snap blurt may be 'tip of iceberg', experts warn


Rather than a single iCloud hack, this week's furore over celebrity nude pics looks more like the work of one or many "secret circles" of hackers whose members mingle on anarchic messageboard 4Chan to share their digital loot from computers and phones they've cracked over a period of years.

The photos were, according to one rumour investigated by The Register, stolen from various cloud backup accounts linked to Apple iPhones, Google Android devices and Windows phones.

To harvest the data, hackers used, among other techniques, brute-force password guessing against iCloud accounts, which Apple confirmed overnight had occurred on a limited basis.

The Register has inquired among Google and Microsoft folk regarding evidence of targeted attacks against celebs using their services.

The Register understands the photos would have remained off the public radar, if it weren't for a dump on 4Chan public forums by a new member who bought his way into a secret circle and tried to cash out by offering the photos for sale.

Before this week's exposure, the celeb pics - dubbed 'wins' by members - were quietly traded inside the group, according to this theory.

This version of events explains why some of the nude celeb images were dated as far back as 2011 and others were taken just last month.

Lending further credence to the theory, the picture cache contained a mix of file formats and data remnants from a variety of software and cyber lockers like Dropbox.

Unsubstantiated chat logs by anonymous 4Chan users which surfaced online also suggest the existence of a secret smut circle.

Determining whether the rumour was fact or fiction may require the final results of FBI investigations.

Penetration tester Nicholas Cubrilovic, who has investigated similar networks of pic-pinchers, has written that there is lots of illicit pic-swapping going on online.

"What we see in the public with these hacking incidents seems to only be scratching the surface. There are entire communities and trading networks where the data that is stolen remains private and is rarely shared with the public," he writes.

"The goal is to steal private media from a target's phone by accessing cloud based backup services that are integrated into iPhone, Android and Windows Phone devices."

Cubrilovic has examined degenerate nude selfie and revenge porn networks and found communities where users would sell out their Facebook friends in a bid to obtain images of specific people that fellow members hold.

He details such operators' methods as follows:

"The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack .... [they] will offer up a Facebook profile link, plus as much information as is required by the hacker to break [that] account, plus possible assistance in getting a RAT installed if required ... the hacker will supply the [newcomer] with a copy of the extracted data which they will also keep for themselves."

"This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data."

Work is sometimes delegated to members whose jobs could involve gaining open source intelligence on targets or hacking into their devices using social engineering trickery or password-guessing.

The organisation Cubrilovic checked out was visible across the public and private webs, with coordination through private instant messaging and email.

Cubrilovic advises users to use separate email addresses to separate their most sensitive data from the rest, adding there was "a reason why drug dealers carry multiple phones."

The Register concurs, and reminds everyone to maintain high entropy, non-cliche passwords and consider either encrypting saucy pics or storing them offline. ®
