#celebgate, or what 4chan has jokingly labelled “The Fappening”, is the second most commented-on event of the month after ShellShock, essentially because the target is a long list of high-profile celebrities and because, considering the circumstances, the hacking offence may very well go unpunished.
In mid-August, the first wave of private photos depicting famous actresses was posted on 4chan, seemingly hacked from their iCloud accounts. At the time, Apple identified a vulnerability that had allowed brute-force attacks on accounts. But that didn’t stop a new batch of private photos and videos of female celebrities from being released in mid-September.
Despite all of the investigations and complaints, and seeing as 4chan, known for its “anonymous” actions, may be behind the attack, it doesn’t look like the hackers responsible for the photos of Scarlett Johansson and other celebrities will be caught any time soon.
The fact is that to a certain extent we’re no longer surprised by cases of stolen credentials. We know that at any time our passwords can be compromised in many different ways:
- Data stolen from service websites: the hacked Sega Pass system in 2011 is just one example, and the bar is raised every day with incidents such as the one at Tripadvisor’s partner Viator.
- Specific malware installed to steal email account credentials. This is how, for example, Russian hackers gained access to millions of Gmail accounts and accounts at Russian email providers.
- Phishing scams that ask you for personal information in the name of apparently legitimate organizations, or that offer lucrative business schemes, sent indiscriminately to your inbox or hidden in adware.
The thing is that today our digital identity is spread across a number of online services (Google, Facebook, LinkedIn, Twitter, iCloud, Drive, Outlook, etc.) where, in most cases, the only security measure is a password, and in most cases we use the same password for a number of these services (not to mention our user accounts for online shopping, forums, etc.). Oh, and let’s not forget our financial services and the services provided by the companies we work for.
We are what we are on the Internet. In the worst-case scenario, our entire reputation hangs on a password: if someone manages to retrieve the password for one of your main accounts, they pretty much have control over the rest.
Security rests on second-factor authentication and on the much-used trusted-third-party model, the one exploited by the now historic PKIs (now back in fashion; you know what they say: “If you wait long enough, it will come back in style”). So mechanisms to secure this key part of our digital lives exist, even though they’re not implemented.
And as with all maladies, prevention is better than studying the symptoms, so what’s keeping us from applying second-factor authentication to our main accounts? Basically, the lack of awareness surrounding security, especially in critical environments. No, Hollywood starlets and their tawdry photos do not constitute critical environments.
The information handled by CEOs, CIOs, CTOs, CISOs and other senior executives does. Not to mention presidents and members of corporate boards of directors, the latter of which often run the greatest risk in their day-to-day online transactions. Whenever we talk about cybersecurity, it is important to understand that awareness must permeate the organization from the top down, creating and setting an example.
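The two mechanisms the post leans on, a limit on password guesses (the weakness Apple closed in mid-August) and a second factor on top of the password, are small enough to show together. The following is an added example, not code from the original post or from S21sec: a per-account lockout guard and a standard TOTP check (RFC 6238, HMAC-SHA1, 30-second periods). The `password_ok` flag stands in for a check against a stored password hash, the account names and the scenario in `demo()` are constructed, and the secret is the RFC 4226/6238 test-vector seed, used so the codes can be checked against the published vectors.

```python
"""Per-account login throttling plus a TOTP second factor (RFC 6238).

Added example, not code from the original post or from S21sec.
Assumptions: the caller has already verified the password against a stored
hash (`password_ok` stands in for that), and each account's TOTP secret is
held server-side.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation to 31 bits, reduced modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, code: str, timestamp: float, window: int = 1) -> bool:
    """Accept the current period and `window` periods either side (clock drift).
    Each comparison is constant-time so the check leaks nothing by timing."""
    counter = int(timestamp // 30)
    for drift in range(-window, window + 1):
        if counter + drift < 0:  # no periods before the epoch
            continue
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


class LoginGuard:
    """Per-account failure counter with a temporary lockout.

    This is the mitigation for an unlimited-guess weakness of the kind the post
    mentions: after `max_failures` failed attempts the account is locked for
    `lockout_seconds`, even for a subsequently correct password and code.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def attempt(self, account: str, password_ok: bool, otp_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'allowed'. A wrong password and a wrong
        one-time code both yield 'denied', so the response does not reveal
        which factor failed."""
        if self._locked_until.get(account, 0) > now:
            return "locked"
        if password_ok and otp_ok:
            self._failures.pop(account, None)
            return "allowed"
        failures = self._failures.get(account, 0) + 1
        if failures >= self.max_failures:
            self._failures.pop(account, None)
            self._locked_until[account] = now + self.lockout_seconds
            return "locked"
        self._failures[account] = failures
        return "denied"


def demo() -> list[str]:
    """Constructed scenario: someone holding the right password (leaked or
    reused, as the post describes) but not the second factor, guessing codes."""
    secret = b"12345678901234567890"  # RFC 4226/6238 test-vector seed, used for the demo
    guard = LoginGuard(max_failures=3, lockout_seconds=60)
    outcomes = []
    for guess, t in [("000000", 0.0), ("123456", 1.0), ("999999", 2.0)]:
        outcomes.append(guard.attempt("victim", True, verify_totp(secret, guess, t), t))
    # The legitimate user, even with a valid code, stays locked out until the window passes.
    for t in (3.0, 70.0):
        code = totp(secret, t)
        outcomes.append(guard.attempt("victim", True, verify_totp(secret, code, t), t))
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['denied', 'denied', 'locked', 'locked', 'allowed']
```

The guard counts failures per account rather than per source address, because a guessing campaign spread across many addresses would otherwise never trip it; the price is that the lockout also blocks the real user, which is why the window is bounded rather than permanent. The TOTP check returns the same "denied" whether the password or the code was wrong, so a stolen or reused password on its own gives no confirmation that it was correct.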