Thursday, September 18, 2014


Hass & Associates Online Reviews: The Naked Truth About Internet Security

At ProgrammableWeb's API conference next week in London (Sept 24-26), my keynote session will identify patterns in some of the recent cybersecurity transgressions, what could have been done to stop them, and why Internet security is currently a trainwreck.

It Will Fappen To You. It's Only a Matter of Time.

It was apparently a wake-up call for the general public when, in what is now being called the "Fappening," headlines revealed that hackers were able to publish nude photos belonging to celebrities like Jennifer Lawrence that were thought to be both private and secure in Apple's iCloud. Though Lawrence very bravely acknowledged that the photos were indeed of her and not Photoshopped fabrications, make no mistake about it: for her and the other impacted celebrities, it was the ultimate digital violation of their privacy.

For Apple, which was on the verge of announcing Apple Pay -- a means by which iPhone 6 users would be able to make NFC-based contactless payments at supporting merchants -- the timing could not have been worse. When it comes to handling personal payments, nothing matters more than trust. Just ask Home Depot and Goodwill, two big national brands suffering an erosion of trust after hackers gained access to the credit card data of hundreds of thousands of their customers.

Likewise, thanks to the revelation that the so-called hackers gained unauthorized access to celebrity iCloud accounts, Apple's trust took a hit. But, in the scheme of things for Apple, it's really more like a flesh wound. Compared to other vendors of personal technology, Apple has enjoyed a relatively stellar track record when it comes to security. Meanwhile, fearful that it could happen to them, iCloud users everywhere scrambled to change their passwords, remove any sensitive content from their iCloud accounts, and reconfigure their iOS devices so as not to automatically upload newly taken photographs and video to Apple's iCloud.

But for many of us who are closer to the nuances of Internet and digital security, this was not a wake-up call. This was just another successful hack in a long line of transgressions that collectively point to (1) the lengths to which hackers with nefarious intent will go to achieve their objectives, (2) the fundamental problems with the way the Internet is secured, and (3) how APIs are increasing the Internet's vulnerable surface area and what API providers must do about it. After all, while Apple will very likely regain the trust of most of its customers, a transgression of this nature could mean death for a smaller brand. The stakes are not to be underestimated.

While Apple has, in its press release regarding the incident, admitted that celebrity iCloud accounts were victimized by a targeted attack, it has also said that the attack was not the result of a breach in the security of its systems and infrastructure. The meaning of "breach," like "beauty," is in the eye of the beholder. Apple, for its part, has not disclosed the exact details of the transgression (transparency is still a major problem in our industry), so much of what is public at this point still falls into the journalistic bucket of speculation. Nevertheless, if true, the currently prevailing non-Apple account of the celebrity iCloud incident offers some very visceral clues as to the lengths that hackers will go to achieve their objectives.

Not So Fast Sonny!

Allegedly, at the heart of the incident was a missing safeguard (called a rate limiter) that would have prevented the hackers from employing a "brute force attack," whereby password after password is tried against a given iCloud account until one finally works. By now, most Internet users have bumped into a rate limiter. After several incorrect user ID and password attempts, a Web site starts to treat you with suspicion. Some sites, like Google's Gmail, will start by using technologies like CAPTCHA to make you prove that you're human and not a computer automating repeated attempts in rapid succession. Other sites will disable your account for some period of time, like 10 minutes or an hour, after which you can come back for another limited round of attempts. Still other sites, particularly financial institutions, will lock the account until a human makes personal contact with a customer service representative.

In Apple's case, part of the issue has to do with how users typically have only one user ID (an "Apple ID") and password, a form of single sign-on (SSO), for accessing the entire constellation of Apple's online services. From iTunes to iCloud, the keys to the kingdom involve one set of credentials. As far as we know, wherever these credentials can be supplied, Apple had rate limiting in place, with (allegedly) at least one exception: the point where the credentials must be supplied in order to interface with the API for Apple's Find My iPhone service. Going back to Apple's press release, and depending on your interpretation of the word "breach," exploiting such a vulnerability may not technically constitute a breach. If, for example, the lack of rate limiting on the Find My iPhone API was a deliberate choice by Apple's engineers, then the hackers simply took advantage of Apple's design decision.

With no rate limiting on that one entry point into the kingdom, the hackers only needed to create a bit of software with no other purpose than to try as many Apple ID/password combinations as necessary through that entry point. Not only did they create that software; they called it iBrute and published its source code so that other hackers could try it out or, even worse, improve it. With no safeguard in place, it was only a matter of time before several keys to the kingdom, each for a different Apple account (one of which was Jennifer Lawrence's), would be discovered.

Once hackers discover a vulnerability like this one, it's a race against the clock. Sooner or later, if a company like Apple has its security act together, it will discover such vulnerabilities on its own and close them off. So, with the clock ticking, what's a hacker to do? What else but try the most commonly used passwords first? For this, the hackers allegedly turned to what's commonly referred to as the RockYou database: a publicly available list of over 14 million unique passwords from the user accounts of the RockYou social gaming service, revealed when that service was hacked back in 2009.

If there was ever a time to say "we're only human," this is it. One of the not-so-dirty little secrets of digital security is that "password" and "123456" are the two most common passwords; there's even a well-known list of the top 25. With the passwords of millions of real accounts in hand (a very projectable sample of humans), coming up with a reasonably accurate list of the top 500 or 1,000 passwords that people use isn't difficult either, and the hackers apparently did this too. By now, if you've read this far, you're asking: "What about the celebrities' email addresses (which is what Apple uses for Apple IDs)? How were they discovered?" My answer: even if only for a moment in time, this information is relatively discoverable, especially for celebrities.
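To make the mechanics of the last few paragraphs concrete, here is an added example (not from the article, and not iBrute's code) of a password-guessing loop run against a toy login service, once with no limit on attempts and once behind a per-account lockout of the kind the article describes. The users, passwords and the "common password" list are constructed for the demo; the list stands in for a top-N list derived from a leak such as RockYou.

```python
"""Added example, not from the article and not iBrute's code: a password-guessing
loop run against a toy login service, first with no limit on attempts and then
with a per-account lockout. All users, passwords and the "common password"
list are constructed for this demo; the list stands in for a top-N list
derived from a leak such as RockYou."""
import hashlib
import hmac
import os
import time

# Constructed stand-in for a "top N most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                    "monkey", "1234567", "letmein", "trustno1", "dragon"]


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so that a leaked store is slow to crack offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LoginService:
    """Toy credential check. max_failures=None means no lockout at all, the
    condition the article attributes to the Find My iPhone API endpoint."""

    def __init__(self, max_failures=None, lockout_seconds=600, clock=time.monotonic):
        self.users = {}          # user -> (salt, digest)
        self.failures = {}       # user -> consecutive failed attempts
        self.locked_until = {}   # user -> clock value at which the lock expires
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad' or 'locked'. A locked account rejects even the
        correct password until the lock expires."""
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"
        salt, digest = self.users.get(user, (b"", b""))
        if digest and hmac.compare_digest(_hash(password, salt), digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.max_failures is not None and self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return "bad"


def brute_force(service: LoginService, user: str, wordlist):
    """Try each candidate in order, the way a tool like iBrute would.
    Returns (password_found_or_None, attempts_made, was_locked_out)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = service.login(user, candidate)
        if result == "ok":
            return candidate, attempts, False
        if result == "locked":
            return None, attempts, True
    return None, attempts, False


if __name__ == "__main__":
    # Endpoint with no rate limiting: the weak password falls on the 8th guess.
    open_api = LoginService()
    open_api.register("celeb@example.com", "letmein")
    print(brute_force(open_api, "celeb@example.com", COMMON_PASSWORDS))

    # Same account behind a 5-strikes lockout: the loop is stopped on guess 6.
    limited_api = LoginService(max_failures=5)
    limited_api.register("celeb@example.com", "letmein")
    print(brute_force(limited_api, "celeb@example.com", COMMON_PASSWORDS))
```

A per-account lockout on its own is not the whole answer: it lets an attacker lock victims out of their own accounts by spraying bad guesses, and it does nothing against the reverse attack of trying one common password across many accounts. In practice it is paired with per-source limits (IP or client) and a CAPTCHA step, and the lockout is applied uniformly to every endpoint that accepts the credential, which is exactly the property the Find My iPhone API allegedly lacked.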

There's no telling how long the hackers used iBrute to dig for the passwords of targeted Apple IDs. But once they had them, it would have been a mountain of work to log in to each celebrity's iCloud account and pore through all of the photos looking for anything sensitive. With the clock still ticking, they would need something that offloaded the photos to local storage before any of those IDs and passwords changed. For that, the hackers allegedly turned to the same software that law enforcement agencies use to download photos in bulk: a product called Elcomsoft Phone Password Breaker (EPPB), which Wired described as the "Police Tool That Pervs Use to Steal Nude Pics From Apple's iCloud." According to Wired, "EPPB lets anyone impersonate a victim's iPhone and download its full backup rather than the more limited data accessible on..." Once the hackers had all of the images on their own hard drives, there was nothing standing between them and a very embarrassing event for both the celebrities and Apple.

Circumstantial Evidence

Again, it's important to note that Apple has neither confirmed the majority of these details nor disclosed a technical account of the matter that refutes them. Since the attack, Apple has apparently applied rate limiting to the Find My iPhone API entry point. An article published on Sept 1, 2014 reported how various developers, using their own Apple accounts, confirmed iBrute's ability to run a brute-force attack through the Find My iPhone API. According to the report, Apple introduced rate limiting at 3:20am PT that day, effectively neutralizing iBrute's method of attack. In an interview with the Wall Street Journal, the company's CEO Tim Cook suggested that "celebrities' iCloud accounts were compromised when hackers correctly answered security questions to obtain their passwords, or when they were victimized by a phishing scam to obtain user IDs and passwords." The WSJ article went on to say that "Apple will broaden its use of an enhanced security system known as two-factor authentication" and also said that Cook claimed that "none of the Apple IDs and passwords leaked from the company's servers."

In its press release, Apple implored users to activate the optional two-factor authentication that it offers to account holders. More specifically, the release said, "To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification." As Apple's own how-to explains, two-step verification (a consumer-friendly name for "two-factor authentication," or 2FA) prevents everyone but the person in possession of a pre-specified trusted device (the so-called second factor: a phone, an iPad, etc.) from logging into a 2FA-secured account.

But Apple's 2FA advice is problematic for two reasons. First, since API-based interactions are automated interactions that often involve two machines talking to one another, API-based authentication is rarely secured with a second factor. If any forward-looking good comes of the so-called Fappening, perhaps it will be a conversation among API economy stakeholders as to how exactly and when to secure API-based interactions with two-factor authentication.

Second, as noted in an article published by TechCrunch about the Fappening (see Apple’s Two Factor Authentication Doesn’t Protect iCloud Backups Or Photo Streams), several security researchers have long noted how Apple's 2FA scheme doesn't cover all entry points into the Apple kingdom.

In May 2013, Ars Technica published an article (see iCloud users take note: Apple two-step protection won’t protect your data) referring to research done by the developers of EPPB that said "In its current implementation, Apple’s two-factor authentication does not prevent anyone from restoring an iOS backup onto a new (not trusted) device...In addition, and this is much more of an issue, Apple’s implementation does not apply to iCloud backups, allowing anyone and everyone knowing the user’s Apple ID and password to download and access information stored in the iCloud. This is easy to verify; simply log in to your iCloud account, and you’ll have full information to everything stored there without being requested any additional logon information."
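The gap the researchers describe, a second factor that guards the interactive login but not the backup-download path, is a policy-coverage problem, and it can be made concrete in code. The following is an added example, not Apple's code and not a description of Apple's actual scheme: it uses TOTP (RFC 6238) as a generic stand-in for "the trusted device," puts every entry point behind one authentication gate, and contrasts a policy that exempts the backup endpoint with one that does not. The users, passwords, secrets and entry-point names are constructed for the demo.

```python
"""Added example, not Apple's code: a second factor that is enforced at every
entry point rather than only at the interactive login. TOTP (RFC 6238) is
used here as a generic stand-in for "the trusted device"; Apple's actual
two-step verification works differently. Users, passwords, secrets and the
entry-point names are constructed for the demo."""
import hashlib
import hmac
import struct
import time

ENTRY_POINTS = ("web_login", "device_restore", "backup_download")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), the primitive under TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: float = None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current 30-second step, plus or minus `window`
    steps to tolerate clock drift between server and device."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class Gateway:
    """Single authentication gate shared by all entry points. `policy` says,
    per entry point, whether the second factor is required."""

    def __init__(self, policy: dict):
        assert set(policy) == set(ENTRY_POINTS), "every entry point needs a policy"
        self.policy = policy
        self.accounts = {}   # user -> (password digest, totp secret)

    def add_account(self, user: str, password: str, totp_secret: bytes) -> None:
        # Unsalted digest for brevity; use a salted, iterated hash in real code.
        self.accounts[user] = (hashlib.sha256(password.encode()).digest(), totp_secret)

    def authenticate(self, entry_point: str, user: str, password: str,
                     code: str = None, at: float = None) -> str:
        """Returns 'denied', 'second_factor_required' or 'granted'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"
        pw_digest, secret = acct
        if not hmac.compare_digest(hashlib.sha256(password.encode()).digest(), pw_digest):
            return "denied"
        if self.policy[entry_point]:
            if code is None or not verify_totp(secret, code, at=at):
                return "second_factor_required"
        return "granted"


# The gap the researchers described: only the interactive login asks for the
# second factor, so a password alone is enough to pull a full backup.
GAP_POLICY = {"web_login": True, "device_restore": False, "backup_download": False}

# The fix: the same gate, with the second factor required at every entry point.
FULL_POLICY = {ep: True for ep in ENTRY_POINTS}
```

For the machine-to-machine case raised earlier (an API client cannot type a code on every call), the usual answer is to require the second factor once, when the client is enrolled, and hand it a scoped, revocable token or app-specific password for subsequent calls; the point the gate makes is that a bare password is never enough at the backup endpoint, whatever the caller is.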

Circling back to Apple CEO Cook's references to phishing attacks, the company has yet to offer evidence that such attacks took place in advance of the Fappening nor has evidence of such an attack gone viral on any of the social networks (which most likely would have happened). Phishing is a technique whereby hackers with nefarious intent use email to lure unsuspecting users to enter their user IDs and passwords into Web pages that look official, but that are actually impostors. These emails are a form of social engineering that often preys on current events. After news of the celebrity photos struck fear into millions of Apple's customers, it didn't take long for phishers to strike. The email pictured below, received by my wife on Sept 2, 2014, states that "your Apple/iCloud Account has been momentarily restricted until you can validate your Apple and iCloud information." However, when I moused-over the links in the email and inspected the sender's address, my browser revealed that they pointed to a domain other than Apple's; a domain where my wife's Apple credentials would most certainly have ended up in the wrong hands, had she entered them.
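The two checks the author performed by hand on that email, hovering over the links and inspecting the sender, are the kind of thing a mail filter can do automatically. Here is an added example (not from the article) that extracts every link from an HTML message, flags targets outside an assumed allow-list of domains or whose visible text names a different domain than the real target, and checks the sender's domain the same way. The sample message and its domains are constructed for the demo; the allow-list is an assumption.

```python
"""Added example, not from the article: the mouse-over and sender checks the
author did by hand, written as code. The sample message is constructed for
the demo and its domains are made up; TRUSTED_DOMAINS is an assumed allow-list."""
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("apple.com", "icloud.com")   # assumed allow-list for this demo

# Constructed lure echoing the wording the article quotes. The first link's
# visible text says apple.com while its real target is a look-alike host.
SAMPLE_FROM = "Apple Support <support@apple-icloud-verify.example>"
SAMPLE_HTML = """<html><body>
<p>Your Apple/iCloud Account has been momentarily restricted until you can
validate your Apple and iCloud information.</p>
<p><a href="http://appleid.apple.com.verify-login.example/validate">https://appleid.apple.com/</a></p>
<p><a href="https://www.apple.com/privacy/">Apple Privacy Policy</a></p>
</body></html>"""

_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it. Matching on a whole
    label keeps 'apple.com.evil.example' from passing as apple.com."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_is_trusted(from_header: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Checks the domain of the address in a From: header (display name ignored)."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return bool(domain) and any(host_under(domain, d) for d in trusted)


def suspicious_links(html: str, trusted=TRUSTED_DOMAINS):
    """Returns (href, visible_text, reason) for each link that leaves the trusted
    domains, or whose visible text names a different domain than its target."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme not in ("http", "https") or not host:
            findings.append((href, text, "not an http(s) link with a host"))
            continue
        if not any(host_under(host, d) for d in trusted):
            findings.append((href, text, f"target host {host} is outside the trusted domains"))
            continue
        m = _DOMAIN_IN_TEXT.search(text.lower())
        if m and not host_under(host, m.group(1)):
            findings.append((href, text, f"text names {m.group(1)} but link goes to {host}"))
    return findings


if __name__ == "__main__":
    print("sender trusted:", sender_is_trusted(SAMPLE_FROM))
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding)
```

The sender check only looks at the header address, which is trivially forged; it catches the lazy case the author saw, not a spoofed From:, so in a real filter it belongs alongside SPF/DKIM results. The link check is the more robust of the two because the attacker has to put the real destination in the href for the lure to work.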