Topless selfie via Wikimedia commons (NSFW)
Over the weekend, Emma Watson got in trouble with the uglier parts of the internet when she spoke at the UN about women's rights. Having commited the crime of being an outspoken women's rights advocate, people now claim to have nude selfies of Watson, which they are prepared to leak—out of vengeance, I guess? It could be a hoax, but on the other hand, there was another such leak a couple days ago, which makes the threat plausible.
Although there are still crotchety columnists blaming singers and movie stars for having nude selfies on their phones in the first place, most of the media noise this time around has a very bored air about it. Maybe the voracious appetites of the crotch-pounders on Reddit and 4chan have given the media grainy-boob-shot fatigue. After all, stealing the dark, badly framed snapshots people take in haste to communicate "I'm horny" to their significant others isn't exactly like stealing their polished boudoir pictures. In fact, it's a step above stealing their chest X-rays and jerking off to the nipple outlines.
In other words, this politically-motivated threat against Emma Watson is like the work of the most ineffectual, small-potatoes terrororist group in the world. But if former hacker and leading internet security blogger Nik Cubrilovic is correct, perhaps the only thing less impressive than the photos themselves is the process we're generously referring to as "hacking."
I talked to Cubrilovic about how these photos get stolen. At first I thought we would be discussing who's to blame when these diabolical photo leaks occur, but during our conversation I learned more than I ever thought I would about cloud storage. While it may have been old-school, penetrating-the-firewall-to-access-the-mainframe hacking, it's very possible that these photo thieves accomplish their heists simply by researching celebrities online for hours at a time, and then telling a bunch of lies to get what they're after—more or less the skillset of Hannah Horvath from Girls.
Authorized selfie of Nik Cubrilovic, courtesy of Nik Cubrilovic
VICE: Hi Nik! Who's to blame for all the nude photo leaks?
Nik Cubrilovic: When you try to convey a story to the general public, they often perceive an issue to be very binary: good guy, bad guy. And this is a case where, outside of the actual hackers who broke into the accounts, the blame—and even “blame” is probably a strong word—but the responsibility can be distributed quite broadly.
Is it right to blame Apple?
Does Apple have a responsibility to secure their data? They do. Because the users are putting trust in them.
But what makes Apple less secure?
The best way to explain their culpability (for lack of a better word), is to think about it in this perspective: there are three major mobile crowd providers—everyone belongs to one of these three ecosystems: you’ve got Apple, which is available on the iPhone, you’ve got Google’s cloud services, which are available on Android devices, then you have the Microsoft cloud services which are available on Nokia and other devices. Of those three, Apple is the only company that still has security questions.
So, they’re doing something different, and it just happens that in this case, one of those things that they’re doing different than the other two major providers, was used to break into these accounts.
You’re anti-security question?
Oh yeah[…]. Security questions are a huge flaw. Google got rid of them four years ago or so. Microsoft abandoned them completely about three years ago. So, the core of this issue—if you want to summarize—is the ability to reset a user's password by simply providing their date of birth and then two security questions.
Those security questions have been making me feel safe. What's wrong with them?
When you hit reset, it will show you two of the three questions from when you signed up, and if you get them right, it lets you into the account. […] The security question scheme is something that used to be used offline in banks and places like that in the 1960s and 1970s to prove your identity. It was adopted online in the 1990s, but companies quickly realized that it was very easy to bypass because on the web today, everybody is just sharing that information. It’s a lot easier to find. It’s a lot easier to go on to Facebook and find out some of these things like date of birth. It’s a lot easier to find what high school they went to, their pet's name, what type of car they drive. And for celebrities it’s even easier to find, because a lot of that information is either on Wikipedia, or on one of the gossip websites.
If I could figure out what Jennifer Lawrence would enter for “favorite city,” and “favorite sports team,” plus I knew her date of birth, then I could get in?
That’s right, yeah. And somebody did do that.
How do you know that's all it took?
It’s not confirmed 100 percent. [However], I knew where these guys hung out. I knew the forums they frequented, and I knew that they were all a part of this sort of subculture of hacking into online backups and stealing pornographic pictures, "revenge porn" or whatever you wanna call it. So [I've been] hanging out in those forums, and speaking to some of those members there. If you read some of their tutorials of how to hack an account—and this is actually the forum where these pictures came from—the number one tutorial is explaining how to answer the security questions.
It's a forum for exchanging tips?
I’ll give you a glimpse of what it looks like on the forum: You’d have somebody post a picture of a car, and it would be like, a maroon Mercedes, mid-1990s model, parked on a beach. Just a car completely in the middle of nowhere, and the question next to it would be, “What type of car is this?” I kept seeing those. There was a picture of a car interior, and some guy was asking what type of car that was. I couldn’t figure out why they were asking that. And it only occurred to me later that one of the security questions on iCloud is “what type of car do you drive?”
So [here's] what these guys were doing: Looking at the public photos of the people they were attempting to hack, and trying to find photos of their cars. Then, when they couldn’t identify them themselves, they were posting those pictures to these forums to get other people to help them out.
They're crowdsourcing their hacking, in a sense?
Yeah. And the penny dropped for me when somebody answered, “Sometimes the girls give their cars a nickname.” The entire forum—90 percent of it—is centered around, first of all, teaching people this method, and then second, helping people—crowdsourcing the answers to the questions. So teaching people techniques like how to stalk somebody online.
To answer some of these questions, you really gotta know your target intimately. You have to spend a lot of time absorbing as much information as you can about them. Then you go back and try and answer their questions. If you go into an Apple account you’ll see there are ten or twelve questions that users can choose from. But all of them, with enough persistence, an attacker can find the answers to.
What about the challenge of finding a person's main email address to begin with?
The way they do it is by paying to access the online people databases such as intelious.com, and there are a couple other providers where you can go in and plug in somebody's name. You pay anywhere from $2 to $60 and you get to get all their public records. So if you know someone’s full, Christian name and where they’re born, you can go and apply for their public database records.
Is there a different method if they're famous?
The second method is social engineering, where you get in touch with an agent or something like that, pretending to be somebody else, and you try and fish out an email address that way. And the third way is that once you’ve hacked one celebrity, you extract their address book, and then you’ve got contacts for a whole lot of other celebrities. That’s what happened in this case. One celebrity getting hacked led to that celebrity having other celebrities in their address book, which then led to the other celebrities.
Should people think of themselves as security vulnerabilities for all of the people they know?
We talk about it being sort of the “weakest link” in the chain. With social networks and address books now, a weak link is often easy to find. An attacker only needs to find one weak link somewhere whereas the [victim] is sort of playing defense. You have to protect and secure everything which involves clues and, everybody that you’ve ever been in contact with, because most modern email clients now will automatically add anybody you’ve emailed into your address book automatically.
I'll have to be more careful then. Thanks Nik!
Follow Mike Pearl on Twitter