Arraya Insights | September 5, 2014
While the rest of us were at the beach or enjoying a picnic over the long holiday weekend, a band of unsavory hackers was hard at work flooding the Internet with a wealth of stolen data.
On Sunday, a massive collection of personal photos alleged to have been swiped from the iCloud accounts of a wide range of celebrities including Jennifer Lawrence and Kate Upton appeared online.
How exactly did hackers manage to get their hands on these images? Well, as of now you’d have better luck trying to get a consensus about what the real purpose of Area 51 is. The web is bursting with theories about how the attack went down, but so far little has been confirmed.
Some of the more popular theories include:
- Log-in credential phishing scams
- Guessing password reset questions based on publicly available info, and
- Nabbing celebrities’ iCloud passwords and usernames by breaking into a public WiFi system at the Emmy Awards.
Initially, everyone lined up behind reports that hackers used a “brute force attack” to exploit a vulnerability in Apple’s Find My iPhone app. This tactic involves using a tool to guess random passwords over and over until hitting on the right one. Until a patch was quietly issued on Monday morning, Find My iPhone was susceptible to this as it didn’t lock out users after a predetermined number of failed log-in attempts.
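The safeguard that was reported missing, locking an account after a set number of failed log-ins, can be sketched as follows. This is an added example, not code from Apple or from the original article; the thresholds, class name and sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold: failures allowed inside the window
WINDOW_SECONDS = 300   # assumed sliding window for counting failures
LOCKOUT_SECONDS = 900  # assumed lockout duration once the threshold is hit

class LoginThrottle:
    """Hypothetical per-account lockout; counts by account, not by source IP."""
    def __init__(self):
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> time the lock expires

    def record(self, account, success, now):
        """Process one log-in attempt; return 'locked', 'ok' or 'failed'."""
        if self.locked_until.get(account, 0) > now:
            return "locked"  # refused even if the password is correct
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the window
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"

def replay(events):
    """Run (time, account, source_ip, password_correct) events in order."""
    throttle = LoginThrottle()
    return [throttle.record(acct, ok, ts) for ts, acct, _ip, ok in events]

# Constructed sample events: guesses against one account from changing IPs.
SAMPLE_EVENTS = [
    (0, "alice", "198.51.100.7", False),
    (10, "alice", "198.51.100.8", False),
    (20, "alice", "198.51.100.9", False),
    (30, "alice", "198.51.100.10", False),
    (40, "alice", "198.51.100.11", False),  # fifth failure triggers the lock
    (50, "alice", "198.51.100.12", True),   # right password, still refused
    (60, "bob", "203.0.113.5", False),      # other accounts are unaffected
    (70, "bob", "203.0.113.5", True),
    (1000, "alice", "192.0.2.20", True),    # lock expired at t=940
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because failures are counted per account, switching source addresses between guesses does not reset the counter, and a correct guess made while the lock is active is still refused.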
However, Apple has come out and done its best to debunk that theory and restore confidence in the security of its iCloud service. Following two days of investigating, the tech giant released a statement which said “Certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions …”
Apple added that: “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”
Then on Tuesday, average Joes became the target. Black market websites began posting what they claimed was customer credit and debit card info stolen from Home Depot. As soon as word got out, Home Depot announced it was investigating the potential breach of its point of sale systems.
The prevailing theory at the moment is that the Home Depot breach may have first occurred way back in May of this year. If that’s proven to be the case, that could put this attack on an even bigger scale than the much-publicized Target theft which ran from November through December of last year.
As a result of the Target attack, hackers were able to make off with the credit or debit card information of about 40 million customers and personal information, like email and mailing addresses, from about 70 million.
It’s still too early to say exactly what went wrong in either of these break-ins.
If, when the dust settles on the Apple situation, it does turn out that some type of phishing scam is to blame for the attack, it likely won’t come as too much of a surprise to IT pros. Phishing has proven to be one of the most effective, and as a result most popular, cons that hackers have in their arsenal.
This case in particular could make an excellent jumping-off point for a conversation between your security team and front-end users about the latest schemes hackers are deploying, what to watch for and the steps they can take to protect themselves and your organization’s data.