Tuesday, September 2, 2014

Celebrity Photo Leaks: Why the security community is not more interested

First of all, my sympathy goes out to the celebrities who have had their privacy compromised this weekend. Having your personal photos taken and plastered all over the internet is not fun or fair. I'm about to comment on things that could've been done to improve their privacy, but I am not placing the blame on them. As with any cyber-bullying typed event, the fault rests with the bully. And shame on them for abusing their knowledge to harm others.

If you keep tabs on both mainstream media and security blogs, you have probably noticed that this event has gotten lots of attention in the former, and almost done in the latter. This may seem odd as it seems this attack has had a fairly high impact, but it makes more sense when you look at the method of attack or "kill chain".



Vulnerability in iCloud

iCloud had a vulnerability that allowed you to try as many passwords as you wanted without either forcing a delay. A more secure system would allow a limited number of password attempts (let's say 3 to 5) before forcing you to wait for a time period (let's say 5 minutes) before trying again. This may not seem like a security hole until you combine it with the next two things.

Brute Forcing a Password

Let's say I know your iCloud email, but not your password. I decide to try and guess you password. iCloud passwords are 8 characters minimum, so my first guess is

"aaaaaaaa"

If that's not right, I try

"aaaaaaab"

then

"aaaaaaac"

and so on until I've tried enough random combinations of letters, numbers, and characters to guess your password. With (very) little programming skill, I can have my computer generate passwords very quickly.

Common Passwords

Apparently, humans who speak the same language tend to think of a lot of the same words to use in passwords. After enough time spent creating, using, and guessing passwords, we start to see common patterns. This makes guessing a password much quicker, because instead of just starting with "aaaaaaaa" I can start with words I already know are common, which speeds things up a lot.

So now I can try to guess you password an unlimited number of times, as fast as I can, and a way to make my guesses more accurate. It was a privacy compromising combination.

These items are all common knowledge in the security industry that have no been applied to high profile targets. So this isn't terribly interesting from a theoretical perspective, but it is a good opportunity to remind everyone to use good password management practices.