Why #TheFappening is about a lot more than some nude photos
It’s been said that 4Chan is the origin of all things on the internet. Once again, that axiom has been proved correct.
Over the last 48 hours an unprecedented series of leaks of private, sexually explicit media from A-list American celebrities has been underway. Called by Reddit and 4Chan “The Fappening,” this campaign has successfully revealed explicit photos and videos of celebrities like Jennifer Lawrence and Kate Upton.
It’s fair to say that things have hit the fan. The FBI has confirmed they’re investigating the breach and have set up scores of honey pot operations across 4Chan and other sites where this media is being shared. Additionally one of the victims, US Olympic gold medalist and gymnist McKayla Maroney, has stated that her photos were taken when she was underage (thereby making everyone who shared them effectively guilty of proliferating child pornography).
But while the American public is rightfully spending a lot of its timelamenting/deploring/indulging/ in the content of the Fappening (whose name is as filthy as the content itself if you’re up on your internet lingo), a disturbingly little amount of time has been spent on the glaring security issues that allowed the Fappening — and untold amounts of other data theft — to occur.
What we know
While the details remain scarce due to how recent all of these events are, a few things are clear:
1.) There is no one single source for all of the photos and content released in the campaign. Instead, multiple “collectors” (who are not necessarily the hackers themselves) opted to reveal this content after one collector first revealed Jennifer Lawrence’s photos.
2.) At least one of the collectors was one of the hackers involved in directly stealing information from the celebrity targets. The hacker solicited targets for other breaches, noting that he was using a brute force hacking tool called EPPB 3.0 to steal images from targets’ iCloud backups.
3.) An additional tool called iBrute was released (and immediately patched) roughly 48 hours before the attacks. iBrute is a brute force system for compromising iCloud accounts by sequentially trying to log in using a “dictionary” of common passwords and phrases. Because Apple apparently didn’t flag or deny multiple failed login attempts, iBrute users could theoretically “guess” infinite password/username combinations until they found a match.
4.) Apple released an update stating that none of the data they invested was the “resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.”
5.) More celebrity media than those already leaked exist. Instead of freely prolifering this media however, many of the hackers and collectors involved in The Fappening sold or effectively auctioned off the remaining content for payments in bitcoins.
Anonymous is not your personal army
The Fappening is a sobering reminder of just how powerful the internet criminal underground can be. There wasn’t a single, triumphant hacking attack or individual that caused the Fappening to occur. It was instead the un-coordinated efforts of group of collectors, who have gathered their wares largely by purchasing them from a faceless, powerful marketplace of hackers selling illegally exfiltrated data.
While it’s relatively well known that the deep web black market sells things like illegal physical goods and data like personal financial information or social security numbers, the Fappenning clearly shows that large and vibrant marketplaces exist for other types of sensitive information too.
It is not unreasonable to assume that other types of confidential data such as intellectual property or even source code might be for sale. Most of the actual hackers for the Fappening were motivated by money — not the pervy desire to see J-Law’s naughty bits. The 3BTC sale of her can-can video is, after all, a lot less profitable to its seller than a 50 or 150 BTC sale of internal Facebook source code.
Cybercrime isn’t a disease: it’s a symptom. Secondary markets exist because of externalities or inefficiencies associated in meeting their inherent demand. If we want to fight cyber espionage you need to treat the economic problems associated with such espionage’s existence. The first step in doing that is to understand, at a very granular detail, how and why that market exists.
Unfortunately, law enforcement has been slothlike in their haste to understand the deep web. Beyond the fact that they’ve been only reactive to the Fappening, the FBI’s direct involvement Anon-IB, Reddit, and 4chan was clearly perceptible by even casual users.
They cludgingly flamed all of these boards with messages, speaking in language and textual tone very different from the ones used by people who actually converse on these places. Their honey pots they posted were clearly honey pots, and their awkward attempt to solicit the activity from the collectors and hackers associated with the Fappenning was comical.
If you want to catch hackers, don’t act like Axel Foley from Beverly Hills Cop. Act a little more like Fitz from The Wire. Study the deep web. Get to know how these marketplaces work. Speak their language. Even buy their stuff to understand the taxonomy of transactions.
The only way our law enforcement agencies are going to be able to treat the underlying diseases that cause cybercrime is to understand them. And the Fappening has shown that there continues to be a stark cultural and knowledge divide between federal law enforcement and the hacking community.
“Die like the rest”
From a technical point of view, it is extremely disconcerting that vulnerabilities like the ones enabling EPPB and iBrute persist.
Apple’s legalese is technically correct in that there was no “data breach of Apple systems” associated with the exfiltration of celebrity media. There wasn’t a data breach because the attackers successfully logged in with the proper credentials — credentials they were able to harvest because iCloud didn’t deny or halt a gauntlet of successive failed login attempts.
Security is fundamentally about access control. All of your expensive firewalls, all of your encryption, and all of your mystical anomalous intrusion detection systems are irrelevant if the core mechanisms for governing proper access to information are faulty.
Stopping brute force attacks by slowing or denying access to users after logging N-number of failed login attempts is a critically basic piece of access control security. It’s something we as an industry have been implementing since the early days of Unix in the 1960s, and the fact that iCloud didn’t enforce it (and apparently still doesn’t uniformly enforce it — rumors are that forked versions of iBrute still work) is flabbergasting.
Given that these vulnerabilities have apparently existed since the release of Find My iPhone and other iCloud-linked services, it’s likely that a massive amount of information was stolen over the last few months from iCloud users. Again, it would be nearly impossible for Apple to piece together the taxonomy for these data breaches, because these are valid logins with valid credentials.
The Fappening is more than just J-Law nudes. It’s a disturbing reminder that faulty access controls in iCloud and still-unknown vulnerabilities in other mobile and cloud storage suites have allowed hackers free reign in exfiltrating sensitive data.
Given how our mobile devices are increasingly becoming gateways to (or even the device itself becoming) our payment mechanisms, I’m very concerned that the other shoe to drop from these vulnerabilities is going to be very big — and very, very expensive in terms of damages.