The iCloud Hack
CMSC 334, Prof. Szajda

Social Engineering
Many of the slides here deal with Social Engineering. Thanks for those slides go to: the late Dr. Yosef Sherif, an unknown colleague at UW-Madison, Mathew Sullivan at Iowa State, Tanya L. Crenshaw at U. Portland, and various other colleagues and contributors.

iCloud Hack info
Thanks to Nik Cubrilovic: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
The iCloud Hack: What happened?
• Personal and private nude photos of celebs started appearing on online image boards and forums
  – First pics posted a week before the scam became public
    o Not public because images were being ransomed (only censored images distributed, and then only to entice folks to buy)
    o Once uncensored images were published, the scam blew up
  – Over 400 individual images and vids
    o Over a dozen celebs; at least 100 individuals had data compromised

Apparently...
• This scam only scratches the surface
  – There are private communities and trading networks where stolen data remains private
  – Horizontally organized
    o People carrying out specific tasks
    o Loosely organized
    o Communication via private email and IM

The Goal
• Steal private media from phones that utilize cloud backup services integrated into iPhones, Android, and Windows phones
• Accessing a backup requires
  – User ID and password, OR
  – Authentication token

Scammer Network Roles
• Users who troll social networks looking for targets and collecting information
  – Utilize public record services and buy credit reports
  – Set up fake profiles
  – Friend the target or friends of the target
  – Extract info that helps answer secret questions
Scammer Network Roles
• Folks who use the gathered data to determine the password or other authentication token. Methods (most with online tutorials!):
  – RATs (Remote Access Tools)
    o Target tricked into installing via private message, OR
    o Target receives email link or attachment that installs the RAT, OR
    o Friend of target installs RAT on phone or computer via physical access
  – Phishing: target receives a password reset or other trick that causes the target to enter a password into a hacker-controlled site
  – Password reminder: after gaining control of email, have a “reminder link” sent to access cloud storage
  – Password reset: answering birth date and security question challenges (often easily broken with public info)

Scammer Network Roles
• Folks who use the authentication info to “rip” cloud-based backup services using pirated software specifically engineered to dump the entire cloud backup set
  – Including messages and deleted photos

Scammer Network Roles
• Collectors: organize stolen data into folders
  – Via Dropbox and Google Drive
• Create preview images for each set of data, then email potential clients (i.e., their contacts)
• Email addresses for collectors, or for those willing to trade or sell, are typically available by referral, often from someone offering a hacking or ripping service
Disturbing...
• A frequent source of new leads is folks who know someone they want to hack (e.g., friends of celebs) and who have stumbled onto a scammer network via search terms or forums
• Contributor offers up a Facebook profile along with enough info to figure out authentication tokens (possibly even offering to install a RAT via physical access)
• In return, the contributor gets access to photos and harvested data

FindMyPhone API Brute Force
• An attack on the protocol that allows someone to find a lost iPhone, for example.
• Given the success rate with the “social engineering” methods mentioned earlier, either this was not necessary, or possibly the hackers were not aware of it.

iCloud a Popular Target
• Because Camera Roll backups are enabled by default and iPhone is a popular platform
• Windows Phone backups are available on all devices, but not enabled by default

Apple accounts particularly vulnerable
• Because of the recovery process
  – Broken into steps that fail at each point!
  – iCloud doesn’t reveal whether an email is a valid iCloud address as part of the recovery process
    o BUT it does indicate whether an email is valid if one attempts to open a new account with the same email (thus allowing brute force)
  – Second step is date of birth
    o The step succeeds or fails solely on the basis of date of birth, so it can be guessed
  – Last step is the two security questions
    o Which can often be guessed based on harvested information
Apple accounts particularly vulnerable
• Solutions?
• Apple should disable the interface that indicates whether an email is available for an iCloud account
• Recovery process should be one big step
  – Where all data is validated at once (so no way to know which step failed)
  – And the user is not given a specific error message
  – Should also have rate limits and strict lockout on the recovery process on a per-account basis
    o The ability to POST an email address to a link and get a validity response with little rate limiting is a serious bug
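To make the two recovery designs concrete, here is an added example (not from the slides or from Apple) that simulates both: a step-by-step flow whose error text acts as an oracle for each field, beside a single-step flow with one generic message and a per-account lockout. The account record, field names and limits are constructed for the demo.

```python
import time
from collections import defaultdict

# Constructed sample account for the demo (not real data).
ACCOUNT = {"email": "user@example.com", "dob": "1990-01-01",
           "answers": ("fluffy", "springfield")}

def recover_stepwise(email, dob, answers):
    """Weak flow: each check fails on its own, so the error text tells
    the caller exactly which field is still wrong (an oracle per step)."""
    if email != ACCOUNT["email"]:
        return "error: unknown email"
    if dob != ACCOUNT["dob"]:
        return "error: wrong date of birth"
    if tuple(a.lower() for a in answers) != ACCOUNT["answers"]:
        return "error: wrong security answers"
    return "ok: reset link sent"

MAX_ATTEMPTS = 5        # failed tries allowed per account per window
LOCKOUT_SECONDS = 3600  # sliding window for counting failures
_failures = defaultdict(list)  # account email -> timestamps of failures

def recover_hardened(email, dob, answers, now=None):
    """Hardened flow: all fields validated in one step, one generic
    message for every failure, and a per-account lockout once the
    failure budget is spent (the same message, so lockout is not an
    oracle either)."""
    now = time.time() if now is None else now
    recent = [t for t in _failures[email] if now - t < LOCKOUT_SECONDS]
    _failures[email] = recent
    if len(recent) >= MAX_ATTEMPTS:
        return "error: recovery temporarily unavailable"
    ok = (email == ACCOUNT["email"] and dob == ACCOUNT["dob"]
          and tuple(a.lower() for a in answers) == ACCOUNT["answers"])
    if not ok:
        _failures[email].append(now)
        return "error: recovery temporarily unavailable"
    return "ok: reset link sent"
```

Passing `now` explicitly lets the lockout window be exercised deterministically; a real service would also key the budget on the client as well as the account.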
OPSEC level of average scammer
• Was not impressive
• 98% of email addresses provided in forums as part of advertising or promotions are with the popular providers (Gmail, Outlook, Yahoo)
  – None of these are Tor friendly
• Users spoke of using VPNs when breaking into accounts, and suggested which VPNs are best, fastest, and “most anonymous”.
• It was incredibly easy to publicly identify those responsible
Tracking one distributor
• Posted a screenshot as part of an ad to sell 60 photos and vids of a single celeb, but didn’t black out his machine name or the machine names of the other computers on his local network
  – A user on reddit did a Google search and tracked down the company where the distributor worked.
  – Tracking each of the machine names led to a reddit account that had posted a screenshot of the exact same Explorer interface
    o Dude apparently liked to take screenshots of his own machine
  – Worse, the pics belonged to gymnast McKayla Maroney, who was a minor when the pics were taken
    o Thus the screenshot is an admission of possession of child pornography
So, How to Stay Secure
• Pick a better password
• Set security answers to be long random strings
• Enable two-factor authentication
• Ring-fence email
  – Two different email addresses, one for public consumption, another for private accounts
• If you are a celeb, get a second phone that uses an alias

Apple’s Official Statement

Social Engineering
Social Engineering: Definition
• Social Engineering: “the practice of obtaining confidential information by manipulation of legitimate users.” (from Wikipedia.com)
• Attackers “trick” employees into revealing sensitive information, usually to gain access to a computer system: user ID, password, IP address, etc.

Social Engineering: Definition
• A Social Engineer is basically a flavor of “Con-Man” (“Con-Person”?)
• Historically, Con-Men have been highly successful at convincing victims to give them valuable items (money, jewelry, etc.).
• Social Engineers employ similar methods, aided by modern technology, to obtain valuable data from system users.

Social Engineering: Definition
• Con-Men and social engineers see their attacks as an art form or a social trade.
  – They pride themselves on their ability to manipulate a person’s natural tendency to trust others
  – They are highly skilled and use very effective psychological methods
  – Some work for personal edification; others work for profit
Social Engineering
• The end user is usually the weakest link of a system
  – People are often lazy, ignorant of security, or simply gullible
• Social engineering is a journey into social psychology!
  – Yes I know, that probably doesn’t sound very fun
  – Well guess what… it is, so deal with it!

But First: Some Examples

Case Scenario: Meet Angry Cow
• Angry Cow is a Computer Science student at UW-Madison
• Angry Cow just got an eviction notice!

Simple Public Information is Found
• Angry Cow lives at the Regent
• The Regent’s website indicates that it is owned by Steve Brown Properties
• Angry Cow wants to “fix” Steve Brown’s record-keeping spreadsheet to show that rent has been paid

Finding A Way In...
• Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
• Poor controls over data sharing
• Lots of information there that might not seem important, but could be his first step in…
• Go to Facebook and search “Steve Brown Apartments” to find an appropriate unknowing accomplice
Let’s See -- Danielle Treu
• Born July 24, 1988
• Enjoys playing in the rain, drinking coffee, and spending money
• Works at Subway and as a Resident Assistant for Steve Brown Apartments

Let’s See -- David Klabanoff
• Born April 21, 1979
• Likes Star Wars and The Muppet Movie
• Is a Concierge for Steve Brown Apartments

Let’s See -- Andrew Baldinger (who made these slides?)
• Born March 30, 1986
• Likes kayaking, exploring, and getting lost
• Lives at the Regent
• Works as a Technology Support Specialist for Steve Brown Apartments