It's kind of funny. When you look into cyber security, the papers are all about controlled rate limiting, advanced anomaly detection, client fingerprinting, the likes, but in practice, very few companies will actually pick out abuse like this.
This creep didn't need advanced tooling, exploits or deep knowledge of the backing system. All he needed was a basic phishing scam to work well enough, and the official iCloud software (either from his browser or his computer).
All the supposedly advanced algorithms that often arbitrarily ban accounts by mistake managed to miss some random dude behind his laptop, shamelessly leaking private pictures.
To be fair, phishing is just the path of least resistance due to overall security improvements getting rid of other low-hanging fruit. If security became worse overall, phishing would fall a bit more out of favor.
It’s not too weird for 306 accounts to be using iCloud from the same IP, considering stadiums, universities, etc. It’s probably highly unusual for that many of them to do an account recovery… unless the IP is an Apple store.
It's not weird for 1000 users to be simultaneously connected via the same IP because of CGNAT. This is where you would have to do something like browser fingerprinting to try to work out if they are the same person.
This is trivial to overcome with a VPN. There's nothing that suggests that he was connecting from the same IP each time. Based on the article, he could have just as easily forgotten to sign in to a VPN before logging in, and that mistake unraveled the whole thing.
> tricked into clicking links or downloading attachments
Is that "phishing"? Those actions should be secure to perform in a browser. The security model of browsers/computers is such that I don't need to establish authenticity/trust in order to click the link or even download something.
Of course, that security model sometimes has holes, but if for example clicking the link enables an XSS attack, I'd call it (primarily) an XSS attack. Same story if downloading an attachment did much more than just creating a file on disk.
Apple makes phishing easier by always prompting the user for their Apple account password. Do anything, including installing free apps, and it requires the password.
This was also a common technique used in Runescape back in the day. Takes me back. The much more innocent version was all chatting "Press alt q q for free gold" in Warcraft 3. Alt+q+q was the keyboard shortcut to abandon the match, which I learned the hard way.
Google will alert the account owner (across all channels -- devices they own, and Gmail) when there's a login from a new device. Doesn't Apple do the same?
Yes they do. But don't underestimate how much people don't actually read their emails. They have 20 newsletters coming in every day and quickly check if anything is related to them, they have no idea what that iCloud email says. They just fell victim to a phishing attempt, they are already not that tech savvy.
I had this idea for a service just the other night : a means of overlaying real time messages and alerts direct to any app you are using at the time. Kind of Class 0 "flash" SMS.
EDIT : it could be an OS graphics layer service capable of drawing alerts on your active window. But I don't see why display manufacturers couldn't make this useful : the number of screens and applications anyone is logged into at any one time is increasing, and the primary screens we're using commonly have Windows Hello and Face ID type of biometric capabilities, which would be very useful for establishing the likelihood of unlawful access elsewhere.
EDIT 2: So Apple has a good position from which to offer this kind of "where are you working from?" heuristic check available to other security system software.
EDIT 3: Biometric presence data as a service to increase security for administration changes and logins hasn't come to my attention as being explored yet. I'm semi-retired and extremely interested in this area if anyone is interested in a wider discussion in London - not burdened with any expectations or intentions and able to arrange professional legal cover if desired / necessary - I am interested in derivative applications for services that don't yet exist.
Apple makes me authenticate the new login using a six digit code from one of my other Apple devices, which is generated if I hit "Yes" in answer to a push notification asking if it's really me trying to log in. All logged in devices get the notification, and then upon a successful login all devices get notified of the new login.
> Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.
They could start by following basic security. My kid's school sets everyone's passwords to various forms of "temp123" (same password for every kid) and often talks about them in cleartext. It sets a very bad example, and it occasionally gives me hives just thinking about it.
A friend worked at a UK government site that one week complained about an increase in "Russian" attempted intrusions and literally the next week issued an instruction in an unsigned email to all staff to change their password to a new password given in plaintext in the email.
The instruction, they thought, had to be a poor phishing attempt - but no, it was a genuine email from the IT department and the friend was punished (!!) for questioning the instruction and not immediately complying.
It may not have been the same password across the organisation, but theirs was reportedly word-based and quite short.
I worked at an ed tech company that provided services for schools and this was very common in my experience.
Schools wanted to store the students' passwords in clear text in an Excel sheet, basically to get fewer complaints from parents.
Students didn't store their password after logging in. If they needed to log in again they did not know (or did not care) how to reset their passwords. Then the problem would fall onto the parents, who would then complain to the school.
I agree that better education around Internet security is needed, especially for basic phishing attacks like this.
OTOH, I believe Apple could be doing more to deter and/or detect this type of broad access, especially with the lack of sophistication behind this scheme! I feel like even Netflix does a better job at alerting me to access from a new device, and they aren't storing any of my personal photos.
If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?
Not just better education around security practices, but better understanding around control of your content, where it's stored, what happens to content when you press that button in an app. I don't want to victim blame here, and this guy is a total creep, but the victims uploaded their nudes to the Internet. At that point, the cat was out of the bag.
Part of safely using the Internet is having the knowledge and being aware of where (in your apps) the boundary is between your local device and the global network that everyone has access to. People need to understand: when you sync to a cloud service, you're sending your content to someone's computer unknown to you. Yes, in this case, it's Apple's computer, but that didn't stop this guy. Once you sync something online, it's out of your hands, and on the Internet now.
I personally treat all cloud services as if they were accessible publicly and anonymously, and will inevitably be printed in my local newspaper, and only upload content to those services where I am comfortable with that level of exposure.
EDIT: To clarify, I wish applications would stop blurring the line between "on my device" and "on the Internet". I've used applications where, to an unsophisticated user, the save dialog looks like it's saving to their computer but it's actually in the cloud. Add to it all these apps that try to be helpful by seamlessly (and invisibly) keeping local content in sync with the cloud versions and you have a recipe for disasters like this. Have an explicit "upload this thing to the Internet" button, please!
Yeah, Netflix is actually annoying with it - I was using my "ultra low security" password which is in... probably every public password dump around for years, got dozens of logins, just ignored them til someone finally tried to change it and I had to reset it.
I can't believe Facebook hasn't stopped the "your mother's maiden name and your first pet's name is your pornstar name, post yours below" posts on Facebook. These companies clearly don't care that their platforms are used to enable scammers so long as they're getting their cut of the money.
I posted this link and I named it the way I did to draw attention to this in context of CSAM enforcement... this man could have easily uploaded any photos to these hacked iCloud accounts, which would've been synced down to end user devices.
Apple didn't catch on to this, despite him not using VPN or Tor... it wasn't until the FBI investigated a public figure's hacked and posted photos that this came to light.
[EDIT]: Not the FBI, but a private company noticed this (h/t codeecan)
The problem with the US statute for CSAM is that possession is illegal, not just intentional creation/collection/distribution. The person being hacked has technically broken the law, even if they don’t get prosecuted.
I don’t know how often unintentional possessors are prosecuted, but the US system of prosecution makes it easy for an innocent to get railroaded by threats of massive charges and comparatively lenient plea deals, combined with punitive sentencing for those who reject the plea bargain. Think Aaron Swartz, but without any intent to violate the law.
> The person being hacked would still be investigated by the FBI
As someone with family in the FBI (one on a relevant team) and a local LEO that was deputized to do this work for the US Marshals, that doesn’t reassure me. The best forensics employees in the FBI with enough resources can identify that there was a hack and that the account owner is innocent. We live in a world of scarcity where that much effort is not always invested.
I think the client-side versus server side is more about relative trade offs of who owns the client device (and what “ownership” means) and whether the equivalent server side search is technologically feasible (might not be if the client encrypts with a key only the client owns, as some have speculated about Apple’s future plans).
Well Apple differentiates themselves on privacy. I would prefer to do business with a company that never looks at my data for any reason. The problem with on-device scanning is the implicit backdoor.
It's only an attack vector in the minds of people who haven't given it more than 10 seconds of thought.
Apple knows the sync dates of all of the photos that are uploaded. So unless someone has hacked your account and has been directly trickle feeding CSAM for years (without you noticing) then it's going to look suspicious. A big dump of lots of CSAM at one particular timestamp is a pretty easy thing to spot.
And then in this case they aren't hacking the phone but the account which means Apple is going to notice a set of photos coming from an IP address they haven't seen used from that account before.
Edit: No if they use the same algorithm, but they could use other algorithms which are less abusable and no one would know the hashes in the database, so yes, I guess?
If he was specifically going after famous women's accounts, I don't think it was so random, given that he went after hundreds of people and didn't cover his tracks at all. He was after celebrity photos, he was sloppy, people who try to defend against such attacks were going to catch him.
The fact Apple missed logins to hundreds of accounts over time from a single IP, probably registered to Spectrum or Verizon, is a little suspect. Then again, there are probably public IPs with a NAT with thousands of iPhones behind it at times. This might be a really hard one to detect even though it's sloppy.
Companies regularly NAT many thousands of users behind a single public IP. Additionally non-profits, schools, and others often provide WiFi for their guests/students using a supposedly residential internet account or their ISP doesn't segment basic business IPs from residentials.
In any case flagging multiple accounts logging in from a single public IP is not as useful a signal as you might think.
Apple itself is currently obsoleting IP-based account theft heuristics with their iCloud VPN, so they might have stopped relying on it internally already :)
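As an added example (not code from the thread, from Apple, or from any real iCloud system), the two heuristics the comments above sketch, written in Python over constructed log lines: the per-IP account-recovery ratio that separates a CGNAT or campus address (many accounts, few recoveries) from a single operator recovering many accounts, and the per-account check for a burst of uploads from an IP that account has not used before. The log format, thresholds and grace period are all assumptions.

```python
"""Two login-anomaly heuristics from the thread, over constructed sample events.

1. suspicious_recovery_ips: many *distinct* accounts doing account recovery
   from one IP, relative to the accounts merely logging in from it. A CGNAT
   address has a low ratio; one operator phishing many accounts has a high one.
2. upload_bursts_from_new_ip: a large upload burst from an IP the account has
   not been using for at least `grace` (the "photos from an unseen IP" point).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): "timestamp account ip action count".
# 198.51.100.7 plays a shared/NAT address; 203.0.113.9 plays one operator's box.
RAW_LOG = """
2021-08-01T09:00:00 alice 198.51.100.7 login 1
2021-08-01T09:01:00 bob 198.51.100.7 login 1
2021-08-01T09:02:00 carol 198.51.100.7 login 1
2021-08-01T09:03:00 dave 198.51.100.7 login 1
2021-08-01T09:04:00 erin 198.51.100.7 login 1
2021-08-01T09:05:00 frank 198.51.100.7 login 1
2021-08-01T09:06:00 frank 198.51.100.7 account_recovery 1
2021-08-03T20:00:00 victim1 203.0.113.9 account_recovery 1
2021-08-03T20:01:00 victim1 203.0.113.9 login 1
2021-08-03T20:10:00 victim2 203.0.113.9 account_recovery 1
2021-08-03T20:11:00 victim2 203.0.113.9 login 1
2021-08-03T20:20:00 victim3 203.0.113.9 account_recovery 1
2021-08-03T20:21:00 victim3 203.0.113.9 login 1
2021-08-03T20:30:00 victim4 203.0.113.9 account_recovery 1
2021-08-03T20:31:00 victim4 203.0.113.9 login 1
2021-08-04T11:00:00 victim1 203.0.113.9 upload 30
2021-08-04T11:01:00 victim1 203.0.113.9 upload 30
2021-08-20T10:00:00 alice 198.51.100.7 upload 25
2021-08-20T10:01:00 alice 198.51.100.7 upload 25
"""


def parse(raw):
    """Parse the constructed format into dicts, sorted by timestamp."""
    events = []
    for line in raw.strip().splitlines():
        ts, account, ip, action, count = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "action": action, "count": int(count)})
    return sorted(events, key=lambda e: e["ts"])


EVENTS = parse(RAW_LOG)


def suspicious_recovery_ips(events, min_recoveries=3, min_ratio=0.5):
    """Return {ip: (accounts_recovering, accounts_seen)} for IPs whose recovery
    ratio is high. Raw account count per IP is deliberately not a signal."""
    seen = defaultdict(set)
    recovering = defaultdict(set)
    for e in events:
        seen[e["ip"]].add(e["account"])
        if e["action"] == "account_recovery":
            recovering[e["ip"]].add(e["account"])
    flagged = {}
    for ip, accounts in seen.items():
        n_rec = len(recovering[ip])
        if n_rec >= min_recoveries and n_rec / len(accounts) >= min_ratio:
            flagged[ip] = (n_rec, len(accounts))
    return flagged


def upload_bursts_from_new_ip(events, grace=timedelta(days=7),
                              window=timedelta(minutes=10), min_photos=50):
    """Return {(account, ip): photos} where an IP first seen for the account
    less than `grace` ago pushed >= min_photos within `window`."""
    first_seen = {}              # (account, ip) -> first timestamp observed
    recent = defaultdict(list)   # (account, ip) -> [(ts, count)] within window
    flagged = {}
    for e in events:
        key = (e["account"], e["ip"])
        first_seen.setdefault(key, e["ts"])
        if e["action"] != "upload" or e["ts"] - first_seen[key] >= grace:
            continue             # not an upload, or IP is established for this account
        bucket = recent[key]
        bucket.append((e["ts"], e["count"]))
        bucket[:] = [(t, c) for t, c in bucket if e["ts"] - t <= window]
        total = sum(c for _, c in bucket)
        if total >= min_photos:
            flagged[key] = max(total, flagged.get(key, 0))
    return flagged


if __name__ == "__main__":
    print("recovery-heavy IPs:", suspicious_recovery_ips(EVENTS))
    print("upload bursts from new IPs:", upload_bursts_from_new_ip(EVENTS))
```

In the sample, the shared address with six accounts and one recovery is not flagged, while the address recovering four of four accounts is; alice's burst from her long-established IP passes, victim1's burst one day after the new IP appeared does not.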
This Twitter account continues to debase discourse about the child safety proposals with FUD. It posted incorrect information about the proposal before launch and has continued with useless speculation. How many of the hypothesized threat models which don’t pan out has he formally redacted?
If you are worried about the security of iCloud, then that can be read as more reason to prefer client side scanning. Of course the tweets are ambiguous about logical implications so you can’t engage with them directly.
I have been thinking about "nudes" (which I will use as a shorthand to describe digital images of a person sans clothing, almost always taken by that person) in terms of cultural evolution. A couple of years ago I mentioned, on HN, that I knew Jenni, of JenniCam, before the "cam," back when she was just experimenting with this new digital camera device. And then they became more and more available.
For a brief time there was a kind of explosion of said nudes. I could be on Yahoo Chat and women would just send them, unsolicited, and I think that was the era of people not realizing that nudes can get around, like any other secret, once you let go of them. My guess is that probably came to an end roughly ten years ago or so, and people now hold onto them tightly, which is probably much more reasonable.
People still take nudes, and pass them on, but I think there is a level of discretion that has increased, although I know some women who mention being pestered for such by men they know. Still, these images are on cameras and cloud storage and such, and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes? Poor judgment of course abounds in so many reported crimes but ... how does one even trawl more than half a million photos for nudes? Was he planning on going through them individually? Was he going to make a neural net to scan for skin?
I just find the whole thing a little baffling in this day and this age.
>and for the life of me I do not get the hunger that drives such a risky behavior as getting into hacked iCloud accounts versus, I don't know, average sources of free nudes?
I presume the hunger is more about having access to something you are not supposed to have access to, or were not given access to.
"Everything in human life is really about sex, except sex. Sex is about power.”
I get the impression this trend has peaked. For a while, young people stopped going topless on the beach, for example, for fear of photos appearing online. In the last years, it's been making a comeback. I believe it's both a sense that there's so much out there, chances are rather low someone you know will come across any photo. And that it just doesn't matter. I am absolutely certain you wouldn't be able to hurt someone with sending their work colleagues a topless photo you found, but rather risk your own job if you're found.
“I’m remorseful… but I have a family” he says hoping this doesn’t “ruin” his life. Fuck this guy. He knew what he was doing. He should have all the consequences both those from the court and professionally: who’s going to hire him now? Maybe someone in infosec but likely not ever again in tech.
A friend once pointed out that it's likely a majority of "amateur" porn is private content from hacked or stolen accounts and wasn't posted by any of the parties depicted.
He mentioned this when a bunch of stories were coming out about GeekSquad and other IT help as a service companies stealing data or acting as data harvesters for the FBI/DEA etc.
I don't think that's likely at all. It seems like it would be far easier to find women who are willing to take their clothes off for money (something that has been relatively easy to find for centuries) than it would be to hack hundreds of devices in order to steal such pictures - if they happen to exist.
I am no fan of Apple, but this man used phishing attacks to gain access to just 306 iCloud accounts. That hardly seems a significant failing on Apple's part. He used the credentials of the victims, so I'm not really clear how rate limiting should have played a role; you should be limited from accessing your own account?
Apple has made leaps and bounds on security, including having 2FA mandatory, but none of it matters when the user is convinced they are speaking to someone from Apple who is telling them to read out the 2FA code and provide their details.
No warning in the world will help because the attacker will just say "Ok that's ok, that warning is just for untrusted people. Since I am an Apple employee, it is perfectly safe". These victims already trust the attacker so they will just do anything asked.
I think the only solution here is to just block all logins outside of the user's own country and to have local law enforcement crack down hard on any in-country criminals. Apple can use the Find My location to work out if any of the user's devices are at or have been at a certain location. I can't imagine many situations where you leave all of your devices at home, leave the country and then try to log in.
Was it really in a short time frame? It sounds like he was choosing some targets based on requests from other people. This sounds like he was doing this over quite a long time.
How does this amount to only four felonies?! Our system is so abysmally bad at understanding crimes of scale, especially when they happen over the internet. If he burgled 4,700 houses, it would be a lot more than four felonies.
My heart goes out to this man's victims.
Like Jim Browning, the Youtuber famous for scamming scammers, who recently fell for a phishing scam himself and ended up deleting his Youtube account. (https://news.slashdot.org/story/21/07/28/2023241/youtube-cha...)
EDIT: DO NOT TRY WHAT FOLLOWS IT IS AN EXAMPLE OF A SCAM.
Wow! XYZ is smart enough to block your password so others can't see it! ╍⡵ⱇ⪞‾╴⧊↧Ⓗ⥔⋾⁅
I can see it, but you can't. Try it!!!!
An unbelievable number of people fell for this on Myspace and Facebook in the early days.
(IMHO human was always the weakest part in the security chain and this will not change looking at social engineering)
> He gained unauthorized access to photos and videos of at least 306 victims across the nation
> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house
Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.
The guy probably was the only one in the group doing this and was led to believe by the others that it was completely safe.
Google, Microsoft etc we know for a fact do server side scanning of photos for CSAM. Apple should be assumed to do the same.
So what exactly is the difference if this is done client- or server-side? The person being hacked would still be investigated by the FBI.
> A California company that specializes in removing celebrity photos from the internet notified an unnamed public figure ...
He was caught by random chance, thanks to this company.
From the site guidelines:
> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.
Just a reminder because if a mod ends up viewing this they will probably change the title back to the original.
I assume each upload is tagged with device ID which first uploaded it etc. but maybe that can be spoofed as well?
(With the latter, strictly speaking, being a subset of the former anyway)