Apple
has confirmed that some celebrities' iCloud accounts were broken into, but says
it has found no evidence that this was caused by a breach of its security systems.
Instead,
the firm suggests perpetrators carried out their thefts by deducing victims'
log-in credentials.
The
statement follows the online publication of intimate pictures of about 20
personalities.
Actress
Jennifer Lawrence has confirmed a leaked topless photo of her was real.
There
had been speculation that the images were obtained due to a vulnerability in
software that allows users to locate missing iPhones, since it had allowed
unlimited password guesses.
But
Apple has indicated that
this was not the case.
"We
wanted to provide an update to our investigation into the theft of photos of
certain celebrities," said the firm in a statement.
"When
we learned of the theft, we were outraged and immediately mobilised Apple's
engineers to discover the source.
"Our
customers' privacy and security are of utmost importance to us.
"After
more than 40 hours of investigation, we have discovered that certain celebrity
accounts were compromised by a very targeted attack on user names, passwords
and security questions, a practice that has become all too common on the
internet.
"None
of the cases we have investigated has resulted from any breach in any of
Apple's systems including iCloud or Find my iPhone. We are continuing to work
with law enforcement to help identify the criminals involved."
The
FBI said earlier that it was looking into the case.
Experts
had highlighted that celebrities could be vulnerable to attacks if their
passwords or security question answers could be guessed from articles written
about them.
But
one academic suggested that it would take more than obscure log-ins to shield
internet accounts from the risk of theft.
"This
isn't the first time photos have been taken off cloud storage and it won't be
the last," said Dr Steven Murdoch, an information security researcher at
University College London.
"And
it's not fair to blame the victims of crime who may have simply been following
the instructions websites are giving to protect their accounts.
"Authentication
is not cheap to do right at large scale.
"If
you contrast what Apple and Dropbox and Google are doing with what banks are
doing, then you can see the banks are taking significantly more steps to
protect their customers. They are sending hardware and letters to customers,
and sometimes requesting they come into branches, which gives better security but
at a cost."
Dr
Murdoch said that users wishing to do more to protect themselves could activate
two-factor authentication - which can involve the user having to type in a
short code sent via text message to their phone number as an extra security
step before they are given access to their uploads.
'Creepy effort'
Images
of the celebrities were leaked on image posting website 4Chan.
The
user posting them - who defined him or herself as a "collector"
rather than "hacker" - said more images of different celebrities
would soon be posted.
Copies
of the images spread to other services, including Reddit, Imgur and Twitter,
from which they were subsequently deleted by administrators.
While
some of the celebrities said the images were fake, others have confirmed their
authenticity.
Actress
Mary Elizabeth Winstead posted on Twitter: "To those of you looking at
photos I took with my husband years ago in the privacy of our home, hope you
feel great about yourselves.
"Knowing
those photos were deleted long ago, I can only imagine the creepy effort that
went into this."
Winstead's
comments would suggest iCloud was not at play, as pictures on Apple's service
are only viewable online for 30 days.
Raj
Samani from Intel Security said: "Almost every service used online requires
a password, and to ensure your passwords are secure, they must be
complex."
But
more often than not, it is human weaknesses that give hackers the simplest
route to compromising accounts.
"Phishing"
people - meaning to trick them into giving up their password - is considered
perhaps the simplest and most targeted way hackers gain access to accounts.
BBC
Business
No comments:
Post a Comment