Ukrainian Hacker Strikes Again. Creepy Hacker Community Compromises Apple iCloud.
A wave of high profile security breaches was recently discovered, potentially affecting millions of people. Each attack had a unique footprint, giving us an interesting glimpse into the scary world of cyber crime.
Somewhere in the PR offices of the Goodwill, the Department of Health and Human Services, and The Home Depot, a crisis-management specialist is enjoying a small moment of thanks. On the one hand, they’ve probably had a pretty terrible week, dealing with the press and trying to explain the causes and impacts of major security breaches within their organizations. On the other hand, they are probably considering themselves lucky. They know that the best way to divert attention away from their own crises is for another, more interesting crisis to hit at the same time. Fortunately for them, their unspoken prayers were answered. At the same time stories broke about their breaches, it was revealed that naked photographs of high profile, female celebrities were stolen from Apple’s iCloud service. Hacking + Apple + celebrities + naked selfies = a four-of-a-kind in the tech news world, and trumps even news about a security breach that might be bigger than Target’s 2013 attack. Let’s face it, Jennifer Lawrence has a lot more charisma than Home Depot credit card numbers.
Although this string of hacks might have been an unexpected deus ex machina for a few lucky PR professionals, for the rest of us, it’s a really scary series of events that forces us to take a step back and ask the question: is anything safe online? Let’s review each of these breaches and see what we can learn from them so we can be better protected ourselves in cyber space.
The Wall Street Journal first reported on September 4 that a Healthcare.gov server was compromised via a malware attack. While this breach may be the most interesting from a political perspective (especially for Republicans, who are using it to excoriate President Obama for his healthcare legislation), it is the least salacious in terms of its impact. The attack was relatively minor and it was well-managed through standard security procedures. It appears as though an unpatched/unhardened test server was accidently connected to the Internet on August 25, making it vulnerable to hackers who scan large IP ranges for hosts who are vulnerable to known attacks. Most likely, the hacker wasn’t targeting Healthcare.gov directly, and he may not have even known he gained access to one of their servers.
Fortunately, the compromised server was detected by HHS using its normal monitoring procedures and it appears that no user information was accessed. So, although its disconcerting to think of a government healthcare website getting compromised, the reality is that this was a garden variety “script kiddie” attack, the kind that happens everyday. I’m just glad to know HHS has daily scanning procedures in place and is closely monitoring the activity of its network.
If you thought the cyber bad guys might spare a non-profit organization dedicated to helping the poor, then you would be giving them far too much credit. Goodwill disclosed on September 2 that a security breach that occurred in July—resulting in 868,000 stolen credit card numbers—was caused by a third party payment card processing vendor, rather than the result of a compromise of their own network. Even if you do everything right as an IT professional, you’re still not safe if your vendors aren’t doing the same.
The Home Depot
From a purely economic standpoint, the Home Depot breach has the potential to be the most serious security breach in the September series. The attack was first reported by security expert Brian Krebs on September 2, when he discovered a credit card list that went up for sale by the same Ukrainian hacker responsible for the Target attack (as well breaches at PF Changes, Sally Beauty and Harbor Freight). By correlating the stolen credit card zip codes with zip codes of Home Depot stores across the country, Krebs later determined that the breach likely affected almost all of Home Depot’s 2,200 stores, potentially making it larger than the 40 million card cards stolen from Target last year.
The Home Depot hasn’t yet confirmed the breach, but its reaction indicates that its for real. It is not yet know how the attack was perpetrated.
A super fascinating sidebar here is the peek behind the curtain offered by Krebs into life of the Ukrainian hacker who has been perpetrating these crimes. Through some pretty cool forensic analysis, Krebs actually tracked down the criminal, posted pictures of him online and contacted him via IM. Ballsy.
What all of this brings to light, however, is the growing threat caused by the economic incentive of hackers in poor but educated countries to hack into American servers. And in the case of Russian and Ukrainian hackers, they are now further incentivized by political motivations. Not coincidently, the batch of Home Depot credit cards offered by the hacker for sale was named “American Sanctions,” presumably in response to U.S.-led sanctions issued against Russia for its backing of Ukrainian separatists.
It was the Apple iCloud breach, however, that took the spot light over the Labor Day weekend. On September 1, it was discovered that a large number iCloud accounts were compromised, giving hackers access to backup data containing explicit pictures of Jennifer Lawrence, Kate Upton and other famous celebrities.
But, unlike the Home Depot breach which was the product of a single hacker, the iCloud breach, it was reveled, was the result of a secret community of hackers who trade stolen pictures like baseball cards. Really creepy stuff.
From messages communicated on their message boards, it appears that these hackers used a combination of techniques to gain access to people’s iCloud accounts, including:
- Correctly guessing answers to security questions as part of Apple’s “forgot your password” functionality, which is not difficult to do given that most of this information is publically available for celebrities
- Cracking passwords via standard brute force techniques, like using iBrute
- Using a piece of law enforcement software called Phone Password Breaker from the Russian company Elcomsoft, to download iCloud backup data
With so many publically available tools out there for cracking iCloud, and a helpful (and creepy) community wiling to offer hacking advice, the victims of the attack never stood a chance. Nonetheless, there was a lot of “blame the victim” going on, which is unfortunate. (TechCrunch’s Alex Tsotsis wrote a nice piece about this kneejerk social reaction.)