Snapchat, your house was not ransacked…

NRK (Norway) recently reported on the Snapchat hack and they started off with the following line (Google-translated):

If someone breaks into a young girl's house, steals nude photos of her and hangs them up around the neighborhood, is it her own fault?

Taking the statement at face value: it's not like that.

Using the analogy:

  • The house is the phone
  • The package where the photos are kept is the application
  • The delivery method (postal service) is the application sending the file to the cloud service
  • The warehouse is a 'cloud'/online service (SnapSaved)
  • So… the photos are sent from the house to a warehouse and redistributed from there to other houses; nobody broke into the house.

So, the intruder is not breaking into the house, they are breaking into the warehouse.

You have very little control over the package once it leaves your house.

In theory, the house is safe as long as the photos are not sent to the warehouse.

As previously mentioned, the warehouse (application cloud/online service) and the delivery method (application) need to be secured. Whose responsibility is that?

Note:

  • No one broke into anyone's phone!
  • It's not the victim's fault, but just as any delivery service has an 'items may be lost in transit' policy or offers insurance for valuable items, application owners must communicate the equivalent risks to their users. (Snapchat was irresponsible to state that its service is 'safe'/'secure'. How can you guarantee a service when other services can access it?)
  • Yes, another application issue.

It is important to get the analogies right to properly understand and appreciate the issue at hand. Lawmakers, speak to the professionals!

http://www.nrk.no/ytring/snapchat-i-steinalderen-1.11985369

http://www.theinquirer.net/inquirer/news/2375126/hackers-post-at-least-100-000-intercepted-snapchat-photos-on-4chan

Burn Phones are the new black

It appears that the burner phone idea 'is catching on' in the celeb world.

The iPhone scandal, eavesdropping, etc. are all catalysts for increased privacy.

Note the use of the burner phone: details are sent directly to the phone, reflecting a 'lack of trust' in the guests' own phones.

http://www.theregister.co.uk/2014/09/30/clooney_wedding_burner_phones/

Trusting the cloud (Part 2)

A few more observations.

Just to let you know where I stand on the issue:
People have a right to privacy. It is fine to embrace technology, take intimate photos of yourself and distribute them. However, you would expect that photos and personal content remain secure and accessible only to those you choose to allow.

If the app developer and the user are not responsible for the user's privacy, then who is? One can't assume that the application developer will provide security and privacy.

I still stand by the fact that the application developer must develop their products with privacy and security in mind.
Think about the automobile industry: if they don't manufacture cars with safety improvements, people die. While this is not as extreme, imagine the distress caused when private information is exposed.

Let’s examine the core issues in detail.

1. If you are of value, you will be a target.

You might not be famous or successful, but to a determined adversary on the opposing team you may still be a target. Multiply this if you are popular and you become a major target; it is a numbers game.

The Fox News article states the following:

Many high-traffic websites feast on showing every inch of female flesh, preferably belonging to famous females, that they can access.

It is quite obvious that there is a market for this, so they were targets!

2. The distribution of data opens opportunities for your enemy

Online technology, not just cloud services, allows more information to be spread across different services. For an attacker it becomes a case of gathering pieces of the puzzle. The Ars Technica article describes how a reporter, Mat Honan, was targeted:

a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Little bits of information, when matched together, complete the puzzle. As a potential target, you need to be conscious of the information you allow to be public. Operational security (OpSec) is the practice of managing that information.

Samantha Stone sums up the first two points and directs her blame straight at the victims. Let's put this into perspective: yes, there is some blame there, but technology is a tool. Like a car, you have to learn how to use it and be aware of the dangers and safety measures. By the same token, the application developer must ensure that their product is safe to use, which segues into the third point.

3. Poor application security

It is extremely hard to implement new technologies, and it is also hard to implement security safeguards around them. However, history repeats itself, so the attacks we know have happened before will most likely happen again.

We take things for granted; however, being aware and one step ahead will help stop attacks such as these. A combination of OpSec by the user and security work by the application vendor will reduce the chance of situations like this happening.

If there were a known way to break into your systems, wouldn't you be on it like a rash to fix it?

The Ars Technica article states:

Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts— so the attacker was able to keep hammering away at targeted accounts until access was granted.

Brute force attacks and account lockout are NOT new ideas!

Lockout is an old concept; shouldn't you avoid making the same mistake twice???
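To make the point concrete, here is an added example (not code from the original post, nor anything Apple or Snapchat ran): a toy authenticator exercised twice by the same constructed dictionary attack, once with no limit on failed attempts, which is the weakness the Ars Technica quote describes, and once with a lockout policy. The account, the password, the word list, the threshold of 5 failures and the 15-minute lock are all assumptions made for the illustration.

```python
"""Added example: the effect of account lockout on a brute-force login attack.

Everything here (users, passwords, word list, thresholds) is constructed for
the illustration; it is not the Find My iPhone service or its policy."""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed: failed attempts allowed before a lock
LOCKOUT_SECONDS = 900   # assumed: 15-minute temporary lock


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a stolen database is also hard to brute force offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, enforce_lockout: bool, clock=time.time):
        self.enforce_lockout = enforce_lockout
        self.clock = clock          # injectable so the lock expiry can be tested
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'bad' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "bad"            # same answer as a wrong password: no user enumeration
        now = self.clock()
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"         # even the right password is refused while locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.enforce_lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad"


def dictionary_attack(auth: Authenticator, user: str, wordlist):
    """Guess passwords in order; returns (password found or None, attempts made)."""
    attempts = 0
    for guess in wordlist:
        attempts += 1
        result = auth.login(user, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts   # the attacker is shut out, stop guessing
    return None, attempts


# Constructed word list; the victim's password is deliberately the last entry.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "iloveyou", "sunshine", "princess", "welcome1"]


def demo(enforce_lockout: bool):
    """Run the attack against a fresh service with or without lockout."""
    auth = Authenticator(enforce_lockout, clock=lambda: 1000.0)
    auth.register("victim", "welcome1")
    return dictionary_attack(auth, "victim", WORDLIST)


def demo_lockout_expiry():
    """The lock is temporary: once it expires the real owner can log in again."""
    now = [1000.0]
    auth = Authenticator(True, clock=lambda: now[0])
    auth.register("victim", "welcome1")
    for _ in range(MAX_FAILURES):
        auth.login("victim", "wrong")
    during = auth.login("victim", "welcome1")   # 'locked'
    now[0] += LOCKOUT_SECONDS + 1
    after = auth.login("victim", "welcome1")    # 'ok'
    return during, after


if __name__ == "__main__":
    print("no lockout:", demo(False))   # password recovered on the 8th guess
    print("lockout:   ", demo(True))    # attacker stopped after the 6th attempt
    print("expiry:    ", demo_lockout_expiry())
```

Without lockout the attacker simply keeps hammering until the word list yields the password; with it, the sixth attempt is refused and every later guess is wasted. The caveat a practitioner would add: a hard lock is itself a denial-of-service lever against the victim, so real services usually combine a per-account lock with per-source rate limiting or increasing delays, and alert the owner on repeated failures.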

Importantly, from an OpSec point of view, the fact is that as celebrities their personal information is no longer private, rendering any security challenge based on personal information (security questions, for instance) useless.

The Dark Reading article demonstrates how 'easy' it is to break into the accounts.

Further to this, Fort Knox does not have a broken wooden door between the outside world and the gold. Having your entire life (online backups) behind a ‘flimsy’ door (think weak password) is just asking for trouble.

There is more than one way to get valuable information: the Wired article points out that if you have a backup and your enemy gets hold of it, they have a fighting chance of obtaining your personal information.

4. Reducing your potential loss.

Well, this is a tricky one. Unless you are in the know, it is hard to keep up.

Quick thoughts:
1. Any real-world threat can be carried out with efficiency and anonymity thanks to technology.
2. OpSec and identity management are increasingly important in this age.
3. Evolution and rapid change makes it very difficult to keep up. Embrace new technology with a pinch of salt if you believe that you are a target.
4. There are specialists out there to help, go find one!

http://www.foxnews.com/politics/2014/09/04/nude-photo-hacking-why-mainstream-media-are-part-problem/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
http://www.reviewjournal.com/opinion/blame-technology-ignorant-victims-photo-hacking
http://www.washingtonpost.com/news/morning-mix/wp/2014/09/05/after-nude-celebrity-hacking-apples-tim-cook-says-company-will-improve-security/
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
http://www.wired.com/2014/09/eppb-icloud/