(2014 Update here)

I have been telling people for years (both professionally and personally) that anything you put into digital format can be easily stolen from you. Music, pictures, your master’s thesis… anything!

In today’s widely connected world, we have more devices and technology to not only be electronic information consumers, but producers as well.

While information security has come a long way in the last 20 years, one key fact remains the same: the weakest link in the chain is the human. Humans aren’t good at securing their stuff – and they certainly aren’t good at picking passwords or security questions.

The incident that I’m about to share with you below is just an example – an important example. Share this posting please.

Dear Chief, I am reaching out to you because I have nowhere else to turn. One of my friends referred me to you. I am a 19 year old female college student. I’m not sure how, but personal pictures that I took of myself have made their way onto the internet. A friend of mine at school brought this to my attention. These pictures were taken on my iPhone and NEVER sent to ANYONE EVER. They were for my own personal use. I did not email or text them to anyone. I just want to be clear on this because my friends are under the impression that I am some kind of internet floozy now. Please call me at [REDACTED]. I don’t have a lot of money (I’m a college student duh) but I will do what I can. Thanks, Jes

Dear Jes,

As we discussed on the phone, this isn’t normally something that I’d work on – but with your permission and understanding, I am sharing a redacted version of my findings with my blog readers in the hopes that it will educate and prevent this from happening to others. All of what I am about to tell you was easily gleaned from the password reset emails, activity logs, and social media accounts that you provided me.

Your entire ordeal, believe it or not, has to do with your cat and your best friend.

Neither your cat nor your best friend posted your pictures to the Internet, but they both did assist the person that did.

Allow me to explain.

Given the information that you shared with me, including the emails from various service providers, this is what happened:

1) The perpetrator located your Yahoo e-mail address. This could have occurred a variety of ways, but you should know that all 425 of your Facebook “friends” can see your registered e-mail address. Facebook at one time hid this e-mail address and replaced it on your timeline with a [redacted]@facebook.com placeholder. You commented to me that you were one of the people enraged by this and proceeded to change things back. May I recommend that you re-think this decision on a go-forward basis.

2) The perp reset your Yahoo password. He was able to do this because he was able to answer the following two questions that you created yourself:

What color is [redacted]’s car?

My cat’s name is?

I want to point out that the answers to both of these questions are easily found by reading through your Facebook profile.

If you go to Photo Album [redacted] and look at the third picture, you can clearly see [redacted] sitting in her new car. She is tagged in that picture. One can see that her car is black.

If you go to Photo Album “Cat”, every single picture has a caption where you share that your cat’s name is [redacted].

3) After taking control of your Yahoo account, the perp attempted to take control of your Apple ID at icloud.com – which happened to be your Yahoo e-mail address. To take control of your Apple ID, the perp went through the password reset process and had a reset email sent to your Yahoo e-mail, which he now controlled.

4) After resetting your Apple ID’s password, the perp was then able to get to what he really wanted: the iCloud backup of your iPhone. If you never shared those photos with anyone, and no one else ever had physical access to your phone to remove the pictures, then it is very likely that they used this common technique:

Using a utility called EPPB (Elcomsoft Phone Password Breaker), he was able to:

Use your stolen Apple ID and download the iCloud backup of your iPhone.

Use EPPB to break the 4-digit PIN passcode.

Have full and unfettered access to all files included in that backup, including the Camera Roll – where your personal pictures were stored.

The perp was able to do what I described in a very short period of time (a matter of an hour or two). Given the timeline of the password reset emails that you sent me (xx:xx AM), the perp was counting on you being asleep and not on your phone or computer. The following morning when you realized that you were locked out of both your Yahoo and Apple accounts, it was far too late. You were already compromised.
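As an added illustration (not part of the original post, and not anything the author ran), here is a small Python model of the reset chain laid out in steps 1 to 4: it flags security questions whose answers can be read straight off public profile text, then walks the reset dependencies to show which accounts fall from that foothold alone. The account names, questions, answers and profile captions are constructed to mirror the story, and the "mfa" flag stands in for the secondary authentication recommended at the end of the post.

```python
"""Audit a set of accounts for the reset chain described in the post.

Constructed example: account names, questions, answers and profile text are
made up to mirror the story; nothing here talks to a real service."""

# How each account's password can be reset: a link mailed to another account
# ("reset_email"), security questions, or owning a parent account ("requires",
# as an iCloud backup is readable with the Apple ID). "mfa": True means a
# second factor blocks reset-only takeover.
ACCOUNTS = {
    "yahoo": {"questions": ["What color is Amy's car?", "My cat's name is?"]},
    "apple_id": {"reset_email": "yahoo"},
    "icloud_backup": {"requires": "apple_id"},
}
ANSWERS = {"What color is Amy's car?": "black", "My cat's name is?": "whiskers"}
# Constructed stand-in for public photo captions and tags on a social profile.
PUBLIC_PROFILE = ["Amy in her new car, black and shiny!", "Whiskers napping again"]


def publicly_answerable(questions, answers, profile):
    """Questions whose answer appears (case-insensitive substring) in public text."""
    text = " ".join(profile).lower()
    return [q for q in questions if answers[q].lower() in text]


def compromise_set(accounts, answerable, foothold="public_profile"):
    """Fixed-point walk of the reset graph starting from someone who can only
    read the public profile; returns the accounts that fall with no credential."""
    owned = {foothold}
    changed = True
    while changed:
        changed = False
        for name, spec in accounts.items():
            if name in owned or spec.get("mfa"):
                continue  # already taken, or a second factor stops the reset
            qs = spec.get("questions", [])
            via_questions = bool(qs) and all(q in answerable for q in qs)
            via_email = spec.get("reset_email") in owned
            via_parent = spec.get("requires") in owned
            if via_questions or via_email or via_parent:
                owned.add(name)
                changed = True
    return owned - {foothold}


def audit(accounts=ACCOUNTS, answers=ANSWERS, profile=PUBLIC_PROFILE):
    """Weak questions first, then everything reachable through them."""
    weak = [q for spec in accounts.values()
            for q in publicly_answerable(spec.get("questions", []), answers, profile)]
    return weak, compromise_set(accounts, set(weak))
```

Run `audit()` on the constructed data and all three accounts fall from the two cat-and-car questions alone; set `"mfa": True` on the mail account, or make the answers private, and the reachable set is empty.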

As we discussed, there is a high probability that the perp is in fact one of your Facebook friends, based on [REDACTED] and some of the points that I’ve made above.

I want you to know that you’re not the only person that this has happened to. As a matter of fact, this happens more than one could possibly imagine. Entire groups of people who want to steal others’ most private information (especially photos and videos) exist on the Internet. There’s thread upon thread of people asking for help on how to do what happened to you, and people offering up their services to do so.

For example, see this thread (WARNING: Highly NSFW!). A snippet from it that is not so NSFW (screenshot not reproduced here):

You had a run-in with someone who participates in one of the largest anonymous communities: 4chan (NSFW!). From the links that you provided me from your friend, it appears that the perp uploaded your photos several hours after your information was compromised.

I am not a lawyer, but you might be able to claim copyright infringement and use some DMCA magic to get the pics removed from some of the websites. The hard reality that I have to sell you, though, is that once an image is thrown into the vastness of cyberspace, there is no way of knowing how many copies have been made or where they all reside.

I hope that my suggestions on how to prevent this from happening again help. I’ll summarize them again here:

Use strong passphrases on all of your accounts – phrases that nobody else but you would ever guess.

Create GOOD security questions where the answers can’t be easily located online or through some sort of social engineering.

Do not reuse passphrases – ever. One passphrase per site/account.

Always enable secondary authentication like SMS.

Don’t use cloud-based backup solutions for highly sensitive things unless you accept the risks associated.

Do you really have over 400 friends on Facebook that need to see all of your personal data? Probably not. Liberally remove people from your Facebook account that you don’t know personally. Reduce the amount of personal information shared on social media sites in general.

Don’t take sensitive photos of yourself with your smart phone. 🙂

Best wishes, and be sure to treat your cat well – and certainly don’t leave her alone with your laptop or your smart phone.

Cheers,

Chief