Lessons from The Fappening

In case you missed it, last week's "Hashtag of the Week" was #fappening. It was a response to the hacking or leaking of hundreds of nude pictures of a number of celebrities. Early in the piece it was alleged that Apple's iCloud service had been hacked, but the reality is far more complex.

Based on the evidence there are several factors in play. Firstly, some of the celebrities had their iCloud accounts hacked through a combination of weak passwords and guessable secret questions, and a weakness in the Find my iPhone login endpoint that did not limit the number of incorrect username and password combinations a user could submit, which allowed attackers to brute-force passwords against it.
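The brute-force side of that attack is worth seeing in code. The following is an added example, not code from the article or from Apple: a toy login service with a switch that either accepts unlimited guesses (the behaviour described above) or locks the account after a few consecutive failures, run against a constructed list of weak passwords. The usernames, passwords, thresholds and the wordlist are all made up for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed wordlist: stands in for the common-password lists an attacker
# would actually feed to a brute-force tool.
WEAK_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2014", "iloveyou"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked credential database is expensive to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # unix time; 0 means not locked


class AuthService:
    """Hypothetical login endpoint. enforce_lockout=False reproduces an endpoint
    that accepts unlimited guesses; True is the hardened version."""

    def __init__(self, enforce_lockout: bool, max_failures: int = 5,
                 lockout_seconds: int = 900):
        self.enforce_lockout = enforce_lockout
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'. `now` is injected so the
        lockout window can be exercised without sleeping."""
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password, so usernames cannot be enumerated.
            return "bad_credentials"
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.enforce_lockout and acct.failures >= self.max_failures:
            acct.failures = 0
            acct.locked_until = now + self.lockout_seconds
        return "bad_credentials"


def brute_force(service: AuthService, username: str, wordlist, now: float):
    """Online guessing attack: stops when a guess succeeds or the account locks.
    Returns (password_found_or_None, attempts_made)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = service.login(username, candidate, now)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo() -> dict:
    results = {}
    # Unlimited guesses + weak password: the attacker simply walks the wordlist.
    weak = AuthService(enforce_lockout=False)
    weak.register("alice", "Summer2014")
    results["unthrottled_weak"] = brute_force(weak, "alice", WEAK_PASSWORDS, now=0.0)

    # Same weak password behind a lockout: the account locks before the guess is reached.
    hard = AuthService(enforce_lockout=True, max_failures=3, lockout_seconds=900)
    hard.register("alice", "Summer2014")
    results["throttled_weak"] = brute_force(hard, "alice", WEAK_PASSWORDS, now=0.0)
    # The real owner is refused while the window is open, then gets back in.
    results["owner_during_lockout"] = hard.login("alice", "Summer2014", now=60.0)
    results["owner_after_lockout"] = hard.login("alice", "Summer2014", now=1000.0)

    # Strong password, no lockout: the wordlist is exhausted without a hit.
    strong = AuthService(enforce_lockout=False)
    strong.register("bob", "pelican-granite-umbrella-47")
    results["unthrottled_strong"] = brute_force(strong, "bob", WEAK_PASSWORDS, now=0.0)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note the trade-off the hardened version introduces: an attacker who can reach the endpoint can now lock a victim out of their own account by deliberately failing, so production systems usually combine a lockout with per-source rate limiting, progressive delays and a second factor rather than relying on the counter alone.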

There also seems to be a degree of misunderstanding about how some of iCloud's services, in particular Photo Stream, work. It seems that many were unaware that opting in to Photo Stream automatically uploaded their photos to Apple's servers.

Some of the photos might have been stolen many months, or potentially years, earlier. In the case of actress Mary Elizabeth Winstead, the photos of her and her husband were taken some years before and had been deleted. But the thieves waited until they could release them for maximum impact and value.

When you put all this together, this theft and distribution of photos is not as straightforward as a simple grab of data from one service.

What can businesses learn from this?

Cloud services have become incredibly popular over the last few years. If we think back, webmail services such as Yahoo! and Hotmail were the first cloud services, soon followed by Gmail. But a few years ago the market exploded, with enterprise software, storage and almost any service you could conceive being delivered via the Internet to your business.

But what is the cloud?

Whenever you're considering a cloud service for your business, replace the word "cloud" with "a stranger's computer". For example, when you're thinking about using a cloud storage provider for your critical business documents in order to make sharing and collaborating easier, think of it as "storage and collaboration on a stranger's computer".

That will help you put the risks and benefits into some perspective. It also helps to ask some important questions that might be harder to articulate when you see the cloud as an amorphous, impersonal service.

Passwords Matter

With smartphone services such as photo syncing and backup, think hard about the risks and benefits. Clearly, being able to restore all the data from a lost device to a new one is a huge benefit. But if that service is protected only by a weak password, and sits outside the controls you place on internally delivered services, then there is a gap in your security protocols.

All of this means that effective security does mean paying attention to the details. When users in your business want to access an externally provided service, you need to look at the details and understand what that means.

If you're going to use externally hosted services, consider identity and access management solutions that let you enforce robust password rules on them and keep track of where your data is being stored.

Contextualise Security

As a CISO or CSO it's relatively easy to create policies, rules and procedures for users to follow. The trouble is that it's difficult for many users to contextualise these and apply them in their professional lives. When offering security training, present it from the users' context.

For example, rather than say "Having weak passwords and security questions makes the business vulnerable" show them what can happen when their Facebook account is compromised or if their iCloud account is hacked.

Presenting stories such as "How I Hacked My Own iCloud Account, for Just $200" and discussing the merits of putting sensitive personal data on cloud services can make information security a more personal concern rather than a corporate obligation.

Manage the Risks

As we've said before, being attacked or hacked is inevitable. That means you need to have systems in place to reduce the impact and respond quickly. If we look at the recent leak of female celebrity photos, there were two immediate reactions.

1. Anger that images had been stolen and circulated


2. Blame

While both are understandable human responses, neither was particularly helpful.

Apple's reaction was to close the flaw that allowed the brute force attack to be executed through Find my iPhone and to say that it would aggressively promote the use of two-factor authentication.

The celebrities mitigated the damage by actively seeking out copies of the images and having them taken down. In effect, they attempted to retrieve the stolen data, although this is a limited response: once published, the images will remain available on the Internet through some channel.

It's a fair bet that almost anyone with sensitive photos hosted on a cloud service or smartphone is reconsidering and removing the images. From a risk perspective, you need to know what data you have, where it is going and whether you're prepared for the impact of losing that data or it falling into the wrong hands.

It should go without saying, but having robust passwords and security questions is important. Where two-factor authentication is available you should use it. It is also important for businesses to look for ways to fold the security of external services into their internal policies so that effective password rules can be enforced. That might mean considering an identity and access management solution.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Anthony Caruana
