By Ali Sawyer   /   Sep 11th, 2014

Brute Force Attacks Burn Celebrities | LMG Security

iCloud logo: Always be wary of the cloud (via Wikimedia Commons)

Brute force attacks pose a major threat to companies, regular people, and even celebrities. In these unsophisticated attacks, hackers run a script to guess username/password combinations until they are put to a stop or they gain entry to the account. A group called hackappcom posted a script on Github that uses Apple’s “Find My iPhone” feature to guess iCloud login credentials. Apple did not limit the number of attempts at the time (an issue that was quickly patched), making a brute force attack possible. Private photos gleaned from celebrities’ iCloud accounts began to circulate on 4chan shortly after the script was released.
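To make the attempt-limiting gap concrete, here is an added example (not code from the article, hackappcom or Apple) of a toy login endpoint run with and without a per-account failure limit; the policy numbers, account name, stored secret and guess list are all constructed for the demonstration.

```python
import hmac
from dataclasses import dataclass, field

MAX_FAILURES = 5       # failed attempts tolerated per account in the window (assumed policy)
WINDOW_SECONDS = 900   # 15-minute sliding window (assumed policy)

@dataclass
class Account:
    secret: str                                   # toy stand-in for a stored credential
    failures: list = field(default_factory=list)  # timestamps of recent failed attempts

class LoginService:
    """Toy login endpoint; limit_attempts=False models the unthrottled state described above."""
    def __init__(self, accounts, limit_attempts=True):
        self.accounts = accounts
        self.limit_attempts = limit_attempts
        self.alerts = []   # lockout events an analyst would want surfaced

    def login(self, user, password, now):
        acct = self.accounts.get(user)
        if acct is None:
            return "bad"   # same answer as a wrong password, so valid usernames are not revealed
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        if self.limit_attempts and len(acct.failures) >= MAX_FAILURES:
            self.alerts.append((user, now))
            return "locked"  # refused before the password is even checked
        if hmac.compare_digest(password, acct.secret):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        return "bad"

def replay_guesses(service, user, guesses, interval=1.0):
    """Feed a constructed guess list to one account, one guess per `interval` seconds.
    Returns the final outcome and how many guesses the endpoint processed."""
    for i, guess in enumerate(guesses):
        outcome = service.login(user, guess, i * interval)
        if outcome != "bad":
            return outcome, i + 1
    return "bad", len(guesses)

# Constructed guess list seeded with the weak passwords the article quotes; the
# real (constructed) credential is deliberately placed last.
GUESSES = ["123456", "password", "happiness", "qwerty", "letmein", "iloveyou",
           "welcome", "abc123", "monkey", "dragon", "Correct-Horse-42!"]

def compare_policies():
    results = {}
    for limited in (False, True):
        svc = LoginService({"alice": Account("Correct-Horse-42!")}, limit_attempts=limited)
        results[limited] = replay_guesses(svc, "alice", GUESSES)
    return results   # {False: ("ok", 11), True: ("locked", 6)}
```

Without the limit every guess is evaluated until one matches; with it the sixth attempt is refused and an alert is recorded, which is the window a network analyst needs to act.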

Apple describes the incident as a “very targeted attack,” denying that an iCloud breach was to blame for the photo leaks. In an interview with the Wall Street Journal on September 4, Apple CEO Tim Cook announced new iCloud security measures. Apple will now send iCloud users push notifications and email alerts when someone tries to change their password or log on to their account from an unrecognized device.

Scammers Don’t Miss A Beat

As reported by Symantec, cybercriminals have already capitalized on consumers’ worry about their Apple accounts by launching a new phishing campaign. Symantec observed these phishing emails with the subject line “Pending Authorisation Notification.” The emails claim a purchase was made on the user’s iTunes account from a device not linked to their Apple ID, followed by a link to a phony website.

Andrey Belenko and Alexey Troshichev, who wrote the brute force script, premiered it in a talk at a Russian DEFCON Group. Belenko and Troshichev say they released their research for educational purposes, and reminded everyone that no data linked to the internet is truly secure.

Bad Password Habits

This isn’t the first time hackers have successfully brute-forced their way into the accounts of high-profile figures. In 2009, a teenage hacker accessed the account of a Twitter employee by running a password-guessing script (the password was “happiness”). Even more dire was a 2013 Adobe breach affecting a shocking 150 million users. Adobe encrypted all passwords with the same key, so identical passwords produced identical ciphertext. This made it easy for hackers to spot the patterns of common passwords such as “123456,” which 1.9 million users had chosen.

Brute force attacks may be easy to set in motion, but it often takes a few days of running the script before a successful username/password combination grants access to an account. One of your best defenses is having a strong password in the first place. Complex passwords are essential to give a network analyst enough time to identify an attack and stop it. Your passwords shouldn’t contain any words found in the dictionary. They should be over 10 characters and feature a mix of lowercase and uppercase letters, special characters, and numbers. Another smart defense is two-factor authentication, which is available for iCloud and many other types of accounts. iCloud’s two-factor authentication sends a code to your phone via SMS to confirm that you’re using your own device, an additional obstacle for a potential hacker.

Past breaches have shed light on consumers’ poor password practices: data from Yahoo’s 2012 email breach revealed that 1,666 users had “123456” as their password, and 780 used “password.” The average password length was just seven characters. A 2013 report by consulting firm Deloitte estimates that over 90% of passwords could be hacked. Making an effort to improve your password habits can help keep you out of that 90% majority.
