Simple passwords 'key' to hacking

Comment on this story
iol scitech june 8 apple icloud pic REUTERS 'Anyone could then hack the iCloud accounts of celebrities and access their content, including photos from their phones.'

Paris - Cyber-security expert Gerome Billois explains how a “targeted attack” on some iCloud accounts Ä the Apple online service that stores all types of content - led to the release of nude celebrity photos.

How were these accounts hacked?

“Last weekend someone posted a message on the site GitHub revealing a security flaw in the iCloud “Find My iphone” function that allows people to locate a missing smartphone.

On the part of the service intended for developers, but accessible to anyone online, Apple had not locked the interface where you have to enter the password for the iCloud account. The number of attempts was not limited, whereas the portal used by the general public normally locks after five failed attempts.

At the same time, the hacker posted software which automatically tests for possible passwords, a tool called (at)Brute force, which it had renamed iBrute. And it explained how to use it very simply. Anyone could then hack the iCloud accounts of celebrities and access their content, including photos from their phones.”

How can such attacks be prevented?

“One can now store all sorts of information in the cloud. iCloud is the service from Apple where one can have access to all one's information from any appliance. For example, if you change telephone you can find and reload all your data - emails, photos et cetera. From a functional point of view it's great. But the key to all these services is the password, which is often weak and the same one used for various services. It's because of this that we will ask you to use long passwords or passwords with numbers. It is even better to use passwords with two elements.

For example, you may also be asked for a code sent by text message to your phone, as certain banks do. As for secret questions (which can replace a password) on the one hand you have to trust people who might know the answers and secondly, if you're a celebrity, it will be easy for someone to find out your place and date of birth or the answers to other common 'secret' questions.”

How frequent are such security lapses?

“The ethics code followed by computer security experts means that they reveal flaws only after they have been corrected. However, whoever discovered this one did not inform Apple and what's more he or she provided an attack tool. They even put out the list of the most common 500 passwords. Apple corrected the problem but it needed time to react, which is normal because you need at least 24 hours to check if vulnerabilities exist.” - Sapa-AFP

* Gerome Billois is a cyber-security expert at management and IT consultants Solucom.

Hungry for more scitech news? Sign up for our daily newsletter

sign up

Comment Guidelines

  1. Please read our comment guidelines.
  2. Login and register, if you haven’ t already.
  3. Write your comment in the block below and click (Post As)
  4. Has a comment offended you? Hover your mouse over the comment and wait until a small triangle appears on the right-hand side. Click triangle () and select "Flag as inappropriate". Our moderators will take action if need be.

  5. Verified email addresses: All users on Independent Media news sites are now required to have a verified email address before being allowed to comment on articles. You are only required to verify your email address once to have full access to commenting on articles. For more information please read our comment guidelines