Last year news of celebrity hacks seemed to be everywhere after Celebgate, the name given by the media to the attack which, according to Celebuzz, compromised up to 600 prominent individuals’ iCloud accounts. The contents included racy personal photos of hacked celebrities that subsequently turned up on the tabloid site 4chan, and soon were all over the Internet.
This year, the high-profile social hack target has been Ashley Madison, the dating site that promoted itself as specializing in extramarital affairs. Its membership list was stolen and published online, prompting an immediate media rush to find celebrity figures among the site’s clients—but the Ashley Madison hack was not just about celebrities. Companies across America are concerned that employees who signed up may be vulnerable to “spear phishing” hacks or other forms of cyberblackmail.
The fate of these celebrity hacks, it turns out, is not only a concern for the famous. In the Internet Age, anyone can become well-known—and in the most unwelcome way—if images or other strictly private content gets hacked and put online. These incidents have important cybersecurity lessons for everyone.
Most technical details about the Celebgate hack have not yet been made public. (This is for a very good reason, as these details could provide a road map for future hackers.) One point worth noting is that images and other data stored on iPhones are automatically copied to iCloud, Apple’s cloud storage service. Android and other mobile operating systems also save copies to a cloud service, again for a very good reason—so that users can access them from all of their devices. But this automatic copying does represent a potential vulnerability of which all mobile users should be aware.
The hack may have been as simple as guessing celebrities’ passwords (Apple, which enjoys a generally good reputation for security, has subsequently tightened up its “I forgot my password” safeguards), or it may have involved “social engineering”—tricking someone into revealing their password.
The Ashley Madison hack, in contrast, seems technically similar to other hacks of retail websites. Only its consequences have been different, and they’ve spread far beyond Ashley Madison itself. Retail hacks usually aim at stealing credit card information, which is good as gold to cybercriminals. The Ashley Madison hackers, in contrast, were aiming squarely at embarrassing people, and so the hackers placed millions of Ashley Madison clients’ emails online.
While the member list contained many celebrity email addresses, Ashley Madison did not check or confirm these addresses, and few (if any) seemed to be real. So far, Josh Duggar (of the reality show 19 Kids and Counting) is the highest-profile celebrity to admit to being involved in the scandal, but surely he is not the only person to have felt the consequences. However, as reported at InfoWorld, a lack of confirmed hacked celebrities has not kept the hack from becoming a serious worry—not just for individuals whose real emails are on the list, but for companies and organizations whose employees signed up at the site, and who could now be vulnerable to “social engineering” and high-tech blackmail.
“Social engineering” is the term that cybersecurity experts use for attacks that aim for the human factor. An all-too-common example is “spear phishing,” in which a cybercriminal sends an email (usually one that purports to be from a friend or colleague) that has links to a malicious website or file. The unwary victim clicks the link, allowing malware to infect his or her device, where it can ferret out private data.
The worry for organizations is that any employee whose email was on the Ashley Madison list could now be vulnerable to spear phishing emails purporting to be from lawyers or private investigators. In this scenario, attackers don’t have to go through the hassle of coming up with a friendly, personal touch to hook their victims. The victim’s fear of exposure and desperation for protection could be enough to make them click a link—allowing the attackers to break in and look for passwords or other data that can then be exploited in turn.
In the mobility era, any device with an Internet connection is potentially hackable, and strong random passwords really do matter.
Be aware of social engineering, and think twice about clicking on unexpected or unusual links in emails. The rich and famous are not the only targets in the new age of celebrity hacks.