On the 31st of August an unknown hacker posted sexual images of famous actresses and celebrities on the anonymous forum 4Chan. The hacker allegedly used a flaw in a popular cloud-based service to obtain the photos.
Popular online forum Reddit spawned the name ‘The Fappening’ to describe the hack, which was then followed by a second hack and a third in September. This incident is another obvious example of people’s privacy rights being aggressively violated by those with some IT knowledge, strong malicious intentions and a lot of time on their hands. The problem is far from over: these hacks were all related to groups specifically targeting celebrity photos, but the tools and techniques they used are also being used by attackers targeting companies and their employees.
How does it happen?
It appears that this most recent attack targeting celebrities used a combination of techniques to obtain passwords for the iCloud backup service. Once a password was successfully obtained, commercially available law enforcement software was used to download iOS backups for examination offline. This made it possible to obtain the contents of backups and photo streams, including historical items that the users believed had long since been deleted.
Online groups have organised to carry out targeted attacks on the famous in order to obtain this information, but the same techniques are being used by professional hackers to gain access to individuals working for targeted organisations as the line between work and home systems becomes increasingly blurred. Whilst in August and September the leaks were of naked pictures, it would be foolish to suggest that the same people’s business information wouldn’t have been resident on at least some of the iPhone backups compromised.
With the increased need for working on the move, Bring Your Own Device (BYOD) is almost expected by staff in many modern-day working environments. Unfortunately, this infrastructure carries new risks which are not always considered when designing it and rolling it out. Questions that are often overlooked include:
- Where does the network perimeter start and end?
- Where does the data go once it’s on a personal device?
- How can we be sure that data stored in cloud-based services used in BYOD is secure?
- What is the impact of jailbreaking or rooting devices accessing company data?
- What happens if a BYOD device is lost or stolen?
BYOD infrastructures have to be as robust as required to stop those trying to get in, yet there’s usually at least one aspect that isn’t taken into account when designing them, and then breaches can occur.
Mobile Device Management (MDM) software goes some of the way towards solving this, but it’s not a silver bullet, and when incorrectly deployed it can open your organisation up to some frankly horrific scenarios. At Mandalorian we have extensive experience in testing BYOD deployments across a range of industries and risk appetites, and have seen all kinds of things, from the ability to forensically recover sensitive data from supposedly wiped devices to being able to tunnel into corporate networks via supposedly ‘secure’ compromised mobile apps.
3 Ways to minimise professional impact
Many organisations overlook the changes needed to incident response plans and procedures when deploying BYOD. Steve Lord, director at Mandalorian, notes, “the first thing to look at is how to detect and respond to incidents where BYOD is involved and devices are partially or fully outside of your control”.
Others forget that many MDM solutions use tunnels from the end-user infrastructure back to their own, and that they have no control over that infrastructure nor any applications at the MDM solution end. “We’ve seen lots of instances where companies permit application access through MDM without realising they’re opening up their entire internal networks”, said Jason Kalwa, Senior consultant at Mandalorian.
Gill Chalmers, penetration tester at Mandalorian, had this to say about testing MDM: “In every MDM test we’ve done over the past 5 years we’ve always found things that have raised eyebrows. Putting MDM in without kicking the tires is always going to be a high-risk approach.”
How can Mandalorian help?
At Mandalorian we’ve been testing mobile devices and deployments since we were founded back in 2005. From mobile device security testing to testing MDM and BYOD deployments, our proven track record as mobile security experts speaks for itself. Thinking about mobile security? Contact us for a no-obligation chat.