The Vulnerability of Snapchat

Snapchat, the popular smartphone application, was created in 2011. The app lets users send and receive photographs and videos to and from other users. Once a picture or video has been opened, it expires after a designated amount of time and is removed from the recipient's phone and from Snapchat's own servers; a picture can be set to last from one to ten seconds, and a video expires after it is played. The app also has a chat feature; messages between users disappear over time, usually once the app is closed and reopened. A user who wants to see a received picture or video again can replay it within a few seconds of opening it for the first time, but only once every twenty-four hours. Note that the expiry on the recipient's side is enforced by the Snapchat client on the recipient's phone, not by anything the sender controls. Users send about 700 million photos and videos a day through the app, and over half of its users are between thirteen and seventeen years old.

In 2012, apps began to appear in smartphone marketplaces under names such as SnapSave and Snap Spy. These apps not only let a user with a Snapchat account save the photos and videos they received, but let them do so without alerting the sender, because the content was captured outside the official client. Photos or videos saved this way could then be stored and redistributed by the recipient for whatever purpose they chose.

In October 2014 the problem came to wider attention when a huge collection of Snapchat content, stored on a third-party app's website, was released. The mass leak was dubbed the Snappening (a blend of Snapchat and Happening). An exploit of the website SnapSaved.com led to a data breach that released around 12.7 GB of data, roughly 88,521 images and 9,173 videos. While it is unknown what fraction of the material was pornographic or suggestive, the sheer volume is overwhelming.

Alarming rumors soon spread on 4chan that databases were being built to link the files to individuals. Security researchers found the rumors largely unfounded: linking the files to specific Snapchat usernames turned out to be close to impossible, except for 320 usernames whose files had been saved under an alternative naming format.

Snapchat later commented on the leak, blaming third-party apps that bypassed Snapchat's security features:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The owners of the third-party app SnapSaved disputed that it was the source of the whole leak. In a post on its Facebook page the company said that only 500 MB of data had been stolen from its servers. Regardless of how much was taken and from where, the fact that many Snapchat users are underage means that some of the leaked content qualifies as child pornography. This led Reddit to ban many of the discussion boards that featured the Snappening archive.

A Brief Historical Timeline of Leaked Pornography

Leaked pornography has come into the public eye recently with the Celebgate events, but it has been around for at least a couple of decades. While much more could be covered, examining recent cases involving famous individuals gives a general understanding of how leaked pornography has evolved.

1988- Footage of actor Rob Lowe engaging in sexual acts with two women was released to the public.

1995- A VHS videotape containing explicit video of actress Pamela Anderson and musician Tommy Lee was stolen from the couple's home during a renovation and subsequently distributed.

2003- A distinct change in how leaked pornography is collected occurred. Nicolas Jacobsen, aka "Myth," exploited weaknesses in T-Mobile's network to steal the personal photos of celebrity customers such as Paris Hilton by accessing their Sidekick devices remotely, rather than physically stealing the photographs.

2007- Liz Lee, an underage celebrity, had nude photographs leaked online by her boyfriend. This is also the year the term "sexting" was first used to describe the sharing of sexually explicit content over text messaging.

2008- Explicit photos of Hong Kong actor Edison Chen were released. Chris Chaney broke into the Gmail accounts of various celebrities, including Scarlett Johansson, by guessing their email addresses and then resetting their passwords through the "forgot my password" feature, whose security questions he could answer from publicly available information. This attack and the "Myth" intrusion can be seen as precursors to the Celebgate event.

2010- Porn Wikileaks was released, listing the real names and stage names of more than 15,000 porn performers. The performers were justifiably concerned that their sexually transmitted disease test histories might be leaked as well. An explicit video of Indonesian rock star Nazril Irham (aka Ariel) was leaked.

2011- Snapchat was created. The app let users send photos, videos, and instant messages that would be deleted after a set amount of time.

2012- Apps such as SnapSave and Snap Spy appeared in the app stores, letting users save Snapchat content without the sender's knowledge. In the same year, technology journalist Mat Honan had his Apple, Amazon, Google and Twitter accounts taken over through a chain of social-engineering calls to vendor support lines.

2014- Celebgate occurred, followed by the Snappening.

Over these two decades there has been a distinct change in how leaked pornography is gathered. At first, one had to physically obtain the photos or videos in order to distribute them. Now we live in an internet-based age where everyone is online and connected, and Chris Chaney highlighted this effectively: he neither knew nor was anywhere near the celebrities he hacked. The Celebgate and Snappening events further highlight the vulnerability of everyone: in a day when everything you do can be exposed online, there is a good chance it will be.

What Was The Fappening?

An enormous mass leak of celebrity nudes took place on August 31 and September 1, 2014. The leak first appeared on 4chan but spread rapidly, and further leaks followed on September 20 and September 26. When the dust settled, countless private (and many explicit) photographs and videos of over one hundred celebrities had been released for the whole internet to see. It was initially believed that a flaw in Apple's "Find My iPhone" service, which did not limit failed login attempts, had given the attacker(s) unlimited guesses at the celebrities' passwords and thereby access to their iCloud accounts; Apple had reportedly been made aware of the flaw about six months before the initial attack. After the leak, Apple released a statement saying its investigation had found that the accounts were compromised not through the "Find My iPhone" flaw but through a targeted attack on usernames, passwords, and security questions. Either way, the attack relied only on guessable secrets, which is why rate limiting, account lockout, and two-factor authentication are the standard defenses.

These leaks became known to some as "Celebgate," after the Watergate scandal. Others, via anonymous social media sites such as Reddit and 4chan, called the event "The Fappening," a crude compound of "fap" (to masturbate) and "happening." The successive waves of leaks were dubbed "cummings," in reference to sexual climax. The leaks captured media attention almost immediately, which helped shed light on privacy problems the ordinary internet user might be oblivious to: it is not just celebrities who are at risk from these attacks. They can target anyone, and only the fame and sheer number of people affected brought the event into the public spotlight.

Threat Analysis: Operation KKK

Accusations of group membership can be damaging even when they are untrue. The video above is from a group claiming the mantle of the hacktivist collective Anonymous. In it they announce their intent to release, on November 5, the names and addresses of purported Ku Klux Klan (KKK) members, which they say they seized from web servers and Twitter accounts belonging to the KKK.

“You are legally free to live and be any which way you choose to live and be. Keep in mind, it is not illegal nor oppressive to hurt your feelings. With that said – We are stripping you of your anonymity. Again. This is our protected speech.” (Emphasis added)

This is not the first time a group claiming to be Anonymous has targeted the KKK. Previously, a group hijacked the KKK's Twitter account and released the personal information of a leading member. This time, in a press release dubbing the release Operation KKK, the group cites the KKK's threats to use lethal force during the 2014 Ferguson protests as its motivation.

In a twist, an early release has appeared on Pastebin (which we will not link to) that purportedly names mayors, members of Congress and police officers. The accuracy of this and other similar lists has been called into question. The lists include information such as phone numbers, email addresses and spousal details of the alleged KKK members.

Among the expected denials from politicians is that of Knoxville Mayor Madeline Rogero. In a Facebook response she explained that her inclusion on the list makes no sense: she is part of an interracial family, has launched initiatives to reduce racial violence, and has pushed for LGBT (lesbian, gay, bisexual, transgender) rights.

In fact, the Anonymous group behind Operation KKK has denied that the current Pastebin list came from it.


Regardless of its authenticity, publishing this information is problematic. As the recent takeover of CIA Director John Brennan's Verizon and email accounts demonstrated, a small piece of public information, such as a phone number, can lead to severe consequences for the individual, because it is exactly the starting point a social engineer needs to impersonate the target to a service provider. Likewise, an accusation of membership in a white-supremacist group creates a situation in which it becomes probable that the information will be used for no good.

Con-Artistry 2.0: Social Engineering CIA Director John Brennan

WIRED recently published an interview with a "hacker" representing the group that broke into the AOL account of CIA Director John Brennan. On examining his method, we assert that this hacker was in fact a social engineer.

As we have discussed before, social engineering is essentially con-artistry applied to information technology: it involves gaining someone's trust and then abusing it to achieve a specific goal. In this case the goal was access to Director Brennan's account.

Here is how the hacker claims to have done it:

[Chart: the hacker's claimed social-engineering steps, as described to WIRED]

The group behind the breach began posting screenshots of the documents they obtained to Twitter. One of those documents appears to be the director's SF-86, the form used for security-clearance background investigations. The SF-86 asks for extensive personal information, including details about friends and family, and also:

  • criminal history
  • psychological records
  • past drug use
  • interactions with foreign nationals

If genuine, this account hijacking could have serious repercussions for the director, his job, and his friends and family. Social engineering is cyclical: each piece of information obtained becomes leverage for the next approach, so this breach could lead to further breaches, theft of his identity, and the leaking of sensitive government documents.

We remind readers to follow security best practices, such as never using personal email accounts to handle work-related information, and treating the answers to account-recovery questions as secrets in their own right.

A Routine Activity Approach to Celebgate

Celebgate, the 2014 release of celebrity nude photos, involved several waves of personal data being released onto the Internet. Many well-known female celebrities, and a few male ones, had images they had stored on cloud services such as iCloud posted to social media outlets such as Reddit. In the aftermath, technological changes were made to improve the security of personal information, but the reputational damage had already been done. Celebgate could be explained criminologically through several theories, but Routine Activity Theory provides one of the best frameworks.

Routine Activity Theory was developed by Lawrence Cohen and Marcus Felson in 1979 as an attempt to understand crime at a macro level. It holds that three elements must converge for a crime to occur:

  1. A suitable target: a person who possesses characteristics, such as owning high-value items or being female, that put them at greater risk of victimization.
  2. A likely offender: someone motivated to commit a crime for some form of personal gain.
  3. The absence of a capable guardian: the target either cannot defend themselves or lacks some protection against victimization.

[Figure: Routine Activity Chart, the well-known diagram depicting the interaction of these three factors]

Cohen expanded the theory a couple of years later by elaborating on these three tenets. A suitable target has some degree of "target attractiveness": symbolic desirability, or possession of something of great value. The notion of exposure was also added: some people are more visible than others, physically or, in this case, on the Internet.

A Routine Activity explanation of Celebgate is quite effective in helping us understand why the event occurred. Those who obtained the pictures through hacking or social engineering, our "motivated offenders," were driven by potential monetary gain, a desire for revenge on their targets, and the notoriety that came with releasing the images. The relative anonymity of the offenders played a role as well, since it made repercussions seem avoidable.

The celebrities affected, our "suitable targets," constantly have the media's attention, tended to be female, and had substantial amounts of information about themselves online. This made them relatively easy and desirable targets, not least because publicly known biographical details are exactly what account-recovery security questions rely on.

The "absence of a capable guardian" was also present. As reported at the time, Apple's "Find My iPhone" login did not limit failed password attempts, so an attacker could keep guessing without being locked out; Apple later stated that the celebrity accounts were instead compromised through guessed passwords and security questions. Either way, nothing on the service side stopped repeated guessing at weak secrets. The celebrities themselves were mostly unaware of how vulnerable they and their information were, leading to risky behaviors such as automatically uploading every photo to iCloud.
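The following is an added example, not code from the original page, from Apple, or from any published Celebgate tool. It models the weakness described above and in the Fappening section (a login endpoint that answers an unlimited number of password guesses) next to a hardened version of the same endpoint that locks the account after a few consecutive failures, and runs the same small wordlist against both. The account name, its password and the wordlist are constructed sample data.

```python
"""Password guessing against a login endpoint with and without a lockout.

Added example, not code from the original page, from Apple, or from any
published Celebgate tool. It models the weakness reported against Find My
iPhone (no limit on failed password attempts) next to a hardened version of
the same endpoint. The account, its password, and the tiny wordlist are
constructed sample data.
"""
import hashlib
import hmac
import os
import time

DUMMY_SALT = b"\x00" * 16


def _hash_password(password, salt):
    # PBKDF2 keeps each guess expensive even when the attacker is online.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """A password-checking endpoint.

    max_failures=None reproduces the reported Find My iPhone behaviour: every
    guess is answered, so an attacker can run a whole wordlist. With a limit,
    the account locks after that many consecutive failures inside
    lockout_seconds, which caps the number of guesses per window.
    """

    def __init__(self, users, max_failures=None, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._creds = {}
        for name, password in users.items():
            salt = os.urandom(16)
            self._creds[name] = (salt, _hash_password(password, salt))
        self._failures = {}  # username -> (consecutive failures, window start)

    def login(self, username, password, now=None):
        now = time.monotonic() if now is None else now
        if username not in self._creds:
            _hash_password(password, DUMMY_SALT)  # same cost as a real check
            return "denied"
        count, since = self._failures.get(username, (0, now))
        if self.max_failures is not None:
            if now - since > self.lockout_seconds:
                count, since = 0, now  # window expired: start a fresh count
            if count >= self.max_failures:
                return "locked"  # refuse without even checking the password
        salt, expected = self._creds[username]
        if hmac.compare_digest(_hash_password(password, salt), expected):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = (count + 1, since)
        return "denied"


def guess_password(service, username, wordlist, now=1000.0):
    """Try each word in order; return (outcome, number of attempts made)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        result = service.login(username, candidate, now=now)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", len(wordlist)


# Constructed sample data: one account with a weak password, and a wordlist
# of the kind attackers run first.
USERS = {"celebrity": "sunshine"}
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "sunshine", "princess", "welcome"]


def demo():
    """Run the same wordlist against the weak and the hardened endpoint."""
    weak = LoginService(USERS)
    hardened = LoginService(USERS, max_failures=5)
    return (guess_password(weak, "celebrity", WORDLIST),
            guess_password(hardened, "celebrity", WORDLIST))


if __name__ == "__main__":
    print(demo())  # (('ok', 6), ('locked', 6))
```

Against the unlimited endpoint the sixth guess succeeds; against the hardened one the sixth request is refused before the password is even checked, and the attacker is held to five guesses per fifteen-minute window. A per-account lockout also creates a denial-of-service lever (an attacker can lock the victim out on purpose), which is why production services combine it with per-source throttling, progressive delays and a second factor rather than relying on lockout alone.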

Thus, a diagram of this overlap would look like this:

[Figure: the three Routine Activity factors as they overlapped in Celebgate]

Other theoretical explanations of Celebgate can be developed as well, but Routine Activity Theory serves as one of the best ways to understand what transpired during the multiple data and image dumps that make up the Celebgate incident.

Lost to the Web: Legal Recourse for Leaked Pornography

Simply put, there is no way to completely remove an image or video from the Internet, in either the technical or the legal sense. That is the hard reality facing victims of leaked pornography.

Technically speaking, the effort and expense of locating every copy of a piece of information, such as a photo, once it has surfaced on the Internet, and then removing each one to prevent further distribution, is prohibitive. This is why companies such as Google, under pressure from European courts, have focused on de-indexing objectionable material from their services. But de-indexing is only a Band-Aid: anyone who has saved the material to a hard drive can still spread it by other means, and re-posted copies are routinely re-encoded, resized or edited, which defeats naive byte-for-byte matching.
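To show what "locating copies" involves in practice, here is an added example that is not code from the original page or from any takedown vendor. It implements the simple "average hash" (aHash) perceptual fingerprint: shrink the image to an 8x8 grid, threshold each cell against the mean brightness, and compare the resulting 64-bit fingerprints by Hamming distance, so a resized or lightly edited copy still matches while a different picture does not. Images are plain lists of grayscale rows so it runs without an imaging library; every picture below is a constructed test pattern, not a real photograph.

```python
"""Locating re-encoded copies of a known image with a perceptual hash.

Added example, not code from the original page or from any takedown vendor.
Images are lists of rows of 0-255 grayscale ints; all pictures here are
constructed test patterns.
"""


def average_hash(pixels, grid=8):
    """64-bit aHash of a grayscale image.

    Height and width are assumed to be multiples of `grid`; each hash bit is
    1 when the mean brightness of that grid cell exceeds the global mean.
    """
    height, width = len(pixels), len(pixels[0])
    cell_h, cell_w = height // grid, width // grid
    cells = []
    for cy in range(grid):
        for cx in range(grid):
            total = sum(
                pixels[y][x]
                for y in range(cy * cell_h, (cy + 1) * cell_h)
                for x in range(cx * cell_w, (cx + 1) * cell_w)
            )
            cells.append(total / (cell_h * cell_w))
    mean = sum(cells) / len(cells)
    bits = 0
    for value in cells:  # row-major, first cell ends up as the top bit
        bits = (bits << 1) | (1 if value > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes (0 identical, 64 opposite)."""
    return bin(a ^ b).count("1")


def find_copies(reference, candidates, threshold=10):
    """Return (name, distance, is_match) for each candidate against the reference."""
    ref_hash = average_hash(reference)
    results = []
    for name, image in candidates:
        distance = hamming(ref_hash, average_hash(image))
        results.append((name, distance, distance <= threshold))
    return results


def gradient(size, horizontal=True):
    """Constructed test pattern: a smooth 0..255 ramp, left-to-right or top-to-bottom."""
    return [[(x if horizontal else y) * 255 // (size - 1) for x in range(size)]
            for y in range(size)]


def brighten_and_watermark(pixels, delta=20, square=4):
    """Simulate a re-posted copy: brighter, with a small black mark in one corner."""
    size = len(pixels)
    out = [[min(255, v + delta) for v in row] for row in pixels]
    for y in range(size - square, size):
        for x in range(size - square, size):
            out[y][x] = 0
    return out


ORIGINAL = gradient(32)
CANDIDATES = [
    ("resized_copy", gradient(16)),                       # same picture, re-encoded smaller
    ("edited_copy", brighten_and_watermark(ORIGINAL)),    # brightened and watermarked
    ("mirrored_copy", [row[::-1] for row in ORIGINAL]),   # flipped left-to-right
    ("unrelated", gradient(32, horizontal=False)),        # a different picture
]

if __name__ == "__main__":
    for name, distance, match in find_copies(ORIGINAL, CANDIDATES):
        print(f"{name:14s} distance={distance:2d} match={match}")
```

The resized and the brightened-and-watermarked copies land within a distance of 1 of the original and are flagged; the unrelated picture is 32 bits away. The mirrored copy is the caveat: a simple flip produces the opposite fingerprint (distance 64), which is why people re-posting leaked material mirror or crop it, and why production matching systems use more robust hashes and compare against several transformed variants of each reference.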

At the most basic level, an offender who perpetrated a leak by breaking into an account would have violated the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the broad statute generally used to prosecute "hackers." The offender may also have violated the Electronic Communications Privacy Act of 1986 (18 U.S.C. §§ 2510-2522), which addresses the interception of communications.

A trial would most likely mirror the case of Christopher Chaney, who "hacked" into the accounts of over fifty people, many of them associated with the entertainment industry. Chaney was sentenced to 120 months in federal prison and ordered to pay $66,179 in restitution on charges including wiretapping and unauthorized access to protected computers. His conviction did not, however, stop the distribution of the pictures.

To stop distribution, copyright law, such as the Digital Millennium Copyright Act (DMCA), can be used to bar further distribution of an image. Civil courts can issue injunctions against hosting websites, but enforcing injunctions against third parties presents hurdles, as online defamation cases show. Legal precedent here is spotty, with much debate over who owns the copyright to a photo, the subject or the photographer; for a self-taken photo the two are the same person, which is why DMCA notices are often the most direct route for victims. Template DMCA letters exist that victims can use to force websites to take down images.

Regardless of the charges brought against perpetrators and the websites forced to remove the images, the pictures have already leaked. Unless the victim has the time and money to find every website hosting them, getting all publicly available copies taken down is difficult. Again, once they are out there, it is very unlikely they will ever go away.

Threat Analysis: Third Party Apps


Bypassing security on a computer can be as easy as tricking someone into downloading something they should not. This is especially true of third-party apps.

Third-party applications are programs written to run on an operating system but not created by its maker. In short, they were not written by the operating-system vendor, such as Microsoft, Apple, or the maintainers of a Linux distribution.

These applications can be standalone, like the YouTube app, or plugins that add functionality to another program, such as AdBlock for the Chrome browser. By this definition the majority of programs, including most anti-virus products, firewalls and multimedia programs, are third party.

In theory, third-party applications can reduce the number and reach of vulnerabilities in a system when they are used to isolate a function, such as email, from other applications. The problem is that many third-party apps do not isolate themselves; instead they want access to other parts of the system.

Many applications are transparent and innocuous in their requests for access, like a photo-editing program asking for the camera and photo library; those requests are necessary for the program to work. Other applications are not. One example is ransomware, a malicious program that obtains administrative access to the system in order to "lock" the keyboard or device and prevent access to data until a ransom is paid.

One such ransomware is an Android app called Porn Droid, which masquerades as an app for viewing adult videos. The underlying malicious code, known as the LockerPin Trojan, tricks the user into activating device-administrator privileges for the app: the system's activation dialog is hidden beneath a fake window, so the user grants the privilege while believing they are tapping something else. With that access the malware takes a picture of the user, locks the device with a new PIN, and displays a message directing the user to send money in Bitcoin to the author. Because an app holding device-administrator rights cannot be uninstalled until those rights are revoked, removing such malware generally means booting into safe mode to revoke them, or a factory reset.

Similar applications can be found in download centers such as the Google Play store, which does not investigate every app it makes available. Even companies with strict guidelines on what can enter their marketplace are susceptible, as demonstrated by the 2015 XcodeGhost incident, in which malware reached Apple's App Store inside apps built by Chinese developers using a trojanized copy of Xcode.

What we learn from these examples is that users must be wary of what they download onto their devices. Every application has the potential to harm the system it is installed on. Good questions to ask before and after installing an application include:

  • Do I really need this app?
  • Are there any negative stories about this app online?
  • Does this app really need these system privileges to properly run?
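The last question can be answered mechanically. The following is an added example, not code from the original page or from any analysis of LockerPin: it parses an Android app's AndroidManifest.xml and reports permissions that a simple video player has no business requesting, paying special attention to the combination described above, a device-administrator receiver together with the ability to draw windows over other apps. Both manifests in the block are constructed samples, and the package and class names in them are invented.

```python
"""Flag risky permission requests in an Android app manifest.

Added example, not code from the original page or from any analysis of
LockerPin. Both manifests below are constructed samples with invented
package and class names.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Permissions worth a second look before installing a media player.
HIGH_RISK = {
    OVERLAY: "can draw over other apps (lets it hide the device-admin prompt)",
    "android.permission.CAMERA": "can take pictures without an obvious UI",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself on every boot",
    "android.permission.SEND_SMS": "can send (premium-rate) text messages",
    "android.permission.READ_CONTACTS": "can harvest the address book",
}


def parse_manifest(xml_text):
    """Return the package name, requested permissions and device-admin receivers."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # A device-administrator component is a <receiver> guarded by
    # BIND_DEVICE_ADMIN. That permission is declared on the receiver, not in a
    # <uses-permission> element, so it is easy to miss when reading a list.
    admin_receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        if r.get(ANDROID + "permission") == DEVICE_ADMIN
    ]
    return {"package": root.get("package"),
            "permissions": permissions,
            "admin_receivers": admin_receivers}


def assess(manifest):
    """List (item, reason) findings; an empty list means nothing stood out."""
    findings = [(p, HIGH_RISK[p])
                for p in sorted(manifest["permissions"]) if p in HIGH_RISK]
    for receiver in manifest["admin_receivers"]:
        findings.append(("receiver " + receiver,
                         "declares a device administrator: can lock the screen, "
                         "change the PIN and block its own uninstall"))
    if OVERLAY in manifest["permissions"] and manifest["admin_receivers"]:
        findings.append(("COMBINATION",
                         "overlay plus device admin: the pattern used to trick "
                         "users into activating a screen locker"))
    return findings


# Constructed manifest imitating a locker hiding behind an adult-video player.
LOCKER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Video Player">
    <activity android:name=".PlayerActivity"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a player that asks only for what playback needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.honestplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Honest Player">
    <activity android:name=".PlayerActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for item, reason in assess(parse_manifest(LOCKER_MANIFEST)):
        print(f"{item}: {reason}")
```

To run this against a real APK, decode it first (for example with apktool, which writes a readable AndroidManifest.xml) and pass that file's contents to parse_manifest. On a device that is already installed with something suspicious, `adb shell dumpsys device_policy` lists the apps currently holding device-administrator rights, which is the first thing to check when a "video player" has started locking the screen.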

Trolling for the Terrorists: The Many Faces of Joshua Goldberg

In mid-September, a man who used the Twitter handle "Australi Witness" was charged with distributing information relating to the making of explosives, in violation of 18 U.S.C. § 842(p), in connection with a plot to bomb a 9/11 memorial ceremony in Kansas City, Missouri. The arrest resulted from an FBI investigation conducted jointly with the Australian Federal Police.

However, all is not what it seems. Australi Witness was an atypical Australian jihadist; in fact, he turned out to be neither Australian nor a jihadist. He was 20-year-old Joshua Goldberg, a U.S. citizen from Florida and an Internet troll who delighted in creating controversy and upsetting other Internet users.


Law Enforcement and Social Engineering


It is not just criminals and terrorists who use social media for social engineering. Law enforcement agencies have also been known to use social media for investigative purposes, with varying results.

Private investigators use social-engineering techniques to trick people into giving up personal and financial information all the time; Kevin Mitnick, the infamous social engineer, worked as a private investigator for several years. It appears that police and federal authorities are beginning to adopt these practices as well.

Social media is already a well-established tool of police Real-Time Crime Centers in cities such as New York, Houston and Cincinnati. There is a difference, however, between passively analyzing social media data to detect crimes and actively using it to investigate. One active method involves creating fake social media accounts and using them to gain and exploit the trust of the "bad guys."

The U.S. Federal Bureau of Investigation has used Facebook to go undercover, communicating with suspects through false profiles. Through these profiles it has also gathered private information such as the identities of a target's friends and relatives, postings, photographs and videos.

The courts have not always viewed these methods as proper. The U.S. Drug Enforcement Administration was recently sued in civil court by a woman whose photographs were used on a fake profile in an undercover sting; the agency settled for $134,000.

The trend suggests that investigative techniques using social media will only grow. Whether those techniques will involve social engineering remains an open question.