April 7th – today. That’s the deadline that looms like a dark cloud over Apple and its customers based on the claims of a group calling themselves The Turkish Crime Family. The group claimed publicly a couple of weeks ago that they have hacked Apple’s iCloud, and they have threatened to erase hundreds of millions of iPhones if their demands aren’t met by this deadline.
At the time of this writing, however, that dark cloud is starting to become more and more opaque as most experts have concluded the hacking claim is almost undoubtedly false and represents nothing more than a bluff poker hand. What this situation does likely represent instead is a specialized attack based on consolidation of stolen credentials procured from the Dark Web.
From our perspective, a deep understanding of this kind of attack lets us realistically assess what stolen credentials of this type mean for companies trying to safeguard their customers’ credentials and access before public events like this occur.
So rather than reiterate in yet another article what a number of media outlets, journalists and even security experts have already stated, let’s talk a little about what the analysts haven’t said regarding this particular incident.
Slightly More Insight into How This Attack Likely Took Shape
Realistically, anyone with an average technical acumen can pretty much pull together how this attack likely took shape. And at a very high level, most of the articles on this attack (again, it’s really hard to call this a “breach” at this point) have already done so. But regrettably from our perspective, they have done so in an almost dismissive, out-of-hand way.
Yes, this database of credentials (which some who have investigated more deeply are stating seems so far to be 99.9% accurate!) was likely pulled from data lakes of leaked credentials for sale on the Dark Web, originating from massive industry hacks. What isn’t being pointed out, however, is the growing relevance and sheer size of these hacked and leaked credential sets.
To understand what these enormous data lakes of leaked credentials mean, let’s take a step back into how each credential stolen was probably created. Surveys completed by companies like TeleSign, Sophos and a number of others indicate startling statistics about how passwords are created.
Roughly 20% of users use the same passwords that they did ten years ago. Almost half use the same passwords that they invented five years ago. And almost 60% use the same password across multiple service providers. Those are pretty scary percentages.
Imagine for a moment if you had the power to set the locks and cut your own physical keys for everything you owned in the physical world – your house, your cars, your locker at the gym… everything.
That would mean, using simplified math and probability, that if everyone created their keys the same way they create passwords, an attacker with theoretical access to all those keys from masses of “leaked real-life key sources” could essentially walk into any public parking lot and try all the keys belonging to a victim on each car. Once a car starts, the chances would be about 60% that the same key could also open the door to that car owner’s house, gym locker, bank safety deposit box, and everything else that car owner owned.
When you combine those statistics with the size and types of credential breaches that have taken place even recently, the enormity of the present situation with Apple just isn’t being pressed home enough.
So, yes, based on these statistics, these particular attackers likely have a very well-groomed and targeted list of iCloud credentials that do in fact work and match actual iCloud accounts, according to work done by ZDNet and others to validate this claim.
But how was this actually accomplished?
These iCloud credentials, as already reported by analysts, were almost definitely derived from past breach sources such as Yahoo!, LinkedIn, AshleyMadison, FriendFinder, MySpace, DropBox or potentially any number of other well-known breaches. These breaches, combined, represent hundreds of millions, and likely billions of credentials. (Yahoo! alone was hacked twice and gave up over one billion credentials between both hacks.)
Whatever data lakes these particular attackers have at their disposal, from those sources, credentials were likely culled, cross-analyzed (if more than one source was used), cleaned and scrubbed, automatically validated (very easy to do!) and then dumped into a new credential data lake to be aimed solely at Apple as a target and made to seem as if that information was exfiltrated from Apple’s own iCloud-specific data-stores. And realistically, given the size of some of these recent breaches, only one of the larger breached data sets would likely be necessary in order to formulate this specific attack.
By using something similar to the above approach, this is likely why (and how) the credentials spot-tested by others who more thoroughly investigated the attackers’ claims (like ZDNet) do in fact seem to prove quite accurate across even a decent sampling of iCloud accounts.
Forecasting Some Possible Future Implications
So what does this mean? What are some of the possible future implications here?
One of the things we are observing is the “one and done” approach companies and even media outlets are taking in reporting these types of credential attacks. For this particular incident, the recommendations have been almost the same across the board: “Nothing to see here. Not a real breach. Change your password, enable two-factor authentication (2FA) and move on!”
Really?! That’s it?! Again, what analysts aren’t saying in this case really speaks volumes at least to us.
Let’s go back to the hypothetical cars, houses and lockers we mentioned before. People are people. And people work at companies. Those same people think pretty much the same way at work as they do at home, especially when it comes to passwords. Passwords are still created based on their favorite sports team or pet or ex’s name or street name, maybe combined with some significant number if you’re lucky at all. Reference again some of the hair-raising statistics mentioned above in terms of password creation. Consumer password habits carry straight over into corporate employee passwords.
So at least a few implications can be considered as we look forward.
First of all, for this immediate incident, April 7th will likely pass without incident. Maybe at the very worst, users who did not take heed and change their iCloud passwords will have their phones erased (though even that remains fairly unlikely for a number of reasons we won’t get into here). That will probably be the end of it, and this particular incident will simply blow over.
But more than likely, this won’t be the last time this kind of attack is instigated. Someone else will iterate on this type of attack, tighten it up and make it more real. Attacks based on large data lakes of hacked credentials will likely continue to evolve. And any future attacks of this type will almost assuredly carry more sophistication and automation and will in fact do some kind of damage in order to back up the demands, prove the potency of the attack, and hasten a payout.
So Apple likely won’t be the last service provider hit with this kind of threat and attack. Again, consider the cross-pollination of leaked credentials, from the massive sources we’ve already named here, aimed at Amazon, Target, Wal-Mart, Best Buy and other big-name internet retailers with massive customer bases. Or at Amazon Web Services, Azure, Google, Google Mail and Google Cloud, Rackspace, Virtustream and other large cloud providers, although the latter scenarios seem somewhat less likely.
Finally, even more provocative to consider is this: more than likely, somewhere out there in those piles and piles of hundreds of millions of breached and leaked credentials is a back door into your company that allows a real breach to occur. Someone, somewhere in your company has more than likely, in “cutting the same key” for their Twitter or LinkedIn or Facebook or Yahoo! or Dropbox account, cut the exact same key in the form of at least a matching password for a corporate account, somewhere.
That’s practically a guarantee, even in the face of better technical governance and controls around password creation, which even consumer outlets have been enforcing for a while. A better constructed password used in multiple places is still the same password used in multiple places and still exists in these data lakes of hijacked credentials.
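The reuse described above (a password cut once for a consumer site turning up again as a corporate password, and a leak list being cross-checked against a target's accounts) can be checked from the defender's side against your own directory. This is an added example, not the article's code; the leak rows, the directory and the PBKDF2-based password store are all constructed assumptions.

```python
"""Credential-reuse exposure check: does any leaked (email, password) pair
also unlock an account in our own directory? Everything here is constructed."""
import hashlib
import hmac
import os

# Constructed leak list in the common "email:password" combo-list shape,
# including a duplicate row and a malformed row that must be skipped.
LEAKED_DUMP = """\
alice@example.com:Eagles2009!
bob@example.com:fluffy1234
bob@example.com:fluffy1234
not-a-valid-row
carol@example.com:Summer2016
dave@example.com:correcthorse
"""


def parse_dump(text):
    """Yield unique (email, password) pairs; skip blank/malformed rows."""
    seen = set()
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        pair = (email.strip().lower(), password)
        if pair not in seen:
            seen.add(pair)
            yield pair


def hash_password(password, salt):
    """Stand-in for the corporate store's salted hash (assumed PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_directory():
    """Constructed corporate directory: email -> (salt, hash).
    Bob and Dave reused their leaked passwords; Alice did not; Carol has no account."""
    plaintexts = {"alice@example.com": "Tot@llyDifferent#9",
                  "bob@example.com": "fluffy1234",
                  "dave@example.com": "correcthorse"}
    return {email: (salt, hash_password(pw, salt))
            for email, pw in plaintexts.items()
            for salt in [os.urandom(16)]}


def find_reused(dump_text, directory):
    """Return sorted emails whose leaked password matches their corporate hash."""
    reused = []
    for email, leaked_pw in parse_dump(dump_text):
        entry = directory.get(email)
        if entry is None:
            continue  # leaked identity has no account with us
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            reused.append(email)
    return sorted(reused)
```

Accounts returned by `find_reused` are the ones to force-reset and enrol in 2FA first, since their passwords are already in a leak list.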
In conclusion, attacks based on now massive leaked credential data lakes are far more significant than what the analysts in this situation are saying and could be aimed at other consumer-heavy entities or even your own company’s front (or back!) door in the very, very near future.
These attacks are presently portrayed as an opaque cloud, but it is a cloud that suddenly becomes a little darker once again.