The Vulnerability of Snapchat

The year 2011 marked the creation of the popular smartphone application Snapchat. The app allows users to send and recieve photographs and videos to and from other users.  Once a picture or video on the app has been opened, it will expire after a designated amount time from the phone of the recipient and the Snapchat server itself; a picture can be set to last from one to ten seconds and a video expires after it is played. The app also contains a chat feature; chats from user to user disappear over time, usually after the app is closed and reopened. If a user wants to reopen one of the pictures or videos they receive, they have the option of replaying it within a few seconds of opening it for the first time. This can only be done once every twenty-four hours. The app sends about 700 million photos and videos a day, with over half of the users being between the ages thirteen and seventeen.

In 2012, apps begin to appear on smartphone marketplaces under various names such as SnapSave and Snap Spy. These apps not only offered a user with a Snapchat account the ability to save the photos and videos they received on Snapchat, but it allowed them to do so without alerting the sender. Photos or videos saved through this method could then be stored and distributed by the recipient for whatever purposes they desired.

In October of 2014, an event brought this problem to light in the form of a huge collection of data from Snapchat (stored on a third-party apps website) being released. This mass leak of data from Snapchat, was dubbed the Snappening (a conjunction of the words Snapchat and Happening). An exploit in the website, known as SnapSaved led to a data breach that resulted in the release of around 12.7 Gigabytes of data, roughly translating to around 88,521 images and 9,173 videos. While it is unknown what percentage of this data contained pornographic or suggestive material, the sheer amount of data released is overwhelming.

Alarming rumors soon spread on 4Chan that databases were under construction to link the information to individuals. Security experts proved these rumors false, finding it close to impossible to link the files to specific Snapchat usernames, with the exception of 320 usernames for which files had been saved in an alternative naming format.

Snapchat would later comment on the leak by blaming third party apps that bypassed the Snapchats security features:

“We can confirm that Snapchat’s servers were never breached and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security. We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

Owners of the third-party app SnapSaved disputed that it was the source of the leak. In a post on its Facebook account the company announced that only 500 mb of information had been stolen from its servers. Regardless of how much information was gathered and from where, the fact that many users of Snapchat are underage qualifies some of the contents of the leak as child pornography. This led to Reddit banning many of the discussion boards that featured the file containing images from the Snappening.

A Brief Historical Timeline of Leaked Pornography

Leaked Pornography has come into the public eye recently with the Celebgate events, but has been in the public eye around for a couple of decades now at least. While there is much more that could potentially be covered, by examining recent examples that feature famous individuals, a general understanding of the evolution of leaked pornography can be gained.

1988- Footage of Rob Lowe engaging in sexual acts with two women was released to the public.

1995-  VHS videotape was stolen from the home of actress Pamela Anderson and musician Tommy Lee (the tape contained explicit video of the couple) during a renovation and was subsequently distributed.

2003-  A distinct change in how leaked pornography is collected occured. Nicholas Jacobson, aka “Myth,” exploited T-Mobile’s network security to steal the personal photos of celebrity customers, such as Paris Hilton by accessing their Sidekick PDAs rather than physically stealing the photographs.

2007- Liz Lee, an underage celebrity, had nude photographs leaked online by her boyfriend. This is also the year in which the term ‘sexting’ was first used in reference to the sharing of sexually explicit content through a texting based medium.

2008- Explicit photos of Edison Chen, an actor from Hong Kong, are released. Chris Chaney exploited the Gmail by guessing usernames and then passwords, via the “forgot my password” feature, to gain access to accounts of various celebrities including Scarlett Johansson. This, along with the “Myth” exploit, can be seen as precursors to the CelebGate event.

2010- Porn Wikileaks is released, which contained the real and stage names as well as names of more than 15,000 porn actors. The actors were justifiably concerned that their sexually transmitted disease histories might be leaked as well. An explicit video of Nazril Irham (AKA Ariel), an Indonesian rock star, is leaked.

2011- Snapchat is created. The app allowed users to send photos, videos, and instant messages that would delete after a set amount of time.

2012- Apps, like Snapsave and Snapspy, appear on app stores. These apps allowed users to exploit Snapchat. Also, Matt Honan, a security expert, was hacked.

2014- Celebgate occurs. The Snappening occurs.

In the last two decades, we have seen a distinct change in how leaked pornography has been gathered over the years. At first, one had to physically collect the photos or videos in order to distribute the pornography. Now, we live in an internet based age where everyone is online and connected. Chris Chaney was able to highlight this effectively. He did not know or even have proximity to the celebrities he hacked. Now, with the Celebgate event and the subsequent Snappening event, the vulnerability of everyone is further highlighted; in a day where everything you do can be exposed online, there is a good chance it will.

What Was The Fappening?

An enormous mass leak of celebrity nudes took place on August 31st and September 1st. The leak initially appeared on a website called 4Chan but spread rapidly. Subsequent leaks occurred on both September 20th and September 26th. When the dust settled, countless private (and many explicit) photographs and videos of over one hundred celebrities had now been released for the whole of the internet to see. It was initially believed that a security exploit in Apple’s “Find My iPhone” feature had given the hacker(s) unlimited attempts to crack the security passwords of the various celebrities and this led to unauthorized access of their iCloud accounts. In fact, Apple was aware of the exploit six months before the initial attack! Following the initial attack, Apple released a statement and determined that it was not the “Find My iPhone” flaw that had resulted in the leaks, but rather an attack on usernames, passwords, and security questions.

These leaks of private celebrity photos became known by some as ‘Celebgate,’ an homage to the Watergate Scandal. Others, thanks to anonymous social media websites such as Reddit and 4Chan, refer to this event as “The Fappening,” a crude compound of ‘fap’ (to masturbate) and ‘happening’. The waves of leaks were dubbed ‘cummings’ in reference to sexual climaxes. These leaks captured media attention almost immediately and this has helped to shed some light on some privacy problems the ordinary internet user might be oblivious to as it is not just celebrities who are at risk for these attacks. They can target anyone, and it was only the fame and sheer amount of people affected that brought the even into the public spotlight.

Threat Analysis: Operation KKK

Accusations of group membership can be damaging, even if they are untrue. The above video is from a group claiming the mantle of the hacktivist group Anonymous. In it, they announce their intent to release the names and addresses of reported members of the Ku Klux Klan (KKK) on November 5 that they seized from webservers and Twitter accounts belonging to the KKK.

“You are legally free to live and be any which way you choose to live and be. Keep in mind, it is not illegal nor oppressive to hurt your feelings. With that said – We are stripping you of your anonymity. Again. This is our protected speech.” (Emphasis added)

This is not the first time a group claiming to be Anonymous has targeted the KKK. Previously, a group hijacked the KKK’s Twitter account and released personal information of a leading member of the KKK. This time, in a press release dubbing the release Operation KKK, the group claims the KKK’s threats to use lethal force during the Ferguson protests in 2014 as its motivation behind the data release.

In a twist of the story, there has been an early release on Pastebin (which we will not link to) that purportedly names mayors, members of Congress and police officers. However the accuracy of this and similar other lists has been called into question. These lists have included information such as phone numbers, email addresses and spousal information of the alleged KKK members.

Among the expected denials by various politicians is that of Knoxville Mayor Madeline Rogero. In a Facebook response, she explained that her inclusion in the list does not make any sense. She is a part of an interracial family, has launched initiatives to reduce racial violence and has pushed for LGBT (Lesbian Gay Bisexual Transsexual) rights.

In fact, the Anonymous group behind Operation KKK has denied the current list on Pastebin as being from them.

anontweet

Regardless of the authenticity, the publication of this information is problematic. As demonstrated with the recent takeover of CIA Director John Brennan’s Verizon and email accounts, a tiny amount of information made public, such as a phone number, can lead to a severe consequences for the individual. Likewise, accused membership in a white supremacy group creates a situation where it becomes probable that the information will be used for no good.

Con-Artistry 2.0: Social Engineering CIA Director John Brennan

WIRED recently posted an interview with a “hacker” representing a group who broke into the AOL account of CIA Director John Brennan. Upon examination of his method, we assert that this hacker was in fact a social engineer.

As we have discussed before, social engineering is essentially con-artistry with information technology. It involves the obtainment and violation of trust to achieve a specific goal. In this case, the goal was to obtain access to Director Brennan’s account.

Here is how the hacker claims to have done it:

BrennanSEChart

The group behind the account breach began posting to Twitter screenshots of the documents they obtained. One of those documents appears to be the director’s SF-86 application, which is used for background checks. These applications ask for more personal information, including information on friends and family. They also include:

  • criminal history
  • psychological records
  • past drug use
  • interactions with foreign nationals

If true, this account hijacking could lead to serious repercussions for the director, his job, and his friends and family. The cyclical process of social engineering could lead to more breaches, the theft of his identity and the leaking of sensitive government documents.

We remind readers to practice security best practices, such as not using personal email accounts to handle work related information.

A Routine Activity Approach to Celebgate

The 2014 release of celebrity nude photos, also known as Celebgate, involved several waves of personal data release onto the Internet. Many well-known female, and a few male, celebrities had images they had saved on cloud services, such as iCloud, on social media outlets such as Reddit. The after-effects of this release led to technological changes being made to improve security of personal information, but the reputational damage had already been done. A criminological explanation of Celebgate could be done with several theories, but Routine Activity Theory provides one of the best frameworks.

Routine Activity Theory was developed by Marcus Felson and Lawrence Cohen in 1979 as an attempt to understand crime at a macro level. It was theorized that three aspects must converge in order for crime to occur. They are:

  1.  A Suitable Target– This person possesses certain characteristics, such as owning high value items or if they are female, that put them at a greater risk for becoming victimized.
  2. A Likely Offender– someone who has a need to commit crime for some level of personal gain.
  3. The Absence of a Capable Guardian– wherein a person either cannot defend themselves as or there is some lack of protection against victimization.
Routine Activity Chart

This well known diagram depicts the interaction of these three factors

Cohen expanded on his theory a couple of years later, by elaborating on these three tenets of the theory. A suitable target has some level of ‘target attractiveness,’ in which they may have some level of symbolic desirability or possess something of great value. The idea of exposure was also added; some people are more visible either physically, or in this case, on the Internet, to other people.

A Routine Activity explanation of the Celebgate incident is quite effective in helping us understand why such an event occurred. Those that obtained the pictures through hacking/social engineering, our ‘motivated offenders,’ were driven by potential monetary gain, the desire to seek revenge on their targets, and sought the fame that came with the release of these images. The relative anonymity of the offenders played a role as well, as repercussions could potentially be avoided.

The celebrities affected by this incident, our ‘suitable targets,’ constantly have the media’s attention, tended to be female, and had substantial amounts of information online. This made the celebrities relatively easy and desirable targets for exploitation.

The ‘lack of capable guardianship’ parameter also existed. There was an exploit within Apple’s software that allowed perpetrators access to the celebrity’s information. The “forgot my password” feature had issues, including allowing unlimited password retries. The celebrities themselves were mostly unaware of how vulnerable they and their information really were, leading to behaviors that put them at risk, such as automatically uploading pictures to iCloud.

Thus, a diagram of this overlap would look like this

Thus, a diagram of this overlap would look like this

Other theoretical explanations of Celebgate can be developed as well, but Routine Activity Theory serves as one of the best to understand what transgressed during the multiple data and image dumps that comprise the Celebgate incident.

Lost to the Web: Legal Recourse for Leaked Pornography

Simply put, there is no way to completely remove an image or video from the Internet. This is true in both the technical sense and a legal sense. This is the tough reality that victims of leaked pornography face.

Technologically speaking, the sheer amount of effort and expense needed to locate every single copy of a piece of information, such as a photo, that has surfaced on the Internet and then remove it to prevent further distribution is simply incomprehensible. This is why companies such as Google, under pressure from European courts, have focused their attentions on trying to de-index objectionable material from their service. However, this is simply a Band-Aid for the issue as those who have saved the material to their hard drives can still spread it through other means.

At the most basic level, an offender who perpetrated a leak by breaking into an account would have violated the Computer Fraud and Abuse Act (18 U.S.C. § 1030). This act is more of an all-encompassing way to prosecute “hackers.” The offenders could also have violated the Electronic Communications Privacy Act of 1986 (18 U.S.C. § 2510-22), which addresses the interception of communication.

The events of a trial would most likely mirror the case of Cristopher Chaney, who “hacked” into the accounts of over fifty people, many of whom were associated with the entertainment industry. Chaney was sentenced to 120 months in federal prison along with $66,179 in restitution for a number of things including wiretapping and unauthorized access to protected computers. However his conviction did not stop the distribution of the pictures.

To stop distribution, copyright laws, such as the Digital Millennium Act, could be used as a way to bar further distribution of an image. Civil courts can be used to get an injunction against hosting websites but this presents problems such as the hurdles facing those trying to enforce injunctions on third parties; one example of this being online defamation cases. The legal precedent in this area can be spotty, with much debate over who owns the copyright to photos, the subject or the photographer. Examples of DMCA letters exist that can be used by victims to force websites to take down images.

Regardless of the charges that are brought forth against perpetrators and the websites that are forced to remove the images, the pictures have already been leaked. Unless the victim has the time and money to invest in finding the websites that have the images, it would be difficult to get all the publically available images taken down. Again, once they are out there, it is very unlikely they will ever go away.