Elcomsoft Phone Password Breaker – or EPBB – was designed for cops and spies siphoning data from iPhones.But it is thought to have been used by crooks who leaked images of celebs including Jennifer Lawrence, Rihanna, Kim Kardashian, Cara Delevingne, Cat Deeley, and Kirsten Dunst.
On web forums 4Chan and Anon-IB – which has been off line since last week – hackers openly discussed using EPPB to download victims’ data from iCloud backups.Last week we revealed more than a hundred Welsh women – including former Miss Wales runner-up Sophie Hall – had private pictures stolen and posted on AnonIB. The site was where the nude celeb pics first emerged.
Read: Celebrity nude picture leaks show we can sink no lower
“There are legitimate uses for software like that,” said University of South Wales computer expert Dr Mike Reddy.
“If you have a hard to crack password and realise you have forgotten it then using it to get into that device and extract the data could be legitimate.“But if you are trying to hack a device without permission that is the evil and negative side.
“The recent pictures of Jennifer Lawrence and others put on 4Chan were the result of them cracking passwords for iCloud. They were high visibility targets.”
Internet chatter on 4Chan revealed the stolen pictures were the result of more than one theft.
An anonymous poster wrote: “There wasn’t just one hack, there isn’t just one leaker.
“There’s been a small underground celeb n00d-trading ring that’s existed for years.
“Why wasn’t it revealed earlier? The only way to join the ring is by buying in with original pics.”
These were called ‘wins’ by thieves. That term was littered all over AnonIB.
The 4Chan poster claimed word of the ring only emerged because snaps were spread by a “rich kid” who shared them with outsiders.
“Most people in the street, hackers are not going to be interested in,” Dr Reddy said.
“But that does not mean you can rely on simple passwords.”
Andrew Williams at the UK Safer Internet Centre claimed the Welsh language could help people be secure.
“One of the great things for people in Wales is they can use a misspelt Welsh word as a password,” Mr Williams said.
“They are naturally difficult words to remember and crack.
“If you misspell it then you’re sorted.
“Bung some numbers in it and a special character and you have strengthened the security of your password. That’s simple stuff.”
Dr Reddy urged police to act when password crackers were used illegally.
“When we discover illegal use we should use laws and penalties to deal with these offenders,” he said.
The legal situation “can always be improved”.
“When new technology comes along the law is always 10 or 15 years behind,” Dr Reddy said.
Internet lawyer John Spyrou believed Elcomsoft would state on products they were not to be used illegally.
Claims against the firm would be difficult to bring but hackers themselves could be targeted.
“You’d have a robust claim for breach of privacy,” he said.
“The Jennifer Lawrence photos were plainly private photos never intended to go anywhere but to the people that were supposed to see them.
“There was a reasonable expectation of privacy and that is the test.”
And stealing pictures is “no different to someone hacking into my computer and taking my bank details”.
At Aberystwyth University, internet guru Dr Madeline Carr urged web users to ensure they had anti-virus software on computers, phones and iPads.
“Another thing people should consider, because passwords are such a clumsy mechanism for security, is a password manager.
“That will generate passwords for all applications so they only need to remember one password for the manager.”
But people don’t bother because it “seems like too much effort for no assured gain”.
“People say, ‘No-one would ever want my pictures,’ or, ‘No-one would want to get in my bank account, there’s no money in there anyway,’” Dr Carr said.
“They say they have nothing to hide or protect because they don’t have a sense of themselves being vulnerable.
“If you really just have e-mails to your family and a Facebook account with nothing on there, and you’re happy to have it shared around, then maybe it is not worth the effort,” Dr Carr said.
“But people have to ask the question, ‘Do I have anything I would like to keep in any way private?’
“If people are confident in their minds that they have nothing that needs to be private then, sure, they do not need to secure their presence on line.”
At the UK Safer Internet Centre, Mr Williams warned putting things on the internet meant they were “no longer in your possession, no matter whether you trust the site or not”.
He added: “That server has a copy and you no longer own the information.
“Even with tried and ‘trusted’ services like Flickr and Google you have given that data to someone else.
“You need to be aware you have taken a conscious decision to pass that data onto someone else.”
People are “too honest” and “too trusting” online.
“We use passwords that are easy to crack based on similar words that are easy to remember,” Mr Williams said.
“The longer and more random they are the harder it is for cracking software to unpick it.”
Passwords should be at least eight characters long. Other steps can be taken too.
“If I know your mother’s maiden name then I might be able to get into your system,” Mr Williams said.
“Stop using your mother’s actual maiden name.”
Alter your date of birth.
“You could take away 10 or add 10 from your day of birth or your birth year. You’re not breaking the law by doing that, although when it comes to banking things are slightly different.”
Celebrities have lots of personal information about them on Wikipedia.
Internet searches can quickly reveal more about targets. So can following them on Twitter.
“There is a generation growing up that are never going to know Google not being there,” Mr Williams said.
“The longer a company is there the more society looks at it and says, ‘There is a company I can trust.’
“When things go wrong with these companies we forgive them and go back to them.
“Things like this iCloud situation, where we suddenly become aware of vulnerability, we need to take a good long hard look at what we are doing.”
By James Mcarthy