Data Security

“Google’s ‘Don’t be evil’ motto’ is a sham.”

Updated 2:54 p.m. ET Thursday

A lawyer representing more than a dozen celebrities whose personal and sometimes nude photos were stolen and shared on the Internet issued a scathing letter to Google that accuses the tech giant of helping the images spread and threatens a $100 million lawsuit.

The letter, written by lawyer Marty Singer and obtained by The Hollywood Reporter, calls Google’s conduct “despicable” for what it says is Google’s failure to remove the images and its “facilitating and perpetuating the unlawful conduct.”

A Google spokesperson said via email Thursday afternoon that “We’ve removed tens of thousands of pictures — within hours of the requests being made — and we have closed hundreds of accounts. The Internet is used for many good things. Stealing people’s private photos is not one of them.”

Indeed, the firm has removed some images from its sites and links to the images from its search engine. Still, the letter says lawyers have asked Google more than a dozen times to remove the images from Google sites like BlogSpot and YouTube, but some of the images are still available several weeks after the initial breach.

Google “has acted dishonorably by allowing and perpetuating unlawful activity that exemplifies an utter lack of respect for women and privacy,” the letter says. “Google’s ‘Don’t be evil’ motto’ is a sham.”

[THR]

Cybersecurity experts explain why the Bash bug might actually not be as risky as the Heartbleed bug discovered earlier this year

When the Heartbleed software bug was disclosed in April, there was no shortage of publicizing its risks and defensive measures—and for good reason. And the Bash bug, discovered Wednesday, is prompting similar widespread fear. The security flaw is named after a vulnerable piece of software, Bash, that’s built into several ubiquitous operating systems, including Apple’s Mac OS X.

“People were taking Heartbleed very seriously,” said Jim Reavis, CEO of cybersecurity firm Cloud Security Alliance. “If people don’t take Bash seriously, it’ll become a self-fulfilling prophecy.”

Cybersecurity experts like Reavis don’t doubt that the Bash bug is dangerous: it is, and it needs urgent attention. The afflicted Bash software, released in 1989, is an open source software that was built-in to Linux and Mac OS operating systems and then widely integrated into many corporate and personal computer programs, experts said. Preliminary estimates say it could impact up to 50 percent of Internet-connected servers, according to Darien Kindlund, director of threat research at FireEye, a network security company.

“Bash is yet another type of open source software that has been reused, repurposed,” Kindlund said.

But the threat posed by the Bash bug—it could theoretically remotely command computers and extract private information—is overblown, cybersecurity experts told TIME. Average computer users aren’t likely to be directly targeted by hackers, experts said. And for the vulnerability to be triggered, the attacker would need to deliver content to the user, and then get the user to execute Bash with that content, according to Kindlund. Normal web browsing, emailing or other common activities do not involve calling Bash. What average users should be worried about are more traditional hacking techniques, like phishing emails and links to malicious websites, said John Gunn of VASCO Data Security.

“There are so many other methods that have a high degree of success that would take priority over [Bash as a hacking tool],” Gunn said. “The vulnerability really exists for large organizations that may have servers running Linux.”

Companies who have web servers that aren’t updated internally on a frequent basis may be most at risk because they continue to use old technology, according to Kindlund. Some companies who still store private data on Internet-facing servers—an outdated practice, as it makes sensitive information more vulnerable—or do not have strong security may vulnerable as well, but they can take precautions by inspecting each and every of their Linux-based servers, said Tanuj Gulati, CTO of Securonix, a security intelligence firm.

“The Apples or the Amazons or the Googles of the world aren’t the ones I’m worried about the most,” Reavis said. “But it could be some big companies that use this technology, but simply don’t have an awareness budget, or not taking this seriously.”

Still, many companies already have protection mechanisms in place that would prevent Bash from inflicting significant harm. Most servers can detect anomalous traffic and behavior, and many already take precautionary efforts by keeping records offline where they are inaccessible, Gunn said.

“What this Bash vulnerability depends on is a lot of other failures,” Gunn added. “This isn’t a single point of failure, whereas in Heartbleed, it was.”

Numerous patches for the Bash bug have already flooded the market. While security researchers have claimed the patches are incomplete, experts agree that fully fixing the vulnerability would take years. Additionally, that there have not been any known major breaches using Bash has also boosted security experts’ confidence that the bug may not pose a widespread threat.

“Most vulnerabilities of value are either shared or sold in the hacking community,” Gunn said. “If this had been a viable hacking method, it would’ve been exchanged in the hacking community, and it has not.”

But fact that Bash may not pose a major threat to individuals or companies doesn’t mean its danger should be understated, experts agreed.

“You saw a lot of worry about [Heartbleed], and there really wasn’t much that happened. The economy didn’t grind to a halt. Cities didn’t black out,” said James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies. “It’s a vulnerability. A flaw.”

And what we don't

More explicit photos were posted on the website 4chan Saturday, this time purportedly showing Kim Kardashian, Vanessa Hudgens, Mary-Kate Olsen, Hayden Panettiere, Kaley Cuoco, Hope Solo and an underage Disney star, among other female celebrities.

Previously unseen photos purportedly showing Jennifer Lawrence, who became the face of the last major celebrity photo hack, were posted, too. The photos quickly spread from 4chan to Reddit, following the same pattern as the previous hack, which leaked private photos of Lawrence, Kate Upton, Ariana Grande and almost 100 other female celebrities.

Here’s what we do and don’t know about the latest nude celebrity photo hack:

Are the photos real?

At least two of the hack’s victims have confirmed their leaked photos are, in fact, real.

Actress Gabrielle Union told TMZ on Saturday that her photos were intended for only her husband’s eyes, and slammed the hackers’ insensitivity. “It has come to our attention that our private moments, that were shared and deleted solely between my husband and myself, have been leaked by some vultures,” Union said.

On Sunday, Actress Meagan Good released a statement on Instagram, saying “I’m definitely in shock… Saddened for everyone who is experiencing this… But I ‘choose’ not to give the persons responsible my power.. At the end of the day—We all know these pictures were for my husband.”

In the last celebrity hack, many victims confirmed that the photos were indeed authentic. Cuoco, whose photos were also released in the previous hack, said Thursday on Jimmey Kimmel Live! that she was disturbed to realize the photos were real, but ended up making a “joke about it,” because “you have to make fun of yourself.” Other reactions were less lighthearted: Lawrence’s rep called it a “flagrant violation of privacy.”

What about the other celebrities?

Most have not released statements, or have declined to speak. A rep for Kardashian has declined to comment about the leaked photos to multiple publications. There’s also no word from Panettiere, Olsen, Solo or Hudgens.

But many are wondering about Hudgens, and what approach she’ll take now that she’s not the young Disney starlet of the High School Musical franchise. In 2007, after being shamed for a leaked nude photo, the 18-year-old actress apologized to fans, while Disney followed up and told People that “We hope she’s learned a valuable lesson.”

How did it happen?

No one knows yet, but experts told TIME they believe it’s similar to the last celebrity photo leak, when Apple confirmed that it was a “very targeted attack on user names, passwords and security questions,” and a not system-wide breach of iCloud or Find my iPhone, as was first widely believed. (TIME has reached out to Apple for comment regarding the most recent hack.)

Bob Stasio, Vice President of Threat Intelligence at CyberIQ Services, said the most probable cause is that hackers obtained access to photos by answering security questions to recover or reset passwords—a common tactic and the one apparently used last time. Last year, Michelle Obama’s and other celebrities’ financial records were accessed by hackers who knew enough personal identifying information to impersonate them, according to CNBC.

“The problem with celebrities is that a lot of their information is publicly available,” Stasio said.

Once the passwords have been reset, the hackers can access the celebrities’ e-mail accounts to obtain the passwords to enter iCloud. Hackers will have previously gained access to the stars’ computer servers, thus their e-mails, either physically or remotely through backdoors planted in their systems, Stasio said. These backdoors may have been planted through targeted emails that tempt the users to click on a link or download an attachment.

“That’s really how hacking works,” Stasio said. “It’s all very iterative. You get to one spot, and you have to get to the next spot.”

Can the hackers be found?

They haven’t been found yet, and security experts believe it will be difficult, but not impossible, to track down the hackers. If iCloud accounts were accessed, then Apple can use a record of logins to determine the IP address, Stasio said. But hackers would likely hide their IP address by routing through a different one in another country, which complicates the process. Another method would be to track who had originally posted the pictures on 4chan.

In fact, experts say photo-leaking culprits are often caught, and the fact that both Apple and law enforcement are already involved make the investigation even more likely to turn up results. In 2011, for example, a hacker used the “forgot my password” function to access and leak nude photos and other personal information of Scarlett Johansson, Mila Kunis and Christina Aguilera. An FBI investigation resulted months later in a Florida man being sentenced to 10 years in federal prison, according to CNN.

“The success rate is very high. People doing this are very foolish, thinking they’re going to get away with it,” said Phil Lieberman, President of Lieberman Software Corporation. “For a period of time, they’re the hero. Once they’re caught, they’ll become the zero.”

So why haven’t we found the hackers yet?

In short, it takes time.

“If someone’s life is in danger, law enforcement moves very quickly,” Lieberman said. “But pictures of celebrities don’t rise to the level of kidnapping, murders or serious violent crimes. They’re seen more as economic crimes or invasions of privacy, which are serious, but go on a little slower track.”

Moreover, the fact that Apple’s weak iCloud security was patched only recently means that several intruders may have been in the system for quite a while, experts said, which would add additional layers to the investigation.

Will it happen again?

Experts say yes: This is the second major celebrity photo hack in one month, and it’s part of a rising trend. When Target was hacked last year, Stasio said, a group of hackers sent e-mails to other companies saying they’d detected a similar vulnerability, offering help through a clickable link, which, if opened, would’ve infected the company’s system.

“Not only have the trends of the actual hacks spread, but people use the awareness of the hack itself to try to use it as an infection,” Stasio said.

And there’s likely more photos that have been accessed but not yet shared. Lieberman said that for hackings in the commercial world, the average time the hacker or hackers have spent in the system is 200 days. This suggests the intruders could’ve had months to amass a large collection of explicit photos.

“This may not even be different than the first one,” Lieberman said. “This may in fact be the same group of people with the same set of data, just simply taking another bite of the apple.”

Cyber thieves pulled off a massive attack

Hackers had access to 56 million credit and debit cards when they breached Home Depot’s security system this year, the company said Thursday. The breach was even larger than the attack on Target last year, when 40 million cards were compromised.

The company said that thieves had placed malware software on cash registers in Home Depots throughout the U.S. and Canada from April to September. The malware has since been eliminated. The breach will cost the company at least $62 million.

“We apologize to our customers for the inconvenience and anxiety this has caused and want to reassure them that they will not be liable for fraudulent charges,” Chief Executive Frank Blake said in a statement.

"We don’t build a profile based on your email content or web browsing habits to sell to advertisers."

After dozens of celebrities had their most intimate photos stored on Apple’s iCloud service stolen by hackers and released online, the company used Wednesday’s iOS 8 update launch to defend its concern for privacy and introduce new security measures.

In an open letter posted on Apple’s website, CEO Tim Cook stressed the company’s efforts to keep consumers’ information private and sought to distinguish Apple from how its competitors use personal data.

“A few years ago, users of Internet services began to realize that when an online service is free, you’re not the customer. You’re the product,” Cook wrote, referring to how major websites, such as Google and Facebook, use personal information and personal activity online to tailor advertisements to their users. “But at Apple, we believe a great customer experience shouldn’t come at the expense of your privacy.”

The statement is particularly pertinent after the Sept. 8 announcement of a smartwatch and new apps on the upcoming iPhone 6 and iPhone 6 Plus that represent Apple’s most significant foray into health tracking and mobile payments.

“Our business model is very straightforward: We sell great products. We don’t build a profile based on your email content or web browsing habits to sell to advertisers.”

Apple does have a service that tailors ads based on some of what Apple knows about users, but Cook wrote that the service doesn’t pull data from products like Apple’s health apps or the Mail app.

Cook also addressed allegations that the U.S. government has collaborated with major Internet firms to gather data on users, saying Apple has not allowed access to its servers and has “never worked with any government agency from any country” to allow exclusive access to personal information retained by Apple.

Apple also said that iOS 8, the newest iPhone operating system, would automatically encrypt data stored on iPhones and protected by your passcode, making it impossible for even Apple to share that information with the government or law enforcement. That encryption rule, however, doesn’t apply to data stored on Apple’s iCloud storage service.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” said Apple. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

The unofficial Google Operating System site writes about a little gem found under the security section of everyone’s Google account settings page.

Head over to your account’s security section, and click the “Get started” button located under the “Secure your Account” heading.

It’ll step you through the various lock-downs available for your Google account, including setting a recovery phone number, a recovery email address and the ability to revoke access for apps, websites and gadgets you no longer use. You’ll also be able to check out your recent activity to make sure nobody’s been using your account without your knowledge.

It’s a good idea to run through a security audit such as this every once in a while, especially after a high-profile data breach.

[Google Operating System]

Yahoo tried to fight the government's requests for user information

The U.S. government threatened Yahoo with a $250,000-a-day fine in 2008 if the tech company did not comply with requests for user information, according to roughly 1,500 pages of newly released legal documents.

“We refused to comply with what we viewed as unconstitutional and overbroad surveillance and challenged the U.S. Government’s authority,” Yahoo’s General Counsel Ron Bell wrote in a Tumblr post published on Thursday. “The released documents underscore how we had to fight every step of the way to challenge the U.S. Government’s surveillance efforts.”

Yahoo’s multiple challenges against the government were unsuccessful however, and the company started providing user data to PRISM, the controversial National Security Agency program that was shut down in 2011 and revealed to the public by Edward Snowden in 2013, the Washington Post reports.

Yahoo felt these government requests, which asked for data about whom and when users outside of the U.S. emailed (though not email content itself), bypassed required court reviews of each surveillance target.

Federal Judge William C. Bryson of the Foreign Intelligence Surveillance Court of Review ordered the unsealing of the documents as part of a move to declassify cases and documents that established the legal basis for the PRISM program.

The usernames and passwords of 4.93 million users were posted in a Russian Bitcoin security forum

Almost 5 million usernames and passwords purportedly for Google accounts were uploaded to a Russian online forum by hackers late Tuesday.

The International Business Times reports that data for 4.93 million Google accounts of English-, Spanish- and Russian-speaking users was leaked and published on a Russian-language Bitcoin security online forum. The posters said about 60% of the accounts were active.

In a statement sent to TIME, Google said it had “no evidence that our systems have been compromised.”

“The security of our users’ information is a top priority for us,” the statement reads. The company said that whenever it is alerted that accounts may have been compromised, “we take steps to help those users secure their accounts.” Email users are encouraged to utilize two-step verification when logging into accounts, as well as to create strong passwords.

According to Russian news service RIA Novosti, this leak followed another large hack of Russian email accounts. Several million accounts of Russia-based email services were also posted in a Bitcoin security forum.

The construction-equipment retailer says anyone who shopped there since April could be a victim

Hackers infiltrated Home Depot’s payment system and stole an untold amount of shopper information, perhaps including credit-card numbers, the construction-equipment retail giant confirmed in a statement Monday.

The hack “could potentially impact any customer that has used their payment card at our U.S. and Canadian stores, from April forward,” Home Depot said in a statement, adding that shoppers online or at stores locations in Mexico do not appear to have been affected.

The firm joins the ranks of other major stores, like Target and others, that have been the victims of successful, large-scale cyberattacks.

Home Depot disclosed it was looking into reports of “unusual activity” on Sept. 2 and has offered free identity-theft protection and credit-monitoring services to anyone who shopped at a Home Depot store during the months in question.

“We apologize for the frustration and anxiety this causes our customers,” Home Depot said.