The Real Story Behind the Kate Upton Nude DDoS Attack

I collect distributed denial of service (DDoS) stories. Part of my job is to explain to audiences and customers how a particular defensive technology can mitigate new attacks. While engineers might be drawn in by the technological talk, laymen and managers are more likely to get engaged when they are introduced to the actors in the drama.

Fortunately, the DDoS world is populated with very colorful characters, the anonymous (yet famous) patriot-hacker The Jester being a prime example. When he disrupts a Jihadist website, he tweets a “Tango Down” notification. However, The Jester doesn’t typically attack the websites of SecurityWeek readers. So even though he is fun to talk about, I’m always on the lookout for new DDoS stories relating to enterprises or service providers to add to my collection.

I recently heard about an interesting DDoS story in New Zealand involving the nude selfies of cover girl Kate Upton and Hunger Games star Jennifer Lawrence. The photos were stolen from Apple’s iCloud service. The story seemed like the perfect, illustrative fable about everything that is wrong with Internet security today. It had all the classic buzzwords: cloud security, malware, DDoS, Apple, 4chan, and lazy, lustful Internet users.

But while parts of the story were true, others…not so much. The original story went like this:

1. Attackers breached the security of Apple’s iCloud services and exfiltrated the personal data of dozens of celebrities, including nude photos of Kate Upton, Jennifer Lawrence, and others.

2. They posted the photos to the 4chan message board and called the event “The Fappening.” The 4chan photos were quickly taken down but had already spread to lesser-known sites.

3. Public demand to see the photos was so high that millions of people turned off the SafeSearch filtering of their search engines and went looking for the photos.

4. Malicious sites used the photos as bait to get people to download free “image viewers” for their PCs and iPads. These programs were actually malware.

5. The malware then launched a distributed denial of service attack that disrupted service across New Zealand’s major Internet service providers.


I happened to be on my way to New Zealand when the story broke, so when I arrived there I met with representatives of the ISPs, and they gave me the real story behind the DDoS attacks.

The first third of the story is more or less true; the personal data of the celebrities was indeed exfiltrated from iCloud. Apple’s position was that the accounts were compromised through the celebrities’ own weak passwords and security questions rather than through any breach of iCloud itself, but that distinction is just semantics. If you read an EULA carefully (many of them run to 25 pages or more), you will find that you personally are responsible for the security of your data in the cloud. That’s the state of cloud security today. The middle part of the story is true as well: nearly every site hosting the celebrity photos was also hosting some kind of malware.

The last part is where the story goes off track. While there was an ISP outage in New Zealand in the days after the iCloud breach, the two events were unrelated. The ISP outage was caused by a more arcane (and therefore less sexy) security issue: bring your own modem (BYOM). In New Zealand, as in the U.S., some customers are allowed to bring their own cable modems (often from their previous service provider) when they sign up for Internet service. Approximately 5,000 to 10,000 customers had brought with them an old cable modem that was susceptible to a recently found vulnerability.

The cable modems could easily be reset to factory settings, whereupon they offered an open recursive DNS resolver on their external (WAN) interfaces. The devices were then coaxed into participating in a DNS amplification attack: the attacker sends each open resolver a stream of small DNS queries whose source address is forged to be the victim’s, and the resolvers dutifully send their much larger responses to the victim. DNS amplification attacks have become a critical problem across the Internet in the last 18 months. They are very easy to trigger and can cause massive disruption. Several of the largest DDoS attacks in the last two years have been DNS amplification attacks. The Open Resolver Project tracks millions of devices that can be abused this way.
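To make the mechanism concrete, here is an added example (not code from the article or from the New Zealand ISPs) that builds the kind of small DNS query an amplification attack sends, an ANY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP buffer, and then judges from a reply whether the answering host is an open recursive resolver and how much it amplifies. The reply used below is a constructed byte string, not captured traffic; the optional probe() function sends the query to a real address and is only for equipment you own or are authorised to test.

```python
"""Build a minimal DNS query (with EDNS0) and classify a reply.

Offline demo: constructed_reply() fabricates a plausible answer so the
code runs without network access. probe() is the only function that
touches the network and is not called here.
"""
import socket
import struct
from typing import Optional

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def build_query(name: str, qtype: str = "ANY", txid: int = 0x1234,
                edns_bufsize: int = 4096) -> bytes:
    """Return a DNS query with RD=1 and an EDNS0 OPT record asking for
    large UDP responses. For example.com/ANY this is 40 bytes on the wire."""
    # Header: ID, flags (0x0100 = recursion desired), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    # OPT pseudo-RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size,
    # TTL field (extended RCODE/version/flags)=0, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_response(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "answers": an,
        "size": len(pkt),
    }


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """An open recursive resolver answers a stranger's recursive query with
    RA set, RCODE 0 and at least one answer record."""
    r = parse_response(response)
    return (r["is_response"] and r["id"] == struct.unpack("!H", query[:2])[0]
            and r["recursion_available"] and r["rcode"] == 0 and r["answers"] > 0)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker had to send."""
    return len(response) / len(query)


def constructed_reply(query: bytes, n_txt: int = 14) -> bytes:
    """Constructed sample reply (not real traffic): flags QR+RD+RA, RCODE 0,
    the original question, and n_txt TXT records of 255 bytes each. The
    default of 14 records (3781 bytes) stays under the advertised 4096-byte
    EDNS buffer, so a real resolver would not truncate it."""
    question = query[12:query.index(b"\x00", 12) + 5]  # qname + qtype + qclass
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, n_txt, 0, 0)
    txt = b"x" * 255
    # Name is a compression pointer (0xC00C) back to the question name.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(txt) + 1) + bytes([len(txt)]) + txt
    return header + question + rr * n_txt


def probe(ip: str, name: str = "example.com", timeout: float = 2.0) -> Optional[bytes]:
    """Send the query to ip:53 over UDP; None on timeout. Authorised hosts only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (ip, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    q = build_query("example.com")
    r = constructed_reply(q)
    print(f"query {len(q)} bytes, reply {len(r)} bytes, "
          f"{amplification_factor(q, r):.1f}x, open resolver: {is_open_resolver(q, r)}")
```

The 40-byte query against a 3781-byte reply gives roughly a 95x amplification factor, which is why a few thousand misconfigured modems are enough to saturate an ISP's uplinks. On a real probe, a modem that answers with RA set for a name it is not authoritative for is the device the ISP needs to find.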

It is very difficult to trace the origin of DNS amplification attacks, because the queries carry the victim’s forged source address: the reflectors never see the attacker’s real address, and the victim sees only the reflectors. In this case, the perpetrators of the attack were never identified. Even more interestingly, beyond knowing that the target addresses were somewhere in Eastern Europe, the victims of the attack were never identified, either.

No one patches their cable modems (honestly, I have no idea how to do that, and I’m a network security professional), so it took the service providers days to track down enough of these customers to unclog their networks.
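Tracking down the offending customers is a traffic-analysis problem, and it is faster from flow records than from complaints. The following is an added example (not the ISPs’ tooling) that runs over a constructed NetFlow-style sample: it pairs inbound UDP/53 queries aimed at the customer pool with outbound UDP/53 answers leaving it, groups them by the external peer, and flags a peer as a reflection victim when enough distinct customer addresses answer it at a high byte-amplification ratio. The customer prefix, thresholds and sample records are assumptions for the example. Note that the “source” of the inbound queries is the victim’s own address, which is exactly why the flows can name the reflectors and the victim but never the attacker.

```python
"""Find customer devices acting as DNS reflectors in flow records.

Constructed sample data and assumed thresholds; not real ISP telemetry.
Record format: src,sport,dst,dport,proto,bytes,packets
"""
import ipaddress
from collections import defaultdict

CUSTOMER_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed customer modem pool (RFC 5737 range)
MIN_REFLECTORS = 3        # distinct customer IPs answering toward the same destination
MIN_AMPLIFICATION = 10.0  # outbound answer bytes / inbound query bytes

# Constructed sample. 198.51.100.7 appears as the query "source" and is
# therefore the victim; 198.51.100.9 hits only one modem (below threshold);
# 203.0.113.50 is an ordinary customer querying an external resolver.
SAMPLE_FLOWS = """\
198.51.100.7,40001,203.0.113.10,53,udp,60,1
203.0.113.10,53,198.51.100.7,40001,udp,3900,3
198.51.100.7,40002,203.0.113.11,53,udp,60,1
203.0.113.11,53,198.51.100.7,40002,udp,3850,3
198.51.100.7,40003,203.0.113.12,53,udp,60,1
203.0.113.12,53,198.51.100.7,40003,udp,3820,3
198.51.100.9,40010,203.0.113.20,53,udp,60,1
203.0.113.20,53,198.51.100.9,40010,udp,3900,3
203.0.113.50,51000,192.0.2.53,53,udp,70,1
192.0.2.53,53,203.0.113.50,51000,udp,180,1
"""


def parse_flows(text):
    """Parse CSV flow lines into tuples; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append((src, int(sport), dst, int(dport), proto, int(nbytes), int(pkts)))
    return flows


def find_reflection(flows, customer_net=CUSTOMER_NET,
                    min_reflectors=MIN_REFLECTORS, min_amp=MIN_AMPLIFICATION):
    """Return {victim_ip: details} for peers being hit by reflected DNS traffic."""
    query_bytes = defaultdict(int)     # peer -> bytes of UDP/53 queries sent TO customers
    response_bytes = defaultdict(int)  # peer -> bytes of UDP/53 answers sent FROM customers
    reflectors = defaultdict(set)      # peer -> customer IPs that answered it
    for src, sport, dst, dport, proto, nbytes, _pkts in flows:
        if proto != "udp":
            continue
        if dport == 53 and ipaddress.ip_address(dst) in customer_net:
            # 'src' is whatever the attacker forged; in a reflection it is the victim.
            query_bytes[src] += nbytes
        elif sport == 53 and ipaddress.ip_address(src) in customer_net:
            # A customer device answering on port 53 toward the outside world.
            response_bytes[dst] += nbytes
            reflectors[dst].add(src)
    report = {}
    for peer, resp in response_bytes.items():
        amp = resp / query_bytes[peer] if query_bytes[peer] else float("inf")
        if len(reflectors[peer]) >= min_reflectors and amp >= min_amp:
            report[peer] = {
                "reflectors": [str(ip) for ip in sorted(map(ipaddress.ip_address, reflectors[peer]))],
                "query_bytes": query_bytes[peer],
                "response_bytes": resp,
                "amplification": amp,
            }
    return report


def customers_to_notify(report):
    """All customer addresses that took part in any flagged reflection."""
    return sorted({ip for v in report.values() for ip in v["reflectors"]},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    report = find_reflection(parse_flows(SAMPLE_FLOWS))
    for victim, info in report.items():
        print(f"{victim}: {len(info['reflectors'])} reflectors, "
              f"{info['amplification']:.1f}x amplification")
    print("customers to notify:", ", ".join(customers_to_notify(report)))
```

In production the same grouping runs over sampled flows from the aggregation routers; the reflector list feeds the customer notification queue, and the single concentrated destination is the only thing the ISP ever learns about the victim.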

In a way, it’s strange that an unknown party would leverage thousands of cable modems in New Zealand to attack another unknown party in Eastern Europe, but honestly, this is the kind of thing that goes on all the time across the Internet these days. Someone sneezes in Auckland and someone in Poland catches a cold.

Ultimately, it turned out to be sheer coincidence that the attack happened in the days just after the iCloud breach. The media was so taken with the idea that Kate Upton nude photos had caused a DDoS attack that they just took the story and ran with it. It’s not difficult to understand why; it is basically a modern fable of Helen of Troy, whose face launched a thousand ships in the Trojan War. But this is the “boobs that launched a thousand bots.”

So, as far as DDoS stories go, this was a pretty good one, even if it wasn’t entirely true the way it was presented. If there is a teachable moment in any of this, perhaps it is to pose this question: what kind of infrastructure have we built that allows a private skirmish between unknown parties to disable Internet access for large segments of an entire country?
