A cloud of uncertainty

Rory Cellan-Jones
Technology correspondent
@BBCRoryCJon Twitter

image copyrightGetty Images

Two days after stolen celebrity photos started leaking onto the 4Chan website, one thing is clear. And that is that virtually nothing is clear.

Despite all the speculation about Apple's iCloud or other cloud services being hacked, there is still no evidence about exactly how the photos were obtained.

All we know is that some - but not all - of the photos are genuine, and that they have now been spread widely across the web, with some individuals trying to turn a quick profit by offering access in exchange for payment in Bitcoin. At least one of these people has been "identified" as the leaker, but has insisted he was just trying to make a quick buck rather than being the original source.

Apple has not exactly sprung from the starting gate to deal with what are worrying questions about its security. They finally released a statement last night saying "We take user privacy very seriously and are actively investigating this report".

Meanwhile my inbox has filled up with emails from PR people offering "security experts" to comment on the "iCloud hack". When I challenge them on how they know it was an iCloud hack, they explain that they read this in the media. So much for expertise.

One expert, though, was prepared to give a sober analysis of what might have happened without jumping to instant conclusions. Rik Ferguson of Trend Micro told me that as this was a targeted attack on the photos - rather than any other documents - of a distinct group of people, this was unlikely to be a widescale assault on Apple's infrastructure.

Yesterday he came up with a number possible methods used by the hackers - from a phishing attack, to the hacker breaking into another connected account with weaker security. He said that the least likely explanation was that all the celebrities had weak passwords allowing the hacker simply to guess them and log in.

This morning he says that possibility has now moved to the top of his list after news emerged of a potential vulnerability in Apple's systems which would have allowed a so-called brute force attack. This involves bombarding a log-in page with thousands of potential passwords until one works out - and is usually rendered ineffective by that message informing a user their account has been locked after three unsuccessful attempts.

Now it seems that hole has been patched - but it might have been behind the celebrity hack. Or, as Rik Ferguson, admits, this might be a case of correlation not equalling causation. We now need to hear from Apple on whether its engineers think that theory holds water.

The other key question that needs answering, says Ferguson, is how the hackers obtained the email addresses they would have needed to gain access to the victims' accounts. It seems unlikely that they would have got them all in a hurry, making it perhaps more likely that this material has been collected over a long period, perhaps by a group of hackers, and then released all in one go.

For the moment though we are all wandering around in clouds of uncertainty. But one thing is pretty obvious - putting photos online that you do not want the world to see may not be a very safe thing to do.