Scam of the day – October 14, 2016 – 1.5 million dollar bounty offered for iPhone hacking

I have reported to you many times about the “bug bounty” programs used by private companies such as Google and Facebook as well as, more recently, the Department of Defense which offer a “bug bounty” to vetted hackers who are able to identify vulnerabilities in their web pages and computer networks. Private companies, such as Google and Facebook have long made cash payments to independent hackers, sometimes called white hat hackers to distinguish them from the criminal, black hat hackers, who identify vulnerabilities in their computer code.  Generally, these bounties are between $500 and $15,000, however, Google has doubled the reward that it will pay anyone who finds a flaw in the security of its Chromebook to $100,000.   Google has paid out more than six million dollars in bug bounties since the program was started in 2010.  Apple, which had long resisted paying bounties to people finding the worms in their Apples announced  last summer that it will pay $25,000 to people who find vulnerabilities in its digital compartments and into its customers’ data, $50,000 for identifying bugs enabling hackers to gain access into iCloud data and a whopping $100,000 to anyone who finds vulnerabilities in Apple’s firmware.

Private security companies also pay bounties for discovering software flaws in the products we use.  Recently, Zerodium tripled the amount it had previously been offering for hackers who can identify previously undiscovered vulnerabilities in iPhones and iPads to 1.5 million dollars.  Companies like Zerodium make their money by selling their information to governments as well as private companies.  Earlier this year, the FBI paid a million dollar bounty to a security company that provided them with a way to hack into the encrypted iPhone of one of the San Bernadino terrorists.


Bug bounties are a positive strategy for businesses and  government to enhance cybersecurity.  Facebook even paid a bounty to a ten year old Finnish boy.  Although the ten year old white hat hacker used his talents for good, the fact that a ten year old boy has the technological sophistication to identify and exploit vulnerabilities in commonly used software programs should give us all a bit of  concern.  As for us as individuals, the best things we can do to protect our own cybersecurity is to keep our anti-virus and anti-malware software up to date on all of our electronic devices and refrain from clicking on links or downloading attachments in all forms of electronic communication until we have absolutely confirmed that the communications are legitimate.  Otherwise, the risk of downloading malware is too great.

Scam of the day – September 20, 2014 – New nude photo scam

On September 2nd I told you about stolen nude photos and videos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Cat Deeley, Kayley Cuoco, Scarlet Johansson and others being posted on the Internet on websites such as 4Chan.  Now nude photos of Kim Kardashian, Vanessa Hudgens and Hope Solo were again put up on 4Chan and Reddit and becoming a prominent topic on Twitter.  In response to the tremendous amount of criticism that 4Chan received over the Labor Day posting of the celebrity nude photos, 4Chan changed its policy on copyright infringement and consistent with its new policy promptly had the new nude photos removed from the website.   Reddit has also removed the photos.  These new photos were probably obtained in the same manner and even, perhaps by the same hacker involved in the massive Labor Day release of celebrity nude photos.  Although the exact manner by which these photographs and videos were hacked and stolen has still not been definitively determined, Apple has strongly indicated that the problem was not a flaw in iCloud security and that is probably accurate.   Anyone who is able to get someone’s email address and password would find it easy to gain access to that person’s iCloud account and download the photographs and videos.  Obtaining an email address is a relatively easy task for any hacker and passwords can be obtained either from other hacked devices or by, as often is the case, by using the “forgot password” link on Apple’s iCloud, as with other accounts.  The answers to the security questions used to obtain the password through the “forgot password” function are generally easy to find for celebrities whose personal information, such as where they went to high school or other information used in security questions is easily found online.

So, I will again ask the question that I asked first on September 2nd, what does all of this mean to you?

This hacking presents two separate problems.  The first is that identity thieves will be taking advantage of the public’s interest in these photos and videos.  You will be receiving emails, text messages or social media postings with links that promise to bring you to these stolen photographs that will download keystroke logging malware when you click on the links.  Once this malware is installed on your computer, smartphone or other portable device, your personal information will be stolen and the information will be used to make you a victim of identity theft.

The second problem is the same problem faced by the celebrities whose accounts were hacked.  How do you keep your accounts secure?


Don’t give in to the temptation to view these photos and videos online.  Ethically, it is the wrong thing to do.  However, it also is too risky an activity.  You cannot trust any email, text message or social media posting that promises access to these photos and videos.  Many of these will be laced with malware and you cannot know which one’s to trust.  Trust me, you can’t trust anyone.  In addition, identity thieves will be setting up phony websites that promise to provide these photos and videos, but again will only end up installing malware on your computer when you click on links in these websites.  Identity thieves are often adept at search engine optimizing so a phony website might appear high in a search from your web browser.  As for Kim Kardashian, if you believe you need to see nude photos of her, you can easily find photos she took for a Playboy Magazine spread a few years ago on the official Playboy website.

As for securing your own account, you should use a unique password for all of your accounts so if any of your accounts are hacked, all of your other accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the two-factor identification protocols offered by Apple and many others.  With two-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.