The latest scandal to rock the tabloids has gone a whole lot further than even that. Naked photos allegedly of high-profile celebrities have emerged online in an amazing breach of privacy and at some level a huge breach of security. Just what does this mean for you, and what can we all learn?
First and foremost, to those calling this an “iCloud Hack” – calm down. There is no evidence that the entire “iCloud” was hacked – could a vulnerability have been used by these hackers to gain access to specific user accounts? Seems possible.
iCloud is Apples cloud storage and device backup system which allows users to share photos across multiple devices and backup their devices remotely. Google has a similar system in place on many Android phones, particularly with photos via an auto-backup option which, like Apple’s iCloud is on by default once you sign in.
Cloud backups are excellent, they allow you to restore your phone and data if you lose or break your phone, they also allow remote and multiple device access to your data which is great for families and for busy people who use multiple devices.
So, what went wrong here?
Short answer. We don’t know (Update: we now have a statement from Apple – which indicates the scenario is as below). It’s pure speculation, however, here’s a likely scenario. After obtaining these celebrities email addresses (let’s say that came from a stolen laptop which had a spreadsheet of celebs on it, common in Hollywood among agents and TV booking people) the hackers either use software or perseverance to enter password after password until they cracked the code. Similarly, it’s not uncommon for the “forgotten password” feature of sites like Google, iCloud or Facebook to be used to try to obtain access to an account either.
Whatever the case, we sincerely doubt that this is a large-scale “attack”. More likely a targeted hit on these celebrities.
Making matters worse, if it was iCloud, there are reports that until recently the iCloud system allowed multiple login attempts continuously (the aforementioned “vulnerability”). That has since been secured to restrict it to a small number of attempts, preventing what’s known as a “brute force” attack.
So. What can you do? Are your “cloud” files vulnerable.?
Hey, maybe re-think taking the photos in the first place.
Plenty of people are quick to attack me for suggesting people don’t take these photos in the first place, some take that statement out of context (missing the broader advice on security that comes with it), others suggest that we should have a “right to privacy” so should be free to take as many of these photos as we like.
Freedom is great, but for some reason people think we have some sense of security and freedom on the internet that differs to the real world, where you probably wouldn’t keep nudie pics lying around if you were worried about being robbed.
If you want to take the pics, sure, go for it. But, just like your family photos in a box or album at home have always been vulnerable to a criminal breaking into your home, your cloud based photos are too. At home, we have deadlocks on our doors, keylocks on our windows, and perhaps an alarm.
Your insurance company will frown on you if you don’t have window locks, on the internet, having a single password for your cloud storage is about as safe as just having a deadlock on the door.
The hackers will find a way round it. What you need is Two-Step authentication.
Two Step or Two Factor Authentication
Here’s the thing, that password you use for Facebook – I know you use it on Twitter too. Perhaps even on your email.
But, that’s a lot of passwords to remember, so – make the password secure. Strong, include some weird characters ( # % etc) as well as capital letters and numbers in random places along the way.
Then there’s two-step authentication. This is great. But – it’s also a bit of a drag – until you get use to it.
Once enabled, if you enter your password correctly, you are then prompted for a second password – a code number.
Google has a thing called Google Authenticator, Facebook calls it “Code Generator”, others simply send an SMS message. Whatever the system, even if you successfully enter a password, you need to have a verified source of that second “factor” of authentication.
Here’s how it works, you login to a site. Enter your username. Enter your password, then instead of getting into the site, an SMS arrives on your mobile advising you of your “code” – that code is entered on the site and hey presto you are in.
Of course, if the hacker has your phone – your data is open to them – but what are the chances of them a/trying to hack you and b/also having direct access to your phone. Very very slim.
Enabling two-step authentication is an excellent way to secure your online life.
This applies to Facebook, Twitter, Gmail, iCloud and most other good quality internet services. Frankly, if a site doesn’t offer it, they aren’t worth their salt when it comes to security.
You can enable it now, and we recommend you do. Here are the links to enable, or instructions to enable on some of the popular sites
Unfortunately, we live in a world where criminals exist, and people are doing things that we all think are deplorable, so stay safe online, keep yourself and your data safe.
A Statement from Apple
Apple have issued a statement regarding the “celebrity hack” which indicates that Apple is working with Authorities, and encourages all users to have a strong password and use two-stop authentication.
Feature Image credit: Flickr
