Yes, Celebs Had Their iCloud Accounts Hacked. No, You Shouldn’t Shut Yours Off


Caveat: “The following article tries to make the case that you are “relatively safe” and therefore you should NOT stop using the service. That may be true; however, the ONLY TRUE WAY TO BE SAFE is to do exactly that: remove all your data and cancel the service. If you have information you don’t want or can’t afford to get out or be stolen, then you should not be storing it in the public cloud or ANYWHERE OTHER THAN YOUR OWN PRIVATE NETWORK OR PC, PERIOD. As someone who designs and builds Cloud infrastructure for a living, I can tell you without hesitation, the public cloud, or any public hosted service, is the least secure place for ANY DATA. Disregard what the market hype is telling you, or don’t complain when you’re compromised.…” – JNR

The release of numerous nude photos of celebrities over the past several days was apparently made possible by a group of determined hackers who broke into the iCloud accounts of Jennifer Lawrence, Kate Upton and others. Because photos are backed up to iCloud automatically from iPhones — and to Google+ on Android — there has been a spate of articles explaining how you can shut off this functionality to “protect” yourself from being similarly victimized. From The Mirror, in typical tabloid fashion, you’d expect “Celebrity nude photo hacking: How to disable iPhone iCloud backups and keep your pictures safe.” But the normally sober Will Oremus at Slate, with “How to Not Back Up Your Naked Selfies to the Cloud,” seems to have gotten caught in the frenzy too. Ignore them both, and everyone else who tells you it’s better not to use cloud backup. Instead, take some simple steps to get safer and smarter.

Why not just turn it all off?

Simple, it’s about relative risk. You need to consider the chance that someone is going to hack your cloud account against the chance you’re going to lose your phone. While there’s no doubt that the group responsible for revealing more of Selena Gomez than she hoped was determined, the odds anyone is interested in you aren’t particularly great. But the chance your phone will be damaged beyond repair, lost, or stolen is pretty good. When that happens, you won’t just lose the photos on it, but also your contact info, calendar and possibly even some e-mail, depending on how things are configured there.

Oh, and if someone has your phone, there’s a good chance they can get into it and access your pictures anyway. Yes, you can wipe that all out remotely on both iOS (with Find My iPhone) and Android (using this technique). Both of those use cloud services, by the way. So you could turn off the photo backup and use them anyway, but why not just secure your cloud account instead?

OK, how do I do that?

The answer turns out to be pretty simple and slightly complex at the same time. The first thing you need to do is use a good password for iCloud or for your basic Google/Gmail account. Hackers love it when you make their life easy by using “password” or “1234” so you’ll obviously want to go above and beyond. Throw in punctuation, use miXed capS and lowercase, add in s0m3 numb3rs. Sure, you want it to be easy enough to type, so play around with this on your smartphone. But remember that complexity is your friend. (Google has some good advice.)

Also remember that your password can be reset by having a link sent to the e-mail address associated with your account. That’s a huge vulnerability if that account has a lousy password. The complexity of maintaining different, elaborate passwords is frustrating. I can’t keep track of the different variations I use, so I got myself LastPass a few years ago. Others swear by 1Password. Neither works very well on the iPhone itself because of limitations in the way Apple supports browser add-ons, but those should be fixed in iOS 8. Even now, though, LastPass is on my phone, secured by a master password that protects a list of my other passwords called the “vault”. When I forget one, I can look it up. Your Notes file or Word document with a list of passwords, backed up to your Dropbox, is a hacker’s dream. Print a copy, delete it from the cloud and your device, and get a password manager.

A lot of this stuff seems like it shouldn’t be my job?

That’s an entirely fair point. The second most egregious part of the celebrity hacking (after the unconscionable privacy violation) has been blaming the victims, as if they did something wrong. What’s wrong is that security is too damn hard and the way all of this works is beyond incomprehensible. I defy anyone to accurately explain how iCloud photo backup currently works.

Apple left a big hole in iCloud that allowed hackers to try an unlimited number of guesses at passwords without being locked out (since fixed). And far too many apps on both iOS and Android manage to lose your login info over and over, which encourages the use of short, lousy passwords. Things should get better when you can secure login information with TouchID, Apple’s fingerprint sensor, in iOS 8. That ostensibly would allow people to choose nearly uncrackable passwords (LastPass can generate them automatically) but log in with just their finger.
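The control that was missing, sketched as an added example (not Apple's code and not part of the original article): a limiter that stops comparing passwords for an account after repeated failures. The class name, thresholds and account names are assumptions chosen for illustration; failures are counted per account rather than per source address, so spreading guesses across many machines does not help.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account failed-login limiter (hypothetical; thresholds are assumptions)."""

    def __init__(self, max_failures=5, window=300, lockout=900):
        self.max_failures = max_failures  # failures tolerated inside the window
        self.window = window              # seconds over which failures are counted
        self.lockout = lockout            # seconds the account stays locked
        self._failures = defaultdict(deque)
        self._locked_until = {}

    def record(self, account, password_ok, now):
        """Process one attempt at time `now`; return 'ok', 'denied' or 'locked'."""
        if now < self._locked_until.get(account, 0):
            return "locked"  # refused before the password is even compared
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent[0] <= now - self.window:  # drop failures older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
        return "denied"


def guesses_checked(throttle, account, attempt_times):
    """Count wrong guesses that actually reached the password comparison."""
    return sum(throttle.record(account, False, t) != "locked" for t in attempt_times)


if __name__ == "__main__":
    # Constructed input: one wrong guess per second for 1000 seconds.
    throttle = LoginThrottle()
    print(guesses_checked(throttle, "user@example.com", range(1000)))
```

With these settings only 10 of the 1000 guesses are ever compared against the real password; the trade-off is that the account owner is also refused until the lockout expires.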

But I need better security now, there’s something I can do, right?

Yes, in the meantime, both iOS and Android allow you to use 2-factor authentication and you should borrow a page from Nike and “just do it.” In 2-factor, you have to not only enter a password, but also a code that you receive through another means to ensure it’s really you. With Apple, the process involves text messages sent to “trusted devices” and the process is laid out in a pretty clear FAQ. It may sound inconvenient, but once you’ve established that a device is trusted, you won’t constantly be nagged to reconfirm that fact. This kind of security can be very effective against the kind of hack the celebrities fell victim to because it can block account access from a computer that isn’t already verified.

That said, Apple’s implementation of 2-factor security is incomplete right now, as TechCrunch reports. It’s still possible to grab a PhotoStream from iCloud without using the second factor, which is another hole Apple needs to plug in a hurry. Google, incidentally, has a more comprehensive 2-step offering. In addition to sending codes via text message, it can use a special app called an authenticator (which works even if you have no cell coverage) or can call you and read you a code. Apple didn’t respond to TechCrunch’s inquiry about expanding 2-factor to do more, but it seems certain to do so in the near future.

Is there more I can do?

There’s a lot more, which generally falls into two categories. On the one hand, you want to make sure you don’t fall into traps that compromise your information in the first place. So be careful clicking on suspicious e-mails or websites, don’t download things from untrusted sources and stay off of WiFi networks you can’t be sure are reputable. All of those are rapid paths to malware or exploits designed to get hold of your passwords or other credentials.

On the other hand, if you’re really interested in security, you can encrypt your data. That’s hard with an automatic backup function like PhotoStream on iCloud. But it’s possible for sensitive files or important e-mails. Forbes privacy guru Kashmir Hill posted an explainer on sending and receiving encrypted e-mail, for example. Online backup services like CrashPlan use strong encryption that renders your files a bunch of digital gibberish if the servers are accessed without your keys. A tool like CloudFogger can add a layer of encryption to your files on Dropbox, Microsoft’s OneDrive or Google Drive. The use of VPN software can help keep you secure on public WiFi.

Last thoughts?

Yes, the weakest link in most security turns out to be the human element, not the technology per se. A lot of sites let you engage in password resets using security questions. iCloud is one of those. When you’re famous — or just semi-open on Facebook — it’s often really easy to guess the answers to those without being the person about whom they’re being asked. This presents a problem for which the solution is again easy and hard. The easy part is to use absurd security questions like “What is the last name of your favorite elementary school teacher?” instead of “What was the name of your first pet?” There’s a good chance the former isn’t on Facebook while the latter might well be. Or maybe you told David Letterman about Scruffles once. (With 2-factor, the security questions aren’t a vulnerability by the way.)

The fact is your data is a tempting target, even if you aren’t the world’s most famous actress at the moment. And it’s very much up to Apple, Google and Microsoft (along with Dropbox, et al.) to do a better job of making it easier to protect that data from prying eyes. But at the same time, services like automatic cloud backup are hugely valuable. What was once the catastrophic loss of possibly years’ worth of photos is now a mere inconvenience thanks to the cloud. Phone upgrades are routine as you pull all your information from an automatic backup you don’t even need to manage.

The last thing you want to do is stop using all those features just because things went wrong. You didn’t stop using your credit cards after the Target hack (nor will you if this Home Depot situation turns out to be worse). Don’t become a cloud Luddite just because security there isn’t perfect. Treat it like driving, which is inherently dangerous, but usually works out for the best: Make it as safe as you can, know that innovation will make it better over time, and be careful.

Jarrett Neil Ridlinghafer
Founder & CEO/CTO
Synapse Synergy Group, Inc.