photo by Flickr user Janitor
Note, this is Part 2 of a two part article. Part 1 covers what happened, Part 2 focuses on steps people can take to limit their vulnerability to this type of attack.
Now that we have a better idea of how the iCloud photos were hacked and stolen, what steps can we take to protect ourselves? First of all, I recommend changing your password. I’ve heard a couple of strong-password theories. My favorite ideas are using a password generator (Your Mac has one built in! Here’s how to access it.), which can generate a string of characters randomly, or using several unrelated words in a string, jumboorangedeathlydino for example.
Once you have a strong password, another great step to take is changing your security questions. Remember, it’s widely believed that some of the celebrities who were hacked had their passwords reset by hackers being able to look up answers to questions like “Mother’s maiden name” or “City you were born in.” The goal of security questions is to verify identity through specific knowledge that only the password-maker knows.
Instead of answering the questions the way Apple suggests, I use two different ways to set security questions. One way is to answer as a character from a movie I enjoy. For example, “In what city did your parents meet?” for me actually might be my hometown, or a town near there, but for Jeff Lebowski, a character in one of my favorite films, I’d imagine the city is Los Angeles. So I just incorrectly answer the security question using information from films. The second way to “game” the security questions is to arbitrarily answer the questions with strings of text like passwords, but store the passwords securely somewhere physically, like a locked file drawer at home.
An even better way to manage your iCloud security is to enable two-factor authentication. Two-factor authentication is a security measure that requires you to have both your password AND access to your phone in order to sign in. When you sign up for two-factor authentication, you enroll your phone as a “trusted device” which will receive the codes from Apple. I personally have enabled iCloud’s two-factor authentication, so whenever I try to sign in to my iCloud account from a new device or computer, I can’t get in until I enter the four digit code that Apple sends to my phone. Enabling two-factor authentication will cause your iCloud account to no longer use security questions, which is safer as well.
It’s important to note that the method reportedly used by the celebrity photo hackers would work EVEN IF YOU HAD TWO-FACTOR AUTHENTICATION ENABLED. They reportedly used EPPB, which for now, skirts Apple’s two-factor authentication (you can let Apple know how you feel about that by writing firstname.lastname@example.org). So, if using two-factor authentication can’t even protect me, how do I keep my data 100% safe?
To make this sort of breach impossible, you can follow the list below. Remember that additional security almost always comes at the cost of convenience. I think of convenience and security as a sliding scale, and I have to decide which side of that scale I want to tip towards. The following list tends completely toward security, which moves the scale away from convenience.
• Turn off iCloud backups. iCloud backups are unbelievably convenient, but as this labor-day-leak has proven, they can be hacked. To backup your phone without iCloud backups, you simply plug the phone into your computer and use iTunes to back up your phone.
• Delete any old iCloud backups. Simply turning off iCloud backups will not delete your old device backups from your iCloud. Here’s a step by step guide to deleting old backups.
• Turn off Photo Stream. Photo stream can automatically sync photos you take with your iPhone to your Mac. And vice versa, it can sync photos you import to your computer to your phone. To do this, Apple stores your photos on their servers, which we know have been hacked.
• Make sure you encrypt your device backups in iTunes. If someone were to gain access to your computer, and you had backed up your iPhone using iTunes, they could use easily available tools online to create a copy of all your data from your phone in an easy to read format. By checking the little “Encrypt iPhone Backup” button in iTunes, you are securely protecting the full backup of the iPhone. Here’s Apple’s guide on iPhone backup encryption.
It’s important to think of your data as infinitely copy-able and transferable. If you have data that is sensitive, be particularly careful where you store it, how you send it, and the people to whom you send your data. The steps outlined above will make your data safer, but where there’s sensitive data, there will be people trying to find a way to access it. Be careful!