Celebrity iCloud Photo Leak – How Do I Protect Myself?

photo by Flickr user Janitor used under Creative Commons license

Note, this is Part 2 of a two part article. Part 1 covers what happened, Part 2 focuses on steps people can take to limit their vulnerability to this type of attack.

Now that we have a better idea of how the iCloud photos were hacked and stolen, what steps can we take to protect ourselves? First of all, I recommend changing your password. I’ve heard a couple of strong-password theories. My favorite ideas are using a password generator (your Mac has one built in; here’s how to access it), which produces a random string of characters, or stringing together several unrelated words, jumboorangedeathlydino for example.

Once you have a strong password, another great step to take is changing your security questions. Remember, it’s widely believed that some of the celebrities who were hacked had their passwords reset by hackers who were able to look up answers to questions like “Mother’s maiden name” or “City you were born in.” The goal of security questions is to verify identity through specific knowledge that only the account owner knows.

Instead of answering the questions the way Apple suggests, I use two different ways to set security questions. One way is to answer as a character from a movie I enjoy. For example, “In what city did your parents meet?” for me actually might be my hometown, or a town near there, but for Jeff Lebowski, a character in one of my favorite films, I’d imagine the city is Los Angeles. So I just incorrectly answer the security question using information from films. The second way to “game” the security questions is to arbitrarily answer the questions with strings of text like passwords, but store the passwords securely somewhere physically, like a locked file drawer at home.
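The two password strategies above (a generator’s random string versus several unrelated words) and the “random answers, stored offline” trick for security questions, as an added example that is not part of the original post. It uses Python’s `secrets` module; the word list is a constructed stand-in, and the entropy figures assume a real list the size of the 7,776-word Diceware list.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list (e.g. the 7,776-word Diceware list).
# Only the size of the list you actually draw from matters for the entropy estimate.
SAMPLE_WORDS = ["jumbo", "orange", "deathly", "dino", "umbrella", "tangent",
                "velvet", "glacier", "pickle", "rocket", "saddle", "walnut"]

# Generator-style alphabet: letters, digits and punctuation (94 characters).
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_string(length=16, alphabet=SYMBOLS):
    """Generator-style password: `length` characters drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_passphrase(n_words=4, words=SAMPLE_WORDS, sep=""):
    """Unrelated-words passphrase in the style of jumboorangedeathlydino."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform draws from `choices` options."""
    return picks * math.log2(choices)


def security_answers(questions, length=20):
    """Replace guessable security answers with random strings.

    The returned mapping is meant to be written down and kept somewhere
    physical (a locked drawer), never derived from anything public about you.
    """
    return {q: random_string(length) for q in questions}


if __name__ == "__main__":
    print("16-char generator password:", random_string(), f"(~{entropy_bits(94, 16):.0f} bits)")
    print("4-word passphrase (7,776-word list):", word_passphrase(),
          f"(~{entropy_bits(7776, 4):.0f} bits)")
    for q, a in security_answers(["In what city did your parents meet?"]).items():
        print(q, "->", a)
```

The point of the entropy numbers is that four words from a large list is respectable but still well short of a 16-character random string, so lengthen the passphrase if it has to stand alone.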

An even better way to manage your iCloud security is to enable two-factor authentication. Two-factor authentication is a security measure that requires you to have both your password AND access to your phone in order to sign in. When you sign up for two-factor authentication, you enroll your phone as a “trusted device” which will receive the codes from Apple. I personally have enabled iCloud’s two-factor authentication, so whenever I try to sign in to my iCloud account from a new device or computer, I can’t get in until I enter the four-digit code that Apple sends to my phone. Enabling two-factor authentication will cause your iCloud account to no longer use security questions, which is safer as well.

It’s important to note that the method reportedly used by the celebrity photo hackers would work EVEN IF YOU HAD TWO-FACTOR AUTHENTICATION ENABLED. They reportedly used EPPB, which for now, skirts Apple’s two-factor authentication (you can let Apple know how you feel about that by writing feedback@apple.com). So, if using two-factor authentication can’t even protect me, how do I keep my data 100% safe?

To make this sort of breach impossible, you can follow the list below. Remember that additional security almost always comes at the cost of convenience. I think of convenience and security as a sliding scale, and I have to decide which side of that scale I want to tip towards. The following list tips completely toward security, which moves the scale away from convenience.

• Turn off iCloud backups. iCloud backups are unbelievably convenient, but as this Labor Day leak has proven, they can be hacked. To back up your phone without iCloud backups, simply plug the phone into your computer and use iTunes to back it up.

• Delete any old iCloud backups. Simply turning off iCloud backups will not delete your old device backups from iCloud. Here’s a step by step guide to deleting old backups.

• Turn off Photo Stream. Photo Stream can automatically sync photos you take with your iPhone to your Mac, and vice versa: it can sync photos you import to your computer to your phone. To do this, Apple stores your photos on their servers, which we know have been hacked.

• Make sure you encrypt your device backups in iTunes. If someone were to gain access to your computer, and you had backed up your iPhone using iTunes, they could use easily available tools online to create a copy of all the data from your phone in an easy-to-read format. By checking the little “Encrypt iPhone Backup” box in iTunes, you protect the full backup of the iPhone with a password. Here’s Apple’s guide on iPhone backup encryption.

It’s important to think of your data as infinitely copy-able and transferable. If you have data that is sensitive, be particularly careful where you store it, how you send it, and the people to whom you send your data. The steps outlined above will make your data safer, but where there’s sensitive data, there will be people trying to find a way to access it. Be careful!

Celebrity iCloud Photo Leak – What Happened?

Note, this is Part 1 of a two part article. Part 1 covers what happened, Part 2 focuses on steps people can take to limit their vulnerability to this type of attack.


The leak of hundreds of celebrity nude photos over Labor Day weekend has many people pointing the finger at Apple’s iCloud. Many of the celebrities whose photos leaked used iCloud to back up their phones. Apple claims the leak was the result of “a very targeted attack on user names, passwords and security questions.”

What does this mean?

As new information comes to light, the depth and age of the hacks are shocking. Gawker reports that “As far back as ‘a few weeks ago,’ a Deadspin reader tipped the sports site to the alleged existence of a large collection of private photographs stolen from celebrities.” All investigations are circling an unorganized online club of people who specifically tried to gain access to celebrities’ private images.

One of the victims of the hack, Mary E. Winstead said

This online club of illicit photo traders has reportedly been dealing in these photos for years. Again, most of this info is pieced together from many reports, but supposedly someone decided to try to sell the cache of photos, and other traders caught wind and also decided to try to cash in, which led to the hundred or so photos being leaked over the course of Sunday, August 31.

There are several possible ways that the hackers gained access to the sensitive pictures. Once the hackers knew a celebrity’s iCloud email address, they could either use a brute-force password cracking program (Apple closed the security hole that made this possible by Tuesday, September 2), use information from articles and interviews with the celebrities to guess the password to their iCloud accounts, or use that same info to reset the passwords by answering the security questions.

Once the hackers had the iCloud password, it is widely believed that they used the law-enforcement tool Elcomsoft Phone Password Breaker (or EPPB, as it’s commonly known) to download and peruse iPhone backups from the cloud. This tool is legal. If someone knows your iCloud username/email and your password, they can then download a backup of your entire phone to their computer and peruse whatever they’d like, including texts, photos, and emails.
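From the service side, the brute-force and guess-then-download chain described above leaves a recognisable trace: a burst of failed sign-ins for one account followed shortly by a success. The detection logic below is an added example, not part of the original post or of any Apple system; the log format and the sample lines are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO timestamp> <account> <source IP> <event>".
# alice: 25 failures in under a minute, then a success (a guessed password).
# bob:   two typos, then a success (normal user behaviour).
SAMPLE_LOG = [f"2014-08-31T02:00:{i:02d} alice@example.com 203.0.113.5 LOGIN_FAIL"
              for i in range(25)] + [
    "2014-08-31T02:00:40 alice@example.com 203.0.113.5 LOGIN_OK",
    "2014-08-31T09:15:00 bob@example.com 198.51.100.9 LOGIN_FAIL",
    "2014-08-31T09:16:00 bob@example.com 198.51.100.9 LOGIN_FAIL",
    "2014-08-31T09:20:00 bob@example.com 198.51.100.9 LOGIN_OK",
]


def parse(line):
    ts, account, ip, event = line.split()
    return datetime.fromisoformat(ts), account, ip, event


def find_guessing(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag accounts with >= `threshold` failed sign-ins inside a sliding `window`.

    Returns {account: {"fails": peak failures in window, "ips": source IPs seen
    during the burst, "success_after_burst": True if a LOGIN_OK followed the
    burst within `window`}}.
    """
    events = sorted(parse(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # account -> (timestamp, ip) of recent failures
    alerts = {}
    for ts, account, ip, event in events:
        q = recent[account]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if event == "LOGIN_FAIL":
            q.append((ts, ip))
            if len(q) >= threshold:
                a = alerts.setdefault(account, {"fails": 0, "ips": set(),
                                                "success_after_burst": False})
                a["fails"] = max(a["fails"], len(q))
                a["ips"].update(src for _, src in q)
        elif event == "LOGIN_OK" and account in alerts and q:
            # Success right after a burst is the signature of a guessed password.
            alerts[account]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for account, info in find_guessing(SAMPLE_LOG).items():
        print(account, info)
```

The same rule, with a lockout or step-up challenge attached to the threshold, is the rate limiting whose absence the brute-force tool relied on.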

This is the short version of “how it happened.” For longer, deeper-reads, I recommend the Washington Post’s piece, Deadspin’s original piece, and Gawker’s piece. Also, check out Part 2 of this article, which focuses on what you can do to protect yourself.

Quick Tip: Bring Back Buttons in iOS 7

Starting with iOS 7 Apple changed many of the default buttons to remove the outline; now you just tap the word to press the button. There’s a setting hidden in the Accessibility settings that brings back the actual outline of the buttons.

To activate this great feature go to Settings, General, Accessibility, then scroll down to Button Shapes, and turn it on. Now you should see a gray outline where all the buttons are.

iOS 7 Button Outlines

In the image above, the left is what Calendar looks like BEFORE turning on Button Shapes, the right side is AFTER. Note the gray boxes.

How to Have the Best Umbrella – Using on-site and cloud-based backups to prepare for the worst rainy day

Office worker slumped on his desk

As computers become a bigger part of our lives, our pictures, documents, movies, and other data are increasingly stored on our computers or devices. Those hard drives and gadgets are susceptible to being dropped, stolen, damaged, or lost, not to mention the fact that they fail on their own once in a while. The need to be confident in our backup has never been greater.

On Site Backup

Having a local hard drive that backs up everything on your computer is a necessity. With a Mac, Time Machine makes backing up your entire computer a no-brainer. All you need for Time Machine is a hard drive that can connect to your Mac. You can find good deals on the kinds of hard drives needed at amazon.com. Configuring Time Machine is as simple as:

Open System Preferences, select Time Machine, turn Time Machine on and select your new hard drive. The Mac operating system will take care of the rest.

You should set this up immediately if you’re not already backing your computer up somehow.
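Once Time Machine is on, the failure mode to watch for is a backup that quietly stops running. The check below is an added example (not from the original post or from Apple): it reads the timestamp Time Machine puts in each snapshot’s folder name, as reported by the real `tmutil latestbackup` command on macOS, and flags a stale backup. On other systems it falls back to a constructed sample path.

```python
import re
import subprocess
import sys
from datetime import datetime

# Time Machine names each snapshot after its completion time, e.g.
#   /Volumes/Backup/Backups.backupdb/MyMac/2014-09-01-103000
# (APFS-era snapshots carry a trailing ".backup"); the regex accepts both.
SNAPSHOT_RE = re.compile(r"(\d{4}-\d{2}-\d{2})-(\d{6})(?:\.backup)?/?$")


def snapshot_time(path):
    """Parse the completion timestamp out of a Time Machine snapshot path."""
    m = SNAPSHOT_RE.search(path)
    if not m:
        raise ValueError(f"not a Time Machine snapshot path: {path!r}")
    return datetime.strptime(m.group(1) + m.group(2), "%Y-%m-%d%H%M%S")


def backup_age_hours(path, now):
    return (now - snapshot_time(path)).total_seconds() / 3600


def backup_is_stale(path, now, max_hours=24):
    """True if the newest snapshot is older than `max_hours`."""
    return backup_age_hours(path, now) > max_hours


def latest_backup_path():
    """Ask Time Machine for the newest snapshot (macOS only); None if unavailable."""
    if sys.platform != "darwin":
        return None
    try:
        out = subprocess.run(["tmutil", "latestbackup"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed fallback path so the script runs off macOS as well.
    path = latest_backup_path() or "/Volumes/Backup/Backups.backupdb/MyMac/2014-09-01-103000"
    now = datetime.now()
    state = "STALE" if backup_is_stale(path, now) else "ok"
    print(f"{state}: latest backup {path} is {backup_age_hours(path, now):.1f} h old")
```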

Off-Site Backup

A local Time Machine backup is fast, inexpensive, and comprehensive. But it does no good in the case of theft, fire, or hurricanes, any one of which could damage all the electronics in your home. Because of this danger, I strongly suggest having an off-site backup in addition to a local Time Machine backup. My personal favorite is CrashPlan from Code 42. CrashPlan is a free program that runs on your computer. It can back up to another computer, a server in your network, or, as we’re discussing in this case, the CrashPlan cloud. For a reasonable price, CrashPlan will back up all the most important files from your computer to their data center. (There are cheaper alternatives out there; if you know what you’re doing, by all means save a bit of money here. I think CrashPlan is the easiest and best off-site backup for the price.)

Once you install CrashPlan, you need to create an account. Here’s where you would sign up for the paid account, which is what you’ll need for off-site backup to CrashPlan. Configure CrashPlan to back up to CrashPlan Central, which is their data center. Once it’s configured, CrashPlan will take care of the rest in the background. CrashPlan even throttles its own speed so your internet browsing is not negatively affected.


Having a complete local backup and a secondary, cloud-based backup should help you rest easier. As Jimmy Fallon’s character says in Almost Famous, “I didn’t invent the rainy day, man. I just own the best umbrella.”