Internet Guide

What Jennifer Lawrence can teach you about security

What Jennifer Lawrence can teach you about security

iCloud under fire

Following the leak of private photos and videos of multiple well-known actresses this weekend, Apple has been accused of an alleged breach of security in its iCloud service. Apple is said to be investigating, with Apple spokeswoman Natalie Kerris saying “We take user privacy very seriously and are actively investigating this report."

But this isn't the first time Apple has come under fire for a celebrity-related security issue. In 2011, a number of celebrities, including Christina Aguilera and Scarlett Johansson were hacked by a Florida man who basically guessed their iCloud passwords or recovered them using publicly known personal details. He then set up forwarding addresses in their e-mail accounts to an account he controlled, which allowing him to answer security confirmation e-mails and take control of their devices.

Rik Ferguson, vice-president of security research at Trend Micro, has suggested that weak passwords and a lack of two-factor authentication may have led to the most recent security breach if iCloud is found to be the source of the leaked images. Two-factor authentication combines your password with a pin number either sent to your phone in a text, or created by an app on your phone. It has been available on iCloud since March 2013, but apparently very few people make use of it.

The Next Web also reported that a Python script shared on Github a few days ago may have allowed hackers to exploit a vulnerability in Find My iPhone. The tool allowed hackers to repeatedly guess passwords without being locked out of an iCloud/Apple ID account, brute forcing their way into accounts. Though it is unclear if the tool was responsible for any hacked celebrity accounts, Apple did fix the vulnerability earlier today. Attempting to use the tool now locks an Apple ID after five attempts to guess a password.

But what if iCloud isn't to blame? It's worth noting that in many of the photos, the celebrities pictured are clearly using Android smartphones to take selfies. The range of devices used may mean that another backup service like Dropbox or Google Drive could be the actual source of the leaked photos, as both services also offer automatic backup tools for photos and videos from your smartphone, just like iCloud.

Or it could be something completely different. One of the strangest theories surrounding the hack is that a group of celebrities who attended the recent Emmy Awards were somehow hacked using the venue’s Wi-Fi connection. The Black Hat USA conference is often touted as an example of the dangers of using venue Wi-Fi for awards or conferences, with the conference operating a “Wall of Sheep” to showcase the various attendees who have been hacked.

Whatever the actual source, UK comedian Ricky Gervais probably summed it up the best when he tweeted:

While it's not J-Law's fault that she got hacked - she's definitely a victim here - she, as well as the rest of us, should be more aware in future that anything stored in the cloud, no matter what service you're using, is fundamentally insecure.

How to keep your photos safe

Start with a good password. Long complicated passwords that are a jumble of letters and numbers aren't actually that secure - and you'll probably have to write them down to remember them yourself, which means it isn't safe. Instead, make use of two-factor authentication, which is offered by Apple, Google and Dropbox, as well as a number of other cloud hosting services. Two-factor authentication combines your password with a pin number either sent to your phone in a text, or created by an app on your phone. It means that anyone wanting to steal your password would have to steal your phone as well as guess or crack your password. It can be inconvenient, but it's definitely worth doing if you want to use cloud storage safely.

Better yet, as Ricky Gervais suggests, don't even put your photos on the cloud in the first place. Here's how to turn off the automatic backup services offered by the three main providers.

iCloud

In all of your iOS devices - and your Mac if you have one - you can disable Photostream. In iOS, it's in Settings under iCloud . On a Mac it's in System Preferences, again in the iCloud window. If you turn Photostream off on all of your Apple devices, it will delete any automatically stored pictures from iCloud. You might also have to delete any manually shared photostreams to ensure everything is removed.

Google, Android or Picasa

Google's automatic photo backup can be disabled by opening the Photos app on your Android device. Open the Settings menu, then go to Auto-Backup and uncheck the Back up local folders option.

You can also delete the photos stored in the cloud individually, by tapping them and pressing the trashcan icon, or by pressing the menu button, then Select, and choosing multiple files. Press the trashcan icon to delete the files.

Dropbox

The Dropbox app for iOS and Android can be set to upload every photo or video you take into the cloud. You can turn this off in the Settings window of the app, by selecting "Turn off Camera Upload." Unfortunately, doing this won't automatically delete anything already uploaded to Dropbox.

To do that, you'll need to go into the Camera Uploads folder in your Dropbox and delete them manually. Premium Dropbox users should also log in to the Dropbox Website, check their file storage and manually delete anything they don't want in there. Do this by selecting the file, clicking the More button, then selecting delete. This will get rid of it permanently.

Source: Re/code, The Next Web, The Guardian, PCMag