What the iCloud 'hack' can teach us

We awoke yesterday morning to the entirely unnecessary sight of the presumed personal photos of several celebrities, the pictures ranging from the fully clothed "mirror selfie" to the far more explicit.

Victims included Jennifer Lawrence, Ariana Grande, Kate Upton and Victoria Justice.

For obvious reasons, clicking on links to "naked celebrity" photos or opening e-mail attachments related to this would be a very bad idea right now - expect criminals to ride this bandwagon immediately.

The images first surfaced on the infamous 4chan image board, where the author is claiming to have much more photographic and even video material, stolen from Apple iCloud accounts and for sale to the highest bidder.

The reality of many of these images poses an uncomfortable question for anyone using iCloud and, indeed, anyone who has anything they would rather keep private: Is my cloud storage safe?

A wide-scale "hack" of iCloud is unlikely - even the original poster is not claiming that. The fact that certain celebrities are involved and the nature of the stolen material make this seem far more targeted. So, how could it have happened?

Possible scenarios

» (Least likely) All the celebrities affected had weak, easy-to-guess passwords. The hacker simply worked them out and logged in.

» If the attacker already knew the e-mail address which a victim is using for iCloud, then he could have used the "I forgot my password" link, assuming that the victim had not enabled two-factor authentication for iCloud.

Without two-factor authentication, the password reset uses the traditional "security question" method.

The peril in this for celebrities is that much of their personal information is already online. A security question such as "Name of my first pet" may be a lot less "secret" for a celebrity than it is for you and me.

» The attacker broke into another connected account with a weaker password or security, perhaps a webmail account that is used to receive password reset e-mail messages sent by iCloud.

» Password reuse. Too many people are happy to use the same password across multiple services.

With so many people affected by recent high-profile mega-breaches, the number of simple lookup services for stolen credentials and the amount of details for sale online have skyrocketed.

At the same time, the price of stolen data has tumbled, thanks to oversupply.

Of course, if the victim is using the same password for iCloud as for another already compromised or easily compromised service, the doors to iCloud are open.

» Phishing. It's old school, but it still works. A targeted phishing mail sent to a number of celebrities, enticing them to enter their iCloud credentials onto a fake login page, would do the job just as well as any more complex hack.

Next: What are the lessons here?

What are the lessons here for all of us?

If an online service is offering you options that increase your security, enable them.

Even if you feel that turning on two-factor authentication may be slightly more inconvenient for you when logging in, I'm willing to bet that a compromise of a service at the heart of your digital life will be considerably more so.

Do not reuse passwords. 

It is never a good idea to use the same password across multiple websites, so try to have a unique one for every site you use.

Better yet, use a password manager which offers you the convenience of having to remember only a single password with the security of unique passwords for every service.

As for those security or password reset questions, consider whether the answers are really secure.

Secure means that you are the only person who can answer the question.

If the possibility exists to create your own questions, use it. If you are obliged to answer more standard questions, such as "First school" or "First pet", remember that the answer doesn't have to be the truth, it only has to be something you can remember.

"Deleted" may not always mean deleted, as some of these victims are discovering.

Familiarise yourself with the online services you use, find out if backups or shadow copies are taken and how they can be managed. In this case, it seems that some of the victims may have believed that deleting the photos from their phones was enough, forgetting about Apple's Photo Stream.

Oh, and another thing. Stop taking naked photos.

myp@sph.com.sg

The writer is Trend Micro's global vice-president for security research.

Get MyPaper for more stories.