By now, just about everyone with a functioning television, radio or router has become aware of the latest celebrity hacking scandal to sweep Hollywood. Upwards of a dozen celebrities have come forward in the last few days to confirm the theft of their private photos, though some leaked lists found online suggest that over 100 celebrities may have been victims of the data theft.
This developing story is so far turning from a standard celebrity phone hack to a large data leak with quite far-reaching implications, most particularly for Apple and its highly popular iCloud backup and storage service.
At this stage, it’s difficult to sort the rumours from the hard facts. At BreachAlarm, we’ve been working hard to bring you what’s actually known about the hack, as well as what it means for the average user with an iCloud account.
So, here’s what we do know: overnight, Apple has issued a press release in response to the incident, stating that the compromise was a targeted attack and not an indictment of the security of its iCloud or Find My iPhone services. It also offers some words of advice for its users: namely, having a strong password and enabling two-factor authentication.
However, according to a new article by security expert Nic Cubrilovic, there is little that the celebrities involved could likely have done to stop the attacks, with a few security bugs lurking within Apple’s authentication system possibly at fault. Among these bugs, experts point to the lack of any limit on how many times a client could check whether an email address had an account and whether a password was correct. This might have facilitated a so-called ‘brute force’ attack, in which the attacker floods the server with trial-and-error guesses until a target account is identified and a matching password is found.
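The weakness described above comes from letting a client try account names and passwords without limit. As an added example (not Apple’s code and not part of the original post), the Python below shows the two defensive controls a login endpoint needs to blunt this: failed attempts are throttled per account with exponential backoff, and the error returned is the same whether the account exists or not, so an attacker cannot use the login form to confirm which email addresses have accounts. The user store, account names, password and thresholds are constructed placeholders.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Constructed placeholder user store: username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))

USERS = {
    "alice@example.com": _make_user("correct horse battery staple 1!"),
}

# Dummy credential hashed for unknown accounts so the server does the same
# work, and gives the same answer, whether or not the account exists.
_DUMMY_SALT, _DUMMY_HASH = _make_user("unused-dummy-password")

MAX_FREE_ATTEMPTS = 5       # failures allowed before throttling starts
BASE_DELAY_SECONDS = 30     # first lockout window
MAX_DELAY_SECONDS = 3600    # cap on the backoff window


@dataclass
class AttemptState:
    failures: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Login check that throttles failures per account and returns one
    generic error regardless of whether the account exists."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.state: dict[str, AttemptState] = {}

    def _backoff(self, failures: int) -> float:
        # Exponential backoff once the free attempts are used up:
        # 30 s, 60 s, 120 s, ... capped at MAX_DELAY_SECONDS.
        excess = failures - MAX_FREE_ATTEMPTS
        return min(BASE_DELAY_SECONDS * (2 ** excess), MAX_DELAY_SECONDS)

    def login(self, username: str, password: str) -> str:
        """Returns "ok", "throttled" or "invalid". The "invalid" answer is
        identical for a wrong password and for a non-existent account."""
        st = self.state.setdefault(username, AttemptState())
        now = self.clock()
        if now < st.locked_until:
            return "throttled"

        salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = _hash_password(password, salt)
        # compare_digest keeps the comparison itself constant-time; the
        # membership check makes sure the dummy credential can never log in.
        ok = hmac.compare_digest(candidate, expected) and username in USERS

        if ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FREE_ATTEMPTS:
            st.locked_until = now + self._backoff(st.failures)
        return "invalid"


class FakeClock:
    """Controllable clock so the lockout window can be demonstrated offline."""
    def __init__(self, start: float = 1000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    for i in range(6):
        print(i + 1, guard.login("alice@example.com", "wrong-guess"))
    print("unknown account:", guard.login("nobody@example.com", "anything"))
    clock.t += BASE_DELAY_SECONDS + 1
    print("after window:", guard.login("alice@example.com",
                                       "correct horse battery staple 1!"))
```

The throttle state is per account rather than per source address, because a brute-force attacker can spread guesses across many addresses; in a real deployment the state would live in a shared store rather than a dictionary, and the same generic response should also be used by any password-reset or “does this account exist” endpoint.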
What’s more, TechCrunch reports that Apple’s current two-factor authentication (2FA) doesn’t protect iCloud backups or Photo Streams, meaning that once the attacker was inside, all information within the account would have been easily accessible. Security researchers were sounding alarm bells about this weakness in Apple’s 2FA feature way back in May 2013.
A quick word of warning to loyal Android and Windows Phone users: don’t be complacent. At least some of the celebrities speculated to be hacked were using these platforms as well. Google Backup is Android’s answer to Photo Stream, automatically backing up all your photos and videos to its cloud service. This means that your Google account is a juicy mark for would-be hackers, so make sure you secure it as best you can.
If you’re a smartphone user with cloud backups enabled, keep these security ‘best practices’ in mind. There are indeed some proactive steps you can take to stay safe:
- We know you hear this a lot, but it bears repeating: pick out a strong password. Include numbers, symbols, upper and lowercase letters, and make it long: 16 characters keeps your password safer from automated ‘brute force’ attacks.
- Enable two-factor authentication. Take a look at our guide to what it is, how it works and how to make it work for you. This alone won’t protect your data in services like Apple’s iCloud, but it will prevent your super-strong password from being reset and bypassed without your knowledge.
- Create a special, secret email address for password recovery (we’ll show you how). This way, if your regular email is breached, hackers won’t be able to carry out total devastation on your accounts.
Finally, one of the best things you can do for your cloud account is to pick out some great security questions. Tune in next week for BreachAlarm’s guide to creating security questions that work to your advantage.