Tuesday, September 02, 2014

The celebrity photo leak/hack: lessons for securing devices and cloud accounts

Over the weekend, a deluge of intimate photos of celebrities appeared on the internet, first on 4Chan and then on Reddit (CBC report). Surely, they are in other places now. What is unclear at the moment is how the images were obtained in the first place. There has been speculation that the photos came from iCloud accounts compromised by a brute-force password attack, and even a suggestion that the WiFi at the Emmy Awards was somehow compromised. Other discussions online suggest that the photos have been traded for years among avid collectors. It will be very interesting, from a privacy and security point of view, to learn how it actually happened.

In the meantime, this serves as a reminder about what steps most people should take to secure their sensitive personal information on their devices and in the cloud.

Increasingly, people are carrying more and more sophisticated devices with onboard cameras that automatically sync data to remote servers. I am not at all interested in blaming the victims. People are taking photos of everything from the most banal moments in their lives to the most intimate. Like it or not, it's simply a fact. While celebrity images are the most sought-after, images of ordinary people have been scraped from unsecured image hosting sites with traumatic results.

Most smartphones are reasonably secure out of the box, and responsible vendors patch vulnerabilities as they are discovered. However, they rely on humans, who may not be technically minded, as the first line of defence. All of these devices and services are protected by passwords, and people tend to choose very weak, easily guessed passwords. That can be fixed, and people can take additional steps to protect their information.
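To make the "weak, easily guessed" point concrete, here is an added example (not code from the original post) that puts numbers on password strength: it computes the entropy of a secret from the size of the pool it is drawn from and its length, generates a word-based passphrase with the operating system's cryptographic random source, and compares how long exhaustive guessing would take. The word list is a small constructed sample, and the two guess rates (a throttled online login at 10 guesses per second, an offline cracker at ten billion per second) are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed sample pool for the demo. A real generator uses a published list
# of several thousand words (for example a diceware list); only the pool size
# in the entropy formula changes.
WORDS = [
    "correct", "horse", "battery", "staple", "orange", "river", "pencil", "cloud",
    "window", "silver", "maple", "rocket", "candle", "harbor", "puzzle", "velvet",
    "anchor", "meadow", "copper", "lantern", "glacier", "thunder", "basket", "mirror",
    "saddle", "walnut", "compass", "feather", "tunnel", "violet", "marble", "summit",
]

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols, each drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def generate_passphrase(words, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words with the OS CSPRNG (the secrets module), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possible secret at the given rate (on average the attacker
    succeeds after about half of the space)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_strengths():
    """Side by side: an 8-character mixed-case alphanumeric password versus passphrases
    built from a 7776-word list (the size of a standard diceware list)."""
    cases = {
        "8 chars from 62 symbols": entropy_bits(62, 8),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
    }
    # Assumed attacker models: a throttled online guesser (10/s) and an offline
    # cracker working on a stolen password hash (1e10/s).
    return {
        name: {
            "bits": round(bits, 1),
            "online_years": years_to_exhaust(bits, 10),
            "offline_years": years_to_exhaust(bits, 1e10),
        }
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(WORDS, 4))
    for name, result in compare_strengths().items():
        print(f"{name}: {result['bits']} bits, "
              f"offline exhaustion ~{result['offline_years']:.2g} years")
```

The takeaway the numbers show: four random words from a 7776-word list already beat a random 8-character password, and each extra word adds about 13 bits, which multiplies the attacker's work by roughly 7776. The rate difference between the online and offline columns is also why a leaked password-hash database is so much more dangerous than a login form that throttles guesses.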

  1. Try to learn the basics of how your device works, particularly what is synchronised and backed up to online services; check your default settings;
  2. Secure your device with a PIN or password (How to: Android and iOS);
  3. Add encryption to your device, if possible (How to: Android);
  4. Add remote management so you can lock or wipe your device if it is lost (How to: Android (I also like Cerberus Anti Theft) and iOS);
  5. Use a strong password for all your accounts; the longer the better. (Read this XKCD comic. Read it, learn it, live it.)
  6. Consider a password manager like LastPass to generate complicated passwords for your accounts and to keep them safe. But protect your password vault with the most complicated and longest password you can reliably remember.
  7. Use two-factor authentication for your cloud accounts. While not particularly intuitive, two-factor authentication protects your account even if your password is compromised. This is critical. (How to: Google Accounts, Dropbox, and most other places.) Any account to which you sync your personal images and video should be protected by two-factor authentication.
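Item 7 is the one people skip because it feels abstract, so here is an added example (not from the original post) showing what the second factor actually does on the server side. It implements the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that Google Authenticator-style apps use, and a login check that requires both a correct password and a correct current code. The user record, its salt and its PBKDF2 settings are constructed for the demo; the TOTP secret is the reference secret from the RFCs so the generated codes can be checked against their published test vectors.

```python
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238, used so codes can be checked
# against the RFCs' published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side
    (phone clock drift). Every candidate is compared in constant time and none
    short-circuits, so timing does not reveal which step, if any, matched."""
    if at is None:
        at = time.time()
    counter = int(at // step)
    matched = False
    for c in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, c, digits), code)
    return matched


# Constructed user record. The password is stored only as a salted PBKDF2 hash;
# the TOTP secret is a separate credential that only the server and the user's
# phone hold, so a leaked password on its own does not unlock the account.
PBKDF2_ROUNDS = 100_000
USERS = {
    "alice": {
        "salt": b"constructed-salt-value",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                       b"constructed-salt-value", PBKDF2_ROUNDS),
        "totp_secret": RFC_TEST_SECRET,
    }
}


def login(username: str, password: str, code: str, at=None) -> bool:
    """Both factors must pass. Both are evaluated even when the first fails,
    so the response time does not tell a guesser which factor was wrong."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at=at)
    return password_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 8-digit SHA1 code is 94287082.
    print("code at T=59 (8 digits):", totp(RFC_TEST_SECRET, at=59, digits=8))
    print("current 6-digit code:", totp(RFC_TEST_SECRET))
    print("login with password only, wrong code:",
          login("alice", "correct horse battery staple", "000000"))
```

The point to notice in `login` is that the password check passing changes nothing unless the code is also right, and the code is derived from a secret that was never typed into any website, so it is not in the password dumps that brute-force and credential-reuse attacks feed on. The `window` parameter is the usual compromise between tolerating a phone whose clock is a minute off and keeping each code valid for as short a time as possible.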

With these measures in place, you're much more secure than most people. But there is no such thing as perfect security. Knowing that there are malevolent people out there looking for this kind of content and other sensitive personal information, the next question needs to be: "Am I satisfied that this is as secure as it needs to be, in light of the nature of the information and the consequences of a leak?"

UPDATE: According to TechCrunch, Apple's two-factor authentication DOES NOT PROTECT iCloud or Photo Stream. This is a major shortcoming. I would recommend not using iCloud for anything personal or sensitive until Apple fixes this gaping omission.
