Apple is in the news for all the wrong reasons just before a major ‘event’. You may have heard that some celebrities have had compromising images of themselves published online. Bad enough, maybe, but the real shock seems to be that the images came via hacked-into iCloud accounts.
Quelle horreur! This is iCloud? Isn’t Apple’s iCloud super-secure?
Well, yes and no. iCloud is super secure, but no matter how secure it might be, I can access all my data, images, settings, mail, schedule etc by entering in my Apple ID email address and my Apple ID password. Which means that if you have those two things, so can you, no matter how many layers, encryptions, secure servers, double-entry security, firewalls and protection levels there might be. After all, that’s the point – to give you access, with your Apple ID and password, to your stuff.
Unfortunately, we live in a veritable snowstorm of passwords these days. We need increasingly complex and different ones for everything. Most people don’t have a hope of remembering them. I have three main ones and the passwords based on these all vary. Some combine two in different ways. Some just add more characters or capitals or … you know the drill. So how to remember? Write them down … yeah, right. That’s a massive security risk right there. (My password document is hidden on an invisible volume … behind yet another password!)
Of course it’s easier to use the one password you easily remember, perhaps with an appended 1, 2 etc for different things. But if you use the same password for everything, someone gaining that one password has the key to the gates of your informational kingdom.
Social mining — Also, if it was easy for you to come up with in the first place, chances are it’s not that hard for someone else to guess too, particularly if they do a little ‘social mining’. It’s not exactly difficult to get someone’s email address. We pass them around like we used to pass around business cards. On Facebook, you mention you still miss your first dog Boodle and you were born in 1970 … Boodle1970 becomes an obvious password for someone maleficent to try. Now they have your Apple ID email address and your password. And you thought you were safe …
So if you’re one of those people who accepts every Facebook friend request, even from people you don’t know, you should probably rethink that strategy.
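As an added example (not part of the original post), here is a check a signup or password-change form could run to reject the two habits described above: passwords built from facts anyone can read on a profile, and one remembered password reused with a digit appended. The function names, the substitution table and the sample data are assumptions made for illustration.

```python
import re

# Common character substitutions undone before comparison (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def stem(password):
    """Lower-case the password and strip trailing digits and punctuation."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def guessable_reasons(password, public_facts, other_passwords=()):
    """Return the reasons a candidate password is guessable from public facts
    or is a trivial variant of a password already used elsewhere."""
    reasons = []
    lowered = password.lower()
    unleeted = lowered.translate(LEET)

    for fact in public_facts:
        token = fact.lower()
        if len(token) < 3:
            continue  # too short to match meaningfully
        # Years and dates are matched on the raw text; words are also matched
        # after undoing substitutions such as 0 -> o.
        if token in lowered or (token.isalpha() and token in unleeted):
            reasons.append(f"contains public fact '{fact}'")

    for old in other_passwords:
        if stem(old) and stem(old) == stem(password):
            reasons.append("same stem as a password used elsewhere")
            break

    return reasons


if __name__ == "__main__":
    # Constructed sample data based on the example in the post.
    facts = ["Boodle", "1970"]
    for candidate in ("Boodle1970", "B00dle!", "Sunshine2", "correct-horse-battery-staple"):
        print(candidate, guessable_reasons(candidate, facts, ["Sunshine1"]))
```

An empty list means neither habit was detected; it does not mean the password is strong.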
But back to iCloud – yes, it is very secure. Its users, unfortunately … not so much. Apple released a statement on Tuesday (pictured, in part, above) claiming that stolen celebrity photos released over the US holiday weekend were the result of targeted attacks on individual accounts, rather than a breach of iCloud security or, significantly, Find My iPhone, which was another potential hack-avenue posited by some. Apple said, in an Apple Media Advisory, it was continuing to investigate.
There was, by the way, a Find My iPhone exploit, but Apple patched that really fast and reckons it wasn’t involved.
Boris Gorin, head of security engineering at FireLayers, agrees that iCloud security probably wasn’t the culprit. “The images leaked have been gradually appearing on several boards on the net prior to the post at 4chan – making it reasonable to believe they were not part of a single hack, but of several compromises that occurred over time.” In fact, he thinks the celebrities may have been hacked while connected to an open public Wi-Fi network at the Emmy Awards. If they accessed their personal iCloud accounts, attackers connected to that network would have been able to intercept and capture the username and password credentials.
But the bigger picture is the cloud. I met someone just this week with a little MacBook Air – they don’t have much storage space – and all her documents were in a 1TB Dropbox account. This means they’re accessible anywhere, sure, but it also means she doesn’t have a personal backup of them.
If someone stole her laptop, they’d also have access to all those documents.
As for nudie photos, you’re more than welcome to have nudie pix of yourself wherever you like – but in the cloud? At least you are responsible for the security of your own devices. You have to hope whichever vendor handles your cloud services is at least as secure, in practice, as you are, although preferably a whole lot safer still. When I trained people at the ASB, the only two apps people weren’t allowed on their company iPads were Dropbox and Google Drive, thanks to breaches they’d already suffered and/or other security concerns.
Of course, for many things, the cloud (aka a folder on a hard drive somewhere you access over the internet) is very convenient – but just remember, you don’t actually know who’s looking after them, or where those files actually are. And yes – cloud services make an extremely attractive target for the ever-eager hackers. I’m not saying it’s your fault if it happens to you, I’m saying ‘be careful and think about what you put where and why’.
But just to show you how seriously this is being treated, the FBI is currently ‘addressing’ the stolen photos, and Apple says that it’s working with law enforcement to help identify the culprits.
I wish them success.