Back in May, Jennifer Lawrence joked to MTV: "My iCloud keeps telling me
to back it up, and I'm like, I don't know how to back you up. Do it
yourself."
The release of numerous nude photos of celebrities over the past several
days was apparently made possible by a group of determined hackers who
broke into the iCloud accounts of Jennifer Lawrence, Kate Upton and
others. Because photos are backed up to iCloud automatically from iPhones
— and to Google+ on Android — there has been a spate of articles
explaining how you can shut off this functionality to “protect” yourself
from being similarly victimized. From the Mirror, in typical tabloid
fashion, “Celebrity nude photo hacking: How to disable iPhone iCloud
backups and keep your pictures safe” is what you’d expect. But the
normally sober Will Oremus at Slate, with “How to Not Back Up Your Naked
Selfies to the Cloud,” seems to have gotten caught in the frenzy too.
Ignore them both, and everyone else who tells you it’s better not to use
cloud backup. Instead, take some simple steps to get safer and smarter.
Why not just turn it all off?
Simple: it’s about relative risk. You need to weigh the chance that
someone is going to hack your cloud account against the chance you’re
going to lose your phone. While there’s no doubt that the group
responsible for revealing more of Selena Gomez than she hoped was
determined, the odds anyone is interested in you aren’t particularly
great. But the chance your phone will be damaged beyond repair, lost, or
stolen is pretty good. When that happens, you won’t just lose the photos
on it, but also your contact info, calendar and possibly even some
e-mail, depending on how things are configured there.
Oh, and if someone has your phone, there’s a good chance they can get
into it and access your pictures anyway. Yes, you can wipe that all out
remotely on both iOS (with Find My iPhone) and Android (using this
technique). Both of those use cloud services, by the way. So you could
turn off the photo backup and use them anyway, but why not just secure
your cloud account instead?
The answer turns out to be pretty simple and slightly complex at the
same time. The first thing you need to do is use a good password for
iCloud or for your basic Google/Gmail account. Hackers love it when you
make their life easy by using “password” or “1234”, so you’ll obviously
want to go above and beyond. Throw in punctuation, use miXed capS and
lowercase, add in s0m3 numb3rs. Sure, you want it to be easy enough to
type, so play around with this on your smartphone. But remember that
complexity is your friend. (Google has some good advice.)
Also remember that your password can be reset by having a link sent to
the e-mail address associated with your account. That’s a huge
vulnerability if that account has a lousy password. The complexity of
maintaining different, elaborate passwords is frustrating. I can’t keep
track of the different variations I use, so I got myself LastPass a few
years ago. Others swear by 1Password. Neither works very well on the
iPhone itself because of limitations in the way Apple supports browser
add-ons, but those should be fixed in iOS 8. Even now, though, LastPass
is on my phone, secured by a master password that protects a list of my
other passwords called the “vault”. When I forget one, I can look it up.
Your Notes file or Word document with a list of passwords, backed up to
your Dropbox, is a hacker’s dream. Print a copy, delete it from the
cloud and your device, and get a password manager.
A lot of this stuff seems like it shouldn’t be my job?
That’s an entirely fair point. The second most egregious part of the
celebrity hacking (after the unconscionable privacy violation) has been
blaming the victims, as if they did something wrong. What’s wrong is
that security is too damn hard and the way all of this works is beyond
incomprehensible. I defy anyone to accurately explain how iCloud photo
backup currently works.
Apple left a big hole in iCloud that allowed hackers to try an
unlimited number of guesses at passwords without being locked out (since
fixed). And far too many apps on both iOS and Android manage to lose
your login info over and over, which encourages the use of short, lousy
passwords. Things should get better when you can secure login
information with TouchID, Apple’s fingerprint sensor, in iOS 8. That
ostensibly would allow people to choose nearly uncrackable passwords
(LastPass can generate them automatically) but log in with just their
finger.
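The missing control described above is a lockout: a service that counts failed guesses per account and refuses further attempts once a threshold is hit. The following is an added illustration of that check, not Apple’s code or anyone’s actual implementation; the thresholds, the account name and the attempt stream are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed policy values for illustration; real services tune these.
MAX_FAILURES = 5           # wrong guesses tolerated per account per window
WINDOW_SECONDS = 15 * 60   # sliding window for counting failures
LOCKOUT_SECONDS = 60 * 60  # how long the account stays locked


class LoginThrottle:
    """Counts failed logins per account in a sliding window and locks the
    account once the limit is hit, so guesses cannot continue indefinitely."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # account -> timestamps of failures
        self.locked_until = {}              # account -> time the lock expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Record one login attempt and return (allowed, reason).
        A locked account is refused even for a correct password; otherwise
        the lock would not actually stop guessing."""
        if self.is_locked(account, now):
            return False, "locked"
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:  # drop stale failures
            recent.popleft()
        if password_ok:
            recent.clear()
            return True, "ok"
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            recent.clear()
            return False, "locked"
        return False, "bad_password"


def simulate():
    """Constructed attempt stream against one hypothetical account: five
    wrong guesses ten seconds apart, then the right password right away,
    then the right password again after the lockout has expired."""
    throttle = LoginThrottle()
    stream = [("user@example.test", False, 10 * i) for i in range(5)]
    stream += [("user@example.test", True, 50), ("user@example.test", True, 3700)]
    return [throttle.attempt(acct, ok, t) for acct, ok, t in stream]
```

Locking by account alone lets anyone lock a victim out by deliberately failing, so production systems pair this with per-source throttling and notify the account owner of the lock.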
But I need better security now, there’s something I can do, right?
Yes, in the meantime, both iOS and Android allow you to use 2-factor
authentication and you should borrow a page from Nike and “just do it.”
In 2-factor, you have to not only enter a password, but also a code that
you receive through another means to ensure it’s really you. With Apple,
the process involves text messages sent to “trusted devices” and is laid
out in a pretty clear FAQ.
It may sound inconvenient, but once you’ve established that a device is
trusted, you won’t constantly be nagged to reconfirm that fact. This
kind of security can be very effective against the kind of hack the
celebrities fell victim to because it can block account access from a
computer that isn’t already verified.
That said, Apple’s implementation of 2-factor security is incomplete
right now, as TechCrunch reports. It’s still possible to grab a
PhotoStream from iCloud without using the second factor, which is
another hole Apple needs to plug in a hurry. Google, incidentally, has a
more comprehensive 2-step offering. In addition to sending codes via
text message, it can use a special app called an authenticator (which
works even if you have no cell coverage) or can call you and read you a
code. Apple didn’t respond to TechCrunch’s inquiry about expanding
2-factor to do more, but it seems certain to do so in the near future.
Is there more I can do?
There’s a lot more, which generally falls into two categories. On the
one hand, you want to make sure you don’t fall into traps that
compromise your information in the first place. So be careful clicking
on suspicious e-mails or websites, don’t download things from untrusted
sources and stay off of WiFi networks you can’t be sure are reputable.
All of those are rapid paths to malware or exploits designed to get hold of your passwords or other credentials.
On the other hand, if you’re really interested in security, you can
encrypt your data. That’s hard with an automatic backup function like
PhotoStream on iCloud. But it’s possible for sensitive files or
important e-mails. Forbes privacy guru Kashmir Hill posted an explainer
on sending and receiving encrypted e-mail, for example. Online backup
services like CrashPlan use strong encryption that renders your files a
bunch of digital gibberish if the servers are accessed without your keys.
A tool like CloudFogger can add a layer of encryption to your files on
Dropbox, Microsoft’s OneDrive or Google Drive. The use of VPN software
can help keep you secure on public WiFi.
Last thoughts?
Yes, the weakest link in most security turns out to be the human
element, not the technology per se. A lot of sites let you engage in
password resets using security questions. iCloud is one of those. When
you’re famous — or just
semi-open on Facebook — it’s often really easy to guess the answers to
those without being the person about whom they’re being asked. This
presents a problem for which the solution is again easy and hard. The
easy part is to use absurd security questions like “What is the last
name of your favorite elementary school teacher?” instead of “What was
the name of your first pet?” There’s a good chance the former isn’t on
Facebook while the latter might well be. Or maybe you told David
Letterman about Scruffles once. (With 2-factor, the security questions
aren’t a vulnerability by the way.)
The fact is your data is a tempting target, even if you aren’t the
world’s most famous actress at the moment. And it’s very much up to
Apple, Google and Microsoft (along with Dropbox, et al.) to do a better
job of making it easier to protect that data from prying eyes. But at
the same time, services like automatic cloud backup are hugely valuable.
What was once the catastrophic loss of possibly years’ worth of
photos is now a mere inconvenience thanks to the cloud. Phone upgrades
are routine as you pull all your information from an automatic backup
you don’t even need to manage.
The last thing you want to do is stop using all those features just
because things went wrong. You didn’t stop using your credit cards after
the Target hack (nor will you if this Home Depot situation turns out to
be worse). Don’t become a cloud Luddite just because security there
isn’t perfect. Treat it like driving, which is inherently dangerous, but
usually works out for the best: Make it as safe as you can, know that
innovation will make it better over time, and be careful.
http://www.forbes.com/sites/markrogowsky/2014/09/03/the-celeb-hack-has-people-telling-you-to-turn-off-cloud-backup-ignore-them/