Don’t let the Cloud rain out your privacy

Kaspersky Lab

If you’ve been on the internet the past couple of days, you’ve probably heard of a hacker leaking private and explicit pictures of dozens of Hollywood celebrities. Dubbed “The Fappening” (a self-pleasure reference, because the web’s made up of teenagers in heat), the event brought about uncertainty towards cloud storage services, specifically how our uploaded data can be protected from those with malicious intent.

Kaspersky Lab, a frontrunner in data security and threat management solutions, commented that while such privacy leaks are not new, this was the first on such a massive scale and one that involved so many public personalities.

From the moment news of the leak broke, it has been speculated that some of the photos were taken directly from the celebrities’ Apple iCloud accounts. Was the cloud service of one of the world’s undisputed tech giants compromised? Were there holes in its security system? Kaspersky theorized a possible leak scenario, detailed below.

First off, as opposed to some sites which lock your account after a certain number of failed log-in attempts, iCloud’s Find My iPhone interface allowed unlimited password tries against an account. This weakness let the attackers systematically try commonly used passwords, one after another, until they gave up or got in. This method is called brute-forcing.

To help brute-force the accounts, the hackers may have enlisted an open source application published on GitHub, a popular programmers’ online hangout.
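The weakness described above is the absence of a failed-attempt limit on the login endpoint. The following is an added example, not Kaspersky’s or Apple’s code, showing how a login handler that counts consecutive failures per account and locks it for a cooling-off period changes the picture: the same list of guesses gets fully evaluated by an endpoint with no limit, but only a handful are ever checked once a lockout is enforced. The account store, the credentials and the guess list are constructed for the demo, and `LoginGate`, `MAX_FAILURES` and `LOCKOUT_SECONDS` are hypothetical names, not Apple’s settings.

```python
# Added example (not Kaspersky's or Apple's code): a login gate that limits
# consecutive failed attempts per account, contrasted with the unlimited
# behaviour the article attributes to the Find My iPhone endpoint.
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5            # hypothetical policy: lock after this many failures in a row
LOCKOUT_SECONDS = 15 * 60   # hypothetical policy: keep the account locked this long
PBKDF2_ROUNDS = 50_000      # kept low for the demo; production should use far more


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


def make_users():
    """Constructed sample store with one hypothetical account."""
    salt, digest = hash_password("correct horse battery staple")
    return {"alice": Account(salt, digest)}


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginGate:
    """Password check with optional per-account lockout.

    enforce_lockout=False reproduces the unlimited-attempt behaviour the
    article describes; enforce_lockout=True is the mitigation.
    """
    def __init__(self, users, enforce_lockout=True, clock=time.time):
        self.users = users
        self.enforce_lockout = enforce_lockout
        self.clock = clock

    def attempt(self, username, password):
        acct = self.users.get(username)
        now = self.clock()
        if acct is None:
            return "invalid"   # same answer as a wrong password, so usernames are not enumerable
        if self.enforce_lockout and now < acct.locked_until:
            return "locked"    # the password is not evaluated at all while locked
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.enforce_lockout and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "invalid"


# Constructed guess list for the demo: eight wrong guesses, then the real password.
GUESSES = ["123456", "password", "qwerty", "letmein", "iloveyou",
           "monkey", "dragon", "baseball", "correct horse battery staple"]


def evaluated_guesses(gate, username, guesses):
    """Run a guess list against the gate; return (last outcome, guesses actually checked)."""
    checked = 0
    last = None
    for guess in guesses:
        last = gate.attempt(username, guess)
        if last != "locked":
            checked += 1
        if last == "ok":
            break
    return last, checked


if __name__ == "__main__":
    no_limit = LoginGate(make_users(), enforce_lockout=False)
    print("no lockout:", evaluated_guesses(no_limit, "alice", GUESSES))      # ('ok', 9)
    clock = FakeClock()
    limited = LoginGate(make_users(), enforce_lockout=True, clock=clock)
    print("with lockout:", evaluated_guesses(limited, "alice", GUESSES))     # ('locked', 5)
    clock.t += LOCKOUT_SECONDS + 1
    print("after expiry, right password:", limited.attempt("alice", GUESSES[-1]))  # ok
```

A hard per-account lockout is the simplest fix but has a known side effect: anyone who knows a username can lock its owner out by sending wrong passwords. Deployments usually combine a short lockout with progressive delays, per-source rate limiting and a notification to the account holder, which is also what makes the second-factor recommendation later in the article effective even when a password is guessable.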

Second, the celebrities MAY have ignored strong-password reminders and settled for very basic passwords which could have taken hackers just a few minutes to crack.

Third, the victims MAY have also forgone two-factor authentication, Apple’s protection against such attacks.

Apple has reportedly fixed the above flaws, and brute-forcing is no longer possible as of this writing. There is no guarantee, though, that other loopholes do not exist.

This wasn’t the first case of people exploiting iCloud and Find My iPhone. There were reports of cyber-extortion filed by victims who suddenly had their Apple devices locked via Find My iPhone’s anti-theft feature. The hackers left a message on the lock screen demanding money in exchange for restoring the device’s functionality.

How can we avoid such violations of privacy? The cloud is one of the most convenient forms of data management available, yet it carries some steep risks. Christian Funk, senior security researcher at Kaspersky Lab, recommends the following to protect your data against unwanted access:

  • Use strong and complicated passwords. Have a distinct one for every account you have.
  • Take advantage of endpoint security solutions to safeguard your devices as they’re how you access cloud services.
  • Always enable and use two-factor authentication if it’s provided by the service.
  • Decide which of your data should and shouldn’t be uploaded to the cloud. Your personal, sensitive, private, and professional life should stay offline as much as possible.
  • Phones are easy pickings for thieves, especially in the Philippines. Always make sure that yours has no sensitive information on it. If this can’t be avoided, use all of the security measures you have available, including lock screens, remote lock and wipe applications, and data encryption.
  • Any highly private data, photos, or videos should be double-checked to make sure they are not uploaded to the cloud.
  • When sharing information or when allowing another person to take “inappropriate” photos/videos of you, make sure that their device has appropriate security features.