'Cloud' security only as good as users make it
The celebrity photo hack from August 31 brought Apple's iCloud and how it stores personal photos under scrutiny. While the exact process by which the attackers were able to access the accounts of celebrities such as Jennifer Lawrence and Kate Upton is still under investigation by the FBI and other investigators, Apple has come forward to state that this breach in security was not because of a security flaw in iCloud.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," reads Apple's press release from Tuesday.
"None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone."
On Wednesday, sources close to the investigation reported to the Los Angeles Times and other news sources that these hackers were able to gain access to these photos with the help of phishing.
Phishing is a very common hacking practice used to get sensitive information from individuals. A hacker pretends to be a trusted site or point of contact in order to get enough information to access a victim's account.
It's important to remember that they don't necessarily need a person's user name and password to gain access, just enough information to deceive a company into thinking they are the victim.
In the cases of these celebrities, most of their personal information is public already. If a hacker gets a celebrity's user name, they could reasonably guess the answers to the security questions and gain access to the account through Google searches, guessing and brute force.
These hackers took advantage of iCloud's phone backup feature to restore a victim's backup, and all the information in it, onto an iPhone in their possession.
By default, iCloud syncs a user's mail, contacts, calendars, reminders, Safari history and bookmarks, notes, Passbook, Keychain passwords, documents and data, and photos. A simple restore can load all this information onto a new phone as long as a username and password are provided. It's a lifesaving feature for the average user who may lose an iPhone, but in the cases of these celebrities it basically handed these hackers their information gift-wrapped.
It's very unfortunate, and a hack like this might have the clout to destabilize cloud storage's security reputation for many people.
Apple claims that 2-factor verification and stronger passwords would have prevented these hacks, but that's not necessarily true. Apple's 2-factor verification only secures purchases and account management. It isn't required when retrieving a backup, and it won't protect a user's photos. Apple will have to address this flaw, especially with the iPhone 6 and iOS 8 launching later this month.
Until then, users must stay vigilant with their online account management. Keep passwords hard to guess, use 2-factor verification whenever possible, and make sure security questions are hard to answer (even lie sometimes). Look at your settings in iCloud/whatever-you-upload-to and know what's stored out there. Limit what gets uploaded, especially if you're taking naked selfies.
There's not much you can do otherwise. The more private or privileged your information is, the more time and effort you must take to secure it. If you're a high-value target like these celebrities, a hacker just needs time, skills, and the will to get in.
It's the gamble we take for having all this connectivity.