Ongoing exfiltration of photos from celebrity iCloud accounts brings the idea of personal privacy close to home because celebrities, like most people, have no idea that anyone with a little initiative could invade their personal phone and photographs.
When the most recent iCloud intrusion was made public, the first reaction by security experts was to point to a vulnerability in Apple’s “Find My iPhone” application. It turns out that this app was not the source of the problem, although Apple patched a hole on Tuesday anyway. Now the consensus is that the individual who stole Jennifer Lawrence’s photos used his investigative skills to crack her username and password combination.
Celebrities are in the headlines, but all of us who use cloud backup programs, like Instant Upload by Google and Apple’s iCloud, are vulnerable. While we all believe that a reasonable expectation of privacy is our civil right, we have seen time and time again that criminals do not play by the rules.
Maintaining situational awareness and practicing good cloud hygiene are the foundation of cyber security.
The First Steps
1. Get to know your settings. Most applications automatically enable uploading and sharing. Take the time to go to your settings and disable synchronized services that you don’t need.
If you have your Apple devices synched, chances are your iCloud Photo Options has a check in the My Photo Stream box. This function automatically uploads photos from your iPhone to iCloud and stores them there until you delete them. If you have Photo Sharing enabled, others can add photos, videos and comments. If anyone you share with has been breached, you have too!
Stop this now. Go to Settings -> iCloud -> Photos -> Options, and uncheck the My Photo Stream and Photo Sharing options.
2. Delete unused photos and files from your devices and the cloud services. It is incumbent on YOU to be aware of what YOU are sharing. When an app asks to synchronize or share your contacts, say NO. Be careful and mindful of what you share on social media. Schools you have attended, pet names, hometowns, etc. are common answers to password reset questions – if you use them, you’re giving hackers a head start.
3. Activate two-step authentication. When you log into your cloud account from a new device, you are sent an access code via text message to your phone or tablet. iCloud, Dropbox, and Google Drive offer this, but Amazon’s Cloud Drive does not. Unfortunately there is no guarantee that your photos are protected even by two-step authentication, but it is still an important extra layer.
4. Change your password now and vary passwords among different sites. Remembering your passwords is easy if you use the method I described in my previous blog. If you missed it, click here and bookmark it!
5. Only reset your authentication information from the website of the service you are using. Never reset this information from an unsolicited link (phishing) sent through email.
At EdgeWave, we have the necessary security in place to protect valuable personal information in both private and public environments, with an agile and responsive data security and threat defense. By combining expert human analysis and next generation technology with a Military-Grade operation approach to security, EdgeWave EPIC² advanced threat capability defends against the most sophisticated threats. We are breaking new ground in the cyber security industry by providing this Military-Grade protection for civilian organizations and businesses at a most critical time. Reach out to us today for a free assessment of your current email security with our Vulnerability Evaluation Test™.
Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on active duty, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.