iCloud Security

Over the past week, reports have confirmed that certain high-profile celebrities’ iCloud accounts were compromised, exposing private photos for the world to see. Apple’s iCloud platform (a service used to back up and sync all of your devices’ files and photos) was the target of this latest malicious cyber attack, and it has many people who use this service on a daily basis very concerned.

To really understand the severity of this threat, one must understand how these accounts were compromised in the first place. At this stage, Apple disputes claims that it was “hacked,” and by all accounts it does not look like iCloud’s security itself was compromised. Instead, it is believed that hackers ran a targeted attack on specific high-profile celebrities’ accounts, either by using iCloud’s password reset function to gain access to the accounts in question or by using easy-to-purchase hacking software to find, by brute force, the correct username and password.


So keep in mind that if you are a very busy high-profile celebrity who might not be very tech savvy, who set up their Apple user ID as their first and last name or some combination thereof, and whose answers to the password reset questions are common information found on Wikipedia (answers to questions like “what is the name of my dog” or “what is my mother’s maiden name”), then this could lead to only one bad ending.


That the hackers could keep trying username and password combinations for as long as they wanted without getting locked out of the account shows that Apple needs to beef up its privacy safeguards. As of now, that vulnerability has been patched.

Based on initial reports, it looks like the iCloud accounts could have been accessed using a brute force attack technique by the malicious people involved. Brute force, also known as ‘brute force cracking’, is a trial-and-error method used to retrieve usernames and passwords. Much like a criminal might break into, or ‘crack’, a safe by trying many possible combinations, a brute-force cracking attempt goes through all possible combinations of characters in sequence. Because it is common practice for people to use their email address as a username along with a short, simple dictionary password, it’s entirely possible to guess them using a tool like this, especially if it is running as a software program on multiple computers for hours, days, or even weeks at a time.
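The missing lockout described above, sketched as an added example (not code from Apple or from this post): a per-account throttle that locks after repeated failures and doubles each lock, replayed against a constructed guess list. The names and thresholds (`LoginThrottle`, `replay`, five failures, a 60-second first lock) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-account limiter: lock after repeated failures, doubling each lock."""
    def __init__(self, max_failures=5, window=300, base_lock=60, max_lock=3600):
        self.max_failures = max_failures      # failures tolerated inside the window
        self.window = window                  # sliding window, in seconds
        self.base_lock = base_lock            # length of the first lock, in seconds
        self.max_lock = max_lock              # upper bound on any single lock
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._locked_until = {}               # account -> time the lock expires
        self._lock_count = defaultdict(int)   # account -> locks imposed so far

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now`; return 'locked', 'ok' or 'denied'."""
        if now < self._locked_until.get(account, 0):
            return "locked"  # refused before the password is even compared
        if password_ok:
            self._failures.pop(account, None)
            self._lock_count.pop(account, None)
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            lock = min(self.base_lock * 2 ** self._lock_count[account], self.max_lock)
            self._lock_count[account] += 1
            self._locked_until[account] = now + lock
            recent.clear()
        return "denied"

def replay(throttle, account, guesses, real_password):
    """Replay guesses at one per second; return (passwords compared, guessed?)."""
    compared = 0
    for second, guess in enumerate(guesses):
        result = throttle.attempt(account, guess == real_password, now=second)
        compared += result != "locked"
        if result == "ok":
            return compared, True
    return compared, False

# Constructed data: 1,000 guesses with the real password in position 501.
GUESSES = [f"word{i}" for i in range(1000)]
REAL = "word500"

if __name__ == "__main__":
    print("no lockout:  ", replay(LoginThrottle(max_failures=10**9), "user@example.com", GUESSES, REAL))
    print("with lockout:", replay(LoginThrottle(), "user@example.com", GUESSES, REAL))
```

A per-account lock can also be triggered on purpose to keep the real owner out, so services usually pair it with per-source limits and a second factor.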

To Apple’s credit, they do notify you when your password changes, but if this happens in the middle of the night while you are sleeping, hackers can brute force your account, log in and delete that message before you have a chance to see it – which could have also been the case here.

With all that in mind, I would say iCloud is safe for backing up and storing your data as long as you follow strong username and password practices. If you are a high-profile celebrity, using guessable usernames and short dictionary passwords will make your account hackable on any service.


To ensure your digital data stays safe in the cloud, below are some steps you can follow:

For starters, you should make sure your password is not a dictionary word. Make sure it is alphanumeric – meaning use a combination of upper and lower case letters, numbers, and punctuation.

Also, if the service gives you the option to answer security questions for your password retrieval, answer the questions incorrectly or even with an alphanumeric password instead.

Next, if the service requires you to use an email address for your username (like Apple’s iCloud), go to Google’s Gmail and create a separate email address that does not have your name in it, making it much harder for any person or program to guess your username.

Finally, and most importantly, if the service provides it, use two-factor authentication. That is, to make any changes to your login (like changing your password) you will need not only a username and password but also a special code sent to your cell phone via text message before you can proceed.

If you go to http://support.apple.com/kb/ht5570 you can follow, step-by-step, how to enable two-step verification.

thedigitalteacher

 
