After alleged iCloud breach, here's how to secure your personal cloud

Summary: A hacker may have been responsible for leaking explicit photos of celebrities due to a weak link in their Apple iCloud accounts. Here's what you can do to keep your embarrassing selfies (and company secrets) out of the public eye.


In light of the news that an alleged hacker cracked the iCloud accounts of celebrities, such as Jennifer Lawrence and Kate Upton, and published their private, intimate photos, there is still a great deal of speculation and rumor over exactly what happened.

Since the photos showed up immediately after an Apple "Find My iPhone" exploit was revealed, many are pointing their fingers at Apple's own security situation.

The exploit in question, "ibrute," was published on GitHub on Saturday. It abused a hole in the Find My iPhone service's application programming interface (API): the login endpoint neither slowed down nor locked an account after repeated failed attempts, so an attacker could keep trying one password after another until one worked. Once a password was found, it could then be used to sign in to the user's iCloud account.

Apple told Recode on Monday it was "actively investigating" if these iCloud accounts had been hacked. The iPhone and iPad maker rarely talks to the press, suggesting it is taking the alleged breach very seriously.

While this was a serious security hole, the exploit only works against accounts with bad passwords: the automated tool guesses from a list of just 500 common passwords.

Indeed, with this tool, you can't really call these attacks "hacks" at all. All a would-be attacker needed was the email address you use for your Apple ID. If you had a common, easy-to-guess password, your files could have been in an attacker's hands in less time than it will take you to read this story.

Some experts believe that this is only the beginning of a flood of iCloud security hacks.

So, if you want to keep your intimate photos private, or your company's trade secrets safe, you must start by using something other than "password" or "123456" for your password.

Rather than lecture you yet again on why you should use good passwords, let me suggest that you use easy-to-remember but hard-to-crack passwords built from phrases rather than random characters. For example, "Steelers?Win!Cowboys?Lose!" or "Volt!Amp!Tesla!Edison?" won't appear on any common password cracker's wordlist and are far too long to brute-force, but you'll be able to recall such phrases much more easily than, say, "ufc#1310."

Safe passwords don't have to be memory twisters. They just have to be hard for computers to work out, and phrases make great passwords.
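The two points above, that the tool only wins when the account has a common password and that a service which never throttles guesses hands the attacker unlimited tries, can be seen side by side in code. The following Python is an added example, not part of the original article and not Apple's or the ibrute tool's code. The ten-entry wordlist stands in for the 500-entry list the tool used, the account e-mail and passwords are constructed for the demo, the lockout threshold of five failures is an assumed policy, and the PBKDF2 round count is kept low only so the demo runs quickly.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the ~500-entry common-password list the tool used.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "monkey", "iloveyou", "football",
]

PBKDF2_ROUNDS = 20_000  # deliberately low for the demo; use far more in production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Toy login backend. max_failures=None reproduces the flaw the article
    describes: every guess is checked and nothing is ever throttled."""

    def __init__(self, max_failures=None):
        self.max_failures = max_failures
        self._accounts = {}   # email -> (salt, password hash)
        self._failures = {}   # email -> consecutive failed attempts
        self.locked = set()

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[email] = (salt, _hash_password(password, salt))

    def login(self, email: str, password: str) -> bool:
        if email in self.locked or email not in self._accounts:
            return False
        salt, stored = self._accounts[email]
        if hmac.compare_digest(_hash_password(password, salt), stored):
            self._failures[email] = 0
            return True
        self._failures[email] = self._failures.get(email, 0) + 1
        if self.max_failures is not None and self._failures[email] >= self.max_failures:
            self.locked.add(email)   # hardened variant: lock after N bad guesses
        return False


def wordlist_attack(store: AccountStore, email: str, wordlist):
    """Run the guessing loop. Returns (password found or None, attempts made)."""
    for attempt, guess in enumerate(wordlist, start=1):
        if store.login(email, guess):
            return guess, attempt
        if email in store.locked:
            return None, attempt   # the service stopped answering this account
    return None, len(wordlist)


def demo():
    """Three runs against the same wordlist; e-mail and passwords are constructed."""
    email = "victim@example.com"
    results = {}

    # 1. Weak password, no lockout: the wordlist wins on the 8th guess.
    store = AccountStore(max_failures=None)
    store.register(email, "monkey")
    results["weak_password_no_lockout"] = wordlist_attack(store, email, COMMON_PASSWORDS)

    # 2. Same weak password, but the account locks after five failures.
    store = AccountStore(max_failures=5)
    store.register(email, "monkey")
    results["weak_password_lockout"] = wordlist_attack(store, email, COMMON_PASSWORDS)

    # 3. A passphrase of the kind suggested above, still with no lockout.
    store = AccountStore(max_failures=None)
    store.register(email, "Steelers?Win!Cowboys?Lose!")
    results["passphrase_no_lockout"] = wordlist_attack(store, email, COMMON_PASSWORDS)
    return results


if __name__ == "__main__":
    for name, (found, attempts) in demo().items():
        print(f"{name}: found={found!r} after {attempts} attempts")
```

Run it and the first case falls on the eighth guess, the second stops at five with nothing found, and the third exhausts the list. One caveat a practitioner would add: a hard lockout on its own lets an attacker lock victims out of their accounts on purpose, which is why real services combine per-account limits with per-source rate limiting, increasing delays, and CAPTCHAs rather than a bare counter.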

If you don't think you can keep track of phrase passwords, password managers are readily available. Such programs as RoboForm and LastPass make it easy to stay on top of your passwords.

For the sites and services that really care about keeping data safe, two-factor authentication is the strongest tool ordinary users have to prevent unauthorized access to their data.

With this method, even someone who has your password must also have access to a device that should only be in your hands, such as your phone. Typically, the service sends you a code by e-mail, text message, or voice call, or you generate one with an authenticator app on your phone, and you must enter that code before you can sign in or change your password.

Here's how to turn on two-factor authentication on the most popular personal cloud storage services:

Apple iCloud

  1. Log in to My Apple ID.
  2. Pick "Manage your Apple ID and sign in."
  3. Select "Password and Security."
  4. Under "Two-Step Verification," select "Get Started," and follow the instructions.

Note: Be aware that turning on two-step verification for your Apple ID is a one-way journey. Afterwards, you can only change your password by using the two-step method.

Dropbox

  1. Sign in to Dropbox.
  2. Click on your name from the upper-right of any page to open your account menu.
  3. Click "Settings" from the account menu and select the "Security" tab.
  4. Under "Two-step verification" section, click "Enable."
  5. Click "Get started" and follow the instructions.

Note: You will need to re-enter your password to enable two-step verification. Once you do, you'll be given the choice to receive your security code by text message or to use a mobile authenticator app.

Google Drive

  1. Log in to Google's two-step verification setup page.
  2. Enter your phone number.
  3. Enter the code that you'll get from either a text or a voice phone call.
  4. Follow the instructions.

Note: You will need to get a new code for each PC or device that uses any Google services. For some services, such as Gmail when accessed on an Apple device, by a mail client, or by some instant messaging clients, you'll also need to set an application-specific password.

Microsoft OneDrive

  1. Log in to your Microsoft Account.
  2. Go to "Security & Password."
  3. Under "Password and security info," tap or click "Edit security info."
  4. Under "Two-step verification," tap or click "Set up two-step verification."
  5. Click "Next," and then follow the instructions.

Note: Microsoft may require you to enter a security code that the company will send to your phone or email before you can turn on two-step verification.

Many other services now offer two-step authentication. Here are ZDNet articles detailing how to set it up on Facebook, Twitter, and Google.

Two-factor authentication won't protect you if your photos or data are already out there, but it will help prevent such attacks from succeeding in the future. 

Talkback

  • Best Advice

    Do not store or post anything private in cloud or social sites, period.
    Owl:Net
    • iOS has had a security issue every few months

      For a few years now. Why are there people still using the most insecure OS out there?

      Apple has proven it can't be trusted with your personal data.

      A few years back, someone hacked Amazon's through an Apple device. SSL Goto Fail was Epic! And now two other Apple cloud services.

      Who in their right mind doesn't question Apple's responsibility on this? They charge an arm and a leg for subpar service.
      Uralbas
      • yep

        The last place I was at, the first things that got locked out on iOS devices were Siri and iCloud, and local backups were forced to be encrypted.

        Android was banned outright - they were waiting for Knox to get deployed (which of course it has now), and WP they didn't have an issue with.

        All devices had passcodes enforced and auto-wipe if you screwed it up more than 3 times.

        Basically at a corporate level there is no excuse. At a personal level, you just have to choose what you would care about if someone could access the data, and blaming the cloud is in itself flawed because no ones computer ever got hacked did it?
        aesonaus
        • Apple doesn't have Enterprise Ready Devices!

          Until Apple comes up with an Enterprise Ready Device with GPO, etc. I wouldn't suggest using it. Even at the Consumer level...if you are expected to use Apple's Services - it should be Enterprise Class.

          Don't hold your breath. Enterprise is NOT what Apple Does!!!
          ITMedCEO
          • LOLz

            Mindless Apple Zombies, serves them right !
            gtatransam@...
          • Really?

            "Apple doesn't have Enterprise Ready Devices!"

            Your logic is flawed as it is contradicted by facts.
            athynz
          • Um...

            Actually, you don't need GPO for this. Client-side encryption before uploading does a far better job at securing your stuff. Of course, iCloud doesn't do this.
            danixdefcon5
      • Dumb Assumption

        It's stupid to think this is an iCloud hack. This is an account attack in which they use scripts to enter random passwords. It's the user's fault because they use easy-to-guess passwords.
        So, if you use the password "123456" and hacker hacks into your iCloud account, you claim Apple for it? You people need to use your brain more instead of your mouth.
        Cun Con
        • corrected

          I mean blame, not claim..
          Cun Con
        • Don't blame the users. This was Apple's fault

          Apple left the back door open to brute-force attacks by not checking and locking the account after so many invalid login attempts.

          You have to be realistic though. This wasn't a case of many people getting hacked on the same day, because just by chance someone found all their easy to guess passwords. They were hacked, because they were allowed to try to guess those passwords countless times until they get it right.

          Given enough time the hackers could have gotten access to every single account, regardless of password strength.

          Just to be really clear, once Apple's flaw allowed the hackers to brute-force user accounts it was only a matter of time until those accounts were compromised.
          Emacho
          • Wrong again

            Imagine that - it was a script used to hack the password. Sorry that the facts do not support your rant but then again you've never been much to use facts anyhow.
            athynz
          • Re: Wrong again

            Are you serious? The article clearly states that the hole in the Find My iPhone API allows for repeated tries and failed attempts without locking the account. That IS an Apple issue, no two ways about it.

            That being said, the biggest issue still remains the fact that the sensitive or compromising data was in the cloud at all. No one should be putting any kind of sensitive or compromising information out in the cloud (Apple's or otherwise) or anywhere that is out of that person's full control.
            AnthemDBA
          • Just what do you think that script did?

            It exploited the vulnerability in Apple's systems that was posted on hacking sites just one day before all these hacks occurred. If Apple locked the accounts after a couple of invalid attempts we would not be having a discussion about the issue.

            The facts are that a vulnerability was posted about Apple's system. The next day many user accounts of celebrities were compromised, and the day after that Apple rushed out a patch to fix the flaw in their system.

            Why is there a need to blame users for "storing their data wrong" or "the script" was somehow to blame?
            Emacho
          • To AnthemDBA and Emacho

            Don't believe everything you read about Apple when it comes from a biased source such as SJVN

            http://www.redmondpie.com/apple-icloud-wasnt-breached-in-recent-celebrity-photos-leak/

            "From the statement, we can glean that most if not all of those afflicted by this incident did not comply with the highly-recommended two-step verification Apple offers to bolster accounts against such events, and as such, the victims in this case perhaps did not protect themselves as well as they might have."

            "Apple does maintain that it is working with the authorities in order to help find those responsible for this whole ordeal, and also recommends that users concerned by this outbreak always opt for a strong password and two-step verification."

            Like anything else it's up to the user to ensure their things are protected - the 2 step verification is there for a reason.
            athynz
          • Stop blaming the user.

            Blaming the victims doesn't absolve Apple of their security failures.

            This was Apple's security failure, not users'.
            Emacho
          • SJVN said that

            He's even recommending activation of the 2-factor auth option in iCloud.
            danixdefcon5
          • The Point of Strong Passwords

            If you are forced to use uppercase letters, lowercase letters, numbers and special symbols with a strong minimum password length, it could take a hacker literally YEARS to hack a good password. The problem is that most users cannot handle a decent password because nobody has ever shown them how easy it is when you think in phrases. Pass phrases can withstand most dictionary attacks. Then there is multi-factor authentication.

            True, given enough time any password can be hacked. However, if it would take a hacker 5-10 years to hack the password that changes every few months.

            On top of that, most good security can detect x number of failed attempts and either lock out the user completely or slow down the request for authentication (or both). Some also can detect too many attempts within x number of minutes. If the attempts are coming at three per second, something isn't correct.

            So, part of the blame is with the user for not supplying a reasonable password. The other part of the blame can be with Apple for not requiring one and for not locking out an account under what appears to be an attack. There is enough blame to go around but I think the biggest blame is with users who want their access simple even if it is not secure and then blame the service because they could not stop a hacker.
            hforman@...
          • but even a simple password would survive if accounts were locked out

            That is why Apple accounts were hacked, because they did not lock out after several failed attempts.

            Again, everything relied on unlimited account login attempts which is such a basic element of securing anything that the blame must rest there.
            Emacho
        • ?

          Who gets the blame for Apple keeping deleted files on its own servers, which then get re-found? Many of the pictures leaked had been deleted but were found on the iCloud servers, which Apple failed to mention they do.
          Fletchguy
      • I wonder too

        Why so many use Android.
        athynz