After alleged iCloud breach, here's how to secure your personal cloud
A hacker may have been responsible for leaking explicit photos of celebrities due to a weak link in their Apple iCloud accounts. Here's what you can do to keep your embarrassing selfies (and company secrets) out of the public eye.
In light of the news that an alleged hacker cracked the iCloud accounts of celebrities, such as Jennifer Lawrence and Kate Upton, to reveal their private, intimate photos, there remains a high level of speculation and rumor over exactly what happened.
The security exploit in question, "ibrute", was published on GitHub on Saturday. It used a security hole in the Find My iPhone service application programming interface (API): the API did not lock the account or slow down repeated failed sign-ins, so an attacker could keep trying one password after another until they found one that worked. Once a password was found, it could then be used to access the user's iCloud account.
Apple told Recode on Monday it was "actively investigating" if these iCloud accounts had been hacked. The iPhone and iPad maker rarely talks to the press, suggesting it is taking the alleged breach very seriously.
While this was an awful security hole, the exploit relies on ordinary account owners using bad passwords. The automated exploit uses a list of just 500 common passwords.
Indeed, with this hacker tool, you can't really call these attacks "hacks" at all. All a would-be attacker needed was the email address you use for your Apple ID. If you had a common and easy-to-guess password, your files could have been in an attacker's hands in less time than it will take you to read this story.
Rather than lecture you yet again on why you should use good passwords, let me suggest that you use easy-to-remember but hard-to-crack passwords that use phrases rather than random characters. So, for example, "Steelers?Win!Cowboys?Lose!" or "Volt!Amp!Tesla!Edison?" won't be cracked by any common password cracker program, but you'll be able to recall such phrases much more easily than, say, "ufc#1310."
Safe passwords don't have to be memory twisters. They just have to be hard for computers to work out, and phrases make great passwords.
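To make the two points above concrete, here is an added example that is not code from the article, from Apple, or from the ibrute tool. It models a toy login service that does what the Find My iPhone API reportedly did not: it counts failed attempts per account and locks the account for a while after a handful of them, so a 500-entry list of common passwords cannot be tried end to end. It also refuses to set a password that appears on a common-password list or is shorter than a phrase-length minimum, which is why the article's phrase examples pass and "ufc#1310" does not. The account names, the short "common passwords" list, the limits and the helper names are all constructed assumptions for this example.

```python
"""Added example (not from the article): per-account lockout plus a
common-password check, the server-side and user-side defenses the piece
describes. All names, lists and thresholds here are constructed."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

# Constructed stand-in for a published common-password list; a real
# deployment would load a far larger one.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "monkey",
    "abc123", "football", "welcome", "dragon",
}
MAX_FAILURES = 5           # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed value)
MIN_LENGTH = 12            # long enough that short tokens like "ufc#1310" fail


def password_policy_ok(password: str) -> bool:
    """Reject list entries and short passwords; phrase passwords pass."""
    if password.lower() in COMMON_PASSWORDS:
        return False
    return len(password) >= MIN_LENGTH


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so a stolen store is not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AccountStore:
    """In-memory user store with a failure counter and lockout per account."""

    def __init__(self) -> None:
        self._accounts = {}

    def set_password(self, email: str, password: str) -> None:
        if not password_policy_ok(password):
            raise ValueError("password is on the common list or too short")
        salt = os.urandom(16)
        self._accounts[email] = {
            "salt": salt,
            "hash": _hash(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def login(self, email: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        The lock is checked before the password is compared, so a locked
        account answers the same for a right guess and a wrong one.
        `now` is injectable so the lock can be tested without sleeping.
        """
        now = time.time() if now is None else now
        acct = self._accounts.get(email)
        if acct is None:
            # Same answer as a wrong password, so the endpoint does not
            # reveal which e-mail addresses have accounts.
            return "bad_password"
        if now < acct["locked_until"]:
            return "locked"
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["failures"] = 0
            acct["locked_until"] = now + LOCKOUT_SECONDS
        return "bad_password"


def guesses_evaluated(store: AccountStore, email: str,
                      guesses: Iterable[str], now: float = 0.0) -> int:
    """Defensive check: how many entries of a guess list does the store
    actually evaluate before every further attempt comes back 'locked'?"""
    evaluated = 0
    for guess in guesses:
        if store.login(email, guess, now=now) == "locked":
            break
        evaluated += 1
    return evaluated


if __name__ == "__main__":
    store = AccountStore()
    store.set_password("user@example.com", "Volt!Amp!Tesla!Edison?")
    checked = guesses_evaluated(store, "user@example.com", sorted(COMMON_PASSWORDS))
    print(f"guesses evaluated before lockout: {checked} of {len(COMMON_PASSWORDS)}")
```

Run as-is, the script shows that only the first few entries of the list are ever compared against the account; with the lock in place, the size of the attacker's word list stops mattering. The lockout window and the failure threshold are assumed values, chosen to be short enough to annoy an automated run and long enough to be tolerable for a user who mistyped.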
If you don't think you can keep track of phrase passwords, password managers are readily available. Such programs as RoboForm and LastPass make it easy to stay on top of your passwords.
But for the sites and services that really care about keeping data safe, two-factor authentication can be the strongest tool ordinary users have to prevent unauthorized access to their data.
With this method, even if someone has your password, to change it they must also have access to a device that should only be in your hands, such as a phone. Typically, two-factor authentication systems will send you an e-mail or text message, or call you, requiring you to enter a code before your password can be changed.
Here's how to turn on two-factor authentication on the most popular personal cloud storage services:
Enter the code that you'll get from either a text or a voice phone call.
Follow the instructions.
Note: You will need to get a new code for each PC or device that uses any Google services. For some services, such as Gmail when accessed on an Apple device, by a mail client or by some instant message clients, you'll also need to set an application-specific password.