Skip to main content

Could your secrets leak like celebrities' selfies?

Cloud computing isn't inherently unsafe, but sloppy security can backfire badly
Audio player loading…

This weekend Apple's iCloud made headlines for all the wrong reasons. It was implicated in an alleged hacking attack that saw celebrities' most private photographs leaked online. If celebrities' data isn't safe in the cloud, many business users will be wondering, is data belonging to companies at risk too?

As with most high-profile hacking stories, there's a bit more to it than the headlines suggest. The likelihood that a hacker has managed to compromise Apple's iCloud is remote - as Apple details on its support pages, iCloud is well protected (opens in new tab), although researchers have identified exploitable flaws - and the photographs may not even be real ones; some of the victims have said that the images of them have been faked.

However, even if the images are real it's likely that the hacker obtained them through relatively simple and low-tech means rather than through compromising an entire cloud storage system.
Hacking is hard. Tricking people is much easier.

Dirty tricks, done dirt cheap

In May, Australian owners of iOS devices found themselves locked out of their hardware. A stranger gained access to their iCloud accounts, remotely locked their devices and demanded payment to unlock them again.

The stranger was described as a hacker, but scammer would be more accurate: it's believed that the users' credentials were obtained through the low-tech method of phishing, where fake emails are sent out in order to obtain people's login information. Once that information had been obtained, the scammer could get into people's iCloud accounts and lock their devices.

The information needn't have come from iCloud. If you can get into somebody's email account you can make use of services' forgot-password links to reset the logins for other online services. If the person whose account you've compromised uses the same password across multiple services - as many people do - then a single password becomes the key to somebody's entire digital life.

If that password provides access to an unprotected cloud storage system, such as shared folders containing unencrypted documents, then it's just a matter of syncing to get perfect copies of everything in those folders.

The major cloud services use SSL and AES encryption to protect their customers' data, but there's not much they can do when user names and passwords are handed out willingly or used on less secure sites which are then compromised. It's rather like having a state-of-the-art alarm system in a mansion and then leaving going out with the alarm switched off and the front door wide open.

As with many security problems, the biggest risks aren't from the technology. They're from the people using it.

Two cheers for 2FA

A frightening number of people's passwords are easily guessable: in its annual survey of online password dumps, SplashData found that the most common password in the year of NSA and Edward Snowden revelations and endless security breaches was "123456". Second was "password", followed by "12345678", "qwerty", "abc123", "123456789", "111111" and "iloveyou".

The data available to SplashData is also available to software writers. Password cracking tools use databases of people's passwords to enable so-called Brute Force Attacks, which automatically try multiple passwords at dizzying speeds. iCloud was vulnerable to such hacks - there was no limit on how many unsuccessful passwords you could try - and while that vulnerability has been fixed, other online sites and services are still vulnerable to such attacks.

Most IT departments mandate more sensible, strong passwords, of course, but many cloud services also offer a second level of protection. That level is known as Two Factor Authentication, or 2FA for short; some services prefer MFA, for Multi-Factor Authentication.

2FA/MFA is simple and effective. Whenever a new device (or even a reset web browser) attempts to access an account, 2FA asks for corroboration. Most commonly that means sending a code to a stored email address or better still, a mobile phone. No code, no access.


Former lion tamer, Girls Aloud backing dancer and habitual liar Carrie Marshall (Twitter, Google+) has been writing about tech since 1998, contributing sage advice and odd opinions to .net, MacFormat, Tap! and Official Windows Magazine as well as co-writing stacks of how-to tech books. "My job is to cut through the crap," she says. "And there's a lot of crap."