You may have heard about the latest celebrity phone-hacking scandal involving stars such as Jennifer Lawrence, Ariana Grande and Kate Upton. The photos were stolen from Apple’s iCloud service, not from the phones themselves. Many of the celebs had already deleted the photos and videos from their iPhones, some of them a year or more ago, but those files were still backed up on iCloud. Hackers use a variety of methods to get into iCloud accounts, from brute-force attacks to trying easy-to-guess passwords, since iCloud would not lock you out after a certain number of wrong guesses.
In the case of these particular celebrity photos, they had been floating around on the “dark net” for quite some time before they were finally leaked publicly.
Though it hasn’t yet been confirmed that the pictures came from iCloud accounts, reports have speculated that the hackers used a recent tool called iBrute, which can repeatedly try different combinations of passwords on Apple’s Find My iPhone service until one of them works. Once Find My iPhone is breached, it is possible to access iCloud passwords and view images and other data stored in a user’s iCloud account. Apple had previously allowed an unlimited number of password attempts on the Find My iPhone service, but it has since limited it to five attempts, making the iBrute tool ineffective. [TheVerge]
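The fix the article describes is a server-side limit on failed attempts: once an account has seen five wrong guesses, further attempts are refused for a while, so a tool that cycles through passwords can no longer tell a right guess from a wrong one. The Python below is an added example of such a per-account lockout; it is not Apple's code and not from the article or The Verge. The 15-minute lockout length, the in-memory store and the demo credentials are constructed assumptions; the five-attempt limit is the figure the article gives.

```python
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # failed attempts before lockout (the limit the article cites)
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length; the article gives none


@dataclass
class AccountState:
    failures: int = 0         # consecutive bad guesses since the last success or lockout
    locked_until: float = 0.0 # epoch seconds; 0 means not locked


class LoginLimiter:
    """Per-account failed-attempt counter with a temporary lockout.

    The counter is keyed by account rather than by client address, because a
    guessing tool can spread its attempts across many addresses.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock      # injectable so tests can move time forward
        self.accounts = {}      # in-memory store, constructed for the demo

    def _state(self, account):
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account):
        return self.clock() < self._state(account).locked_until

    def attempt(self, account, password, check_password):
        """Return 'locked', 'ok' or 'bad'.

        The lock is checked before the password is, so while an account is
        locked a correct guess gets exactly the same answer as a wrong one.
        """
        state = self._state(account)
        now = self.clock()
        if now < state.locked_until:
            return "locked"
        if check_password(account, password):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_attempts:
            state.locked_until = now + self.lockout_seconds
            state.failures = 0
        return "bad"


# Constructed demo credential store; a real service stores password hashes, not passwords.
DEMO_USERS = {"alice@example.com": "Bruins?Win?Habs?Lose!"}


def demo_check(account, password):
    stored = DEMO_USERS.get(account, "")
    return hmac.compare_digest(stored.encode(), password.encode())


def simulate_guessing(limiter, account, guesses):
    """Feed a list of guesses through the limiter and return the verdict for each."""
    return [limiter.attempt(account, guess, demo_check) for guess in guesses]


if __name__ == "__main__":
    limiter = LoginLimiter()
    guesses = ["password", "123456", "qwerty", "letmein", "iloveyou",
               "Bruins?Win?Habs?Lose!"]   # the right password is the sixth guess
    print(simulate_guessing(limiter, "alice@example.com", guesses))
    # ['bad', 'bad', 'bad', 'bad', 'bad', 'locked']
```

The sixth guess is the real password, yet the limiter answers "locked": that is the whole value of the control, since the guessing tool learns nothing until the lockout expires and the legitimate owner has meanwhile been alerted by the lockout itself.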
You may or may not have intimate photos and videos you want to protect from prying eyes. Even if you don’t, think about all the sensitive information you may have in your email and private messages on Facebook and other social media sites. There’s probably some stuff in there you’d rather keep to yourself.
So what can you do to protect your private files and conversations online?
First, accept that virtually everything we do now electronically can be hacked or compromised. It may only be a curious spouse, but it could be an ex, a co-worker, or a professional hacker. The best way to keep someone from gaining access to sensitive data is not to put it online in the first place.
For data that you DO share, the first thing you should do is have a complex password that nobody can guess. “Password”, “123456” or your telephone number are not going to cut it. As this Password Strength cartoon by Randall Munroe demonstrates, substituting numbers and symbols for letters is still easy for a sophisticated software program to crack.
For example, Bruins?Win?Habs?Lose! will not be easily cracked by hacking software and is easier to remember than Bru1n5W#nH4B5L0s3. Phrases make a password more complex without being too hard to remember. And if remembering is an issue, try a free password manager like LastPass.
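The cartoon's point is that a cracker does not search character by character: it undoes the usual number-for-letter substitutions and guesses whole dictionary words, so "Bru1n5W#nH4B5L0s3" is really three words plus a handful of one-bit tweaks. The Python below is an added example of a strength estimator built on that idea; it is not the article's, the cartoon's or LastPass's code. The toy wordlist, the substitution table, the shortlist of common passwords and the assumption of 11 bits per word (roughly the 2^11-entry wordlist the cartoon uses) are all constructed, and the estimates are therefore illustrative rather than authoritative.

```python
import math
import re

# Constructed toy wordlist; a real checker loads a full dictionary.
WORDS = {"bruins", "win", "habs", "lose", "password", "correct", "horse", "battery", "staple"}
# Constructed shortlist of passwords a cracker tries first (in normalised form).
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}
# Toy substitution rules the estimator undoes before dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

WORD_BITS = 11              # assumption: attacker wordlist of about 2^11 entries
CHAR_BITS = math.log2(95)   # printable ASCII; cost charged for a character outside any word


def segment(normalized):
    """Greedy longest-match split into (start, end, is_word) tokens."""
    tokens, i = [], 0
    while i < len(normalized):
        for j in range(len(normalized), i, -1):
            if normalized[i:j] in WORDS:
                tokens.append((i, j, True))
                i = j
                break
        else:
            tokens.append((i, i + 1, False))
            i += 1
    return tokens


def naive_bits(password):
    """What a character-class brute-force model claims: log2(charset ** length)."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


def dictionary_bits(password):
    """Estimate against a cracker that undoes substitutions and guesses words.

    Each recognised word costs WORD_BITS plus one bit per capitalised or
    substituted letter (the attacker simply tries both forms); every other
    character is charged as brute force.
    """
    normalized = password.lower().translate(LEET)
    if normalized in COMMON:
        return 0.0   # among the first guesses tried, so no search at all
    bits = 0.0
    for start, end, is_word in segment(normalized):
        if is_word:
            bits += WORD_BITS
            bits += sum(1 for k in range(start, end) if password[k] != normalized[k])
        else:
            bits += CHAR_BITS
    return bits


def report(password):
    return {"naive_bits": round(naive_bits(password), 1),
            "dictionary_bits": round(dictionary_bits(password), 1)}


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "Bru1n5W#nH4B5L0s3", "Bruins?Win?Habs?Lose!"]:
        print(pw, report(pw))
```

Run on the article's two examples, the naive model rates the substitution-heavy password at about 112 bits and the phrase at about 135, while the dictionary-aware model drops them to roughly 63 and 74. The phrase still comes out ahead, and "P@ssw0rd" falls straight to zero because undoing the substitutions lands on the first word in the shortlist.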
Another thing you can do is enable two-step verification. This means that, in addition to knowing the password, the person trying to get into the account has to have access to some kind of device, like your phone, to which a code may be sent to verify your identity.
ZDNet has this great info on how to set up two-step verification for some of the most popular services:
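The "mobile app" option that services such as Dropbox offer (see the Dropbox note further down) does not need a network at all: at enrolment the service and the app share a secret, and from then on both compute the same short code from that secret and the current time, per the TOTP standard (RFC 6238, built on HOTP, RFC 4226). The Python below is an added example of both halves of that exchange; it is not the code of Apple, Dropbox, Google, Microsoft or ZDNet. The otpauth URI format and the 30-second step are the common conventions for authenticator apps; the one-step clock-skew window and the in-memory store of used codes are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at) // step, digits)


def new_secret(nbytes=20):
    """Random shared secret created at enrolment (20 bytes, like the RFC test key)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI the authenticator app imports, usually by scanning a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


class TotpVerifier:
    """Server side: checks a submitted code and refuses to accept the same step twice."""

    def __init__(self, secret, window=1, step=30, digits=6):
        self.secret = secret
        self.window = window        # how many neighbouring steps to tolerate for clock skew
        self.step = step
        self.digits = digits
        self.last_counter = {}      # account -> highest counter already accepted (demo store)

    def check(self, account, submitted, at=None):
        at = time.time() if at is None else at
        base = int(at) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0 or counter <= self.last_counter.get(account, -1):
                continue            # already used: a replayed code is rejected
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_counter[account] = counter
                return True
        return False


if __name__ == "__main__":
    key = b"12345678901234567890"      # the RFC 4226 / RFC 6238 test key
    print(provisioning_uri(key, "alice@example.com", "ExampleService"))
    print(totp(key, 59))               # 287082, the RFC 6238 vector for T=59
    verifier = TotpVerifier(key)
    print(verifier.check("alice", totp(key, 59), at=59))   # True
    print(verifier.check("alice", totp(key, 59), at=61))   # False: same code replayed
```

Two details matter on the server side: the comparison uses a constant-time function, and a code that has already been accepted is never accepted again, even though it is still within the time window, so someone who observes a code cannot reuse it moments later.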
Apple ID:
- Log in to My Apple ID.
- Pick “Manage your Apple ID and sign in”
- Select “Password and Security”
- Under “Two-Step Verification,” select “Get Started,” and follow the instructions.
Note: Be aware that when you change your Apple ID to two-factor authentication, it’s a one-way journey. You can only change your password afterwards by using the two-factor method.
Dropbox:
- Sign in to Dropbox.
- Click on your name from the upper-right of any page to open your account menu.
- Click “Settings” from the account menu and select the “Security” tab.
- Under the “Two-step verification” section, click “Enable.”
- Click “Get started” and follow the instructions.
Note: You will need to re-enter your password to enable two-factor verification. Once you do, you’ll be given the choice to receive your security code by text or to use a mobile app.
Google:
- Log in to Google from this link.
- Enter your phone number.
- Enter the code that you’ll get from either a text or a voice phone call.
- Follow the instructions.
Note: You will need to get a new code for each PC or device that uses any Google services. For some services, such as Gmail when accessed on an Apple device or by a mail client or some instant message clients, you’ll also need to set an application specific password.
Microsoft:
- Log in to your Microsoft Account.
- Go to “Security & Password.”
- Under “Password and security info,” tap or click “Edit security info.”
- Under “Two-step verification,” tap or click “Set up two-step verification.”
- Click “Next,” and then follow the instructions.
Note: Microsoft may require you to enter a security code that the company will send to your phone or email before you can turn on two-step verification.
Many other services now offer two-step authentication. Here are ZDNet articles detailing how to set it up on Facebook, Twitter, and Google.