This week, numerous celebrities, mostly female, had their Apple accounts hacked and intimate photos stolen and leaked. There are several things we all need to learn from this.
We don’t know yet exactly what happened, though I’ve heard several theories. One possibility is that the celebrities’ accounts were hacked recently. Another is that someone who’s been collecting these photos through various means was hacked.
The incident probably was inevitable, but it’s also entirely preventable. I can think of three things that led to it. While this discussion may seem purely academic, there are misconceptions many people, famous and not, have and need to get rid of.
It’s not true that nobody is interested in your account–someone wants to comb through it looking for dirty pictures. No matter who you are and no matter where you store your files, someone wants to go through them. Some people may be looking for financial data or something else to help steal an identity. Others are just collecting dirty pictures. This is why it’s necessary to use good passwords and apply security updates.
Because some of the leaked photos were fake, there has been some speculation that someone else has been collecting these photos via various means and had no intention of leaking them, but then that person got hacked. It’s likely to be a while before we know.
Taking intimate photos is always risky to begin with. This ought to go without saying, but once those photographs are taken, it’s extremely hard to maintain control of them. There is absolutely no way to control what anyone else does with a digital photograph. It’s just a file on a mobile device or a computer that can be freely copied and distributed. If it’s stored on a phone, phones can get stolen and their contents dumped. If it’s stored in the cloud, the cloud service can be hacked, like what appears to have happened this time.
Of course, few people ever mention these dangers. Even engaging in this kind of activity with an old-school digital camera that uses an SD card is risky, but far less risky than using a phone.
You must use a decent password. One theory is that the criminals in this case used a flaw in Apple’s service that allowed them to repeatedly to try to guess account passwords, and that’s how they got in. The problem is that passwords that are easy to remember are increasingly easy for computers to guess. But at the very least, use a decent password based on your own secret formula, whether you’re famous or not and whether you have dirty pictures in your account or not.
Typing passwords on a phone onscreen keyboard is a royal pain, so you’ll have to factor that in to your secret formula. But it’s an exercise you need to do–you don’t want someone combing through your files. It’s not hard to find the sensitive stuff quickly in a large pile of files. Give me 26 million files and I can find the one that has a social security number in it. I can also isolate the images and then quickly find the ones that meet certain criteria, like being taken with a different type of camera.
I’m pretty good, but my skills are in no way unique. Bad guys have the same skills I have, so if someone gets your files, they will find what you don’t want them to find.
Oligopoly strikes again. Or at least bad opsec does. This is partly speculation, because we don’t know yet exactly how this collection came to be put together and leaked. But it seems like every celebrity has an Apple phone, doesn’t it? Who knows whether the attackers figured out which celebrities had Apple phones, or if they just guessed, but it sure seems like if a random celebrity is going to have intimate photos stored in the cloud, it’s probably going to be on Apple’s cloud service. And it’s not too difficult to find out what celebrities use Apple products, since you can see whether a tweet was done with an Apple portable device or not.
The more things an attacker has to guess, the harder it is to get it all right. If your device tags all of your tweets and e-mails saying what it was sent from, turn that feature off–especially if it’s something like an Apple device or a Google Nexus that doesn’t have a lot of onboard storage and relies heavily on the cloud. You’re not impressing anyone worth impressing, but you are telling people where your data is stored to make it easier to steal.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.