5 lessons from the celebrity iCloud hack that we should all think about

With the dust starting to settle after the dreadful hacking and posting of various female celebrities’ nude selfies, we’re finally in a position to consider the implications of what happened.

Most of this information isn’t new as such – the episode brought to the fore circumstances and activities that have been around for a while – but there are lessons in there, and it’s time we gave them serious consideration.

1. Some cloud security is unacceptably poor

Apple uses two-factor authentication (2FA) as a protection for Apple ID management and iTunes and App Store purchases, but not for iCloud backups, which is where many of these pictures originated. Even where the company does employ 2FA, it doesn’t exactly make it easy. What’s more, as Nik Cubrilovic wrote in his excellent in-depth analysis of underground marketplaces and forums, Apple makes it far too easy to execute so-called brute force attacks on its iCloud login system.

By testing out various email addresses as he tries to set up a new iCloud account, the attacker can easily tell whether or not they’re already associated with an existing account. If he’s already got the target’s email address and date of birth, and has used social engineering or other means to learn likely answers to the target’s security questions, he has everything he needs to reset the password and log into the real account.

So when Apple said the attack wasn’t a “breach” of its iCloud systems, it was really saying the security wasn’t any weaker than the company already knew to be the case. There is clear room for improvement, perhaps using the time-based one-time password algorithm (TOTP) that Google deploys quite successfully in its Authenticator 2FA app.

That said, security is generally in a bad place right now. We should all use strong passwords and long random strings for our security answers, but they’re a pain to remember and they’re not exactly mobile-friendly. Biometrics may help here, though if you have a very determined attacker they’re not foolproof either.

2. Celebrities aren’t the only targets

It seems to be the case that the hundreds of photos and videos published online came from a compilation of files that people had bought in a more scattered fashion in various marketplaces — hackers show censored previews of hacked pictures on these forums, then send the uncensored versions after their customers pay them.

The thing is, we’re not just talking about actresses, singers and models. Creeps show up on these forums asking people to hack someone they know, giving them the Facebook profile links and other information they know through personal interaction with that person, to help them do this. Both the requester and the hacker end up with copies of the hacked data.

As Cubrilovic wrote: “This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data.”

I’ll admit that, when the news of the big celebrity hack broke earlier this week, part of me thought the victims should be taking extra precautions because of their public prominence. This was the wrong approach. Anyone can be a target of these attacks – and they’re no less violated if the stolen material only finds itself in the hands of a few creeps, rather than the wider public. This is everyone’s problem.

3. Cop-grade tools are out there in private hands

Andy Greenberg at Wired wrote a great piece on a software tool called the ElcomSoft Phone Password Breaker (EPPB), which is distributed by a Russian security outfit. It’s supposed to be for law enforcement officials and intelligence agencies, but ElcomSoft happily sells it to individuals as well (bootlegs can be found for free, too).

EPPB allows a hacker to impersonate the target’s device and download its full backup – an even more dangerous scenario than being able to sneak into someone’s iCloud account. Even ElcomSoft chief Vladimir Katalov, speaking to the BBC, reckons his tool was used to glean some of the celebrities’ nude selfies.

The implications of the free availability of tools like EPPB are very serious. For one thing, the situation shows how the intrusive capabilities of much modern law enforcement may spin out of control – it’s very hard to ensure that this power stays in the “right” hands. By extension, it follows that adequate protection against such techniques, which may be necessary to keep the creeps out, will also stymie law enforcement and intelligence agencies to a degree. Which brings us to the next point…

4. Maybe we need to reconsider our backup mania

The falling cost of storage and bandwidth makes it a no-brainer to back up everything, all the time and forever. Perhaps too much of a no-brainer. Do we really need to store everything in this fashion?

The problem with taking this approach is we forget what we have. Even speaking as someone who doesn’t back up much stuff in the cloud (yeah I’m one of those guys), the falling cost of external hard drive space has led me to have multiple copies of who-knows-what stored in nested directories across multiple devices. In the case of years’ worth of photos, that’s generally a good thing, but even then I know I’m keeping way more than is necessary. I just can’t be bothered to sort through it to establish what’s necessary and what’s not.

This is the modern approach but it may not be a smart one, particularly when it comes to the cloud. Because, even if Apple and all the other providers stick decent 2FA on their login systems, a truly determined attacker with sufficient resources will probably still find his way through. This comes down to simply having less data out there that could be stolen, and I’m not sure of the best way to achieve such a thing – user education may be part of it, but it’s really down to the systems that enable such permanent, indiscriminate memory by default. Perhaps they should encourage a more granular, choosy approach.

Speaking for myself, I know there’s a lot of data I’ve created that I’d rather see disappear than fall into the wrong hands.

5. Decentralization may help

I’m not going to harp on too much about this because I regularly do so anyway, but throwing all your eggs in one basket is generally going to make them less secure. It’s unlikely that Apple’s iCloud was the only place from which all these photos and videos were purloined, but it does seem to have been a major source.

A tool like EPPB is only as useful as it is because so many people use the same system with the same front door – if you have a decentralized model with federated systems that plug into one another, but are stored on a mix of providers’ and self-hosted servers, the hacker’s job is made that much harder.

However, while decentralized systems are getting there, they’re not yet ready for mass adoption. In the meantime, as Cubrilovic recommended, people should use a private email address that even friends don’t know about for their sensitive online accounts, such as those for banking or cloud storage, then use a different email address for more social activities. Compartmentalizing your online identities is one protective step you can take today.