The massive iCloud hack that exposed photos of female actresses stored in their personal Apple accounts, has left many—including myself—scrambling to change their passwords.
Some speculated that the hack was due to a vulnerability in Apple’s Find My iPhone feature, with which hackers used a “brute force” attack to guess the passwords on celebrities’ accounts, The Next Web reported.
Apple has since denied those reports, instead claiming it was a “very targeted attack” on usernames, passwords, and security questions—the keys to nearly any online account.
If celebrities can be attacked, so can you. So what can you do?
Understand The Cloud
Strong passwords are just one way Internet users can protect themselves from having their data stolen by malicious attackers. And photos aren’t the only things we have to worry about. Everyone tut-tutting actresses for taking risqué photos should think twice about where their personal data is stored. Oh, that’s right—it’s in the cloud, too.
The thing about “the cloud,” is that no one really understands it. It’s a deliberately vague term for computer servers you access over the Internet.
Remember the scene from Zoolander when Owen Wilson’s character suddenly has an epiphany that “the files are in the computer”—and then tears open the machine looking for them? When it comes to the cloud, our understanding hasn’t improved much.
Even CNN doesn’t know how to explain the cloud to viewers. It ran a story with the lower third “Leaked Nude Pics May Be From The Cloud.”
Cloud servers are like any computer: You can put files on them, and access them later. Since they’re on the cloud, you don’t have to have access to a physical device, or worry about how much space your laptop’s hard drive has, since cloud servers typically have far more space than our own personal machines do.
The tradeoff for this convenience is security. If you can access your files using a username and password, so can anyone else who gets ahold of your credentials. And you have to rely on those companies to implement smart versions of the latest security protocols.
Cloud storage service likes Dropbox, Box and Google Drive make it simple to save and share files. iCloud, Apple’s cloud storage, automatically backs up your information like photos and documents, in case your phone or laptop needs to be replaced.
We have a fundamental expectation of privacy and security when using these services, especially when a company is automatically backing up the information to its servers. But that expectation can fail us.
Find The Right Cloud Storage
It’s hard to completely secure your cloud storage without jumping through a lot of hoops, which we’ll get to shortly. But the first step is figuring out where you want your documents to be stored.
Don’t sign up for new cloud services without researching it. That includes reading the privacy policies of any company you agree to give your data to. Do they have encryption built in? Do they give your data to governments when requested? Do they control their own servers, or do they rent out servers from other companies? (Dropbox and Apple, for example, both use Amazon’s servers for a portion of their online services.)
If security is your top priority, you might consider services like SpiderOak, which automatically encrypts all your data and prevents even the company from knowing what you’re uploading. But that means giving up the ease of sharing files with friends through Dropbox or collaborating with colleagues using Google Drive.
For most of us, convenience usually wins out. You should at least know that you’re making that tradeoff, however.
Use Secure Passwords
According to Apple, the hackers targeted usernames, passwords and security questions, which are the first lines of defense for users.
Simply changing an “S” to a “$” does not make your password secure—especially if you recycle that password from site to site. Hackers attack less secure services and harvest usernames and passwords—and then try them on other services.
Adding unique characters along with letters and numbers is smart, but so is using passwords that are hard, if not impossible, to guess. The best passwords are a collection of random letters, numbers and punctuation, without any words you’d find in the dictionary. And each online account should have a different, complex password.
Does that sound impossible to keep track of? It pretty much is, unless you get some computerized assistance. Password managers like 1Password andLastPass provide a way to save and manage passwords, and you can carry and access your data on multiple devices.
Enable Two-Step Verification
If someone is trying to illegally access your personal information from the cloud by using your password, you might not realize it—unless you have two-step verification enabled.
With two-step verification, it’s necessary for you to input two different pieces of data in order to access your personal information. Typically, that’s your password and a different code sent as a text or generated by an app on your mobile device. The code will change each time you log in.
Two-step verification can be frustrating and time-consuming, which is why many consumers elect to ignore it. But it saves you from having to clean up the potential mess a hacker could make with your credit card information or naked pictures stolen from the cloud.
Google, Dropbox, Apple, Box, Amazon Web Services and Microsoft are just some of the companies that offer two-step authentication.
Encrypt Your Files
If you’re not using a service that automatically encrypts your files, like SpiderOak or Mega, you may want to encrypt them yourself.
Google, Dropbox and Microsoft don’t offer file encryption as a built-in feature. While they may encrypt your transmissions between data centers, once you’re logged in, the files are available in unencrypted form. Most consumers don’t request it, because it can be difficult to use, and encryption can be complicated for companies to enable, according to Wired.
Imagine Google Drive with no search capabilities, or Dropbox with no preview. None of those features would work with encrypted files, because they’d be unreadable by Google and Dropbox’s server software. And if Google doesn’t have the encryption keys it can’t help you out if you lose a password.
Boxcrytor and Viivo both offer DIY cloud encryption, which means you can encrypt all your files before uploading them to the cloud. These companies won’t have access to your secret keys to decrypt files, which means your data is safe from prying eyes that don’t have access to your unique key.
Ultimately, we’ll need better forms of protection. Apple’s TouchID fingerprint sensor is an interesting example of authentication using biometrics, or physical aspects of our bodies. PayPal’s Braintree aims to detect fraud by looking at information about how we’re using our mobile phones at the time we make a transaction. Companies are using sophisticated behavioral modeling to detect hackers on their networks: Perhaps one day, we’ll be protected by similar technology that can tell through the way we tap on our phone’s keyboards or the time of day we access our devices that we are who we say we are.
Until then, we’re left changing our passwords, enabling two-factor verification, and hoping for the best.