Celebrity hacks: How to protect yourself in the cloud
- 2 September 2014
- From the section Technology
The release of hundreds of intimate images of celebrities has raised questions about the security of the online services used to share many of the snaps.
It has also got many people wondering how they can avoid becoming a victim in a similar way. What steps can they take to protect those images and stop them being pilfered and shared?
"Choose better passwords," says Oliver Crofton, a founder of Select Technology Concierge that provides secure tech services for the rich and famous.
"From experience with incidents in the past it typically comes down to weak passwords."
Using a password that is easy to guess or sharing one among different services can give attackers the edge they need to break into someone's many other social media and online accounts.
"They get into the email addresses associated with that individual and then they intercept a re-set request and log in," he said.
Mr Crofton says at least once a month a Select client will call saying they have had a "strange re-set request" that is probably evidence of an attempt to get at their online life.
Such attempts aimed at either the famous or ordinary user can be thwarted by plumping for services that use two-factor authentication, said Ken Munro, a security expert from Pen Test Partners.
These systems use a separate channel, such as a text message sent to a mobile phone, to send a code that must be entered whenever an account is accessed from a new location or device.
"Unless someone has directly compromised your box then it's tough to catch out," says Mr Munro.
Common sense should also be exercised when people are exchanging intimate images, he said.
"It's reasonable to expect to have some degree of privacy online," says Mr Munro. "But if you do not want people to see it then maybe you should think more about the controls you put around it."
Working out a password chosen by a public figure can be straightforward because so much of their life is public, adds Mr Crofton.
Because fame can arrive very quickly, information that was once private by dint of being obscure can suddenly become accessible to the public via gossip sites.
"We do a lot of work with footballers and those guys' lives can be transformed overnight by a transfer deal," he explains.
"Security is one of the last things they think about.
"There are advisors around these people to talk about tax and banking and physical security but they do not worry about data."
By the same token, scrutiny of anyone's online life can give lots of clues about the words they may be using for passwords.
The names of children, pets, sports teams and sports stars are all favourites judging by the words found on lists of top passwords regularly shared online. These can also be the answers to the secret questions many services demand people answer before starting the re-set process.
However, says Mr Crofton, there are cases when attackers go to extraordinary lengths to dig out passwords.
"There was a similar case about 18 months ago involving a password that a hacker had got by scraping the webpages related to their partner's business and managed to get the combination from that," he says.
James Lyne, chief security researcher at Sophos, says a "strong" password contains at least 14 characters. However, he says that getting people to use passwords this long is a challenge.
"It would be nice if we could get most of the population at least as far as eight characters," he acknowledges.
In addition, says Mr Lyne, recycling passwords across sites or using the same one with only minor variations presents little challenge to attackers.
Another step is to regularly review the permissions granted to apps downloaded to a phone.
Many of the celebrities caught out may not have known that their phone was uploading images to the net, suggests Mr Lyne.
Stopping apps from uploading data automatically is a great way to add a layer of defence and prevent inadvertent sharing, he adds.
Chris Boyd, a veteran security researcher from MalwareBytes, says there are further easy steps people can take to stop private data becoming public.
"First and foremost, people need to get into the habit of removing photos from a phone and then, on a regular basis, putting them on an external hard drive," he says.
Encrypting that hard drive would then prevent individual files being accessed even if that drive goes missing.
Checking that the images had been properly deleted on the phone is crucial too, he says,
"It's no good having them secure in your left hand but easy to access in the right."
Wiped but not gone
In addition, he says, it is worth people familiarising themselves with the policies of the cloud-based services they use.
Deleting a file that has been uploaded may not mean that it has gone, he explains, and some even offer the chance to "undelete" supposedly trashed files.
Such a function could be a boon to an attacker.
"That's great if you accidentally deleted something you meant to keep," he states.
"But not if it's something private you want gone."