If you haven’t already heard about the celebrity iCloud breach … you probably aren’t reading this post. But just in case you need a refresher, Jennifer Lawrence and a handful of other female celebrities had compromising photos exposed. Read the full story on Ars Technica if you want true depth.
## First question is, whose fault is it?
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.”
Ars Technica author Sean Gallagher interprets this statement in an interesting way in his write-up:
Apple is, in essence, blaming the victims. Or at least, their security questions and passwords.
I could not disagree more. Even though a small number of accounts were compromised, millions more were not. The most important thing Apple has to do is put all of its other users at ease by letting them know that there is no breach. Then Apple reps can use this opportunity to educate everyone on security best practices.
Apple absolving itself of responsibility is not blaming the victim. The “if you don’t want it public, you shouldn’t have put it on the internet” attitude is what blaming the victim looks like. If Apple said iCloud is not intended for sensitive information and this was made clear in the user agreement, that would be blaming the victims.
APPLE DOES NOT REPRESENT OR GUARANTEE THAT THE SERVICE WILL BE FREE FROM LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE DISCLAIMS ANY LIABILITY RELATING THERETO.
~ APPLE EULA
Apple didn’t say that. That position doesn’t convey the kind of trust that is needed to hold on to millions of customers. Not to mention, it would be in very bad taste. Using this theft as a demonstration of the importance of two-factor authentication and good password habits is exactly the best way to handle it.
## Second question is, what should you do?
Automatically backing up all of your photos in the cloud is a relatively new concept. You are already putting a considerable amount of trust into Google, Apple, Amazon or whatever it may be, and they are responsible for making sure the storage is secure. This is a fine line though, because you still need access to it. Making sure no one masquerades as you has to be your responsibility.
You could simply opt out and turn off auto backing up your photos. If you are going to make a habit of taking photos you don’t want anyone seeing, that might be the best option. However, unless you are a high-profile celeb, probably no one is after them. Which means your privacy is mostly in your own hands.
Try to remember how many times you have had to use the “Forgot my password” feature on a website. The more of a headache it is, the more difficult it is for a thief to cheat your password. There is a point where it isn’t worth inconveniencing so many people with difficult security measures. Most of the time it is just an email. You need strong passwords for all important services, and the password on your email needs to be impossible.
- Mother’s maiden name
- Name of first pet
- Name of elementary school
- City of birth
- Best friend’s name
Forget about those. Anyone with any determination can easily answer all of them, unless you are being deceptive (you should be!).
The answer is two-factor authentication. I cannot stress it enough. If you don’t have this set up on your most important accounts, I strongly encourage you to turn it on right now. Other than not using a service, this is the single strongest precaution you can take against a security breach.