Recent hacking incidents have highlighted the importance of securing your online storage accounts. While many are saying that you shouldn’t host anything sensitive in the cloud, and that you’d be more secure keeping your data on your own computer, few people could claim to have better knowledge and experience in Internet security than the engineers at Google, Dropbox, Microsoft and Apple.
Let’s review the recent cloud storage hacks – and how you can prevent them happening to you.
How the attack likely played out
The talk in the media and on the Internet is that a team of hackers compromised more than 100 celebrities’ cloud storage accounts. If there were a lot of people working on the attack, it’s hard to believe pictures weren’t leaked earlier.
Many in the media have assumed that each celebrity was targeted individually, which is doubtful. Their e-mail addresses are obviously secrets in themselves, and it’s unlikely someone on the ‘outside’ obtained so many of them. In all likelihood, one account was compromised, with a backed up iOS/iCloud phone book leading to more e-mail addresses being discovered and targeted for hacking in a cascading effect.
Apple’s iCloud is copping most of the blame. It’s unclear if all of the compromised accounts were actually using iCloud, as several of the pictures reportedly show Android phones in mirror selfies. It’s also possible that the celebs previously used iPhones and iCloud, and have re-used their password on other cloud storage services, which were then compromised.
Although iCloud wasn’t technically breached, Apple has some explaining to do as to why a hacking tool called iBrute was able to brute-force iCloud accounts with hundreds or thousands of attempts without the system triggering safeguards such as locking the account after a number of failed attempts or blocking the attacker’s IP address.
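The safeguards the paragraph describes, locking an account after a run of failed logins and blocking an address that keeps failing across many accounts, are straightforward to implement on the server side. The following Python is an added example, not code from this article or from Apple; the log format, the account names, the addresses and the thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy thresholds (constructed for the example, not any real service's settings)
ACCOUNT_FAIL_LIMIT = 5           # failed logins on one account before it is locked
IP_FAIL_LIMIT = 8                # failed logins from one address, any account, before it is blocked
WINDOW = timedelta(minutes=15)   # failures older than this no longer count

# Constructed sample login log: "<ISO timestamp> <account> <client ip> <OK|FAIL>".
# The first address hammers one account six times, then sprays four more accounts.
SAMPLE_LOG = """\
2014-09-01T10:00:01 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:02 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:03 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:04 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:05 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:06 alice@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:07 bob@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:08 carol@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:09 dave@example.invalid 198.51.100.7 FAIL
2014-09-01T10:00:10 erin@example.invalid 198.51.100.7 FAIL
2014-09-01T10:05:00 bob@example.invalid 203.0.113.9 FAIL
2014-09-01T10:05:30 bob@example.invalid 203.0.113.9 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line):
    """Split one log line into (timestamp, account, ip, success)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, account, ip, result = m.groups()
    return datetime.fromisoformat(ts), account, ip, result == "OK"


class LoginGuard:
    """Tracks failures per account and per source address inside a sliding window."""

    def __init__(self):
        self.account_fails = defaultdict(deque)   # account -> timestamps of failures
        self.ip_fails = defaultdict(deque)        # ip -> timestamps of failures
        self.locked_accounts = set()
        self.blocked_ips = set()
        self.rejected = []                        # attempts refused without a password check

    @staticmethod
    def _prune(times, now):
        while times and now - times[0] > WINDOW:
            times.popleft()

    def observe(self, now, account, ip, success):
        """Return True only if the attempt is both permitted and successful."""
        # Refuse up front: a locked account or blocked address gets no password check,
        # so the caller learns nothing about whether the guess was right.
        if account in self.locked_accounts or ip in self.blocked_ips:
            self.rejected.append((now, account, ip))
            return False
        if success:
            self.account_fails[account].clear()   # a real login resets the account counter
            return True
        acct, addr = self.account_fails[account], self.ip_fails[ip]
        self._prune(acct, now)
        self._prune(addr, now)
        acct.append(now)
        addr.append(now)
        if len(acct) >= ACCOUNT_FAIL_LIMIT:
            self.locked_accounts.add(account)
        if len(addr) >= IP_FAIL_LIMIT:
            self.blocked_ips.add(ip)
        return False


def audit(log_text):
    """Replay a log through the guard and return it for inspection."""
    guard = LoginGuard()
    for line in log_text.splitlines():
        if line.strip():
            guard.observe(*parse_line(line))
    return guard


if __name__ == "__main__":
    g = audit(SAMPLE_LOG)
    print("locked accounts:", sorted(g.locked_accounts))
    print("blocked addresses:", sorted(g.blocked_ips))
    print("attempts refused outright:", len(g.rejected))
```

Replaying the constructed log locks alice’s account after the fifth failure, blocks the first address once it has failed eight times across several accounts, and lets bob log in later from a different address. Two caveats a practitioner would add: a per-account lockout can be turned against the legitimate owner, who gets locked out by someone else’s guessing, so real deployments usually prefer escalating delays plus notification over a hard lock, and an address block is only a speed bump because addresses are easy to rotate. Neither replaces two-factor authentication.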
Once iBrute had cracked a password, or an individual had been spear-phished through a targeted e-mail that tricked them into logging into a page replicating the look of an Apple ID screen, a Russian tool sold for “law enforcement purposes”, EPPB (Elcomsoft Phone Password Breaker), would have been used to download a complete backup from iCloud to the hacker’s iPhone. You can read more about EPPB at: http://www.wired.com/2014/09/eppb-icloud/.
For a more technical analysis of the attack, check out a post by Australian information security consultant Nik Cubrilovic at: https://www.nikcub.com/posts/notes-on-the-celebrity-data-theft/
Security should be thought of as a layered approach. Most people are just one layer away from being compromised – their password.
If all your various cloud accounts are linked to your one main e-mail account, and it’s compromised – it’s game over. Password resets will be run on all your accounts and services, and the hacker will capture everything.
With cloud services, in most cases you just need a username and password to access an account. Most people don’t consider their username to be a secret, and it’s usually just their e-mail address, which may be easily found or well known. To add an extra layer of security, you should use a secret e-mail address for each service. This e-mail address should be known only to you, and never told to anyone. With this layer of security through obscurity, your opponents will have a hard time hacking your accounts if they can’t even identify which one is yours.
If you own your own Internet domain, it may seem convenient to set up addresses such as ‘dropbox@yourdomain…’ or ‘AppleID@yourdomain…’, but that is predictable and identifies the owner of each account at the same time. If you use your own domain, use something less service-identifying at the front. Using your own domain could also open up another attack vector, although it probably isn’t the most significant of risks (unless your adversaries are significantly professional).
[Side note: Sadly, neither Google Apps nor Outlook.com (Microsoft) provide free e-mail domain hosting anymore.]
Since the e-mail address for each account should not identify the service it is for, and ideally not who owns it either, you should use a webmail account such as GMail. You get bonus security if you enable 2 Factor Authentication on those accounts. For your main e-mail account, you really must use 2 Factor Authentication.
You may not have had security as your prime concern when you set up all your cloud service accounts, but you can still fix this and retrospectively add security to your existing accounts.
The following links will give you step-by-step instructions on how to change your e-mail address for some popular cloud services:
Change your Apple ID to a different e-mail address
Change your Dropbox e-mail address:
Change your Box account e-mail address:
ALL of your passwords should be unique and never reused across different services, and they should be complex enough that they cannot be brute forced. If you take my advice, you’re going to have a lot of new passwords.
For further advice on how to pick a strong password, Google has published some details at: https://www.google.com.au/goodtoknow/online-safety/passwords/
For most of your services, other than initially entering your password on your devices, you rarely need to enter your password again. The one exception to this is your Apple ID, which you frequently need to enter when you install apps on your iPhone or iPad. You’ll have to come up with a password you’ll still remember without having to go into your password database all the time. If you’re using a secret e-mail address for your Apple ID, as described earlier, this will assist with your security level.
Get a password manager that will store all your passwords in an encrypted database. You want to secure this with a passPHRASE. There are many different programs out there. Make sure you back up your database, and consider using one where you can store your database in cloud storage, so you can access your passwords from multiple devices and keep the database current at the same time.
Password reset questions are also fraught with danger. Questions such as your mother’s maiden name and the name of your first pet are not difficult to crack. If you enter random data into these fields, you may want to note it in your password database so you don’t have too much difficulty accessing your accounts.
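Two pieces of advice above, unique high-complexity passwords and random data in the reset-question fields, come down to the same routine: generate from a cryptographic random source, never reuse, and record the result in the password database. The following Python is an added example, not code from this article or from any password manager; the word list, the service names and the ‘before’ store with a reused password are constructed for the demonstration.

```python
import math
import secrets
import string
from collections import defaultdict

# Printable ASCII minus space. Some services reject certain punctuation; adjust per site.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini word list for reset answers. A real list has thousands of words;
# entropy_bits(4, len(WORDS)) shows why twelve words are far too few in practice.
WORDS = ["copper", "lantern", "orbit", "velvet", "glacier", "mosaic",
         "saffron", "harbor", "quartz", "meadow", "pylon", "tundra"]


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets); one per service, never reused."""
    if length < 12:
        raise ValueError("too short to resist offline brute force")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_reset_answer(words=4, wordlist=WORDS):
    """Random 'answer' for a reset question such as mother's maiden name.
    It has nothing to do with the real fact and must be noted in the password database."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given guess rate, in years."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def find_reuse(store):
    """store maps service -> password; return {password: [services]} for any used twice."""
    by_password = defaultdict(list)
    for service, password in store.items():
        by_password[password].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}


def build_store(services, length=20):
    """Fresh random password per service, the way a password manager would generate them."""
    return {service: generate_password(length) for service in services}


if __name__ == "__main__":
    # Constructed 'before' store: one password reused across three services.
    before = {"email": "Fluffy2014!", "icloud": "Fluffy2014!",
              "dropbox": "Fluffy2014!", "box": "otherpw99"}
    print("reused before:", find_reuse(before))
    after = build_store(["email", "icloud", "dropbox", "box"])
    print("reused after regeneration:", find_reuse(after))
    bits = entropy_bits(20, len(ALPHABET))
    print(f"20 chars from {len(ALPHABET)} symbols: {bits:.0f} bits")
    print(f"40-bit password at 1000 guesses/s: {years_to_exhaust(40, 1000):.1f} years")
    print("reset answer to record in the database:", generate_reset_answer())
```

The reuse check is the part worth running against your own export: one shared password turns a breach at the weakest service into a compromise of every account that shares it, which is exactly the cascade described earlier in the article. The entropy figures are for uniformly random strings only; a memorable Apple ID password chosen by hand will have far fewer bits than its length suggests, so keep it unique and behind a secret address as the text recommends.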