It's likely that you have heard about the recent celebrity photograph hack incident, where the private photographs of numerous celebrities were stolen and leaked on the Internet. It is reported that the photo hack stemmed from a criminal either breaching the iCloud system or hacking stars' personal account usernames and passwords.
Although the attacker responsible for this crime was clearly targeting celebrities, it is important for parents to know that these kinds of breaches can happen to anyone. Learn about how to secure both account usernames/passwords and the iCloud service.
The Cause of the Celebrity Photo Breach
There is a dispute regarding the source of the hack and this, in itself, is an indicator of how tricky security can be. The photos were obtained from Apple's iCloud service, but the exact nature of the iCloud breach remains in question - Apple maintains that the pictures were obtained through targeting usernames and passwords, but others suggest there was a more fundamental breach of the iCloud.
In reality, for the purposes of many people, the source of the hack is a secondary consideration - both methods are entirely plausible and whichever was used here, either could be used in the future. In consequence, to ensure security of things such as pictures, both factors should be given consideration. Parents seeking to ensure their children's privacy should take steps to ensure both that usernames and passwords are secure and robust, and that a future iCloud breach has only limited information to steal anyway.
It Can Happen to Anyone
Regardless of the way the breach occurred, it is important for parents to know that iCloud or password hackers don't just attack celebrities. Many people of all ages have been victims of similar digital attacks.
About a year ago, SEOSocial Co-Founder Orun Bhuiyan investigated a similar breach in which his sister, who was 17 years old at the time, had personal photos hacked from her iCloud.
Bhuiyan says of the incident:
The photos were posted on a message board with a lengthy domain. This board essentially consisted of teenagers in rural areas guessing login data of attractive girls in their locale. Urban areas didn't have nearly as much activity as their rural counterparts which I found very unusual.
Based on their communication, I figured out that they weren't compromising passwords at all, they were resetting them using security questions. I always found security questions somewhat insecure, and it makes sense that for small towns, this approach is especially effective because everyone knows a great deal about everyone in small towns—and perhaps even more so in high schools within small towns.
The attackers—who weren't adept at computer security at all—followed a methodology that looked something like this:
1. An attacker identifies a girl from their high school. They post this on the message board and tell others that this person is a good candidate. Usually girls who had been with their boyfriend for an extended period of time (and therefore probably sent a certain genre of photo to their boyfriend) were popular targets.
2. The attacker lists out the iCloud and email accounts of the target and her boyfriend, retrieving security questions from each service. They post the questions on the message board.
3. Message board users collaboratively answer the question: "Oh, yeah, I know that one, his first car was a blue Volkswagen Golf". Eventually, they guess enough passwords to compromise one account.
4. At this point they either directly have access to iCloud or have access to an email service like Gmail which they use to reset the iCloud password. They access the iCloud photostream and download any iPhone/iPad photos they like, posting them on the message board.
Luckily, Bhuiyan was able to track down the perpetrators involved and report the activity to police. The case involving Bhuiyan's 17-year-old sister shows how disturbingly easy it is for people who aren't particularly tech-savvy to access this kind of information.
What Parents Can Do
Securing the iCloud: The iCloud works by storing information somewhere other than the user's phone or computer, and presenting it when desired. This does have advantages, such as requiring a less powerful device on your part, saving your computer memory for other things, and letting you access the desired files from any Internet-connected location.
The big downside, obviously, is the security risk. As these files are kept elsewhere, their security is not entirely within the control of the user. The most secure solution: Ensuring that an iCloud doesn't have anything sensitive to steal.
- One possible measure is to add an extra layer of your own encryption to files. Some programs such as Adobe Acrobat and Office have this feature themselves, and there are programs out there like Boxcryptor which can encrypt many kinds of files. Nevertheless it bears mentioning, and should be repeated to your children, that there is no such thing as perfect security, and any measures can eventually be foiled by a determined enough hacker.
- Make sure that your kids' phones are set to appropriate options. The most important of these is to ensure that the option to automatically upload pictures to the cloud is turned off. They will still be able to upload things, but as it will not happen automatically, there will be a degree of removal before anything potentially sensitive is put on the iCloud.
Username and Password Security: Another big part of security against an iCloud breach, and indeed a part of all computer security, is to make sure that your kids have usernames they do not share, and passwords which are robust and difficult to guess (and obviously, which are also not shared). Usernames are generally easy to discover, but there is no reason to make things any easier for hackers, so teach your kids not to share their username with others.
Passwords are a different matter because they can be the weak link in the chain or they can be a huge obstacle to unauthorized access. Follow some of these password guidelines and go over them with your children so they understand what sort of thing to think about when coming up with a password:
- First avoid anything on a list of most common user passwords - sequences of numbers like 123456, names of family members or pets, or the word "password" itself should all be avoided.
- Don't make a password too short. Generally eight characters is considered the minimum for security.
- Lowercase and capital letters matter in passwords, so mix both in.
- Adding numbers to the password is also a very good way to improve security, though try to avoid things like birthdays.
- Ideally you would choose a series of numbers and letters that don't spell out anything - something like "ix5SgB2QEn6".
- It's important to use different usernames and passwords on different sites.
Talk with your kids about these guidelines and help them to understand them. Secure passwords can be daunting and many people use just one or two across their entire Internet presence. This is a great way to find yourself compromised by hackers, so do your best to avoid such practices and to teach your children to avoid them too.
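The guidelines above expressed as a small Python check, together with a generator for random strings in the style of "ix5SgB2QEn6". This is an added example, not part of the original article; the short common-password set, the date heuristic and the function names are constructed for illustration.

```python
import re
import secrets
import string

# Constructed sample of widely used passwords; a real check would load a much larger list.
COMMON = {"123456", "password", "qwerty", "111111", "letmein"}
ALPHABET = string.ascii_letters + string.digits


def check_password(pw, personal_words=()):
    """Return the list of guidelines a password breaks (empty list means it passes)."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON:
        problems.append("common password")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and capital letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    # Names of family members or pets, supplied by the caller.
    if any(w.lower() in lowered for w in personal_words if w):
        problems.append("contains a personal name")
    # Assumed heuristic: a year between 1900 and 2099, or a run of 6 to 8 digits,
    # is treated as a birthday-like number.
    if re.search(r"(19|20)\d{2}", pw) or re.search(r"\d{6,8}", pw):
        problems.append("digits look like a date")
    return problems


def random_secret(length=11):
    """Draw letters and digits from the OS random source until every check passes."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "password", "Rex2009abc", "ix5SgB2QEn6"):
        print(sample, "->", check_password(sample, personal_words=["Rex"]) or "ok")
    print("generated:", random_secret())
```

Generate a separate value for each site rather than reusing one, in line with the last guideline in the list.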
Additionally, ensure that the security questions and answers chosen for accounts are difficult and known only to yourself or your child. If the selection of security questions is limited only to questions that others could potentially know the answers to, invent an answer to one of the provided questions (just make sure that it is something you will remember later).
Internet security will likely never be completely perfect, but with proper preparation and obedience to the best security practices, it is possible to make things so difficult that most hackers simply won't bother, and any who do will have a hard time breaching your security.