JUDY WOODRUFF: The latest Internet data breach, this time of intimate celebrity photos, is setting off concerns once again, now involving popular online storage systems known as the cloud.
A cache of nude photos, including of Oscar-winning actress Jennifer Lawrence and others, were posted to online bulletin boards over the weekend. It’s not clear who hacked the photos of the celebrities or who posted them.
Today, Apple said the attacks were not from a general breach of its cloud or phone systems.
Instead — quote — “Celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions.”
So, for more on all this, we turn to Dmitri Alperovitch. He’s co-founder and chief technology officer of CrowdStrike. That is a cyber-security firm. And Sean Gallagher, he is the Internet technology editor at Ars Technica. That’s a Web site for tech news and information.
And we welcome you both to the program.
Dmitri Alperovitch, to you first. What do you think happened here, in this instance?
DMITRI ALPEROVITCH, CrowdStrike: Well, we know a couple of things.
We know that those celebrities were taking pictures and videos with their phones, for their iPhones, and they were using iCloud to back up that data through Apple servers. And what we now know is that someone was able to breach those iCloud accounts and download all the intimate photos and other information that was stored on those accounts, which may also include text messages, e-mails, contact information, voice-mails, and lots of other data.
JUDY WOODRUFF: Sean Gallagher, what would you add to that in terms of how this was pulled off?
SEAN GALLAGHER, Ars Technica: Well, this is the same sort of hack that’s happened frequently with celebrities’ devices.
There have been a number of attacks over the last few years, including one in 2011, when Scarlett Johansson’s phone was hacked, where the attacker has used personal information to sort of get access to the security questions that are associated with the account, so that they can take over the account and get access to the contents of it.
JUDY WOODRUFF: And staying with you, Sean Gallagher, so what questions does this raise about the so-called cloud? And, by the way, remind everybody what the cloud is. It’s not actually a cloud. What is it?
SEAN GALLAGHER: Right.
Well, the cloud is computers in a data center attached to the Internet. In this case, they were computers at a data center owned by Apple. Also, there was data stolen from devices that were on Amazon — pardon me — on Google’s cloud.
And they are basically connected to your device through the Internet, shielded from direct access from the Internet, other than through specific application interfaces. So they’re basically just computers sitting in a data center that are accessible from the Internet from your device.
JUDY WOODRUFF: And, Dmitri Alperovitch, are these — so should this — should we have expected that whatever’s in the cloud is secure and can’t be reached by somebody else?
DMITRI ALPEROVITCH: Well, the problem really is the password that you use to protect that data.
So, in the case of those celebrities — and we work with a number of them here at CrowdStrike — we know that the passwords they use sometimes make you wonder what they’re thinking. It’s names of their dogs that they then reveal in their interviews. It’s their birthdays, things that are really easy to guess. Once you have that password, you can access all the data and download it.
JUDY WOODRUFF: So what does that mean for everybody else who — we’re all downloading and putting things, storing things — or not all of this, but many of us — storing things in the cloud. Does this mean that nothing is secure?
DMITRI ALPEROVITCH: Well, again, it depends on how you use it.
And what’s important about this hack is that information that was leaked was about those 100 celebrities. But, in reality, we know that for several months you have individuals on these forums that were trading information about private individuals, ex-wives and girlfriends and other people that stalkers may want to get access to their data.
And we know that, if you’re not using a secret password, someone can get access to that data.
JUDY WOODRUFF: So, Sean Gallagher, what is the — what are some of the lessons for the rest of us?
And I just want to say that, today, there was another data breach announced. Home Depot announced that it has seen…
SEAN GALLAGHER: Right.
JUDY WOODRUFF: … a credit card breach last week. One of the major banks announced a breach. What are we seeing? This is becoming a regular occurrence.
SEAN GALLAGHER: Well, these are two different types of things happening for essentially the same reason.
The attacks on Home Depot and on J.P. Morgan were very sophisticated attacks. They took a very long period of time to carry out, and they were targeting where the money was. In the case of Home Depot, it’s similar to what happened with Target. They went after their point-of-sale systems to get access to credit card information.
What — the similarity between these two things is that both these systems have unexpected connections to the Internet. People who use their cell phones don’t expect necessarily for the data on their cell phones to be replicated up to an Internet-connected device. It’s something that a lot of people don’t think about when they use these things.
With point-of-sale systems, you don’t expect them to be connected to the Internet either, but those networks that those systems hit on, they’re all connected to the Internet.
JUDY WOODRUFF: And this is something I think some of us are learning.
So, Dmitri Alperovitch, Apple says that it’s now fixed this weakness in its security. So, does that mean people should be reassured? And we have talked about Google’s cloud. What are we really dealing with here in terms of how much more conscious all of us need to be about what we put online?
DMITRI ALPEROVITCH: Well, it’s important to understand that what Apple fixed is the ability for someone to try as many passwords as they possibly wanted to for an individual account randomly, and then ultimately guess the right password. So now you can only try a few before you lock down — locked out of the account and can’t find anymore.
But if you use a weak password, and someone can guess it on the first try because it’s going to be your dog’s name or your birthday, that doesn’t necessarily fix the problem. So, you want to use secure passwords. The other thing that you can do with iCloud and a lot of these other systems…
JUDY WOODRUFF: Secure password meaning what?
DMITRI ALPEROVITCH: A long, random password, ideally, that you use a password manager for. You’re not going to remember it, but you store it in a secure location and use a different one for every service.
JUDY WOODRUFF: Where would you store it? What would you consider a secure location to store a password?
DMITRI ALPEROVITCH: So, there are free tools out there, password managers, they’re called, where you can randomly enter a long password, and store it in an encrypted fashion on your machine.
JUDY WOODRUFF: Is that advice you would give, Sean Gallagher?
SEAN GALLAGHER: I would suggest that as an initial step.
I think it’s really important to not use dictionary words, words that are in the dictionary, as part of your password, even when they’re obscured using numbers to substitute for letters. Those things are in databases of passwords that hackers have access to, to try and guess your password.
So, I would go with that first, but I would also recommend using two-factor authentication, which is a service available for most of these cloud services, where you need to have physical access to your device to gain access to your account.
It will send a pass code to you, and you need to enter that to prove that you’re who you claim you are. Or if you use your device, you need to use a recovery key. That’s what Microsoft — that’s — pardon me — that’s what Apple is pushing people to do right now.
JUDY WOODRUFF: So, how would that work? Dmitri, how would that work in…
DMITRI ALPEROVITCH: So, everyone should do that right now. If they’re using iCloud, they should go into their settings for iCloud and turn on two-factor authentication, which just means that…
JUDY WOODRUFF: Factor authentication.
DMITRI ALPEROVITCH: Two-factor authentication.
JUDY WOODRUFF: OK.
DMITRI ALPEROVITCH: Just a setting on iCloud which means that when you try to log in, it’s going to ask you for a password. And then it’s going to text message you a unique code, a one-time code that you also need to enter along with your password. And that code changes every time you log in.
JUDY WOODRUFF: This means people need to plan, Sean Gallagher, to spend more time when they’re putting information away, right?
SEAN GALLAGHER: Right. That’s true.
Another thing that you should do, if you’re not using two-factor authentication right now — and Apple has a three-day delay on activating two-factor authentication to prevent people from taking over your account — what you should do is change your security questions to something that isn’t easily attainable about your personal information.
So, for example, you may want to lie for some of those questions in a way that is easily remembered by you, but not by people you know.
JUDY WOODRUFF: And it has to be something you remember.
DMITRI ALPEROVITCH: That’s right. If it’s your ex-boyfriend who is trying to get access to that information, he probably knows your mother’s maiden name.
JUDY WOODRUFF: Dmitri Alperovitch, Sean Gallagher, we thank you both.
DMITRI ALPEROVITCH: Thank you.
SEAN GALLAGHER: Thank you.