No more nude selfies! (at least not on the cloud)


So there was this nude celebrity photo leak over the weekend. If you’ve been on the Internet lately, you might have heard a thing or two about it. Right now, nobody is certain of how it happened.

Initial reports suggested that the leak was due to a security vulnerability in the Find My iPhone feature, dubbed iBrute, which could have allowed hackers to use automated brute force password guessing on the Find My iPhone sign-in page. Apple quickly dismissed this rumor, while patching the vulnerability in the very same breath. According to Apple, the celebrity account credentials were merely cracked by “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” Likely, this means a group of hackers simply researched celebrities’ personal lives and guessed credentials until they got them right.

As a means of protection, Apple suggested the use of strong passwords and two-factor authentication (2FA).

Soon after, however, a report from Wired pointed to the existence of software called Elcomsoft Phone Password Breaker, and other tools like it. These tools allow users to create full backups of iCloud data without a security token, even if 2FA is enabled. A report from The Register has now even published a quote from Elcomsoft stating that the software can access data without login credentials:

But now we have discovered a way to gain access to iCloud information without usually necessary login credentials. The new EPPB version suggests law enforcement and investigators an easy password-free access to iCloud accounts extracting essential information in real time without delay no matter if [a] password is available or not.

All of this points to a truth most everyone knew before this whole celebrity nude selfie scandal even took place: If you put it on the cloud, it might just float away.

How to get your self(ies) off the cloud

Cloud storage is convenient. It is also a profitable business. This is why you won’t find many cloud providers publishing instructions on how to disable cloud auto-sync. If you’re storing sensitive data, however, not storing it on the cloud is the simplest and most effective way to prevent a cloud data leak.

To disable photo uploads to iCloud from your iOS device:
Go to Settings > iCloud > Photos or Photo Stream, and then switch to Off.
To disable iCloud entirely, go to the bottom of the menu and select Delete Account.

To disable photo uploads to the Google+ cloud service from your Android device:
Go to the Photos app > General Settings, and then switch Auto-Backup to Off.
Additionally, Android sync settings can be managed and disabled through Settings > Accounts & sync.

And if you must take them, where to put them instead

Perhaps most importantly, it is crucial to remember that when you put something on the cloud – be it iCloud, Google Drive, Dropbox, or any other service provider – that means it can be accessed from anywhere. This can be extremely convenient for everyday file sharing purposes, but dangerous when sensitive data comes into play.

If you are using a smartphone – or any Internet connected device, for that matter – it is important to find out what exactly is being placed on the cloud when you hit Save. You may actually be sharing much more than you want. Once you figure out what is being stored where, you can then implement alternative storage options, such as an encrypted external hard drive.

As navigating each cloud service is different, we recommend that anyone who needs help check out our Malware and Computer Security forum for assistance. There, you can consult an expert for free, even if you are not an Emsisoft customer yet. For enhanced mobile security, you can also consider adding Emsisoft Mobile Security to your repertoire. It can remotely lock or wipe a lost or stolen phone full of… “sensitive data” in just one swipe.

Have a great (clothing-free ;) day!