3Qs: Password and cloud security
The recent news that hackers accessed celebrities' cloud accounts and released their intimate photos online has prompted many to question the security of sensitive data stored on people's own smartphones and in the cloud. Here, Wil Robertson, an assistant professor who holds joint appointments in the College of Computer and Information Science and the Department of Electrical and Computer Engineering, discusses this recent hack and provides some advice for people to protect their privacy and online data.
It has been widely reported that hackers were able to access celebrities' private accounts. How were they able to do this?
This story is still developing, and the details behind the attack are still not clear. However, there are several theories, including the targeted attacks against cloud service user names, passwords, and security questions that has been used in similar breaches in the past, as well as the use of malicious wireless access points at the Emmy Awards show. Another theory, which Apple denies was involved in the leak, is the exploitation of a recently discovered iCloud/Find My iPhone vulnerability that allowed non-rate-limited password guessing. Any of these methods could have been used to gain access to an initial set of celebrity cloud accounts, from which an attacker could gain further information (e.g., account details for other celebrities from compromised contact lists) in order to compromise more accounts.
The reason that access to the cloud services provided the attackers access to such sensitive data is because modern mobile devices, including phones, generally upload pictures and other media to the cloud provider. These devices are often configured to perform this automatically, which can be problematic in the case of data such as this.
Is the average smartphone and cloud user vulnerable to such an attack? What precautions can people take to better protect sensitive information that might be stored on mobile devices or in the cloud such as passwords and financial information?
In principle, yes, the average user is vulnerable to similar attacks—that is, if you choose to upload data you wouldn't want the world to see to the cloud. The best way to prevent this sort of leak is to not upload sensitive data in the first place, and to disable automatic synchronization of all documents, pictures, and other media to the cloud. Once someone gains access to your data and copies it away, there is no mechanism available to "unleak" that data. Furthermore, even if users request the cloud provider to delete uploaded data, it often persists regardless (e.g., on content delivery networks and other caches). Finally, cloud providers also create offline backups of data that are difficult to purge, and any entity with a subpoena could potentially gain access to these.
The second avenue to protect yourself is to make it more difficult for attackers to access your account without your permission. This involves using a strong, hard-to-guess password, and enabling two-factor authentication. Two-factor authentication simply requires that you provide two forms of proof that you are who you say you are (e.g., a password and a security code from a mobile application), and is one of the most effective ways of shutting out attackers.
What are some of the most recent cybersecurity advances being made at Northeastern and elsewhere? Will this hack affect future security measures?
There are really too many advances in cybersecurity to list here, but security researchers have long warned about the potential risks of cloud storage. While certainly convenient, one does lose a large degree of control over the uploaded data, and a centralized cloud provider is a juicy target for adversaries. There is a large amount of interest in researching ways to secure the cloud, with approaches varying from making authentication to cloud accounts both stronger and less of a burden on users, to transparent encryption schemes that prevent attackers—and even the cloud provider—from accessing your data, to fully homomorphic encryption, which would allow cloud providers to somewhat counter-intuitively compute or "use" your data without being able to "see" it.
While this hack will no doubt further spur the work of security researchers, one hopes for other outcomes as a result of this attack, including a greater recognition amongst users of the risks associated with the cloud, and the permanence of your data in modern society.