Since the initial emergence of cloud technology, there have always been concerns about the platform’s security. For the most part, these came in connection with giving up a portion of control and allowing a service provider to take care of the system’s physical components, including keeping them up to date and maintained. Recently, however, a high-profile security incident has once again shone the spotlight on cloud security.
At the end of August, a number of celebrities’ personal photographs were posted on a range of websites, including 4Chan and Reddit. Many of these images were nudes, although the legitimacy of many is still in question. According to Mashable, some celebrities, such as actress Jennifer Lawrence, have come forward to confirm that the images splashed across these pages did indeed belong to them. This incident represented a major invasion of privacy for these individuals, and is resulting in a resurgence of cloud security concerns.
While the details are still coming to light, the celebrity photo hack appears to involve iCloud, Apple’s account-based cloud service. According to Time, the tech giant confirmed that the infiltration came as a result of a “very targeted attack on user names, passwords and security questions,” and was not an overarching attack on the system, as many initially thought.
Second celebrity photo hack
Since the first batch of celebrity photos was uncovered, more have surfaced. Toward the end of September, images appearing to show Kim Kardashian, Mary-Kate Olsen, Hayden Panettiere and other female stars appeared on 4Chan, the same website where the photos gleaned from the first attack were posted, Time reported.
In this case as well, a number of individuals confirmed the images’ veracity, including actresses Gabrielle Union, Meagan Good and Kaley Cuoco. While the details of this attack are still being uncovered, Time noted that the hack was likely similar to the first. Security expert Bob Stasio told Time that it is very probable that attackers exploited account security settings, leveraging public information about the high-profile individuals to answer protection questions and gain access to their private accounts.
“The problem with celebrities is that a lot of their information is publicly available,” Stasio pointed out.
This means that if one of the breached personalities utilized their dog’s name or the name of their hometown as one of the answers to their account security questions, hackers simply have to look this information up. They can then infiltrate the account and access everything housed there.
“That’s really how hacking works,” Stasio noted. “It’s all very iterative. You get to one spot, and you have to get to the next spot.”
Cloud security concerns: A targeted attack
Although this attack involved the accounts of well-known individuals and their personal images, many are drawing parallels between the instance and general cloud security. If hackers were able to breach these accounts, what’s stopping them from breaking into corporate and individual user clouds?
Even before this event, however, the cloud has always been a target for attackers.
“Cloud services concentrate so much data in one place that they become very attractive targets, justifying a large investment in a hacker’s time and resources,” noted Dark Reading.
However, the celebrity photo hack involved a purposeful attack in which cybercriminals went after specific targets, exploiting weak security credentials. In this way, as long as users and businesses have strong passwords and protection measures in place to safeguard their cloud systems, they are at no higher risk of being breached than any other cloud user.
Best practices for cloud security
One of the first steps to boost cloud security is to re-examine the password attached to the account. Users should leverage long passwords composed of a mix of numbers, letters and special characters where possible to establish a code that is not easily guessed. In addition, personal information – such as the name of a spouse or pet – should not be used as part of a password. Security expert Robert Siciliano told CNN that each account a person uses should feature a unique password. Siciliano himself said he has more than 700 passwords across his various accounts. Using this technique, in conjunction with a password management system, will ensure that accounts stay secure and the user need not worry about forgetting their range of authentication credentials.
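The password rules above can be checked mechanically. The following is an added example, not code from the article or from any vendor it mentions; the 14-character minimum, the function names and the sample data are assumptions made for illustration.

```python
import re

MIN_LENGTH = 14  # assumed threshold; the article only says "long"
# Undo common character swaps so "R3x" is still recognised as "Rex".
LEET = str.maketrans("013457@$", "oieastas")


def _squash(text, undo_swaps=False):
    """Lowercase, optionally undo swaps, and drop everything but a-z and 0-9."""
    text = text.lower()
    if undo_swaps:
        text = text.translate(LEET)
    return re.sub(r"[^a-z0-9]", "", text)


def check_password(candidate, personal_terms, passwords_in_use):
    """Return a list of policy violations; an empty list means the candidate passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too-short")
    # The article asks for a mix of letters, numbers and special characters.
    classes = (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]")
    if not all(re.search(pattern, candidate) for pattern in classes):
        problems.append("missing-character-class")
    # Names of pets, spouses or hometowns are easy to look up, so reject them.
    forms = (_squash(candidate), _squash(candidate, undo_swaps=True))
    for term in personal_terms:
        needle = _squash(term)
        if len(needle) >= 3 and any(needle in form for form in forms):
            problems.append("personal-info")
            break
    # Every account gets its own password: refuse one the vault already holds.
    if candidate in passwords_in_use:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from the article.
    facts = ["Rex", "Louisville", "1990"]
    vault = {"vK9#qT2m!zLw7@Xe"}
    for pw in ("Rex!2014Louisville", "R3x!", "vK9#qT2m!zLw7@Xe", "p7$Gd!wQ2nB#xY8u"):
        print(pw, check_password(pw, facts, vault))
```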
Furthermore, where possible, users should enable two-factor authentication. This approach calls for the use of a conventional username and password alongside a single-use code sent to a mobile device or separate account. In this way, a hacker would need access not only to the regular authentication credentials, but also to the connected device or account to get the one-time key. Graham Cluley, senior technology consultant and blogger, noted that while these services aren’t always offered, they should be leveraged when available.
“[W]hen a site has given you additional security options (like Gmail’s two factor authentication which sends you an SMS when you try to log into your account) – USE THEM!” Cluley advised.
CIO contributor Victoria Ivey also suggested keeping incredibly sensitive information within on-premises systems and utilizing encryption to protect items that are migrated to the cloud. Although some delicate materials can be housed elsewhere, especially within a corporate setting, some sensitive content will have to be placed in the cloud to ensure employee access. In these cases, encryption is essential. This approach makes it impossible to read the protected data without the proper decryption key.
“Encryption is, so far, the best way you can protect your data,” Ivey wrote.