‘…we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions - a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.’
An attacker can carry out a targeted attack on ‘user names, passwords and security questions’ using a range of different methods. Exactly how the photos were obtained has not been confirmed. Advice being offered across media and other sources covers many possible scenarios.
More information about how this attack was carried out, whether it was avoidable for those targeted, and any implications for the rest of us, is likely to emerge in coming days.
Be aware that scammers have also been quick to try to capitalise on these events. Messages have been circulating on Twitter claiming to link to the stolen photos. Links, of course, can lead anywhere, and while they may seem harmless they can take you to sites containing malware, other schemes, or ploys for your personal or account information.
Be aware that hoax messages regularly circulate online that mimic security notifications from Apple. Stay Smart Online has warned about these in the past. Many hoaxes claim that unauthorised access to your account has taken place, requiring you to click on a link or respond to confirm your account information.
You can protect your accounts and your personal information by adhering to a few basic security practices.
Use a strong and unique password for each of your online accounts
A strong password is more difficult to guess or crack.
A unique password for each of your accounts means that if one is compromised or the password stolen, your other accounts will still be safe.
Change your passwords regularly
It may seem laborious but there are good reasons to regularly change your passwords.
There have been numerous data breaches reported in recent months which impacted millions of people. In most of these cases, username and password lists were affected. Changing your password renders the stolen password useless.
Unfortunately, some breaches are not discovered by the organisations being targeted, and many are not reported publicly. Those that are reported can often take some time to be disclosed.
In each of these cases, changing your password regularly renders the previous password useless.
Use two-factor authentication
If it is available, two-factor authentication adds a second, different factor (a method of proving your identity) to the log-on process. Both factors are required before you can log on, so if your password is stolen your account should still be secure.
Choose a strong answer to ‘security questions’
Security questions are often used by websites as part of backup processes for verifying your identity, such as resetting a forgotten password.
Even if you are not a celebrity, and even if your mother’s maiden name or your first pet’s name is not publicly known, choose a strong answer to security questions because, like passwords, they are a path that offers access to your information.
Store private or sensitive information securely
By managing the amount and types of personal information you store on the internet—or store on devices connected to the internet—you reduce your exposure to these sorts of risks, regardless of what might happen.
There are other advantages and disadvantages to consider here (like backing up your data) but ultimately, if you need to be absolutely certain your private photos stay private, store them on a device which is in a safe, secure place and is disconnected from the internet.
Do not forget that the auto-upload features of most cloud services can be switched off, helping you control which files you put in the cloud.
Encryption is a practical option for protecting data you store in the cloud (and other places).
Good encryption renders data useless to anyone without the key.
You should encrypt files before they are uploaded to the internet. There are products available that work well with popular cloud services such as iCloud and Dropbox.
There are also products available that encrypt the other places you store data, such as your hard drive, removable storage devices and mobile devices, or that encrypt specific files on your computer.
Watch out for scams and hoaxes
Social engineering is still one of the most effective methods used by hackers.
Be aware that phishing emails and social media messages are used by scammers to target your personal information. They will often send emails mimicking official organisations, such as Apple, asking you to confirm your username, password (or credit card details) by clicking on a link or replying to the message. They can link to convincing copies of websites to try to fool you, or take you to sites that host malware or other money-making schemes.
If you need to respond to an organisation, manage your account or change your password you should navigate to the legitimate website yourself without using links or addresses provided in the email or message.
Keep your software and systems up to date
Although not directly implicated in this example, it is always important that your operating system, security software and applications are up to date.
Malware used by hackers commonly targets old vulnerabilities in software that should have been updated. If you have not downloaded security updates (or patches) to your system, your computer may be vulnerable until you apply the patch.
Keeping your security software up to date means your computer is prepared to defend against the latest malware and vulnerabilities.
Consider enabling automatic updates for all of your software and systems; this makes keeping up to date easy.
See Stay Smart Online's advice about setting up and using security software.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.