Once Data Leaves Your System You No Longer Have Control

I try not to waste your time talking about celebrity news on this blog. But once in a great while celebrity news can act as a launching point for something that's actually important. The recent breach of several celebrities' iCloud accounts is one of those rare times:

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 nude “selfies” of the actress. In fact, it seems multiple "b-tards" claimed they had access to the images, with one providing a Hotmail address associated with a PayPal account, and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach appears different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or some low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door—and Apple didn't find out until the attack was over. While an unusual, long, convoluted password may have prevented the attack from being successful, the only real defense against this assault was never to put photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped, if the attack was the one now being investigated.

There is a valuable lesson in this story. Once data leaves your system you no longer have control over it. With the skyrocketing popularity of online data storage services (often referred to as "the cloud") this lesson is more important than ever.

Smartphones are pervasive in our society. Millions of people are walking around with an Android, iOS, or Windows Mobile powered device in their pockets. These devices, by default, upload a lot of personal data to Google, Apple, and Microsoft's online data storage services. While many conspiracy theorists will claim that these services are enabled by default for nefarious purposes the truth of the matter is consumers demanded these services. Automatically uploading data to online storage services helps protect against data loss. Since most computer users are unwilling to take the time to manually backup their data, and bitch an awful lot when they lose data, manufacturers have begun doing backups automatically. But security and convenience seldom go hand in hand. By backing up data to online services users have begun to lose control of their data. Once the data is been uploaded to a third party service that third party now has control over that data.

There are ways to alleviate many of the risks involved with using online storage services. The most effective method of reducing the risks involved is to encrypt data with a strong key known only to you before uploading it. That way the third party only has access to an encrypted blob and not the means of decrypting it. Using a strong password and two factor authentication and also help protect your online accounts but neither of those practices will offer much protection if there is a flaw in the service itself (as was the case with these iCloud breaches). Ultimately the most secure option is not to upload your data to begin with.

As a general rule I don't upload anything to a third party service unless I'm OK with it becoming publicly accessible. While I don't take selfies or record my sexual exploits, if I were to do so I wouldn't upload them to iCloud, Dropbox, Azure Cloud, or any other third party online storage option. The iPhone is pretty good about giving you options to keep your data on your own services, and I utilize those options heavily. It's been ages since I've used Android so I'm not sure if it has the same options (its options were sparse when I used it) and I have no idea what options are made available in Windows Mobile as I've not used that platform. But I highly encourage people to utilize such options when available. Apps, on the other hand, are seldom as flexible since most seemed geared towards getting people to utilize third party services. You may have the automatic upload features disabled in your phones operating system but if an app automatically uploads that data then all of your efforts are for naught. So it's important to not only be familiar with your operating systems but also the applications you utilize.

Keep your shit under your control. If you fail to do so there's no way to regain it.