Reports made over the weekend that intimate photos of celebrities were hacked serve as a vivid reminder about Internet security and the question of whether the vast majority of Internet users are also vulnerable to such an attack.
"Are you any less secure than you were a month ago? The answer is no," Patrick Moorhead, president of technology analytics firm Moor Insights & Strategy, told NBC News on Monday.
You're just as insecure as you always were.
It hasn't been definitively confirmed that all the photos are real, or even that Apple's iCloud online storage service was hacked in the first place, as reports indicate. But they do highlight that our faith in the security of the Internet isn't always answered. Here's what we know and what we don't know.
Who Was Hacked?
Perhaps nobody. "We don't know if they were truly taken from iCloud or, for example, just Photoshopped by someone looking for publicity," said Carl Howe, vice president of data sciences for the Yankee Group, an information technology research company.
If you believe the still-unknown hacker or hackers, more than 100 celebrities had personal photos harvested, some of them explicit — with more photos to come. Jennifer Lawrence's publicity team called the alleged pictures of the Oscar winner "a flagrant violation of privacy" and promised prosecution, while singer and actress Mary Elizabeth Winstead said on Twitter that the photos of her were ones she thought she'd deleted herself.
The FBI said Monday it's "aware of the allegations concerning computer intrusions and the unlawful release of material involving high profile individuals, and is addressing the matter." Meanwhile, Apple Inc. — whose cloud storage service many of the photos appeared to have come from — said it's "actively investigating" the claims.
How Was It Done?
That hasn't been nailed down, but there are three main theories. One is what's known as a social engineering attack — the hacker or hackers simply "guessed a celeb's password or got it from a friend," Howe said.
The second theory involves what's called a brute-force attack. Announcement of the leak came very quickly after a team of developers revealed on tech forums that they'd found a bug in Apple's Find My iPhone service: because the service didn't cut off repeated failed logins, anybody who learned your username could simply keep entering hundreds or thousands of passwords until one of them worked.
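The weakness described above is the absence of any limit on failed login attempts. The following example, added here and not taken from Apple's service or from the original article, shows a toy login check in two modes: unthrottled (any number of guesses is accepted) and with a per-account lockout after a few failures. The account name, the password and the candidate list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed demo credentials (not real data): one account, PBKDF2-hashed.
_SALT = os.urandom(16)

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _hash("correct horse battery")}

class LoginService:
    """Password check with an optional per-account attempt limit.

    max_attempts=None reproduces the unthrottled behaviour the article
    describes: nothing stops a caller from submitting guess after guess.
    """
    def __init__(self, max_attempts=None, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, username, password, now=None):
        now = time.monotonic() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"          # refuse even a correct password while locked
        stored = USERS.get(username)
        candidate = _hash(password)  # always hash, so unknown users take as long
        if stored is not None and hmac.compare_digest(stored, candidate):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.max_attempts is not None and self.failures[username] >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
            return "locked"
        return "denied"

def try_candidates(service, username, candidates):
    """Submit each candidate once; return (final result, attempts used)."""
    for i, candidate in enumerate(candidates, 1):
        result = service.login(username, candidate)
        if result in ("ok", "locked"):
            return result, i
    return "denied", len(candidates)
```

With the constructed list `["password", "123456", "qwerty", "correct horse battery"]`, the unthrottled service yields to the fourth guess, while `max_attempts=3` locks the account on the third and keeps rejecting the correct password until the window expires.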
But "I think it's safe to say that this was not done with a brute force hacking tool," Moorhead said as further details of the photos emerged Monday, including data that indicated they were squirreled away not just on iCloud, but also on other popular online storage services.
The theory of Moorhead and several other experts consulted by NBC News is that the alleged hack probably started somewhere else, likely on an e-commerce site — somewhere "where somebody used the same login for another service where other photos were kept," Moorhead said. Once the hacker had an email address and either a username or a password, he or she could have gone to any one of a number of sites and used the "forgot my login" feature to get access to that site. Very likely that opened several other sites too, because the painful truth, security experts said, is that most people use the same login information for most of their online activities.
How Safe Are You?
Millions of people and companies upload their most sensitive data to services like iCloud and Dropbox in "the cloud" — enormous online servers that you access as though they were your own hard drive. That way, "you can always have a backup if your computer is lost or stolen," said Mark Rasch of Rasch Technology and Cyberlaw, who's a former director of the Justice Department's Computer Crime Unit.
But if you store your data in the cloud, the cloud then becomes "a one-stop shop for hackers," Rasch told NBC News. "Hackers only have to break in one place to get everybody's data." If hackers were able to get the files they claimed over the weekend, they "can get files about anybody," he said.
What Can You Do?
It's not like this is anything new. The attack, if verified, probably exploited a well-known weakness not in the infrastructure of the Internet but in people — our willingness to cut corners in how we use the Internet by relying on the same simple passwords on multiple sites and services. To protect yourself, at least somewhat, experts gave the same advice you've probably heard before:
- Consider whether you really want to store private or potentially incriminating pictures on the Internet in the first place.
- Pick hard-to-guess passwords that aren't based on real words or personal data that a thief might be able to harvest elsewhere, for example from public records, like your birthday. And make sure they include punctuation marks, capital letters and numbers.
- Don't use the same password on any other site.
- If a service provides something called two-factor authentication — a system that sends a special one-time-only code to your phone, which you have to enter every time you try to log in — use it. More and more of the largest sites do.
It's inconvenient — of course it is. But it's simply a fact, Rasch said, that if you take an embarrassing photo and put it on the Web, "it's going to make it places you don't want it to be."
Jacob Rascon of NBC News contributed to this report.