The App Invasion
Recent days have seen an avalanche of private images belonging to celebrities released onto various internet chat boards. The photos purport to show stars such as Jennifer Lawrence, Kate Upton and Victoria Justice either nude or in other compromising positions.
While sites such as Reddit, Imgur, and 4chan have been working hard to remove the images, the damage has already been done. A lot of the blame has been laid at the door of cloud computing, with users flooding forums to express their disgust at how insecure online storage sites appeared to be, whilst also claiming they would no longer be using services such as iCloud, Google Drive, OneDrive or Dropbox.
A look at Reddit’s pages reveals the scale of user dissatisfaction – but also some interesting and reasoned responses from more knowledgeable commentators. What’s the truth behind all the misunderstanding and misinformation? Is the cloud to blame or are apps and users at fault? Is the cloud more or less secure than keeping photos and other data on your own local hard drive?
The situation is complex. A recent report by the University of New Haven’s Cyber Forensics Research and Education Group says that security flaws, breaches of privacy and additional vulnerabilities in apps as diverse as instant chat services, online dating sites and social media facilities are now putting nearly one billion subscribers at risk of problems. The report has now been released as a series of videos.
Ibrahim Baggili, a Professor of Computer Science at UNH’s Tagliatela College of Engineering, says “Anyone who has used or continues to use the tested applications are at risk of confidential breaches involving a variety of data, including their passwords in some instances”. It’s a comment that suggests that the droves of people criticising Apple, Snapchat and Facebook are not being subjective and that poorly designed apps are more responsible for the problems than the cloud. He adds “Although all of the data transmitted through these apps is supposed to go securely from just one person to another, we have found that private communications can be viewed by others because the data is not being encrypted and the original user has no clue”, again putting the emphasis on poor app design.
For their part, Apple said on Tuesday that hackers obtained the nude celebrity photos by stealing images from individual accounts rather than through a wide-ranging attack on the company’s iCloud and Find My iPhone services, adding that it had only released these results after conducting 40 hours of investigation. The company has said they will cooperate fully with a newly-launched FBI investigation into the leak, though it urged all users to adopt stronger passwords and enable a two-step authentication feature to prevent data thefts.
The fact they have switched the onus back onto users is telling. They clearly believe that their servers are as secure as they could realistically expect to be and they cannot be held responsible for users mismanaging the technology they are provided with, failing to understand how or when their devices share data, or leaving their accounts vulnerable by having weak passwords or using unsecured networks to access accounts.
They undoubtedly have a point – users who are complaining that the cloud is wholly and solely responsible are missing it. Data saved on a local machine or USB drive is just as unsafe if its owner is irresponsible. Viruses and malware can monitor your keystrokes, steal your personal data, obtain your passwords and pose as legitimate websites, while USB drives can be lost, stolen or corrupted without the owner realising until it is far too late. Ultimately any computer, phone or tablet that accesses the internet is at risk – and the large online storage providers do a much better job of encrypting and securing data than an average home user.
What the future holds for online storage services.
So, does the cloud have a case to answer? Apple’s iCloud service (seemingly the main source of the stolen images) secures data by encrypting it when it is sent over the internet, storing it in an encrypted format on their own servers and using secure tokens for authentication. It means that data is theoretically protected from unauthorised access both while it is being transmitted between devices and while it is stored. Additionally, iCloud – along with most online storage services – uses a minimum of 128-bit AES encryption, the same level of security employed by major financial institutions.
Nonetheless, there are still flaws in the system. Questions such as your mother’s maiden name are often used by companies to improve online security, yet the recent theft shows the ease with which those questions can be hacked. “Personal questions as a password recovery mechanism is flawed”, Chris Morales, Manager of security-testing and analysis firm NSS Labs, said. “[If you have to use them] don’t provide the obvious expected answers to questions like mother’s maiden name, pet’s name, or where you were born. If you have a user’s e-mail and know a bit of personal history on that person, it isn’t that hard to get the password”.
As people post increasingly sensitive information to social networks, it has become easier for criminals to obtain the answers to security questions. That means consumers can rarely rely on just one set of defences and have to add more layers, even if it makes online accounts less convenient. It’s especially true for famous people because security questions protecting their online accounts from intruders are often trivial to answer solely based on the publicly available information about them. It doesn’t amount to much of a security barrier.
The conclusion is that the cloud isn’t really to blame, but cloud providers are arguably as culpable as any other security system for making it too easy to hack and instigate a password reset.
Despite all the encryption security put in place by Apple, online accounts often have unrecognised and unnoticed vulnerabilities. Apple are now facing accusations that they have given people a false sense of security. Technology magazine Wired first reported that software from a Russian firm, ElcomSoft, was being mentioned on a hackers’ discussion group as a useful tool for infiltrating iCloud accounts, with the software being marketed to police and law enforcement groups as a way to access backups of iCloud content with an iPad or iPhone. This has called into question the security of the much-vaunted ‘two-step verification system’ because it can be easily bypassed using any software that allows access to iCloud backups. Indeed Apple’s own website says the two-step process only protects the ‘My Apple ID’ page, ‘App Store, iTunes or iBooks Store purchases’ and ‘Apple ID Support’. It makes no mention of any protection for photos, contacts or calendar entries, which are all backed up to iCloud – yet in response to the hack on Tuesday, Apple suggested its customers “always use a strong password and enable two-step verification”.
So the truth is somewhere in the middle, and everyone must take a share of the blame. Apple, users, security software designers and device manufacturers all need to improve in order to make the cloud as risk-free as possible. Ultimately, the cloud offers too many benefits to both home users and businesses for it to be discarded, and even if usage sees a momentary dip, it will still rebound and grow to levels far in excess of what we see today. The cloud is here to stay, and a naked celebrity won’t change anything.
By Daniel Price
Daniel is a Manchester-born UK native who has abandoned cold and wet Northern Europe and currently lives on the Caribbean coast of Mexico. A former Financial Consultant, he now balances his time between writing articles for several industry-leading tech (CloudTweaks.com & MakeUseOf.com), sports, and travel sites and looking after his three dogs.