Two years later, a huge back door in iCloud is still wide open

Here we go again: The latest hacks to hit the headlines have everyone cringing at the thought of how shoddy our Internet security really is.

And yet the companies involved can’t seem to fix the problems at their roots.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']

Hackers break into a host of celebrities’ iCloud accounts and steal naked photos: Horrifying.

Meanwhile, Home Depot reveals — months after the incident actually happens — that its credit card system was breached and millions of customers’ credit cards were taken: Scary.

And just a couple weeks ago, a group of hackers, most likely from China, break into a giant hospital company and steal personal data (including names and Social Security numbers) for millions of patients: Terrifying.

The invasions of privacy are real. The lack of security is a widespread problem. But most of the advice about what to do is frankly pretty weak.

If CNN can barely figure out what 4chan is and advises people to use “Pa$$word” as their password, it’s pretty clear that the mainstream media is completely incapable of providing useful guidance.

Gizmodo’s guide on how to keep naked photos of yourself off the Internet is pretty straightforward, and starts with the obvious: Don’t take naked photos of yourself. But who’s going to follow that advice?

Many people advise switching every possible service to two-factor authentication. That advice is pretty good, in general. Instead of just relying on a password, using a password plus a secret code (generated by an app on your phone or sent to your phone via a text message) is considerably more secure.

But let’s be honest. Two-factor authentication wouldn’t have helped the celebrities whose pictures were stolen. That’s because Apple has left a giant back door open:

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']

You don’t need two-factor authentication to recover deleted files from iCloud. All you need is an email address and a password — and to get the password, all you need is to have a good guess about what the answers to the password-recovery questions are. It takes about three minutes.

We don’t know if this is how the celebrity-photo thieves got their hands on the private photos of Jennifer Lawrence and others, but it’s a good bet that this was at least one of their techniques, given how easy it is.

Here’s the thing: That back door has been wide open for at least two years. It’s the same hole that let hackers take over Wired writer Mat Honan’s account in 2012 and destroy all the photos of his child’s first year. It’s the same hole that let hackers get into now-Yahoo writer David Pogue’s account.

It’s been open so long, there’s an entire black market around stealing and selling naked photos of celebrities, as well as “revenge porn” (naked photos of women posted by disgruntled ex-boyfriends).

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']

“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” Apple bland media advisory said earlier this week.

Forty hours — really! After two years, forgive me if I’m not too impressed by Apple’s diligence. A practice that has become “all too common” — you don’t say! I wonder if that’s because Apple has enabled this practice for so long?

I asked Apple’s publicists for additional comment and clarification on this back door yesterday. So far, I haven’t received a response.

As long as Apple continues to treat iCloud with this much carelessness, people would be wise not to trust it completely.

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']

But if you don’t trust iCloud, by the same token you shouldn’t trust Dropbox, or SkyDrive, or Box.

Yes, people are going to keep taking naked photos. We’re humans, and it’s fun. We’re probably going to keep sharing them with each other, because that’s fun, too. And we would like to be able to save them in the convenient cloud storage accounts that are all around us, which now offer us a terabyte or more of free storage.

So give yourself a little extra protection.

Keep the most sensitive photos offline. If you must upload them, encrypt them first.

[aditude-amp id="medium4" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']

Use two-factor authentication. Create unique, random passwords, for each service, and make your password-recovery questions and answers impossible to guess. (Q: “What was your first pet?” A: “Chattanooga, Tennessee.”)

Keeping track of all those passwords and Q&As is going to be tricky, and that means you probably want to use a program or service like 1Password or LastPass to store it all. Or write everything down in a paper notebook and keep it offline. This does have one big downside, of course: It gives hackers a single target. The advantage, however, is that this target — if you’re careful — is considerably more secure than most password-protected systems on the Internet.

All of this is an annoying pain in the ass. But it’s a hassle we’re going to have to put up with until Apple — and all the other cloud service providers we use — come up with something better …

… And close those gaping back doors in their services.

[aditude-amp id="medium5" targeting='{"env":"staging","page_type":"article","post_id":1543629,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"business,security,","session":"C"}']