Security expert warns of danger in using cloud services for personal data
Recent news stories of the leaking of highly personal photos of a number of celebrities have caught a lot of people by surprise and everyone should be ensuring that their personal data is safe, regardless of what type of data or who they are.
The technical details of the hack have not been made clear; however, it is highly likely that photos were extracted from cloud services.
Creating personal photos can create a certain amount of risk. While you may have already covered the story, here are some tips from Alex Fidgen, Group Director of MWR InfoSecurity on using cloud services to store personal data. (NB It is not MWR's place to dictate whether or not to do so, but if you choose to, here are some things to be aware of to do it more safely):
1. Stop your most sensitive data being on cloud services:
Cloud services are very convenient but can mean that an attacker might be able to get access with only an email address and password. For highly sensitive data, it can be safer to keep it off cloud services.
Users should be aware that many devices will automatically upload photos and received messages to the cloud as a backup service. If the sensitive data is personal photos, people should consider turning backup off, using a different device to take such photos or at the very least, going into the cloud service after the fact and deleting the photos from there. This will mean attackers will need to compromise the phone itself, which can be a lot harder and beyond the skill of many attackers. Many apps exist that claim to send photos securely and these can be an option although you should be aware there are still risks. For instance, it is important to check that the app is not saving the photo on the phone, which is then getting uploaded to a cloud service. There is still a risk that the app service itself may get hacked, however, this is going to be out of your control.
2. Use Two Factor Authentication
Even if you prevent your most sensitive data ending up exposed on the cloud, you should protect these services well, as there will be other data on there and very personal information may accidentally end up there.
Many cloud services such as Google, Apple iCloud and Microsoft Live offer "two factor authentication" which means that when you try and log in, an email or text message is sent to your phone to prove you're you. This means that for an attacker to get into your account, they will likely need your password and your phone.
3. Choose Secure, Unique, Passwords
Don't make an attacker's life easy! On top of removing sensitive photos and data, and having two factor authentication, you should choose strong, unique passwords for each service. This is so that if a service gets hacked, the attackers cannot use your password to log into other services. Password managers can help you store passwords, and for cloud services you are unlikely to need to log in regularly, so a long and difficult-to-guess password won't need to be typed in often. Advice on passwords and on cyber security generally can be found at https://www.cyberstreetwise.com/#!/passwords/creating
4. Don't get tricked into giving out your password
MWR will often be asked to try and trick our clients' employees into giving out their password by email or over the phone. This is still very successful. You should never give out a password when someone has contacted you. If you have an email from a service trying to get you to log in, never click the link; instead, open a new browser, go to the service as you normally access it and log in there to attempt to resolve. It is easy for attackers to create very realistic emails and websites to trick you into logging in.
The internet is convenient but can be dangerous; however, with a few simple steps it can be possible to make it a lot harder for attackers.