Keeping your secrets to yourself isn't enough to maintain your privacy. In this age, you have to full-out protect it.
Over the weekend, celebrities including Jennifer Lawrence, Allison Brie, Ariana Grande, Mary Elizabeth Winstead, and Kate Upton (with possibly up to a 100 more to come) had nude photos leak on the Internet. The leaker, who hasn't been identified, began uploading the shots on Sunday, just a few days after a list of celebrities who they had personal pictures of was released. Lawrence was hit hardest in terms of the amount of pictures that were obtained, with dozens of photos showing her in various compromising positions being uploaded. This wasn't just one picture that slipped through the cracks. This was an entire collection of pictures that were taken, it seems, over a long period of time. How'd it happen? Was it a jealous ex-boyfriend who sent the pictures to the leaker? Did the leaker find out a way to hack into celebrity phones, or their online accounts? Is this actually the work of a group of hackers? That's my guess. Okay, how easy was it?
Knowing those photos were deleted long ago, I can only imagine the creepy effort that went into this. Feeling for everyone who got hacked.— Mary E. Winstead (@M_E_Winstead) August 31, 2014
This leak is eerily reminiscent to the case of 36-year-old Christopher Chaney, the hacker who obtained naked photos of Scarlett Johansson, Christina Aguilera, Mila Kunis and Renee Olstead. In an interview with a Florida news station, Chaney once said that when he found out how he could access celebrities' information, he became addicted to it. “It just happened and snowballed,” he said. “I didn’t know how to stop doing it myself.” The law didn't let him down easy. Chaney was sentenced to 10 years in prison on nine counts of computer hacking, eight counts of aggravated identify theft, and nine counts of illegal wiretapping.
“It just happened and snowballed,” he said. “I didn’t know how to stop doing it myself.”
Before him, there was Josh Holly, who leaked photos of a 15-year-old Miley Cyrus in 2008 that he first tried to sell to TMZ. He was later arrested, but not for leaking the pictures—instead, this hacker had collected 200 stolen credit card numbers and gained access into celebrity MySpace pages he used for spamming in a nearly $100,000 scheme.
So, what are some of the ways that hackers can gain access to your data?
Holly was reportedly able to access Cyrus' pictures by gaining entry into an email account that she used. In order to do that, he tricked a MySpace employee into giving him access into an administrative panel that stored passwords. It was in the panel where he found the password for Cyrus' account, and used it on her Gmail (firstname.lastname@example.org). From there, he found the images Cyrus had sent to Nick Jonas. If you want an example of a password that's asking for trouble, this is the password she used for multiple accounts: Loco92. It was her dog's name and her year of birth.
This was a pretty complicated method though, right? Well, it's not always that way.
Going Through Social Media Accounts
For Chaney, it all came down to a guessing game. By going through celebrities' social media accounts, he was able to look for clues as to what their passwords might be; or, even easier yet, the answer to the security questions that people use in order to retrieve a forgotten password, such as "What was the name of your first pet?" or "What city did you grow up in?" By scanning their profiles, he was able to use the information to hack into their email account, and then search their contacts list for other celebrity email addresses, and then go after them. Just in case they changed their password for whatever reason, Chaney changed their settings to have any emails the account received to be forwarded to his own account.
Flaws in Security
When it comes to Jennifer Lawrence, signs are pointing to the hacker having gained access to her Apple iCloud account. There's no way to confirm this yet, but hacking into someone's iCloud account doesn't seem farfetched. On the message board AnonIB, some people seem to be offering their services to rip things off of a cloud:
For this, hackers might have used a flaw in Apple's security to swipe what was kept on the server. It let hackers use the Find My iPhone feature to repeatedly guess user passwords without getting locked out until they came across the right one.
But it seems Apple was able to patch it. Remember, this is all speculation: we really don't know what method this hacker(s) exploited to get the pictures. It easily could have been Dropbox or another cloud service.
Keeping your password safe isn't all you can do to throw off a hacker. If a hacker uses "social-engineering," you don't have much control over what happens: it's all in the hands of the customer service reps and employees of the companies that you trusted with your information. Wired writer Mat Honan learned this well in 2012 when hackers attacked his data, and instead of stealing it, they erased it. They deleted his Gmail account, used his Twitter account to tweet out racist messages, and used their access to his iCloud account to delete the data on his iPhone, iPad, and MacBook—which included pictures of the first two years of his daughter's life. When he had the first hint that he'd been hacked (his iPhone shutdown and his MacBook didn't recognize his AppleID), he called Apple customer service:
I later found out that a call had been placed just a little more than a half an hour before my own. But the Apple rep didn’t bother to tell me about the first call concerning my account, despite the 90 minutes I spent on the phone with tech support. Nor would Apple tech support ever tell me about the first call voluntarily — it only shared this information after I asked about it. And I only knew about the first call because a hacker told me he had made the call himself.
Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification. The disconnect exposes flaws in data management policies endemic to the entire technology industry, and points to a looming nightmare as we enter the era of cloud computing and connected devices.
You can read his story here. Yet his isn't a unique instance. Hackers recently took over a valuable Twitter account by using some of the same tactics, and held it for ransom. In that instance, it was PayPal and GoDaddy customer service reps who were fooled into giving up information by hackers. If you see a theme here, it's about exploiting the gobs of information that people willingly put out into the digital ether.
Recovering Data on Physical Drives
Even if you keep your data safe on the Internet, there's the problem of the data that lived on physical hard drives. How many phones have you gone through in the past few years? What did you do with them? If you sold your phone, you likely did a factory reset on it before you handed it over, which wiped all of the data off of it. Not exactly. Security firm Avast bought 20 used Android phones online, and put them through a test to see if it was possible to recover their data. Each phone had been reset before they were delivered. By using forensic software (which any hacker or the like can purchase), the company was able to recover 40,000 photos, many of which were of nude women. Outside of pictures, they recovered texts and Internet searches, and were able to identify some of the previous owners from the information they gathered. If this fell into the hands of a hacker looking to do damage, they may be able to blackmail the previous owner or steal their identity.
During Avast's research, it seemed Android phones were more open to data recovery than iPhones.
In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification.
How many times have you seen this: you're surfing the net, and all of the sudden a sidebar advertisement shows a beautiful single woman who's in your area that totally wants to meet you. You click on it. Or, an email that tempts you with money appears in your inbox—all you have to do is send your information to a kidnapped prince and you'll be bathing in wealth. Phishing scams are as old as the modern Internet itself. And they work, to a certain degree. Some phishing emails are disguised as being sent from a real place, like your bank, social network, or school. A phishing email from a fake bank, for example, could say that someone tried depositing money into your account but there was a problem. They've attached a document with more information that you can look at—and as soon as you open it, a Trojan virus is released onto your computer that can collect your data.
Phishing can also come in the form of malicious links on Facebook that entice users to click by advertising exclusive x-rated video or pictures. Similar to this:
As long as you keep an eye out before you click, phishing scams are easy to avoid.
Remote Administration Tools
One of the most frightening ways a hacker can collect information is by way of a remote administration tool. There's an underground network of hackers, who are mostly men, who infect computers belonging to women with a RAT program, which gives them access to their webcam, files, and their microphone. These hackers are able to control the computer remotely, and can turn on a webcam and watch their victim—all without them knowing. Until the hacker makes himself known by leaving the women messages, that is.
Here's one that you could be victim to right now: An easy method for hackers to steal information is over unencrypted public Wi-Fi. If your phone is set to log onto public Wi-Fi connections, say, at parks, schools, airports, or Starbucks, hackers can enter your network and record your name, address, passwords, and keystrokes. Many public Wi-Fi connections aren't encrypted and have no password, so hackers can devise ways to record your info, which is often referred to as "sniffer software." Sometimes, they'll set up a dark Wi-Fi spot: because some phones are set to automatically connect to a Wi-Fi hotspot around them, a hacker could set up a malicious hotspot that will record what ever information your phone relays to it once it connects. This could include your email, Facebook, or Twitter passwords.
How can you protect yourself?
- Enable two-factor authentication for your social media and email accounts (or any accounts that offer it). You can do this for Facebook, Gmail, Yahoo!, AppleID and a slew of different services, and is one of the things that Mat Honan says would have saved him from having his data deleted by the hackers.
- When you're ready to sell off your old phone, perform a factory reset on it. Then, go back and fill up the phone as much as you can with music, and then reset it again. The music will rewrite over your old "erased" memory, so if hackers are able to see your old info, they'll likely only see your 90s collection.
- Make sure you use different passwords for different accounts. But how will I ever remember all of those passwords? Relax. Go to the App Store and you'll find dozens of secure apps that will store your passwords, and even generate ones for you. Check out KeePass and LastPass.
- Turn off your Android phone or iPhone settings so that it doesn't automatically connect to public hotspots. And if you are on a public hotspot, don't make financial transactions and try not to log into an email or Facebook account that might store important information.
- If your computer is doing things out of the ordinary, like its disk tray is popping in and out or the webcam light is lit though you didn't turn it on, you might have a RAT infection. Don't just brush it off as your computer just being "buggy." Disconnect from your Wi-Fi and get it checked out.
- If you must have nudes or other important information on your computer, save them on an encrypted folder. This isn't a sure-fire way to keep your things hack-proof, because where there's a will there's a way, as the saying goes. But it's sure better than not having it encrypted. And if it doesn't stop hackers, it will stop anyone who uses your computer (like friends or family.)
- When it comes to sending nudes, be aware of the risks. You can still use some Polaroids if you really have to take a picture of yourself naked.
Hackers will be around as long as we have a network like the Internet, and they'll adapt as it evolves. But "hacking" was around before things like email and Facebook—in the past, it was just old-fashioned espionage. As it was back then, and as it is now, protect what's valuable to you regardless of whether it's digital or physical. And do it smartly.
Jason Duaine Hahn is a News Editor at Complex. He tweets here.