Oct 152014

dropbox hacked imageOn Monday, hackers claimed to have stolen 7 million Dropbox logins, anonymously posting ‘teasers’ of the supposedly-stolen credentials on Pastebin – the teasers accompanied by the promise of more credentials in return for a Bitcoin donation. Dropbox have since poured cold water on the boasts, with senior Dropbox engineer, Anton Mityagin, claiming that “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe.”

Mityagin went on to say “The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.”

A lesson in semantics?

It appears that, technically, Dropbox were not hacked in that its service was not exploited to gain access. However, it is likely that Dropbox user accounts could have been compromised due to credentials being stolen from elsewhere and then used to gain access on the service. The reason Dropbox credentials can be found in places other than Dropbox of course is because most internet users re-use the same login credentials across multiple sites and services.

It’s unlikely that anyone reading this article won’t have, at least at some point, re-used the same login credentials for different services. After all, the most important thing for most is convenience, not security.

This isn’t the first time Dropbox has hit the headlines due to password re-use. In 2012, when 6.5 million LinkedIn usernames and passwords were stolen by Russian cybercriminals, one of those accounts happened to belong to a Dropbox employee. Unfortunately for Dropbox, the employee had used the same username and password for his Dropbox administrator account as he had to access his personal LinkedIn account. Once stolen, hackers used the LinkedIn credentials to access the Dropbox admin account and harvest thousands of customer records.

Lessons to be learned

It all sounds rather obvious, but the lesson for employers is to enforce the use of strong, unique passwords for business accounts – and crucially, do not allow employees to re-use personal passwords for business. If you are concerned about employees doing this, then one additional security precaution is to ensure that employees switch on 2-Factor authentication for services where this is available. This adds an additional layer of security for services, meaning a hacker not only has to know the username and password, but also have access to the second authentication factor in order to access the service.

 Posted by at 10:29 am
Oct 142014

Wordpress hackStatistics for hacking incidents are pretty staggering; with over 30,000 websites hacked every day. But your blog’s not on a hacker’s radar, surely? Well… with WordPress being used by 22% of the top 10 million websites, it’s a prime target for hackers due to huge impact a single exploit can have. As recently as a couple of months ago 50,000 WordPress websites were hacked after just one hole in a plugin was exploited.

Why a hacker would target your company blog

Everyone knows that hackers like to target networks where they can steal financial data, or customer details, or company secrets, or just cause mayhem, but there are other reasons too.

Forget the notion of a lone wolf with a penchant for late nights and strong coffee. Yes, they exist (Hollywood knows!), but most hackers have programs to do all the hard graft. These so-called bots are set to work 24/7 scanning for exploitable areas on websites, and your blog is just another address in the search list.

There are the hackers who do it just because they can – they do it for fun and crow about it to their friends. They will deface your webpage, post political statements, advertise their hacking group, causing not only raised eyebrows from your customers, but long-lasting reputational damage.

Then there are the ones who want to edit your pages by adding links to their own site in order to boost their own or affiliated website traffic – irritating for both you and your genuine website visitors.

There are those who want to upload malware to your website in order to infect visitors and harness their devices into their ‘botnet’. These computers can then be used en masse to, for example, flood a particular website with so much traffic it creates a denial of service (DOS). By using other people’s computers, these mischief makers hide their own location and put you in the firing line instead.

You can avoid a hack if you take some simple preventive measures.

5 essential tips to protect your WordPress blog

  1. Apply updates. Hackers pay great attention to security holes, so plug them asap by keeping abreast of updates. Apart from applying automatic WordPress updates, make sure you are using the latest versions of plugins and themes and delete old or unused ones. Avoid showing version numbers on your blog as this is useful information to the hacker – they’ll know which vulnerabilities apply to each version.
  2. Create more than one admin user login. If a bot finds your blog and gains access, you will be locked out. Create at least one other admin account with a different user name and password, then either delete or rename the default admin account.
  3. Do regular backups. Don’t leave long gaps between backups, and keep multiple generations of them – it could be days before you realise you’ve been hacked and you may have to go back further than you think. To be kept informed of possible hack attempts, use a malware scanning product which will alert you to changes in the WordPress core, plugins and themes.
  4. Limit login attempts. To avoid a brute-force attack, where a bot tests millions of combinations of usernames and passwords at high speed, install a plugin that limits the number of login attempts per hour.
  5. Use strong passwords. Length equals strength, so use a long password which includes upper and lower case letters, numbers and special characters. Avoid using words that appear in dictionaries and definitely don’t use the names of family members or pets as these are easily found on third party sites. Test the strength of passwords and keep them all in a password manager. Use different passwords for different blogs, and for each access point – admin and web server – and password protect your wp-admin directory.

Prevention is better than cure

If your company blog site is hacked, you may have only a short-lived setback offering just minor irritation to you and your audience. If you’re lucky, that is. At the other end of the scale is permanent loss of reputation and the long-haul prospect of rebuilding it.

But the damaging effects of a hack can be avoided by recognising the threat and responding to it proactively. Don’t become a statistic. Remember, you set up your company blog to offer dynamic content – you need to be just as dynamic about protecting it.

 Posted by at 5:37 am
Oct 062014

Padlocks-Red-Blue400pxA cursor with a life of its own, a new and unexpected toolbar, a redirected browser search, random popups, a series of calls from concerned colleagues who have been asked to send you money in Moscow…

If these sound familiar, your computer or network has probably been hacked. It’s not something you’d wish on your worst enemy, so why take the risk of inflicting it upon your own business?

The stuff of nightmares

The inventory of malicious programs – malware – in a hacker’s 24/7 armoury reads like the script of a Wes Craven movie – things you may never have heard of and certainly don’t want to wake up to: viruses, worms, Trojans, key loggers, rootkits, botnets, adware, spyware, ransomware, phishing, social engineering, malicious LSPs and BHOs…the list goes on.

What’s the fix, you ask? Of course…an anti-IT-nightmare software package!

Sadly, there’s no such product. Just as hackers can inflict a multi-pronged attack to a system, your business needs a multi-pronged defence.

The 5 products your business needs to stay secure

Anti Virus software. As the name suggests, these programs are used to detect, prevent, and remove viruses and malware from infected email, files and websites. AV software uses anything from lists of known malware ‘signatures’ to complex detection algorithms to determine whether a piece of code is legitimate or not. They come in varying degrees of sophistication, from simple virus detection to protection against a full, broad spectrum of attack vectors. Choose one that offers real-time monitoring. Recommended: AVG | Free, BitDefender

Anti Spyware. Spyware is software that monitors a user’s internet browsing habits for the purposes of tailored advertising. This may sound harmless, but it is a security threat as it can also monitor key strokes, email addresses, and passwords; indeed, anything on the hard drive. It is typically downloaded unintentionally from free, or trial, software (‘freeware’). Information gleaned is then passed on to any number of third parties, expanding the scope of threat. As spyware cannot usually be removed by standard uninstall methods, you’ll need a fit for purpose anti spyware product. Recommended: Malwarebytes, Lavasoft Ad-Aware

Firewall. This is a piece of software or hardware that prevents unauthorised access. Software programs protect individual computers against malware that has, for example, been picked up by employees from files used at home, or from a USB stick, or after using an unprotected public network. Hardware firewall devices protect the network itself. A combination of these provides a higher level of security and both types are straightforward to install. Recommended: ZoneAlarm, Comodo FirewallWindows Firewall

Password manager. Passwords are first prize for hackers as they provide the quickest access to a system. Most employees have multiple login accounts, all of which should have unique, strong passwords but, being fallible, people tend to use universal or obvious passwords that are easily hacked. A password manager affords an employee safe storage of all their passwords, PINs and telephone pass codes. Ensure that your Password Manager encrypts your data, and that it offers 2-factor authentication for added security. Recommended: This is what we do!

Encryption. This is the final step in the defence plan, the place where the buck stops; even if the other barriers have been bypassed, data encryption leaves hackers scratching their heads. Encryption can be applied to anything from a USB stick, to emails, to a company’s full array of stored information. Recommended: DiskCryptor, VeraCrypt

The second law of thermodynamics

You don’t need to be a physicist to know that nothing stays the same. Like physical walls on physical premises, security measures need ongoing maintenance if their effectiveness is not to degrade.

Software will need upgrading or patching from time to time, so keep abreast of any changes required. Do this by signing up for notifications from the product or service suppliers.

Choose automation over manual intervention. If possible, make sure that any updates are done automatically as this not only alleviates the effort involved in program maintenance, but makes the system less prone to attack.

Sleep tight

There is no stand-alone solution for IT security, no one product that can perfectly detect all possible threats, no magic wand that can singlehandedly fulfil all the requirements to prevent a breach, but by building a comprehensive, layered defence with this five point plan, you can come as close as it gets to achieving peace of mind.

 Posted by at 4:56 am
Sep 262014

Ever wondered what a hacking incident costs a business? Has your IT team set aside a contingency budget for it? Recovering from a hack unfortunately isn’t a case of just installing a new firewall or updating anti-virus software; with 2014 stats pegging the cost of a business data breach at a staggering $3.5 million (£2.1 million).

Studies over a nine-year period by the US-based Ponemon Institute confirm that – at 44% – malicious attacks are the most common cause of business data breaches.

For the average business, the costs associated with these attacks are nothing short of titanic, and the risk of going under a very real prospect.

Tip of the iceberg

The price tags for a data breach fall into three categories: direct costs (for example, hiring forensic experts and setting up customer hotline support), indirect costs (such as internal investigations and a stream of communications), and opportunity costs (the loss of lifetime value from existing customers and acquiring fewer new customers).

Easy-to-count direct costs are just the start of it: indirect costs are typically double that of the direct costs, and opportunity costs come in at a substantial 38% of the final figure.

In line with the societal trend towards a compensation culture, legal costs are rising year on year as claimants engage in ‘no win, no fee’ arrangements with lawyers, often prolonging management of the fallout for years.

Malicious attacks cost more

If a data breach is defined as one in which an individual’s personal data is potentially put at risk, then the average cost per compromised customer record is $201 (£123), but this rises to $246 (£151) for malicious causes.

Ultimately, what hackers want is passwords, and the methods of choice behind malicious attacks are malware infections, phishing, social engineering, source code injection and having accomplices on the inside.

The statistics on the vulnerability of business passwords suggest that 90% are considered hackable and that over 50% of them are hackable within minutes. Coupled with the known number of new malware strains running into tens of millions per year, the outlook isn’t great.

Small businesses are more vulnerable

Small businesses are prime targets for hackers, who know that even basic security measures such as password protection are sometimes absent.

These businesses tend to spend less on IT security, seeing it as a disproportionately large cost, but this short term strategy could have unexpected long term consequences: a study by the Payment Card Industry (PCI) Security Standards Council (SSC) found that 60% of small businesses close within six months of experiencing a breach.

To be forewarned is to be forearmed

In Ponemon’s year-on-year studies, the steps companies take in the wake of a hack form a familiar pattern: revisions in endpoint security, more training and awareness, greater use of encryption, and better identity and access management.

No matter the size of the business, if it’s passwords that hackers want, the most cost-effective factor which can mitigate against a malicious attack is a formal security policy which requires users to set up robust passwords.

Strong passwords are words or phrases which are – first and foremost – long and, for added security, complex (containing a mix of cases, numbers, and special characters). Whilst this makes them more challenging for users to remember, password management tools with single pass phrase mechanisms are a worthwhile option.

For want of a nail

As the saying goes, for want of a nail the shoe was lost; for want of a shoe the horse was lost; for want of a horse the rider was lost; for want of a rider the message was lost; for want of a message the battle was lost; for want of a battle the kingdom was lost; all for the want of a horseshoe nail…

The message is that small things can have large consequences. Business owners need to know that strong passwords are their horseshoe nails, and that they are key to securing their kingdom.

 Posted by at 9:04 am
Sep 172014

Blissful ignorance by employees is, more often than not, the cause of security breaches

Since the dawn of commerce, business owners have acknowledged that their greatest asset is their employees. Since the dawn of the internet, though, cyber-savvy business owners have acknowledged that they are also their greatest liability.

Studies on IT security have a common denominator when it comes to identifying the singlemost weak link in the cybersecurity chain: human beings.

The easy path

It is a natural habit for individuals to want to take the easy path. Whilst that is often put forward as an undesirable attribute in a person, there are advantages too: if there isn’t an easy path, someone will invent one, and the result may be a step forward in technology.

There are times, though, when taking the easy path can have ruinous outcomes in the business world.

In IT systems, user convenience and tight security don’t always occupy the same space, and when employees take the easy path with passwords they put your business at risk.

The mistakes that employees make with passwords are not typically done with malicious intent, or any degree of wilful negligence; it’s often a simple case of ignorance. Most commonly, though, the motivation is one of convenience.

The 10 password mistakes your employees are making

  1. Writing down passwords on notes which are kept in full view, or under the keyboard, or in a drawer, or saved in their phone’s contact list under – you guessed it – P!
  2. Using the same password for personal accounts and business accounts. If a hacker cracks the password on any of the personal accounts that your employee uses, he or she will try it elsewhere.
  3. Using the same password on all work-related accounts. Employees should use separate passwords for separate business accounts, especially if they have different permissions.
  4. Using their football team, pet’s name or family names for business passwords. Hackers can and do look up employees on social media sites and use what they find there to crack passwords.
  5. Meeting the bare minimum on password requirements. Typical password policies state a minimum of 8 characters, so that’s exactly what employees use. Even with added complexity (numbers, special characters, mixed case letters), shorter passwords are far easier to crack than long ones.
  6. Incrementing a digit on the end when asked to change a password. Hackers are well aware of this tendency, which results in easily predictable password patterns.
  7. Telling other people their password. Once a password is known by anyone else, even if it’s a colleague, the system becomes less secure, as the other person’s approach to security may not be adequately rigorous.
  8. Saving passwords on browsers. By invoking the ‘Save password’ or ‘Remember me’ option on websites, employees leave the door open to hackers.
  9. Emailing passwords to themselves so they can work from home, leaving the information in plain text rather than encrypted. Employees mistakenly think that, because email is a widely used communication tool, it must be safe.
  10. Logging in to business accounts on unsecured networks or devices. Using a coffee shop’s open Wi-Fi network, for example, or using a personal device that hasn’t been secured, leaves the connection open to snooping.

The road less travelled

If the analogy of the easy path is applied to negligent password practices, it is perhaps not surprising that one can draw an interesting clue to its solution from M Scott Peck’s work, ‘The Road Less Travelled’, in which the noted psychiatrist describes the importance of discipline in achieving a state of well-being.

If discipline is the takeaway, business owners need to be proactive in engaging the cooperation of employees to stop risky password habits. A good place to start is with a written policy on what is, and what is not, acceptable.

Arguably, a company’s security is defined by its weakest password, so owners should raise the bar when it comes to rules for password length and complexity, offering tools to test password strength, and using a password manager with a single pass phrase rather than expecting employees to remember several of them.

The consequences of a breach can be devastating: loss of assets, loss of goodwill, loss of public integrity. A disciplined approach to password policies, protocols and practices is key to maintaining a secure network. Call it a path, call it a road, it’s the only way to go.

 Posted by at 8:37 am
Sep 152014

law2014The my1login team are excited to be exhibiting and speaking at Law2014, the UK’s largest Legal Services Exhibition, from 23rd to 25th September 2014.

Jodie and Jo will be at at Stand 23, so be sure to come say hello if you’re attending! Our team will be there to answer your questions on how our legal customers use my1login to improve corporate security and increase billable hours.

If you don’t already have your ticket, you can register to attend for free here or call 01332 613464.

Cloud & BYOD – Practical Tips to Protect Your Law Firm

Mike-Profile600wOur CEO, Mike Newman, will also be speaking at the event. With the trend towards outsourced cloud services and the increasing use of employees’ own devices, there is a growing risk of data breaches in law firms. Mike will explain the risks that law firms face and what steps to take to protect your organisation.

Topics covered:

  • Main causes of data breaches in law firms
  • Poor password practices in use by solicitors
  • Password analysis and how to improve password strength
  • Managing Companies House codes
  • Advice on educating Employees on phishing scams and social engineering
  • Password management and BYOD
  • How my1login can improve corporate security for law firms

If you’re attending Law2014 be sure to catch Mike’s talk at 10.30am to 11am on Thursday 25th September 2014. You’re also very welcome to come by Stand 23 at anytime from Tuesday 23rd Sept to Thursday 25th Sept and say hello to Jodie and Jo!




 Posted by at 6:58 am
Sep 142014

healthcare.govMost hacks don’t hit the headlines, but when it’s the US Government’s HealthCare.gov that’s hacked, you can be sure it’ll make the news. A hacker, still unknown to authorities, recently compromised the HealthCare.gov’s insurance enrolment website. According to the Department of Homeland Security, once the hacker had gained access, they proceeded to upload malicious software to target the site’s visitors.

If it wasn’t such a serious breach, the attack vector would be comical, with the ‘hacker’ gaining access simply by using the default password that hadn’t been changed. The reason for the ‘oversight’ was that the server was in a ‘test environment’ used by the development team.

An investigation was said to have concluded that no personal data was illegally accessed during the attack, but it’s yet another example of organizations being compromised for not taking the most-basic of security measures by simply using strong passwords to protect business critical systems.

No matter how stressful, time-pressured or complex development projects may become, it’s crucial to give proper consideration to the security that underpins them. While it may seem like an acceptable shortcut, cutting corners on security can end up costing more time in the long run and do untold reputational damage should weaknesses be exploited. Neglecting security during a development is a common fault that hackers are only too keen to exploit – the US Government being the latest red-faced victim. If you have a test environment within your business, ensure that your developers take the same precautions that you’d expect them to take with live websites – and protect access with strong passwords.

 Posted by at 9:37 am
Sep 122014

NHSA new patient information sharing system by NHS is causing concern that it may be vulnerable to a hack, exposing millions of sensitive patient records.

The care.data programme, which is currently on hold due to concerns over its opt-out policy, will see patient records from across England stored centrally, with apparently non-identifiable data being used for clinical research and studies. Despite the concern over the security of the data, medical experts are urging patients not to opt out of because of the damaging consequences to their research work set to benefit from it.

Labour MP George Mudie had campaigned in Parliament for the data-sharing scheme to be delayed until the UK public were properly consulted. The intended opt-out system means that patients date of birth, postcode, NHS number and gender will be included in the data sharing system by default.

There will be an eventual breach of security, which is inevitable with the size of the database, the information stored in there. The human cost will be potentially disastrous to a patient whose identity and medical history is made public. Careers could be ended, jobs could be lost, insurance refused, relationships destroyed if sensitive medical facts are made public or are used by private firms or people or indeed the media. A further reason for concern is that the information will not be solely available for analysis and research in the NHS but will be made available to non-NHS organisations. George Mudie MP.

The Weakest Link

Health minister Dan Poulter promised there would be ‘robust procedures’ in place to protect patient confidentiality. However, it’s the human element that is the weakest link in any implemented security. With thousands of healthcare employees having to access the data sharing system, the strength of their authentication will come under scrutiny. Typically when employees need to access business systems to carry out their job, they will adopt practices that maximise their convenience, not maximise security. Using easy-to-guess passwords, writing them down on post-it notes, or storing them on phones are all regular occurrences from employees who need to remember passwords. When those passwords protect extremely sensitive patient data, the consequences of a breach are hugely significant.

When the care.data programme is implemented in the coming months there is no doubt that it will greatly benefit diagnosis and medical research. The counterweight is that should a security breach occur, extremely sensitive patient information will be released into the public domain. While the NHS hack threat may be a high profile example, organizations of all sizes are hacked each day due to weak employee practices, with each hacking incident estimated to cost £35,000 to £65,000.

 Posted by at 6:59 am
Sep 112014

The recent iCloud hack of Jennifer Lawrence and other celebrities exposed just how much trouble can be caused by inadequate security measures.

Apple confirmed that the hacker gained access to the celebrities’ iCloud storage areas by correctly guessing the answers to security questions. Undoubtedly, private individuals sat up and took note, but there’s a chilling lesson to be learnt for business owners too.

Social engineering 101

Social engineering, or the art of getting ordinary individuals – employees included – to give up useful personal details and sensitive security information, is what presents the risk to businesses.

It is human nature to tell the truth when asked questions by people who are perceived to be in a position of authority, and it is this same inclination that applies to password security questions – individuals answer them accurately. There is also a tendency for individuals to use the same passwords and security answers in the workplace as they do in their private lives.

This combination of habits is what hackers aim to exploit: if they can find out the likely answers to security questions, they can hijack an employee’s email account and gain access to a business network.

The trouble for celebrities is, because so many of their detailed personal facts are liberally sprinkled across the public domain, these answers are easy to guess. Unlike with celebrities, hackers have to actively find out facts about the particular individual or employee they want to target. Too hard? Wrong! Too easy…

Admittedly, you can’t read about Ms Smith from Accounts in Rolling Stone, OK! or Vanity Fair, but what if Ms Smith is on LinkedIn, Facebook, Twitter, Pinterest, or any other number of social media or third party sites? Granted, no one’s shouting, “Read all about it!” from the street corner, but they may as well be.

In order to learn more about an individual or employee, hackers do their homework by digging around on social media sites. Armed with personal information – often simple details like a pet’s name, spouse’s name, date of birth – they have paved the way for an easier break-in. And the unwitting individual has helped them.

Tell me lies, tell me sweet little lies

Business owners should increase awareness about the concept of social engineering and share with employees the full extent of what assets could be stripped as a result of a security breach: passwords, customer information, corporate plans and strategies, or data pointing to a financial source. After all, it is in their collective interest that the company they work for isn’t compromised.

There is a simple but effective way to reduce the threat posed by social engineering: employees can protect both themselves and, consequently, their employers, by changing their natural instinct to tell the truth when answering security questions.

The fact is, no one is actually verifying that an answer is true, just that there is an answer, and that it’s the same one each time the question is asked.

This simple fact means that, by telling a white lie, or even a supersize one, users can add extra strength to a potentially weak security measure. No system can check that a first pet really was called Spot – it’s just as happy with HotDiggidyDog. And mother’s maiden name? Why, it’s R2D2N0ne0fY0urBu5ine55, of course…

The downside to disguising the truth, as any experienced dissembler will tell you, is having to keep track of the web of lies: it’s much easier being honest. In this case, as the deception is so clearly worth the effort, using a password manager is an ideal way to store passwords and security answers – you only have to remember one pass phrase.

The celebrity photo hack was a classic case of social engineering and is directly relevant to business owners. Fleetwood Mac’s immortal line, “Tell me lies, tell me sweet little lies”, encapsulates an unusual workaround, which is why you won’t hear any hackers humming it…

Falsehoods, fibs and fabrications are not your average recommendation in the workplace, but business is business, after all.

 Posted by at 6:57 am
Sep 012014

Tinseltown has been hacked: nude or explicit photos of around 100 celebrities have been illegally accessed and posted on the 4Chan anonymous image-sharing platform.

The celebrities include Jennifer Lawrence, Kim Kardashian, Kirsten Dunst as well as Brits Kelly Brook, Michelle Keegan, and Cat Deeley.

How did it happen?

A suitably attired Jennifer Lawrence at the 68th Annual Golden Globes. ©iStock.com/Jennifer Lawrence

A suitably attired Jennifer Lawrence at the 68th Annual Golden Globes. ©iStock.com/Jennifer Lawrence

Jennifer Lawrence is – so far – leading the understandably outraged reaction, saying that she intends to take legal action for invasion of privacy. Whilst Ms Lawrence has confirmed that the photos are genuine, some celebs are dismissing them as fake and/or over two years old. There’s no saying, then, exactly when the first hack took place.

The perpetrator has not confirmed exactly how he or she accessed the photos, but possible hacking routes are phishing, irresponsible sharing of password details, or using the same password on multiple website accounts. Of course, a natural consequence of one celebrity email account being hacked is that it opens up the possibility of hacking further into their network – of friends, that is.

It is emerging, though, that the most likely route was by cracking weak personal passwords on Apple’s iCloud and accessing the celebs’ storage areas. Certainly no one has suggested that iCloud itself has a security flaw, but they have recently issued a patch for a piece of programming code which could help crack user accounts by using the 500 most common passwords approved by Apple’s rules. The script allowed anyone using it to repeatedly guess passwords on Apple’s ‘Find my iPhone’ service without locking them out or issuing an alert. Once in, the hacker would have access to the iCloud storage areas – and any photos there.

Although Apple has said they are aware of the photo hacking scandal, they have not issued any statement other than that they will comment in due course. If nothing else, they are likely to offer advice on how to avoid a personal iCloud security breach.

How to avoid the naked truth

Heading the list of weak links in the security chain is the users themselves: passwords are invariably inadequate when it comes to ensuring privacy from a determined hacker. Passwords can be made stronger by including numbers, upper and lower case letters, and special characters but, if you do nothing else, you should make your passwords longer – long passwords or phrases are hard to crack. ‘D0ntGetCaughtWithY@urPantsD()wn!’ would take over 200 million years to crack – yes, you read it right. No one would be interested in your photos by then. Surely?

Get to know how remote storage systems like iCloud work: many don’t realise that it syncs recorded media from all devices as soon as a WiFi link is established, or any time the device is recharged or rebooted. This means that deleting a photo on one device isn’t enough if you want no record of it; it has to be deleted from the cloud as well. (One very simple solution is to turn off iCloud backups under the iPhone’s Settings, but the downside is that you lose the option to recover records after a device failure.)

Use the security feature on iCloud that is not widely known about: two-factor authentication. In addition to the usual username and password, a one-time password is sent to the device itself and must be entered before access is granted. It’s not a default setting, though, and must be manually enabled.

So, if you don’t want to become a celebrity yourself – even if it’s only down at the local pub – use a strong password, invoke two-factor authentication and – safest of all – avoid the urge to take nude or risqué selfies. However, if the Devil does make you do it, stick to bathing suits not birthday suits…

 Posted by at 2:53 pm