It seems that celebrities frequently have their phones and computers targeted by hackers intent on stealing photos, many of them highly personal, which are then leaked to the Internet. Although the stories tend to conjure up images of some dark underground movement in which faceless geniuses hack into mainframe computers using sophisticated tools and password cracking programs, the reality is much less glamorous.
Many of the most recent leaks of celebrity nude photos were reported as hacking incidents even though the alleged hackers actually just purchased these images from other sources.
Reporting these infractions as hacking gives the wrong impression of what happened, and it also places undue blame on the technology instead of on the celebrity.
After one highly publicized hacking incident in which multiple nude photos were leaked from Jennifer Lawrence’s and other celebrities’ iPhones, Apple CEO Tim Cook stated that the accounts were compromised when the celebrities’ security questions were correctly guessed and then used to reset the passwords on Apple’s servers – the same process you’d use if you had to reset your own account. The attackers then restored the latest iPhone backup to their own iPhone. This is something most people could actually do on their own; Apple even provides written instructions for it, because it’s a normal part of the backup and restoration process.
People in the cyber security industry know that there is an inherent risk when it comes to security questions. Information such as your favorite color, your place of birth, or the color of your first car may be widely known or easily guessed by people who are close to you. If you’re a celebrity, it’s even worse; a quick trip to Wikipedia might give a complete stranger all the information they need to reset your passwords.
In general, celebrity hacking incidents end up having little effect on the victims; in fact, some celebrities even benefit from the publicity.
Ultimately, saying that you’ve been hacked is sometimes a way of shifting the blame to those nefarious hackers while avoiding your own responsibility to protect yourself.
We think it’s funny when we see a friend of ours post an awkward status on Facebook like, “pooping at work…” or “I like boobies!” and then a few minutes later post a comment saying they were hacked, because they left their phone or computer unlocked while still signed into Facebook. That’s not really being hacked, though; that’s just being neglectful.
But what if that neglectfulness carried dire consequences? What if that neglectfulness came from a large government organization like the Office of Personnel Management (OPM) or a large bank?
For the average person, the most dangerous incidents, the ones that can really turn their lives upside down, occur when sensitive information about them stored by a third party is compromised. It happens so frequently that we pretty much ignore the news these days when yet another government agency or large company announces that hackers have broken into its systems. It is in these cases that it becomes even more important to distinguish being truly hacked from having failed to take even the basic security steps needed to protect information.
If a large company fails to perform their due diligence and secure their systems adequately, should they be able to hide behind the ‘we were hacked’ excuse when it comes to being held liable for the results?
Although some states have laws on the books that require businesses to notify people whose personal information was obtained by unauthorized entities, there is no federal law concerning it, and the liability for damages associated with hacking or security incidents is completely up to interpretation. Many of the larger hacking incidents that involve stolen identities and credit card numbers from the databases of large corporations end up having more to do with the trustees of that information failing to follow basic security procedures than with sophisticated hackers breaking into protected data.
People who work in the Information Technology field frequently speak about times they’ve discovered that the company they work for uses simple or default manufacturer passwords (or no passwords at all) on their equipment.
It’s alarmingly easy to contact an official at a company pretending to be someone you’re not and obtain information that wasn’t meant for you. Large companies such as Home Depot and JP Morgan have both been victims of security breaches in which the hackers used a combination of social engineering and vulnerabilities in unprotected systems to obtain what they were after. Once the information is stolen, there’s no telling for sure where it ends up, but it’s likely that much of it is put up for sale on the Internet’s black market, known as ‘the dark web’. The dark web is a part of the Internet accessible only through special encrypted web browsers, where governments have very little reach – it’s pretty much lawless. It’s commonly used for political movements in countries where human rights or freedom of speech are not respected, but it’s also a place where stolen credit cards, illegal pharmaceuticals, and even entire identities are sold.
Shouldn’t companies and organizations that fail to do even the most basic security hardening on their systems be held more liable for hacks and data breaches, and for the effects they have on the people who’ve entrusted their information to them?
So how do you protect yourself?
When it comes to true hacking, where a website or company server has been penetrated by sophisticated attackers to steal data, there’s not a whole lot you can do as an individual user other than limit the amount of useful data you allow to be stored in that location. The truth, though, is that a lot of successful security breaches are facilitated by phishing and social engineering used to obtain or reset passwords. There’s no sure way to stop a determined and skilled hacker, but you can make their job harder and limit the damage they can do if you do happen to be targeted by one. Here are some ways you can protect yourself:
- Never open emails from people you don’t know, especially if they contain attachments. Email attachments are one of the most common methods hackers use to transmit malicious code. They are also one of the most successful methods – many companies and hospitals have succumbed to major ransomware worms because of email attachments that were opened and run by a poorly trained employee.
- Don’t believe anyone who calls or emails you stating that you owe money to a government agency (such as the IRS) or a company you’ve never done business with. We do live in the digital age, but official notices are still carried out by good old-fashioned mail. As long as your address is current, legitimate creditors will find you. Hackers typically use this type of technique to gain information that allows them into a system.
- When you have to create an account on a website, whether for shopping, bill payments, or anything else, only provide the bare minimum of required information. This will help limit what’s available in case hackers compromise that site.
- Always use secure passwords that either contain a mixture of numbers, letters, and symbols or combine at least 4 separate words (greyelephantsfromafrica).
- Use something besides security questions to reset forgotten passwords. If a site allows you to use an alternate method such as two-factor authentication or password reset via email, take advantage of it. People who know you can guess many of the most common security questions that a site might use to prove your identity.
- Try to select security questions that only you could know the answer to, and use different questions for each site. Some sites store your answers case-sensitively, so for consistency and simplicity, either always capitalize your answer or never capitalize it, but don’t mix the two.
- Never forget that everyone knows your mother’s maiden name and that the name of the town you grew up in is probably in your Facebook profile, which makes these two the least secure questions you could use. Other weak questions to avoid include the names of schools you’ve attended, pets’ names, and the model of your first car.
- Protect your identity with identity protection. There are multiple services you can buy that are relatively inexpensive. They’re like insurance policies for your identity. The services can normally detect attempts to steal or use your identity by hackers and clamp down on them before the damage can be done and before you might even know about it. Some of them also include identity restoration services in the event that their protections fail to stop someone from using your identity.
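The password advice above (a mix of numbers, letters and symbols, or at least four separate words) can be turned into a sign-up check. The following Python is an added example, not code from the article or its author: it applies both rules, refuses a short constructed list of common passwords (a stand-in for a real breached-password list), and attaches a rough entropy estimate so you can see why a four-word passphrase like greyelephantsfromafrica holds up against a short character mix. The word-list size, the 12-character minimum for character-mix passwords and the idea that the form collects a passphrase as separate words are all assumptions for the example.

```python
import math
import string

# Constructed stand-in for a breached-password list; a real check would use a
# much larger list (assumption for this example).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Assumed size of the word list a passphrase is drawn from: 4096 words gives
# 12 bits per word, so the four-word minimum is worth roughly 48 bits.
ASSUMED_WORDLIST_SIZE = 4096

MIN_MIXED_LENGTH = 12   # policy threshold for character-mix passwords (assumption)
MIN_WORDS = 4           # the "at least 4 separate words" rule from the article


def character_classes(password):
    """Return the set of character classes present: lower, upper, digit, symbol."""
    classes = set()
    for c in password:
        if c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("symbol")
    return classes


def pool_size(classes):
    """Size of the alphabet a random password with these classes draws from."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    return sum(sizes[c] for c in classes)


def estimate_bits(password, words=None):
    """Crude entropy estimate: words * log2(wordlist size) for a passphrase,
    otherwise length * log2(pool size) for a character mix."""
    if words:
        return len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
    pool = pool_size(character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, words=None):
    """Apply the policy. `words` is the passphrase split into its words when the
    sign-up form collected it that way (assumption); otherwise the password is
    judged as a character mix. Returns (accepted, reason, estimated_bits)."""
    bits = estimate_bits(password, words)
    if password.lower() in COMMON_PASSWORDS:
        return False, "common password", 0.0
    if words:
        if len(set(w.lower() for w in words)) < MIN_WORDS:
            return False, f"passphrase needs at least {MIN_WORDS} distinct words", bits
        if any(len(w) < 3 for w in words):
            return False, "passphrase words must be at least 3 letters", bits
        return True, "passphrase", bits
    classes = character_classes(password)
    if len(classes) < 3:
        return False, "needs a mix of letters, numbers and symbols, or a passphrase", bits
    if len(password) < MIN_MIXED_LENGTH:
        return False, f"character-mix passwords need at least {MIN_MIXED_LENGTH} characters", bits
    return True, "character mix", bits


if __name__ == "__main__":
    # Constructed sample inputs: the article's passphrase, one character mix,
    # one all-lowercase string and one common password.
    for pw, words in [("password", None),
                      ("greyelephantsfromafrica", ["grey", "elephants", "from", "africa"]),
                      ("Blue!Sky42Go", None),
                      ("blueskyforever", None)]:
        print(pw, check_password(pw, words))
```

The entropy figure is deliberately crude: it assumes the words or characters were chosen at random, which is the best case, so it is useful for comparing the two rules against each other rather than as a promise about any one password.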
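The Apple reset story earlier in the article, and the two list items on avoiding security questions and on keeping answers consistently capitalized, describe the same design problem from two sides: an account-recovery path that only asks for facts about you is as strong as those facts are secret. The Python below is an added example written for this article, not Apple's code or the author's: a small recovery service that stores security-question answers normalized (case folded, whitespace collapsed) and salted-hashed so that capitalization differences stop mattering, locks the answer path after a few wrong tries, and offers the emailed-token alternative the article recommends, with a random single-use token that expires. The attempt limit, the 15-minute lifetime, the PBKDF2 iteration count and the in-memory "outbox" are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy parameters (assumptions for this example).
MAX_ANSWER_ATTEMPTS = 3          # wrong answers before the question path locks
TOKEN_TTL_SECONDS = 15 * 60      # lifetime of an emailed reset token
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer):
    """Fold case and collapse whitespace so 'Baltimore' and ' baltimore '
    compare equal; this removes the capitalization trap the article warns about."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt=None):
    """Salted PBKDF2 of the normalized answer; returns (salt, digest).
    Answers are stored hashed so a database leak does not leak the answers."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


class RecoveryService:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.accounts = {}    # username -> account record
        self.outbox = []      # (email, token) pairs a real mailer would send

    def register(self, username, email, question, answer):
        salt, digest = hash_answer(answer)
        self.accounts[username] = {"email": email, "question": question,
                                   "salt": salt, "answer_hash": digest,
                                   "attempts": 0, "token_hash": None,
                                   "token_expires": 0.0}

    # Weak path: knowledge-based answer. Lockout limits guessing, but it cannot
    # help when the answer is public knowledge, which is the article's point.
    def reset_with_answer(self, username, answer):
        acct = self.accounts[username]
        if acct["attempts"] >= MAX_ANSWER_ATTEMPTS:
            return "locked"
        _, digest = hash_answer(answer, acct["salt"])
        if hmac.compare_digest(digest, acct["answer_hash"]):
            acct["attempts"] = 0
            return "reset-allowed"
        acct["attempts"] += 1
        return "wrong-answer"

    # Stronger path: a random, single-use, expiring token sent to the
    # registered address. Nothing about the user's biography helps here.
    def request_email_reset(self, username):
        acct = self.accounts[username]
        token = secrets.token_urlsafe(32)                      # 256 random bits
        acct["token_hash"] = hashlib.sha256(token.encode()).digest()
        acct["token_expires"] = self.now() + TOKEN_TTL_SECONDS
        self.outbox.append((acct["email"], token))
        return token  # returned only so the example can exercise the flow

    def reset_with_token(self, username, token):
        acct = self.accounts[username]
        if acct["token_hash"] is None or self.now() > acct["token_expires"]:
            return "no-valid-token"
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct["token_hash"]):
            return "bad-token"
        acct["token_hash"] = None   # single use: a replayed token is refused
        return "reset-allowed"


if __name__ == "__main__":
    svc = RecoveryService()
    svc.register("alice", "alice@example.com", "favorite color", "Blue ")  # constructed
    print(svc.reset_with_answer("alice", " blue"))        # reset-allowed
    tok = svc.request_email_reset("alice")
    print(svc.reset_with_token("alice", tok))             # reset-allowed
    print(svc.reset_with_token("alice", tok))             # no-valid-token
```

Only the hash of the emailed token is kept server-side, so someone who reads the database still cannot complete a pending reset; the token itself exists only in the message to the account owner.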
Always assume that personal information stored on your phone, including pictures, videos, music, and text messages, is accessible from anywhere by anyone at any time. If you don’t want the world knowing about it, it’s best that you just keep that information in your head or stuffed under your bed.
Sharif Jameel is a business owner, IT professional, runner, and musician. His professional certifications include CASP, Sec+, Net+, MCSA, ITIL, and others. He’s also the guitar player for the Baltimore-based cover band Liquifaction.