How the Cloud Failed Jennifer Lawrence

The lessons to be learned from a security breach

Celebrities including Oscar winner Jennifer Lawrence and model Kate Upton learned the hard way this week that privacy is an illusion in today’s hyper-connected world. A hacker allegedly broke into the Apple iCloud backups of as many as 100 celebrities and downloaded a bevy of nude photos. The images were posted to the “b” forum of 4chan.org, an anonymous imageboard (called by some the “Dark Side of the Internet”).

According to Sean Gallagher on arstechnica.com, initial reports suggested that the breach was made possible by a vulnerability in Apple’s Find My iPhone application programming interface. But Apple has since claimed that it was a “very targeted attack on user names, passwords and security questions … None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone.”

Regardless of how the breach was achieved, the incident underscores the risks inherent in cloud services — and how comfortably ignorant the general public has become about where its “private” content lives, and how easily it can escape into the wild.

“Does anybody really know what’s sitting in Apple’s or Google’s data stores from their phones?” Gallagher wonders, noting how much content Apple and other devices automatically upload to the cloud, including full phone backups. “Ongoing threats like carefully-crafted phishing attacks and large-volume password cracking … make it especially hard to protect mobile data in a world where everything on your phone is already on the Internet, protected only by your login credentials,” he writes.

Ultimately, Gallagher notes, “if it’s in the cloud … then chances are good that eventually it will find its way to the Internet.” Tal Klein, vice president of strategy for the cloud security firm Adallom, confirmed this in a Twitter conversation with Gallagher, stating: “Don’t take pictures of your junk; it will end up on the Internet somehow at some point.”

arstechnica.com