The release of personal photographs and videos of celebrities has made headline news around the world this week. Once again the security of cloud storage services has been called into doubt. As the story has unfolded it has become clear that the vulnerability was not a result of a failure of the iCloud security systems. Instead it appears that the breach was the result of social or people engineering.
How does this happen?
So what exactly is “social or people engineering”, and what should we do to make sure we don’t fall victim to the same problems?
To understand this we need to consider the basics of how we prove to a computer system who we are. Most systems require you to prove you are a valid user by asking you for a username and a password. If the values you enter match those in the system then you are given access.
The problem with this approach is that short passwords are guessable given sufficient time. The problem with people is that long passwords are hard to remember. Therefore many people pick common words as their passwords, or the names of people or places that have meaning to them. This is where social engineering comes in. With the increased use of social media sites such as Facebook and LinkedIn, there is an immense amount of information about people freely available on the internet. A little research can often turn up the names of partners, children and pets. Looking at registers of births and marriages can reveal dates of birth and mothers’ maiden names. These types of facts are commonly used to secure accounts, especially during a password reset process.
In the case of celebrities there is even more information in the public domain, with fan sites documenting every significant, or insignificant, aspect of their lives. It appears that this was the approach used to gain access to the accounts.
Strengthen your protection
Defending yourself against this type of social engineering means you need to select a strong password, ideally one that is random and contains a mixture of letters (both upper and lower case), numbers and symbols. It should be 8 – 10 characters long. This is obviously impossible to remember for more than one site, so Safe4 would recommend the use of a password management application such as 1Password from AgileBits. These programs will manage your passwords for you and leave you to remember just a single password – just make sure that it is random and long.
Safe4 also implements an optional further factor for authentication using a PIN. We would encourage you to set up a PIN on your account as soon as possible. The system will ask for 6 digits, and then every time you log on it will require you to enter 4 of the 6 digits using an on-screen keyboard.
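The page does not describe how Safe4 implements this check, so the following is an added example (not Safe4's code) showing one way a 4-of-6 PIN challenge can be verified without storing the PIN itself: at enrolment a salted hash is stored for each of the 15 possible sets of four positions, and each login picks one set at random. The function names, the PBKDF2 parameters and the 0-based position numbering are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

PIN_LENGTH = 6
CHALLENGE_LENGTH = 4
# All 15 ways of choosing 4 of the 6 positions. The same table is used at
# enrolment and at login, so the stored record covers every possible challenge.
POSITION_SETS = list(combinations(range(PIN_LENGTH), CHALLENGE_LENGTH))


def _digest(salt: bytes, positions: tuple, digits: str) -> bytes:
    # Mix the positions into the hashed material so that "1234" typed for
    # positions (0,1,2,3) and "1234" typed for (2,3,4,5) never collide.
    material = bytes(positions) + digits.encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def enrol_pin(pin: str) -> dict:
    """Build a record that can answer any 4-of-6 challenge without keeping the PIN in clear."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        raise ValueError("PIN must be exactly 6 digits")
    salt = secrets.token_bytes(16)  # per-user salt, stored beside the digests
    digests = {
        pos: _digest(salt, pos, "".join(pin[i] for i in pos))
        for pos in POSITION_SETS
    }
    return {"salt": salt, "digests": digests}


def new_challenge() -> tuple:
    """Choose which 4 of the 6 positions (0-based) the user must supply for this login."""
    return secrets.choice(POSITION_SETS)


def verify_response(record: dict, positions: tuple, entered: str) -> bool:
    """Check the 4 digits typed on the on-screen keyboard against the stored record."""
    if len(entered) != CHALLENGE_LENGTH or not entered.isdigit():
        return False
    expected = record["digests"].get(positions)
    if expected is None:  # challenge not drawn from POSITION_SETS
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected, _digest(record["salt"], positions, entered))
```

Because every login reveals four of the six digits to whoever observes it, a real deployment also needs attempt limiting and lockout around this check; that part is not shown here.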
While Safe4 does not use this approach, many sites ask additional security questions, such as “Make of first car”, “Name of first school” or “Place where parents met”, when setting up an account. The reality is that the answers to these specific questions are even easier to obtain through a combination of social media and logical guesses. Remember that some people have up to 10 years of their lives documented on Facebook. When answering these types of questions, although it might be counterintuitive, pick random answers, write them down and file them away securely at home.
The use of the internet and cloud storage systems can be secure – but they are only as secure as the weakest link. Safe4 would be happy to help you improve your security awareness by running cost-effective workshops/training sessions to improve information security awareness amongst your staff. These workshops cover typical weaknesses and use a risk framework to examine vulnerabilities and develop effective mitigations.
Email us at email@example.com or call us on 0845 094 8045 to find out more.