Weekly Buzz – September 12, 2014
The Weekly Buzz is back with your weekly roundup of important IT and business news. It should come out every weekend from now on.
The iCloud debacle
It would have been hard to miss the stories in the media over the last few days about pictures of naked celebrities being stolen after they were uploaded to the Internet. The real culprit was Apple’s iCloud system, which allowed what is known as a “brute force” password attack by not limiting the number of unsuccessful attempts to log in (the problem was actually in another Apple feature, but the result was the same). The people whose pictures were released might not have even known that the images were being uploaded to some place outside their control, but I remember those Apple advertisements which showed how things which happen on your iPhone automatically get repeated on your iPad or Mac. Often this sort of activity is turned on by default, and it is not only Apple who do it – my new Acer laptop came with software to back up everything to some cloud somewhere (if I chose to allow it, which I didn’t), the Eye-Fi software which transfers pictures from my camera to my computer copies the pictures to some cloud somewhere unless told not to (and how to do that is not clear), and something from Google popped up on my Android tablet recently telling me about how pictures were going to be uploaded (I think I’ve stopped it, but you can never be sure).
It was not only images which were accessible to the hackers, but everything in iTunes, plus all backups of everything on the phone. It was the naked pictures which got the publicity, but there was a lot more information available to anyone with access. There is also the matter of how much data was being transferred. If you only have one or two gigabytes of data allowance each month on your phone plan it doesn’t take a lot of high resolution photographs or videos to use it up.
So what should you do?
- Take pictures of whatever you want. If people want to take photos of themselves naked it is nobody’s business but theirs, as long as they can control who sees them. The people whose pictures were released were victims, not perpetrators.
- Change your iCloud password NOW! The hackers used a list of the 500 most commonly used passwords to get what they wanted – they didn’t have to work their way through the dictionary. (Apple have announced that a fix is on the way to limit the number of unsuccessful password attempts before locking the user out.)
- If you don’t need your pictures and other phone data backed up to iCloud (or any other cloud system), see if you can turn the feature off. There are ways of backing up most phones to your computer. If you only have a phone and all your photographs and memories are on it, see the point immediately above.
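The fix mentioned above, limiting unsuccessful password attempts before locking the user out, can be sketched as follows. This is an added example, not Apple's code: the class and function names, the limit of 5 failures, the 15-minute lockout and the 500-entry list are all constructed for illustration.

```python
import time


class LoginThrottle:
    """Per-account failed-login counter with a temporary lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures        # assumed policy values,
        self.lockout_seconds = lockout_seconds  # not taken from the article
        self.clock = clock
        self._failures = {}      # account -> consecutive failed attempts
        self._locked_until = {}  # account -> time at which the lockout ends

    def is_locked(self, account):
        until = self._locked_until.get(account)
        return until is not None and self.clock() < until

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            self._failures[account] = 0


def passwords_checked(throttle, account, real_password, guesses):
    """Return how many guesses the login service actually compared."""
    checked = 0
    for guess in guesses:
        if throttle is not None and throttle.is_locked(account):
            continue  # refused before the password is even looked at
        checked += 1
        ok = guess == real_password  # a real service compares salted hashes
        if throttle is not None:
            throttle.record(account, ok)
        if ok:
            break
    return checked


if __name__ == "__main__":
    # Constructed stand-in for a 500-entry common-password list.
    guesses = [f"constructed-{i:03d}" for i in range(500)]
    real = guesses[399]  # the account's password is the 400th entry
    print("no limit:  ", passwords_checked(None, "alice", real, guesses))
    print("with limit:", passwords_checked(LoginThrottle(), "alice", real, guesses))
```

A lockout keyed only on the account name can be triggered on purpose to keep the real owner out, so services usually combine it with limits per source address or with delays that grow after each failure.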
The Gmail debacle
Another story going the rounds is that a group of Russian criminals have acquired about five million passwords for Gmail accounts. You might think this only affects people who have chosen Google as their mail system, but Gmail accounts are required for all sorts of things. If you have a YouTube account it seems that Google will only communicate with you through Gmail, and it seems that a Gmail account is required to do anything useful with an Android device. Some corporations have handed responsibility for managing all email over to Gmail (I was at a presentation recently where a representative of a very large Australian company was boasting of the productivity increases to come from moving all its 50,000 employees to Gmail). When I was teaching at TAFE all email accounts for school and TAFE students were transferred to Gmail. Compromising Gmail account details is not a trivial threat.
The difference between this and the iCloud issue is that these account details were not gained by hacking a database or just trying lots of passwords – the login details were freely provided to the criminals by people responding to phishing emails. These are emails that ask you to log in to somewhere to validate your details. They can be very sophisticated, and even lead you to web sites that look like the real thing, but you can be assured that Google is never going to write to you to ask you to click on a link and enter your Gmail account details. The same goes for your bank and companies like PayPal, eBay, Microsoft, Apple, or anyone else you deal with. You might receive a legitimate email asking you to log into your account, but there will NEVER be a link provided. You are supposed to know which web site to go to. Examples are my bank, who email me when statements are available online, or places like eBay who might want you to read changed terms and conditions. (I know eBay send emails with links about progress of transactions, but the emails will always include your customer identifier and details of what it is you have purchased.)
Again, the advice is to immediately change your Gmail password, even if you think that you haven’t been affected.
I’ll have more to say about phishing and password creation and management policies in an upcoming blog post and in the next monthly newsletter.
Update all the things
Microsoft issued a quite large batch of updates to Microsoft Office and both Windows 7 and Windows 8 this week. If you haven’t set your computers to automatically download and install Windows updates you should do a manual check now. At least one of the updates was optional anyway, so a manual check is a good idea even if you have automation enabled (Control Panel/System/Windows Update). There were also updates issued during the week for iTunes (to incorporate changes that came with the iPhone 6) and Adobe Acrobat and Acrobat Reader, but you will be reminded about all of these by the software itself.