There have been a number of recent stories with celebrities photos being leaked online, including Scarlet Johansson, Christine Hendricks, Olivia Munn and more. I was interviewed by Fox News regarding how celebrities can better protect themselves. The obvious answer is to not take the photos and store them on their devices or in the cloud in the first place.Read More»
Recently Scarlet Johansson has been added to the list of celebrities who have had photos taken on their phone compromised. The media is stating this is an apparent ring of hackers that are stealing the data from celebrities phones and laptops, however this theory seems suspect.
More likely is that the images are being stolen from cloud and backup services, where data sits unencrypted, not directly from the devices themselves. I took a look at the recent alleged images ( research! ) and scanned them for EXIF data to see what information I could find about the images. One of the images had quite a bit of data embedded, I was able to see that the photo was taken with Blackberry Bold 9000 taken on October, 12, 2010 at 8:02PM. It is interesting that these photos are over a year old. Unless the image data and EXIF tags were tampered with the image came directly from the phone and was not modified by any applications like Photoshop, or compressed by any service. The images could have been emailed to another party as an attachment, it is highly likely that an email account or backup service was compromised.
The second photo that shows Johansson’s backside was not taken with the same phone, very little EXIF data was embedded in the image, but it was taken at a much higher resolution of 300 px/inch, the image also uses Progressive DCT encoding vs Baseline DCT like we have on the Blackberry device.
Several celebrities have had images leaked lately Vanessa Hudgens reportedly had nude images leaked after someone hacked her Gmail account. Odds are something similar has happened here, particularly given the age of the images.
Celebrity security needs to be taken as seriously as government security, all data should be encrypted even personal images and data. If celebrities are using cloud services they need to make sure the data is encrypted before it is backed up.
Over the past few months we have seen a number of large scale data breaches from high profile companies such as Sony, RSA, Epsilon and NASDAQ . These are well established companies, some even from the security industry that are falling prey to hackers, showing that even those investing large amounts of money in security are still vulnerable. But what about startups? Unfortunately startups are the first to discount user privacy and security in exchange for being quicker to market with an emphasis on features. As entrepreneurs we are expected to move at break neck speeds to get our products launched and into the market, with pressure from investors, partners and the market as a whole it is tempting to put security in the back burner as a result. However, security is like health insurance, it requires a combination of preventitive care and catastrophic coverage when things go wrong.
Head in the Cloud
Cloud computing has been a huge boon for tech startups, reducing the cost and amount of time spent on IT. The problem is that cloud computing make IT easier should not replace IT altogether. Many non-technical entrepreneurs believe that their developers know everything there is about managing and securing servers since after all they’re the “techies” right? IT are the pit crew and the developers are the drivers, the driver may know the mechanics, but it is faster and more efficient to use an expert who focuses on IT related issues around scaling, redundancy and security.
In some ways the Cloud has made us complacent, as our IT is simply magically taken care of, Amazon Web Services is the “easy button” of IT. The problem is that even though the Cloud makes things easier it is still your problem. With the recent major outage of Amazon Web Services a few weeks ago this was made readily apparent, a lot of sites went down and many startup were at the mercy of Amazon to get things back up before they could restore services. Although Amazon Web Services has a great record of reliability and redundancy, there are still single points of failure.
Consumer Privacy Is A Right Not A Feature
Particularly in the mobile realm privacy is becoming a big topic. The fact that the device people carry in their pockets can track their location, access their contacts, photos and other critical data makes them particularly dangerous to privacy and security. You have a responsponsability to protect your customers privacy, this is not a feature it is a right of your customers, they are putting their trust in you and you should respect this fact. Just because you can access location doesn’t mean you should. If you do you collect location data, you need to be clear regarding why you are doing it and how it is stored. The best way to secure your customers’ data on your servers is not to store it at all, only store what you need to run your service and provide your end users the ability full control of their information.
- Hash any passwords or security questions
- Encrypt any backed up data or log files
- Purge data regularly that is no longer needed
- Avoid ever storing credit card numbers, us a secure payment provider
- All logins must use SSL
Good Security Guys Are Jerks
The security professional has few friends, he is the “bad guy”, the one who says you can’t bring your iPad into work, doesn’t allow you to install Minecraft on company issued laptops and is a general pest about policies and procedure; this is their job. You know you are in the presence of a security professional when they piss you off, when in your discussions you realize that everything you think you know about security is wrong. It can be humbling to say the least, but it is their job to play the Devil’s Advocate, ask questions and think critically about your application and infrastructure.
Early on in a tech startup should have someone outside the day-to-day operations of the company advising the company, this can be a formal contractor, or someone on the advisory board, or a combination of the two. These folks should be in direct communication with your developers and product managers, coaching them as well as reviewing specifications and providing recommendations of industry standards and best practices when it comes to security and privacy.
There have been a rash of data breaches where passwords have been compromised that were stored as plain text and not converted to a one-way hash as they should be. However, most consumers and even many developers particularly in startups don’t know about the best practice of hashing passwords, what it means and how it can help protect users.
The recent Sony Playstation Network hack and data breach is one of the biggest examples to date, putting over 70 million customers at risk, but they are not alone DSL Reports, Gawker and Trapster have also learned this lesson the hard way and losing the trust of their customers.Read More»