Once again, the tabloids are having a field day with stories about nude photos of celebrities stolen by hackers and spread across the Internet. Despite what some B-list celebrities are saying, it isn’t blaming the victim to remind young women that it’s not a good idea to store images that you want to keep private in a public digital archive protected only by weak passwords. That’s just making it easy for a thief to steal them and spread them all over the Internet.
Whether you want to protect nude photos, or guard your reputation from identity thieves and hackers, remember that consumer Cloud storage sites like iCloud, Dropbox, and Google Drive are the most obvious targets for hackers.
If you do use a public Cloud storage site, there are easy-to-use tools and techniques that can keep you from becoming a victim. It starts with selecting the most secure storage system available. There are services like Box that are just as easy and inexpensive to use as less secure sites, but they offer more protection because they encrypt all stored files.
Personally, I store my photos offline on an external drive that cost about $75 and has a terabyte of storage space. It backs up photos, video and music files twice a week, freeing up space on my iPad, laptop and desktop and making sure that my media files aren’t lost in a hard drive crash. I use Box for encrypted off-site storage of my documents and other data.
Make Things Harder for Hackers
Many of us make things all too easy for hackers. Public Wi-Fi, for instance, isn’t for private information. Use that free Wi-Fi at Starbucks or the airport to watch funny videos or keep up with your friends on social media — but don’t use it to pay your credit card bill or check your bank balance. It’s much easier for a hacker to get into a public network than a more secure network — and with a public Wi-Fi system, you have no idea how secure it is.
Another simple way to make life harder for hackers is not to save your sign-in details and passwords on your hard drive — especially not on a laptop, smartphone or tablet. Mobile devices are much more likely to be lost or stolen than desktop systems — so why give the thief a free pass to all of your online log-ins as well as your hardware? This means that when one of those pop-ups from your browser asks if you want the system to remember your passwords, click “no”.
Last, but not least, take care when you’re clicking on a link shared by someone you don’t know, or don’t know well. Hackers who get access to someone’s email address usually get access to their address book, too — so if you get an email from someone you weren’t expecting to hear from, or if the subject seems off, think twice before clicking on any links. Even if the link is from a “trusted source”, take a second to look closely at the link before you click. A misspelling, or a link that isn’t formatted correctly is a huge danger sign that you’re being hijacked to a site other than the one you think you’re clicking on.
Your browser will take you to the site named just before a period and one of the common extensions like .com, .biz, .tv, .me, .edu, etc. Sites like Facebook, WordPress, IMDB, and many others allow individuals to create personalized pages, but if you look closely, you’ll see that the actual site you’re being taken to is always the one named just before that final period and extension. “Vanity” or personalized URLs aren’t intended to fool users. If you click on http://www.imdb.me/kameronbadgers or https://www.facebook.com/#!/GaylasCleaningService, you aren’t actually going to a site managed by my grandson Kameron Badgers or my friend Gayla Patterson. Those benign links take you to the Internet Movie Database (IMDB.com) if you click on my grandson’s link, and to Facebook if you click on Gayla’s link.
Con artists try to mask the real name of the site you’re being taken to by including the name of well-known companies in a URL that is intended to confuse users. So if you see a URL like http://www.amazon.specialoffers.com or http://www.chase.password.com, don’t be fooled into thinking that you’ll wind up on Amazon.com or Chase Bank when you click on the link. Even though you see the name of a well-known, legitimate company, those links take you to spoof sites that aren’t affiliated with Amazon.com or Chase Bank. (Both are made-up links — but nearly every major online company has been victimized by many, many attempts to “hijack” traffic with this kind of fake site.)
If you click on one of these spoof sites and enter the correct password for the site, you may be faced with a page that looks like the Amazon or bank home page. But entering your password on the spoof site gives the con artist access to your account — including any stored credit card information, your home address, and any other private data stored there.
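The rule described above can be applied mechanically to the four links quoted in this article. The code below is an added example, not part of the original article; the function name inspectLink and the BRANDS watch list are made up for illustration, and it assumes a single-label extension such as .com or .me.

```javascript
// Added example (not from the article): report the site a link really leads to.
// Assumption: the extension is one label (.com, .me, .biz). Suffixes such as
// .co.uk need the Public Suffix List, which this code does not consult.

// Constructed watch list built from the names used in the article's examples.
const BRANDS = ["amazon", "chase", "imdb", "facebook"];

function inspectLink(link) {
  let host;
  try {
    host = new URL(link).hostname.toLowerCase();
  } catch (err) {
    return { link, valid: false, site: null, decoys: [] };
  }
  const labels = host.split(".").filter(Boolean);
  if (labels.length < 2) {
    return { link, valid: false, site: null, decoys: [] };
  }
  // A numeric address has no "name before the period"; report it whole.
  if (labels.every((label) => /^\d+$/.test(label))) {
    return { link, valid: true, site: host, decoys: [] };
  }
  // The name just before the final period, plus the extension, is the real site.
  const site = labels.slice(-2).join(".");
  // Labels further left are chosen freely by whoever owns that site.
  const subdomains = labels.slice(0, -2);
  const decoys = BRANDS.filter((brand) =>
    subdomains.some((label) => label.split("-").includes(brand))
  );
  return { link, valid: true, site, decoys };
}

// The four links quoted in the article.
const SAMPLE_LINKS = [
  "http://www.imdb.me/kameronbadgers",
  "https://www.facebook.com/#!/GaylasCleaningService",
  "http://www.amazon.specialoffers.com",
  "http://www.chase.password.com",
];

for (const link of SAMPLE_LINKS) {
  const r = inspectLink(link);
  const note = r.decoys.length
    ? "  <-- uses the name " + r.decoys.join(", ") + " but is a different site"
    : "";
  console.log(r.site + "  " + link + note);
}
```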
The Hacker You Know
There are well-organized criminal gangs who make millions through identity and data theft, and thrill-seeking hackers who target celebrities for the notoriety that comes with “leaking” (stealing) images or just poking through the private lives behind the public image. But the truth is that most victims know the person who hacks into an account.
In fact, the number of cases where significant others post compromising photos of their exes online is so high that revenge porn is rapidly becoming a common subject of litigation and legislation. Of course, the search for compromising photos is just one reason that exes (former lovers or spouses, friends, employees, or co-workers) attempt to access the accounts of those they are targeting.
One of the most famous cases was when reality TV star Kate Gosselin sued her ex-husband Jon Gosselin over data that she said he illegally acquired from her computer and provided to a tabloid reporter named Robert Hoffman, who published a book called Kate Gosselin: How She Fooled The World. Dallas Attorney Shawn E. Tuma represented Jon in the resulting litigation, and he says that data breaches are becoming increasingly common in family law situations. (You can read more about the Gosselin case, and what it means to others trying to sue under the Computer Fraud and Abuse Act at this link.)
“One spouse may go looking in a former spouse’s computer files for hidden assets, proof of infidelity, or for any kind of damaging information that might become part of a child custody battle,” Tuma says. “It seems like a no-brainer to change all of your passwords the instant you become aware that there might be a divorce in the works, but many people don’t take even the most basic steps to protect themselves.”
But it isn’t just former spouses or lovers who can use their knowledge of your online habits, accounts, passwords, and security questions to access your files. Chances are that former friends, co-workers, employees, and relatives know more than enough about you to guess your passwords — or access an unprotected device while they’re in your home.
The best protection against the hacker you know is to keep your passwords private, and use the tools and techniques that make it harder for them to guess them. My friend Gayla (and occasional housekeeper, when I’m lucky enough to get onto her busy schedule) is one of the most honest people I know — the kind of housekeeper who would pick up a stack of loose hundred-dollar bills or a diamond necklace, dust underneath it, and then return them to the same spot.
She says that she often encounters lists of passwords taped to the bottom of laptops, or to the side of a router or modem. “I’m not a computer genius,” she added, “But I know better than that!”
Is your housekeeper or babysitter as honest as mine? Is her boyfriend or husband? What about all of your teenager’s friends? Every guest at every party? Maybe — but it’s a very bad idea to record passwords and post them where anyone who walks by can see them. Use a password management tool instead of a sticky note.
You don’t have to be a celebrity to be victimized by a hacker. I know a businesswoman who had an affair with a friend’s husband. Her “friend” hacked into her email using the same technique as the iCloud hacker in the most recent celebrity scandal (guessing an easy security question, and changing the password to get access). Once the “friend” had access to the email account used during the affair, she forwarded compromising messages to the woman’s boss, her family, and the friend’s lawyer (where they became part of the friend’s divorce filing, and subject to review in open court).
It didn’t take much in the way of hacking skills to hijack the accounts where nude celebrity photos were stored, or to get into Governor Sarah Palin’s personal Yahoo email account, and even less to get into the “other woman’s” account. Here’s how: if you have someone’s “free mail” address (Gmail or any other public email service), use the “forgot your password” prompt, and attempt to answer the security prompts to change the password. (Note: Unlawful access to someone else’s computer or email account can be a felony worth up to 20 years in jail, and prosecutors take it very seriously these days, so I am not suggesting that anyone try it — just repeating published explanations of how the hackers in specific cases gained access to their victims’ accounts.)
In the case of a celebrity or a former friend, it’s not that hard to guess the answer to common security questions like, What’s your father’s middle name?, What is the name of your favorite pet?, or What was your high school football mascot? Instead, create your own obscure security question if that’s allowed, or disguise your answer if the service restricts your choices. For example, if the security question is What was your high school mascot?, don’t simply answer the Eagles. Disguise your answer by replacing some of the letters with numbers or special characters (3@GeeLe##) to make it much harder for a hacker to guess.
Can’t remember a bunch of special characters? Lie. It’s not as if anyone is checking your answers for accuracy. You can put in anything you want — as long as you remember it.
So instead of admitting that your high school mascot was the Eagles, or that your mother’s maiden name was Smith, say that your high school mascot was a Badger (mascot of Hufflepuff House at Hogwarts), or that your mother’s maiden name is Windsor, Romanov, or Orange-Nassau. (Obviously, if you’re known to be a Harry Potter fan or royal watcher, those choices fall into the “too easy” category.)
The more outrageous the lie, the better, especially if a “friend”, co-worker, or former significant other attempts to access your accounts.
Proper Passwords Protect Pictures
Hackers use a wide range of cracking tools to guess passwords. So the better your password, the less likely it is that your personal photos, correspondence, financial information, and personal data will be compromised by a hacker. McKayla Maroney, the Olympic gold medalist who was victimized in the recent hacker theft of nude photos from iCloud, is an unfortunate poster child for the need for better passwords.
That’s because Newsweek says that, in spite of being the victim of a crime, she may wind up facing criminal charges herself since the photos that were stolen were taken before her 18th birthday — meaning that they fall under the child pornography laws in her home state. (Note: Child porn is a felony regardless of who took the photos. This means that teens who take nude or topless selfies, or film consensual sex acts can be, and sometimes are, charged under the child porn laws. The message here is to warn kids about the real dangers of “sexting” and selfies with “adult” content.)
The best passwords are (a) long (b) complex, with 3 or 4 different types of characters and (c) made up of words or phrases not found in a standard dictionary. Think about those annoying Captcha widgets you have to use on many websites, with their crazy jumbled up letters and made-up words.
Most systems require you to have a password that is at least 8 characters in length — but longer passwords are better. Some security experts recommend passwords of 16-24 characters in length. Did you know that you can use a complete sentence as a password, since most systems allow spaces or underscores to separate words? A favorite quote or memorable movie line can work if you remember to include special characters. Here are some examples of strong passwords:
- W3_h@ve_N0thing_to_F3@rXc3pT_F3@r_Its3LF! (We have nothing to fear except fear itself! Standard English quote with some letters replaced by special characters.)
- “Veni,_vidi,_VISA” (I came, I saw, I shopped. Words not found in a standard English dictionary because the first two are Latin, divided by underscores and punctuation marks, with other special characters at the beginning and end.)
- I_<3 “la ville des lumières”! (I love the “city of lights”! — a mixture of special characters and French — a language I don’t speak.)
The more unusual and complex your password, the harder it is for a hacker to gain access to your accounts. Also, make sure to use a different password for every online service you use. Yes, I know, it’s hard to remember a dozen passwords — but it’s just asking for trouble if you use the same password for your bank account and your Facebook account, or your work email and your Twitter account.
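The three password criteria above and the rule about using a different password for every service can be checked together. The code below is an added example, not part of the original article; the function names, the small COMMON_WORDS list and the sample logins are constructed for illustration, and a real check would use a full dictionary and common-password list.

```javascript
// Added example (not from the article): audit logins against the article's rules.
// Lengths come from the text: 8 is the usual minimum, 16-24 is recommended.
const MIN_LENGTH = 8;
const GOOD_LENGTH = 16;
// Constructed stand-in for a real dictionary / common-password list.
const COMMON_WORDS = new Set(["eagles", "password", "smith", "letmein"]);

// Counts how many of the four character types appear in the password.
function characterTypes(password) {
  const tests = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/];
  return tests.filter((re) => re.test(password)).length;
}

function checkPassword(password) {
  const problems = [];
  if (password.length < MIN_LENGTH) problems.push("too short");
  else if (password.length < GOOD_LENGTH) problems.push("shorter than recommended");
  if (characterTypes(password) < 3) problems.push("fewer than 3 character types");
  // Strip digits and symbols from both ends so "Eagles1!" is still caught.
  const core = password.toLowerCase().replace(/^[^a-z]+|[^a-z]+$/g, "");
  if (COMMON_WORDS.has(core)) problems.push("dictionary word");
  return problems;
}

// logins: { service: password }. Returns { service: [problems] }, including reuse.
function auditLogins(logins) {
  const firstUse = new Map();
  const report = {};
  for (const [service, password] of Object.entries(logins)) {
    report[service] = checkPassword(password);
    if (firstUse.has(password)) {
      report[service].push("reused from " + firstUse.get(password));
    } else {
      firstUse.set(password, service);
    }
  }
  return report;
}

// Constructed sample: one weak password used twice, one of the article's examples.
const SAMPLE_LOGINS = {
  bank: "Eagles1!",
  facebook: "Eagles1!",
  email: "W3_h@ve_N0thing_to_F3@rXc3pT_F3@r_Its3LF!",
};
console.log(auditLogins(SAMPLE_LOGINS));
```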
A password management tool is an effective, simple way to manage multiple passwords. Check out Neil Rubenking’s new article in PC Magazine on the best password management software tools, and pick the one that works for your needs. As Rubenking says, “In these days of hacks, Heartbleed, and endless breaches, a strong, unique, and often-changed password for every site is even more imperative. A password manager can help you attain that goal.”
Add a Single-Purpose Email Account
Something like 60% of adult PC users have an email address that they use only for junk mail — I use my junk mail account for those sites that require a “valid email address” to access content or download something. But having special purpose email addresses can be a good protection against hackers and phishing scams, too.
A phishing scam is when someone sends you an email telling you that your eBay password has been compromised and needs to be changed, or that your bank needs you to call a toll-free number and verify your online password or something like that. Of course, the email isn’t from eBay or your bank — it’s from a criminal who is phishing (fishing) for information that will make you the latest victim in an identity theft ring. One of the easiest ways to avoid these kinds of scams is with special-purpose email addresses used ONLY for communication with a single account.
For instance, use different email addresses for your bank, brokerage, credit card, and online shopping accounts. And, of course, you’ll need one for everyday correspondence with friends and family. You can forward all of them to the same Outlook inbox, but you can tell at a glance which address received any email. That way, if you get a notice at the brokerage or personal email account that purports to be from the bank, it’s easy to spot it as a fraud.
5 Tricks to Beat Hackers
To summarize, the five simple tricks to make life a little harder for hackers include:
- Store sensitive material offline — or, if you use Cloud storage, use a service that encrypts your files.
- Use long (12-24 character), hard-to-crack passwords with 3 or 4 different types of characters (numbers, lower and upper case letters, special characters, and spaces).
- Don’t write down your passwords or store them on your mobile devices or in your computer’s web browser.
- Avoid using common biographical information (like your mother’s maiden name, or the name of your high school’s mascot) to answer security questions designed to allow your online passwords to be reset. If you can’t make up your own security question, lie.
- Use different passwords (and email accounts) for each online site, and use a password management tool to keep track of them and prompt you to change them regularly.
The first four techniques are absolutely free and the fifth (a password management tool) is very affordable compared to the high cost of identity theft or the other potential costs to your reputation of having your private information stolen (and potentially shared) by a hacker.