TIME National Security

State Department Shuts Down Unclassified Email System Over Hacker Attack

The department's classified systems, however, remain unaffected

The U.S. State Department disabled its entire unclassified email system on Friday in the face of a cyberattack, a senior official said.

Technicians are working to repair the potential damage caused to the system by hackers and the State Department is expected to address the closure early this week once those repairs are made, the Associated Press reports.

The official, who spoke on condition of anonymity, said unusual activity was first detected in the system in October, around the same time hackers targeted the White House computer network. The U.S. Postal Service and the National Weather Service are among the agencies that have since reported similar attacks.

The department’s classified systems remained unaffected, and the unclassified email is expected to be operational again by Monday or Tuesday.

[AP]

TIME Security

G20 Conference Gives Hackers High-Profile Targets

Germany's Chancellor Angela Merkel (C) is welcomed upon her arrival at the airport in Brisbane to take part in the G20 summit on November 14, 2014. Peter Parks—AFP/Getty Images

Cybersecurity experts warn the global conference of world leaders is a prime target for hackers

At 3:10 a.m. on October 27, 2011, a less-than-diplomatic email landed in the inboxes of attendees at the G20 Summit, an annual gathering of heads of government and other representatives from the world’s top economic powers. “Ladies and Gentlemen,” the email began, “First Lady Nude Photos.” It was followed by a link that promised to open a stash of nude photos of France’s then-first lady, Carla Bruni. The link was also spring-loaded with malicious code that could infiltrate the device of a G20 delegate, opening a pathway to a wider network of devices. The sender needed only one hot-blooded delegate to potentially infect an entire delegation.

It’s not hard to imagine the hacker or hackers’ motive. The G20 Summit draws leaders from 20 nations that comprise 86% of the world’s wealth. They bring in their wake some 4,000 delegates from various ministries, businesses and NGOs, all of whom will converge on Brisbane, Australia, on Saturday for a weekend of handshakes and hobnobbing. They will also carry in their smartphones and laptops reams of sensitive communications, including agendas, talking points and trade secrets — a cornucopia of state interests that could offer rival nations an edge in future negotiations or standoffs.

It might sound a bit amateurish to send global bigwigs the same crudely-written emails that might turn up in the average joe’s spam folder, but security experts say hackers try every trick in the book to infiltrate the summit.

“Some groups that look spammy are the exact same groups that can send out extremely well-crafted emails,” says Nart Villeneuve, a senior researcher at the California-based security firm FireEye. The crude emails are often just the opening shot in a campaign that can extend to tainted memory sticks and emails that are indistinguishable from official G20 correspondence. FireEye researchers made headlines after last year’s G20 Summit in St. Petersburg, Russia when they exposed a concerted attack against five European foreign ministries. In that case, an email attachment labeled “US_military_options_in_Syria” installed malicious code as soon as the recipient opened the official-looking file.

Villeneuve had a front-row seat to the St. Petersburg breach. His team traced the malware back to a command-and-control server in China, where they observed a ring of hackers known as “Ke3chang” in action. For a brief, two-week window, Villeneuve’s team saw the hackers issue commands to search for files and open backdoors to other computers of interest.

“The attackers don’t have to compromise a high level diplomat first,” Villeneuve said. “It can begin with anyone on that network.”

The St. Petersburg hack wasn’t the first time such a global gathering had been targeted: During the 2012 Olympics, for example, tainted schedules circulated among the attendees. And in the run-up to the 2011 G20 Summit, malware-ridden files infected roughly 150 computers in the French Ministry of Finance. “It’s probably the first time it’s been as spectacular as this,” said France’s Budget Minister François Baroin at the time.

But the high-profile hacks could very well get more spectacular until all attendees at sensitive events like the G20 collectively shore up their online security. Each delegation crafts its own security plan, but in an ideal world, says FireEye Threat Intelligence Manager Jen Weedon, attendees would use disposable phones and laptops that can be wiped clean of all content before and after the conference. Still, many attendees come from countries that may not have the interest or resources to take such measures, which many may view as extreme or unwarranted. “You can’t expect them to become security experts overnight,” Weedon says. But G20 delegations ignore the security risks at their own peril: already, Weedon says, Tibetan activists at this year’s conference have been targeted by a malware-infected document related to protest information.

Ultimately, the problem of hackers running amok at global gatherings runs deeper than technology alone. All hacking scams exploit human vulnerabilities — lust, credulity, curiosity — that can’t always be solved with a smarter spam filter. “It takes a human to click on something,” observes Weedon, a warning that this weekend’s assemblage of power players may or may not heed when the promise of official correspondence or other tempting links lands in their inboxes. They’re only flesh and blood, after all.

MONEY identity theft

10 Easy Ways to Protect Your Data in the Cloud

Step up the security around data you upload to the cloud with these 10 useful tips.

While movies have portrayed hackers as both good (The Girl with the Dragon Tattoo) and evil (Live Free or Die Hard), the one thing that is clear is that they can do a good deal of damage.

Several female celebrities, such as Kate Upton, Jennifer Lawrence, and Hayden Panettiere, became victims of malicious hackers, who nabbed several intimate pictures from the celebrities’ cloud storage accounts.

And if you think that this just happens to celebrities, think again. Even common folks like you and me are being exploited by malicious hackers. It is time to step up the security of your data on the cloud with these 10 useful tips.

1. Create a Stronger Password

A strong password is your very first line of defense against anybody trying to hack your account. Unfortunately, your password is usually the weakest link. In fact, 76% of cyber attacks on corporate networks are due to weak passwords.

Strengthen your password using these security tips from Microsoft:

  1. Make the length of your password at least eight characters. If you want to make it absolutely uncrackable use 15 characters or more.
  2. Skip using your real name, last name, or company name.
  3. Don’t build entire words with only letters.
  4. Use a combination of numbers, uppercase and lowercase letters, and symbols (@, #, $, and %), if applicable.
  5. Update passwords regularly and make them significantly different from previous ones.

Using these guidelines, you can create a strong password like this one: ILuv2PlayB@dm1nt()n. By picking characters from the full set of allowed printable characters, you force hackers to guess from 645 trillion possible combinations.

2. Store Your Passwords Securely

That’s not a typo. Yes, you need several passwords. Hackers exploit the fact that about 55% of Internet users use the same password for several services. The last thing that you want is that after your Dropbox account gets hacked, your online banking account becomes the next target.

It goes without saying: keep your password to yourself. Don’t store it in visible places, such as taped to the back of your keyboard or smartphone.

In a perfect world, you would just memorize them. However, a more realistic approach is to keep an offline notebook in a secure place or use a password management application, such as KeePass Password Safe, LastPass, 1Password, or Password Safe.

3. Activate Two-Factor Authentication

On top of your password, you can often add an extra layer of security by activating two-factor authentication (also known as 2FA). Without 2FA, hackers only need your username and password to access your data.

Several cloud-based services, such as Dropbox and Office 365, offer 2FA by sending you a code via text or phone call that you need to access your account. It’s an extra step, but once you’ve set it up on all of your devices, you are good to go.

4. Keep Your Birth Date Private

But don’t just stop there.

  • The name of your first pet
  • Mom’s maiden name
  • Last four digits of your social security number
  • Name of the street that you grew up in

What do these have in common? They’re all potential answers to security questions to retrieve your password or access to your account. When selecting your security questions, make sure that their answers are not a simple Google search away.

Hide your birth date and any other private information in your bio section on social media sites, online forums, or websites. The more private your personal information is, the less likely it is that a hacker can find it through search engines.

5. Learn the Process to Report Hackers

Almost every service has a way to submit a report when you think somebody else is using your account. Here is an example from Microsoft.

By investing the time in becoming familiar with the process of recovering access to your account, you are better prepared for the day that you have to rely on this process. This will help you keep some sanity during that stressful time and know what information is necessary.

6. Be Wary of Public Wi-Fi

Over 95% of American commuters use free public Wi-Fi to complete work on the go.

The problem is that about 60% of them admit they will utilize any free Wi-Fi source they can find. Data transfers happening over public Wi-Fi networks aren’t encrypted, so hackers can exploit these public networks to tap into tablets and smartphones.

By setting up “hot spot honeypots,” digital thieves tempt people with the offer of free Internet, and gain access to all kinds of private data. And they’re not doing anything too high tech: hackers just need a $100 device and can be up to 100 feet away from their victims.

Use these strategies when attempting to connect to a public Wi-Fi:

  • Verify the official name of the network with the place offering it. Don’t assume that every business or public space offers free Wi-Fi.
  • Only activate the Wi-Fi feature of your device when you are about to access a Wi-Fi network that you have verified.
  • If planning to review work files, use your company Virtual Private Network (VPN), if one is available. A VPN encrypts all your data during your session and hides the identity of the servers to which you are connected. Depending on the nature of your industry, you may never want to risk viewing company files without a VPN connection.
  • Keep your device’s operating system up to date. For example, Apple is constantly releasing security updates to address system vulnerabilities for iPhones and iPads.

7. Prevent Automatic Upload of Media

If you keep the default settings from cloud storage services, such as iCloud or Dropbox, then all of your photos and videos may be automatically uploaded to the cloud.

If you’re planning to take some photos and videos that are meant for your eyes only, make sure to update the settings of your cloud storage accounts. Nobody can hack for intimate photos or videos if there are none available online in the first place.

  • iPhone Users: To prevent photos from automatically uploading from your iPhone or iPod to your iCloud account, you can go to Settings > iCloud > Photo Stream, and turn off My Photo Stream.
  • Android Users: You need to check any auto-backup settings you can find on individual apps. Some examples of apps uploading media automatically to the cloud are Facebook, Twitter, and Dropbox. Check the settings menu of your apps and disable any photo-syncing that you’re not comfortable with.

8. Back Up Your Media Offline

While it is important to prevent undesired media from ending up in the cloud, it is equally important to back up the data that is important to you. An offline backup of your media is not only important for when your phone is lost, stolen, or severely damaged, but also for when somebody hacks into your cloud account and deletes all of your data!

Most smartphones provide a way to back up your device’s media that is not cloud-based and that can be stored on your personal computer. For example, Apple devices can leverage iTunes to create backups, and Samsung devices can back up through the Kies software.

9. Beware Fake Messages

If you use cloud based storage services, be on the lookout for phishing emails.

These emails may look like real messages from the developers of the service, but they are not. Hackers are trying to trick you into providing your personal information.

Here are some red flags to watch out for:

  • The spelling of the sender’s email is funny looking. For example, instead of xxx@dropbox.com, it reads xxx@dropboxx.com or xxx@drop-box.co.
  • The hyperlinked URLs have misleading domain names. For example, if you hover over a link, you notice that instead of going to the apple.com domain, it goes to apple-com.info.
  • The message contains plenty of misspellings or typos.
  • You are asked to submit your password or personal information, such as mailing address, phone number, or social security number, via email.
  • The message includes a form in Word or PDF format for you to fill out.
  • You’re asked for money to cover for expenses.

If you see any of these red flags, don’t click on any of the links, and delete the email immediately.
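The first two red flags above can be checked mechanically. The following is an added example, not part of the original article: it compares sender and link domains with a list of services you actually use and flags near-misses such as the ones quoted above. The `TRUSTED` list, the function names and the sample message are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains of services the reader actually uses (not from the article).
TRUSTED = ("dropbox.com", "apple.com")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name.

    Simplification: production code should consult the Public Suffix List,
    otherwise names under suffixes like co.uk are cut in the wrong place.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str):
    """Return (verdict, trusted domain it matches or imitates)."""
    dom = registrable(host)
    if dom in TRUSTED:
        return ("trusted", dom)
    name = dom.rsplit(".", 1)[0]          # 'apple-com' from 'apple-com.info'
    squashed = name.replace("-", "")      # 'drop-box' -> 'dropbox'
    for good in TRUSTED:
        brand = good.rsplit(".", 1)[0]    # 'dropbox' from 'dropbox.com'
        if (edit_distance(name, brand) <= 1           # dropboxx.com, dropbox.co
                or squashed == brand                  # drop-box.co
                or squashed == good.replace(".", "")):  # apple-com.info
            return ("lookalike", good)
    return ("unknown", None)


def review(sender: str, links):
    """Return (source, host, verdict, imitated) for every non-trusted domain."""
    hosts = [("sender", sender.rsplit("@", 1)[-1])]
    hosts += [("link", urlsplit(u).hostname or "") for u in links]
    findings = []
    for source, host in hosts:
        verdict, imitated = classify(host)
        if verdict != "trusted":
            findings.append((source, host, verdict, imitated))
    return findings


if __name__ == "__main__":
    # Constructed message built from the article's own example domains.
    for row in review("xxx@dropboxx.com",
                      ["https://www.dropbox.com/login",
                       "http://apple-com.info/verify"]):
        print(row)
```

An edit distance of 1 produces false positives for very short brand names, so treat a "lookalike" verdict as a prompt to inspect the message, not as proof.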

10. Delete What You Don’t Want Anybody to See

In an era of potentially unlimited storage through the cloud, we are tempted to keep everything.

  • THOSE pictures from your bachelorette party,
  • Intimate videos or sexts with your current or past partners,
  • Progress pictures when you started your diet,
  • Financial or tax documents over 5-years old, or
  • Scanned copies of IDs from several years ago.

If you don’t want anybody else getting their hands on your data, delete it. This is the only way that you can be sure.


TIME women

A Million Peeping Toms: When Hacking Is Also a Hate Crime

"Serena" Premiere - 58th BFI London Film Festival
Jennifer Lawrence attends the premiere for "Serena" during the 58th BFI London Film Festival at Vue West End on October 13, 2014 in London, England. Stuart C. Wilson—2014 Getty Images

Soraya Chemaly is a media critic and activist.

Technology isn’t just mirroring offline crimes but amplifying them in ways that qualitatively change their impact

In her first public statements about the theft and distribution of her private nude photographs, Jennifer Lawrence called the act “a sex crime.” There are differences of opinion about using those words to characterize what happened. What is not debatable however is that, of the reportedly more than 100 celebrities targeted in this episode involving Lawrence, the overwhelming majority have been women. So, why aren’t we seriously discussing this in terms of gender-based hate? That’s also a serious charge.

The nonconsensual distribution of intimate photos is similar to offline voyeurism in many ways. We call these voyeurs Peeping Toms, a classic linguistic minimization of a sex crime that, like revenge porn, is gendered. Peeping Thomasinas aren’t really a thing. (The crime is treated differently state by state. In some states, but not all, voyeurs must register as sex offenders. Revenge porn is a non-registry offense.)

“There is no principled way to argue that this is any less serious than voyeurism,” explains Mary Anne Franks, Associate Professor of Law at the University of Miami School of Law and Vice-President of the Cyber Civil Rights Initiative. “There is no denying the blunt truth of [Lawrence’s] words: she alone has the right to control access to her naked body, and anyone who violates that right has committed a profound and inexcusable wrong. That means that laws against hacking are insufficient to address this violation.” Danielle Citron, author of Hate Crimes in Cyber Space, has also argued that these crimes clearly infringe on women’s civil rights.

However, what happens when there are millions of Peeping Toms? Given the scope and number of people who participated, and the time and effort the hackers took to gather the photographs and carefully plan their release, it’s clear that technology isn’t just mirroring offline crimes but amplifying them in ways that qualitatively change their impact and should prompt serious debate about gender-based hatred and bias crimes.

Federal hate crime legislation does not actually require that perpetrators of crimes express explicit hatred for the people they target. Instead, the salient information is that hate crimes are those in which a person is targeted because of, in this case, his or her gender. In addition, a “prominent characteristic of a violent crime motivated by bias is that it devastates not just the actual victim and the family and friends of the victim, but frequently savages the community sharing the traits that caused the victim to be selected.” While men are also the victims of revenge porn, as with the threat that a serial rapist of women poses to a community, how can anyone doubt that girls and women experienced the theft and sharing of these photos, which overwhelmingly involved women, in ways that men did not?

This wasn’t a privately executed sex crime, but a public one infused with gender bias. As the systematic theft, accumulation and mass sharing of these photos shows, we live in a culture in which violations of women’s privacy are normalized, where harms to women are routinely trivialized, where our sexual objectification is the norm and where society resists legitimate and reasonable consideration of the role gender and status play in what happened. (There have been at least four waves of photo releases, the last of which included the first man.)

It’s not just that photographs like Lawrence’s violated women’s rights to privacy and constituted theft, or that they might be considered pornographic or offensive. It’s that the perpetrators sought to attack the women, humiliate them, assault their dignity, and interfere with their lives and well being because they are women. Revenge porn is overwhelmingly perpetrated against women by men, and is rooted in displaying male dominance. There is nothing new in this type of female dehumanization. What’s new is its digitized and scalable industrialization. The attack on female celebrities sends a clear message that even the most admired and powerful women can be treated this way.

We have a national predisposition to downplay gender as consequential. This November marks the fifth anniversary of the Matthew Shepard & James Byrd Jr. Hate Crimes Prevention Act, in which sexual orientation, gender, gender identity and disability were finally added to federal hate crimes law.

The purpose of the 2009 act was largely to ensure that people have the chance to pursue justice if they feel that their state courts have failed. Only some states have hate crime statutes and, of those, a sub-segment includes gender as a category for consideration. The battle to include gender at the federal level was long and hard fought. Either way, social recognition of gender-based hate, as post-Elliot Rodger public discussions showed, remains controversial.

Bias and hate crime laws exist so that members of groups that were historically discriminated against know that the societies they live in support their equal right to live their lives, raise their children, travel in public, and pursue their work, free of fear and discrimination. They are a challenge to social norms that would perpetuate violence and subjugation, an old-fashioned word no one likes to use in the United States, on the basis of immutable characteristics. Like being female.

If there is one silver lining in this, it’s that the women who were targeted are not being stigmatized or punished and that the trajectory of traditional shame seems to be reversing in a way that accrues to the perpetrator, and not the victims, of these assaults.

TIME Ideas hosts the world's leading voices, providing commentary and expertise on the most compelling events in news, society, and culture. We welcome outside contributions. To submit a piece, email ideas@time.com.

TIME Security

Snapchat Says Leak of Nude Photos Isn’t Its Fault

The logo of mobile app "Snapchat" is displayed on a tablet on January 2, 2014 in Paris.
Lionel Bonavent—Getty Images

Company says third-party applications were responsible for the breach of as many as 200,000 user accounts

Images from tens of thousands of Snapchat user accounts, many explicit, were leaked onto the internet late Thursday — but the messaging app said the hack wasn’t its fault.

Snapchat said that third-party applications were responsible for the breach of as many as 200,000 user accounts, and that their own servers were never compromised.

A 13GB database of Snapchat photographs taken over a number of years was leaked to online messageboards Thursday. It reportedly includes a large amount of child pornography, from teenage users.

“Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security,” a statement read. “We vigilantly monitor the App Store and Google Play for illegal third-party apps and have succeeded in getting many of these removed.”

The news comes just weeks after the release of nude photos of more than 100 celebrities in a massive hack of photos stored in Apple’s iCloud.

TIME Hong Kong

Hong Kong Democracy Protesters Are Being Targeted by Malicious Spyware

A father and son take a selfie with a mobile phone in front of a barricade in the Mong Kok district of Hong Kong on Sept. 30, 2014 Xaume Olleros—AFP/Getty Images

The culprit is "a very large organization or nation state," experts say

A computer virus that spies on Apple’s iPhone and iPad operating system is targeting pro-democracy protesters in Hong Kong, according to tech experts.

Known as Xsser, the malicious software is capable of harvesting data including text messages, photos, data logs and passwords from mobile devices, Lacoon Mobile Security said Tuesday.

The spyware is hosted on the same Command and Control domain as an existing fake program for the Android operating system that was disguised as a protest-organizing app and distributed around Hong Kong last week.

“Cross-platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state,” said Lacoon in a statement.

Tens of thousands of people have paralyzed key areas of the city over the past few days in support of greater electoral freedom, much to the chagrin of the central government in Beijing.

TIME Opinion

Clicking on Jennifer Lawrence’s Nude Photo Is Sleazy, But Is It Really Sexual Assault?

Christian Dior : Frontrow - Paris Fashion Week : Haute-Couture Fall/Winter 2014-2015
Jennifer Lawrence attends the Christian Dior show as part of Paris Fashion Week in Paris, France. Dominique Charriau—WireImage

When we call every crime against a woman "sexual assault," we dilute the meaning of the phrase

Words are important, and lots of harsh ones have been thrown around after hackers stole nude and semi-nude photos of celebrities like Jennifer Lawrence from various personal accounts and published them online. Specifically, some commenters are saying that anyone who views the stolen pictures is guilty of sexual assault.

What happened to Jennifer Lawrence, Kate Upton, and others is horrible. It’s also a crime and should be prosecuted as such. But some outraged online commentators are calling the photo-hacking incident a sexual assault, and that’s a bandwagon I just can’t get on.

While the theft and humiliating distribution of these photos is an enormous violation of personal privacy and sexual autonomy, it is not the same thing as a physical sexual assault. It is not the same as being raped, or forced to perform oral sex, or molested as a child, or beaten. It’s not a question of “more or less awful,” because both scenarios are horrific examples of how women are treated in our society. But they’re different, and it’s especially important to be precise when we’re talking about violence.

“It’s a bad act, but I don’t know that it would meet a legal definition of sexual assault,” said Scott Berkowitz, president of the Rape, Abuse and Incest National Network (RAINN). Is it possible for a sexual assault to be completely non-physical? “Sexual assault is a very general and vague term to begin with, each state defines it a little differently, it’s sort of a catch-all category that can include harassment and verbal abuse,” he said. “The idea is that it’s usually based on some physical interaction.”

When fighting to end sexual assault on college campuses, we like to say “rape is rape.” This means that rape is not “nonconsensual sex,” it’s not a “misunderstanding,” it’s rape. If we insist on linguistic clarity when defining rape, then we should do the same for sexual assault. Cat-calling isn’t sexual assault. Viewing leaked photos online isn’t sexual assault. Even the horrific sexist comments made by online trolls don’t count as sexual assaults. Only sexual assault, which the Department of Justice describes as “forced sexual intercourse, forcible sodomy, child molestation, incest, fondling, and attempted rape,” is sexual assault.

What happened to Jennifer Lawrence, Rihanna, Kate Upton, and Aubrey Plaza was an enormous transgression, one that should be taken seriously as a criminal offense. And incidents like these remind us that we’re still experiencing a widespread degradation of women, and that helps enable sexual violence. But we should call things by their correct names, and this incident is most similar to revenge porn, which is when someone (often a former partner) distributes explicit photos without the subject’s consent. Revenge porn is now a felony in Arizona and against the law in nine other states, and 27 states currently have legislation in process.

When we are angry about something, especially something that happens to women, we tend to elevate it to the level of an atrocity. This is partly because of a widespread callousness towards issues affecting women: it’s hard to get people to pay attention to anything that isn’t a horrific rape. But when we dilute the specific meanings of our words, we leave them up to interpretation, and that is very dangerous for a movement working to fight the dangerous “he-said-she-said” narrative of sexual attacks. When we expand the definition of sexual assault to include every nasty thing that could happen to a woman, we risk making the term meaningless. If everything is sexual assault, then nothing really is.

Instead of painting the photo-hacking incident as sexual assault, let’s use it to have a real discussion about how we can stop this from happening again. And let’s start by getting that revenge porn legislation through in those 27 states.

 

TIME Opinion

Stop Blaming Jennifer Lawrence and Other Celebrities for Taking Nude Photos in the First Place

Jennifer Lawrence Mike Coppola—Getty Images

If your reaction to the hack attack on celebrities is to blame them for taking nude photos, you're pointing the finger at the wrong person.

There have been a lot of reactions to the massive leak of nude photos of some of Hollywood’s biggest celebrities, including actress Jennifer Lawrence and model Kate Upton, after an anonymous user posted stolen images to image-sharing website 4chan. But one of the most mind-boggling reactions has come from the people who say, “If you don’t take nude photos, they can’t be stolen.”

This is not a fringe reaction. From Ricky Gervais to rapper RZA to many people across the internet, there seems to be a common idea that the horrible and humiliating invasion of these women’s privacy and the theft of their property is in some way their own fault. When Mary Elizabeth Winstead, one of the actresses who had naked images stolen, tweeted, “To those of you looking at photos I took with my husband years ago in the privacy of our home, hope you feel great about yourselves,” this was one of the responses she received: “@M_E_Winstead Stop posing nude on camera, dummy. Your husband not know what you look like nude? #LessonLearned.”

Now, obviously, there is truth to this idea. A person can’t steal something that doesn’t exist. So if you don’t have nude photos, they can’t be stolen. Just like if you don’t have a car, it can’t be stolen. And if you don’t use a credit card, it can’t be compromised.

But that’s absurd, you might be saying. People need cars and they need to use credit cards, but no one needs to take nude photos of themselves. Despite the fact that neither cars, nor credit cards technically qualify as something we need, let’s parse this idea for a moment. In 2014, a huge part of our lives — working, shopping, socializing and dating — involves technology. From shopping history to credit card information to personal correspondence, digital devices store a stunning amount of personal and private information, making them an integral part of our culture. So it’s willfully naive to suggest that a person’s sex life should be kept wholly separate from that culture. Show me one person who can honestly say they’ve never taken or sent a suggestive photo, sext or email that they wouldn’t want splashed across the internet for millions to see, and I’ll show you someone who doesn’t use or understand modern technology.

Yet taking nude photos — or having a car or using a credit card — isn’t the problem here. The problem is the hacking and the stealing, in this case of something immensely private. And it’s not only a problem, it’s a crime. It’s true that posting naked photos of people without their consent is still largely a gray area, legally speaking, which is why so many revenge porn sites have exploded across the internet in recent years. But hacking and stealing photos is definitely a crime; just ask Christopher Chaney, the man currently serving a 10-year sentence for stealing and posting nude images of Scarlett Johansson and Mila Kunis, among others.

So why are people so quick to point the fingers of blame at the women who are victims of the hack? It’s likely because it’s easy — far easier than blaming a culture that nurtures this kind of misogynist attack — and also because it makes people feel safe. After all, if you’re not the kind of person who would take nude photos then you’re not the kind of person who has to worry about this kind of invasive crime, right? Yet that kind of thinking doesn’t get at the root of the problem (i.e. the hacker and protecting our devices from similar attacks) and it certainly won’t help you when it’s not celebrities who are being targeted and it’s not nude photos that are being stolen. And until people cut out the victim-blaming and focus on the real culprits, we’re all just a little bit more vulnerable.

TIME Security

How That Massive Celebrity Hack Might Have Happened

"The Other Woman" - Los Angeles Premiere
Kate Upton at the Los Angeles Premiere of "The Other Woman" at Regency Village Theatre on April 21, 2014 in Westwood, Calif. Jon Kopaloff—FilmMagic/Getty Images

Tech experts say hackers may have gained access to cellphone pictures of Jennifer Lawrence, Kate Upton and others in the iCloud via the "Find My iPhone" app

Correction appended

The leak of personal photos of more than 100 female celebrities, nude and otherwise, has tech observers questioning and debating potential vulnerabilities in Apple’s iCloud. But for those of us who don’t intuitively understand technology the questions remain: how could this happen and could it happen to me? Here are some answers:

Who was affected?

An anonymous user posted photos of celebrities like The Hunger Games star Jennifer Lawrence and model Kate Upton to the site 4Chan. The hacker claimed that there could be posts of more than 100 celebrities in total. Some celebrities, Lawrence and Upton included, confirmed the photos’ authenticity. Others, like Nickelodeon star Victoria Justice, claimed the photos were fakes.

How did the hackers do it?

The leading theory goes that hackers found a vulnerability in Apple iCloud’s “Find My iPhone” service, which helps users find lost or stolen phones via the cloud. Apple typically protects its products from so-called “brute force” programs that repeatedly guess random passwords for a given username until they get a match.

But for some reason, various tech blogs have reported, Apple failed to do this with its Find My iPhone service. Hackers identified this vulnerability, TheNextWeb reports, and allegedly used a brute force service called “iBrute” to gain access to celebrities’ passwords — and consequently, the photos stored in their iCloud accounts.
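As an added illustration (not code from the article or from Apple), the sketch below shows the defensive control these paragraphs describe: a per-account attempt limit, and why it only protects an account when every endpoint that checks the password goes through it. The class, endpoint and user names, and the limits, are assumptions made for the example.

```python
import hashlib
import hmac
import time

def hash_pw(password, salt=b"constructed-salt"):
    # Demo-only parameters: fixed salt, low iteration count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

class AttemptThrottle:
    """Per-account failure counter and lockout, meant to be shared by every endpoint."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures, self.lockout_seconds, self.clock = max_failures, lockout_seconds, clock
        self._failures = {}      # username -> consecutive failed guesses
        self._locked_until = {}  # username -> clock value when the lock expires

    def allowed(self, username):
        return self.clock() >= self._locked_until.get(username, float("-inf"))

    def record(self, username, success):
        count = 0 if success else self._failures.get(username, 0) + 1
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            count = 0
        self._failures[username] = count

class AuthService:
    """Constructed service: two endpoints backed by the same credential store."""
    def __init__(self, store, throttle):
        self.store, self.throttle = store, throttle

    def _check(self, username, guess):
        stored = self.store.get(username)
        return stored is not None and hmac.compare_digest(stored, hash_pw(guess))

    def login(self, username, guess):
        # Throttled endpoint: a locked account's guesses are never evaluated.
        if not self.throttle.allowed(username):
            return "locked"
        ok = self._check(username, guess)
        self.throttle.record(username, ok)
        return "ok" if ok else "denied"

    def locator(self, username, guess):
        # Same credential check with no throttle: guesses are unlimited here.
        return "ok" if self._check(username, guess) else "denied"

def evaluated(endpoint, username, guesses):
    # Number of guesses the endpoint actually checked against the store.
    return sum(endpoint(username, g) != "locked" for g in guesses)
```

A hard lockout also lets anyone who knows a username lock its owner out, so deployed systems usually pair it with per-source limits or an extra verification step.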

Some tech observers are skeptical of this explanation, though. Most hacks occur through more straightforward methods of collecting a user’s personal data — via a lost cellphone owned by one of the celebrities, for example. There’s also evidence that some photos came from other devices that wouldn’t back up to the iCloud, like Android phones.

What does Apple have to say about all of this?

An Apple spokesperson told Re/code that the company is “actively investigating” the issue, but provided few other details. The company also reportedly rolled out a security upgrade Monday, just hours after the first hack, to eliminate the possibility of a brute force service gaining access to passwords via Find My iPhone.

Could this happen to me?

If the hackers did indeed use a brute force method on the iCloud and Apple has yet to fix the problem, then, in short, yes it could happen to you. Brute force methods can be applied so long as the hacker has your username. That said, this method does not collect broad amounts of data for a lot of people. Hackers would need a reason to target you specifically.

How do I protect myself?

The only way to completely protect yourself on the internet is to stay off it. But if you want to continue living in the 21st century, use two-step verification. Apple’s iCloud is just one of many services where you can set your account so that it asks you two personalized questions before you can access it. This makes it much, much harder for hackers to get where you don’t want them. Also, maybe think twice before uploading those nude photos?

The original version of this article misidentified the alleged role of code-hosting site GitHub in the data theft. Hackers reportedly used code that was posted to the site.

TIME Security

UPS: We’ve Been Hacked

The United Parcel Service logo on the side of a delivery truck on April 23, 2009 in New York City. Chris Hondros—Getty Images

Malware that impacted 51 franchises in 24 states may have compromised customers' credit and debit card information

The United Parcel Service announced Wednesday that customers’ credit and debit card information at 51 franchises in 24 states may have been compromised. There are 4,470 franchised center locations throughout the U.S., according to UPS.

The malware began to infiltrate the system as early as January 20, but the majority of the attacks began after March 26. UPS says the threat was eliminated as of August 11 and that customers can shop safely at all locations.

“The customer information that may have been exposed includes names, postal addresses, email addresses and payment card information,” wrote the company in a public statement. “Not all of this information may have been exposed for each customer. Based on the current assessment, The UPS Store has no evidence of fraud arising from this incident. The UPS Store is providing an information website, identity protection and credit monitoring services to customers whose information may have been compromised.”

A list of impacted franchises can be found here.
