Apple iCloud Hack's Other Victim: Cloud Trust - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
Commentary
9/10/2014
10:25 AM
Charles Babcock
Charles Babcock
Commentary
Connect Directly
Twitter
RSS
50%
50%

Apple iCloud Hack's Other Victim: Cloud Trust

Our flash poll finds users feel more vulnerable about cloud security in general. No wonder: Apple's opening statement of indignation now sounds a little hollow.

The release of movie stars’ personal photos, raided from Apple’s iCloud, seemed to me like a calculated assault. Someone conceived of the most attention-getting way to embarrass iCloud operations on the eve of the release of the iPhone 6. And Apple appeared all too vulnerable to such an incident.

"A trove of naked photos and video content stolen from the stars appeared on the 4Chan chatroom site over the weekend. Questions about how the hackers got hold of the celebs' accounts began to center around a possible flaw in Apple's iCloud and Find My iPhone," reported my colleague Kelly Jackson Higgins for Dark Reading on Sept. 2. There were reports Apple had recently fixed a hole that would allow a brute-force password attack, she noted.

What better way to cast doubt on the security of iCloud than to scatter celebrities' personal information across the Internet? And just in case anyone missed it, make sure the words "Jennifer Lawrence" and "nude" or "naked" are combined in as many headlines as possible. If that was the attackers' goal, then it can't be denied, they in some measure succeeded.

How successful were the scare tactics? We ran a flash poll to ask InformationWeek readers how the incident affected their view of cloud security. Twenty percent said they are now less confident storing photos and data in an Apple cloud service, and 40% said they are less confident doing so with any cloud service.

So how hard was it to obtain those photos? "None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone," an Apple statement said soon after the incident. Meanwhile, it added, "We are continuing to work with law enforcement to help identify the criminals involved." The latter sentence has a certain satisfying ring to it. The proper authorities are on the case, and its outcome is all but a foregone conclusion.

But we shouldn't be too convinced of that. First of all, Apple left itself some weasel room in its statement. Forty hours after a headline-making breach, the best it could say was "none of the cases we have investigated has resulted in any breach." This also says that, at that late date, Apple hadn't investigated all the cases. If it had, it's possible one of the cases might incontrovertibly establish there had been a breach. The hole in the statement leaves enough wiggle room to drive a truckload of stolen backup tapes through.

And what if the offending party is a script kiddie who somehow took advantage of weaknesses in the Apple systems? When this has happened elsewhere, the authorities got only lightly involved and usually advised the offended party to tighten up its procedures. To which prison does Apple intend to sentence this criminal, just so his parents will know where to go to visit?

[It's time to dismantle the moat. See Mobile, Cloud, Partners: Where's The Weak Link?]

If the iCloud password system could be hit with a brute-force attack, then a modest amount of compute power could repeatedly try likely passwords based on knowledge gleaned from the target's frequent activity reports and personal doings. The names of children, pets, favorite activities, or locations could be tried in various spellings and combinations until one is found that works. The protection against brute-force attacks is to limit the number of password tries. But such a limit would interfere with those Apple customers who might have momentarily forgotten their passwords. Likewise, setting a requirement that a password be non-obvious -- containing capital letters, numbers, punctuation marks -- would have been another defense.

But as we all know, good security defenses slow the consumer impulse to get to a site and spend money. Vendors that are proud of their seamless vertical integration and ease of use are probably less likely to put barriers in the way of the typical user. On the contrary, it appears iCloud's security requirements were kept as simple as possible.

"Certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions," a regrettable incident, but "a practice that has become all too common on the Internet," Apple's statement continued. In short, it was individuals who were compromised, not Apple's systems. And to carry the logic a step further, it is the individuals who allowed their user names, passwords, and security questions to be guessed that are at fault. If Apple makes things easy for consumers to use, it's still not Apple's fault that some customers are less than stringent in following good practices as they use them.

This makes Apple's opening statement of indignation sound a little hollow. "When we learned of the theft, we were outraged and immediately mobilized Apple's engineers to discover the source. Our customers' privacy and security are of utmost importance to us." Yes, but it wasn't too hard to guess Jennifer Lawrence's password and steal her pictures, given the protections you provided.

Should this incident decrease consumer confidence in the security of cloud use? It should alert them that vendors of cloud services are interested in moving them to the goods; protecting their security is typically coming in a distant second, no matter what they say after a breach. If it's easy to remember your password on a cloud login system, it may also be easy to guess it by those who know a little something about you. And if you think lots of engineers and millions of users mean you must be using a secure system, try finding out what good security practices are and note the many ways you can improve on the minimal requirements your cloud vendor has laid in front of you.

Today's endpoint strategies need to center on protecting the user, not the device. Here's how to put people first. Get the new User-Focused Security issue of Dark Reading Tech Digest today. (Free registration required.)

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John Barnes
50%
50%
John Barnes,
User Rank: Moderator
9/11/2014 | 1:18:57 PM
Re: If your password can be guessed, it will be
Doesn't require a high degree of fame. Birthdays, mother's maiden names, etc. end up on Facebook and so forth all the time, and operations that were "big data" a few years ago are now doable on high-end home systems.


There are many good tricks out there; the best metatrick is probably to rotate which tricks you use so there's not a pattern in your passwords. Or just get a password manager.
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
9/11/2014 | 11:17:44 AM
If your password can be guessed, it will be
The lesson to take away here is not to use your dog's name as a password and then give interviews where you talk about how your life revolves around your dog (or cat, or turtle). Also, avoid getting so famous that this comes up as an issue.
Commentary
Learning: It's a Give and Take Thing
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  1/24/2020
Slideshows
IT Careers: Top 10 US Cities for Tech Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  1/14/2020
Commentary
Predictions for Cloud Computing in 2020
James Kobielus, Research Director, Futurum,  1/9/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll