Apple, the Cloud and Security
You may have heard the news that lit up the Internet over the holiday weekend – as only celebrity scandals can. Hackers stole photos of numerous Hollywood starlets in various states of undress by breaking into iCloud accounts.
Immediately people were abuzz with the critical question, “Just how safe is the cloud?”
But the cloud is not new. It’s a large amorphous term that has long been in existence (think email — have you ever had a Hotmail, Yahoo or Gmail account?) Instead, the technology is changing implementation methods. We are shifting to a world where specific hardware is no longer as relevant as the user experience — the latter of which includes some semblance of control over the content we create and its associated metadata.
This breach is undoubtedly a disconcerting maelstrom for Apple, coming only a week before the highly anticipated Sept. 9 announcement, which will include enhanced iCloud features as part of the new iOS. Apple immediately released a statement saying that this was a targeted attack based on password cracking, not a larger systemic flaw in Apple’s systems.
CUPERTINO, Calif.–(BUSINESS WIRE)–We wanted to provide an update to our investigation into the theft of photos of certain celebrities. When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us. After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.
To protect against this type of attack, we advise all users to always use a strong password and enable two-step verification. Both of these are addressed on our website at http://support.apple.com/kb/ht4232.
Security is much more than an IT department concern as business implications of a breach can be far reaching. Additionally, the increasingly mobile world creates access points that make systems easy to operate for the end user, but also creates the possibility of compromised privacy.
Although the terms are often used interchangeably, there is a difference between privacy and security.
- Security is the state of being free from danger—no one is maliciously corrupting your system (e.g., Home Depot’s potential credit card system breach).
- Privacy is the state of being free from observation—no one is watching what you are transmitting (e.g., the aforementioned private pilfered photos currently making the rounds).
The directed attacks were apparently due to a (now-fixed) vulnerability allegedly discovered in the Find My iPhone service. Unlike other entry points, which lock accounts after a pre-determined number of failed login attempts, Find My iPhone had no limit and sent no alert to the user. This would allow hackers to guess passwords with reckless abandon – either based on personal information gleaned from press junket interviews or from a script that blasts passwords until one works. Once in, other iCloud functions are readily available to the malicious intruder.
This incident was not a breach. It was a brute-force attack.
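To make the distinction concrete, here is an added example (written for this post, not Apple’s code) of a minimal login check run two ways: once with no failed-attempt limit and no alert, which is the behaviour attributed to Find My iPhone above, and once with a lockout threshold and an owner notification. The threshold, lock duration, demo account and alert list are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed demo: one account, a lockout policy, and an in-memory alert list.
LOCKOUT_THRESHOLD = 5        # failed attempts before the account locks (assumed value)
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts (assumed value)


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so the stored credential is slow to reverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class AuthService:
    accounts: Dict[str, Account]
    enforce_limit: bool = True                        # False reproduces "no limit, no alert"
    alerts: List[str] = field(default_factory=list)   # stands in for an e-mail/push notice
    clock: Callable[[], float] = time.time            # injectable for tests

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'bad' or 'locked'. Unknown users get 'bad' so the
        response does not reveal which usernames exist."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad"
        now = self.clock()
        if self.enforce_limit and now < acct.locked_until:
            return "locked"          # refuse before even checking the password
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        if self.enforce_limit:
            acct.failures += 1
            if acct.failures >= LOCKOUT_THRESHOLD:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                self.alerts.append(
                    f"{username}: locked for {LOCKOUT_SECONDS // 60} min after "
                    f"{LOCKOUT_THRESHOLD} failed logins")
        return "bad"


def make_service(enforce_limit: bool) -> AuthService:
    """Build a service holding one constructed demo account."""
    salt = os.urandom(16)
    accounts = {"demo-user": Account(salt, hash_password("correct horse battery staple", salt))}
    return AuthService(accounts, enforce_limit=enforce_limit)


def failed_logins(service: AuthService, username: str, count: int) -> List[str]:
    """Submit `count` wrong passwords and return the per-attempt results."""
    return [service.login(username, f"wrong-guess-{i}") for i in range(count)]


if __name__ == "__main__":
    for enforce in (False, True):
        svc = make_service(enforce)
        print(f"enforce_limit={enforce}: {failed_logins(svc, 'demo-user', 8)}")
        print("  correct password now gives:",
              svc.login("demo-user", "correct horse battery staple"))
        print("  alerts:", svc.alerts)
```

With `enforce_limit=False` every wrong guess simply returns "bad" and nobody is told, so an account with a guessable password is only a matter of time. With the limit on, the sixth attempt is refused regardless of what it contains, the owner gets an alert, and the lock releases on its own after the timeout.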
Of course, the best prevention against fraud is enforcing a strong PIN policy. The most basic thing you can do for your personal data security is to use complex passwords.
- Update passwords every 90 days.
- Do not use the same password for all profiles.
- Use longer passwords, with a minimum of 8 characters.
- Include a minimum of four non-repeating digits.
- Do not use sequenced numbers such as “1234” or “1111.”
- Include a mixture of upper- and lower-case letters, numbers, and special characters.
- Do not associate with any personally identifying information such as birthdays, addresses, phone number, social security, pets, or your latest Hollywood blockbuster title.
Complex passwords serve as a strong deterrent for those who would potentially try to gain access to your data. While any password can be compromised with enough time, complex ones point hackers to easier targets.
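As an added illustration (not code from the original post), the rules in the list above can be turned into a checker that a signup or password-change form could run before accepting a new password. The thresholds mirror the list: 8 characters, four distinct digits, a run of four sequential or identical characters as the “1234”/“1111” test, a 90-day age limit, and a caller-supplied list of personal terms (birthday, pet name, and so on) for the last rule. Reading “four non-repeating digits” as “four distinct digits” is an interpretation, and the profile fields to check are assumptions.

```python
import re
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Constructed thresholds taken from the list above.
MIN_LENGTH = 8
MIN_DISTINCT_DIGITS = 4        # interpretation of "four non-repeating digits"
MAX_AGE_DAYS = 90
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")


def has_sequence(s: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters are identical (1111, aaaa) or form
    an ascending/descending run (1234, abcd, 4321)."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def _alnum(text: str) -> str:
    """Lower-case and strip punctuation so 'Jan-1' matches 'jan1'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str,
                   personal_terms: Iterable[str] = (),
                   last_changed: Optional[date] = None,
                   today: Optional[date] = None) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    digits = {c for c in password if c.isdigit()}
    if len(digits) < MIN_DISTINCT_DIGITS:
        problems.append(f"fewer than {MIN_DISTINCT_DIGITS} distinct digits")
    if has_sequence(password):
        problems.append("contains a sequence or repeated run such as 1234 or 1111")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and digits and any(c in SPECIALS for c in password)):
        problems.append("needs upper-case, lower-case, digits and special characters")
    # Personal information: reject if any profile term (3+ characters) appears inside.
    flat = _alnum(password)
    for term in personal_terms:
        t = _alnum(term)
        if len(t) >= 3 and t in flat:
            problems.append(f"contains personal information ({term!r})")
    # Rotation: flag passwords older than the policy window.
    if last_changed is not None:
        today = today or date.today()
        if today - last_changed > timedelta(days=MAX_AGE_DAYS):
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    profile = ["Fluffy", "1985-07-04", "Main Street"]   # constructed sample profile
    for candidate in ["Password1234!", "Tr0ub4dor&3", "Fluffy#2019x8Q", "Corr3ct-H0rse_B4tt3ry!9"]:
        print(f"{candidate!r}: {check_password(candidate, profile) or 'OK'}")
```

Run as a script it prints which rule each sample breaks; the last candidate passes all of them. The checker reports every violation rather than stopping at the first, which is what a user needs in order to fix a rejected password in one try.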