Recently, hackers used Apple’s iCloud service to illegally access nude pictures of Jennifer Lawrence, Kate Upton, and other celebrities. They then posted the photos on 4chan, an anonymous image-sharing website. Apple and the FBI are currently investigating this incident. In the meantime, here to comment are a number of experts in the information security field. Prominent companies in the industry, including Kaspersky Lab, Netskope, and Proven Legal Technologies, are represented.
Eduard Meelhuysen, VP EMEA, Netskope:
“iCloud is an incredibly important cloud storage app due to Apple’s huge user base, and its popularity means that it’s not just celebrities who need to think carefully about iCloud security. Even if you don’t think your organisation is using iCloud, your employees undoubtedly are. Apps like iCloud, which are predominantly aimed at consumers, are such an essential part of users’ lives that blocking their use within a business environment isn’t really an option. But as this breach shows, iCloud is far from infallible, and there are many security questions that need to be addressed.
“To protect sensitive corporate data, organisations need to understand what data is being moved into iCloud and what users are doing with that content. Rather than block iCloud, or any app for that matter, organisations should try to shape usage by stopping risky behaviours such as the upload of personal identifiable information or the sharing of sensitive content outside of the company. That way you can mitigate risk while enabling the use of cloud in your business.”
Phil Beckett, Managing Director, Proven Legal Technologies:
“For companies considering using cloud-based technologies, including the storage of confidential data, these latest hacks should serve as a warning that they too run the risk of a security breach.
“Certainly cloud-based systems don’t need to be avoided altogether; however, an appropriate risk assessment should be carried out. Firms need to look at the inherent value of the information being stored on the cloud, the security measures implemented by the cloud provider, and whether it is necessary to implement extra measures, such as additional layers of encryption.
“The real task for businesses is to identify the scope, risk and impact of a potential data loss so that they can respond appropriately with preventative security. This is a crucial undertaking.”
Philip Lieberman, President & CEO, Lieberman Software:
“The hack was a two-part attack. The first part of the attack was obtaining the email addresses (Apple IDs) of the targets. The second part of the attack was understanding that the iCloud service had a flaw that allowed an unlimited number of bad password attempts without lockout or triggering sufficient alerts. Knowing that the iCloud service did not lock out bad password attempts allowed the attacker to try different lists of words, phrases and character combinations from existing dictionaries of words (dictionary attack) and ultimately use every possible combination of letters, numbers and punctuation via a brute force attack.
“Apple should have logs containing IP addresses of all parties connecting to their services. Using this information, they should be able to quickly identify those attackers who executed a large number of login attempts.
“This does beg the question of Apple’s competence in security operations. They should have detected large numbers of logon attempts from a specific address in a short period of time, and their iCloud system should have provided lockout functionality after a fixed number of bad passwords. The technology to protect their clients from these attacks is easy to implement and costs little to operate. One would think that after the previous Find My iPhone hack, Apple would have realized that it needed to clean up its act with respect to security.
“To be clear, Apple was not penetrated; it simply employed a lock on its customers’ accounts that was commercially incompetent. However, since Apple customers agree to an End User License Agreement (EULA) that effectively limits Apple’s liability to zero, Apple has little to no direct financial liability, albeit reputation damage could be significant. Users should remember that they are using a consumer grade service with Apple. Much more secure systems exist for file storage, and these should be used for sensitive data.”
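The two controls Lieberman says were missing, shown as an added example that is not code from the article or from any company quoted in it: a sliding-window account lockout that refuses further attempts after a fixed number of bad passwords, beside a detector that scans auth-log lines for source addresses with many failures in a short period. The log format, the thresholds, the addresses and the account names are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed auth-log sample (timestamp, source IP, account, outcome); not real data.
SAMPLE_LOG = """\
2014-08-31T10:00:00 198.51.100.7 alice@example.com FAIL
2014-08-31T10:00:01 198.51.100.7 alice@example.com FAIL
2014-08-31T10:00:02 198.51.100.7 alice@example.com FAIL
2014-08-31T10:00:03 198.51.100.7 alice@example.com FAIL
2014-08-31T10:00:04 198.51.100.7 alice@example.com FAIL
2014-08-31T10:00:05 198.51.100.7 alice@example.com OK
2014-08-31T10:05:00 203.0.113.9 bob@example.com FAIL
"""

def parse(line):
    ts, ip, account, outcome = line.split()
    return datetime.fromisoformat(ts), ip, account, outcome
class LockoutPolicy:
    """Lock an account after max_failures bad passwords inside a sliding window."""
    def __init__(self, max_failures=5, window=timedelta(minutes=15)):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, ts, account, password_ok):
        """Return 'LOCKED', 'ALLOW' or 'DENY' for one login attempt."""
        if self.locked_until.get(account, ts) > ts:
            return "LOCKED"                  # refuse even a correct password while locked
        q = self.failures[account]
        while q and ts - q[0] > self.window:
            q.popleft()                      # forget failures older than the window
        if password_ok:
            q.clear()
            return "ALLOW"
        q.append(ts)
        if len(q) >= self.max_failures:
            self.locked_until[account] = ts + self.window
            return "LOCKED"
        return "DENY"
def replay(log_text, policy=None):
    """Feed each logged attempt to the policy; return the list of decisions."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(ts, a, out == "OK") for ts, _, a, out in map(parse, log_text.splitlines())]
def flag_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Detection side: source IPs with >= threshold failed logins inside any one window."""
    per_ip = defaultdict(list)
    for ts, ip, _, outcome in map(parse, log_text.splitlines()):
        if outcome == "FAIL":
            per_ip[ip].append(ts)
    return {ip for ip, t in per_ip.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))}
```

In the sample, the fifth failure locks the account, so the correct password that follows is also refused, and the detector flags only the address that produced the burst.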
Mike Jackson, Director of Academic Quality and Enhancement, Birmingham City University:
“It’s clear that someone has been able to obtain private pictures of celebrities. We can’t tell at this point whether this is as a result of many individual attacks on the computers owned by the stars, or whether it is the result of a single attack on Apple’s iCloud.
“From a hacker’s point of view, a failure of iCloud brings richer pickings. There would be a lot of work involved in hacking into many individual machines, whereas a security hole in iCloud would mean that millions of pieces of information would become available at once.
“Whenever you place information on a computer, that information becomes less secure. If you connect a computer to the Internet, then the security risk grows. If you store information on a cloud service, then you rely completely on security measures of the service provider. Once on the cloud it’s these security measures which make the difference between upholding a user’s privacy and allowing the whole world to access their documents and pictures.”
Stefano Ortolani, Security Researcher, Kaspersky Lab:
“The leak is still under scrutiny / analysis, so it is not clear at this stage if cloud services are to blame or if they are just files somehow leaked from a private collection.
“The security of a cloud service depends on the provider. However, it’s important to consider that as soon as you hand over any data (including photos) to a third-party service, you need to be aware that you automatically lose some control of it. This is also the case for when you upload something online.
“In order to make your private data more secure, you should cherry-pick the data you store in the cloud and know (and control) when the data is set to automatically leave your device. For instance, in iCloud there is a feature called “My Photo Stream” which uploads new photos to the cloud as soon as the device is connected to Wi-Fi; this is to keep photos synchronised across all your devices. Disabling this option might be a good starting point to be a bit more in control.”
Richard Parris, CEO, Intercede:
“As we live more and more of our lives online, all our various digital identities need to be effectively protected – worryingly, it appears that this is not the case at the moment. We need so many passwords today, for social networking, email, online banking and a whole host of other things, that it’s not surprising consumers are taking shortcuts with automatic log ins (for apps) and easy to remember passwords. These solutions are increasingly not fit for purpose though – they do not offer proof of a person’s identity and are easily lost, stolen or hacked, leaving consumers at risk of identity theft.
“It’s time for stronger authentication and more sophisticated forms of identity, but also for a more comprehensive, wider program of education for the general public highlighting the numerous, and largely unknown vulnerabilities inherent with mobile devices and the apps we use in our everyday lives. Whether this is an issue for the app developers, handset makers, regulatory bodies or even the government is a discussion for another day, but one thing is clear – consumers, celebrity or otherwise need to be educated more about the potential security risks posed by the devices in their pockets,” Parris concluded.