The iCloud hack story has been discussed seriously on news shows and websites that include tips on how to protect yourself online (two-factor authentication has never gotten so much airplay as it has over the past week) and it has been the punch line of Jimmy Fallon’s monologues (I admit I laughed at the jokes).
However, the more I read about the iCloud hack, it’s obvious that the story has many layers.
First, this was a prime example of a targeted attack. While I don’t think that breaches are random, the iCloud celebrity breach was most definitely targeted, and it showed the tenacity of the hackers to keep trying until they got what they wanted. As Lysa Myers of ESET said in an email note to me:
Having little/no rate limiting on the number of times you can log into an account isn't good by any stretch of the imagination, but a service is not considered broken if it's behaving as designed.
The hackers were able to get the login information because it was so easy to find. The answers to security questions to gain access or acquire “forgotten” passwords were found on the celebrities’ websites, bios, social media and Wikipedia pages. Myers suggested that users can increase their protection by choosing strong, complex passwords and secret questions whose answers cannot be found on Google or guessed. This includes never answering a secret question with an answer that can be found easily on Facebook. On the enterprise side of things, maybe it is time for businesses to generate better secret questions that don’t incorporate answers that are simple to find.
Second, a lot of talk has centered around this being a “brute-force attack.” But what, exactly, does that mean? Garrett Gross, product manager at AlienVault, described it this way on his blog:
A brute-force attack is, simply, an attack on a username, password, etcetera, that systematically checks all possible combinations until the correct one is found. Scripts are usually used in these attacks, sometimes run from purpose-built cracking machines loaded with custom chips and/or GPU arrays. In the worst case scenario, this process involves going through every single available character in the key space so, the more processing and memory handling, the faster the key gets generated.
Vijay Basani, CEO of EiQ Networks, then pointed this out to me in an email:
iCloud breach may be linked to software called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts, where an attacker (in this case computer) simply guesses a password again and again until they succeed.
Third, the cloud is a more intricate technology than the average person realizes. According to Andrew Conway, research analyst with Cloudmark, while iCloud is receiving bad publicity over this, it’s unlikely to be the sole source of these images as one of the collections contains a Dropbox how-to file and others may have come from compromised desktop machines. He went on to tell me:
While Apple is suggesting users back up key chains to the iCloud, it could potentially offer access to all other accounts. This will only offer a hacker more to utilize. Smartphone and cloud storage are potentially not private and therefore it is advisable not to hold any content on a device that should not be made public.
And while I could talk about a number of other issues in regard to this hack, I’m going to provide a final learning point here, and that is that Apple is still way too reactive and behind on its security than it should be. This isn’t 2004 anymore.
As an eSecurity Planet article pointed out, Apple’s release stated this:
None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. In order to avoid these types of attacks, Apple advises all users to leverage a strong password and enable two-step verification.
All well and good, but the question remains, why didn’t Apple institute better security practices (i.e., limiting login attempts) from the get-go? It’s almost like it is blaming the victims for the breach. But users only have so much control. Those who create and manage the technology need to step up the security functions on their end. Apple has announced that it will beef up its security after the fact, but this is getting to be an old story. Apple, and every other company out there, needs to be more proactive about security best practices. Users are getting frustrated at how often their personal information is being compromised because the companies that are entrusted to protect it aren’t doing their job.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba