The Many Layers of the iCloud Hack

Sue Marquette Poremba

The iCloud hack story has been discussed seriously on news shows and websites that include tips on how to protect yourself online (two-factor authentication has never gotten so much airplay as it has over the past week) and it has been the punch line of Jimmy Fallon’s monologues (I admit I laughed at the jokes).

However, the more I read about the iCloud hack, the more obvious it becomes that the story has many layers.

First, this was a prime example of a targeted attack. While I don’t think that breaches are random, the iCloud celebrity breach was most definitely targeted, and it showed the tenacity of the hackers to keep trying until they got what they wanted. As Lysa Myers of ESET said in an email note to me:

Having little/no rate limiting on the number of times you can log into an account isn't good by any stretch of the imagination, but a service is not considered broken if it's behaving as designed.

The hackers were able to get the login information because it was so easy to find. The answers to security questions to gain access or acquire “forgotten” passwords were found on the celebrities’ websites, bios, social media and Wikipedia pages. Myers suggested that users can increase their protection by choosing strong, complex passwords and secret questions whose answers cannot be found on Google or guessed. This includes never answering a secret question with an answer that can be found easily on Facebook. On the enterprise side of things, maybe it is time for businesses to generate better secret questions that don’t incorporate answers that are simple to find.


Second, a lot of talk has centered around this being a “brute-force attack.” But what, exactly, does that mean? Garrett Gross, product manager at AlienVault, described it this way on his blog:

A brute-force attack is, simply, an attack on a username, password, etcetera, that systematically checks all possible combinations until the correct one is found. Scripts are usually used in these attacks, sometimes run from purpose-built cracking machines loaded with custom chips and/or GPU arrays. In the worst-case scenario, this process involves going through every single available character in the key space, so the more processing and memory handling, the faster the key gets generated.

Vijay Basani, CEO of EiQ Networks, then pointed this out to me in an email:

The iCloud breach may be linked to software called iBrute that is capable of carrying out automated brute-force attacks against iCloud accounts, where an attacker (in this case a computer) simply guesses a password again and again until they succeed.

Third, the cloud is a more intricate technology than the average person realizes. According to Andrew Conway, research analyst with Cloudmark, while iCloud is receiving bad publicity over this, it’s unlikely to be the sole source of these images as one of the collections contains a Dropbox how-to file and others may have come from compromised desktop machines. He went on to tell me:

While Apple is suggesting users back up key chains to the iCloud, it could potentially offer access to all other accounts. This will only offer a hacker more to utilize. Smartphone and cloud storage are potentially not private and therefore it is advisable not to hold any content on a device that should not be made public.

And while I could talk about a number of other issues in regard to this hack, I'm going to provide a final learning point here, and that is that Apple is still far more reactive, and further behind on security, than it should be. This isn't 2004 anymore.

As an eSecurity Planet article pointed out, Apple’s release stated this:

None of the cases we have investigated has resulted from any breach in any of Apple's systems including iCloud or Find my iPhone. In order to avoid these types of attacks, Apple advises all users to leverage a strong password and enable two-step verification.

All well and good, but the question remains, why didn’t Apple institute better security practices (i.e., limiting login attempts) from the get-go? It’s almost like it is blaming the victims for the breach. But users only have so much control. Those who create and manage the technology need to step up the security functions on their end. Apple has announced that it will beef up its security after the fact, but this is getting to be an old story. Apple, and every other company out there, needs to be more proactive about security best practices. Users are getting frustrated at how often their personal information is being compromised because the companies that are entrusted to protect it aren’t doing their job.
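To make the brute-force description and the "limiting login attempts" point concrete, here is an added example (not code from the article, Apple, or any vendor quoted above): a minimal login check with the per-account throttling the article says was missing, plus a counter that shows how many guesses from a constructed candidate list a throttled versus unthrottled service actually evaluates. The service, the account name, the thresholds and the candidate list are all assumptions made for the illustration.

```python
import hmac
import time
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5       # failures tolerated before the account is throttled
BASE_DELAY_SECONDS = 30     # first lockout window; doubles with each further failure
MAX_DELAY_SECONDS = 3600    # cap so a flood of bad guesses cannot lock a user out for days


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    def __init__(self, credentials, rate_limit=True, clock=time.time):
        self._creds = dict(credentials)   # constructed plaintext store; real systems keep hashes
        self._state = {}
        self._rate_limit = rate_limit
        self._clock = clock               # injectable so the simulation below runs instantly

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'; only 'ok'/'denied' mean the guess was evaluated."""
        st = self._state.setdefault(user, AccountState())
        now = self._clock()
        if self._rate_limit and now < st.locked_until:
            return "locked"                # guess is not checked at all, correct or not
        expected = self._creds.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            st.locked_until = 0.0
            return "ok"
        st.failures += 1
        if self._rate_limit and st.failures >= LOCKOUT_THRESHOLD:
            # Exponential backoff per account. Caveat: an attacker who keeps guessing also
            # locks the legitimate user out, so pair this with alerting, not lockout alone.
            backoff = 2 ** (st.failures - LOCKOUT_THRESHOLD)
            st.locked_until = now + min(BASE_DELAY_SECONDS * backoff, MAX_DELAY_SECONDS)
        return "denied"


def guesses_evaluated(service, user, candidates):
    """Count how many candidate passwords the service actually checks."""
    return sum(1 for c in candidates if service.login(user, c) != "locked")


# Constructed candidate list standing in for a wordlist; none of them is correct.
CANDIDATES = [f"guess-{i:04d}" for i in range(1000)]

if __name__ == "__main__":
    frozen = lambda: 0.0  # time never advances, so lockouts never expire
    for limited in (False, True):
        svc = LoginService({"alice": "correct-horse-battery"}, rate_limit=limited, clock=frozen)
        print(f"rate_limit={limited}: {guesses_evaluated(svc, 'alice', CANDIDATES)} guesses evaluated")
```

With the frozen clock the unthrottled service evaluates all 1000 guesses while the throttled one evaluates five and then refuses the rest, which is the difference between a weekend of guessing and a service that works as designed but still resists it.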

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba



Sep 11, 2014 2:01 PM, MCSE MCSE says:

This never ceases to amaze me – I have been working on Inter/Intra-net and server infrastructure since ARPANET. Yes, I am older, and have seen a lot. The one thing I never saw was any document of any kind explaining how on earth anyone could have any expectation of privacy on the Internet – period. It is patently impossible, making the answer simple – if you want privacy, keep it off the Internet – period. Internet appliances are not toasters – and if you treat your personal photos or information like a piece of toast left on a table outside – don’t be surprised to see a flock of birds chipping away at it and making off with the pieces. For each and every “security feature”, there are countless back doors and holes. Some planned for internal use, others errors caused by cascading updates creating holes where there were none. With the speed of development nowadays, it is again impossible to test all the possible scenarios, and therefore even more impossible to suggest there is any security for those who choose to throw things at some mysterious “cloud” (a roomful of servers), without knowing what they are doing. When I started working on computers in the ’70s, there were already sig
