Holes in the internet cloud - blame Apple

Hackers accessed photos of celebrities, including actress Jennifer Lawrence, stored in Apple's service iCloud, which backs up photos and other documents from iPhones. Photo / Getty Images
Hackers accessed photos of celebrities, including actress Jennifer Lawrence, stored in Apple's service iCloud, which backs up photos and other documents from iPhones. Photo / Getty Images

In the wake of the theft of the private data and photos of dozens of celebrities, there is at least one major culprit.

Not the alleged leakers, though obviously they're to blame, but the company that has most prominently overstated its security in the first place: Apple.

Apple is currently delighted that people are talking about how you shouldn't take naked photos of yourself in the first place, but make no mistake: Apple has been provably irresponsible with users' security.

It is currently unclear how the naked photos were gathered - most likely through a number of different methods and different servers over a period of months if not years.

What is clear is that Apple has had a known security vulnerability in its iCloud service for months and has been careless about protecting its users. Apple patched this vulnerability shortly after the leak, so even if we're not sure of exactly how the photos got hacked, evidently Apple thinks it might have had something to do with it.

Whether this particular vulnerability was used to gather some of the photos - Apple is not commenting, as usual, but the ubiquity and popularity of Apple's products certainly points to the iCloud of being a likely source - its existence is reason enough for users to be deeply upset at their beloved company for not taking security seriously enough.

Here are five reasons why you should not trust Apple with your nude photos or, really, with any of your data.

1. The vulnerability is Security 101 stuff.

Up until Monday, Apple had a significant and known brute-force vulnerability in its Find My iPhone service, where you type in your Apple ID and password on your computer in order to locate your iPhone on a map.

Most services that use passwords, from Facebook to Google to banks, will lock your account or at least throttle logon attempts after a certain number of failed access tries to prevent a person who is not you from making endless guesses at common passwords.

Apple itself will do this in most places - but not through its Find My iPhone service, where hackers are allowed unlimited attempts at guessing passwords. You can endlessly try password after password as quick as you like.

Once a correct Apple ID password is confirmed through Find My iPhone, a hacker then has access to your iCloud account. So a hacker could simply run an automated tool and knock on the door enough times with password guesses until he broke through. Even a decent password, like "D0nM@tt1ngly!" would still be vulnerable to this sort of attack.

The Find My iPhone vulnerability doesn't really rise to the level of a bug, since limiting brute-force attacks is part of the basic security design of any system - or should be.

2. The vulnerability was publicly known since May.

A Russian security group called HackApp released iBrute, a proof-of-concept tool to exploit this vulnerability, on August 30. But don't blame them, because the celebrity hacking probably took place quite a while before that.

The Register publicised the lack of any sort of limit on iCloud logon attempts in May, and Apple did nothing about it, giving hackers plenty of time to bash away at accounts.

Even after iBrute was publicly released, Apple didn't patch the vulnerability until September 1 and did nothing to secure accounts in the meantime. I cannot fathom how the company left this one out in the wild for months, and I suspect it will cost someone at Apple his or her job.


Camera Roll automatically backs up all photos to the cloud by default. Photo / AP

3. Apple defaults users into the cloud.

Clouds are wispy and ephemeral, the very opposite of secure, so why would you want to store anything in them? No one particularly does: Cloud storage has been forced on users because it suits tech companies, not because it's what's best for consumers.

But Apple makes it very hard not to store photos in its cloud, nude or otherwise. Camera Roll automatically backs up photos (all photos) to the cloud by default, and Apple makes it difficult for average users to change the default. It's worked. And it's too bad, because whatever you store on the cloud has far less legal and security protection than what's on your own computer.

Even deleting photos from your phone doesn't delete them from the cloud, as security expert Nik Cubrilovic pointed out on Twitter. (The American Civil Liberty Union's Christopher Soghoian has wisely suggested a "private photo" feature that doesn't upload certain photos to the cloud.)

Defaulting to the cloud is like checking baggage on an airline: People might look through your stuff, and even steal it. And like the airlines, Apple's liability is strictly limited by the extremely generous (to Apple) agreement you sign when you purchase any of its products.

4. Apple does not encourage two-factor authentication.

The false sense of security Apple creates by offering two-factor authentication and then not enforcing it is appalling.

Two-factor authentication, in which physical possession of a particular device (like a phone) is necessary to log in to an account, is one of the most common and effective supplements to the problematic security of regular passwords.

Google, Yahoo, Facebook, Twitter and many other services offer two-factor, though rarely by default. Still, as the Daily Dot writes, "For reasons that defy all logic, Apple makes it extraordinarily difficult to enable two-step verification," making users wait three days just to turn it on.

(In other words, if you had found out about the vulnerability on August 30, you couldn't have protected yourself until September 2.)

Apple barely publicises its two-factor authentication and has not encouraged users to adopt it. Apple controls the default user experience for its products, and it has the responsibility for that default to be reasonably secure - which it currently is not.

5. Two-factor authentication wouldn't have worked anyway.

Even if you were a celebrity who had enabled two-factor authentication, it wouldn't have helped in this case because Apple doesn't enforce two-factor authentication for iCloud logons even if you have it turned on, as was reported by Ars Technica all the way back in May of 2013.

Apple primarily uses two-factor to prevent credit card purchases, not to protect the privacy of your data. Though probably the least exploited loophole (due to the difficulty of using Apple's two-factor in the first place), this is perhaps the most sheerly irresponsible security decision Apple has made. The false sense of security created by offering two-factor and then not enforcing it is appalling.

These are all problems Apple has known about for months, if not years, and did nothing to stop. Apple's two-factor is still fundamentally broken, so even today Apple is still misrepresenting the security it can offer to its users.

This is not to excuse any other services that may have been compromised, nor the hackers themselves. But whether any of these problems were directly responsible for the leak, Apple users, from Jennifer Lawrence to corporate executives to laptop musicians to you, should be out for blood, and other companies should use this as a lesson to double- and triple-check their own security stories.

Apple will probably survive though. iPhones are so cool and pretty.

-Slate

FAQs around the internet Cloud

What is the internet cloud?

The cloud refers to storage of data on large-scale shared servers rather than on users' own home hardware.

It allows people to access their documents and pictures remotely on multiple devices such as PCs, smartphones and tablets from anywhere with an internet connection.

Hackers appeared to access photos stored in Apple's service called iCloud, which backs up photos and other documents from iPhones. As a result, the private pictures of the female celebrities became public and spread across social media, starting with the image-sharing service 4chan.

Apple, in its first public statement on the incident, said celebrity accounts were compromised in a "targeted attack" to gain passwords, but maintained that it found no breach of the iCloud or other Apple systems.

Read also:
How to keep those naked selfies safe
Apple admits celebrity accounts were hacked

What is in the cloud?

People can choose to back up pictures, videos and other files in the cloud. In some cases smartphones and other devices will do this by default - a fact not all users are aware of.

"Many iPhone owners are possibly oblivious to the fact that every time they take a photo, it is invisibly and silently uploaded to iCloud in the background," says computer security consultant Graham Cluley in a blog post.

The private pictures of Lawrence, Upton and others appeared to have been stored in these cloud servers, even if they were deleted from the phones or other devices used to take the pictures.


Is the cloud secure?

Major services like Apple's iCloud and Google Drive use encryption to secure data. But Rob VandenBrink at the SANS internet Storm Center said a flaw in Apple's "Find My iPhone" app lacked protection against "brute force attacks" from hackers.

"And of course once an account password is successfully guessed, all iCloud data for that account is available to the attackers," VandenBrink said in a blog post.

"So no rocket science, no uber hacking skills. Just one exposed attack surface, basic coding skills and some persistence."


Are passwords involved?

Because many people use easy-to-guess passwords like "123456" and reuse them across multiple services, hackers often can gain access with little difficulty.

Rik Ferguson at the security firm Trend Micro said attackers could have used the "I forgot my password" link for Apple accounts.

"The peril in this for celebrities is that much of their personal information is already online and a security question such as 'Name of my first pet' may be a lot less secret for a celebrity that it is for you and I," Ferguson says.

A better system is to activate two-factor authentication, which sends an additional code to a predetermined email or phone.


Are there other vulnerabilities?

An old technique used by hackers known as "phishing" can get a user to hand over a password voluntarily. This often begins with an email which says an account has been compromised and requests that the user log in via a link.

Symantec security response manager Satnam Narang said his firm has been warning about fake emails or SMS messages claiming to come from Apple technical support.

The comedian Sarah Silverman tweeted recently: "I got a text from apple privacy security saying my iTunes id has been compromised -- HOW DO I KNOW THEYRE NOT THE SCAM? Help!"

Narang said these kinds of hacks are likely to continue because many people fall for the scams.

"Users should also be wary of emails or text messages claiming to be from Apple support, security or protection groups. Don't click on any links in these emails and never send your Apple ID credentials in a text message," he said.

Chris Morales at NSS Labs said Apple "is doing what everyone else in the industry is doing" to make its system easy to use, which also makes it easier to hack.

"The cloud is so convenient, so everybody is putting their whole lives in the cloud," he said.

-AFP

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_n2 at 21 Sep 2014 10:42:37 Processing Time: 736ms