Week 2 Blog
Apple iCloud hack dominates headlines…and lowly security blogs.
Whether you are into information security or not, you have heard of the recent hacking of the Apple iCloud. Several "celebrities" were relieved of some of their privacy on the Apple service by having dozens of their rather private media files taken from the cloud and displayed for the world to see. Are these non-security-minded individuals victims here? Most certainly. Are they blameless in this attack? Absolutely not. The hacker, the victim, and the service owner all share the blame in an attack like this. I would like to take this blog entry to outline some big-picture issues that typical users are susceptible to, and hopefully follow up each week with more in-depth information on how to protect yourself.
After some quick investigation of this case, it was determined that the hackers' method of gaining access to these accounts was their ability to attack the usernames, passwords, or security question answers. Once one of these pieces is known to an experienced hacker, they can use brute force to get into an account. In other words, they attacked the single-factor authentication used by these services. A few reasons why this was successful, and will always be successful with services such as this:
1. Most users are susceptible to a brute-force or dictionary attack. This takes a known value, such as a username or a password, and attempts to guess the unknown value by trying millions of character combinations. Eventually, if the password is not overly complex, the software will hit the right combination and be allowed access. Apple could have 10 layers of security, but if somebody enters with legitimate credentials, they will never know. This method works against most users of online services because they use easy, memorable passwords. It might be difficult to create a strong password, but after many repetitions a strong password can be entered without a second thought. Future entries here will cover how to create strong passwords, and how to store them securely so you don't even have to remember them all.
2. Another reason brute force works on these customer-centric services: single-factor authentication. There are generally three factors you can use to let a system know you are authorized: something you are, something you know, or something you have. A username and a password are both something you know, thus a single factor of authentication, which is much easier to crack. Yes, multi-factor authentication is almost impossible on a service like this...this just means the one factor you are using had better be strong! Another technical control that could be used, but is not due to ease of access: a maximum number of retries before locking an account. For user convenience, a lot of these services will let you try to authenticate until you have literally tried every word in the dictionary. Simply setting a threshold to lock out the account would prevent a brute-force attack. Additionally, a notification should be sent to a user if someone is unsuccessfully using their username an absurd number of times.
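To make the two controls in point 2 concrete (a retry threshold that locks the account, plus a notification to the owner once failures pile up), here is an added example of a minimal login handler. It is illustrative code written for this post, not Apple's implementation or any real service's; the threshold values, the 15-minute lockout window, and the notify callback are assumptions chosen for the demonstration. Passwords are stored as salted PBKDF2 hashes and compared in constant time so that the handler itself does not leak anything useful to a guesser.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values for this example (not any real service's settings).
MAX_FAILURES = 5        # consecutive failures before the account is locked
NOTIFY_AFTER = 3        # warn the account owner once failures reach this count
LOCKOUT_SECONDS = 900   # how long the account stays locked (15 minutes)
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failures: int = 0        # consecutive failed attempts in the current window
    locked_until: float = 0  # epoch seconds; 0 means not locked


class LoginGuard:
    """Single-factor login with a lockout threshold and an owner notification hook."""

    def __init__(self, notify):
        # notify(username, failure_count) is called once per lockout window.
        self.accounts = {}
        self.notify = notify

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, self._hash(password, salt))

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            # Same answer as a wrong password: don't confirm which usernames exist.
            return "denied"
        if now < acct.locked_until:
            # Even a correct password is refused while the lock is active.
            return "locked"
        if hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures == NOTIFY_AFTER:
            self.notify(username, acct.failures)
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0  # a fresh window starts when the lock expires
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(lambda user, n: print(f"alert: {n} failed logins for {user}"))
    guard.register("alice", "correct horse battery staple")  # constructed sample account
    for attempt in ["wrong1", "wrong2", "wrong3", "wrong4", "wrong5"]:
        print(attempt, "->", guard.login("alice", attempt))
    print("real password during lockout ->", guard.login("alice", "correct horse battery staple"))
```

The interesting behaviour is the third and fifth wrong guesses: the third fires the notification, and the fifth returns "locked" rather than "denied", after which even the correct password is refused until the window expires. A production system would persist the counters, key the lock on more than just the username, and deliver the alert out of band, but the threshold-then-notify shape is the same.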
3. Lack of personal OPSEC and the ability to be socially engineered. Some of the victims here willingly gave their account information away via phishing attacks. You must always be cognizant when online, especially when anyone you don't personally know is asking for information about you. Ask yourself what this information could be used for, and verify the authenticity of the recipient at all times. Don't allow yourself to become a victim.
This was an interesting case because the lack of security certain high-profile people displayed caused Apple to change its security policies. In this article they detail the additional steps they will use to keep hackers out. They needed a swift response because their stock price took a hit immediately following the events. Any negative press about your security requires immediate action. All of the new policies are good measures, designed mostly to protect users from themselves, since ultimately it was their own ignorance that caused their accounts to become compromised.
This definitely displayed how a perceived lack of security can cause consumer distrust, resulting in a negative impact on business. More to come on how to protect yourself from the bad people...