At 2:30 ET on Sept. 2, Apple did something it normally does not do: It issued an emergency media advisory about a security risk to its users.
The risk had been reported on by multiple media outlets, including eWEEK, over the previous 48 hours, as Hollywood celebrities had their personal privacy invaded and images stolen, allegedly from Apple’s iCloud service.
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” Apple stated. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud or Find my iPhone.”
Apple is mincing words here.
The statement claims that iCloud itself was not breached, yet that is the service that was holding the images. The statement claims that it was a “targeted attack,” and yet it was not one or two celebrities that were hacked, but dozens. Furthermore, the statement claims the attack was on user names, which in this case means the AppleID, a system that is, in fact, under Apple’s control.
Make no mistake about it. A criminal act occurred here, and the hackers are responsible. That said, Apple also has a responsibility to protect users properly—from hackers and also from themselves.
Digging a little deeper here, Apple is not yet giving us the full details of its 40-hour investigation, and it is not precisely known what tools were used in the targeted attack. One of the prevailing theories is that it was a brute-force attack that randomly and automatically guessed user names and passwords. Apple’s statement that the iCloud and Find My iPhone systems were not directly breached does not negate that theory.
Another possibility is a simple phishing attack in which the hackers sent fake emails to the celebrities and got them to click on something. Such an attack could have potentially led to the credential disclosure.
Whatever the case, there are things that Apple should and must be doing to protect its users against both brute-force and phishing attacks. While users can use complex passwords and common sense when clicking on links, Apple can go above and beyond that.
Earlier this year at the Black Hat USA security conference, Yahoo Chief Information Security Officer Alex Stamos made a case for what he referred to as “security paternalism.” That is to say, vendors can and should make security decisions on behalf of users to help protect them. It would be a good idea at this point for Apple to embrace Stamos’ approach and take proactive security measures for users.
Against brute-force attacks, rate-limiting, which caps the number of log-in attempts an account or client can make within a given period, is one obvious mitigation technique. Also, assuming the users were already logging in to iCloud from their usual locations, Apple could or should be able to determine that a remote log-in from a different location is likely a fraudulent attempt at access.
Big data analytics techniques similar to those that banks and credit card vendors use to detect fraud by way of anomalous behavior might be used to limit the risk of phishing, as well.
If a user is asking for a full iCloud restore to a new device while their existing devices are still active, there should be some kind of confirmation prompt sent to the user’s email or phone. Allowing an iCloud backup to be restored only to a device already verified against the AppleID is another possible step that might limit the risk.
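To make the mitigations above concrete, here is an added example of a log-in guard that combines sliding-window rate-limiting (per account and per source IP) with a step-up check when a correct password arrives from a location the account has never used. This is illustrative code written for this page, not Apple’s implementation or any part of iCloud; the class names, thresholds and the attempt log are all constructed for the example.

```python
"""Hypothetical log-in guard (example code, not Apple's): sliding-window
rate limiting per account and per source IP, plus a step-up requirement
when a correct password comes from an unknown location."""
from collections import defaultdict, deque


class SlidingCounter:
    """Counts events within the last `window` seconds, keyed by an identifier."""

    def __init__(self, window: int):
        self.window = window
        self.events = defaultdict(deque)

    def count(self, key: str, now: float) -> int:
        q = self.events[key]
        while q and now - q[0] >= self.window:  # evict entries outside the window
            q.popleft()
        return len(q)

    def record(self, key: str, now: float) -> None:
        self.events[key].append(now)


class LoginGuard:
    def __init__(self, known_locations, max_account_failures=5,
                 max_ip_failures=10, window=300):
        # Locations the account has previously logged in from (assumed to be
        # built from the account's own history).
        self.known = {acct: set(locs) for acct, locs in known_locations.items()}
        self.account_failures = SlidingCounter(window)
        self.ip_failures = SlidingCounter(window)
        self.max_account_failures = max_account_failures
        self.max_ip_failures = max_ip_failures

    def evaluate(self, now, account, ip, location, password_ok) -> str:
        # The limits are checked BEFORE the password, so a correct guess that
        # arrives after the limit is reached is still refused.
        if self.account_failures.count(account, now) >= self.max_account_failures:
            return "rate_limited_account"
        # A single IP failing across many accounts is a password-spray signal.
        if self.ip_failures.count(ip, now) >= self.max_ip_failures:
            return "rate_limited_ip"
        if not password_ok:
            self.account_failures.record(account, now)
            self.ip_failures.record(ip, now)
            return "deny"
        # Correct password from a never-seen location: require confirmation
        # via the user's email or phone before granting access.
        if location not in self.known.get(account, set()):
            return "step_up"
        return "allow"

    def confirm_step_up(self, account, location) -> None:
        """Called once the user has confirmed the prompt sent out of band."""
        self.known.setdefault(account, set()).add(location)


# Constructed attempt log: (seconds, account, source_ip, location, password_ok)
KNOWN_LOCATIONS = {"celeb01": {"Los Angeles"}}
ATTEMPTS = [
    (0,   "celeb01", "203.0.113.5",  "Los Angeles", True),   # owner, usual place
    (10,  "celeb01", "198.51.100.7", "Remote",      False),  # guessing begins
    (11,  "celeb01", "198.51.100.7", "Remote",      False),
    (12,  "celeb01", "198.51.100.7", "Remote",      False),
    (13,  "celeb01", "198.51.100.7", "Remote",      False),
    (14,  "celeb01", "198.51.100.7", "Remote",      False),
    (15,  "celeb01", "198.51.100.7", "Remote",      True),   # right guess, locked
    (400, "celeb01", "198.51.100.7", "Remote",      True),   # window over, new place
    (401, "celeb01", "203.0.113.5",  "Los Angeles", True),   # owner unaffected
]


def run_scenario(attempts=ATTEMPTS, known=KNOWN_LOCATIONS):
    guard = LoginGuard(known)
    return [guard.evaluate(*attempt) for attempt in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(ATTEMPTS, run_scenario()):
        print(f"t={attempt[0]:>4} {attempt[1]} from {attempt[3]:<12} -> {decision}")
```

The scenario shows the two properties the article asks for: the sixth attempt is refused even though the password is correct, because the account limit was reached first, and once the window has elapsed the correct password from an unfamiliar location still only earns a step-up prompt rather than access. The legitimate owner logging in from the usual location is never blocked.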
No doubt, Apple’s security teams have even more ideas and techniques available to them to further improve user security. For all we know, Apple could already be executing on all the various techniques outlined above.
The bottom line is that there is now fear, uncertainty and doubt in the minds of users around the world about Apple’s security, and it is incumbent upon the tech giant to take every possible measure to restore trust and confidence.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.