Is Apple's iCloud Less Secure Than Other Cloud Storage?

NEWS ANALYSIS: Whatever enabled the breach, it can happen against any type of cloud storage service. Apple was in the wrong place at the wrong time.

How relevant to all of us is the Labor Day weekend hack attack on female celebrities that exposed a number of nude photographs stored in a cloud service--in this case, Apple's iCloud?
It is indeed relevant, even though most of us are not celebrities sought after for their photographs, nude or otherwise. It's relevant because more and more people are trusting their personal files to cloud storage, and if that trust erodes, the business model--and eventually the sector--will fail and be replaced by something else.
This is a result that companies such as Apple, Amazon, Microsoft, Google, Yahoo, Facebook and dozens of others that store personal files for customers do not want to see happen at any cost. In fact, it's safe to say that nobody wants to see this continue to happen, yet it does--and on an all-too-regular basis.
In case you haven't heard, three days ago an as-yet-unidentified hacker broke into the iCloud storage accounts of the stars--including actresses Jennifer Lawrence and Kirsten Dunst and model Kate Upton--stole the images and then published the photos to an image Website called (the domain of which is now for sale). It has been called the biggest celebrity hacking scandal to date. It was important enough for the FBI to assemble a team to investigate the case.

Apple Claims Its Security Not to Blame
Apple took a day and a half to respond that it believes the photos were leaked due to targeted attacks on specific accounts and not because of a direct breach of Apple's storage or mobile security.
Whatever process enabled the breach, this type of problem can happen against any type of cloud storage service. Apple just happens to be the victim in this latest attack.
"We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," the company said in a statement. "None of the cases we have investigated has resulted from any breach in any of Apple's systems, including iCloud or FindMyiPhone."
Whether or not Apple's security was part of the issue, the company patched at least one vulnerability in the iPhone right after the photos were leaked. So that tells us something.

Two Vulnerabilities Identified
"There were two vulnerabilities that were talked about, and they don't know which one was actually used," Steve Pao, general manager of Security Business at Campbell, Calif.-based Barracuda Networks, told eWEEK. "One was in FindMyiPhone. This is a phone service on the iPhone that did not have brute force attack prevention."
This patch was confirmed on open source code-sharing site GitHub by someone with inside knowledge of the attack. "The end of the fun, Apple has just patched," the post read.
"It turns out that just 36 hours before the images went up on the site, a sample script was submitted to GitHub that could be used to check against the 500 most-known passwords," Pao said. "By the way, 'password' isn't the most common password anymore. '1-2-3-4-5-6' is now the most common one.
"Anyway, the hacker may have used that demo code (on GitHub) to hack into those accounts and steal the photos."
The second vulnerability was associated with how Apple does authentication for additional devices into the same iCloud keychains, Pao said.

Tougher Passwords Always Help
"What's interesting is that after reading that, I even changed my own [passwords]," Pao said. "Let's say you have a Mac and want to add an iPad to the iCloud account. By default, the Mac sends an SMS or an iMessage message to your favorite device."
These can be intercepted by a hacker during the authentication process, which would enable the hacker to gain entry into the iCloud account.
"Another way you can do it (connect the devices to the same iCloud account) is with a four-digit PIN (personal identification number). But it turns out that the four-digit PINs are really easy to 'brute force,'" Pao said. "A user has to figure out for himself how to enter a more complicated password."
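As an added illustration (not code from the article, from Pao or from Apple), the sketch below shows the brute-force prevention described above as missing from one service: a failed-attempt budget keyed by account, so every endpoint that accepts the credential shares it. The class, function and endpoint names, the 5-failure/15-minute policy and the sample account are assumptions made for the example.

```python
import hmac
import time

ACCOUNT = "user@example.test"  # constructed sample account

class AttemptLimiter:
    """Failed-attempt budget keyed by account, shared by every endpoint."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._state = {}  # account -> (failure count, locked-until timestamp)

    def locked(self, account):
        return self.clock() < self._state.get(account, (0, 0.0))[1]

    def record(self, account, success):
        if success:
            self._state.pop(account, None)  # a good login resets the budget
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        until = 0.0
        if failures >= self.max_failures:
            failures, until = 0, self.clock() + self.lockout_seconds
        self._state[account] = (failures, until)

def verify(limiter, store, endpoint, account, guess):
    """Return 'ok', 'denied' or 'locked'. `endpoint` is deliberately not part
    of the limiter key, so no single service sits outside the budget."""
    if limiter.locked(account):
        return "locked"  # the guess is never compared against the secret
    # Plaintext store only for brevity; a real service compares password hashes.
    ok = hmac.compare_digest(store.get(account, ""), guess)
    limiter.record(account, ok)
    return "ok" if ok else "denied"

def guesses_evaluated(candidates, secret, endpoints=("login", "find-device")):
    """Replay a candidate list against a fresh limiter with a frozen clock and
    count how many candidates actually reach the comparison."""
    limiter = AttemptLimiter(clock=lambda: 0.0)
    store = {ACCOUNT: secret}
    evaluated = 0
    for i, guess in enumerate(candidates):
        result = verify(limiter, store, endpoints[i % len(endpoints)], ACCOUNT, guess)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated
```

A per-account budget does not limit one guess being tried across many accounts, so it is normally paired with per-source throttling and monitoring of failed-login volume.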
Opinions differ on Apple's liability in this incident.

Is there any reason for users of iCloud to be more worried than usual about security of their files? There is indeed, Forrester Research security analyst Andras Cser told eWEEK.
"iCloud contains much more sensitive data than other services," Cser said. "iCloud is built into the Apple ecosystem. iCloud is probably less safe than other networks because of its almost exclusive consumer focus.
"Market share causes hackers to pay attention to a platform. But most importantly it's the value of information that hackers can gain. This incident underscores that if you put data into the cloud it should better be encrypted separately from the cloud provider, using a different service like nCryptedCloud, CipherCloud and others."

Security of online content is a shared responsibility, Boris Gorin, head of security engineering at cloud app security provider FireLayers, wrote in his blog.

"It is your obligation to manage passwords, protect against identity fraud, prevent loss or theft of their devices, encrypt sensitive data, access to devices via secure networks and a host of other risk mitigation activities," Gorin wrote. "Cloud service providers are charged with ensuring that their application and IT infrastructure is secure and in working order. The same division of responsibility exists between corporations and the cloud service providers of enterprise business applications like SalesForce, GoogleApps, NetSuite, SugarCRM, WorkDay and others.
"Cloud application security is a corporate problem. Understanding that your business shares responsibility in securing cloud application usage and data, as well as closing related compliance gaps is the cornerstone of a cloud application governance strategy. The more you appreciate the magnitude of the risk you face, the better you are able to mitigate it."

Impact on Business Could Be Substantial
The impact of this event on businesses is as important, if not more so, than the effect on consumer users. It has been estimated by IT researchers that about 65 percent of all small and midsize businesses are now storing some sort of data in the cloud in an effort to save money and make those files more easily available to employees, business partners and contractors. That's a lot of files stored in the cloud in only about eight years.
That 65 percent will soon be 66 percent, then 67 percent, and so on, in a short time. Alarmingly, the number of hacking events is also increasing.
The level of sophistication among the hackers remains way ahead of the mainstream world. Former Secretary of State Hillary Clinton admitted as much the other day at an IT event in San Francisco when she talked about how the U.S. federal government is using new-gen IT: It doesn't.
"Let's face it: Our government is woefully behind in all of its policies that affect the usage of technology," Clinton said. "When I came to the State Department, it was still against the rules to let all foreign service officers have access to a BlackBerry. You couldn't have desktop computers when Colin Powell was there. Everything you (in Silicon Valley) are taking advantage of and inventing and using is still a generation or two behind when it comes to our government."
Oh boy. That's encouraging.

Chris Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...