
    Is Apple’s iCloud Less Secure Than Other Cloud Storage?

    By Chris Preimesberger - September 3, 2014

      How relevant to all of us is the Labor Day weekend hack attack on female celebrities that exposed a number of nude photographs stored in a cloud service–in this case, Apple’s iCloud?
      It is indeed relevant, even though most of us are not celebrities sought after for their photographs, nude or otherwise. It’s relevant because more and more people are trusting their personal files to cloud storage, and if that trust erodes, the business model–and eventually the sector–will fail and be replaced by something else.
      This is a result that companies such as Apple, Amazon, Microsoft, Google, Yahoo, Facebook and dozens of others that store personal files for customers do not want to see happen at any cost. In fact, it’s safe to say that nobody wants to see this continue to happen, yet it does–and on an all-too-regular basis.
      In case you haven’t heard, three days ago an as-yet-unidentified hacker broke into the iCloud storage accounts of stars including actresses Jennifer Lawrence and Kirsten Dunst and model Kate Upton, stole the images and then published the photos to an image Website called 4Chan.org (the domain of which is now for sale). It has been called the biggest celebrity hacking scandal to date. It was important enough for the FBI to assemble a team to investigate the case.

      Apple Claims Its Security Not to Blame
      Apple took a day and a half to respond that it believes the photos were leaked due to targeted attacks on specific accounts and not because of a direct breach of Apple’s storage or mobile security.
      Whatever process enabled the breach, this type of problem can happen against any type of cloud storage service. Apple just happens to be the victim in this latest attack.
      “We have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet,” the company said in a statement. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems, including iCloud or FindMyiPhone.”
      Whether or not Apple’s security was part of the issue, the company patched at least one vulnerability in the iPhone right after the photos were leaked. So that tells us something.

      Two Vulnerabilities Identified
      “There were two vulnerabilities that were talked about, and they don’t know which one was actually used,” Steve Pao, general manager of Security Business at Campbell, Calif.-based Barracuda Networks, told eWEEK. “One was in FindMyiPhone. This is a phone service on the iPhone that did not have brute force attack prevention.”
      This patch was confirmed on open source code-sharing site GitHub by someone with inside knowledge of the attack. “The end of the fun, Apple has just patched,” the post read.
      “It turns out that just 36 hours before the images went up on the 4Chan.org site, a sample script was submitted to GitHub that could be used to check against the 500 most-known passwords,” Pao said. “By the way, ‘password’ isn’t the most common password anymore. ‘1-2-3-4-5-6’ is now the most common one.
      “Anyway, the hacker may have used that demo code (on GitHub) to hack into those accounts and steal the photos.”
      The second vulnerability was associated with how Apple does authentication for additional devices into the same iCloud keychains, Pao said.

      Tougher Passwords Always Help
      “What’s interesting is that after reading that, I even changed my own [passwords],” Pao said. “Let’s say you have a Mac and want to add an iPad to the iCloud account. By default, the Mac sends an SMS or an iMessage message to your favorite device.”
      These can be intercepted by a hacker during the authentication process, which would enable the hacker to gain entry into the iCloud account.
      “Another way you can do it (connect the devices to the same iCloud account) is with a four-digit PIN (personal identification number). But it turns out that the four-digit PINs are really easy to ‘brute force,’ ” Pao said. “A user has to figure out for himself how to enter a more complicated password.”
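      The brute-force prevention Pao describes as missing, and its effect on the two guess spaces mentioned above (a 500-entry password list and the 10,000 possible four-digit PINs), can be modelled in a few lines. This is an added example, not code from the article or from Apple; the class name, thresholds (five free attempts, a 60-second first lock that doubles up to one day) and the one-second-per-attempt figure are assumptions chosen for illustration.

```python
class AttemptLimiter:
    """Per-account failed-login throttle with exponential lockout."""

    def __init__(self, free_attempts=5, base_lock=60, max_lock=86400):
        self.free_attempts = free_attempts  # failures tolerated before any lock
        self.base_lock = base_lock          # first lock, in seconds (assumed)
        self.max_lock = max_lock            # cap on a single lock: one day
        self._state = {}                    # account -> (failures, locked_until)

    def locked_until(self, account):
        return self._state.get(account, (0, 0.0))[1]

    def allowed(self, account, now):
        return now >= self.locked_until(account)

    def record(self, account, success, now):
        if success:
            self._state.pop(account, None)  # a good login clears the counter
            return
        failures = self._state.get(account, (0, 0.0))[0] + 1
        until = 0.0
        if failures >= self.free_attempts:
            doublings = min(failures - self.free_attempts, 32)
            until = now + min(self.base_lock * 2 ** doublings, self.max_lock)
        self._state[account] = (failures, until)


def seconds_to_exhaust(guesses, limiter=None, per_try=1.0):
    """Wall-clock seconds for `guesses` failed attempts on one account,
    each made as soon as the limiter (if any) permits it."""
    now = 0.0
    for _ in range(guesses):
        if limiter is not None:
            now = max(now, limiter.locked_until("acct"))
        now += per_try
        if limiter is not None:
            limiter.record("acct", False, now)
    return now


if __name__ == "__main__":
    for label, space in (("500-entry password list", 500),
                         ("4-digit PIN", 10_000)):
        open_s = seconds_to_exhaust(space)
        throttled_s = seconds_to_exhaust(space, AttemptLimiter())
        print(f"{label}: {open_s / 60:.0f} min unthrottled, "
              f"{throttled_s / 86400:.0f} days throttled")
```

      A lock keyed only on the account lets anyone lock the owner out, so services usually combine it with per-source throttling and a second factor.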
      Opinions differ on Apple’s liability in this incident.

      Is there any reason for users of iCloud to be more worried than usual about security of their files? There is indeed, Forrester Research security analyst Andras Cser told eWEEK.
      “iCloud contains much more sensitive data than other services,” Cser said. “iCloud is built into the Apple ecosystem. iCloud is probably less safe than other networks because of its almost exclusive consumer focus.
      “Market share causes hackers to pay attention to a platform. But most importantly it’s the value of information that hackers can gain. This incident underscores that if you put data into the cloud it should better be encrypted separately from the cloud provider, using a different service like nCryptedCloud, CipherCloud and others.”

      Security of online content is a shared responsibility, Boris Gorin, head of security engineering at cloud app security provider FireLayers, wrote in his blog.

      “It is your obligation to manage passwords, protect against identity fraud, prevent loss or theft of their devices, encrypt sensitive data, access to devices via secure networks and a host of other risk mitigation activities,” Gorin wrote. “Cloud service providers are charged with ensuring that their application and IT infrastructure is secure and in working order. The same division of responsibility exists between corporations and the cloud service providers of enterprise business applications like SalesForce, GoogleApps, NetSuite, SugarCRM, WorkDay and others.
      “Cloud application security is a corporate problem. Understanding that your business shares responsibility in securing cloud application usage and data, as well as closing related compliance gaps is the cornerstone of a cloud application governance strategy. The more you appreciate the magnitude of the risk you face, the better you are able to mitigate it.”

      Impact on Business Could Be Substantial
      The impact of this event on businesses is as important as, if not more important than, the effect on consumer users. It has been estimated by IT researchers that about 65 percent of all small and midsize businesses are now storing some sort of data in the cloud in an effort to save money and make those files more easily available to employees, business partners and contractors. That’s a lot of files stored in the cloud in only about eight years.
      That 65 percent will soon be 66 percent, then 67 percent, and so on, in a short time. Alarmingly, the number of hacking events is also increasing.
      The level of sophistication among the hackers remains way ahead of the mainstream world. Former Secretary of State Hillary Clinton admitted as much the other day at an IT event in San Francisco when she talked about how the U.S. federal government is using new-gen IT: It doesn’t.
      “Let’s face it: Our government is woefully behind in all of its policies that affect the usage of technology,” Clinton said. “When I came to the State Department, it was still against the rules to let all foreign service officers have access to a BlackBerry. You couldn’t have desktop computers when Colin Powell was there. Everything you (in Silicon Valley) are taking advantage of and inventing and using is still a generation or two behind when it comes to our government.”
      Oh boy. That’s encouraging.

      Chris Preimesberger
      https://www.eweek.com/author/cpreimesberger/
      Chris J. Preimesberger is Editor Emeritus of eWEEK. In his 16 years and more than 5,000 articles at eWEEK, he distinguished himself in reporting and analysis of the business use of new-gen IT in a variety of sectors, including cloud computing, data center systems, storage, edge systems, security and others. In February 2017 and September 2018, Chris was named among the 250 most influential business journalists in the world (https://richtopia.com/inspirational-people/top-250-business-journalists/) by Richtopia, a UK research firm that used analytics to compile the ranking. He has won several national and regional awards for his work, including a 2011 Folio Award for a profile (https://www.eweek.com/cloud/marc-benioff-trend-seer-and-business-socialist/) of Salesforce founder/CEO Marc Benioff--the only time he has entered the competition. Previously, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. He has been a stringer for the Associated Press since 1983 and resides in Silicon Valley.