Today Apple issued a statement saying that after a 40-hour investigation they found celebrity accounts had been hacked — but a flaw in iCloud was not to blame.
Rather, targeted attacks on user names, passwords, and security questions led to those accounts being compromised. “None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone,” the company said.
To protect against these types of attacks, Apple recommends using two-step verification.
Security and user experience have long been at odds. Many users just don’t want to use security protocols, whether it’s adding a few extra steps to online banking logins or putting anti-virus software on a PC. Nearly 40% of Americans think encryption isn’t a successful tool against hackers, according to a new YouGov study commissioned by Tresorit. And the ones who are skeptical about encryption are not using security any stronger than simple password protection.
Unfortunately, as AuthEntry told VentureBeat, “Relying on plain password protection is like using a piece of string to tie your bike to a meter in NYC and expecting it to be safe.”
Password protection is only so strong, which means a dedicated hacker can breach this security, given enough time. It also means that Apple has a vulnerability issue, if only because password-only security is easily breached.
I sat down with Keith Stewart, VP of product at cybersecurity firm vArmour, to talk about the difficulty of securing cloud computing. He says that part of the problem is that service providers forget that keeping files secure is not just about securing a main database full of personal or sensitive information: You need to secure the periphery too.
“Bad guys don’t go after the database. They know, unless you’re a complete idiot, you put some walls around it. They go after all the stuff that’s near the database, because they’re going to find stuff in there that you don’t want them to find,” says Stewart. He calls it attacking rings around the asset.
Which is probably how hackers were able to drag up supposedly deleted photos of Jennifer Lawrence and flash them all over 4chan; once a hacker infiltrates a system, it’s not difficult for them to access backup storage and other files.
It’s nice that Apple is using this experience to push users to set up two-step authentication. However, Apple should really make this security feature mandatory, as well as create tougher security settings. Only if it’s serious about security, that is.