The dust has barely begun to settle following the massive celebrity ‘nude photo’ leak over the weekend, yet allegations and claims are flying here, there, and everywhere.
Fingers are being pointed at suspect iCloud security despite no concrete evidence of exactly how the images became public in the first place (that is, apart from the original ‘leakers’ confession of obtaining the images from iClouds)
Firstly, it has to be unlikely that iCloud itself sustained a large attack, especially as the service is 128-bit encrypted both ways of delivery.
What is much more likely was that this was an attack of social engineering, an exploitation which works by manually deciphering information about the target ie. email addresses, date of birth, secret question answers, to try and attempt a spoof access to an account.
Of course this does raise issues about the surrounding security of iCloud against social engineered attacks, but businesses should have a much higher level of security than your regular Hollywood celebrity.
Steve Jones, head of R&D at UK penetration tester RandomStorm, said: "Although Apple’s encryption of the data itself is considered robust, Apple could apply AES 256 bit encryption to the images. This would put the majority of hackers off, or really slow them down.
"However, access to the celebrities’ images could have been gained through more indirect means, such as guessing the celebrities’ passwords, or by finding their email address and then correctly answering traditional security questions.
"Apple could improve the security of iCloud by enforcing the use of much stronger, unique passwords and by introducing two factor authentication to iCloud accounts, to ensure that access is from the correct device and/or account owner."
Weak passwords could be what is at the heart of this leak, and if your business is not operating at a level where it is creating stronger passwords than a layman then things needs to change.
Paco Hope, Principal Consultant at software security company, Cigital, also argues that iCloud is not in itself risky for businesses if used correctly. "Businesses build security in by using secure software to access their data. The choice of cloud provider is just part of that overall picture. This hack means nothing with respect to the security of iOS: iOS devices were merely the cameras in this situation. No one should change their position on iOS versus Android versus Windows based on this incident."
Furthermore, large firms such as Apple obviously have trained and dedicated in-house security teams which are constantly patching and working around flaws in the armour. Rik Ferguson, VP of security research at Trend Micro, said: "A wide scale ‘hack’ of Apple’s iCloud is unlikely. Even the original poster is not claiming that."
Steve Jones further argues that the security responsibility does not solely lie with the cloud storage provider. He said: "Businesses observing this hack should already understand that any digital asset that is valuable, whether it be employee login details, customer data, patient records, financial details, or intellectual property, is a target for cyber thieves and needs to be protected appropriately.
"This also means that businesses cannot delegate information security to their cloud service provider. If your business is faced with a determined assailant you need to put in place your cyber fire drill: change the rules on your firewall to shut the ports until further notice, move the assets, hide the assets and block access until you have had time to assess which vulnerability was exploited."
Mike Ellis, CEO at ForgeRock, also argues that it is indeed businesses that need to be more aware of cloud security. He said: "Big businesses as well as large, trusted government organisations need to manage vast and growing numbers of employee and customer digital identities.
"Global brands and large organisations that fail to take the right steps to address the growing complexity of identity relationship management risk not just a big dent in their reputation and trust, as iCloud is surely likely to face, but serious commercial or social consequences too as customers switch to more trusted brands or switch off entirely altogether. This example is just the tip of the iceberg and must be addressed sooner than later."
But Egemen Tas, VP of Engineering at Comodo Group, highlights some of the ramifications he thinks businesses with lapsed cloud security face. He said: "Cloud service providers should realise that they are expected to be as liable as a bank would be when it comes to catching fraudulent activities or having security and compliance procedures in place.
"Banks have legal compliancy requirements and regulations hence they have ways to combat similar threats to the cloud. Why shouldn’t cloud storage providers have similar legal regulations and liabilities? Just like we are more than one password away from our personal online banking accounts, we should be more than one password away from our cloud storage accounts. Having one password on our cloud accounts is not enough to combat attacks of this nature."
This breach, no matter who to blame, ultimately still alerts businesses to the risk of cloud storage, but this unforunate opportunity should be used to highlight areas where improvements can be made and cloud security awareness can be heightened. Alex Raistrick, from Palo Alto Networks comments: "The recent scandal involving leaked photos of celebrities stolen from Apple’s iCloud storage facility serves to highlight that security is still one of the greatest barriers preventing cloud computing from reaching its full potential. However, amid the negativity there are now more opportunities than ever for channel partners who specialise in cloud security to move in and toughen up security, particularly on previously ‘trusted’ platforms."
This article is from the CBROnline archive: some formatting and images may not be present.