The breach
So, you've heard by now that several dozen celebrities have had their iCloud / iPhone accounts hacked, and naked selfies leaked onto 4Chan / Imgur. It's still early, but Apple came out on Tuesday, stating emphatically that there was no breach. -- insert laughter -- I guess this all depends on how you define what a breach is.
The lie
In my opinion, Apple is actually lying. On August 30, researchers revealed that iCloud was vulnerable to brute force attacks (no lockout and no throttling after repeated wrong passwords), and they had written a script to take advantage of this by running a dictionary of the 500 most popular passwords against individual iCloud accounts. If Apple did not see the brute force attack method as a vulnerability, then why patch it two days later? And there you have it: Apple knew it was a vulnerability and closed it, but that does not mean the vulnerability was open for only those two days; anyone who knew about it could have written their own script and attacked iCloud users long before it was reported. In fact, the stolen photos and videos appear to have been taken over a period of years, which suggests the attackers had access for far longer than two days. In other words, if you have an iCloud account, you were vulnerable. That's what I would call a breach.
Up popped the Apple apologists and the mainstream media, telling us that all cloud services are equally at risk. That's complete bullshit.
Unlike Apple, Google and Microsoft, among many others including your bank, have long blocked brute force attacks by throttling or locking an account after a handful of failed logins, so a 500-word dictionary never gets past the first few guesses. If you don't believe me and you want to screw yourself, try entering multiple wrong passwords on your online bank / financial account and see how quickly it locks you out.
Unlike iCloud, if you choose a client-side encryption cloud storage service such as Tresorit or SpiderOak, your data is encrypted on your own device before it is uploaded and the key never leaves the devices you have specifically assigned. Neither the provider nor anyone who breaks into the provider's servers or intercepts the traffic midstream can read it unless they can break 256-bit encryption, which, while not impossible in principle, is impractical far beyond any realistic timescale.
The reality
Where Apple does match Google and Microsoft is two-factor authentication, but only if you turn it on. When it is enabled, any attempt to sign in from a device other than your own requires a second factor, typically a code sent to you by text message, so a guessed or stolen password alone is not enough. This is where end-users who want to keep their private data private need to take responsibility for using good practices. If you don't use good practices in the security of your data, you cannot expect your data to remain safe.
Think about it. These folks frequently use remote security services to keep their homes protected, and use car alarms / disabling devices for their vehicles. But they won't use 2-factor authentication?
But 2-factor authentication does not always mean that your data is safe; it only protects the operations the provider chooses to put behind it, and at the time of the breach Apple's two-step verification did not cover restoring an iCloud backup, which needed only the Apple ID and password. The safest means of storing data in the cloud, again, is to use client-side encryption storage. Combine that with 2FA, and you're even safer.
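To make the two points above concrete, here is an added example (my own code, not Apple's, Google's or any provider's, and not from the original post) that replays the "500 most popular passwords" attack against a small login service. The service is run twice: once with no lockout, the way iCloud behaved before the patch, and once with a lockout after five consecutive failures, the way a bank or Google behaves. It then shows that even a found password is useless when a time-based one-time code (RFC 6238 TOTP, the kind an authenticator app generates) is required as a second factor. The password list, the account name, the lockout parameters and the TOTP secret are all constructed for the demo; the TOTP secret is the RFC 4226/6238 test-vector key so the codes can be checked against the published values.

```python
"""Added example: account lockout versus an unthrottled login, plus a TOTP second factor."""
import hashlib
import hmac
import os
import struct
import time

# Constructed stand-in for the "500 most popular passwords" list the brute-force script used.
COMMON_PASSWORDS = [
    "123456", "password", "12345678", "qwerty", "abc123",
    "monkey", "letmein", "iloveyou", "trustno1", "dragon",
]

MAX_FAILURES = 5           # consecutive failures before the account is locked (assumed policy)
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts (assumed policy)
TOTP_STEP = 30             # RFC 6238 time step in seconds
TOTP_DIGITS = 6


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is a modest choice for a demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, window=1):
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    counter = int(at_time) // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


class AccountStore:
    """Minimal credential store with per-account lockout and an optional TOTP second factor."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.users = {}
        self.max_failures = max_failures      # None means "never lock", i.e. brute-forceable
        self.lockout_seconds = lockout_seconds

    def add_user(self, username, password, totp_secret=None):
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt, "hash": _hash_password(password, salt),
            "totp_secret": totp_secret, "failures": 0, "locked_until": 0.0,
        }

    def login(self, username, password, code=None, now=None):
        """Returns one of: 'locked', 'bad_password', 'totp_required', 'bad_totp', 'ok'."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            return "bad_password"             # do not reveal which usernames exist
        if now < user["locked_until"]:
            return "locked"                   # refuse before even checking the password
        ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])
        failure = "bad_password"
        if ok and user["totp_secret"] is not None:
            if code is None:
                return "totp_required"        # password alone never signs you in
            ok = verify_totp(user["totp_secret"], code, now)
            failure = "bad_totp"
        if not ok:
            user["failures"] += 1             # wrong codes count toward the lockout too
            if self.max_failures is not None and user["failures"] >= self.max_failures:
                user["locked_until"] = now + self.lockout_seconds
            return failure
        user["failures"] = 0
        return "ok"


def dictionary_attack(store, username, candidates, now=0.0):
    """Replay the brute-force script: one login attempt per candidate password."""
    for tried, pw in enumerate(candidates, start=1):
        result = store.login(username, pw, now=now)
        if result == "locked":
            return "locked_out", tried
        if result in ("ok", "totp_required"):
            return "password_found", tried
    return "exhausted", len(candidates)


if __name__ == "__main__":
    secret = b"12345678901234567890"      # RFC 6238 test-vector key, constructed for the demo
    unthrottled, throttled = AccountStore(max_failures=None), AccountStore()
    for s in (unthrottled, throttled):
        s.add_user("celeb", "iloveyou", totp_secret=secret)
    print("no lockout:", dictionary_attack(unthrottled, "celeb", COMMON_PASSWORDS))
    print("lockout after 5:", dictionary_attack(throttled, "celeb", COMMON_PASSWORDS))
    print("found password, no code:", unthrottled.login("celeb", "iloveyou", now=59))
    print("found password + code:", unthrottled.login("celeb", "iloveyou", code=totp(secret, 59), now=59))
```

With no lockout the weak password is found on the eighth guess; with a five-failure lockout the attacker is refused on the sixth attempt and never reaches it. The lockout check runs before the password is even hashed, so a locked account costs the attacker nothing but time and gives nothing back, and a wrong second-factor code counts toward the same lockout so the six-digit space cannot be brute-forced either.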
Schadenfreude
It is mind-numbing how naive people are when it comes to boasts about the relative security of iOS / Apple. For years, Apple's devices / operating systems / browsers fell to hackers within minutes of the start of the annual Pwn2Own contest, even as Google's systems / devices survived. The people who make such false claims about the relative safety of iOS / Apple are fanboys and should be ignored, period.
If you believe in the fanboy bullshit, I tell you, schadenfreude!
No really, there are forensic tools, available on BitTorrent, that let people pull down iCloud backups directly. In fact, along with the brute force attack, these forensic tools may well have been used in this celeb nude photo grab, and they have been available for years.
In other words, if you use iCloud, your account was easily accessible to hackers. So I repeat to those iPhone fanboys: Schadenfreude.