This weekend Apple’s iCloud made headlines for all the wrong reasons. It was implicated in an alleged hacking attack that saw celebrities’ most private photographs leaked online. If celebrities’ data isn’t safe in the cloud, many business users will be wondering, is data belonging to companies at risk too?
As with most high-profile hacking stories, there’s a bit more to it than the headlines suggest. The likelihood that a hacker has managed to compromise Apple’s iCloud is remote – as Apple details on its support pages, iCloud is well protected, although researchers have identified exploitable flaws – and the photographs may not even be real ones; some of the victims have said that the images of them have been faked.
However, even if the images are real it’s likely that the hacker obtained them through relatively simple and low-tech means rather than through compromising an entire cloud storage system.
Hacking is hard. Tricking people is much easier.
Dirty tricks, done dirt cheap
In May, Australian owners of iOS devices found themselves locked out of their hardware. A stranger gained access to their iCloud accounts, remotely locked their devices and demanded payment to unlock them again.
The stranger was described as a hacker, but scammer would be more accurate: it’s believed that the users’ credentials were obtained through the low-tech method of phishing, where fake emails are sent out in order to obtain people’s login information. Once that information had been obtained, the scammer could get into people’s iCloud accounts and lock their devices.
The information needn’t have come from iCloud. If you can get into somebody’s email account you can make use of services’ forgot-password links to reset the logins for other online services. If the person whose account you’ve compromised uses the same password across multiple services – as many people do – then a single password becomes the key to somebody’s entire digital life.
If that password provides access to an unprotected cloud storage system, such as shared folders containing unencrypted documents, then it’s just a matter of syncing to get perfect copies of everything in those folders.
The major cloud services use SSL and AES encryption to protect their customers’ data, but there’s not much they can do when user names and passwords are handed out willingly or used on less secure sites which are then compromised. It’s rather like having a state-of-the-art alarm system in a mansion and then going out with the alarm switched off and the front door wide open.
As with many security problems, the biggest risks aren’t from the technology. They’re from the people using it.
Two cheers for 2FA
A frightening number of people’s passwords are easily guessable: in its annual survey of online password dumps, SplashData found that the most common password in the year of NSA and Edward Snowden revelations and endless security breaches was "123456". Second was "password", followed by "12345678", "qwerty", "abc123", "123456789", "111111" and "iloveyou".
The data available to SplashData is also available to software writers. Password cracking tools use databases of people’s passwords to enable so-called Brute Force Attacks, which automatically try multiple passwords at dizzying speeds. iCloud was vulnerable to such hacks – there was no limit on how many unsuccessful passwords you could try – and while that vulnerability has been fixed, other online sites and services are still vulnerable to such attacks.
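The two weaknesses just described, guessable passwords and unlimited guessing, are both addressed on the service side. The following is an added example, not code from the article or from any of the services it names: a small login guard that refuses the eight common passwords listed above and locks an account after repeated failures. The failure threshold, the lockout window and the 12-character minimum are assumed values.

```python
import time
from collections import defaultdict

# Blocklist built from the eight most common passwords the article quotes
# from SplashData's survey; a real deployment would use the full dump.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty",
    "abc123", "123456789", "111111", "iloveyou",
}

MAX_FAILURES = 5           # assumed: failed attempts allowed per account
LOCKOUT_SECONDS = 15 * 60  # assumed: refuse further attempts for this long


class LoginGuard:
    """Counts failed attempts per account so a script cannot try passwords
    without limit. `now` is injectable so the lockout can be tested."""

    def __init__(self, verify_password, now=time.time):
        self._verify = verify_password      # callable(user, password) -> bool
        self._now = now
        self._failures = defaultdict(list)  # user -> timestamps of failures

    def _recent_failures(self, user):
        # Drop failures older than the lockout window, keep the rest.
        cutoff = self._now() - LOCKOUT_SECONDS
        self._failures[user] = [t for t in self._failures[user] if t > cutoff]
        return self._failures[user]

    def is_locked(self, user):
        return len(self._recent_failures(user)) >= MAX_FAILURES

    def attempt(self, user, password):
        """Return 'ok', 'locked' or 'denied'. A locked account is refused
        before the password is checked, so a guess reveals nothing."""
        if self.is_locked(user):
            return "locked"
        if self._verify(user, password):
            self._failures.pop(user, None)  # success clears the counter
            return "ok"
        self._failures[user].append(self._now())
        return "denied"


def is_acceptable_password(password):
    """Reject anything on the common-password list (case-insensitive)
    or shorter than 12 characters before it is ever stored."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS
```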
Most IT departments mandate more sensible, strong passwords, of course, but many cloud services also offer a second level of protection. That level is known as Two Factor Authentication, or 2FA for short; some services prefer MFA, for Multi-Factor Authentication.
2FA/MFA is simple and effective. Whenever a new device (or even a reset web browser) attempts to access an account, 2FA asks for corroboration. Most commonly that means sending a code to a stored email address or better still, a mobile phone. No code, no access.
OneDrive uses 2FA, as do iCloud, Dropbox, Amazon, Box, Google and others. You’ll find a useful list of which services do and don’t offer 2FA at twofactorauth.org.
2FA is very effective, but it does depend on people hanging on to their devices. What happens if the nominated device for 2FA gets lost or stolen?
Protect your phones
A lost or stolen mobile phone can be the keys to a kingdom. Take an iPhone, for example: it has access to email, may use iCloud Keychain to store passwords and logins for multiple sites, may have apps whose login screens have "remember me" ticked and may be the nominated device for 2FA/MFA.
Once again, the protection is there if the user or organisation enables it. Depending on the device, phones can be protected with passcodes, gestures or biometrics, and if a device is lost, misplaced or stolen we can revoke app and access authorisations or remotely lock and wipe the device.
We don’t yet know whether the stolen celebrity photos were the result of a phishing attack, a brute force attack, inside information or something else entirely, but we do know how to minimise the risk of content getting into the wrong hands. We can limit access on a need-to-know basis, sharing only what we really need to share with the people we really need to share it with. We can mandate strong, unique passwords.
We can use encryption not just to protect data in transit but to lock out anyone who shouldn’t be able to access it. And we can enable two-factor authentication.
Cloud computing needn’t be less secure than traditional computing, but the things that make it so compelling – the ability to access crucial data or documents from anywhere on almost any device – also make it easier for sloppy security to backfire badly.