BreachExchange mailing list archives

After Celebrity Photo Hack, How Safe Is the Cloud?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 3 Sep 2014 19:09:46 -0600

http://mashable.com/2014/08/31/how-safe-is-icloud/

A trove of celebrity nude images — purportedly of some major celebrities —
spread across the web Sunday evening. Although the veracity of many of the
images in question is unclear, a number of celebrities have confirmed that
they are the victims of this violation of privacy.

Hacking into cell phones or online accounts to access nude or personal
photographs from celebrities is hardly new (remember when Paris Hilton's
SideKick was hacked?), but what makes this incident potentially more
disturbing are the rumors that this cache of images is associated with a
broader attack on iCloud and its Photo Stream feature.

To be clear, it is not confirmed that iCloud was involved in this incident.
We've reached out to Apple for comment and will update if we get any
statement from the company. It's also important to note that even if iCloud
accounts were compromised, that doesn't necessarily signify a larger,
systemic breach.

Still, knowing how many people use iCloud, we wanted to address how safe
iCloud and other cloud systems, such as Dropbox, Google Drive and OneDrive,
are.

An overview of iCloud security

On its website, Apple has an entire overview of the security measures in
place to protect data on iCloud.

iCloud data is encrypted both on the server and when it is in transit (that
means, when it is sent from your device to the server). For photos, Apple
says that there is a minimum level of 128-bit AES encryption.

On official Apple apps, Apple uses secure tokens to authenticate an
account. This means that your username and password aren't stored within
the apps themselves. For third-party apps that might access iCloud, Apple
sends the username and password over SSL.

This means that as long as your password is unique and secure, it should be
very difficult for someone to intercept your data as it is sent from your
phone or computer to Apple's servers.

How strong is your password

The real question is less about how good iCloud security is and more about
how strong (and how unique) a user's password is.

Apple requires users to have a password with at least 8 characters, a
number, an uppercase letter and a lowercase letter. I know that in the
past, however, if you had a password that did not fit those rules, Apple
wouldn't force you to create a new password unless you were signing up for
two-factor authentication.

Moreover, the real problem that most users run into isn't that their
password isn't strong enough; it's that it isn't unique.

Look, it's tough to keep track of the hundreds of different passwords we
create for our various accounts. Thus, it usually becomes easier to just
reuse the same password over and over again.

This is problematic because if a site that you use frequently is hacked and
you use that email/password combination for other accounts, all of those
accounts are at risk, too.

This means that even if your password was created to be "strong," it's
useless if you use it (and the same email or username) at multiple places.
Hackers have access to large database sets of compromised usernames and
passwords.

This is why we always encourage users to change their passwords anytime
that password is used in more than one place with the same login name. This
is especially true if an account is important or is linked to another
account (such as Facebook, Gmail or Twitter).

Two-factor authentication

Although passwords can be problematic (because people reuse them), even
that risk can be mitigated through the use of two-factor authentication.
Two-factor authentication means that before you can access an account, you
must log in with both a password and a unique device code (usually sent via
SMS or from an authenticator key).

Apple offers its own support of two-factor authentication for iTunes and
iCloud accounts. If enabled, this means that before a new computer or
device can gain access to your iCloud data, you must approve that device
with a four-digit authentication code (sent to your phone via SMS) or grant
access from another enabled machine. A pop-up also appears on all of your
devices letting you know that another computer now has access to your
iCloud or Apple ID data.

Although it's great that Apple offers two-factor authentication, we should
note that the setup process with Apple's two-factor system is not as easy
as setting up two-factor authentication with Google or Dropbox. Apple's
system does not work with third-party authenticators such as Yubikey or
Google's own Google Authenticator protocol for generating unique four-digit
codes.

The setup process for two-factor authentication is such that we suspect the
vast majority of users do not have it enabled on their accounts. This means
that for most accounts, access to iCloud and assorted data could be
obtained by simply gaining access to the iCloud password.

Social engineering: the real threat

Apple's built-in security systems are quite robust. The option for
two-factor authentication is yet another way for users to double down on
their security.

The real vector, however, for most security attacks isn't necessarily with
security bugs built into the systems themselves, but with an area much
harder to protect against: people.

In 2012, Wired reporter Mat Honan was the victim of an extensive hack that
left his digital life in shambles.

The hacker didn't gain access to Honan's accounts by cracking his
passwords. Instead, he was able to use public information, unsettling
security practices by tech support and good old-fashioned social
engineering to ultimately gain access to his Gmail and iCloud accounts.

Two years later, companies such as Apple and Amazon (who both inadvertently
aided the criminal in accessing Honan's accounts) have changed their
support policies. But unless two-factor authentication is turned on, social
engineering and getting the right (well, wrong) tech support agent could
offer up access to the wrong person (or allow a criminal to get important
information useful in getting into an account by successfully answering
secret questions).

Accessing content from local devices

If you sync your computer with iCloud or iPhoto, the files sent to iCloud
and those stored on iCloud are encrypted and secure. The files on your
device itself, however, might be another story.

As an example, if your iPhone or iPad does not have a passcode on it (and
does not have the option that requires the user to approve access to USB
every time it is plugged into a new machine), someone could plug your
device into a computer and use iTunes or other third-party programs to copy
every file from your phone. Some of those files may be encrypted, but files
such as photos and videos are not.

With iOS 7 on the iPhone 4S or iPad 2 and higher, if a locked phone is
connected to a computer, even if the entire file system is copied over, the
contents of that system are still encrypted as long as you have a passcode
on your phone.

Likewise, although Apple offers great encryption built into OS X, it's not
enabled by default. That means that if someone gains physical access to
your laptop or desktop and can get into your user account (assuming you
have a password set), that person can access your files.

This has nothing to do with iCloud per se, but your local data can often be
intercepted more easily than data on the cloud.

So can you trust iCloud?

Until we see any evidence that indicates that a broader iCloud breach
occurred (or even get confirmation that iCloud was involved in these
incidents), we have no reason to believe that iCloud is unsafe.

The much more important question that users should ask themselves — whether
they use iCloud or Google or OneDrive or Dropbox — is if they can trust
themselves.

This means:

- Using secure, unique passwords on their accounts and devices

- Using two-factor authentication when available

- Enabling locks and passwords on computers and phone accounts

- Running the latest version of an operating system

Those steps alone won't ensure that your data will always be safe — but they
will go a long way in minimizing how attackers can access your accounts.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!
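The password-reuse section of the forwarded article says attackers hold large databases of compromised usernames and passwords and that a "strong" password is useless once the same login/password pair appears at several sites. The block below is an added example, not code from the article, Mashable, Apple or Risk Based Security: it audits a small, constructed set of saved credentials for two conditions, reuse of the same login/password pair across sites, and presence of the password in a breach corpus. The corpus lookup mirrors the k-anonymity range design used by the Pwned Passwords service (client sends only the first 5 hex characters of the SHA-1, server returns every suffix in that range, matching happens locally), but the corpus, the counts and the credentials here are all made up and embedded inline so nothing leaves the machine.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: password -> number of times it was seen in leaks.
# The passwords and counts are made up for this example.
LEAKED = {
    "password1": 2300000,
    "Summer2014!": 1200,
    "correcthorse": 45,
}

# Constructed password-manager export: (site, login, password). Also made up.
CREDENTIALS = [
    ("icloud.com", "alice@example.com", "Summer2014!"),
    ("shopping.example", "alice@example.com", "Summer2014!"),
    ("bank.example", "alice@example.com", "vW7!qR2pLz9mXe"),
    ("forum.example", "Alice@Example.com", "password1"),
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format the range files use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked: dict) -> dict:
    """Group leaked hashes by their 5-hex-char prefix.

    Each range holds 'SUFFIX:COUNT' lines, which is what a k-anonymity range
    endpoint returns for a prefix; the client never sends the full hash.
    """
    ranges = defaultdict(list)
    for password, count in leaked.items():
        digest = sha1_hex(password)
        ranges[digest[:5]].append(f"{digest[5:]}:{count}")
    return dict(ranges)


RANGES = build_ranges(LEAKED)


def breach_count(password: str, ranges: dict) -> int:
    """How often the password appears in the corpus (0 if never).

    Only the prefix selects a range; the suffix comparison is done locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in ranges.get(prefix, []):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reuse(credentials) -> dict:
    """Map (login, password) -> sorted sites, for pairs used at more than one site.

    Logins are compared case-insensitively because e-mail addresses are.
    """
    seen = defaultdict(set)
    for site, login, password in credentials:
        seen[(login.lower(), password)].add(site)
    return {pair: sorted(sites) for pair, sites in seen.items() if len(sites) > 1}


def audit(credentials, ranges: dict) -> list:
    """Return [(site, login, [reasons])] for every credential that should be rotated."""
    reuse = find_reuse(credentials)
    findings = []
    for site, login, password in credentials:
        reasons = []
        count = breach_count(password, ranges)
        if count:
            reasons.append(f"password seen {count} times in breach corpus")
        pair = (login.lower(), password)
        if pair in reuse:
            others = [s for s in reuse[pair] if s != site]
            reasons.append("same login/password also used at " + ", ".join(others))
        if reasons:
            findings.append((site, login, reasons))
    return findings


if __name__ == "__main__":
    for site, login, reasons in audit(CREDENTIALS, RANGES):
        print(f"{site} ({login}): " + "; ".join(reasons))
```

In the constructed data the bank entry is the only one that passes: it is unique and absent from the corpus. The iCloud and shopping entries are flagged for reuse (and because "Summer2014!" is in the corpus), and the forum entry for a corpus hit alone, even though the login there differs only in letter case.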
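The two-factor section of the forwarded article contrasts Apple's SMS/device-approval scheme with authenticator apps such as Google Authenticator. What such apps implement is TOTP (RFC 6238, built on HOTP, RFC 4226): a shared secret, usually handed over as a base32 string, is HMAC-SHA1'd with the current 30-second time step and truncated to a 6-digit code by default. The block below is an added example, not Apple's, Google's or the article's code; the secret is the RFC test-vector key "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), which is why the expected codes are known. The verifier side shows the two checks a practitioner should not skip: a small clock-drift window and rejection of a code whose time step has already been consumed, so a captured code cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret, used here as the enrolled secret.
SECRET = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode an authenticator-app style base32 secret (spaces/case/padding tolerant)."""
    cleaned = "".join(text.split()).upper().replace("-", "")
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding the QR payload omits
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    window: how many steps of clock drift to tolerate on either side.
    last_counter: highest counter already accepted for this user; any code for
    that step or earlier is refused, which blocks replay of an intercepted code.
    """
    if len(code) != digits or not code.isdigit():
        return None
    if at is None:
        at = time.time()
    current = int(at // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        # Constant-time comparison so a verifier does not leak which digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SECRET)
    print("current code:", code)
    print("accepted at counter:", verify_totp(SECRET, code))
```

The server stores the counter returned by verify_totp as the user's new last_counter; presenting the same code again, even inside the drift window, then fails. Apple's four-digit SMS codes described in the article are a different, server-generated scheme and are not produced by this algorithm.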
