With the recent iCloud breach occurring late last week, the focus in the mainstream media over the past couple of days has been on security and vulnerabilities. For several days Apple remained silent, but due to the attention the incident has been receiving in the media, they finally released the following statement:
Source: Business Insider
“After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.
None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud,” Apple said in its statement.
“We are continuing to work with law enforcement to help identify the criminals involved.”
In other words, Apple is saying we don’t share any of the blame… It’s the victims’ fault and, of course, the hackers’. While we can agree that the hackers should be soundly condemned for this breach, Apple should at least take ownership of the breach of its system. Many, including Business Insider, are questioning Apple’s response, as it leaves several unanswered questions.
But Apple’s response still leaves some unanswered questions. If the culprits weren’t able to infiltrate iCloud, then how were they able to target individuals? And what, if anything, can Apple do to prevent it?
This has huge implications for Apple as they have been advertising their system, including the iCloud, as secure. Their latest direction after doing very well in the consumer market is to seek a greater share of the enterprise market for which security is paramount. Recently they announced a new partnership agreement with American Express to work together on its new iPhone payments system. But it could all fall apart if they are perceived as being insecure.
Let’s look at what Apple said back in 2012:
Apple takes data security and the privacy of your personal information very seriously. iCloud is built with industry-standard security practices and employs strict policies to protect your data.
iCloud secures your data by encrypting it when it is sent over the Internet, storing it in an encrypted format when kept on server (review the table below for detail), and using secure tokens for authentication. This means that your data is protected from unauthorized access both while it is being transmitted to your devices and when it is stored in the cloud. iCloud uses a minimum of 128-bit AES encryption—the same level of security employed by major financial institutions—and never provides encryption keys to any third parties.
In response to Apple’s statement that no breach was found in any of Apple’s systems, including iCloud, the hackers are offering a different explanation, which seems to contradict Apple’s version of events. They apparently said that they used brute-force attack software to crack the passwords of some iCloud users and another piece of software to download the entire contents of those users’ iCloud accounts.
So the question remains: what motivation would they (the hackers) have to lie after openly admitting to committing a crime which could land them in jail for many years if they got caught?
According to Wired Magazine, in an article written by Andy Greenberg, a piece of software called EPPB, or Elcomsoft Phone Password Breaker, was openly being discussed on the hackers’ website as a means to download their victims’ data from iCloud backups. This software is sold to government and law enforcement agencies by Moscow-based forensics firm Elcomsoft.
Below are a few quotes from this article:
Source: Wired Magazine
“one step in the hackers’ sext-stealing playbook has been ignored—a piece of software designed to let cops and spies siphon data from iPhones, but is instead being used by pervy criminals themselves.
On the web forum Anon-IB, one of the most popular anonymous image boards for posting stolen nude selfies, hackers openly discuss using a piece of software called EPPB or Elcomsoft Phone Password Breaker to download their victims’ data from iCloud backups. That software is sold by Moscow-based forensics firm Elcomsoft and intended for government agency customers. In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victim’s iPhone and download its full backup rather than the more limited data accessible on iCloud.com. And as of Tuesday, it was still being used to steal revealing photos and post them on Anon-IB’s forum.
“Use the script to hack her passwd…use eppb to download the backup,” wrote one anonymous user on Anon-IB explaining the process to a less-experienced hacker. “Post your wins here ;-)”
One of the things that still baffles the mind is why Apple would not have a system in place to deter a brute-force attack on login IDs and passwords to their iCloud service. For those who do not know, a brute-force attack is one in which many password guesses are made, systematically checking all possible keys or passwords until the correct one is found. It includes techniques such as a “dictionary attack”, in which all words in a dictionary are used as guesses.
In a lot of cases it requires thousands of guesses, so as a way to combat this many IT systems will lock out the associated account after three incorrect guesses. The fact that this deterrent does not seem to have been in place is rather surprising.
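The lockout described above, as an added example (not code from the article or from Apple): a guard that counts consecutive wrong guesses per account and refuses further attempts after the third. The 15-minute lock duration, all names, and the in-memory store with its sample account are assumptions made for illustration.

```python
import hashlib
import hmac
import time

MAX_FAILURES = 3            # "three incorrect guesses", as in the text above
LOCKOUT_SECONDS = 15 * 60   # assumed lock duration; the article gives none


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LockoutGuard:
    """One failure counter per account, shared by every login endpoint."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = {}      # account -> consecutive wrong guesses
        self.locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() >= until:
            # Lock has expired: forget it and start counting afresh.
            del self.locked_until[account]
            self.failures.pop(account, None)
            return False
        return until is not None

    def record(self, account, success):
        if success:
            self.failures.pop(account, None)
            return
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS


def login(guard, users, account, password):
    """Return 'ok', 'denied' or 'locked'. Every endpoint must call this."""
    account = account.lower()
    if guard.is_locked(account):
        return "locked"          # refuse before the password is even checked
    salt, stored = users.get(account, (b"", b""))
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    guard.record(account, ok)
    return "ok" if ok else "denied"


# Constructed sample data: one account in an in-memory store.
SALT = b"constructed-salt"
USERS = {"alice@example.com": (SALT, hash_password("correct horse", SALT))}
```

Because the counter is keyed on the account and lives in one place, it only deters guessing if every service that accepts the password goes through the same `login` path.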
Source: Wired Magazine
“Apple’s security nightmare began over the weekend, when hackers began leaking nude photos that included shots of Jennifer Lawrence, Kate Upton, and Kirsten Dunst. The security community quickly pointed fingers at the iBrute software, a tool released by security researcher Alexey Troshichev designed to take advantage of a flaw in Apple’s “Find My iPhone” feature to “brute-force” users’ iCloud passwords, cycling through thousands of guesses to crack the account.
If a hacker can obtain a user’s iCloud username and password with iBrute, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.
Note that even with the patch issued by Apple to fix the security flaw exposed by iBrute, some users are still exposed.
For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn’t depend on any “backdoor” agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible.
“When you have third parties masquerading as hardware, it really opens up a vulnerability in terms of allowing all of these different companies to continue to interface with your system,” he says. “Apple could take steps to close that off, and I think they should.”
So there you have it folks. Apple has endured one of their most difficult weeks in recent times. They obviously have a lot of work to do both in terms of providing better security to their systems and also rebuilding their reputation.
From this security breach there are lessons to be learned.
- Companies such as Apple that advertise cloud services must ensure that their infrastructure is secure and not prone to common attacks such as the brute-force attack that appears to have occurred.
- Companies should limit access to software that can impersonate their devices. With the Elcomsoft tool, the hacker was able to impersonate iPhone devices and take advantage of their trusted communication protocols with iCloud.
- Consumers should be very mindful of where they choose to store sensitive information and where it is being synced. In the case of photos and videos on an iPhone, there is a setting that, unless switched off, will automatically sync them to iCloud. So even if the photo or video is deleted from the user’s device, it will still exist in the cloud. The better alternative is not to store that information where it can be easily accessed in an unencrypted format.
For those of you who value security, there is an option, and it is BlackBerry 10. When this operating system was being built, BlackBerry made sure to architect security into every single layer.
Below is what BlackBerry has to say about its own security.
Source: Inside BlackBerry
“BlackBerry is synonymous with security”
- Protection with locks, pins and passwords
- Customizable permissions for native apps
- Long-standing support for AES-256 data encryption and existing S/MIME encryption and functionality
- Device tracking with BlackBerry Protect
- Industry’s most secure messaging with BBM Protected
The choice is very simple indeed.
You can own an iOS or Android device and gamble that what you have and who you are is of no interest to anyone as these attacks gather pace, in the hope that when the day comes that some hackers somewhere look at YOUR information, they can’t find any way of using it to extort money from you or ruin your reputation in some way.
Or you can buy a BlackBerry.
What’s it going to be?