Apple’s Cook Promises Feeble iCloud Security Upgrades

Apple is taking steps to improve security in the wake of the furor generated by hackers’ posting nude photos of celebs on the Internet, CEO Tim Cook told The Wall Street Journal.

Apple will alert users via email and push notifications when someone tries to restore iCloud data to a new device, Cook said.

It already does this when someone tries to change an account password or when a device logs in to an account for the first time.

Users can respond immediately by changing their passwords or alerting Apple’s security team.

Apple also will extend its use of two-factor authentication (2FA) to cover access to iCloud accounts from a mobile device, including it in iOS 8, Cook said.

He admitted that Apple could have done more to alert customers to the dangers of hackers targeting their accounts, and to the importance of creating stronger and safer passwords.

Those Darn Users!

Cook reportedly also said the victims’ accounts were compromised when hackers correctly answered security questions to obtain their passwords, or that the celebs’ user IDs and passwords had been stolen through a phishing scam.

None of the Apple IDs and passwords leaked from the company’s servers, he maintained.

That contradicts a statement on the GitHub iBrute page, which claims the celebs’ data was taken in a December 2009 breach of advertising network RockYou.

“If the hacker didn’t use iBrute, they were pretty dumb,” Jonathan Sander, strategy and research officer at Stealthbits Technologies, told TechNewsWorld. “Hackers don’t like work; they … wait for something like iBrute to appear, set it up, and sit back with a bag of chips to wait for the results.”

Blaming the victim does not sit well with Richard Blech, CEO of Secure Channels.

Technology is the application of scientific knowledge for practical purposes, Blech told TechNewsWorld. “If, at the end of the day, we simply continue to blame the user, why call it ‘technology’ at all?”

Also, Apple “has really awful security questions,” Sean Sullivan, a security advisor at F-Secure, pointed out. “They’re very easy to research, and [Apple] forces customers to use them.”

Apple did not respond to our request to comment for this story.

Dude, You Got a Break-In

Getting an alert from Apple about a suspected hack is like getting a call from a neighbor saying someone is breaking into your house. You still have to call the police and will have lost stuff.

Notification could help victims of targeted attacks, which move at a slow pace, because the victim could take action in a timely manner, Stealthbits’ Sander said. “But it wouldn’t help when [hackers] run iBrute overnight and have your data before you even wake up to the email.”

2FA – a Flawed Approach?

“Apple needs to [use] simple two-factor authentication, which should not take too much time to implement,” John Prisco, CEO of Triumfant, told TechNewsWorld. “Send a text code to the client’s iPhone and this type of hack will be greatly reduced.”

However, that reliance on texting to the user’s phone is the 2FA approach’s weak point.

“The phone can’t receive the 2FA code if it’s being reset and restored,” F-Secure’s Sullivan told TechNewsWorld.

Further, 2FA is a controversial approach because, while it improves security, the user experience “becomes more cumbersome, requiring more time and effort from end users,”Securonix CMO Sharon Vardi told TechNewsWorld. That could detract from the user experience.

Smartphone OS creators don’t offer users a choice of security levels, as is done in Windows and Web browsers, because “security breaks usability,” Sullivan said, and “most users prefer convenience.”

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.

1 Comment

  • It’s not Apples Fault- kind of..

    Privacy on the Internet- privacy of ANY kind on the internet is a myth. On the "stolen" photos thing? Was it teenage boys desperately working to find just what they were looking for or worse than that, bottom feeder paparazzi?

    News sources today are screaming about another major retailer being hacked and looting a bazillion customer accounts. No privacy there.

    How about substantial allegations that government agencies ARE recording YOUR phone calls, emails, and financial transactions? Where is the privacy there?

    Even encryption is fallible and some commercial encryption vendors have been caught collaborating with three-letter government agencies.

    My stock email signature is at the end. It is my opinion on privacy on the internet.

    PRIVACY NOTICE:

    THIS MESSAGE WAS SENT OVER THE INTERNET.

    NOTHING SENT OVER THE INTERNET IS PRIVATE!

    For your own protection assume the CIA, NSA, FBI, KGB, RCMP, MSS. INIS, BND, Google, Microsoft, Yahoo, Apple, AT&T, BT and 32 other unidentified agencies and cyber-criminals have all read this message and will also read your reply.

    ENVIRONMENTAL NOTICE:

    This message contains only 100% organic post-consumer recycled bits and bytes.

    ANIMAL RIGHTS NOTICE:

    No bits or bytes were harmed in the creation or sending of this message. Bits and bytes were handled under the direct supervision of a qualified Doctor.(EE, IEEE, HAM, NEC, UL.)

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Hacking

TechNewsWorld Channels