Apple is taking steps to improve security in the wake of the furor generated by hackers’ posting nude photos of celebs on the Internet, CEO Tim Cook told The Wall Street Journal.
Apple will alert users via email and push notifications when someone tries to restore iCloud data to a new device, Cook said.
It already does this when someone tries to change an account password or when a device logs in to an account for the first time.
Users can respond immediately by changing their passwords or alerting Apple’s security team.
Apple also will extend its use of two-factor authentication (2FA) to cover access to iCloud accounts from a mobile device, including it in iOS 8, Cook said.
He admitted that Apple could have done more to alert customers to the dangers of hackers targeting their accounts and to the importance of creating stronger and safer passwords.
Those Darn Users!
Cook reportedly also said the victims’ accounts were compromised when hackers correctly answered security questions to obtain their passwords or that the celebs’ user IDs and passwords had been stolen through a phishing scam.
None of the Apple IDs and passwords leaked from the company’s servers, he maintained.
That contradicts a statement on the GitHub iBrute page, which claims the celebs’ data was taken in a December 2009 breach of advertising networkRockYou.
“If the hacker didn’t use iBrute, they were pretty dumb,” Jonathan Sander, strategy and research officer at Stealthbits Technologies, told TechNewsWorld. “Hackers don’t like work; they … wait for something like iBrute to appear, set it up, and sit back with a bag of chips to wait for the results.”
Blaming the victim does not sit well with Richard Blech, CEO of Secure Channels.
Technology is the application of scientific knowledge for practical purposes, Blech told TechNewsWorld. “If, at the end of the day, we simply continue to blame the user, why call it ‘technology’ at all?”
Also, Apple “has really awful security questions,” Sean Sullivan, a security advisor at F-Secure, pointed out. “They’re very easy to research, and [Apple] forces customers to use them.”
Apple did not respond to our request to comment for this story.
Dude, You Got a Break-In
Getting an alert from Apple about a suspected hack is like getting a call from a neighbor saying someone is breaking into your house. You still have to call the police and will have lost stuff.
Notification could help victims of targeted attacks, which move at a slow pace because the victim could take action in a timely manner, Stealthbits’ Sander said. “But it wouldn’t help when [hackers] run iBrute overnight and have your data before you even wake up to the email.”
2FA – a Flawed Approach?
“Apple needs to [use] simple two-factor authentication, which should not take too much time to implement,” John Prisco, CEO of Triumfant, told TechNewsWorld. “Send a text code to the client’s iPhone, and this type of hack will be greatly reduced.”
However, that reliance on texting to the user’s phone is the 2FA approach’s weak point.
“The phone can’t receive the 2FA code if it’s being reset and restored,” F-Secure’s Sullivan told TechNewsWorld.
Further, 2FA is a controversial approach because, while it improves security, the user experience “becomes more cumbersome, requiring more time and effort from end users,” Securonix CMO Sharon Vardi told TechNewsWorld. That could detract from the user experience.
Smartphone OS creators don’t offer users a choice of security levels, as is done in Windows and Web browsers, because “security breaks usability,” Sullivan said, and “most users prefer convenience.”