David Abbou

The infamous “Celebgate” a few weeks ago is still all over the mainstream press, mainly as fodder for the likes of TMZ and Entertainment Tonight to gossip about how the likes of Jennifer Lawrence, Kate Upton and Vanessa Hudgens have been exposed in their birthday suits. Apple has responded by extending their two-step verification process to iCloud, which should make it more difficult for hackers to breach and acquire their backed up data – that is if the user actually activates this measure.

Apple’s security was put through the wringer by the security community for lacking the safeguards needed to fend off brute-force password guessing attacks on phone backups stored within its iCloud. But it has since responded by adding a rate limit on the number of password guesses that can be made against a backup.
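To make the mitigation concrete, here is an added example (my own code, not Apple’s and not described anywhere in the post) of the kind of guess limiter the paragraph refers to: failed logins against one account are counted in a sliding window, and once the limit is hit the account is locked for a cooling-off period, so even the correct password is refused until the lockout expires. The thresholds, the account name and the credential store are constructed for the demo.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed guesses tolerated inside the window (assumed value)
WINDOW_SECONDS = 15 * 60   # sliding window over which failures are counted
LOCKOUT_SECONDS = 60 * 60  # how long the account stays locked after the limit is hit

# Constructed credential store for the demo. A real store keeps a salted hash,
# never the plaintext password.
_CREDENTIALS = {"alice@example.com": "correct horse battery staple"}


class LoginRateLimiter:
    """Per-account brute-force limiter: sliding window of failures plus lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> time the lockout expires

    def _prune(self, account, now):
        # Drop failures that have aged out of the sliding window.
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password, now):
        """Return 'ok', 'bad_password' or 'locked' for one login attempt at time `now`."""
        if self.is_locked(account, now):
            # While locked, do not even evaluate the password: a correct guess
            # during lockout must not leak that it was correct.
            return "locked"
        if _CREDENTIALS.get(account) == password:
            self._failures.pop(account, None)  # success clears the failure history
            return "ok"
        self._prune(account, now)
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)
            return "locked"
        return "bad_password"


def simulate_guessing(guesses, spacing=1.0, start=0.0):
    """Feed a constructed list of guesses at fixed spacing; return the outcome of each."""
    limiter = LoginRateLimiter()
    return [limiter.attempt("alice@example.com", guess, start + i * spacing)
            for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    # Five wrong guesses followed by the right one: the sixth is refused because
    # the account is already locked.
    for guess, outcome in zip(
        ["password", "123456", "qwerty", "letmein", "iloveyou", "correct horse battery staple"],
        simulate_guessing(["password", "123456", "qwerty", "letmein", "iloveyou",
                           "correct horse battery staple"]),
    ):
        print(f"{guess!r:35} -> {outcome}")
```

The design point worth noticing is that a correct password submitted during the lockout is rejected without being checked, so an attacker learns nothing from the lockout response. A production deployment would also count failures per source address and back the counters with shared storage so the limit holds across servers.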

But as organizations recognized the value in using technology that complements our behavior in the mobile age, they began accommodating employees by letting them access work resources and information on their personal devices. The Bring-Your-Own-Device (BYOD) revolution had arrived.

However, even if Apple had already implemented these features before, they wouldn’t be enough to prevent these attacks if the user’s passwords and security questions, as is often the case, are weak and predictable. That’s because attackers can exploit such weaknesses and gain entry to your network as an authorized user. From there they can discover more sensitive passwords to your personal accounts and exploit leads from your contact list on who to target next.

This realization quite justifiably lobs the ball back in the consumer’s court. And using more robust passwords is just one of several security steps that users need to be more diligent in applying. If there’s one constructive and very critical lesson users need to take away from Celebgate, it’s that if you want to enjoy playing with your fun and shiny internet connected toy du jour without handing the keys to your private details – which could hurt your bank account as much as it can harm your reputation – you need to get with the security program.

In our increasingly cyber world, our cyber toys come with cyber responsibilities that users can’t keep ignoring if they want to avert their own personal disaster.

You don’t need to be an A-list sex symbol to learn this lesson the hard way. Recently a high school teacher in Israel conducted a pilot program by distributing shared tablets amongst her students. Little did she know that the tablets were synced by default to her smartphone by virtue of her logging into her Gmail… which, you guessed it, contained nude photos of herself. The high schoolers reacted like, well, high schoolers. One student snapped photos of the pics from the tablet and in no time shared them with the class and beyond via WhatsApp. Asked to resign, the teacher has refused and instead is attempting to sue the child. She’s also blaming the school for not informing teachers about the potential security hazards of logging into your own email on shared tablets.

You can’t blame people for feeling for the teacher and her bad luck on one hand, but on the other hand this is a prime example of a self-inflicted privacy violation. And while many of us coast along and click right past the fine details because we can’t start using our gadgets, apps and widgets fast enough, stories like these should be blinking in our brains like a bright pink neon sign: we can no longer plead ignorance of the security settings so critical to our own protection.

Auto-syncing of files, whether to iCloud, Google Drive or any of the other cloud-based storage services, can be turned on or off from your account settings on any of your devices.

The vast majority of users are going to remain relatively technologically unsavvy, but that doesn’t mean you have to make yourself easy prey for attackers. There’s only so much spoon-fed protection we can demand from the services we use every day. If you don’t want hackers to mark you with a security tramp stamp, then putting a little bit of effort into your own security will help keep you from becoming an easy target.


David Abbou

Nothing elicits attention to a cause like celebrity endorsement – or in the case of Apple and its iCloud storage – celebrity outrage over their private nude photos being hacked and exposed all over the internet.

Private nude photos of more than 100 celebrities were stolen from their respective iCloud accounts and leaked online on August 30, putting Apple and its security protocols on the hot seat, just a few weeks before the release of iOS 8.


So who’s to blame for this infamous celebrity unveiling (pun intended)?

It took less than 48 hours for Apple to release a statement assuring the public that none of these privacy violations were in fact a successful breach of their security systems, and that they were working with the FBI and other law enforcement to hunt down the as yet unknown assailants.

Problem solved? If only it were that simple for Apple. It’s been anything but ever since. In the case of iCloud, the truth seems much cloudier than their original synopsis.

Apple’s original statement would lead you to believe that iCloud’s security infrastructure is pristine, citing users that choose weak passwords and forego using two-step verification as the main culprit. Granted, many users are generally annoyed at having to go through an additional step just to retrieve a code from their phone and end up neglecting this feature. And episodes like this make it blatantly clear that the days we could get by using simplistic passwords and security answers to set up accounts containing our sensitive information are over. You may as well leave your front door unlocked and post signs to the whereabouts of your most valuable and personal possessions.

But in appearing to blame its rather prominent victims, Apple invited a well-warranted media storm of negative PR and celebrity backlash. It also motivated industry experts and pundits to hold Apple’s security up to intense scrutiny. What has been turned up by security experts and researchers so far is pretty alarming.

First, iCloud’s popularity in this case makes it one of the prime targets for attackers, and its “Picture Roll” backups are enabled by default. By comparison, Windows Phone backups are turned off by default, while Android backups are mostly handled indirectly by third-party applications.

Noted hacker and tech blogger Nik Cubrilovic’s exceptional post on the issue reveals the relative ease with which someone can confirm a user’s email address via iCloud’s account recovery process, which in turn leads to several major bugs that can be exploited to access an account.

Another eye-opening wrinkle to the story is Elcomsoft Phone Password Breaker (EPPB), a forensics program from Moscow-based Elcomsoft that was originally created for police and government agency clients. This software – available online for anywhere from $79.99 to $400 – has shown it can easily download data from iCloud backups onto a computer, even with two-factor authentication enabled.

Apple has since acknowledged the need to improve this security measure as well as communicate it more effectively to their customers. On Friday, Apple CEO Tim Cook announced that from now on users will be sent an alert when there is an attempt to log in, change the password, or connect a new device to their iCloud account.
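The alerting that the paragraph above describes is, from the service’s side, a small stream-processing job: keep a per-account set of trusted devices and raise an alert on a sign-in from a device outside that set, on a password change, and on a new device being linked. The following is an added example of that logic, written by me for this article; it is not Apple’s code and says nothing about how iCloud actually implements its alerts. The event format, the account, the device identifiers and the event stream are all constructed.

```python
from dataclasses import dataclass


@dataclass
class AccountEvent:
    """Constructed event record: one security-relevant action on an account."""
    account: str
    kind: str        # "login", "password_change" or "device_added"
    device_id: str   # identifier of the device the action came from (constructed)
    timestamp: str   # ISO-8601 string, kept as text for the demo


# Constructed sample stream: a routine day, then a late-night sign-in from an
# unfamiliar laptop, a password change from it, and a new tablet being linked.
SAMPLE_EVENTS = [
    AccountEvent("alice@example.com", "login", "iphone-1A2B", "2014-09-05T08:00:00Z"),
    AccountEvent("alice@example.com", "login", "iphone-1A2B", "2014-09-05T12:30:00Z"),
    AccountEvent("alice@example.com", "login", "win-laptop-9F", "2014-09-05T23:58:00Z"),
    AccountEvent("alice@example.com", "password_change", "win-laptop-9F", "2014-09-05T23:59:00Z"),
    AccountEvent("alice@example.com", "device_added", "ipad-77CC", "2014-09-06T00:05:00Z"),
]


def audit_events(events, known_devices=None):
    """Replay events and return (alerts, trusted_devices_after).

    `known_devices` seeds the per-account trusted-device sets. A sign-in from a
    device not in the set produces an alert and then adds the device, so repeat
    sign-ins from it stay quiet; password changes and device links always alert.
    """
    trusted = {acct: set(devs) for acct, devs in (known_devices or {}).items()}
    alerts = []
    for ev in events:
        devices = trusted.setdefault(ev.account, set())
        if ev.kind == "login":
            if ev.device_id not in devices:
                alerts.append(f"{ev.timestamp} {ev.account}: sign-in from new device {ev.device_id}")
                devices.add(ev.device_id)
        elif ev.kind == "password_change":
            alerts.append(f"{ev.timestamp} {ev.account}: password changed from {ev.device_id}")
        elif ev.kind == "device_added":
            alerts.append(f"{ev.timestamp} {ev.account}: device {ev.device_id} linked to account")
            devices.add(ev.device_id)
        else:
            # Unknown event kinds are surfaced rather than silently dropped.
            alerts.append(f"{ev.timestamp} {ev.account}: unrecognised event kind {ev.kind!r}")
    return alerts, trusted


def alerts_for_sample():
    """Run the constructed stream with the phone pre-trusted; return the alert lines."""
    alerts, _ = audit_events(SAMPLE_EVENTS, {"alice@example.com": {"iphone-1A2B"}})
    return alerts


if __name__ == "__main__":
    for line in alerts_for_sample():
        print(line)
```

Seeding the trusted set matters: without it, the very first sign-in from the owner’s own phone would alert, which trains users to ignore the messages. The alerts here are returned as lines so they can be handed to whatever channel the service uses, be it e-mail, SMS or a push to the already-trusted devices.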

So where does Apple go from here? If it compiles the lessons learned from these security holes and bolsters its password setup and recovery processes, that would be a step in the right direction towards preventing future breaches and gaining back some customer confidence. Another equally important lesson that should not get lost in the shuffle is one of customer accountability. Most of us who are not cyber-security conscious will continue our bad habits until we get caught with our pants down. Which is why in the end, whether you’re an ordinary Joe or Jennifer Lawrence, it is ultimately still iCloud’s responsibility to save us from ourselves.