Thursday 4 September 2014

iCloud Compromise...

The mainstream news has covered the compromise of iCloud, which led to a number of private photographs being exposed to the public.  The first assumption was that iCloud was hacked or compromised, but Apple denies this.

Accounts Compromised...

Rather than iCloud in its entirety being compromised, the compromise was to individual accounts.  It is assumed that the celebrity accounts were compromised with a brute force attack, allowing multiple tries of various passwords to each account.  This meant with the right software toolset which could be acquired cheaply, numerous passwords could be tried against each account.

Simple Passwords...

It would seem that celebrities are very much like the general public when it comes to passwords.  There are commonly used passwords, the top 25 of 2013 can be found here.  From that article you see the commonly used passwords are "123456" and "password"!  With relatively simple passwords or common words, they can easily be compromised using a dictionary attack

Security (?) Questions...

There are many ways to recover a password.  It may be requested a new password which the site or application will ask you to subsequently change.  There may be a need to telephone a call centre and provide details over the telephone to reset your password.  The least secure in my opinion, is the ability to answer security questions that the user has the answer.

This would seem like a secure way of resetting a password, as how many people would know your mother's maiden name, where you were born, what your favourite football team is, etc?  The internet and social media has been great in many respects, but it exposes a lot of information about an individual out into the wild.  Once it's out there, there is no way to control, edit or delete it.  Bear this in mind if you have to use to methodology for any website or application.

It would seem that this current compromise a is new thing, but something very similar happened over nine years ago when Paris Hilton's mobile phone was hacked in 2005.  How was this done?  The T-Mobile Sidekick device had an internet facing dashboard.  If you forgot your password, you could answer some security questions including date of birth and your pet's name.  All the security questions could be answered with an internet search engine.

Complex Passwords, hard to remember?

As the levels of security have to rise, so this can only make it more difficult to use the services or applications.  There is always a balance between usability and complexity.  We can encourage people to use a mixture of upper and lower case, special characters and numbers, but will only mean more password resets these complex passwords will be forgotten more easily.

Also common advice is not to use the same password over multiple applications and services.  This only increases the users capacity to forget a password!


News has come to light this morning that rather than a brute force attack, it may have been a phishing attack.  We are reminded to check the legitimacy of an email before acting on it, and if it seems fishy (excuse the pun) to ignore it or delete it.  Some celebrities may have fallen for one of the simplest tricks.

The bad guy sends out emails that looks like an email from Apple.  It tells the user that there is some sort of issue with the account that requires a password reset/change/confirmation.  The user will enter their password which is stored by the bad guy.  The user will be presented with either a failed message screen, a confirmation all is OK and if they were clever, even synchronise the password with Apple, so all seems right for the user.

Two Factor Authentication...

I have written a few blog posts in the past regarding passwords and multi-factor authentication, but it's relevant to re-cap it.  It we look at the different types of information that can be used to log a user in, we can take different types of information in order to increase security.  So one form this can take is information the user knows, such as username, password, PINs and patterns.  Another form this information can take is information a piece of technology gives the user, such as a passcode from a token, a passcode from a device such as a smartphone or computer, or a passcode set via SMS to a known mobile telephone number.  If the known information and the provided information are different types of information, or factors, it becomes clear where the term two factor authentication comes from.

Free protection...

I've mentioned it before, but service providers such as Apple's iCloud, GMail, eBay and Facebook give the option to switch on two-step verification, where if you try to login from a new device, a new browser or a different country, the user will be prompted to enter a code that is sent to the registered mobile phone number.  The security is there and it's free!

Increase your security posture

Be aware of the security questions you choose to to use.  Are the answers to your security questions available from the likes of Facebook and Twitter?

Be aware of emails asking for password changes.  Double check with the service provider.

If you want to use more complex passwords, but are worried about remembering them all, use a password vault to store these passwords securely.

Although two factor authentication may add a slight delay to using the service, it gives a level of protection that will make it a lot more difficult to compromise your personal information, your data and in this case, your personal photos.

No comments:

Post a Comment