This is part 7 of an n-part blog series, discussing the things I found to be game changers in Infosec in 2014.
Item: Apple's iCloud password brute force "feature"
What is (or was) it? A horrible time to be a celebrity with nude photos, bad passwords, and bad security questions.
Why is it significant? Many of my readers will likely argue that this is not up to the same significance as some other things I haven't covered yet, but I disagree. Any time regular users (i.e., people outside of infosec) consider the security of what they have stored in the cloud and their own password usage, that's a win for infosec.
This story is significant because it brought attention to password security and the questions used to protect those accounts. Apple agrees that attackers shouldn't be able to brute-force your password on its services, and it has put (some) protections in place to prevent this sort of thing. But attackers figured out how to bypass these protections using the "Find my iPhone" service. This is a great example of why defense in depth matters. Businesses often talk about how they've secured 95% of their machines. That's great, but what about the remaining 5%? Here, Apple had secured most methods of logging into iCloud accounts against brute-force guessing. But they had neglected to do so on one web form, and that's all it took.
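To make the "one unprotected form" failure concrete, here is an added illustration (my own example code, not Apple's and not a description of how iCloud was actually built). It models a service with several login surfaces and compares two lockout designs: one that counts failures per endpoint and therefore does nothing for an endpoint nobody wired up, and one that counts failures per account no matter which endpoint the attempt came through. The endpoint names, the user record, and the `MAX_FAILURES` threshold are all constructed for the demo.

```python
"""Per-account lockout shared across every login endpoint (added example).

The weak design keeps a failure counter per (endpoint, user) and relies on
each endpoint opting in, so a surface that was never wired up (the
constructed "find_my_device" endpoint below) keeps accepting guesses.
The hardened design routes every endpoint through one per-account
counter, so exhausting the budget on any surface locks them all.
"""
from collections import defaultdict

MAX_FAILURES = 5  # constructed threshold for the demo

# Constructed credential store: username -> password.
# Plain text only so the demo is self-contained; a real service stores a hash.
USERS = {"alice": "correct-horse-battery-staple"}


class PerEndpointLockout:
    """Weak: each endpoint tracks its own failures, and only if it opted in."""

    def __init__(self, protected_endpoints):
        self.protected = set(protected_endpoints)
        self.failures = defaultdict(int)  # (endpoint, user) -> failed attempts

    def login(self, endpoint, user, password):
        key = (endpoint, user)
        # Lockout is only consulted for endpoints someone remembered to protect.
        if endpoint in self.protected and self.failures[key] >= MAX_FAILURES:
            return "locked"
        if USERS.get(user) == password:
            return "ok"
        self.failures[key] += 1
        return "bad_password"


class SharedAccountLockout:
    """Hardened: one failure budget per account, enforced on every endpoint."""

    def __init__(self):
        self.failures = defaultdict(int)  # user -> failed attempts, all endpoints

    def login(self, endpoint, user, password):
        # Checked before the password, so a locked account stays locked even
        # if the next guess happens to be right.
        if self.failures[user] >= MAX_FAILURES:
            return "locked"
        if USERS.get(user) == password:
            return "ok"
        self.failures[user] += 1
        return "bad_password"


def simulate(service, endpoint, user, attempts):
    """Send `attempts` wrong passwords through one endpoint and report how
    many were actually evaluated before the service answered "locked"."""
    checked = 0
    for i in range(attempts):
        if service.login(endpoint, user, f"wrong-{i}") == "locked":
            break
        checked += 1
    return checked


if __name__ == "__main__":
    weak = PerEndpointLockout(["web", "imap"])
    print("weak, web:", simulate(weak, "web", "alice", 20))              # 5
    print("weak, find_my_device:", simulate(weak, "find_my_device", "alice", 20))  # 20

    strong = SharedAccountLockout()
    print("strong, find_my_device:", simulate(strong, "find_my_device", "alice", 20))  # 5
    print("strong, web afterwards:", simulate(strong, "web", "alice", 20))  # 0
```

The point a reviewer should take from this is structural rather than about any one number: if lockout is a per-endpoint feature, then every new endpoint is a new chance to forget it, and each protected endpoint still hands out its own separate budget of guesses. Putting the counter on the account, and checking it before the password on every surface, is what turns "we protected most logins" into "we protected the account."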
To be fair, the impacted celebrities should have used better passwords to prevent the brute forcing of their accounts. We all should use better passwords. But we should also expect that big businesses like Apple will protect us from brute-force attacks. We've demonstrated repeatedly over time that the user cannot be made solely responsible for their own security.
The worst part was that Apple knew of the vulnerability and did nothing before the event. It's easy to say that people should use better security questions, but that falls flat since Apple added security after the iCloud hack was made public.
Note: As of today, there are still problems with iCloud secondary authentication as evidenced by this tool. One day iCloud will get it together, but that day is not today. We have to carefully consider what we store in the cloud, both for personal and professional use. Once we decide (after weighing all the risks) what is to be stored in the cloud, we should determine what security measures around that data make sense.
Could it have been prevented? Absolutely, 100% yes. As noted above, Apple knew about the vulnerability ahead of time. This leaves them in a precarious position, though it appears the only company to have been sued so far is Google (related to DMCA takedown requests).
Unfortunately for iCloud, its security problems didn't end there. Later, users in China were hit with a man-in-the-middle attack. A truly bad situation for Apple, but according to some press reporting, it was likely sanctioned by the Chinese government given the level of infrastructure involvement.
Stay tuned for more installments in the Infosec year in review.