As last week's leak of private celebrity photos continues to make headlines, the security community has turned its focus toward the vulnerability in Apple Inc.'s iCloud service at the heart of the incident and the likelihood of similar flaws. Experts believe the iCloud hack highlights how enterprise data may be at risk, especially at organizations that don't know that sensitive data has been sucked into the cloud.
The incident, revealed late Sunday and nicknamed "The Fappening" in online forums, exposed compromising photos of Jennifer Lawrence, Kate Upton and other high-profile individuals.
In a statement today about its investigation, Apple said the iCloud hack was not directly caused by an iCloud vulnerability, but rather through a targeted attack against the system's authentication mechanism.
"After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet," Apple said in its statement. "None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved."
However, the Cupertino, Calif.-based vendor patched a vulnerability in its Find My iPhone app -- a part of the larger iCloud suite of services -- that security experts suspect to be at least partially responsible for the leak.
Before the patch, the app allowed users to enter an unlimited number of passwords attempts without being locked out, a flaw that exposed the service to brute-forcing attacks. A five-attempt limit was put in place for the service within 24 hours of the breach being reported.
Days before the breach, the team behind HackApp, an automated mobile application security audit tool, released iBrute, a tool that can be used to brute-force the Find My iPhone service. In a statement on the HackApp website, the group apologized for delivering a presentation on the tool and related vulnerability at a DefCon security conference in Moscow last month, indicating that their tool or technique may have played a role in the iCloud hack.
"I'm really sorry that talk given by @hackappcom and @abelenko on local @DefconRussia a group meeting (@chaos_construct event) a few days ago have had such nasty consequences. And blackhat community performed such weak, cheap and ungrateful feedback," said the HackApp team in a statement. "For everyone who was involved in this incident, I want to remind, that today we are living in a Brave New Global World, when privacy protection wasn't ever so weak, and you have to consider, that all you data from "smart" devices could be accessible from internet, which is the place of anarchy, and, as result, could be source of undesirable and unfriendly activity."
The Federal Bureau of Investigation said in a statement Monday that the agency is "aware of the allegations" concerning the celebrity leaks and is "addressing the matter". The investigative agency has previously investigated cases of image leaks involving celebrities, all of which resulted in convictions.
iCloud hack: Enterprises beware
While Apple and the FBI continue their investigations, several security experts told SearchSecurity that enterprises should be aware that iCloud -- along with other cloud storage services like Dropbox and Box -- may be collecting troves of sensitive corporate data which, if compromised, could have far-reaching consequences.
Andrey Belenko, senior security engineer at Oak Park, Ill.-based mobile security vendor viaForensics LLC, said that iCloud can collect everything from photos and videos to text messages and application data, depending on the settings enabled by each user. Calendar details, notes, contacts and a variety of other information may also be backed up to iCloud.
Tal Klein, vice president of marketing at Palo Alto-based cloud security vendor Adallom Inc., added that the iCloud Keychain stores and syncs login credentials across multiple Apple devices, storing them by default in iCloud, with protection provided by a password and a separate four-digit PIN or passcode. Users can choose to backup that data locally instead.
The good news, Belenko said, is that Apple documentation clarifies what data is being stored and where, so enterprise security teams can determine which assets may have been stored in the iCloud environment and take action accordingly if they so desire. The Apple website explains how the information collected by iCloud is protected, as well as the implications of using certain services like Find My iPhone, and even how to delete photos collected by My Photo Stream.
Of course, taking such proactive measures requires an enterprise to be fully committed to a security program, and according to Keith Palmgren, an instructor with the SANS Institute and president of San Antonio, Texas-based consultancy NetIP Inc., the amount of large companies that still don't have an executive responsible for security are unlikely to have a plan in place for securing users' cloud backups.
"I'll bet you your next paycheck that those companies don't have a clue what data is being sent to the cloud," said Palmgren.
How to protect data sent to iCloud
If iCloud and other consumer-focused cloud storage services do pose a potential risk to corporate data, what should enterprises do to protect data that is sent to the cloud?
Michael Sutton, vice president of security research at San Jose, Calif.-based cloud security vendor Zscaler Inc., said that enterprise security teams must accept that the use of consumerized IT services is a reality, and that the cost savings and productivity boost provided by such services makes it nearly impossible to bar them from being used.
With that in mind, Sutton advised security professionals to work with business units to secure cloud service deployments in advance, and to implement traffic-monitoring efforts to prevent unapproved data from being uploaded to cloud storage services.
Palmgren advised that enterprises also educate users on the benefits of applying multifactor authentication for not only cloud storage services, but also other sensitive online services such as banking sites. Apple does in fact provide an SMS-based version of multifactor authentication, which allows users to have codes sent to their device whenever a login attempt is registered.
"If you're not using those features, "you're not doing it right,"Palmgren said.
— MacLemon (@MacLemon) September 2, 2014
— Dan Kaminsky (@dakami) September 1, 2014
Is iOS security truly ready for enterprise environments? Resident expert Michael Cobb discusses.