Tech giant Apple is taking the iCloud hack that revealed naked selfies of various celebrities seriously. The iPhone-maker plans to roll out new security measures to keep its users, whether celebrities or everyday Joes, safe.
Apple CEO Tim Cook told the Wall Street Journal the company will alert users via e-mail and push notifications when someone tries to change an account password, restore iCloud data to a new device, or log into an account from a device for the first time. Apple also plans to implement two-factor authentication, which requires an attacker to hold more than the password alone: a second factor, such as a one-time code delivered to a device the user controls, must be presented as well.
"When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece," he told the Journal. "I think we have a responsibility to ratchet that up. That's not really an engineering thing."
Company Not Doing Enough
We caught up with Mike Davis, CTO at real-time endpoint threat detection firm CounterTack, to get his thoughts on Apple’s moves. He told us it’s great to see the company taking security more seriously than before. However, he added, what Apple is doing isn't enough.
“Apple, with its estimated 300 million-plus users, is not just a ‘cloud service.’ They have become like Facebook or LinkedIn in that they are critical to the identity of many users around the world,” Davis said. “Your Apple ID allows you to save files, spend money and purchase applications, and even buy iTunes gift cards.”
Indeed, your Apple ID is in many cases just as powerful as your bank login, yet Davis argues Apple treats its security as less important than that of a bank or other large financial institution. He said this could be because Apple, unlike banks and similar institutions, is not under any regulatory or compliance requirements.
“If you asked my wife, an avid Apple fan, she would probably be more upset her Apple account was compromised than her bank account because she knows she has fraud protection in place with the bank, but has no such confidence with Apple because they don't communicate to her what they are doing to protect her,” Davis said.
What Should Apple Really Do?
As Davis sees it, two-factor authentication is a good first step -- a step Apple should have taken a long time ago. He rightly pointed out that LinkedIn, Twitter, and thousands of other online cloud providers have had two-factor authentication for years. And he also pointed out that two-factor authentication won't prevent other attacks -- it only reduces the risk of one type of threat, an attacker who has obtained nothing more than the password.
“The issue Tim alluded to really is the right issue Apple should be solving: awareness. Apple's approach to technology, the proverbial walled garden, is anathema to security in general as it focuses on ‘less is more,’ ‘don't overload the user with too much information about what is happening,’ and just ‘make it work,’” Davis said. “Yet as a user you do want to know when your account is being used improperly, or by a device that shouldn't -- and you should know immediately, not just via an e-mail. Send me a phone call, a text, some immediate way so that e-mail doesn't get missed or tossed in spam.”
Davis' conclusion: Apple has to step up and realize it is now a tier 1 cloud provider -- and even though the company is not under any regulatory requirements to secure customers' data, it must implement the security controls that other tier 1 providers have, or else risk massive brand -- and ultimately revenue -- impact.
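To make the controls Cook describes concrete, here is an added example written for this page; it is hypothetical code, not Apple's implementation. It gates login on a password plus an RFC 6238 time-based one-time code, and raises an alert for each of the three events Cook listed: first login from a device, restore of data to a new device, and a password change. The `Account`, `login`, `alert`, `change_password` and `restore_to_device` names are assumptions, the sample user and device identifiers are constructed, and the demo secret is the RFC 6238 test key so the codes can be checked against the published vectors.

```python
"""Added example: account-event alerts plus a TOTP second factor.

Hypothetical code for illustration, not Apple's implementation.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # code length used by common authenticator apps


def totp(secret_b32: str, timestamp: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + d * TOTP_STEP), code)
        for d in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes
    password_hash: bytes
    totp_secret: str
    contact: str                                  # alert endpoint (push/SMS), not only e-mail
    known_devices: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # stands in for actual alert delivery


def alert(account: Account, contact: str, event: str, device_id: str) -> None:
    """Record an alert. Callers pass the contact captured BEFORE the change is applied,
    so an intruder who rewrites the contact details cannot suppress the alert."""
    account.alerts.append({"to": contact, "event": event, "device": device_id})


def login(account: Account, password: str, code: str, device_id: str, now: int) -> bool:
    # Both factors must check out; fail closed on either.
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return False
    if not verify_totp(account.totp_secret, code, now):
        return False
    if device_id not in account.known_devices:      # first login from this device
        alert(account, account.contact, "new_device_login", device_id)
        account.known_devices.add(device_id)
    return True


def change_password(account: Account, new_password: str, device_id: str) -> None:
    contact_before = account.contact
    account.password_hash = hash_password(new_password, account.salt)
    alert(account, contact_before, "password_changed", device_id)


def restore_to_device(account: Account, device_id: str) -> None:
    if device_id not in account.known_devices:      # restore to a device never seen before
        alert(account, account.contact, "restore_to_new_device", device_id)
        account.known_devices.add(device_id)


# Constructed sample data: the RFC 6238 test secret "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SALT = b"fixed-salt-for-demo"


def demo_account() -> Account:
    return Account("alice", DEMO_SALT, hash_password("correct horse", DEMO_SALT),
                   DEMO_SECRET, contact="push:alice-phone")


if __name__ == "__main__":
    acct = demo_account()
    t = 59  # RFC 6238 vector: the 6-digit code at T=59 is 287082
    print(login(acct, "correct horse", "287082", "iphone-1", t))   # first-seen device: alert
    print(login(acct, "correct horse", "000000", "iphone-1", t))   # wrong code: rejected
    change_password(acct, "new pass", "iphone-1")
    for a in acct.alerts:
        print(a)
```

The second factor only defeats an attacker who holds the password alone, which is the limit Davis notes above: a compromised device or a phished one-time code passes `login` just as the legitimate user does, and the alerts are what remain to tip the owner off.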
Posted: 2014-09-07 @ 6:44am PT
I think that the internet is dangerously porous. Someone published some pictures, so they now close that hole, or seemingly close that hole, but there are many, many holes that have not been published.
Posted: 2014-09-07 @ 6:16am PT
Funny how companies use the regulatory excuse to not do the right thing. Then, when they are forced to they say, there is too much government regulation. Apple and others should do the right thing without the government or security lapses to push them. Apple, like most commercial companies, has very poor security and software design best practice use.
Posted: 2014-09-07 @ 5:54am PT
Confused... didn't Timmy just deny it was an APPLE problem??
Posted: 2014-09-07 @ 3:43am PT
Get educated at Blackberry Campus.
Posted: 2014-09-07 @ 3:41am PT
The best security - don't put private stuff online.
Posted: 2014-09-07 @ 2:16am PT
Excellent view by Davis, and hats off to Apple, for taking steps to take measures. Security will always be a problem, but taking steps beforehand would require a criminal mind on the Apple team.
Posted: 2014-09-06 @ 9:09pm PT
Great post and I commend Apple execs for taking responsibility rather than running for cover because it's hard and burdensome to do what they are committing to.
Although, only relying on awareness and not 2 Factor could leave a hole in their system. When a hacker does get in, don't you think the first thing they are going to do is gain elevated privileges and change the notification system? Seriously. Think like a hacker, not an amateur after selfies.
Posted: 2014-09-06 @ 7:26am PT
The excellent post mentioned in the comment below is from The Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. Thank you John Kinyon.
Posted: 2014-09-05 @ 4:54pm PT
Great post from Gene Spafford and Samuel Liles:
"What is wrong with all of you? Reflections on nude pictures, victim shaming, and cyber security"
The post explains why people trust cloud providers and gives recommendations for cloud service providers and the security community.