A few days ago a group calling themselves hackappcom posted a proof-of-concept script on GitHub that let a user attempt to break into iCloud accounts. The script queried iCloud through the “Find My iPhone” API to guess username and password combinations. The problem was that Apple apparently placed no limit on the number of queries, so an attacker could try guess after guess with no risk of the account being locked. The result was that some Hollywood actors had their personal photos leaked online.
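The weakness described above is the absence of any limit on guesses. As an added example (not the hackappcom script and not Apple's code), here is a per-account login throttle in Python that locks an account for a doubling window after a handful of failures; the thresholds, the sample account and the helper names are assumptions.

```python
"""Per-account login throttle that stalls an unlimited-guess attack.
Illustrative code; the thresholds below are assumed, not Apple's."""
import time
from dataclasses import dataclass

MAX_FAILURES = 5           # assumed: failures allowed before the first lockout
BASE_LOCKOUT_SECONDS = 60  # assumed: first lockout length; doubles each time


@dataclass
class AccountState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, check_password, clock=time.time):
        self._check_password = check_password  # real credential check, injected
        self._clock = clock
        self._accounts = {}                    # username -> AccountState

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad-password' or 'locked'. A locked account is refused
        before the password is examined, so guesses made while locked learn nothing."""
        now = self._clock()
        st = self._accounts.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"
        if self._check_password(username, password):
            self._accounts.pop(username, None)  # success clears the counters
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.lockouts += 1
            st.locked_until = now + BASE_LOCKOUT_SECONDS * 2 ** (st.lockouts - 1)
            st.failures = 0
        return "bad-password"


def simulate_guessing(wordlist, correct_password, clock=time.time):
    """Run a wordlist against one constructed account through the throttle and
    report (guesses actually evaluated, guesses refused while locked)."""
    users = {"victim": correct_password}  # constructed sample account
    throttle = LoginThrottle(lambda u, p: users.get(u) == p, clock=clock)
    evaluated = refused = 0
    for guess in wordlist:
        result = throttle.attempt("victim", guess)
        if result == "locked":
            refused += 1
            continue
        evaluated += 1
        if result == "ok":
            break
    return evaluated, refused
```

A per-account lockout on its own lets a guesser lock the legitimate owner out, so in practice it is paired with per-source throttling and alerting on bursts of failures.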
This incident has had unfortunate consequences for the victims. It has also been a wake-up call to clean up your password practices and improve your personal security. There are a few basic things you can do:
- Enable two-factor authentication on your iCloud account. Once this is enabled, you receive a four-digit code by SMS that must be entered in addition to your password.
- Use a strong password. Many people use the same password for multiple logins or use one that is “easy to remember”. You’d be better served using a password such as “IZYcq7XO9agP4[PBj+a.” or a passphrase.
For companies
Rather than taking a “one-size-fits-all” approach to security, without considering how the technology fits into your operations, businesses need to make sure they have conducted thorough risk analyses. Here are some of the questions you should ask:
- What safeguards (physical, technical and administrative) are being used to secure your information?
- When did you last include an assessment of your cloud provider in your own risk analysis?
- What happens if the cloud vendor suffers a breach — who cleans up the problems?
You’ll also want to perform a risk analysis for your own facility, to make sure there aren’t any vulnerable areas on your end that could expose your organization to breaches.
You should also keep records of the weak areas you find and what steps you’ll take to prevent breaches.