In August 2014, several hackers announced that they had broken into dozens of celebrities’ iCloud accounts. They stole a huge amount of private photos, and have already leaked hundreds of them online. The security breach sparked a huge debate about cyber security and Apple’s products.
In addition to celebrities, iCloud hackers also targeted people that they knew in their personal lives. Some of these hackers bragged about their crimes on Anon-IB, an anonymous image board that is well-known as a forum for cyber criminals. Several Anon-IB members said that they had been targeting their acquaintances, and complained that the theft of the celebrities’ photos brought attention to a vulnerability that they had been exploiting for years.
Apple has had problems with iCloud security for quite some time. In 2012, company co-founder Steve Wozniak warned of the “horrible problems” with cloud computing. Shortly thereafter, hackers broke into Wired journalist Mat Honan’s iCloud account. According to Honan, the hackers gained access via Apple tech support and used social engineering to bypass his account’s security questions.
Wozniak’s warnings and the attack against Honan foreshadowed the recent security breach. Even after two years, there are still significant security problems facing iCloud.
How the 2014 Attack Occurred
After the news broke about the theft of the celebrities’ photos, Apple said that the incident was “a targeted attack on user names, passwords, and security questions.” While the exact details of the incident are unknown, many believe that it was due to an iCloud vulnerability.
According to this theory, a security flaw in the Find My iPhone service allowed hackers to repeatedly guess a user’s log-in information. There were no consequences for trying numerous attempts, and the hackers were not locked out after a number of tries. As a result, the hackers were able to break into their victims’ accounts by flooding the service with log-in attempts.
Apple appears to have solved this problem. However, it claimed that the hackers did not exploit any specific iCloud vulnerabilities. Instead, the company said that phishing or brute force attacks were responsible for the breach.
The Methods Used by the Hackers
The iCloud hackers used a variety of common techniques to gain access to their victims’ private information. These include social engineering, phishing, and brute force.
Brute force attacks involve hammering the system. Hackers first research their target. Specifically, they are looking for the answers to common security questions like “What was the name of your first boyfriend/girlfriend?” or “What is your mother’s maiden name?”
Once they have enough information, they use an unlimited number of attempts in order to access the system by trying every possible answer. They begin with the most likely options, and these options are supplied by their background research.
Hackers who employ phishing methods attempt to trick their targets into giving away their account information. They typically send out personalized emails claiming that the recipient has won a prize or is eligible for an award. These emails instruct the target to call the hacker, who is posing as a legitimate organization.
The unwitting victim will contact the hacker in order to claim their reward. The criminal will ask for their personal information, and will then politely end the conversation. Using this information, they will break into their target’s accounts.
Phishing can also involve hiding malware inside a file that is sent to the target. The malware infects the computer when the recipient opens the file to learn about their winnings.
Social engineering is another hacking technique. This term describes a process of cyber intrusion that relies on a human, rather than a technical, exchange in order to complete a theft.
The hacker will physically access the target’s computer by posing as the representative of a reputable organization, like the target’s IT company. Another method involves talking to the target at a bar or public place, and slowly drawing personal information from them throughout the conversation.
How to Protect Your iCloud Account
Following the recent iCloud breach, Apple released a patch that addressed the issue of security. The service now sends notification emails to users when their iCloud accounts are accessed or changed. It also has a two-factor password authentication system that texts users a randomized access code.
These changes add an extra layer of security to iOS and iCloud accounts. However, they are no substitute for password security.
Users should update their passwords frequently, and should refrain from reusing them. Passwords should be fairly complex. They should include both uppercase and lowercase letters, as well as symbols. Users should also avoid using obvious passwords like their birthday or their spouse’s name.
Remembering several passwords at once can be difficult. Some IT experts recommend using mnemonics or writing them down. Others suggest using a password manager program.
The use of a password manager is widely considered to be the best way to keep passwords safe. This tool will randomly generate passwords and will store them in a protected vault. Users only need to keep track of one password in order to protect all of their accounts.
In spite of the recent security breach, people should still continue to use their iCloud accounts. However, they should take the proper precautions. These include both the basics of password security and an awareness of hackers’ methods. For more information about cyber security, please contact us.