Trusting the cloud (Part 2)

A few more observations.

Just to let you know where I stand on the issue:
People have a right to privacy. It is fine to embrace technology, take intimate photos of yourself and distribute them. However, you would expect that your photos and personal content remain secure and accessible only to those you choose to allow.

If the app developer and the user are not responsible for the user’s privacy, then who is? One can’t simply assume that the application developer will provide security and privacy.

I still stand by the view that application developers must build their products with privacy and security in mind.
Think about the automobile industry: if manufacturers don’t build cars with safety improvements, people die. While this is not as extreme, imagine that you hold information whose exposure would cause major distress.

Let’s examine the core issues in detail.

1. If you are of value, you will be a target.

You might not be famous or successful, but to someone on the opposing side with enough determination, you may still be a target. Multiply this if you are popular and you become a major target; it is a numbers game.

The Fox News article states the following:

Many high-traffic websites feast on showing every inch of female flesh, preferably belonging to famous females, that they can access.

It is quite obvious that there is a market for this, so they were targets!

2. The distribution of data opens opportunities for your enemy

Online technology, not just cloud services, allows more information to be spread across different services. Now it is a case of gathering pieces of the puzzle. The Ars Technica article states that a reporter, Mat Honan, was a target:

a “hacker” was able to get access to the last four digits of his credit card number from Amazon and, using that information, gained access to his Gmail account. The attacker then called Apple’s tech support and convinced Apple that he was Honan, getting the password on his account reset.

Little bits of information, when matched together, help complete the puzzle. As a potential target, you need to be conscious of the information you allow to become public. Operational security (OpSec) is the practice of managing exactly that information.

Samantha Stone sums up the first two points and directs her blame straight at the victims. Let’s put this into perspective: yes, there is some blame there, but technology is a tool. Like a car, you have to learn how to use it and be aware of the dangers and the safety measures. By the same token, the application developer must ensure that their product is safe to use, which segues into the third point.

3. Poor application security

It is extremely hard to implement new technologies, and it is also hard to implement security safeguards around them. However, history does repeat itself, so attacks we already know about will most likely happen again.

We take things for granted; however, being aware and one step ahead will help stop attacks such as these. A combination of OpSec and application vendor security will help prevent situations like this.

If there is a product out there that can break into your systems, wouldn’t you be on it like a rash to fix the weakness?

The Ars Technica article states:

Because of this weakness, the Find My iPhone service did not lock out access to the account after a number of failed attempts— so the attacker was able to keep hammering away at targeted accounts until access was granted.

Brute force attacks and account lockout are NOT new ideas!

It is an old concept; shouldn’t you avoid making the same mistake twice???
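To make the lockout point concrete, here is an added example (my own illustration, not code from any of the articles or from Apple) of the control the quoted paragraph says was missing: an authentication service that counts failed attempts per account, locks the account for a cooling-off period once a threshold is reached, and compares password hashes in constant time. The policy numbers, the username and password, and the FakeClock are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed policy values for the demo; tune to your own risk appetite.
MAX_FAILURES = 5          # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 900     # 15 minutes of lockout
WINDOW_SECONDS = 600      # failures older than this are forgotten
PBKDF2_ROUNDS = 100_000   # kept modest so the demo runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class AuthService:
    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock  # injectable so the lockout timing can be tested deterministically
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'. Unknown users get the same answer as bad passwords."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Spend the same hashing cost so unknown usernames are not revealed by timing.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < acct.locked_until:
            # Locked accounts are refused before the password is even checked.
            return "locked"
        # Forget failures that fall outside the sliding window.
        acct.failures = [t for t in acct.failures if now - t < WINDOW_SECONDS]
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failures.clear()
            return "ok"
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures.clear()
            return "locked"
        return "denied"


class FakeClock:
    """Constructed clock so the demo does not have to wait 15 real minutes."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> List[str]:
    """Hammer one account with guesses and show the lock engaging and then expiring."""
    clock = FakeClock()
    svc = AuthService(clock)
    svc.register("alice", "correct horse battery staple")  # constructed sample credential
    results = []
    for _ in range(MAX_FAILURES):
        results.append(svc.login("alice", "not the password"))
        clock.advance(1)
    # Even the right password is refused while the lock is in force.
    results.append(svc.login("alice", "correct horse battery staple"))
    clock.advance(LOCKOUT_SECONDS)
    # After the cooling-off period the legitimate user gets back in.
    results.append(svc.login("alice", "correct horse battery staple"))
    return results


if __name__ == "__main__":
    print(demo())
```

The demo yields four "denied" results, a "locked" on the fifth failure, a "locked" for the genuine password during the cooling-off period, and an "ok" once it expires. Two design notes: the lock is applied before the hash is computed, so an attacker cannot keep consuming CPU against a locked account, and because any lockout can be turned into a denial-of-service against the legitimate user, production systems usually pair a per-account threshold like this with per-source rate limiting and a second factor rather than relying on lockout alone.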

Importantly, from an OpSec point of view, as celebrities their personal information is no longer private, rendering any security-related challenge based on personal information useless.

The Dark Reading article demonstrates how ‘easy’ it is to break into the accounts.

Further to this, Fort Knox does not have a broken wooden door between the outside world and the gold. Having your entire life (online backups) behind a ‘flimsy’ door (think weak password) is just asking for trouble.

There is more than one way to get valuable information. The Wired article points out that if you have a backup and it is intercepted by your enemy, they have a fighting chance of obtaining your personal information.

4. Reducing your potential loss.

Well, this is a tricky one. Unless you are in the know, it is hard to keep up.

Quick thoughts:
1. Any real world threat can be carried out with efficiency and anonymity thanks to technology.
2. OpSec and identity management are increasingly important in this age.
3. Evolution and rapid change makes it very difficult to keep up. Embrace new technology with a pinch of salt if you believe that you are a target.
4. There are specialists out there to help, go find one!

http://www.foxnews.com/politics/2014/09/04/nude-photo-hacking-why-mainstream-media-are-part-problem/
http://arstechnica.com/security/2014/09/what-jennifer-lawrence-can-teach-you-about-cloud-security/
http://www.reviewjournal.com/opinion/blame-technology-ignorant-victims-photo-hacking
http://www.washingtonpost.com/news/morning-mix/wp/2014/09/05/after-nude-celebrity-hacking-apples-tim-cook-says-company-will-improve-security/
http://www.darkreading.com/attacks-breaches/celeb-hack-is-apple-telling-all-it-knows/a/d-id/1306923
http://www.wired.com/2014/09/eppb-icloud/

Trusting the cloud

A recent incident is making the rounds involving private photos of celebrities, iCloud and a hacker.

The hacker ‘broke’ into a few celeb accounts, pillaged and published.

The celebs lost their private moments.

A number of points here:

  1. If you are of value, you will be a target. Pretty obvious here.
  2. There would be no way that the celeb would know that they were under attack. The attack was not done on their phone, the attack was done ‘on the cloud’.
  3. Poor application security allowed this to happen. To be precise, a combination of poor application security and poor passwords allowed this to happen.
  4. If you are a potential target, consider what your potential loss is or speak to a professional.
  5. Finally, if you want your pics to be private, don’t use a cloud service. Remember, anything on the net is considered to be public!

http://www.bbc.co.uk/newsbeat/29008876