Security Concepts Explained
I have decided to start a routine blog post related to explaining security principals in a way that, hopefully, everyone should be able to understand. I’m calling these posts, Security For Grandma (SFG), because as I write these posts I’m going to try to explain topics in the same way that I would if my grandmother asked me to explain some “hacking thing” that showed up on the news. If you’re a seasoned security professional you’re welcome to continue reading of course, but please don’t be surprised by the simplicity of the topics.
Update: SFG has been renamed to Security Concepts Explained for clarity. The idea is the same.
Celebrity iCloud Hack
In my first SFG post I’ll be talking about the compromise of hundreds of celebrity iCloud accounts resulting in the leak of many personal, and mostly embarrassing, photographs of some of our favorite stars. At this point I think most people are familiar with the headlines, but it you don’t know what I’m talking about take a minute to Google “Celebrity Hacking” and read a few news posts. Now, let’s address some terms that the media throws around without really explaining much of what they’re talking about.
What is this iCloud you speak of? While we’re on the subject what is this whole “cloud” thing anyway? In the most simple terms the “cloud”, these days, refers to a computer or collection of computers connected to the Internet where you store information. It’s a bit more complicated, but for the general public all you need to know is that it’s just another computer somewhere where your data is being kept so you can access it anywhere there is Internet access. For example, you’re writing a story on your home computer, and you want to read it on your phone later. So you save your story to a computer in the “cloud”, and then use your phone to retrieve it from the the remote computer you stored it on, and read it later at the airport.
Why is it called the “cloud”? Mostly out of laziness. In network engineering when you draw a diagram of how computers and systems are connected eventually you want to show how they’re connected to the broader Internet. Rather than worry about the details of the millions of systems on the Internet we just draw a big cloud and label it “Internet” or “World Wide Web”. Think about it this way, if you were drawing a map of your neighborhood, and you get to the point where your neighborhood connects to a major city; rather than draw every street in New York City, for example, you can just draw a big cloud picture and label it NYC – the details are unimportant in relation to your neighborhood map. Unfortunately, a simple icon used by engineers has become a marketing buzz word that is nebulous at best.
So the bottom line is the iCloud is just a bunch of computers owned by Apple where their customers can keep their files, music, and any picture that might be on their phone. iCloud a brand name; that’s all.
When you hear the phrase brute-force attack this is just a fancy way of saying they guessed some piece of information. In this case the attackers may have simply guessed the celebrities’ passwords. For example, let’s say we were trying to get into “John’s” account on Apple’s iCloud. In this case, we could “brute-force” our way into John’s account by going to the iCloud login screen and try different passwords until one worked. In practice human’s rarely do this by hand instead we use computer programs to try out thousands of passwords for us.
Sometimes you’ll see this called two-factor authentication or multi-factor authentication, but it’s referring to the same concept. The easiest way to describe two-factor authentication is to use an example. Let’s say you want to get into a secret building so you go to the door and knock. A man opens the door, and asks for the secret password. You tell him the correct password, but then he asks you to show him your “secret building” badge. Since you don’t have a badge the man doesn’t let you into the building. In this case you needed two things to get into the building – a secret password and a badge. Many online services like email or cloud storage now offer two-factor authentication as an option. For example, you can setup your gmail account to require that you enter both a password and a separate one-time use code that is sent to your phone. So you need to know your password, and have access to your phone in order to login to your email account. In other words, you need two-factors, something you know (password) and something you have (phone).
My Take on the Attack
Now that the vocabulary is out of the way we can talk about the celebrity iCloud accounts that were hacked. Everyone is asking the same question- how did this happen? The short answer is that we don’t know yet. One theory is that attackers brute-forced the celebrity iCloud accounts. If this is true then both Apple and the celebrities are to blame, and here’s why. It is common practice to limit the amount of times you can attempt and fail to log into an account. Once you exceed the maximum login attempts many websites will freeze your account and/or not allow you to try to login for a set amount of time (e.g. 5 mins). If Apple did not limit login attempts then they failed at security on a very basic level allowing attackers to guess at passwords as many times as they want. However, the users of the iCloud accounts are also to blame in this case. I’m not going to discuss the wisdom of taking nude photos and trusting a third party (in this case Apple) to protect them, but a good rule is that you should pick strong passwords that have no connection to your life. If your dog’s name is “spot”, then spot123 is not a good password. When guessing passwords it’s standard practice to make educated guesses by gathering information on your target, and there is A LOT of information readily available out there about celebrities. Another possible cause for the breach is that there is a problem with Apple’s iCloud. _Apple has completely denied this, and so far I have seen no evidence that this is the problem. _This scenario is far more scary because it means that there is very little users can do to help protect their data. In this case it’s up to Apple to fix the hole and plug it before more information is leaked.
So what can we do as users? The media keeps posting the following recommendations:
Pick strong passwords that are at least 12 characters with a mix of numbers, upper and lower letters, and special characters (e.g !@#$%^&*())
Use two-factor authentication (instructions vary by account)
These are good suggestions, but I’d like to add this one. Don’t use the verification questions to reset your password. On many sites if you forget your password you can fill in pre-answered questions to reset your password. Most verification questions are easily answered by looking up public records. For example, using a complex password like, qserqw34!@#$QWE$!@#$, does nothing to protect you if all I need to know is your mother’s maiden name to reset your password to whatever I want_. _
My final point is this – when you use the “cloud” you’re trusting someone else with your data. It’s no different than keeping your money in a bank rather than under your mattress. Protect your passwords like you would your ATM PIN. Choose who you trust with your personal information wisely, and be careful with what information you share. As a general rule just assume that all information on the cloud could one day become public knowledge.